socket抓包工具_Linux Tcp抓包分析

Linux Tcp抓包工具

yum install tcpdump

抓包命令：tcpdump -nn -i ens33(网卡名字可能不一样) port 80

tcpdump -nn -i ens33 port 80

表示和百度服务器建立链接，用这个9代表这个链接

exec 9<> /dev/tcp/http://www.baidu.com/80

21:55:14.345415 IP 192.168.138.3.35572 > 103.235.46.39.80: Flags [S], seq 1793519089, win 29200, options [mss 1460,sackOK,TS val 41473701 ecr 0,nop,wscale 7], length 0
21:55:14.371112 IP 103.235.46.39.80 > 192.168.138.3.35572: Flags [S.], seq 1784506404, ack 1793519090, win 64240, options [mss 1460], length 0
21:55:14.371892 IP 192.168.138.3.35572 > 103.235.46.39.80: Flags [.], ack 1, win 29200, length 0

[S]代表握手

向百度发送一个请求

echo -e "GET / HTTP/1.1n" >& 9

获取返回来的数据

cat <& 9

拿到数据：

监听窗口

查看根目录cd /proc/$$/fd($$表示当前进程id)

三次握手和四次分手

查看当前进程文件描述符

[root@localhost fd]# ll
总用量 0
lrwx------. 1 root root 64 11月 12 21:48 0 -> /dev/pts/0
lrwx------. 1 root root 64 11月 12 21:48 1 -> /dev/pts/0
lr-x------. 1 root root 64 11月 12 21:48 10 -> pipe:[78067]
l-wx------. 1 root root 64 11月 12 21:48 11 -> pipe:[78067]
lrwx------. 1 root root 64 11月 12 21:48 12 -> anon_inode:[eventpoll]
lrwx------. 1 root root 64 11月 12 21:48 13 -> socket:[78071]
lrwx------. 1 root root 64 11月 12 21:48 14 -> socket:[78116]
lrwx------. 1 root root 64 11月 12 21:48 15 -> socket:[78117]
lrwx------. 1 root root 64 11月 12 21:47 2 -> /dev/pts/0
lr-x------. 1 root root 64 11月 12 21:48 3 -> /usr/local/java/jdk1.8.0_271/jre/lib/rt.jar
lr-x------. 1 root root 64 11月 12 21:48 4 -> pipe:[78065]
l-wx------. 1 root root 64 11月 12 21:48 5 -> pipe:[78065]
lrwx------. 1 root root 64 11月 12 21:48 6 -> anon_inode:[eventpoll]
lr-x------. 1 root root 64 11月 12 21:48 7 -> pipe:[78066]
l-wx------. 1 root root 64 11月 12 21:48 8 -> pipe:[78066]
lrwx------. 1 root root 64 11月 12 21:48 9 -> anon_inode:[eventpoll]
[root@localhost fd]# 

关于exec命令参考：linux下的exec命令_再闹东海7的博客-CSDN博客_exec

为什么是三次握手，主要是为了建立可靠链接，主要站在服务端角度来看，虽然我回复了客服端，但是我还是不知道客服端是否已经收到

何为套接字

ip:port + ip:port

[root@localhost java]# netstat -natp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      7370/X              
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      7505/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7215/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      7212/cupsd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7504/master         
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      7945/sshd: root@pts 
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      10526/sshd: root@pt 
tcp        0      0 127.0.0.1:6012          0.0.0.0:*               LISTEN      10750/sshd: root@pt 
tcp        0      0 192.168.138.3:22        192.168.138.1:58980     ESTABLISHED 10750/sshd: root@pt 
tcp        0      0 192.168.138.3:22        192.168.138.1:49463     ESTABLISHED 7945/sshd: root@pts 
tcp        0      0 192.168.138.3:22        192.168.138.1:57884     ESTABLISHED 10526/sshd: root@pt 

ARP请求实验

监听请求

tcpdump -nn -i ens33 port 80 or arp

本地网关，也就是下一跳的地址

[root@localhost fd]# arp -a
gateway (192.168.138.2) at 00:50:56:f0:f0:59 [ether] on ens33
? (192.168.138.1) at 00:50:56:c0:00:08 [ether] on ens33
[root@localhost fd]# arp -d 192.168.138.2
//监听那边
09:01:01.635017 ARP, Request who-has 192.168.138.2 tell 192.168.138.3, length 28
09:01:01.635211 ARP, Reply 192.168.138.2 is-at 00:50:56:f0:f0:59, length 46

接下来在删除的同时发起请求（因为删除几百毫秒后会自动填充回来，所以只能连续快速执行）

[root@localhost fd]# arp -d 192.168.138.2 && curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下，你就知道</title></head> 

监听那边，先请求arp,然后三次握手，接收数据，关闭链接（四次分手）

09:06:32.210573 ARP, Request who-has 192.168.138.2 tell 192.168.138.3, length 28
09:06:32.210782 ARP, Reply 192.168.138.2 is-at 00:50:56:f0:f0:59, length 46
09:06:32.470079 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [S], seq 782742757, win 29200, options [mss 1460,sackOK,TS val 54910835 ecr 0,nop,wscale 7], length 0
09:06:32.688234 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [S.], seq 1843595133, ack 782742758, win 64240, options [mss 1460], length 0
09:06:32.688660 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [.], ack 1, win 29200, length 0
09:06:32.690804 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [P.], seq 1:78, ack 1, win 29200, length 77: HTTP: GET / HTTP/1.1
09:06:32.691653 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [.], ack 78, win 64240, length 0
09:06:33.097453 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [P.], seq 1:2782, ack 78, win 64240, length 2781: HTTP: HTTP/1.1 200 OK
09:06:33.097548 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [.], ack 2782, win 33580, length 0
09:06:33.099717 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [F.], seq 78, ack 2782, win 33580, length 0
09:06:33.100592 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [.], ack 79, win 64239, 

可以看出链路层是基于物理地址mac通信的，并且为网络层服务