![678b4d07ef829351c0b6fb17b8f41b4d.png](https://i-blog.csdnimg.cn/blog_migrate/d24af1176698e58aeb563a8695432794.jpeg)
Linux TCP packet capture tool

Install tcpdump:

```
yum install tcpdump
```

Capture command (the interface name may differ from ens33):

```
tcpdump -nn -i ens33 port 80
```
Establish a connection to the Baidu server; file descriptor 9 stands for this connection. Bash's /dev/tcp pseudo-path takes a host name and a port, not a URL with a scheme:

```
exec 9<> /dev/tcp/www.baidu.com/80
```
```
21:55:14.345415 IP 192.168.138.3.35572 > 103.235.46.39.80: Flags [S], seq 1793519089, win 29200, options [mss 1460,sackOK,TS val 41473701 ecr 0,nop,wscale 7], length 0
21:55:14.371112 IP 103.235.46.39.80 > 192.168.138.3.35572: Flags [S.], seq 1784506404, ack 1793519090, win 64240, options [mss 1460], length 0
21:55:14.371892 IP 192.168.138.3.35572 > 103.235.46.39.80: Flags [.], ack 1, win 29200, length 0
```

[S] marks the start of the handshake (SYN); the next two lines are the SYN-ACK ([S.]) and the final ACK ([.]).
Send a request to Baidu. The request must end with a blank line: -e turns the \n into a newline and echo appends another one. (HTTP/1.1 strictly also requires a Host header, which this minimal request omits.)

```
echo -e "GET / HTTP/1.1\n" >&9
```

Read the data that comes back:

```
cat <&9
```

Data received:
![1a25880e99727124fe3bdb1f672cb477.png](https://i-blog.csdnimg.cn/blog_migrate/e757656988608cde8f13fe304268665d.jpeg)
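As an added example (not code from the original post), here is the same /dev/tcp technique wrapped in bash functions: build_request sends a complete HTTP/1.1 request including the Host header the one-liner above omits, status_code pulls the status out of a response, and http_get opens fd 9, sends, reads with a timeout and closes the descriptor. The function names and the use of `timeout` are my own choices.

```bash
#!/bin/bash
# Added example, not code from the original post: the /dev/tcp trick as a
# set of functions. Function names are my own; /dev/tcp only exists in bash.

# Build a complete HTTP/1.1 request. Host is mandatory in HTTP/1.1 and
# Connection: close makes the server end the stream so cat does not hang.
build_request() {
    host=$1
    path=${2:-/}
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# Pull the numeric status code out of a response's first line.
status_code() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'
}

# Open the TCP connection on fd 9 (as in the post), send, read, close.
# Usage (needs network): http_get www.baidu.com 80 /
http_get() {
    host=$1
    port=${2:-80}
    path=${3:-/}
    exec 9<>"/dev/tcp/$host/$port" || return 1
    build_request "$host" "$path" >&9
    # Bound the read: a server that keeps the connection open would block cat.
    timeout 10 cat <&9
    exec 9<&-
}
```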
The capture window
![be108e55d03c1b5b1c9ddda336a8aa8b.png](https://i-blog.csdnimg.cn/blog_migrate/ddef70a02ce700f84f95576099c50155.jpeg)
Look in the current shell's file-descriptor directory: cd /proc/$$/fd ($$ expands to the PID of the current shell)
![60e0004bf72b4af7c743beada63d35ea.png](https://i-blog.csdnimg.cn/blog_migrate/6c72776a0cff01b83ceb07145e37d1f7.png)
![77e97b6239082617ca1242157640222e.png](https://i-blog.csdnimg.cn/blog_migrate/eda5c8d05a25c59f0dd23524d9a32b63.jpeg)
Three-way handshake and four-way close
![4915d0ada8ef20230dbd345c9494c33f.png](https://i-blog.csdnimg.cn/blog_migrate/332b2bff02535a599e942eaa56125c6f.png)
![6ddd650369c30ca2b9dc073193cfbf3f.png](https://i-blog.csdnimg.cn/blog_migrate/646514a7b2e48013365054f98a046334.jpeg)
View the file descriptors of the current process:

```
[root@localhost fd]# ll
总用量 0
lrwx------. 1 root root 64 11月 12 21:48 0 -> /dev/pts/0
lrwx------. 1 root root 64 11月 12 21:48 1 -> /dev/pts/0
lr-x------. 1 root root 64 11月 12 21:48 10 -> pipe:[78067]
l-wx------. 1 root root 64 11月 12 21:48 11 -> pipe:[78067]
lrwx------. 1 root root 64 11月 12 21:48 12 -> anon_inode:[eventpoll]
lrwx------. 1 root root 64 11月 12 21:48 13 -> socket:[78071]
lrwx------. 1 root root 64 11月 12 21:48 14 -> socket:[78116]
lrwx------. 1 root root 64 11月 12 21:48 15 -> socket:[78117]
lrwx------. 1 root root 64 11月 12 21:47 2 -> /dev/pts/0
lr-x------. 1 root root 64 11月 12 21:48 3 -> /usr/local/java/jdk1.8.0_271/jre/lib/rt.jar
lr-x------. 1 root root 64 11月 12 21:48 4 -> pipe:[78065]
l-wx------. 1 root root 64 11月 12 21:48 5 -> pipe:[78065]
lrwx------. 1 root root 64 11月 12 21:48 6 -> anon_inode:[eventpoll]
lr-x------. 1 root root 64 11月 12 21:48 7 -> pipe:[78066]
l-wx------. 1 root root 64 11月 12 21:48 8 -> pipe:[78066]
lrwx------. 1 root root 64 11月 12 21:48 9 -> anon_inode:[eventpoll]
[root@localhost fd]#
```
![7e6d1ed592357c447e012bcd8c074150.png](https://i-blog.csdnimg.cn/blog_migrate/289b8de2fa36d43e03989052383e5296.jpeg)
For the exec command, see: linux下的exec命令_再闹东海7的博客-CSDN博客_exec

Why a three-way handshake? Mainly to establish a reliable connection. Look at it from the server's side: after I have answered the client, I still do not know whether the client actually received my answer, so a third message is needed.
What is a socket

ip:port + ip:port (the local address:port paired with the remote address:port)

```
[root@localhost java]# netstat -natp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 7370/X
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 7505/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7215/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 7212/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 7504/master
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 7945/sshd: root@pts
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 10526/sshd: root@pt
tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN 10750/sshd: root@pt
tcp 0 0 192.168.138.3:22 192.168.138.1:58980 ESTABLISHED 10750/sshd: root@pt
tcp 0 0 192.168.138.3:22 192.168.138.1:49463 ESTABLISHED 7945/sshd: root@pts
tcp 0 0 192.168.138.3:22 192.168.138.1:57884 ESTABLISHED 10526/sshd: root@pt
```
ARP request experiment

Capture HTTP and ARP traffic:

```
tcpdump -nn -i ens33 port 80 or arp
```

The local gateway, i.e. the next-hop address:

```
[root@localhost fd]# arp -a
gateway (192.168.138.2) at 00:50:56:f0:f0:59 [ether] on ens33
? (192.168.138.1) at 00:50:56:c0:00:08 [ether] on ens33
[root@localhost fd]# arp -d 192.168.138.2
```

On the capture side:

```
09:01:01.635017 ARP, Request who-has 192.168.138.2 tell 192.168.138.3, length 28
09:01:01.635211 ARP, Reply 192.168.138.2 is-at 00:50:56:f0:f0:59, length 46
```

Next, delete the entry and issue the request in the same command (the ARP entry is repopulated automatically a few hundred milliseconds after deletion, so the two must run back to back):

```
[root@localhost fd]# arp -d 192.168.138.2 && curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head>
```
On the capture side: first the ARP request, then the three-way handshake, the data exchange, and finally closing the connection (the four-way close):

```
09:06:32.210573 ARP, Request who-has 192.168.138.2 tell 192.168.138.3, length 28
09:06:32.210782 ARP, Reply 192.168.138.2 is-at 00:50:56:f0:f0:59, length 46
09:06:32.470079 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [S], seq 782742757, win 29200, options [mss 1460,sackOK,TS val 54910835 ecr 0,nop,wscale 7], length 0
09:06:32.688234 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [S.], seq 1843595133, ack 782742758, win 64240, options [mss 1460], length 0
09:06:32.688660 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [.], ack 1, win 29200, length 0
09:06:32.690804 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [P.], seq 1:78, ack 1, win 29200, length 77: HTTP: GET / HTTP/1.1
09:06:32.691653 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [.], ack 78, win 64240, length 0
09:06:33.097453 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [P.], seq 1:2782, ack 78, win 64240, length 2781: HTTP: HTTP/1.1 200 OK
09:06:33.097548 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [.], ack 2782, win 33580, length 0
09:06:33.099717 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [F.], seq 78, ack 2782, win 33580, length 0
09:06:33.100592 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [.], ack 79, win 64239,
```
This shows that the link layer communicates using physical (MAC) addresses and serves the network layer above it.
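To make the handshake property described above (the SYN-ACK must acknowledge the client's SYN sequence number plus one) checkable rather than read off by eye, here is an added example that is not part of the original post: a POSIX shell function around awk that reads tcpdump lines in the format captured above, tracks each TCP flow through SYN, SYN-ACK and ACK, flags a SYN-ACK whose ack number does not match, and counts FINs, payload bytes and ARP packets. The sample input is constructed: the first flow is the capture above with options trimmed, the second is made up to show a mismatch.

```sh
#!/bin/sh
# Added example, not code from the original post. Reads tcpdump output in the
# format shown above and checks each TCP flow's handshake: the SYN-ACK must
# carry ack == client ISN + 1 before the third ACK marks it ESTABLISHED.

# Constructed sample: flow 1 is the capture above (options trimmed), flow 2 is
# made up with a wrong ack number so the check fires.
SAMPLE='09:06:32.210573 ARP, Request who-has 192.168.138.2 tell 192.168.138.3, length 28
09:06:32.210782 ARP, Reply 192.168.138.2 is-at 00:50:56:f0:f0:59, length 46
09:06:32.470079 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [S], seq 782742757, win 29200, length 0
09:06:32.688234 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [S.], seq 1843595133, ack 782742758, win 64240, length 0
09:06:32.688660 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [.], ack 1, win 29200, length 0
09:06:32.690804 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [P.], seq 1:78, ack 1, win 29200, length 77: HTTP: GET / HTTP/1.1
09:06:33.097453 IP 104.193.88.77.80 > 192.168.138.3.34424: Flags [P.], seq 1:2782, ack 78, win 64240, length 2781: HTTP: HTTP/1.1 200 OK
09:06:33.099717 IP 192.168.138.3.34424 > 104.193.88.77.80: Flags [F.], seq 78, ack 2782, win 33580, length 0
09:07:00.000000 IP 192.168.138.3.40000 > 10.0.0.5.80: Flags [S], seq 1000, win 29200, length 0
09:07:00.100000 IP 10.0.0.5.80 > 192.168.138.3.40000: Flags [S.], seq 5000, ack 1002, win 64240, length 0'

# Usage: analyze_capture < capture.txt   (or: tcpdump -nn -l ... | analyze_capture)
analyze_capture() {
    awk '
    /ARP, Request/ { arp_req++; next }
    /ARP, Reply/   { arp_rep++; next }
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; sub(/,$/, "", flags)          # "[S]," -> "[S]"
        fwd = src "->" dst; rev = dst "->" src    # flows are keyed client->server
        len = 0
        if (match($0, /length [0-9]+/)) len = substr($0, RSTART + 7, RLENGTH - 7) + 0
        if (flags == "[S]") { state[fwd] = "SYN"; isn[fwd] = $9 + 0 }
        if (flags == "[S.]") {
            ack = $11 + 0
            if ((rev in state) && state[rev] == "SYN" && ack == isn[rev] + 1) state[rev] = "SYN-ACK"
            else if (rev in state) bad[rev] = "bad-synack-ack=" ack
        }
        if (flags == "[.]" && (fwd in state) && state[fwd] == "SYN-ACK") state[fwd] = "ESTABLISHED"
        if (flags ~ /F/) { if (fwd in state) fin[fwd]++; else if (rev in state) fin[rev]++ }
        if (fwd in state) c2s[fwd] += len; else if (rev in state) s2c[rev] += len
    }
    END {
        printf "arp requests=%d replies=%d\n", arp_req, arp_rep
        for (k in state)
            printf "%s %s fins=%d c2s=%d s2c=%d%s\n", k, state[k], fin[k], c2s[k], s2c[k],
                   ((k in bad) ? " " bad[k] : "")
    }'
}
```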