tcpdump packet capture commands: tcpdump in practice

I previously published an article on troubleshooting network problems and it was well received, so today I will demonstrate the most commonly used network troubleshooting command, tcpdump, by capturing a complete TCP exchange.



https://www.tcpdump.org/manpages/tcpdump.1.html
A passage from the tcpdump man page on the official site:

The general format of a TCP protocol line is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

Src and dst are the source and destination IP addresses and ports.

Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK), or 'none' if no flags are set.

Data-seqno describes the portion of sequence space covered by the data in this packet (see example below).

Ackno is sequence number of the next data expected the other direction on this connection.

Window is the number of bytes of receive buffer space available the other direction on this connection.

Urg indicates there is 'urgent' data in the packet.

Opts are TCP options (e.g., mss 1024).

Len is the length of payload data.

A quick translation:

Using the tcpdump command

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

src and dst are the source IP address and port and the destination IP address and port.

TCP flags: S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK)
Note that the '.' stands for ACK, so "S." means SYN,ACK.

// These are the TCP flags you meet most often; if any are unfamiliar, I will follow up with an article on the TCP protocol.


1

Below I try this out in my Linux virtual machine. First, from a shell, request Baidu once every 5 seconds:

Then open a new window and start capturing with tcpdump. Since my VM is very clean, capturing port 80 is enough:

for((i=1;i>0;i++)) { curl www.baidu.com; sleep 5; }   // sleep 5 keeps the tcpdump output from scrolling past too fast

tcpdump -nn -c 50 -w baidu.cap 'tcp and port 80'      // capture 50 TCP packets on port 80 and write them to baidu.cap

tcpdump -nn -r baidu.cap                              // read baidu.cap back; -nn shows addresses and ports as numbers instead of resolving names

// Three-way handshake

00:01:27.495986 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [S], seq 3269637489, win 14600, options [mss 1460,sackOK,TS val 36161220 ecr 0,nop,wscale 7], length 0

00:01:27.499790 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [S.], seq 1731784705, ack 3269637490, win 65535, options [mss 1460], length 0

00:01:27.499839 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1, win 14600, length 0

// Flags [S] SYN

// Flags [S.] SYN ACK

// Flags [.] ACK

// Data

00:01:27.500578 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [P.], seq 1:177, ack 1, win 14600, length 176

00:01:27.500884 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 177, win 65535, length 0

00:01:27.505774 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], seq 1:1421, ack 177, win 65535, length 1420

00:01:27.505790 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1421, win 17040, length 0

00:01:27.505947 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [P.], seq 1421:1441, ack 177, win 65535, length 20

00:01:27.505961 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1441, win 17040, length 0

00:01:27.506046 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [P.], seq 1441:2782, ack 177, win 65535, length 1341

00:01:27.506059 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2782, win 19880, length 0

// Flags [P.] PSH ACK

// Four-way close

00:01:27.506605 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [F.], seq 177, ack 2782, win 19880, length 0

00:01:27.506806 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 178, win 65535, length 0

00:01:27.510914 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [F.], seq 2782, ack 178, win 65535, length 0

00:01:27.510932 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2783, win 19880, length 0

// Flags [F.] FIN ACK
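As an added example (not part of the original post), here is a small Python parser for the line format quoted above from the man page, run over the capture shown in this post (abbreviated: two of the server's response segments and their ACKs are left out to keep the sample short). Besides turning "S." into SYN,ACK it checks that every ACK acknowledges exactly what the peer has sent so far, which is the arithmetic behind "ack 178" answering the FIN at "seq 177".

```python
import re

# Regex for the TCP line format quoted above from the tcpdump man page. Without -S, tcpdump
# prints seq/ack numbers relative to each side's ISN once it has seen that side's SYN.
TCP_LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
                      r"(?:, seq (?P<seq>\d+)(?::(?P<end>\d+))?)?(?:, ack (?P<ack>\d+))?"
                      r"(?:, win (?P<win>\d+))?(?:, options \[[^\]]*\])?, length (?P<length>\d+)$")
FLAGS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}

def parse_line(line):
    """Parse one tcpdump TCP line into a dict ('S.' -> ['SYN', 'ACK']); None if it does not match."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = [] if d["flags"] == "none" else [FLAGS.get(c, c) for c in d["flags"]]
    for k in ("seq", "end", "ack", "win", "length"):
        d[k] = None if d[k] is None else int(d[k])
    return d

def check_acks(pkts):
    """Return (ts, ack, expected) for each ACK that does not match what the peer has sent so far."""
    end, bad = {}, []  # per direction: the relative seq number the peer should acknowledge next
    for p in pkts:
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if "SYN" in p["flags"]:  # SYN consumes one seq number; the SYN-ACK acks the absolute ISN, so skip it
            end[fwd] = 1
            continue
        if p["ack"] is not None and p["ack"] != end.get(rev):
            bad.append((p["ts"], p["ack"], end.get(rev)))
        if p["end"] is not None:  # 'seq a:b' covers bytes a..b-1, so b is what the peer acks next
            end[fwd] = p["end"]
        if "FIN" in p["flags"]:  # FIN consumes one seq number too: the FIN at 'seq 177' is acked with 178
            end[fwd] = end.get(fwd, 1) + 1
    return bad

# Constructed sample: the capture above, minus two of the server's response segments and their ACKs.
SAMPLE = """\
00:01:27.495986 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [S], seq 3269637489, win 14600, options [mss 1460,sackOK,TS val 36161220 ecr 0,nop,wscale 7], length 0
00:01:27.499790 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [S.], seq 1731784705, ack 3269637490, win 65535, options [mss 1460], length 0
00:01:27.499839 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1, win 14600, length 0
00:01:27.500578 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [P.], seq 1:177, ack 1, win 14600, length 176
00:01:27.500884 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 177, win 65535, length 0
00:01:27.506046 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [P.], seq 1441:2782, ack 177, win 65535, length 1341
00:01:27.506059 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2782, win 19880, length 0
00:01:27.506605 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [F.], seq 177, ack 2782, win 19880, length 0
00:01:27.506806 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 178, win 65535, length 0
00:01:27.510914 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [F.], seq 2782, ack 178, win 65535, length 0
00:01:27.510932 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2783, win 19880, length 0
"""
```

`check_acks([parse_line(l) for l in SAMPLE.splitlines()])` returns an empty list for this capture; change any ack value and the offending line is reported with the value it should have carried.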


2 Viewing the capture file in Wireshark

[Figure: the capture file opened in Wireshark]

[Figure: Statistics > Flow Graph]

3 Summary

With tcpdump we can clearly see the complete TCP three-way handshake and four-way close.
This command is used constantly when troubleshooting networks and capturing packets; it is an advanced command worth mastering, provided you are already familiar with the TCP protocol.
