Notes on learning tcpdump and practicing packet capture

I. About tcpdump

0. tcpdump is a tool for capturing and analyzing network packets. It is typically used for packet capture on the server side.

1. Installation on CentOS

yum install tcpdump

2. Default usage
Just type tcpdump at the command line and press Enter; it prints every packet passing through the default interface.

tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:39:09.820829 IP i.rprank.tv.weibo.com.ssh > 10.222.77.160.64821: Flags [P.], seq 222070299:222070483, ack 3000051357, win 226, options [nop,nop,TS val 680411989 ecr 929164105], length 184
15:39:09.821134 IP i.rprank.tv.weibo.com.41331 > 172.16.139.249.domain: 59855+ PTR? 160.77.222.10.in-addr.arpa. (44)

3. Output format

timestamp protocol source-address.source-port > destination-address.destination-port packet-details

4. Basic usage
tcpdump [options] [filter expression]

5. Common options

-i   specify the network interface; the default is eth0 (interface 0), and any means all interfaces
-nn  show IP addresses and port numbers directly instead of hostnames and service names
-A   print the full packet contents as ASCII (without it only header information is shown)
-X   print packet contents as hex and ASCII (useful for inspecting payloads)
-w   save the captured packets to a file
-c   limit the number of packets captured
-s   set the snapshot length, i.e. how many bytes of each packet to capture
-v   print slightly more verbose packet information
-vv  print even more detail

6. Common filter expressions

host / src host / dst host   filter by host
port / src port / dst port   filter by port
tcp / udp / ip               filter by protocol
and / or / not               combine filters with logical operators
tcp[tcpflags]                filter TCP packets by flag state

II. Common usages

0. Filter TCP packets

tcpdump tcp

1. Filter requests from a given source IP

tcpdump -i any -nn -c 3 src host 10.222.77.160

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
16:58:31.353981 IP 10.222.77.160.64821 > 10.235.25.242.22: Flags [.], ack 222393899, win 4090, options [nop,nop,TS val 933317176 ecr 685173518], length 0
16:58:31.359983 IP 10.222.77.160.64821 > 10.235.25.242.22: Flags [.], ack 185, win 4090, options [nop,nop,TS val 933317181 ecr 685173524], length 0
16:58:31.363954 IP 10.222.77.160.64821 > 10.235.25.242.22: Flags [.], ack 369, win 4090, options [nop,nop,TS val 933317184 ecr 685173529], length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Note: because -nn was given, everything is shown as IPs and ports, which is easy to read at a glance.

2. Filter packets from a given source to port 80, where Nginx listens

tcpdump -i any -nn -c 3 src host 10.222.77.160 and port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes


17:00:18.553569 IP 10.222.77.160.52664 > 10.235.25.242.80: Flags [S], seq 2501200532, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 933423865 ecr 0,sackOK,eol], length 0
17:00:18.557372 IP 10.222.77.160.52664 > 10.235.25.242.80: Flags [.], ack 1012615865, win 4117, options [nop,nop,TS val 933423872 ecr 685280721], length 0
17:00:18.559351 IP 10.222.77.160.52664 > 10.235.25.242.80: Flags [P.], seq 0:331, ack 1, win 4117, options [nop,nop,TS val 933423872 ecr 685280721], length 331
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Note: filter expressions must be joined with a logical operator, otherwise tcpdump reports: tcpdump: syntax error

3. Print packet contents

tcpdump -i any -nn -A -c 3 src host 10.222.77.160 and port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes


17:02:46.262818 IP 10.222.77.160.52833 > 10.235.25.242.80: Flags [S], seq 3662494123, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 933570298 ecr 0,sackOK,eol], length 0
E..@."@.=..:
.M.
....a.P.M9.........xX.............
7.&.........
17:02:46.266596 IP 10.222.77.160.52833 > 10.235.25.242.80: Flags [.], ack 972036429, win 4117, options [nop,nop,TS val 933570304 ecr 685428431], length 0
E..4}.@.=.Bm
.M.
....a.P.M9.9..M....]......
7.'.(...
17:02:46.266619 IP 10.222.77.160.52833 > 10.235.25.242.80: Flags [P.], seq 0:331, ack 1, win 4117, options [nop,nop,TS val 933570304 ecr 685428431], length 331
E...t(@.=.J.
.M.
....a.P.M9.9..M...........
7.'.(...POST http://energy.tv.weibo.cn/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102 HTTP/1.1
Host: energy.tv.weibo.cn
User-Agent: curl/7.51.0
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 55
Content-Type: application/x-www-form-urlencoded

t=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl
3 packets captured
3 packets received by filter
0 packets dropped by kernel

III. Hands-on capture

0. Simulate the request

curl -x '10.235.25.242:80' 'http://energy.tv.weibo.cn/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102' -d 't=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl'

1. Packets on port 80, where Nginx listens

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' and src host 10.222.77.160 and port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:13:42.954084 IP (tos 0x0, ttl 61, id 31969, offset 0, flags [DF], proto TCP (6), length 383)
    10.222.77.160.53259 > i.rprank.tv.weibo.com.http: Flags [P.], cksum 0x5c76 (correct), seq 3660729521:3660729852, ack 2752049396, win 4117, options [nop,nop,TS val 934223633 ecr 686085118], length 331
E...|.@.=.B=
.M.
......P.2L.........\v.....
7...(...POST http://energy.tv.weibo.cn/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102 HTTP/1.1
Host: energy.tv.weibo.cn
User-Agent: curl/7.51.0
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 55
Content-Type: application/x-www-form-urlencoded

t=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl

2. Packets on port 9022, where FPM listens

tcpdump -i any -nn -A port 9022

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:14:10.203895 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [S], seq 919808982, win 32792, options [mss 16396,sackOK,TS val 686112372 ecr 0,nop,wscale 7], length 0
E..<..@.@.'...........#>6.+...............@....
(.>t........
17:14:10.203910 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [S.], seq 803449973, ack 919808983, win 32768, options [mss 16396,sackOK,TS val 686112372 ecr 686112372,nop,wscale 7], length 0
E..<..@.@.<.........#>../..u6.+...........@....
(.>t(.>t....
17:14:10.203923 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [.], ack 1, win 257, options [nop,nop,TS val 686112372 ecr 686112372], length 0
E..4..@.@.'...........#>6.+./..v....u9.....
(.>t(.>t
17:14:10.203956 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [P.], seq 1:937, ack 1, win 257, options [nop,nop,TS val 686112372 ecr 686112372], length 936
E.....@.@.#v..........#>6.+./..v...........
(.>t(.>t.....................@..
.REQUEST_ID.>QUERY_STRINGaid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102..REQUEST_METHODPOST.!CONTENT_TYPEapplication/x-www-form-urlencoded..CONTENT_LENGTH55.
SCRIPT_NAME/index.php.FREQUEST_URI/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102..DOCUMENT_URI/index.php/s+DOCUMENT_ROOT/data1/www/htdocs/energy.tv.weibo.cn/public..SERVER_PROTOCOLHTTP/1.1..GATEWAY_INTERFACECGI/1.1..SERVER_SOFTWAREnginxSERVER_ADDR10.235.25.242..SERVER_PORT80..SERVER_NAMEenergy.tv.weibo.cn.5SCRIPT_FILENAME/data1/www/htdocs/energy.tv.weibo.cn/public/index.php	.PATH_INFO/ssvote	.HTTP_HOSTenergy.tv.weibo.cn..HTTP_USER_AGENTcurl/7.51.0..HTTP_ACCEPT*/*.
HTTP_PROXY_CONNECTIONKeep-Alive..HTTP_CONTENT_LENGTH55.!HTTP_CONTENT_TYPEapplication/x-www-form-urlencoded.............7..t=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl.........
17:14:10.203964 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [.], ack 937, win 271, options [nop,nop,TS val 686112372 ecr 686112372], length 0
E..4..@.@...........#>../..v6./.....q......
(.>t(.>t
17:14:10.217823 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [P.], seq 1:257, ack 937, win 271, options [nop,nop,TS val 686112386 ecr 686112372], length 256
E..4..@.@...........#>../..v6./......(.....
(.>.(.>t........Content-type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache

PHP recive: t = debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl

param t lens = 53...............qqq
17:14:10.217832 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [.], ack 257, win 265, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@.'...........#>6././..v...	pm.....
(.>.(.>.
17:14:10.217853 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [F.], seq 257, ack 937, win 271, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@...........#>../..v6./.....pf.....
(.>.(.>.
17:14:10.217929 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [F.], seq 937, ack 258, win 265, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@.'...........#>6././..w...	pk.....
(.>.(.>.
17:14:10.217967 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [.], ack 938, win 271, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@...........#>../..w6./.....pe.....
(.>.(.>.

IV. Summary

0. If you find that no packets are captured, try -i any.
1. For capturing packets inside a Docker container, many sources say you need nsenter to enter the container's network namespace; in testing that was not necessary.
2. Printing packet contents with -A or -X is very useful.
3. The Flags shown after the destination port are the TCP flag field:

Value   Flag    Description
S       SYN     Connection start
F       FIN     Connection finish
P       PUSH    Data push
R       RST     Connection reset
.       ACK     Acknowledgment
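Added example, not part of the original notes: a small Python parser for tcpdump's default one-line summary format described in section I.3, which also expands the Flags letters using the table above and counts bare SYNs per source (one way a defender spots connection attempts in a capture). The sample lines are copied from the captures on this page; the two-line -vv format from section III.1 is not handled.

```python
import re
from collections import Counter

# Flag letters as printed by tcpdump, mapped to the names in the table above
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK"}

# timestamp protocol src.sport > dst.dport: details
# The port may be a number (with -nn) or a service name such as ssh, domain or http.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>\S+) "
    r"(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<rest>.*)$"
)

def parse_line(line):
    """Split one default-format tcpdump line into its fields; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    flags = re.search(r"Flags \[([^\]]*)\]", d["rest"])
    d["flags"] = [FLAG_NAMES.get(c, c) for c in flags.group(1)] if flags else []
    length = re.search(r"length (\d+)", d["rest"])
    d["length"] = int(length.group(1)) if length else None
    return d

def syn_by_source(lines):
    """Count bare SYNs (Flags [S] only, i.e. connection attempts) per source address."""
    counts = Counter()
    for line in lines:
        p = parse_line(line)
        if p and p["flags"] == ["SYN"]:
            counts[p["src"]] += 1
    return counts

# Sample input: lines copied from the captures on this page
SAMPLE = [
    "15:39:09.820829 IP i.rprank.tv.weibo.com.ssh > 10.222.77.160.64821: Flags [P.], seq 222070299:222070483, ack 3000051357, win 226, options [nop,nop,TS val 680411989 ecr 929164105], length 184",
    "15:39:09.821134 IP i.rprank.tv.weibo.com.41331 > 172.16.139.249.domain: 59855+ PTR? 160.77.222.10.in-addr.arpa. (44)",
    "17:00:18.553569 IP 10.222.77.160.52664 > 10.235.25.242.80: Flags [S], seq 2501200532, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 933423865 ecr 0,sackOK,eol], length 0",
    "17:14:10.203895 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [S], seq 919808982, win 32792, options [mss 16396,sackOK,TS val 686112372 ecr 0,nop,wscale 7], length 0",
    "17:14:10.203910 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [S.], seq 803449973, ack 919808983, win 32768, options [mss 16396,sackOK,TS val 686112372 ecr 686112372,nop,wscale 7], length 0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        p = parse_line(line)
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], p["flags"], p["length"])
    print(syn_by_source(SAMPLE))
```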

V. Open questions

0. Port 9022, where FPM listens, can only be captured when -i any is given; how can you tell which interface it is on?
1. Using the tcp[tcpflags] filter on port 9022, where FPM listens, captures no data; the FastCGI request forwarded by Nginx is presumably not an HTTP POST request.
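Added example, not part of the original notes, for the filter used in III.1 and the open question in V.1: the BPF expression tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 re-implemented in Python and evaluated on two constructed packets, an HTTP POST like the one on this page and a FastCGI BEGIN_REQUEST record like the one Nginx sends to FPM. Addresses, ports and timestamps are taken from the captures above; checksums are left at zero, and the shortened request line is constructed.

```python
import struct

# The filter from section III.1:  tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354
# tcp[12] holds the TCP data offset (header length in 32-bit words) in its high nibble,
# so (tcp[12] & 0xf0) >> 2 is the header length in bytes, and the 4 bytes at that
# offset are the first 4 payload bytes. 0x504f5354 is ASCII "POST".

def bpf_payload_prefix(word: bytes) -> str:
    """Build the same filter for any 4-byte payload prefix, e.g. b'GET '."""
    assert len(word) == 4
    return "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x%s" % word.hex()

def payload_starts_with(ip_packet: bytes, word: bytes) -> bool:
    """Evaluate that filter in Python on a raw IPv4/TCP packet."""
    ihl = (ip_packet[0] & 0x0F) * 4              # IP header length in bytes
    tcp = ip_packet[ihl:]
    data_off = (tcp[12] & 0xF0) >> 2             # TCP header length in bytes
    return tcp[data_off:data_off + 4] == word

def naive_payload_starts_with(ip_packet: bytes, word: bytes) -> bool:
    """What a filter hard-coded as tcp[20:4] sees: wrong once TCP options are present."""
    ihl = (ip_packet[0] & 0x0F) * 4
    return ip_packet[ihl + 20:ihl + 24] == word

def build_ipv4_tcp(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed packet: IPv4 header (no options) + TCP header + options + payload.
    Checksums are left at zero; the filter never looks at them."""
    assert len(options) % 4 == 0
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     31969, 0x4000, 61, 6, 0,
                     bytes([10, 222, 77, 160]), bytes([10, 235, 25, 242]))
    off_flags = ((tcp_len // 4) << 12) | 0x18    # data offset, PSH+ACK
    tcp = struct.pack("!HHIIHHHH", 53259, 80, 1, 1, off_flags, 4117, 0, 0)
    return ip + tcp + options + payload

# nop,nop,TS option block (12 bytes), as seen in the captures above
TS_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 934223633, 686085118)
HTTP_POST = b"POST /ssvote?aid=1 HTTP/1.1\r\nHost: energy.tv.weibo.cn\r\n\r\nt=debug"
# FastCGI BEGIN_REQUEST record: version 1, type 1, request id 1, 8-byte body, role RESPONDER
FASTCGI_BEGIN = b"\x01\x01\x00\x01\x00\x08\x00\x00" + b"\x00\x01\x00\x00\x00\x00\x00\x00"

def demo() -> dict:
    http = build_ipv4_tcp(HTTP_POST, TS_OPTS)
    fcgi = build_ipv4_tcp(FASTCGI_BEGIN, TS_OPTS)
    return {
        "http_matches": payload_starts_with(http, b"POST"),      # True
        "http_naive": naive_payload_starts_with(http, b"POST"),  # False: options shift the payload
        "fastcgi_matches": payload_starts_with(fcgi, b"POST"),   # False: binary record, not HTTP
    }
```

The FastCGI result is why the same filter that caught the POST on port 80 sees nothing on 9022: the request line never appears on that hop, so a capture on 9022 needs a plain port filter (as in III.2) or a match on the FastCGI record header instead.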

VI. Good reference material

0. Browse some usage examples

man tcpdump | less -Ip examples

1. Manpage of TCPDUMP

References:
https://en.wikipedia.org/wiki/Tcpdump
https://zh.wikipedia.org/wiki/Tcpdump
《鸟哥Linux私房菜》 (Vbird's Linux book)
Geek Time (极客时间): Linux Performance Optimization: how to analyze network traffic with tcpdump and Wireshark
Geek Time (极客时间): How to analyze network packets with tcpdump
Juejin (掘金): A very detailed guide to the packet-capture tool tcpdump
Juejin (掘金): Linux basics: capturing packets with tcpdump
Juejin (掘金): A quick and practical tcpdump command reference
tcpdump capture and Wireshark decoding
Jianshu (简书): Viewing HTTP requests and responses with tcpdump
