I. About tcpdump
0. tcpdump is a network packet capture and analysis tool, usually used for packet capture on the server side.
1. Installing on CentOS
yum install tcpdump
2. Default usage
Run tcpdump on the command line with no arguments and it prints every packet passing through the default interface:
tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:39:09.820829 IP i.rprank.tv.weibo.com.ssh > 10.222.77.160.64821: Flags [P.], seq 222070299:222070483, ack 3000051357, win 226, options [nop,nop,TS val 680411989 ecr 929164105], length 184
15:39:09.821134 IP i.rprank.tv.weibo.com.41331 > 172.16.139.249.domain: 59855+ PTR? 160.77.222.10.in-addr.arpa. (44)
3. Output format
timestamp  protocol  source-address.source-port > destination-address.destination-port  packet details
4. Basic usage
tcpdump [options] [filter expression]
5. Common options
-i   specify the network interface; the default is eth0 (interface 0), and any means all interfaces
-nn  show IP addresses and port numbers directly instead of host names and service names
-A   print the full packet contents in ASCII (without it only header information is shown)
-X   print packet contents in hex and ASCII (useful for inspecting packet payloads)
-w   save the captured packets to a file
-c   limit the number of packets captured
-s   set the snapshot length, i.e. how many bytes of each packet are captured
-v   print somewhat more detailed packet information
-vv  print even more detail
6. Common filter expressions
host / src host / dst host   filter by host
port / src port / dst port   filter by port
tcp / udp / ip               filter by protocol
and / or / not               combine filters with logical operators
tcp[tcpflags]                filter TCP packets by flag state
II. Common usage
0. Filter TCP packets
tcpdump tcp
1. Filter requests from a given source IP
tcpdump -i any -nn -c 3 src host 10.222.77.160
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
16:58:31.353981 IP 10.222.77.160.64821 > 10.235.25.242.22: Flags [.], ack 222393899, win 4090, options [nop,nop,TS val 933317176 ecr 685173518], length 0
16:58:31.359983 IP 10.222.77.160.64821 > 10.235.25.242.22: Flags [.], ack 185, win 4090, options [nop,nop,TS val 933317181 ecr 685173524], length 0
16:58:31.363954 IP 10.222.77.160.64821 > 10.235.25.242.22: Flags [.], ack 369, win 4090, options [nop,nop,TS val 933317184 ecr 685173529], length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Note: because -nn was given, everything is shown as IP addresses and port numbers, which is clear at a glance.
2. Filter packets from a given source to port 80, where Nginx listens
tcpdump -i any -nn -c 3 src host 10.222.77.160 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:00:18.553569 IP 10.222.77.160.52664 > 10.235.25.242.80: Flags [S], seq 2501200532, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 933423865 ecr 0,sackOK,eol], length 0
17:00:18.557372 IP 10.222.77.160.52664 > 10.235.25.242.80: Flags [.], ack 1012615865, win 4117, options [nop,nop,TS val 933423872 ecr 685280721], length 0
17:00:18.559351 IP 10.222.77.160.52664 > 10.235.25.242.80: Flags [P.], seq 0:331, ack 1, win 4117, options [nop,nop,TS val 933423872 ecr 685280721], length 331
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Note: multiple filter expressions must be joined with a logical operator, otherwise tcpdump reports: tcpdump: syntax error
3. Print packet contents
tcpdump -i any -nn -A -c 3 src host 10.222.77.160 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:02:46.262818 IP 10.222.77.160.52833 > 10.235.25.242.80: Flags [S], seq 3662494123, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 933570298 ecr 0,sackOK,eol], length 0
E..@."@.=..: .M. ....a.P.M9.........xX............. 7.&.........
17:02:46.266596 IP 10.222.77.160.52833 > 10.235.25.242.80: Flags [.], ack 972036429, win 4117, options [nop,nop,TS val 933570304 ecr 685428431], length 0
E..4}.@.=.Bm .M. ....a.P.M9.9..M....]...... 7.'.(...
17:02:46.266619 IP 10.222.77.160.52833 > 10.235.25.242.80: Flags [P.], seq 0:331, ack 1, win 4117, options [nop,nop,TS val 933570304 ecr 685428431], length 331
E...t(@.=.J. .M. ....a.P.M9.9..M........... 7.'.(...POST http://energy.tv.weibo.cn/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102 HTTP/1.1
Host: energy.tv.weibo.cn
User-Agent: curl/7.51.0
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 55
Content-Type: application/x-www-form-urlencoded

t=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl
3 packets captured
3 packets received by filter
0 packets dropped by kernel
III. Capturing in practice
0. Simulate the request
curl -x '10.235.25.242:80' 'http://energy.tv.weibo.cn/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102' -d 't=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl'
1. Packets on port 80, where Nginx listens
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' and src host 10.222.77.160 and port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:13:42.954084 IP (tos 0x0, ttl 61, id 31969, offset 0, flags [DF], proto TCP (6), length 383)
    10.222.77.160.53259 > i.rprank.tv.weibo.com.http: Flags [P.], cksum 0x5c76 (correct), seq 3660729521:3660729852, ack 2752049396, win 4117, options [nop,nop,TS val 934223633 ecr 686085118], length 331
E...|.@.=.B= .M. ......P.2L.........\v..... 7...(...POST http://energy.tv.weibo.cn/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102 HTTP/1.1
Host: energy.tv.weibo.cn
User-Agent: curl/7.51.0
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 55
Content-Type: application/x-www-form-urlencoded

t=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl
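To make the byte-match filter above concrete, here is an added Python re-implementation of the same test (this is not tcpdump's code and not part of the original post): it derives the payload offset from byte 12 of the TCP header exactly as the expression does, then compares the first four payload bytes with "POST". The segment builder, its port numbers and the sample requests are constructed for the example.

```python
import struct

POST_MAGIC = 0x504F5354  # the bytes b"POST" read as one big-endian 32-bit integer

def tcp_payload_offset(segment: bytes) -> int:
    """Byte offset of the payload inside a TCP segment, i.e. (tcp[12] & 0xf0) >> 2.
    The high nibble of byte 12 is the data offset in 32-bit words; shifting right
    by 2 instead of 4 multiplies that word count by 4 and yields bytes directly."""
    return (segment[12] & 0xF0) >> 2

def matches_post_filter(segment: bytes) -> bool:
    """Same test as tcpdump's 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354':
    load the 4 bytes where the payload starts and compare them with "POST"."""
    off = tcp_payload_offset(segment)
    if len(segment) < off + 4:
        return False  # BPF treats an out-of-range load as a non-match as well
    return struct.unpack("!I", segment[off:off + 4])[0] == POST_MAGIC

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment (no IP header): fixed ports, zero seq/ack/checksum,
    PSH|ACK flags like the capture above; options are padded to a 32-bit boundary
    and the data offset field is set to match."""
    options += b"\x00" * (-len(options) % 4)
    assert len(options) <= 40, "TCP options are limited to 40 bytes"
    data_offset_words = 5 + len(options) // 4
    offset_and_flags = (data_offset_words << 12) | 0x18  # PSH (0x08) | ACK (0x10)
    header = struct.pack("!HHIIHHHH", 53259, 80, 0, 0, offset_and_flags, 4117, 0, 0)
    return header + options + payload

# Constructed samples. The capture above carries options [nop,nop,TS ...]:
# 1 + 1 + 10 = 12 bytes, so the payload starts at byte 32, not at byte 20.
# A fixed offset such as tcp[20:4] would miss it; the computed offset does not.
ts_options = b"\x01\x01\x08\x0a" + b"\x00" * 8
post_segment = build_segment(b"POST http://energy.tv.weibo.cn/ssvote HTTP/1.1\r\n", ts_options)
get_segment = build_segment(b"GET / HTTP/1.1\r\n", ts_options)
ack_only = build_segment(b"", ts_options)
```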
2. Packets on port 9022, where FPM listens
tcpdump -i any -nn -A port 9022
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:14:10.203895 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [S], seq 919808982, win 32792, options [mss 16396,sackOK,TS val 686112372 ecr 0,nop,wscale 7], length 0
E..<..@.@.'...........#>6.+...............@.... (.>t........
17:14:10.203910 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [S.], seq 803449973, ack 919808983, win 32768, options [mss 16396,sackOK,TS val 686112372 ecr 686112372,nop,wscale 7], length 0
E..<..@.@.<.........#>../..u6.+...........@.... (.>t(.>t....
17:14:10.203923 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [.], ack 1, win 257, options [nop,nop,TS val 686112372 ecr 686112372], length 0
E..4..@.@.'...........#>6.+./..v....u9..... (.>t(.>t
17:14:10.203956 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [P.], seq 1:937, ack 1, win 257, options [nop,nop,TS val 686112372 ecr 686112372], length 936
E.....@.@.#v..........#>6.+./..v........... (.>t(.>t.....................@.. .REQUEST_ID.>QUERY_STRINGaid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102..REQUEST_METHODPOST.!CONTENT_TYPEapplication/x-www-form-urlencoded..CONTENT_LENGTH55. SCRIPT_NAME/index.php.FREQUEST_URI/ssvote?aid=1&immersiveScroll=150&topnavstyle=1&display=0&retcode=6102..DOCUMENT_URI/index.php/s+DOCUMENT_ROOT/data1/www/htdocs/energy.tv.weibo.cn/public..SERVER_PROTOCOLHTTP/1.1..GATEWAY_INTERFACECGI/1.1..SERVER_SOFTWAREnginxSERVER_ADDR10.235.25.242..SERVER_PORT80..SERVER_NAMEenergy.tv.weibo.cn.5SCRIPT_FILENAME/data1/www/htdocs/energy.tv.weibo.cn/public/index.php .PATH_INFO/ssvote .HTTP_HOSTenergy.tv.weibo.cn..HTTP_USER_AGENTcurl/7.51.0..HTTP_ACCEPT*/*. HTTP_PROXY_CONNECTIONKeep-Alive..HTTP_CONTENT_LENGTH55.!HTTP_CONTENT_TYPEapplication/x-www-form-urlencoded.............7..t=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl.........
17:14:10.203964 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [.], ack 937, win 271, options [nop,nop,TS val 686112372 ecr 686112372], length 0
E..4..@.@...........#>../..v6./.....q...... (.>t(.>t
17:14:10.217823 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [P.], seq 1:257, ack 937, win 271, options [nop,nop,TS val 686112386 ecr 686112372], length 256
E..4..@.@...........#>../..v6./......(..... (.>.(.>t........Content-type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache

PHP recive: t = debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsalmonl param t lens = 53...............qqq
17:14:10.217832 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [.], ack 257, win 265, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@.'...........#>6././..v... pm..... (.>.(.>.
17:14:10.217853 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [F.], seq 257, ack 937, win 271, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@...........#>../..v6./.....pf..... (.>.(.>.
17:14:10.217929 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [F.], seq 937, ack 258, win 265, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@.'...........#>6././..w... pk..... (.>.(.>.
17:14:10.217967 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [.], ack 938, win 271, options [nop,nop,TS val 686112386 ecr 686112386], length 0
E..4..@.@...........#>../..w6./.....pe..... (.>.(.>.
IV. Summary
0. If you find that no packets are being captured, try -i any.
1. For capturing inside a Docker container, many sources say you need nsenter to enter the container's network namespace; in testing it was not needed.
2. Printing packet contents with -A or -X is very useful.
3. The Flags after the destination port are the TCP flag bits:
Value   Flag   Description
S       SYN    Connection start
F       FIN    Connection finish
P       PUSH   Data push
R       RST    Connection reset
.       ACK    Acknowledgment
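As an added example (not part of the original post), here is a small Python parser for the default tcpdump line format described in section I together with the flag letters in the table above; it goes beyond the table by also mapping the remaining letters tcpdump prints (U, W, E) and runs on abridged lines constructed from the port 9022 capture in section III.

```python
import re

# Flag letters as tcpdump prints them, mapped to TCP flag names; U, W and E are not in the table above
TCP_FLAGS = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK",
             "U": "URG", "W": "CWR", "E": "ECE"}

# timestamp IP src.sport > dst.dport: Flags [..] ...  (ports are service names unless -nn is used)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line: str):
    """Split one default-format tcpdump TCP line into its fields; None for other lines (DNS, ARP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    raw = fields["flags"]
    fields["flags"] = [] if raw == "none" else [TCP_FLAGS.get(c, c) for c in raw]
    return fields

def summarize(lines) -> list:
    """(src, dst, flag names) per TCP line, which makes handshakes and teardowns easy to spot."""
    parsed = (parse_line(line) for line in lines)
    return [(p["src"] + ":" + p["sport"], p["dst"] + ":" + p["dport"], p["flags"]) for p in parsed if p]

# Constructed sample: lines abridged from the port 9022 capture above, plus one non-TCP DNS line
SAMPLE = """\
17:14:10.203895 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [S], seq 919808982, win 32792, length 0
17:14:10.203910 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [S.], seq 803449973, ack 919808983, win 32768, length 0
17:14:10.203923 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [.], ack 1, win 257, length 0
17:14:10.203956 IP 127.0.0.1.53643 > 127.0.0.1.9022: Flags [P.], seq 1:937, ack 1, win 257, length 936
17:14:10.217853 IP 127.0.0.1.9022 > 127.0.0.1.53643: Flags [F.], seq 257, ack 937, win 271, length 0
15:39:09.821134 IP i.rprank.tv.weibo.com.41331 > 172.16.139.249.domain: 59855+ PTR? 160.77.222.10.in-addr.arpa. (44)
""".splitlines()
```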
V. Open questions
0. Port 9022, which FPM listens on, could only be captured with -i any; how do you find out which interface it is on?
1. Filtering port 9022, which FPM listens on, with tcp[tcpflags] captured no data; the FastCGI request forwarded by Nginx is presumably not an HTTP POST request.
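On the second open question: what the -A dump in section III shows between Nginx and php-fpm is FastCGI, so the stream begins with a FastCGI record header rather than with "POST", and the method only appears as a name/value pair inside a FCGI_PARAMS record. The following added Python example (not from the original post, Nginx or php-fpm) builds and parses such records on a constructed stream carrying the same parameter values as the capture.

```python
import struct
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5  # record types (FastCGI spec, section 8)

def encode_length(n: int) -> bytes:
    # lengths below 128 use one byte; longer ones use four bytes with the top bit set
    return bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)

def decode_length(buf: bytes, pos: int):
    if buf[pos] < 128:
        return buf[pos], pos + 1
    return struct.unpack("!I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4

def fcgi_record(rtype: int, request_id: int, content: bytes) -> bytes:
    # 8-byte header: version, type, requestId, contentLength, paddingLength, reserved
    padding = -len(content) % 8
    header = struct.pack("!BBHHBB", 1, rtype, request_id, len(content), padding, 0)
    return header + content + b"\x00" * padding

def fcgi_params(params: dict) -> bytes:
    # FCGI_PARAMS body: nameLength valueLength name value, repeated. REQUEST_METHOD=POST becomes
    # b"\x0e\x04REQUEST_METHODPOST", the "..REQUEST_METHODPOST" fragment visible in the dump
    out = b""
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        out += encode_length(len(n)) + encode_length(len(v)) + n + v
    return out

def parse_params(body: bytes) -> dict:
    params, pos = {}, 0
    while pos < len(body):
        nlen, pos = decode_length(body, pos)
        vlen, pos = decode_length(body, pos)
        params[body[pos:pos + nlen].decode()] = body[pos + nlen:pos + nlen + vlen].decode()
        pos += nlen + vlen
    return params

def split_records(stream: bytes) -> list:
    # walk the stream header by header and return (type, content) for each record
    out, pos = [], 0
    while pos + 8 <= len(stream):
        _ver, rtype, _rid, clen, plen, _ = struct.unpack("!BBHHBB", stream[pos:pos + 8])
        out.append((rtype, stream[pos + 8:pos + 8 + clen]))
        pos += 8 + clen + plen
    return out

# Constructed sample stream carrying the values Nginx passed to php-fpm in the capture above
sample_params = fcgi_params({"REQUEST_METHOD": "POST", "SCRIPT_NAME": "/index.php",
                             "CONTENT_TYPE": "application/x-www-form-urlencoded"})
sample_stream = (fcgi_record(FCGI_BEGIN_REQUEST, 1, b"\x00\x01" + b"\x00" * 6)  # role 1 = responder
                 + fcgi_record(FCGI_PARAMS, 1, sample_params) + fcgi_record(FCGI_STDIN, 1, b"t=debug"))
```

Because the first four bytes of the stream are the record header (version 1, type 1), a filter that compares the payload start with "POST" cannot match FastCGI traffic.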
VI. Good reference material
0. Look at some usage examples
man tcpdump | less -Ip examples
References:
https://en.wikipedia.org/wiki/Tcpdump
https://zh.wikipedia.org/wiki/Tcpdump
Vbird's Linux Private Kitchen (《鸟哥Linux私房菜》)
GeekTime: Linux Performance Optimization - How to analyze network traffic with tcpdump and Wireshark
GeekTime: How to analyze network packets with tcpdump
Juejin: A very detailed guide to tcpdump, the packet-capture tool
Juejin: Linux basics: capturing packets with tcpdump
Juejin: A quick and practical tcpdump command reference
Capturing with tcpdump and decoding with Wireshark
Jianshu: Viewing HTTP requests and responses with tcpdump