tcpdump Packet Capture Study Notes, Part 2 (Capture Practice: Capturing Under LNMP)

For a single HTTP POST request, tcpdump makes it easy to check whether Nginx received the complete data and whether FPM received the complete data.

Note: the LNMP test environment used below:
Nginx listens on port 80
PHP-FPM listens on port 9022
Nginx and FPM communicate over IP + port.

I. Simulating the request with curl

curl -x '10.235.25.242:80' 'http://energy.tv.weibo.cn/ssvote?aid=1' -d 't=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq'

# POST result printed by PHP
PHP recive: t = debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq

II. Capturing the POST data on port 80 (where Nginx listens) with tcpdump

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' -nn and port 80 and src host 10.222.77.160

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:10:35.025842 IP (tos 0x0, ttl 61, id 55994, offset 0, flags [DF], proto TCP (6), length 619)
    10.222.77.160.62930 > 10.235.25.242.80: Flags [P.], cksum 0xd697 (correct), seq 2027225327:2027225894, ack 3681519634, win 4117, options [nop,nop,TS val 884338733 ecr 577897190], length 567
E..k..@.=..w
.M.
......Px....o.............
4..-"r..POST http://energy.tv.weibo.cn/ssvote?aid=1 HTTP/1.1
Host: energy.tv.weibo.cn
User-Agent: curl/7.51.0
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 347
Content-Type: application/x-www-form-urlencoded

t=debugqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq

III. Capturing the data transferred on port 9022 (where FPM listens) with tcpdump

tcpdump -i any -nn -Xx port 9022
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:10:35.026177 IP 127.0.0.1.46147 > 127.0.0.1.9022: Flags [S], seq 3420317456, win 32792, options [mss 16396,sackOK,TS val 577897194 ecr 0,nop,wscale 7], length 0
	0x0000:  4500 003c e5fa 4000 4006 56bf 7f00 0001  E..<..@.@.V.....
	0x0010:  7f00 0001 b443 233e cbdd e710 0000 0000  .....C#>........
	0x0020:  a002 8018 dfc0 0000 0204 400c 0402 080a  ..........@.....
	0x0030:  2272 02ea 0000 0000 0103 0307            "r..........
11:10:35.026193 IP 127.0.0.1.9022 > 127.0.0.1.46147: Flags [S.], seq 4214014606, ack 3420317457, win 32768, options [mss 16396,sackOK,TS val 577897194 ecr 577897194,nop,wscale 7], length 0
	0x0000:  4500 003c 0000 4000 4006 3cba 7f00 0001  E..<..@.@.<.....
	0x0010:  7f00 0001 233e b443 fb2c c28e cbdd e711  ....#>.C.,......
	0x0020:  a012 8000 fcaf 0000 0204 400c 0402 080a  ..........@.....
	0x0030:  2272 02ea 2272 02ea 0103 0307            "r.."r......
11:10:35.026205 IP 127.0.0.1.46147 > 127.0.0.1.9022: Flags [.], ack 1, win 257, options [nop,nop,TS val 577897194 ecr 577897194], length 0
	0x0000:  4500 0034 e5fb 4000 4006 56c6 7f00 0001  E..4..@.@.V.....
	0x0010:  7f00 0001 b443 233e cbdd e711 fb2c c28f  .....C#>.....,..
	0x0020:  8010 0101 e4d3 0000 0101 080a 2272 02ea  ............"r..
	0x0030:  2272 02ea                                "r..
11:10:35.026237 IP 127.0.0.1.46147 > 127.0.0.1.9022: Flags [P.], seq 1:1121, ack 1, win 257, options [nop,nop,TS val 577897194 ecr 577897194], length 1120
	0x0000:  4500 0494 e5fc 4000 4006 5265 7f00 0001  E.....@.@.Re....
	0x0010:  7f00 0001 b443 233e cbdd e711 fb2c c28f  .....C#>.....,..
	0x0020:  8018 0101 0289 0000 0101 080a 2272 02ea  ............"r..
	0x0030:  2272 02ea 0101 0001 0008 0000 0001 0000  "r..............
	0x0040:  0000 0000 0104 0001 02d0 0000 0a00 5245  ..............RE
	0x0050:  5155 4553 545f 4944 0c05 5155 4552 595f  QUEST_ID..QUERY_
	0x0060:  5354 5249 4e47 6169 643d 310e 0452 4551  STRINGaid=1..REQ
	0x0070:  5545 5354 5f4d 4554 484f 4450 4f53 540c  UEST_METHODPOST.
	0x0080:  2143 4f4e 5445 4e54 5f54 5950 4561 7070  !CONTENT_TYPEapp
	0x0090:  6c69 6361 7469 6f6e 2f78 2d77 7777 2d66  lication/x-www-f
	0x00a0:  6f72 6d2d 7572 6c65 6e63 6f64 6564 0e03  orm-urlencoded..
	0x00b0:  434f 4e54 454e 545f 4c45 4e47 5448 3334  CONTENT_LENGTH34
	0x00c0:  370b 0a53 4352 4950 545f 4e41 4d45 2f69  7..SCRIPT_NAME/i
	0x00d0:  6e64 6578 2e70 6870 0b0d 5245 5155 4553  ndex.php..REQUES
	0x00e0:  545f 5552 492f 7373 766f 7465 3f61 6964  T_URI/ssvote?aid
	0x00f0:  3d31 0c11 444f 4355 4d45 4e54 5f55 5249  =1..DOCUMENT_URI
	0x0100:  2f69 6e64 6578 2e70 6870 2f73 7376 6f74  /index.php/ssvot
	0x0110:  650d 2b44 4f43 554d 454e 545f 524f 4f54  e.+DOCUMENT_ROOT
	0x0120:  2f64 6174 6131 2f77 7777 2f68 7464 6f63  /data1/www/htdoc
	0x0130:  732f 656e 6572 6779 2e74 762e 7765 6962  s/energy.tv.weib
	0x0140:  6f2e 636e 2f70 7562 6c69 630f 0853 4552  o.cn/public..SER
	0x0150:  5645 525f 5052 4f54 4f43 4f4c 4854 5450  VER_PROTOCOLHTTP
	0x0160:  2f31 2e31 1107 4741 5445 5741 595f 494e  /1.1..GATEWAY_IN
	0x0170:  5445 5246 4143 4543 4749 2f31 2e31 0f0b  TERFACECGI/1.1..
	0x0180:  5345 5256 4552 5f53 4f46 5457 4152 456e  SERVER_SOFTWAREn
	0x0190:  6769 6e78 2f31 2e34 2e37 0b0d 5245 4d4f  ginx/1.4.7..REMO
	0x01a0:  5445 5f41 4444 5231 302e 3232 322e 3737  TE_ADDR10.222.77
	0x01b0:  2e31 3630 0b05 5245 4d4f 5445 5f50 4f52  .160..REMOTE_POR
	0x01c0:  5436 3239 3330 0b0d 5345 5256 4552 5f41  T62930..SERVER_A
	0x01d0:  4444 5231 302e 3233 352e 3235 2e32 3432  DDR10.235.25.242
	0x01e0:  0b02 5345 5256 4552 5f50 4f52 5438 300b  ..SERVER_PORT80.
	0x01f0:  1253 4552 5645 525f 4e41 4d45 656e 6572  .SERVER_NAMEener
	0x0200:  6779 2e74 762e 7765 6962 6f2e 636e 0f35  gy.tv.weibo.cn.5
	0x0210:  5343 5249 5054 5f46 494c 454e 414d 452f  SCRIPT_FILENAME/
	0x0220:  6461 7461 312f 7777 772f 6874 646f 6373  data1/www/htdocs
	0x0230:  2f65 6e65 7267 792e 7476 2e77 6569 626f  /energy.tv.weibo
	0x0240:  2e63 6e2f 7075 626c 6963 2f69 6e64 6578  .cn/public/index
	0x0250:  2e70 6870 0907 5041 5448 5f49 4e46 4f2f  .php..PATH_INFO/
	0x0260:  7373 766f 7465 0912 4854 5450 5f48 4f53  ssvote..HTTP_HOS
	0x0270:  5465 6e65 7267 792e 7476 2e77 6569 626f  Tenergy.tv.weibo
	0x0280:  2e63 6e0f 0b48 5454 505f 5553 4552 5f41  .cn..HTTP_USER_A
	0x0290:  4745 4e54 6375 726c 2f37 2e35 312e 300b  GENTcurl/7.51.0.
	0x02a0:  0348 5454 505f 4143 4345 5054 2a2f 2a15  .HTTP_ACCEPT*/*.
	0x02b0:  0a48 5454 505f 5052 4f58 595f 434f 4e4e  .HTTP_PROXY_CONN
	0x02c0:  4543 5449 4f4e 4b65 6570 2d41 6c69 7665  ECTIONKeep-Alive
	0x02d0:  1303 4854 5450 5f43 4f4e 5445 4e54 5f4c  ..HTTP_CONTENT_L
	0x02e0:  454e 4754 4833 3437 1121 4854 5450 5f43  ENGTH347.!HTTP_C
	0x02f0:  4f4e 5445 4e54 5f54 5950 4561 7070 6c69  ONTENT_TYPEappli
	0x0300:  6361 7469 6f6e 2f78 2d77 7777 2d66 6f72  cation/x-www-for
	0x0310:  6d2d 7572 6c65 6e63 6f64 6564 0104 0001  m-urlencoded....
	0x0320:  0000 0000 0105 0001 015b 0500 743d 6465  .........[..t=de
	0x0330:  6275 6771 7171 7171 7171 7171 7171 7171  bugqqqqqqqqqqqqq
	0x0340:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0350:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0360:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0370:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0380:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0390:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x03a0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x03b0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x03c0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x03d0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x03e0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x03f0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0400:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0410:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0420:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0430:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0440:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0450:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0460:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0470:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0480:  7171 7171 7171 7100 0000 0000 0105 0001  qqqqqqq.........
	0x0490:  0000 0000                                ....
11:10:35.026245 IP 127.0.0.1.9022 > 127.0.0.1.46147: Flags [.], ack 1121, win 274, options [nop,nop,TS val 577897194 ecr 577897194], length 0
	0x0000:  4500 0034 c065 4000 4006 7c5c 7f00 0001  E..4.e@.@.|\....
	0x0010:  7f00 0001 233e b443 fb2c c28f cbdd eb71  ....#>.C.,.....q
	0x0020:  8010 0112 e062 0000 0101 080a 2272 02ea  .....b......"r..
	0x0030:  2272 02ea                                "r..
11:10:35.038955 IP 127.0.0.1.9022 > 127.0.0.1.46147: Flags [P.], seq 1:553, ack 1121, win 274, options [nop,nop,TS val 577897207 ecr 577897194], length 552
	0x0000:  4500 025c c066 4000 4006 7a33 7f00 0001  E..\.f@.@.z3....
	0x0010:  7f00 0001 233e b443 fb2c c28f cbdd eb71  ....#>.C.,.....q
	0x0020:  8018 0112 0051 0000 0101 080a 2272 02f7  .....Q......"r..
	0x0030:  2272 02ea 0106 0001 020b 0500 436f 6e74  "r..........Cont
	0x0040:  656e 742d 7479 7065 3a20 7465 7874 2f68  ent-type:.text/h
	0x0050:  746d 6c3b 2063 6861 7273 6574 3d75 7466  tml;.charset=utf
	0x0060:  2d38 0d0a 4361 6368 652d 436f 6e74 726f  -8..Cache-Contro
	0x0070:  6c3a 206e 6f2d 6361 6368 652c 206d 7573  l:.no-cache,.mus
	0x0080:  742d 7265 7661 6c69 6461 7465 0d0a 4578  t-revalidate..Ex
	0x0090:  7069 7265 733a 2053 6174 2c20 3236 204a  pires:.Sat,.26.J
	0x00a0:  756c 2031 3939 3720 3035 3a30 303a 3030  ul.1997.05:00:00
	0x00b0:  2047 4d54 0d0a 5072 6167 6d61 3a20 6e6f  .GMT..Pragma:.no
	0x00c0:  2d63 6163 6865 0d0a 0d0a 5048 5020 7265  -cache....PHP.re
	0x00d0:  6369 7665 3a20 7420 3d20 6465 6275 6771  cive:.t.=.debugq
	0x00e0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x00f0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0100:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0110:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0120:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0130:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0140:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0150:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0160:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0170:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0180:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0190:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x01a0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x01b0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x01c0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x01d0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x01e0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x01f0:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0200:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0210:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0220:  7171 7171 7171 7171 7171 7171 7171 7171  qqqqqqqqqqqqqqqq
	0x0230:  7171 710a 0a70 6172 616d 2074 206c 656e  qqq..param.t.len
	0x0240:  7320 3d20 3334 3500 0000 0000 0103 0001  s.=.345.........
	0x0250:  0008 0000 0000 0000 0063 732f            .........cs/
11:10:35.038964 IP 127.0.0.1.46147 > 127.0.0.1.9022: Flags [.], ack 553, win 265, options [nop,nop,TS val 577897207 ecr 577897207], length 0
	0x0000:  4500 0034 e5fd 4000 4006 56c4 7f00 0001  E..4..@.@.V.....
	0x0010:  7f00 0001 b443 233e cbdd eb71 fb2c c4b7  .....C#>...q.,..
	0x0020:  8010 0109 de29 0000 0101 080a 2272 02f7  .....)......"r..
	0x0030:  2272 02f7                                "r..
11:10:35.038975 IP 127.0.0.1.9022 > 127.0.0.1.46147: Flags [F.], seq 553, ack 1121, win 274, options [nop,nop,TS val 577897207 ecr 577897207], length 0
	0x0000:  4500 0034 c067 4000 4006 7c5a 7f00 0001  E..4.g@.@.|Z....
	0x0010:  7f00 0001 233e b443 fb2c c4b7 cbdd eb71  ....#>.C.,.....q
	0x0020:  8011 0112 de1f 0000 0101 080a 2272 02f7  ............"r..
	0x0030:  2272 02f7                                "r..
11:10:35.039064 IP 127.0.0.1.46147 > 127.0.0.1.9022: Flags [F.], seq 1121, ack 554, win 265, options [nop,nop,TS val 577897207 ecr 577897207], length 0
	0x0000:  4500 0034 e5fe 4000 4006 56c3 7f00 0001  E..4..@.@.V.....
	0x0010:  7f00 0001 b443 233e cbdd eb71 fb2c c4b8  .....C#>...q.,..
	0x0020:  8011 0109 de27 0000 0101 080a 2272 02f7  .....'......"r..
	0x0030:  2272 02f7                                "r..
11:10:35.039103 IP 127.0.0.1.9022 > 127.0.0.1.46147: Flags [.], ack 1122, win 274, options [nop,nop,TS val 577897207 ecr 577897207], length 0
	0x0000:  4500 0034 c068 4000 4006 7c59 7f00 0001  E..4.h@.@.|Y....
	0x0010:  7f00 0001 233e b443 fb2c c4b8 cbdd eb72  ....#>.C.,.....r
	0x0020:  8010 0112 de1e 0000 0101 080a 2272 02f7  ............"r..
	0x0030:  2272 02f7                                "r..
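
The payload in the dump above is a sequence of FastCGI records (8-byte header, content, padding). As an added example that is not part of the original post, this Python sketch parses such records and compares the CONTENT_LENGTH declared in PARAMS with the bytes carried in STDIN, which is the completeness check this capture is for. The sample streams are constructed to follow the record layout visible in the dump (BEGIN_REQUEST, PARAMS, empty PARAMS, STDIN with 5 padding bytes, empty STDIN) with only two parameters; all function names are this example's own.

```python
import struct

PARAMS, STDIN = 4, 5  # FastCGI record types (1 is BEGIN_REQUEST)

def read_len(buf, pos):
    """A name/value length is 1 byte, or 4 bytes when its high bit is set."""
    if buf[pos] & 0x80:
        return struct.unpack_from("!I", buf, pos)[0] & 0x7FFFFFFF, pos + 4
    return buf[pos], pos + 1

def parse_records(stream):
    """Yield (type, content) per record; raises if the stream is truncated."""
    pos = 0
    while pos < len(stream):
        version, rtype, _req_id, clen, plen = struct.unpack_from("!BBHHBx", stream, pos)
        content = stream[pos + 8:pos + 8 + clen]
        if version != 1 or len(content) < clen:
            raise ValueError("truncated or non-FastCGI data at offset %d" % pos)
        yield rtype, content
        pos += 8 + clen + plen

def parse_params(buf):
    """Decode the name-value pairs carried in the PARAMS records."""
    params, pos = {}, 0
    while pos < len(buf):
        nlen, pos = read_len(buf, pos)
        vlen, pos = read_len(buf, pos)
        params[buf[pos:pos + nlen].decode()] = buf[pos + nlen:pos + nlen + vlen].decode()
        pos += nlen + vlen
    return params

def check_request(stream):
    """Return (CONTENT_LENGTH declared in PARAMS, bytes carried in STDIN)."""
    chunks = {PARAMS: b"", STDIN: b""}
    for rtype, content in parse_records(stream):
        if rtype in chunks:
            chunks[rtype] += content
    declared = int(parse_params(chunks[PARAMS]).get("CONTENT_LENGTH", "0"))
    return declared, len(chunks[STDIN])

# Constructed sample streams modeled on the Nginx -> FPM packet (request id 1).
def record(rtype, content, pad=0):
    return struct.pack("!BBHHBx", 1, rtype, 1, len(content), pad) + content + bytes(pad)

BODY = b"t=debug" + b"q" * 340  # 347 bytes, the length of the POST body
HEAD = (record(1, struct.pack("!HB5x", 1, 0))  # BEGIN_REQUEST, role 1, flags 0
        + record(PARAMS, b"\x0e\x04REQUEST_METHODPOST\x0e\x03CONTENT_LENGTH347")
        + record(PARAMS, b""))
COMPLETE = HEAD + record(STDIN, BODY, pad=5) + record(STDIN, b"")
SHORT = HEAD + record(STDIN, BODY[:200]) + record(STDIN, b"")
```

check_request(COMPLETE) returns matching values, while check_request(SHORT) shows a body that stopped at 200 of the 347 declared bytes.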

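Note: Nginx forwards the HTTP request it received to PHP-FPM. As I understand it, this hop is no longer an HTTP request but a FastCGI request, so filtering for POST request data on port 9022 captures nothing.
Capturing port 9022 directly does capture the packets: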

tcpdump tcp  -s 0 -i any -nn  port 9022
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:22:20.043606 IP 127.0.0.1.46421 > 127.0.0.1.9022: Flags [S], seq 2857616840, win 32792, options [mss 16396,sackOK,TS val 578602211 ecr 0,nop,wscale 7], length 0
11:22:20.043621 IP 127.0.0.1.9022 > 127.0.0.1.46421: Flags [S.], seq 2338582113, ack 2857616841, win 32768, options [mss 16396,sackOK,TS val 578602211 ecr 578602211,nop,wscale 7], length 0
11:22:20.043634 IP 127.0.0.1.46421 > 127.0.0.1.9022: Flags [.], ack 1, win 257, options [nop,nop,TS val 578602211 ecr 578602211], length 0
11:22:20.043666 IP 127.0.0.1.46421 > 127.0.0.1.9022: Flags [P.], seq 1:1121, ack 1, win 257, options [nop,nop,TS val 578602212 ecr 578602211], length 1120
11:22:20.043674 IP 127.0.0.1.9022 > 127.0.0.1.46421: Flags [.], ack 1121, win 274, options [nop,nop,TS val 578602212 ecr 578602212], length 0
11:22:20.057865 IP 127.0.0.1.9022 > 127.0.0.1.46421: Flags [P.], seq 1:553, ack 1121, win 274, options [nop,nop,TS val 578602226 ecr 578602212], length 552
11:22:20.057875 IP 127.0.0.1.46421 > 127.0.0.1.9022: Flags [.], ack 553, win 265, options [nop,nop,TS val 578602226 ecr 578602226], length 0
11:22:20.057886 IP 127.0.0.1.9022 > 127.0.0.1.46421: Flags [F.], seq 553, ack 1121, win 274, options [nop,nop,TS val 578602226 ecr 578602226], length 0
11:22:20.057984 IP 127.0.0.1.46421 > 127.0.0.1.9022: Flags [F.], seq 1121, ack 554, win 265, options [nop,nop,TS val 578602226 ecr 578602226], length 0
11:22:20.058028 IP 127.0.0.1.9022 > 127.0.0.1.46421: Flags [.], ack 1122, win 274, options [nop,nop,TS val 578602226 ecr 578602226], length 0

Filtering for POST data on port 9022 captures nothing:

tcpdump -i any -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' -nn and port 9022
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
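
Why this capture stays empty, as an added Python example that is not part of the original post: the filter reads the TCP header length from tcp[12] and compares the first four payload bytes with "POST", and on port 9022 the payload starts with a FastCGI record header (01 01 00 01) instead. FCGI_SEGMENT is copied from the hex dump of the port 9022 capture; HTTP_SEGMENT is constructed from the fields tcpdump printed for the port 80 packet; the function names are this example's own.

```python
import struct

POST_MAGIC = 0x504F5354  # ASCII "POST", the constant the filter compares against

def first_payload_word(tcp_segment):
    """Evaluate tcp[((tcp[12:1] & 0xf0) >> 2):4] on a raw TCP segment.

    tcp[12] holds the data offset in its high nibble, counted in 32-bit words;
    masking with 0xf0 and shifting right by 2 gives the header length in bytes.
    Returns None when the 4-byte load runs past the segment, which BPF treats
    as "no match".
    """
    if len(tcp_segment) < 13:
        return None
    header_len = (tcp_segment[12] & 0xF0) >> 2
    if len(tcp_segment) < header_len + 4:
        return None
    return struct.unpack_from("!I", tcp_segment, header_len)[0]

def matches_post_filter(tcp_segment):
    return first_payload_word(tcp_segment) == POST_MAGIC

# TCP header (32 bytes) and first 8 payload bytes of the Nginx -> FPM packet,
# copied from the hex dump of the port 9022 capture.
FCGI_SEGMENT = bytes.fromhex(
    "b443233ecbdde711fb2cc28f8018010102890000"
    "0101080a227202ea227202ea"
    "0101000100080000")

# Constructed: header rebuilt from the fields tcpdump printed for the port 80
# packet (checksum zeroed), followed by the start of the request line.
HTTP_SEGMENT = (
    struct.pack("!HHIIBBHHH", 62930, 80, 2027225327, 3681519634, 0x80, 0x18, 4117, 0, 0)
    + bytes.fromhex("0101080a") + struct.pack("!II", 884338733, 577897190)
    + b"POST http://energy.tv.weibo.cn/ssvote?aid=1 HTTP/1.1\r\n")

BARE_ACK = FCGI_SEGMENT[:32]  # header only, like the length-0 ACK packets
```

The same comparison also misses any segment that does not begin with the request line, so the filter only sees the first segment of a POST.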

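IV. Summary
0. Packets do not necessarily go through the default interface, eth0. For example, capturing FPM's port 9022 on the default interface at first captured nothing; it only worked after adding -i any.
1. List the network interfaces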

tcpdump -D
1.eth0
2.docker0
3.nflog (Linux netfilter log (NFLOG) interface)
4.nfqueue (Linux netfilter queue (NFQUEUE) interface)
5.usbmon1 (USB bus number 1)
6.usbmon2 (USB bus number 2)
7.usbmon3 (USB bus number 3)
8.usbmon4 (USB bus number 4)
9.any (Pseudo-device that captures on all interfaces)
10.lo

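2. Only the request from the client to the server is an HTTP request; the request from Nginx to PHP-FPM is not an HTTP request but a FastCGI request.
3. Using tcpdump logical operators
Of the two commands below, the first does not need "and" and the second does; without it tcpdump reports a syntax error.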

tcpdump tcp  -s 0 -i any -nn  port 9022
tcpdump -i any -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' -nn and port 9022
