tcpdump 文档

https://www.tcpdump.org/manpages/tcpdump.1.html

tcpdump Flags:

TCP     Flag    tcpdump Flag    Meaning
SYN    S    Syn packet, a session establishment request.
ACK    A    Ack packet, acknowledge sender’s data.
FIN    F    Finish flag, indication of termination.
RESET    R    Reset, indication of immediate abort of conn.
PUSH    P    Push, immediate push of data from sender.
URGENT    U    Urgent, takes precedence over other data.
NONE    A dot .    Placeholder, usually used for ACK.

机器 A

192.168.75.119

场景1:抓取网卡 80 端口数据包,观察3次握手4次挥手过程

命令

tcpdump -nn -i venet0:0 port 80

命令解释

-nn 两个 n 表示不解析域名和端口。方便查看 IP 和端口号
-i 要抓取的接口,上述命令抓取 venet0:0 网卡
port 端口过滤器

机器 A 执行抓包命令,另开一个终端执行 curl 百度,以下为机器 A 抓包的输出

xxx@root:/tmp$ tcpdump -nn -s0 -i venet0:0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0:0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

19:38:15.662702 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [S], seq 380372445, win 14600, options [mss 1460,sackOK,TS val 3112001446 ecr 0,nop,wscale 7], length 0
19:38:15.674763 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [S.], seq 3139174922, ack 380372446, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
19:38:15.674795 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 1, win 115, length 0
19:38:15.674984 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [P.], seq 1:165, ack 1, win 115, length 164
19:38:15.682270 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], ack 165, win 944, length 0
19:38:15.683738 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], seq 1:1453, ack 165, win 944, length 1452
19:38:15.683755 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 1453, win 137, length 0
19:38:15.683763 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [P.], seq 1453:2782, ack 165, win 944, length 1329
19:38:15.683770 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 2782, win 160, length 0
19:38:15.684667 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [F.], seq 165, ack 2782, win 160, length 0
19:38:15.691683 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], ack 166, win 944, length 0
19:38:15.691786 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [F.], seq 2782, ack 166, win 944, length 0
19:38:15.691801 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 2783, win 160, length 0
19:38:18.699755 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [R], seq 3139177705, win 0, length 0

3 次握手过程

19:38:15.662702 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [S], seq 380372445, win 14600, options [mss 1460,sackOK,TS val 3112001446 ecr 0,nop,wscale 7], length 0
19:38:15.674763 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [S.], seq 3139174922, ack 380372446, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
19:38:15.674795 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 1, win 115, length 0

4 次挥手过程

19:38:15.684667 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [F.], seq 165, ack 2782, win 160, length 0
19:38:15.691683 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], ack 166, win 944, length 0
19:38:15.691786 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [F.], seq 2782, ack 166, win 944, length 0
19:38:15.691801 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 2783, win 160, length 0

场景2:分析 http 包

命令

tcpdump -nn -s0 -A -i venet0:0 port 80 

命令解释

-nn 两个 n 表示不解析域名和端口。方便查看 IP 和端口号
-s0 获取报文全部内容
-A 以ASCII格式打印每个数据包,方便查看数据包内容
-i 要抓取的接口,上述命令抓取 venet0:0 网卡
port 端口过滤器

机器 A 执行抓包命令,另开一个终端执行 curl 百度,以下为机器 A 抓包的输出

xxx@root:/tmp$ tcpdump -nn -s0 -A -i venet0:0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0:0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

20:02:49.878097 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [S], seq 4212612831, win 14600, options [mss 1460,sackOK,TS val 3113475661 ecr 0,nop,wscale 7], length 0
E..<..@.@.....Kw.e1....P..^.......9.z).........
...M........
20:02:49.886133 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [S.], seq 3330186074, ack 4212612832, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E .<..@.0..x.e1...Kw.P...~.Z..^... ..7......................
20:02:49.886168 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [.], ack 1, win 115, length 0
E..(..@.@.....Kw.e1....P..^..~.[P..sP...
20:02:49.886390 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [P.], seq 1:165, ack 1, win 115, length 164
E.....@.@.....Kw.e1....P..^..~.[P..s....GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: www.baidu.com
Accept: */*


20:02:49.894725 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [.], ack 165, win 944, length 0
E .(..@.'..q.e1...Kw.P...~.[.._.P...L...
20:02:49.896030 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [P.], seq 1:1441, ack 165, win 944, length 1440
E ....@.'....e1...Kw.P...~.[.._.P...J~..HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Wed, 27 Jan 2021 12:02:49 GMT
Etag: "588604c8-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/

<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>...........................</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=............ class
20:02:49.896052 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [.], ack 1441, win 137, length 0
E..(..@.@.....Kw.e1....P.._..~..P...J?..
20:02:49.896068 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [P.], seq 1441:2782, ack 165, win 944, length 1341
E .e..@.'..2.e1...Kw.P...~...._.P.......="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>......</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>......</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>......</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>......</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>......</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">......</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">............</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>............</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>.....................</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>............</a>&nbsp;...ICP...030173...&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>

20:02:49.896087 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [.], ack 2782, win 160, length 0
E..(..@.@.....Kw.e1....P.._..~.8P...D...
20:02:49.896665 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [F.], seq 165, ack 2782, win 160, length 0
E..(..@.@.....Kw.e1....P.._..~.8P...D...
20:02:49.904810 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [.], ack 166, win 944, length 0
E .(..@.'..n.e1...Kw.P...~.8.._.P...A...
20:02:49.905000 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [F.], seq 2782, ack 166, win 944, length 0
E .(..@.'..m.e1...Kw.P...~.8.._.P...A...
20:02:49.905014 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [.], ack 2783, win 160, length 0
E .(..@.@.I...Kw.e1....P.._..~.9P...D...
20:02:52.919455 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [R], seq 3330188857, win 0, length 0
E .(..@.0.Y..e1...Kw.P...~.9....P....2..

核心过程1:除去 3 次握手部分,往下看,机器 A 向百度发送 http 头

20:02:49.886390 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [P.], seq 1:165, ack 1, win 115, length 164
E.....@.@.....Kw.e1....P..^..~.[P..s....GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: www.baidu.com
Accept: */*

核心过程2:百度响应一个 ack 165 的包,然后向机器 A 发送,http 响应头、空行、响应内容

20:02:49.894725 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [.], ack 165, win 944, length 0
E .(..@.'..q.e1...Kw.P...~.[.._.P...L...
20:02:49.896030 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [P.], seq 1:1441, ack 165, win 944, length 1440
E ....@.'....e1...Kw.P...~.[.._.P...J~..HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Wed, 27 Jan 2021 12:02:49 GMT
Etag: "588604c8-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/

<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css>
(这个包还没结束,省略后面内容...)

结语

tcpdump 是很强大的抓包工具,参数特别多,上述仅列举了两种使用场景,可根据自己的需要举一反三。
如有什么疑问或者错误的地方,欢迎评论沟通交流。