
Capturing packets with tcpdump on the Linux command line (5)

Published: 2018-11-08 00:23  Category: 117  Source: Ricardo Gerardi

Of course, you can combine several conditions in one filter, using the logical operators and and or to build the rule. For example, to capture only HTTP packets coming from the source IP address 192.168.122.98:

  $ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
  10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0
  10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0
  10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1
  10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0
  10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0
  5 packets captured
  5 packets received by filter
  0 packets dropped by kernel

You can also use parentheses to build more complex filter rules, but in the shell you should wrap the whole filter in quotes so that the parentheses are not interpreted as a shell expression:

  $ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
  10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0
  10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0
  10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0
  10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1
  10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0
  5 packets captured
  5 packets received by filter
  0 packets dropped by kernel

In this example we capture only HTTP (port 80) packets whose source IP is either 192.168.122.98 or 54.204.39.132. This is an easy way to capture both directions of a conversation: the first filter above saw only the client's side, while this one also shows the server's SYN-ACK and ACKs.
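To make the difference between the two filters concrete, here is an added example (not part of the original article or of tcpdump) that parses tcpdump's one-line summary output and applies the same two predicates in Python: "src X and port 80" versus "port 80 and (src X or src Y)". The sample lines are constructed, modelled on the capture above, with one extra constructed connection to 203.0.113.5:443 that neither filter should match. Grouping the packets into flows and counting packets per direction is the check a responder would use to confirm that both sides of a conversation actually made it into the capture.

```python
import re
from collections import defaultdict

# Constructed sample output in tcpdump's default one-line summary format,
# modelled on the article's capture (same hosts and ports). The 443 line is
# a constructed connection that the port-80 filters must NOT match.
SAMPLE_LINES = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0
10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0
10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0
10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1
10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0
10:10:38.104410 IP 192.168.122.98.44120 > 203.0.113.5.443: Flags [S], seq 1020304050, win 29200, options [mss 1460,sackOK,TS val 123328453 ecr 0,nop,wscale 7], length 0
6 packets captured
"""

# One TCP summary line: timestamp, src.port > dst.port, flags, ..., length N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)"
)


def parse_summary_lines(text):
    """Turn tcpdump summary lines into dicts; banner/trailer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"], "length": int(d["length"]),
        })
    return packets


def filter_src_and_port(packets, src, port):
    """Equivalent of 'src <src> and port <port>': only one direction matches."""
    return [p for p in packets
            if p["src"] == src and port in (p["sport"], p["dport"])]


def filter_port_and_either_src(packets, port, src_a, src_b):
    """Equivalent of 'port <port> and (src <a> or src <b>)': both directions."""
    return [p for p in packets
            if port in (p["sport"], p["dport"]) and p["src"] in (src_a, src_b)]


def group_flows(packets):
    """Group packets by bidirectional (ip, port) pair, independent of direction."""
    flows = defaultdict(list)
    for p in packets:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        flows[key].append(p)
    return dict(flows)


def direction_counts(flow):
    """Packets per direction: a one-sided count means the filter missed a side."""
    counts = defaultdict(int)
    for p in flow:
        counts[f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]}'] += 1
    return dict(counts)


def handshake_complete(flow):
    """True if SYN, then SYN-ACK, then ACK appear in order in the flow."""
    flags = [p["flags"] for p in flow]
    try:
        i = flags.index("S")
        j = flags.index("S.", i)
        flags.index(".", j)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkts = parse_summary_lines(SAMPLE_LINES)
    one_way = filter_src_and_port(pkts, "192.168.122.98", 80)
    both_ways = filter_port_and_either_src(pkts, 80, "192.168.122.98", "54.204.39.132")
    print(f"src+port: {len(one_way)} packets, port+(src or src): {len(both_ways)} packets")
    for key, flow in group_flows(both_ways).items():
        print(key, direction_counts(flow), "handshake complete:", handshake_complete(flow))
```

Run it as a script, or pipe real `tcpdump -nn` output into parse_summary_lines; the regex only covers the IPv4 TCP line shape shown in the article, so UDP and IPv6 lines are silently skipped.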

5. Inspecting packet contents

In the examples above we built filters only from packet header information such as source address, destination address and port number. Sometimes, when troubleshooting a network connection, we need to look at the packet payload to determine what is actually being sent and received. tcpdump provides two options for viewing packet contents: -X prints the packet contents in hexadecimal, and -A prints them as ASCII.

For example, here is the content of an HTTP request:

  $ sudo tcpdump -i any -c10 -nn -A port 80
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
  13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0
  E..<..@.@.....zb6.'....P...@......r............
  ............................
  13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0
  E..<..@./..a6.'...zb.P..o..&...A..q a..........
  .R.W.......     ................
  13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0
  E..4..@.@.....zb6.'....P...Ao..'...........
  .....R.W................
  13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1
  E.....@.@..1..zb6.'....P...Ao..'...........
  .....R.WGET / HTTP/1.1
  User-Agent: Wget/1.14 (linux-gnu)
  Accept: */*
  Host: opensource.com
  Connection: Keep-Alive

  ................
  13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0
  E..4.F@./.."6.'...zb.P..o..'.......9.2.....
  .R.a....................
  13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found
  E....G@./...6.'...zb.P..o..'.......9.......
  .R.b....HTTP/1.1 302 Found
  Server: nginx
  Date: Sun, 23 Sep 2018 17:02:14 GMT
  Content-Type: text/html; charset=iso-8859-1
  Content-Length: 207
  X-Content-Type-Options: nosniff
  Location: https://opensource.com/
  Cache-Control: max-age=1209600
  Expires: Sun, 07 Oct 2018 17:02:14 GMT
  X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d
  X-Varnish: 632951979
  Age: 0
  Via: 1.1 varnish (Varnish/5.2)
  X-Cache: MISS
  Connection: keep-alive

  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>302 Found</title>
  </head><body>
  <h1>Found</h1>
  <p>The document has moved <a href="https://opensource.com/">here</a>.</p>
  </body></html>
  ................
  13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0
  E..4..@.@.....zb6.'....P....o..............
  .....R.b................
  13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0
  E..4..@.@.....zb6.'....P....o..............
  .....R.b................
  13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0
  E..4.H@./.. 6.'...zb.P..o..........9.I.....
  .R......................
  13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0
  E..4..@.@.....zb6.'....P....o..............
  .....R..................
  10 packets captured
  10 packets received by filter
  0 packets dropped by kernel

This is very useful for troubleshooting problems with plain-text HTTP API calls. Of course, if the traffic is encrypted, this output is of little use.
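The dotted lines in the output above are what -A makes of the IP and TCP headers, which are binary: every byte that is not printable becomes a dot. The added example below (my own code, not from the article or from tcpdump) reproduces the two renderings the text describes, an -X style hex-plus-ASCII dump and an -A style ASCII view, and applies them to two constructed payloads: the same plain-text HTTP request the article captured, and a block of constructed non-printable bytes standing in for an encrypted payload. The printable-byte ratio shows quantitatively why -A is informative for one and useless for the other. The CR/LF handling approximates tcpdump's ASCII printer (CR before LF is dropped, LF and tab pass through) and is an assumption about that behaviour, not copied from it.

```python
# Constructed sample 1: the plain-text HTTP request seen in the article's capture.
HTTP_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Wget/1.14 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Host: opensource.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed sample 2: 32 non-printable bytes standing in for an encrypted
# TLS application-data payload (the real thing would be high-entropy; here the
# values are simply chosen to be non-printable).
OPAQUE = bytes.fromhex("17030300") + bytes(range(0x80, 0x9c))


def is_graphic(b):
    """Printable ASCII excluding space, as tcpdump's hex/ASCII column treats it."""
    return 33 <= b <= 126


def hexdump(data, width=16):
    """Render bytes in tcpdump -X style: hex offset, 2-byte groups, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_part = " ".join(groups).ljust(width // 2 * 5 - 1)
        ascii_part = "".join(chr(b) if is_graphic(b) else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hex_part}  {ascii_part}")
    return "\n".join(lines)


def ascii_view(data):
    """Render bytes in tcpdump -A style (approximation, see lead-in)."""
    out = []
    for i, b in enumerate(data):
        if b == 0x0D:
            # CR: dropped when followed by LF (or at the end), a dot otherwise
            if i + 1 < len(data) and data[i + 1] != 0x0A:
                out.append(".")
        elif is_graphic(b) or b in (0x09, 0x20, 0x0A):
            out.append(chr(b))
        else:
            out.append(".")
    return "".join(out)


def printable_ratio(data):
    """Fraction of printable bytes: high for plain text, near zero for ciphertext."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


if __name__ == "__main__":
    for name, payload in (("HTTP request", HTTP_REQUEST), ("opaque payload", OPAQUE)):
        print(f"--- {name}: {len(payload)} bytes, printable ratio {printable_ratio(payload):.2f}")
        print(hexdump(payload))
        print(ascii_view(payload))
```

The HTTP request renders as the readable header block the article shows, while the opaque payload renders as a line of dots in both views; a payload whose printable ratio is near zero is the case where, as the text says, -A output will not help and you need the session keys or an endpoint-side log instead.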

6. Saving captured packets

(Editor: ASP站长网)
