2.6 tcpdump: Monitoring Network Traffic

 

2.6.1 Command details

Function description:

  • tcpdump is a packet capture and analysis tool. It captures the complete headers of the packets travelling over the network so that they can be analysed. It supports filtering by network layer, protocol, host, port and so on, and supports and / or / not logical expressions to help pick out the relevant information.
  • When tcpdump runs it first switches the network card into promiscuous mode. Because it changes the working mode of the network interface, tcpdump must be run as root.

 

Option description:

Option                Description (entries marked @ are the important ones)
-A                    Print each packet in ASCII (the link-layer header is not shown). Convenient for viewing the contents when capturing packets that carry web page data
-c <count>            Exit after receiving the specified number of packets @
-e                    Include the link-layer header of each packet in the printed line
-i <interface>        Specify the network interface to listen on @
-n                    Do not resolve DNS names, which speeds up the display @
-nn                   Do not convert protocol and port numbers to names either @
-q                    Quick output: show only a brief protocol summary per packet, so the output is shorter @
-s <snaplen>          Set the capture length per packet; the default is 68 bytes if not set, and 0 selects a suitable length automatically
-t                    Do not print a timestamp on each output line
-tt                   Print an unformatted timestamp on each output line
-ttt                  Print the delay between the current line and the previous line
-tttt                 Print the date in front of the timestamp on each line
-ttttt                Print the delay between the current line and the first line
-v                    Show detailed information while the command runs
-vv                   Show more detailed information than -v
-vvv                  Show more detailed output than -vv

 

2.6.2 Usage examples

(1) Running tcpdump with no arguments to monitor the network

[root@localhost ~]# tcpdump    # by default, starting tcpdump with no arguments monitors every packet passing through the first network interface

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:12:45.464963 IP localhost.ssh > localhost.50832: Flags [P.], seq 898292388:898292596, ack 861396487, win 317, length 208
05:12:45.465055 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 523, length 0
05:12:45.465215 IP localhost.57595 > localhost.domain: 4104+ PTR? 254.0.168.192.in-addr.arpa. (44)
05:12:45.467851 IP localhost.domain > localhost.57595: 4104 1/0/0 PTR localhost. (67)
05:12:45.467906 IP localhost.57067 > localhost.domain: 107+ PTR? 233.0.168.192.in-addr.arpa. (44)
05:12:45.469444 IP localhost.domain > localhost.57067: 107 1/0/0 PTR localhost. (67)
05:12:45.469504 IP localhost.34192 > localhost.domain: 2703+ PTR? 1.0.168.192.in-addr.arpa. (42)
05:12:45.621206 IP localhost.ssh > localhost.50832: Flags [P.], seq 3120:3280, ack 1, win 317, length 160
05:12:45.621258 IP localhost.50832 > localhost.ssh: Flags [.], ack 3280, win 524, length 0
05:12:45.636742 IP localhost.ssh > localhost.50832: Flags [P.], seq 3280:3536, ack 1, win 317, length 256
05:12:45.643843 IP localhost.50832 > localhost.ssh: Flags [P.], seq 1:65, ack 3536, win 523, length 64
05:12:45.643889 IP localhost.ssh > localhost.50832: Flags [P.], seq 3536:3696, ack 65, win 317, length 160
^C    # while tcpdump is running, press Ctrl+C to terminate it
29 packets captured    # the last three lines are the summary of the captured packets printed after Ctrl+C
32 packets received by filter
0 packets dropped by kernel

If you run tcpdump without a filter expression, the amount of output will be very large.

 

(2) Reducing the output

[root@localhost ~]# tcpdump -q    # by default tcpdump prints a lot of information; use the -q option for a more concise display

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:33:01.438200 IP localhost.ssh > localhost.50832: tcp 208
05:33:01.479036 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.494539 IP localhost.ssh > localhost.50832: tcp 176
05:33:01.510460 IP localhost.ssh > localhost.50832: tcp 112
05:33:01.510907 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.525789 IP localhost.ssh > localhost.50832: tcp 176
05:33:01.541450 IP localhost.ssh > localhost.50832: tcp 112
05:33:01.541548 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.557049 IP localhost.ssh > localhost.50832: tcp 176
05:33:01.574173 IP localhost.ssh > localhost.50832: tcp 112
05:33:01.574486 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.583765 IP localhost.50832 > localhost.ssh: tcp 64
05:33:01.583857 IP localhost.ssh > localhost.50832: tcp 176
^C
24 packets captured
26 packets received by filter
0 packets dropped by kernel

[root@localhost ~]# tcpdump -c 5    # -c sets the number of packets to capture, so Ctrl+C is not needed

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:34:24.515192 IP localhost.ssh > localhost.50832: Flags [P.], seq 898300004:898300212, ack 861398503, win 317, length 208
05:34:24.515301 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 519, length 0
05:34:24.515445 IP localhost.60389 > localhost.domain: 26412+ PTR? 254.0.168.192.in-addr.arpa. (44)
05:34:24.518180 IP localhost.domain > localhost.60389: 26412 1/0/0 PTR localhost. (67)
05:34:24.518247 IP localhost.38804 > localhost.domain: 7473+ PTR? 233.0.168.192.in-addr.arpa. (44)
5 packets captured
10 packets received by filter
0 packets dropped by kernel

 

(3) Monitoring packets received on a specified interface

[root@Mr_chen ~]# tcpdump -i eth0    # -i selects the network interface to monitor

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:46:06.865643 IP localhost.ssh > localhost.50832: Flags [P.], seq 898335828:898336036, ack 861403175, win 317, length 208
05:46:06.865721 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 524, length 0
05:46:06.865876 IP localhost.37090 > localhost.domain: 16313+ PTR? 254.0.168.192.in-addr.arpa. (44)
^C
49 packets captured
52 packets received by filter
0 packets dropped by kernel

The fields of the output mean the following:

  • 05:46:06.865643: the current time, accurate to the microsecond
  • IP localhost.ssh > localhost.50832: data sent from the SSH port of host localhost to port 50832 of localhost; ">" shows the direction of the data flow
  • Flags [P.]: the flag bits of the TCP segment; S stands for SYN, F for FIN, P for PUSH, R for RST, and "." means no flag is set
  • seq: the sequence number of the data carried in the packet
  • ack: the next sequence number expected from the peer
  • win: the size of the receive-buffer window
  • length: the length of the packet data

 

(4) Monitoring packets of a specified host

[root@Mr_chen ~]# tcpdump -n -c 5 host 192.168.0.254    # -n disables DNS resolution to speed up the display. The keyword for a specific host is host, followed directly by a host name or IP address. This command monitors all packets sent and received by host 192.168.0.254

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:18:59.812585 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 898389300:898389508, ack 861410071, win 317, length 208
06:18:59.812763 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 208, win 524, length 0
06:18:59.813478 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 208:496, ack 1, win 317, length 288
06:18:59.814441 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 496:672, ack 1, win 317, length 176
06:18:59.814534 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 672, win 522, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

[root@Mr_chen ~]# tcpdump -n -c 5 src host 192.168.0.254    # monitor only packets sent by 192.168.0.254, i.e. with source address 192.168.0.254; the keyword is src (source address)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:19:45.439633 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 898393156, win 522, length 0
06:19:45.511489 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 161, win 521, length 0
06:19:45.589521 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 321, win 520, length 0
06:19:45.667712 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 481, win 520, length 0
06:19:45.733979 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 641, win 519, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

[root@Mr_chen ~]# tcpdump -n -c 5 dst host 192.168.0.254    # monitor only packets received by 192.168.0.254, i.e. with destination address 192.168.0.254; the keyword is dst (destination)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:21:33.783811 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 1885784800:1885785008, ack 322191067, win 317, length 208
18:21:33.785709 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 208:400, ack 1, win 317, length 192
18:21:33.786677 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 400:576, ack 1, win 317, length 176
18:21:33.787676 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 576:752, ack 1, win 317, length 176
18:21:33.788684 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 752:928, ack 1, win 317, length 176
5 packets captured
5 packets received by filter
0 packets dropped by kernel

 

(5) Monitoring packets on a specified port

[root@Mr_chen ~]# tcpdump -nn -c 5 port 22    # -nn: no DNS resolution and no conversion of port numbers to service names; port selects the port to monitor

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:27:25.472624 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 1886385856:1886386064, ack 322195131, win 317, length 208
18:27:25.472764 IP 192.168.0.254.55962 > 192.168.0.233.22: Flags [.], ack 208, win 522, length 0
18:27:25.473731 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 208:496, ack 1, win 317, length 288
18:27:25.474746 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 496:672, ack 1, win 317, length 176
18:27:25.474836 IP 192.168.0.254.55962 > 192.168.0.233.22: Flags [.], ack 672, win 520, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

 

(6) Monitoring packets of a specified protocol

[root@Mr_chen ~]# tcpdump -n -c 5 arp    # monitor ARP packets; the filter expression is simply arp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:29:08.056959 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:08.978765 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:09.900334 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:10.822093 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:12.050836 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
5 packets captured
5 packets received by filter
0 packets dropped by kernel

[root@Mr_chen ~]# tcpdump -n -c 5 icmp    # monitor ICMP packets (to see the output below, ping this machine from another host)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:30:55.576828 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19956, length 40
18:30:55.576844 IP 192.168.0.233 > 192.168.0.254: ICMP echo reply, id 1, seq 19956, length 40
18:30:56.578427 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19958, length 40
18:30:56.578445 IP 192.168.0.233 > 192.168.0.254: ICMP echo reply, id 1, seq 19958, length 40
18:30:57.582167 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19960, length 40
5 packets captured
6 packets received by filter
0 packets dropped by kernel

Common protocol keywords include ip, arp, icmp, tcp, udp and so on.

 

(7) Case study: using tcpdump captures to walk through TCP connection setup and teardown

1) The three phases of a normal TCP connection

  • TCP three-way handshake
  • Data transfer
  • TCP four-way close

 

2) TCP connection diagram

The TCP connection state machine is shown in the figure below.

[Figure: TCP connection state diagram (image not included in this copy)]

 

 



3) TCP flags

  • SYN (Synchronize Sequence Numbers): valid only during the three-way handshake that establishes a TCP connection. It signals a new TCP connection request.
  • ACK (Acknowledgement Number): the acknowledgement flag for a TCP request; it also tells the peer that all data so far has been received successfully.
  • FIN (FINish): used to end a TCP session. The corresponding port nevertheless remains open, ready to receive further data.

 

4) Capturing TCP traffic with tcpdump

[root@Mr_chen www]# tcpdump tcp port 80 or dst 192.168.0.114 -i eth0 -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
# Capture analysis: the three-way handshake
22:38:18.564320 ARP, Reply 192.168.0.233 is-at 00:0c:29:a8:ca:50, length 28    # an ARP reply sent to the requesting MAC address, telling the peer this machine's MAC address
22:38:18.564418 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [S], seq 3675775834, win 14600, options [mss 1460,sackOK,TS val 4294710555 ecr 0,nop,wscale 6], length 0    # 192.168.0.114 (the client) opens a connection from ephemeral port 52367 to the listening port 80 of this machine 192.168.0.233 (the server). The client's initial sequence number is 3675775834, its sliding window is 14600 bytes (the size of the TCP receive buffer, used for TCP congestion control), its MSS is 1460 (the largest segment it can receive), and [S] = [SYN] (connection request flag)
22:38:18.564434 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [S.], seq 2909831439, ack 3675775835, win 14480, options [mss 1460,sackOK,TS val 15157720 ecr 4294710555,nop,wscale 6], length 0    # the server's reply to the connection request, carrying the ack for the previous packet (the client's initial sequence number + 1, i.e. 3675775835, the sequence number the server expects to receive next; this is how TCP keeps the byte stream in order). The server's initial sequence number is 2909831439 and its MSS is also 1460
22:38:18.564541 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294710556 ecr 15157720], length 0    # the client acknowledges once more and the TCP three-way handshake is complete. "." means no flag is set

The data transfer phase follows:

22:38:18.564654 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [P.], seq 1:169, ack 1, win 229, options [nop,nop,TS val 4294710557 ecr 15157720], length 168    # the client sends its request, 168 bytes long. [P] = [PUSH] (data transfer flag)
22:38:18.564658 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [.], ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 0    # the server tells the client that it received the request and acknowledges the 168 bytes sent so far
22:38:18.564707 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 1:237, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 236    # the server's reply packet, 236 bytes long
22:38:18.564755 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 237:258, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 21
22:38:18.564773 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 237, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0
22:38:18.564818 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 258, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0

The four-way close follows:

22:38:18.564946 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [F.], seq 169, ack 258, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0    # the client sends a close request; F = FIN (disconnect flag)
22:38:18.564956 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [F.], seq 258, ack 170, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 0    # the server responds, acknowledging the client's close request, and also sends its own FIN to close. (Only when the server has not yet finished transmitting do these appear as two separate exchanges; if the server has already finished sending its data when the client requests the close, it replies directly with the FIN close flag, as here)
22:38:18.565022 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 259, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0    # the client responds with an ACK and the four-way close is complete
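To make the field layout from section (3) and the handshake / data / teardown phases from section (7) concrete, here is a small added Python example (not part of the original tutorial) that parses tcpdump text lines of the kind shown above, classifies each packet by its Flags field, and tracks one connection from SYN to the final ACK. The sample lines are the packets of the HTTP connection captured above, abridged to those that change state; the regex is an assumption matched against this page's output format only.

```python
import re

# One tcpdump TCP line as printed on this page (works with or without -nn); optional fields come back as None.
TCP_LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
                      r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+).*, length (?P<length>\d+)$")

def parse_line(line):
    """Split one tcpdump TCP line into its fields (numbers as int); None for the banner, ARP or ICMP lines."""
    m = TCP_LINE.match(line.strip())
    return None if m is None else {k: int(v) if v and v.isdigit() else v for k, v in m.groupdict().items()}

def classify(pkt):
    """Map the Flags field to the handshake / data / teardown role explained in section (7)."""
    f = pkt["flags"]
    if "S" in f:
        return "SYN-ACK" if "." in f else "SYN"  # [S] opens the connection, [S.] answers it
    if "F" in f or "R" in f:
        return "FIN" if "F" in f else "RST"
    return "DATA" if pkt["length"] > 0 else "ACK"  # [P.] with payload vs a bare [.] acknowledgement

def track_connections(lines):
    """Group packets per (client, server) flow; the SYN decides which side is the client."""
    flows = {}
    for pkt in filter(None, map(parse_line, lines)):
        role = classify(pkt)
        if role == "SYN":
            flows[(pkt["src"], pkt["dst"])] = {"roles": [], "c2s": 0, "s2c": 0}
        for (client, server), st in flows.items():
            if {pkt["src"], pkt["dst"]} == {client, server}:
                st["roles"].append(role)
                st["c2s" if pkt["src"] == client else "s2c"] += pkt["length"]  # payload bytes per direction
    for st in flows.values():
        r = st["roles"]
        st["handshake"] = r[:3] == ["SYN", "SYN-ACK", "ACK"]   # three-way handshake seen in order
        st["closed"] = r.count("FIN") == 2 and r[-1] == "ACK"  # both FINs plus the final ACK
    return flows

# Constructed sample: the HTTP connection from section (7), abridged to the packets that change state.
SAMPLE = """\
22:38:18.564418 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [S], seq 3675775834, win 14600, options [mss 1460,sackOK,TS val 4294710555 ecr 0,nop,wscale 6], length 0
22:38:18.564434 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [S.], seq 2909831439, ack 3675775835, win 14480, options [mss 1460,sackOK,TS val 15157720 ecr 4294710555,nop,wscale 6], length 0
22:38:18.564541 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294710556 ecr 15157720], length 0
22:38:18.564654 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [P.], seq 1:169, ack 1, win 229, options [nop,nop,TS val 4294710557 ecr 15157720], length 168
22:38:18.564707 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 1:237, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 236
22:38:18.564755 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 237:258, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 21
22:38:18.564946 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [F.], seq 169, ack 258, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0
22:38:18.564956 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [F.], seq 258, ack 170, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 0
22:38:18.565022 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 259, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0
""".splitlines()
```

Feeding `track_connections` the output of `tcpdump -n` saved to a file gives, per flow, whether the handshake completed, how many payload bytes went each way (here 168 from client to server and 257 back, matching the final ack 258), and whether both sides closed.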

 

Tip:

tcpdump is a very powerful and handy command, so please spend the effort to master it. Of course, mastering it well also requires a certain amount of networking knowledge.

Stay focused on the work!