tcpdump抓包以及端口查看的一些操作

1.tcpdump；

      nginx開啓後會佔用80端口，此時執行命令：tcpdump tcp port 80 

         結果如下：

[syswj@host ~]$ sudo tcpdump tcp port 80
[sudo] password for syswj: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Auto_eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

  採用tcpdump抓到大包會顯示到屏幕上：

1.在windows上通過telnet     ip    端口號  來連接linux上80端口運行的nginx服務器

      

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Auto_eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:14:23.406697 IP 192.168.137.1.7352 > 192.168.137.128.http: Flags [S], seq 322176964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:14:23.406740 IP 192.168.137.128.http > 192.168.137.1.7352: Flags [S.], seq 300095102, ack 322176965, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
14:14:23.406992 IP 192.168.137.1.7352 > 192.168.137.128.http: Flags [.], ack 1, win 256, length 0

這就是tcp的3次握手經過

2.退出windows上的telnet後：

14:16:37.910069 IP 192.168.137.1.7360 > 192.168.137.128.http: Flags [F.], seq 1, ack 1, win 256, length 0
14:16:37.910194 IP 192.168.137.128.http > 192.168.137.1.7360: Flags [F.], seq 1, ack 2, win 229, length 0
14:16:37.910854 IP 192.168.137.1.7360 > 192.168.137.128.http: Flags [.], ack 2, win 256, length 0

客戶端跟服務器發送一個FIN結束報文，服務器收到後，

3.在網頁上(windows)進入http:192.168.137.128

  進入的時候：

[sudo] password for syswj: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Auto_eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:23:09.504575 IP 192.168.137.1.rtps-dd-mt > 192.168.137.128.http: Flags [S], seq 4063271087, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:23:09.504610 IP 192.168.137.128.http > 192.168.137.1.rtps-dd-mt: Flags [S.], seq 1526809447, ack 4063271088, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
14:23:09.504867 IP 192.168.137.1.rtps-dd-mt > 192.168.137.128.http: Flags [.], ack 1, win 1024, length 0

  也是和上面一樣的3次握手

 關閉頁面，等待一段時間後：

14:24:09.565990 IP 192.168.137.128.http > 192.168.137.1.rtps-dd-mt: Flags [F.], seq 1, ack 1, win 229, length 0
14:24:09.566290 IP 192.168.137.1.rtps-dd-mt > 192.168.137.128.http: Flags [.], ack 2, win 1024, length 0

 再等待一段時間後： 

14:25:32.242143 IP 192.168.137.1.rtps-dd-mt > 192.168.137.128.http: Flags [F.], seq 1, ack 2, win 1024, length 0
14:25:32.242248 IP 192.168.137.128.http > 192.168.137.1.rtps-dd-mt: Flags [R], seq 1526809449, win 0, length 0

--因爲超時的原因服務器已經關閉了這個連接，此時客戶端再向服務器發送信息，服務器根本不識別這個客戶端，所以返回一個RST報文

關於端口的一些命令：

lsof  -i  :端口號    ----查看端口進程信息

關閉某個端口的進程：

  先用lsof -i:端口號 查出這個端口的進程，找出pid，然後kill -9 pid，關閉進程

  或者 直接: fuser -k 80/tcp     

查看端口進程：

  netstat -anp | grep 80