tcpdump Cheat Sheet

Basic

tcpdump -nvvv -i any

-n: print IP addresses and port numbers instead of hostnames and service names
-v: verbose; -vvv is the third (highest) verbosity level
-i: select the network interface to capture on

Filter by IP address and port

tcpdump -nvvv -i any -c 20 '(port 80 or port 443) and host 10.0.3.169'

Print packet contents in hex and ASCII

tcpdump -nvvv -i any -c 1 -XX 'port 80 and host 10.0.3.1'

-XX: print the packet contents, including the link-layer header, in hex and ASCII

The output looks something like this (it is extremely ugly):

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:51:15.697640 IP (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 483)
    10.0.3.1.45732 > 10.0.3.246.80: Flags [P.], cksum 0x1ccc (incorrect -> 0x2ce8), seq 3920159713:3920160144, ack 969855140, win 245, options [nop,nop,TS val 624122099 ecr 624117334], length 431
        0x0000:  0000 0001 0006 fe0a e2d1 8785 0000 0800  ................
        0x0010:  4500 01e3 d429 4000 4006 49f5 0a00 0301  E....)@.@.I.....
        0x0020:  0a00 03f6 b2a4 0050 e9a8 e3e1 39ce d0a4  .......P....9...
        0x0030:  8018 00f5 1ccc 0000 0101 080a 2533 58f3  ............%3X.
        0x0040:  2533 4656 4745 5420 2f73 6f6d 6570 6167  %3FVGET./somepag
        0x0050:  6520 4854 5450 2f31 2e31 0d0a 486f 7374  e.HTTP/1.1..Host
        0x0060:  3a20 3130 2e30 2e33 2e32 3436 0d0a 436f  :.10.0.3.246..Co
        0x0070:  6e6e 6563 7469 6f6e 3a20 6b65 6570 2d61  nnection:.keep-a
        0x0080:  6c69 7665 0d0a 4361 6368 652d 436f 6e74  live..Cache-Cont
        0x0090:  726f 6c3a 206d 6178 2d61 6765 3d30 0d0a  rol:.max-age=0..
        0x00a0:  4163 6365 7074 3a20 7465 7874 2f68 746d  Accept:.text/htm
        0x00b0:  6c2c 6170 706c 6963 6174 696f 6e2f 7868  l,application/xh
        0x00c0:  746d 6c2b 786d 6c2c 6170 706c 6963 6174  tml+xml,applicat
        0x00d0:  696f 6e2f 786d 6c3b 713d 302e 392c 696d  ion/xml;q=0.9,im
        0x00e0:  6167 652f 7765 6270 2c2a 2f2a 3b71 3d30  age/webp,*/*;q=0
        0x00f0:  2e38 0d0a 5573 6572 2d41 6765 6e74 3a20  .8..User-Agent:.
        0x0100:  4d6f 7a69 6c6c 612f 352e 3020 284d 6163  Mozilla/5.0.(Mac
        0x0110:  696e 746f 7368 3b20 496e 7465 6c20 4d61  intosh;.Intel.Ma
        0x0120:  6320 4f53 2058 2031 305f 395f 3529 2041  c.OS.X.10_9_5).A
        0x0130:  7070 6c65 5765 624b 6974 2f35 3337 2e33  ppleWebKit/537.3
        0x0140:  3620 284b 4854 4d4c 2c20 6c69 6b65 2047  6.(KHTML,.like.G
        0x0150:  6563 6b6f 2920 4368 726f 6d65 2f33 382e  ecko).Chrome/38.
        0x0160:  302e 3231 3235 2e31 3031 2053 6166 6172  0.2125.101.Safar
        0x0170:  692f 3533 372e 3336 0d0a 4163 6365 7074  i/537.36..Accept
        0x0180:  2d45 6e63 6f64 696e 673a 2067 7a69 702c  -Encoding:.gzip,
        0x0190:  6465 666c 6174 652c 7364 6368 0d0a 4163  deflate,sdch..Ac
        0x01a0:  6365 7074 2d4c 616e 6775 6167 653a 2065  cept-Language:.e
        0x01b0:  6e2d 5553 2c65 6e3b 713d 302e 380d 0a49  n-US,en;q=0.8..I
        0x01c0:  662d 4d6f 6469 6669 6564 2d53 696e 6365  f-Modified-Since
        0x01d0:  3a20 5375 6e2c 2031 3220 4f63 7420 3230  :.Sun,.12.Oct.20
        0x01e0:  3134 2031 393a 3430 3a32 3020 474d 540d  14.19:40:20.GMT.
        0x01f0:  0a0d 0a  
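The dump above is easier to reason about once it is turned back into bytes. The following is an added example, not code from the original page: it parses the -XX hex rows, walks the Linux cooked (LINUX_SLL) header, the IPv4 header and the TCP header, verifies the IP header checksum and pulls out the HTTP payload. The six rows embedded in it are copied from the dump above.

```python
import struct

# Six rows copied from the `tcpdump -XX` output above (link-type LINUX_SLL); the
# remaining rows of that dump can be pasted in the same way.
SAMPLE_DUMP = """\
        0x0000:  0000 0001 0006 fe0a e2d1 8785 0000 0800  ................
        0x0010:  4500 01e3 d429 4000 4006 49f5 0a00 0301  E....)@.@.I.....
        0x0020:  0a00 03f6 b2a4 0050 e9a8 e3e1 39ce d0a4  .......P....9...
        0x0030:  8018 00f5 1ccc 0000 0101 080a 2533 58f3  ............%3X.
        0x0040:  2533 4656 4745 5420 2f73 6f6d 6570 6167  %3FVGET./somepag
        0x0050:  6520 4854 5450 2f31 2e31 0d0a 486f 7374  e.HTTP/1.1..Host
"""

def parse_xx_dump(text):
    """Rebuild raw packet bytes from -X/-XX rows ('0xNNNN:  hex words  ascii')."""
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("0x") or ":" not in line:
            continue
        hex_words = line.split(":", 1)[1].strip().split("  ")[0]   # drop ASCII column
        raw += bytes.fromhex(hex_words.replace(" ", ""))
    return bytes(raw)

def inet_checksum(data):
    """RFC 1071 ones-complement sum; returns 0 over a header whose checksum field is right."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_sll_ipv4_tcp(pkt):
    """Walk Linux cooked header -> IPv4 -> TCP and return the fields worth checking."""
    proto = struct.unpack("!HHH8sH", pkt[:16])[4]     # SLL: type, hatype, halen, addr, proto
    if proto != 0x0800:
        raise ValueError("not IPv4: 0x%04x" % proto)
    ip = pkt[16:]
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                      # TCP header length incl. options
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ip_len": struct.unpack("!H", ip[2:4])[0],
        "ip_cksum_ok": inet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport,
        "psh": bool(tcp[13] & 0x08), "ack": bool(tcp[13] & 0x10),
        "payload": tcp[data_off:],
    }
```

The TCP checksum that tcpdump flags as incorrect in the dump above (0x1ccc, should be 0x2ce8) is the usual sign of checksum offload when capturing on the sending host: the NIC fills the field in after the capture point, so it is not evidence of corruption.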

Print packet contents as ASCII only

tcpdump -nvvv -i any -c 1 -A 'port 80 and host 10.0.3.1'

Worked example

Capture a complete HTTP request and its response.

Start an HTTP server

With python3

Prepare a CGI script

cat <<eof > cgi-bin/helloworld.py
#!/usr/bin/env python
print('Content-type: text/html')
print()
print('hello world')
eof

Start http.server on port 9899 with CGI mode enabled

python -m http.server --cgi 9899

With Ncat

nc -vl 9899 -c 'echo -e "HTTP/1.1 200 OK\n\nhello world"'

Send the HTTP request with curl

Request the Python CGI script

curl -d'{"A": a, "B": b}' http://localhost:9899/cgi-bin/helloworld.py

Request the Ncat server

curl -d'{"A": a, "B": b}' http://localhost:9899

Capture with tcpdump

sudo tcpdump -iany -nvvv -A 'port 9899'

The output below contains, in full: 1. the TCP three-way handshake, 2. the headers and body of the HTTP request that was sent, 3. the headers and body of the HTTP response, 4. the TCP four-way teardown.

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:55:16.172743 IP (tos 0x0, ttl 64, id 2001, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [S], cksum 0xfe30 (incorrect -> 0xa737), seq 2474881011, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 0,nop,wscale 7], length 0
E..<..@.@.4...........&..............0.........
..."........................
11:55:16.172752 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [S.], cksum 0xfe30 (incorrect -> 0x7eab), seq 4251746053, ack 2474881012, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 65447970,nop,wscale 7], length 0
E..<..@.@.<.........&....l...........0.........
..."..."....................
11:55:16.172759 IP (tos 0x0, ttl 64, id 2002, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x50f0), seq 1, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@.@.4...........&......l.....V.(.....
..."..."................
11:55:16.172800 IP (tos 0x0, ttl 64, id 2003, offset 0, flags [DF], proto TCP (6), length 216)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [P.], cksum 0xfecc (incorrect -> 0x44a1), seq 1:165, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 164
E.....@.@.4K..........&......l.....V.......
..."..."POST / HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost:9899
Accept: */*
Content-Length: 16
Content-Type: application/x-www-form-urlencoded

{"A": a, "B": b}................
11:55:16.172805 IP (tos 0x0, ttl 64, id 55076, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5044), seq 1, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.$@.@.e.........&....l.........^.(.....
..."..."................
11:55:16.174520 IP (tos 0x0, ttl 64, id 55077, offset 0, flags [DF], proto TCP (6), length 81)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [P.], cksum 0xfe45 (incorrect -> 0xb7ca), seq 1:30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 29
E..Q.%@.@.e.........&....l.........^.E.....
..."..."HTTP/1.1 200 OK

hello world
................
11:55:16.174529 IP (tos 0x0, ttl 64, id 2004, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x502f), seq 165, ack 30, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@.@.4...........&......l.#...V.(.....
..."..."................
11:55:16.174608 IP (tos 0x0, ttl 64, id 55078, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [F.], cksum 0xfe28 (incorrect -> 0x5026), seq 30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.&@.@.e.........&....l.#.......^.(.....
..."..."................
11:55:16.174650 IP (tos 0x0, ttl 64, id 2005, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [F.], cksum 0xfe28 (incorrect -> 0x502d), seq 165, ack 31, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@.@.4...........&......l.$...V.(.....
..."..."................
11:55:16.174661 IP (tos 0x0, ttl 64, id 55079, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5025), seq 31, ack 166, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.'@.@.e.........&....l.$.......^.(.....
..."..."................
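To check the phases listed above mechanically rather than by eye, here is an added example (not part of the original post) that parses the per-segment summary lines tcpdump prints and labels each one as handshake, data, plain ack or teardown. The sample lines are condensed from the capture above (timestamps, cksum notes and TCP options dropped); the parser also accepts the unedited lines. One caveat it makes visible: on this loopback capture the teardown occupies three segments rather than four, because the client's FIN (seq 165, ack 31) also acknowledges the server's FIN.

```python
import re

# Condensed from the summary lines of this page's loopback capture (timestamps,
# cksum notes and TCP options dropped; the parser only needs what is left).
SAMPLE_LINES = """\
127.0.0.1.59340 > 127.0.0.1.9899: Flags [S], seq 2474881011, win 43690, length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [S.], seq 4251746053, ack 2474881012, win 43690, length 0
127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], seq 1, ack 1, win 342, length 0
127.0.0.1.59340 > 127.0.0.1.9899: Flags [P.], seq 1:165, ack 1, win 342, length 164
127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], seq 1, ack 165, win 350, length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [P.], seq 1:30, ack 165, win 350, length 29
127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], seq 165, ack 30, win 342, length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [F.], seq 30, ack 165, win 350, length 0
127.0.0.1.59340 > 127.0.0.1.9899: Flags [F.], seq 165, ack 31, win 342, length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], seq 31, ack 166, win 350, length 0
"""

HEADER = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Endpoints, flags and payload length of one 'src > dst: Flags [..]' line."""
    m = HEADER.search(line)
    if not m:
        return None          # 'IP (tos ...)' lines and -A payload text are skipped
    length = re.search(r"\blength (\d+)", line)
    return {"sport": int(m.group(2)), "dport": int(m.group(4)),
            "flags": m.group(5), "len": int(length.group(1)) if length else 0}

def classify_session(lines):
    """Label every segment as handshake, data, plain ack or teardown (small state machine)."""
    events, phase = [], "init"
    for rec in filter(None, map(parse_line, lines)):
        f = rec["flags"]
        if "S" in f:
            label, phase = ("handshake: SYN-ACK" if "." in f else "handshake: SYN"), "handshake"
        elif "F" in f:
            label, phase = "teardown: FIN", "teardown"
        elif "R" in f:
            label, phase = "reset", "teardown"
        elif rec["len"]:
            label, phase = "data %d bytes" % rec["len"], "established"
        elif phase == "handshake":
            label, phase = "handshake: ACK", "established"   # third segment of the handshake
        elif phase == "teardown":
            label = "teardown: ACK"                         # final ack of a FIN
        else:
            label = "ack"
        events.append((rec["sport"], rec["dport"], label))
    return events
```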
