tcpdump is a handy packet-capture tool on Linux and the BSDs. The session below was recorded on macOS (note the BSD-style interface names and the "BSD loopback" link type), but the commands are the same on Linux. Capturing requires root privileges.
The server program used below is tcpserv01.c and the client is tcpcli01.c (the echo client/server from UNIX Network Programming).
First, run tcpdump -D to list the machine's network interfaces:
sh-3.2# tcpdump -D
1.en0
2.bridge0
3.pktap0
4.en1
5.p2p0
6.lo0
Then run ifconfig to see which address belongs to each interface:
sh-3.2# ifconfig
lo0: flags=8049
options=3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=1
gif0: flags=8010
stf0: flags=0<> mtu 1280
en0: flags=8863
ether d0:e1:40:90:4e:24
inet6 fe80::d2e1:40ff:fe90:4e24%en0 prefixlen 64 scopeid 0x4
inet 192.168.30.102 netmask 0xffffff00 broadcast 192.168.30.255
nd6 options=1
media: autoselect
status: active
Two of these matter here: lo0 (127.0.0.1) carries traffic the machine sends to itself, and en0 (192.168.30.102) carries traffic arriving from the network. Since the client will connect to 127.0.0.1, capture on lo0 and filter on the server's port so that only traffic to or from port 9877 is shown:
tcpdump -i lo0 port 9877
(Adding -n stops tcpdump from resolving addresses to names, so you see 127.0.0.1 instead of "localhost"; -nn also skips port-name lookups. -w file.pcap writes the raw packets to a file for later analysis instead of printing them.)
sh-3.2# tcpdump -i lo0 port 9877
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
Next, start the server:
➜ tcpcliserv ./tcpserv01
and then the client:
➜ tcpcliserv ./tcpcli01 127.0.0.1
The capture now shows output:
sh-3.2# tcpdump -i lo0 port 9877
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
13:51:08.475530 IP localhost.51181 > localhost.9877: Flags [S], seq 2383495116, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 1146053386 ecr 0,sackOK,eol], length 0
13:51:08.475609 IP localhost.9877 > localhost.51181: Flags [S.], seq 725028019, ack 2383495117, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 1146053386 ecr 1146053386,sackOK,eol], length 0
13:51:08.475632 IP localhost.51181 > localhost.9877: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1146053386 ecr 1146053386], length 0
13:51:08.475652 IP localhost.9877 > localhost.51181: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1146053386 ecr 1146053386], length 0
14:18:40.247642 IP localhost.51181 > localhost.9877: Flags [F.], seq 1, ack 1, win 9186, options [nop,nop,TS val 1147699374 ecr 1146053386], length 0
14:18:40.247672 IP localhost.9877 > localhost.51181: Flags [.], ack 2, win 9186, options [nop,nop,TS val 1147699374 ecr 1147699374], length 0
14:18:40.247681 IP localhost.51181 > localhost.9877: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1147699374 ecr 1147699374], length 0
14:18:40.248278 IP localhost.9877 > localhost.51181: Flags [F.], seq 1, ack 2, win 9186, options [nop,nop,TS val 1147699374 ecr 1147699374], length 0
14:18:40.248304 IP localhost.51181 > localhost.9877: Flags [.], ack 2, win 9186, options [nop,nop,TS val 1147699374 ecr 1147699374], length 0
The server listens on port 9877; the client was given the ephemeral port 51181 by the kernel. The first three lines are the three-way handshake: the client's SYN ([S]), the server's SYN/ACK ([S.]) and the client's ACK ([.]). The fourth line, a second ACK from the server, acknowledges nothing new; the connection is established after the third line. The lines at 14:18:40 are the close when the client exits: the client's FIN ([F.]), the server's ACK, another redundant ACK from the client, then the server's FIN and the client's final ACK. Note that after the initial SYN tcpdump prints sequence and acknowledgement numbers relative to the initial sequence numbers (seq 1, ack 2); use -S to see the absolute values.
Notes:
The Flags field is a combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR) and E (ECN-Echo). A '.' stands for ACK, so [S.] is SYN+ACK, [F.] is FIN+ACK and [P.] is PUSH+ACK; if no flags are set at all, tcpdump prints 'none'.
Captures of several other cases follow.
When the client connects to the server:
14:27:10.280723 IP localhost.51628 > localhost.9877: Flags [S], seq 3242378970, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 1148208205 ecr 0,sackOK,eol], length 0
14:27:10.280772 IP localhost.9877 > localhost.51628: Flags [S.], seq 1396205182, ack 3242378971, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 1148208205 ecr 1148208205,sackOK,eol], length 0
14:27:10.280782 IP localhost.51628 > localhost.9877: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1148208205 ecr 1148208205], length 0
14:27:10.280791 IP localhost.9877 > localhost.51628: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1148208205 ecr 1148208205], length 0
When the client closes first:
14:31:58.549143 IP localhost.51651 > localhost.9877: Flags [F.], seq 1, ack 1, win 9186, options [nop,nop,TS val 1148494143 ecr 1148479561], length 0
14:31:58.549184 IP localhost.9877 > localhost.51651: Flags [.], ack 2, win 9186, options [nop,nop,TS val 1148494143 ecr 1148494143], length 0
14:31:58.549195 IP localhost.51651 > localhost.9877: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1148494143 ecr 1148494143], length 0
14:31:58.549456 IP localhost.9877 > localhost.51651: Flags [F.], seq 1, ack 2, win 9186, options [nop,nop,TS val 1148494143 ecr 1148494143], length 0
14:31:58.549477 IP localhost.51651 > localhost.9877: Flags [.], ack 2, win 9186, options [nop,nop,TS val 1148494143 ecr 1148494143], length 0
When the server closes first:
14:32:30.519533 IP localhost.9877 > localhost.51657: Flags [F.], seq 1, ack 1, win 9186, options [nop,nop,TS val 1148525891 ecr 1148519819], length 0
14:32:30.519567 IP localhost.51657 > localhost.9877: Flags [.], ack 2, win 9186, options [nop,nop,TS val 1148525891 ecr 1148525891], length 0
14:32:30.519580 IP localhost.9877 > localhost.51657: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1148525891 ecr 1148525891], length 0
Once the server has closed, the client sends a message and prints:
➜ tcpcliserv ./tcpcli01 127.0.0.1
jf
str_cli: server terminated prematurely
➜ tcpcliserv
The client ended passively; the capture shows:
14:32:30.519533 IP localhost.9877 > localhost.51657: Flags [F.], seq 1, ack 1, win 9186, options [nop,nop,TS val 1148525891 ecr 1148519819], length 0
14:32:30.519567 IP localhost.51657 > localhost.9877: Flags [.], ack 2, win 9186, options [nop,nop,TS val 1148525891 ecr 1148525891], length 0
14:32:30.519580 IP localhost.9877 > localhost.51657: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1148525891 ecr 1148525891], length 0
14:32:57.863413 IP localhost.51657 > localhost.9877: Flags [P.], seq 1:4, ack 2, win 9186, options [nop,nop,TS val 1148553080 ecr 1148525891], length 3
14:32:57.863458 IP localhost.9877 > localhost.51657: Flags [R], seq 2012492879, win 0, length 0
The three lines at 14:32:30 are the server's FIN and the ACKs seen before. At 14:32:57 the client sends its 3 bytes ("jf" plus the newline, [P.] length 3). The server's end of the connection is already closed, so the kernel answers the data with a reset ([R]); str_cli printed "server terminated prematurely" because its read returned end-of-file after the FIN, and any further write on that socket would fail.
There is a second effect: when the server closes first while the client is still connected, the server cannot be restarted. It fails with:
➜ tcpcliserv ./tcpserv01
bind error: Address already in use
➜ tcpcliserv
netstat shows the port is still in use:
tcp4 0 0 localhost.51699 localhost.9877 CLOSE_WAIT
That line is the client's end of the old connection (local port 51699, remote port 9877) in CLOSE_WAIT: it has received the server's FIN but has not closed. The server's end of the same connection still exists in the kernel with local port 9877 (FIN_WAIT_2 until the client closes, TIME_WAIT after that), and as long as any socket holds that port, bind() without SO_REUSEADDR fails with EADDRINUSE. Setting SO_REUSEADDR on the listening socket before bind() fixes it; here is the change:
const int on = 1;
listenfd = Socket(AF_INET, SOCK_STREAM, 0);
setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); /* must come before Bind(): lets the restarted server reclaim 9877 */
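Both effects above (the RST answering a write after the peer has closed, and the bind failure after the server's end closes first) can be reproduced in one process over loopback. The program below is an added example written for this page; it is not the UNP code and not the page's own. It builds a listener on 127.0.0.1 with a kernel-chosen port, connects a client to it, accepts the connection, then closes the server's end while the client's end stays open, which is exactly the state the netstat line shows. The function and struct names are my own, the 2-second poll timeouts and the 10 ms retry nap are assumptions about loopback timing, and the errno values named in the comments are what Linux and the BSDs return.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listener on 127.0.0.1 with a kernel-chosen port (SO_REUSEADDR on if reuse != 0),
 * one connected client and the accepted server-side socket. 0 on success, else -1. */
static int make_loopback_pair(int reuse, int *lfd, int *cfd, int *afd, struct sockaddr_in *bound)
{
    struct sockaddr_in sa = {0};                       /* port stays 0: the kernel picks a free one */
    socklen_t len = sizeof(*bound);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((*lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    /* Before bind(): the option is checked when the port is claimed, and accepted
     * sockets inherit it from the listener. */
    if (setsockopt(*lfd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0) return -1;
    if (bind(*lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) return -1;
    if (listen(*lfd, 1) < 0) return -1;
    if (getsockname(*lfd, (struct sockaddr *)bound, &len) < 0) return -1;
    if ((*cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(*cfd, (struct sockaddr *)bound, sizeof(*bound)) < 0) return -1; /* [S] [S.] [.] */
    return (*afd = accept(*lfd, NULL, NULL)) < 0 ? -1 : 0;
}

/* bind() a fresh socket to addr with SO_REUSEADDR on or off; returns 0 or errno. */
static int try_bind(const struct sockaddr_in *addr, int reuse)
{
    int fd, rc;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse));
    rc = bind(fd, (const struct sockaddr *)addr, sizeof(*addr)) < 0 ? errno : 0;
    close(fd);
    return rc;
}

struct restart_result { int without_reuse; int with_reuse; };
/* Server's end closes first ([F.]), client's end stays open, a new server instance
 * binds the same port: the page's "bind error: Address already in use". */
struct restart_result demo_restart_after_server_close(void)
{
    struct restart_result r = { -1, -1 };
    struct sockaddr_in addr;
    int lfd, cfd, afd;
    if (make_loopback_pair(1, &lfd, &cfd, &afd, &addr) < 0) return r;
    close(afd);                             /* sends FIN; lingers in FIN_WAIT_2, still owns the port */
    close(lfd);                             /* old listener gone; client's end sits in CLOSE_WAIT */
    r.without_reuse = try_bind(&addr, 0);   /* EADDRINUSE */
    r.with_reuse    = try_bind(&addr, 1);   /* 0: the restarted server reclaims its port */
    close(cfd);
    return r;
}

struct write_result { ssize_t eof_read; ssize_t first_send; int second_errno; };
/* Peer closed first and the client writes anyway: the page's [P.] length 3 answered
 * by [R], and str_cli's "server terminated prematurely". */
struct write_result demo_write_after_peer_close(void)
{
    struct write_result r = { -2, -2, 0 };
    struct sockaddr_in addr;
    struct pollfd pfd;
    int lfd, cfd, afd, i; char buf[16];
    if (make_loopback_pair(1, &lfd, &cfd, &afd, &addr) < 0) return r;
    close(afd); close(lfd);                 /* the server is gone */
    signal(SIGPIPE, SIG_IGN);               /* report the failed write instead of dying */
    pfd.fd = cfd; pfd.events = POLLIN;
    poll(&pfd, 1, 2000);                    /* the peer's FIN arrives on loopback at once */
    r.eof_read = recv(cfd, buf, sizeof(buf), 0);   /* 0: end of file, what readline returned */
    /* First write after the FIN is accepted locally ("jf" + newline = 3 bytes);
     * the closed server socket answers it with RST. */
    r.first_send = send(cfd, "jf\n", 3, 0);
    /* Wait until the RST has been processed: POLLHUP/POLLERR appear only then. */
    for (i = 0; i < 200; i++) {
        pfd.revents = 0;
        if (poll(&pfd, 1, 0) > 0 && (pfd.revents & (POLLHUP | POLLERR))) break;
        poll(NULL, 0, 10);                  /* 10 ms nap */
    }
    /* Second write fails: EPIPE (SIGPIPE if not ignored); some stacks report ECONNRESET. */
    r.second_errno = send(cfd, "jf\n", 3, 0) < 0 ? errno : 0;
    close(cfd);
    return r;
}

int main(void)
{
    struct restart_result rr = demo_restart_after_server_close();
    struct write_result wr = demo_write_after_peer_close();
    printf("bind without SO_REUSEADDR: %s\n", rr.without_reuse ? strerror(rr.without_reuse) : "ok");
    printf("bind with SO_REUSEADDR: %s\n", rr.with_reuse ? strerror(rr.with_reuse) : "ok");
    printf("recv: %zd, first send: %zd, second send: %s\n", wr.eof_read, wr.first_send,
           wr.second_errno ? strerror(wr.second_errno) : "ok");
    return 0;
}
```

Run it under tcpdump -i lo0 (or -i lo on Linux) with a port filter and you will see the same [F.], [P.] length 3 and [R] lines as on this page. Two caveats worth knowing: the kernel compares the option on the new socket with the option on the leftover socket from the previous instance (accepted sockets inherit it from their listener), so SO_REUSEADDR has to be on the listener from the first run, not only added after the error appears; and it only relaxes the conflict with those leftover connections. It does not let a second listener take over an address and port that another listener already holds, so it is the normal choice for a restartable server rather than a way for another local process to hijack the port.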
Continuing: when the server process that owns the connection is killed with kill pid, the kernel closes its sockets on exit, and the capture shows the same FIN exchange as an orderly close by the server:
14:46:20.625064 IP localhost.9877 > localhost.51848: Flags [F.], seq 1, ack 1, win 9186, options [nop,nop,TS val 1149349828 ecr 1149276896], length 0
14:46:20.625160 IP localhost.51848 > localhost.9877: Flags [.], ack 2, win 9186, options [nop,nop,TS val 1149349828 ecr 1149349828], length 0
14:46:20.625176 IP localhost.9877 > localhost.51848: Flags [.], ack 1, win 9186, options [nop,nop,TS val 1149349828 ecr 1149349828], length 0