Packet capture with tcpdump

tcpdump, as its name suggests, is a command-line tool for capturing TCP (and other) packets on Linux/Unix.

Identify the network interface

A machine may have several network interfaces, so the first step is to decide which one to capture on.

tcpdump -D

Output:

1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.bridge0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.utun1 [Up, Running]
8.en2 [Up, Running]
9.lo0 [Up, Running, Loopback]
10.gif0
11.stf0
12.XHC0
13.XHC20

Alternatively, use ifconfig to list the interfaces.

ifconfig

Output:

lo0: flags=8049 mtu 16384
    options=1203
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201
gif0: flags=8010 mtu 1280
stf0: flags=0<> mtu 1280
XHC0: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
en0: flags=8863 mtu 1500
    ether 38:f9:d3:5e:1c:57
    inet6 fe80::f6:8677:e17:918b%en0 prefixlen 64 secured scopeid 0x6
    inet 192.168.1.106 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=201
    media: autoselect
    status: active

lo0 is normally the local loopback interface (address 127.0.0.1). If you are accessing a service on your own machine via localhost/127.0.0.1, this is the interface to capture on.
For services on other hosts, pick an interface that has an inet line, that is, one with an IPv4 address assigned. On my system that is en0.

Try capturing

Now capture on the chosen interface. Note that tcpdump needs root privileges (sudo).

sudo tcpdump -i en0

Output:

10:08:05.858305 IP (tos 0x0, ttl 64, id 45595, offset 0, flags [none], proto TCP (6), length 40)
    localhost.54917 > 203.208.43.98.http: Flags [.], cksum 0x952a (correct), ack 4097259631, win 2048, length 0
10:08:05.859590 IP (tos 0x0, ttl 255, id 9880, offset 0, flags [none], proto UDP (17), length 72)
    localhost.61311 > dialdns.bta.net.cn.domain: 54149+ PTR? 98.43.208.203.in-addr.arpa. (44)
10:08:05.862766 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    dialdns.bta.net.cn.domain > localhost.61311: 54149 NXDomain 0/0/0 (44)
10:08:05.902532 IP (tos 0x0, ttl 64, id 55746, offset 0, flags [none], proto UDP (17), length 60)
    localhost.64834 > 123.58.9.77.https: UDP, length 32
10:08:05.943473 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has localhost tell localhost, length 28
^C
497 packets captured
497 packets received by filter
0 packets dropped by kernel

That captures far too many packets; the ones we are interested in are hard to find among them.

Filtering packets

A TCP connection is identified by its four-tuple: src host, src port, dst host, dst port.
tcpdump accepts several such conditions and lets you combine them logically.

sudo tcpdump -i lo0 src host localhost and dst host localhost and dst port 13

Output:

tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
10:13:36.886627 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->3cb6)!)
    localhost.55038 > localhost.daytime: Flags [S], cksum 0xfe34 (incorrect -> 0x2e11), seq 1671843223, win 65535, options [mss 16344,nop,wscale 6,nop,nop,TS val 527116560 ecr 0,sackOK,eol], length 0
10:13:36.886698 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
    localhost.55038 > localhost.daytime: Flags [.], cksum 0xfe28 (incorrect -> 0xcd34), seq 1671843224, ack 3182869411, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
10:13:36.886748 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
    localhost.55038 > localhost.daytime: Flags [.], cksum 0xfe28 (incorrect -> 0xcd1a), seq 0, ack 27, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
10:13:36.886755 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
    localhost.55038 > localhost.daytime: Flags [.], cksum 0xfe28 (incorrect -> 0xcd19), seq 0, ack 28, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
10:13:36.887031 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
    localhost.55038 > localhost.daytime: Flags [F.], cksum 0xfe28 (incorrect -> 0xcd18), seq 0, ack 28, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
^C
5 packets captured
44 packets received by filter
0 packets dropped by kernel

Wireshark

The tcpdump output is easier to inspect in Wireshark.
First install Wireshark: https://www.wireshark.org/#download
Then save the capture to a file with tcpdump's -w option.

sudo tcpdump -i lo0 -v -w tcpdump.out src host localhost and dst host localhost and dst port 13

Let's try viewing the saved file directly.

more tcpdump.out

Output:

"tcpdump.out" may be a binary file.  See it anyway?

The capture file is binary and not human-readable.
Open it in Wireshark instead.
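To show what is actually inside that binary file, and how the four-tuple filter from the previous section maps onto header fields, here is a small added example (my own code, not part of the original post or of tcpdump) that builds a constructed three-packet loopback capture in the pcap format tcpdump -w writes, parses it back, and applies the same "src host localhost and dst host localhost and dst port 13" filter. It assumes the classic pcap magic and the DLT_NULL (BSD loopback) link type shown in the lo0 output above; the nanosecond-magic variant is not handled.

```python
import struct

DLT_NULL = 0            # "link-type NULL (BSD loopback)" as tcpdump reports for lo0
PCAP_MAGIC = 0xa1b2c3d4  # classic pcap magic (microsecond timestamps)

def build_pcap(packets, linktype=DLT_NULL):
    """Assemble a pcap file: 24-byte global header followed by per-packet records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1563000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def tcp_over_loopback(src_ip, sport, dst_ip, dport, flags):
    """Constructed DLT_NULL frame: 4-byte AF_INET word, IPv4 header, TCP header, no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return struct.pack("<I", 2) + ip + tcp      # address family 2 = AF_INET, host order

def parse_pcap(data):
    """Yield (src, sport, dst, dport, tcp_flags) for each TCP/IPv4 packet in a DLT_NULL pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">"    # reads as 0xd4c3b2a1 if written big-endian
    if struct.unpack(end + "I", data[20:24])[0] != DLT_NULL:
        raise ValueError("example only decodes BSD loopback captures")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ip = pkt[4:]                              # skip the address-family word
        if ip[0] >> 4 != 4 or ip[9] != 6:         # only IPv4 carrying TCP (proto 6)
            continue
        ihl = (ip[0] & 0x0f) * 4
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield (src, sport, dst, dport, ip[ihl + 13])  # flags byte of the TCP header

def match_filter(pkt, src_host, dst_host, dst_port):
    """Equivalent of: src host X and dst host Y and dst port N."""
    src, _, dst, dport, _ = pkt
    return src == src_host and dst == dst_host and dport == dst_port

SAMPLE = build_pcap([                                # constructed sample capture
    tcp_over_loopback("127.0.0.1", 55038, "127.0.0.1", 13, 0x02),   # SYN to daytime
    tcp_over_loopback("127.0.0.1", 13, "127.0.0.1", 55038, 0x12),   # SYN-ACK reply
    tcp_over_loopback("127.0.0.1", 64834, "127.0.0.1", 80, 0x10),   # unrelated ACK
])

def filtered(data=SAMPLE):
    return [p for p in parse_pcap(data) if match_filter(p, "127.0.0.1", "127.0.0.1", 13)]
```

Only the first constructed packet survives the filter, just as only client-to-daytime packets appeared in the lo0 capture above; the reply from port 13 is dropped because its dst port is 55038.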


