Analysing traffic with the tcpdump capture tool
Lab environment:
Host: 192.168.122.1
Virtual machine: 192.168.122.15
tcpdump -h
# print the usage summary and the available options
tcpdump version 4.1-PRE-CVS_2012_02_01
libpcap version 1.0.0
Usage: tcpdump [-aAdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -M secret ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
[ -y datalinktype ] [ -z command ] [ -Z user ]
[ expression ]
tcpdump -D
# list the interfaces currently available for capture
1.eth0
2.usbmon1 (USB bus number 1)
3.any (Pseudo-device that captures on all interfaces)
4.lo
tcpdump -i virbr0 host 192.168.122.15
# capture on the virbr0 virtual bridge interface, keeping only packets to or from 192.168.122.15
# on 192.168.122.15 run: ping 192.168.122.1 and the packets show up in the capture
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:06:12.814214 IP instructor.example.com.47822 > bogon.ssh: Flags [P.], seq 667390582:667390630, ack 2212608986, win 396, options [nop,nop,TS val 5874253 ecr 4241995], length 48
10:06:12.816535 IP bogon.ssh >instructor.example.com.47822: Flags [P.], seq 1:49, ack 48, win 407, options [nop,nop,TS val 4247409 ecr 5874253], length 48
10:06:12.816577 IP instructor.example.com.47822 > bogon.ssh: Flags [.], ack 49, win 396, options [nop,nop,TS val 5874255 ecr 4247409], length 0
…
Note that in the output above the IP addresses have been replaced by host names. To skip the reverse DNS lookups, use:
tcpdump -n -nn -i virbr0 host 192.168.122.15
# -n disables host-name resolution, -nn additionally disables port-name (service) resolution
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:07:02.234243 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [P.], seq 667390630:667390678, ack 2212609498, win 421, options [nop,nop,TS val 5923673 ecr 4248411], length 48
10:07:02.236534 IP 192.168.122.15.22 > 192.168.122.1.47822: Flags [P.], seq 1:65, ack 48, win 407, options [nop,nop,TS val 4296829 ecr 5923673], length 64
10:07:02.236584 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [.], ack 65, win 421, options [nop,nop,TS val 5923675 ecr 4296829], length 0
10:07:02.461253 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [P.], seq 48:96, ack 65, win 421, options [nop,nop,TS val 5923900 ecr 4296829], length 48
10:07:02.463533 IP 192.168.122.15.22 > 192.168.122.1.47822: Flags [P.], seq 65:129, ack 96, win 407, options [nop,nop,TS val 4297056 ecr 5923900], length 64
10:07:02.463581 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [.], ack 129, win 421, options [nop,nop,TS val 5923902 ecr 4297056], length 0
tcpdump -n -nn -i virbr0 not tcp port 22
# capture on the local virtual bridge interface, excluding TCP traffic on port 22 (the SSH session itself)
# below is the result after 192.168.122.15 pings 192.168.122.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:37:14.263530 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5126, seq 1, length 64
12:37:14.263571 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5126, seq 1, length 64
12:37:15.263538 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5126, seq 2, length 64
12:37:15.263587 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5126, seq 2, length 64
tcpdump -n -nn -i virbr0 host 192.168.122.15 and not tcp port 22
# capture traffic of 192.168.122.15 on virbr0, excluding TCP port 22; the two filter terms must be joined with "and"
# below is the result after 192.168.122.15 pings 192.168.122.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:44:33.900685 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5894, seq 1, length 64
12:44:33.900733 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5894, seq 1, length 64
12:44:34.900555 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5894, seq 2, length 64
12:44:34.900612 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5894, seq 2, length 64
tcpdump -n -nn -i virbr0 " tcp and (host 192.168.122.15 and not host 192.168.122.1 )"
# capture the TCP packets of 192.168.122.15 while excluding everything involving 192.168.122.1
# when 192.168.122.1 telnets to port 21 on 192.168.122.15 nothing is shown, because that host is filtered out;
# only when another host, 192.168.122.139, telnets to port 21 on 192.168.122.15 does the output below appear
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
# the TCP three-way handshake: [S] from the client, [S.] (SYN-ACK) from the server, then a bare [.] ACK from the client
13:03:11.384187 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [S], seq 1611535590, win 14600, options [mss 1460,sackOK,TS val 14805925 ecr 0,nop,wscale 6], length 0
13:03:11.384357 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [S.], seq 3128557920, ack 1611535591, win 14480, options [mss 1460,sackOK,TS val 14865976 ecr 14805925,nop,wscale 6], length 0
13:03:11.384488 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [.], ack 1, win 229, options [nop,nop,TS val 14805926 ecr 14865976], length 0
13:03:11.386606 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [P.], seq 1:21, ack 1, win 227, options [nop,nop,TS val 14865979 ecr 14805926], length 20
13:03:11.386734 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [.], ack 21, win 229, options [nop,nop,TS val 14805928 ecr 14865979], length 0
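As an added example (not part of the original notes), a small Python parser for the -n -nn line format tcpdump prints above; it picks the [S] / [S.] / [.] sequence out of a capture so the handshake marked by hand above can be found automatically. The sample lines are copied from the captures on this page.

```python
import re

# Matches the one-line TCP summary tcpdump prints with -n -nn (numeric hosts and ports).
# Lines with resolved host names (no -n) and non-TCP lines (ICMP, banner) do not match.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_tcp_line(line):
    """Split one tcpdump TCP line into its fields; None for lines that are not TCP."""
    m = TCP_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_handshakes(lines):
    """Return (client, client_port, server, server_port) for every completed
    SYN -> SYN-ACK -> ACK exchange, in the order the final ACK was seen."""
    stage = {}        # (client, cport, server, sport) -> 1 after SYN, 2 after SYN-ACK
    completed = []
    for line in lines:
        rec = parse_tcp_line(line)
        if rec is None:
            continue
        fwd = (rec["src"], rec["sport"], rec["dst"], rec["dport"])  # sent by the client
        rev = (rec["dst"], rec["dport"], rec["src"], rec["sport"])  # sent by the server
        if rec["flags"] == "S":                              # [S]  client SYN
            stage[fwd] = 1
        elif rec["flags"] == "S." and stage.get(rev) == 1:   # [S.] server SYN-ACK
            stage[rev] = 2
        elif rec["flags"] == "." and stage.get(fwd) == 2:    # [.]  client's final ACK
            del stage[fwd]
            completed.append(fwd)
    return completed

# Sample input: an ICMP line and the port-21 handshake copied from the captures above;
# the trailing [P.] data segment shows that later traffic on the same flow is ignored.
SAMPLE = [
    "12:37:14.263530 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5126, seq 1, length 64",
    "13:03:11.384187 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [S], seq 1611535590, win 14600, options [mss 1460,sackOK,TS val 14805925 ecr 0,nop,wscale 6], length 0",
    "13:03:11.384357 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [S.], seq 3128557920, ack 1611535591, win 14480, options [mss 1460,sackOK,TS val 14865976 ecr 14805925,nop,wscale 6], length 0",
    "13:03:11.384488 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [.], ack 1, win 229, options [nop,nop,TS val 14805926 ecr 14865976], length 0",
    "13:03:11.386606 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [P.], seq 1:21, ack 1, win 227, options [nop,nop,TS val 14865979 ecr 14805926], length 20",
]
```

Feed it the output of tcpdump -n -nn line by line (for example via sys.stdin) to list every connection that completed its handshake during the capture.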
How vsftpd works:
The client connects to port 21 on the server. When the client wants to download data, the server opens an arbitrary unused TCP port and the data connection is set up on it. This avoids the queuing problem of early TCP-based downloads, where both the connection and the download went through port 21.