tcpdump

Capturing and analysing network packets

Posted by kunnan on May 24, 2018

Analysing tcpdump output

  • the basic shape of a TCP summary line (-AA also prints each packet's raw bytes as ASCII under its summary line; only the summary lines are shown here)
13:41:20.634990 IP 192.168.2.154.49552 > 198.7.58.74.http: Flags [S], seq 2038222836, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 361925289 ecr 0,sackOK,eol], length 0

13:50:05.758568 IP 192.168.2.154.49548 > 17.252.156.14.5223: Flags [F.], seq 1847, ack 3641, win 4096, options [nop,nop,TS val 362449061 ecr 3067529640], length 0

13:50:22.997209 ARP, Request who-has 192.168.2.154 (24:a0:74:10:9c:79 (oui Unknown)) tell 192.168.2.100, length 46
13:50:22.997221 IP 199.239.182.243.http > 192.168.2.154.49568: Flags [.], ack 184, win 235, options [nop,nop,TS val 452319868 ecr 362465594,nop,nop,sack 1 {1:184}], length 0
13:50:22.997250 ARP, Reply 192.168.2.154 is-at 24:a0:74:10:9c:79 (oui Unknown), length 28
13:50:23.032243 30:b4:9e:5e:f8:f5 (oui Unknown) > Broadcast, RRCP-0x23 query
13:50:23.234212 IP 199.239.182.243.http > 192.168.2.154.49568: Flags [.], seq 5761:7201, ack 184, win 235, options [nop,nop,TS val 452319890 ecr 362465975], length 1440: HTTP
13:50:23.234220 IP 199.239.182.243.http > 192.168.2.154.49568: Flags [P.], seq 7201:8187, ack 184, win 235, options [nop,nop,TS val 452319890 ecr 362465975], length 986: HTTP
13:50:23.234225 IP 17.179.252.32.https > 192.168.2.154.49569: Flags [S.], seq 2904281612, ack 1674281315, win 65535, options [mss 1460,nop,nop,TS val 1613497001 ecr 362466182,nop,wscale 11], length 0



<!-- 13:50:23.234212  the time at which this packet was captured -->

<!-- 199.239.182.243.http  the sender's IP address and port. tcpdump prints the port by service name (http = 80) unless you pass -nn. -->

<!-- 192.168.2.154.49568  my iPhone's IP address and its (ephemeral) port -->

<!-- Flags [P.]  the flag bits in the 14th byte of the TCP header (offset 13). The flags in this byte matter a lot. P is PSH: the receiver should hand the data to the application immediately. The "." is how tcpdump prints ACK (see the flags section below), so [P.] is PSH+ACK. -->

<!-- seq 1:54  the sequence-number range carried by this segment, written as a half-open interval: byte 1 up to but not including byte 54, i.e. 53 bytes of payload. TCP is treated as a stream because every byte it carries has its own sequence number. By default tcpdump prints sequence numbers relative to the connection's initial sequence number; the SYN in the three-way handshake consumes sequence number 0, so the first data byte is 1. Use -S if you want the absolute numbers. -->
<!-- seq 5761:7201  the segment above carries bytes 5761 through 7200, i.e. 1440 bytes -->

<!-- ack 101  the acknowledgement number: every byte up to and including 100 has been received, and the next expected sequence number is 101. -->
<!-- ack 184 -->

<!-- options [nop,nop,…]  the TCP options area. nop ("no operation") does nothing by itself; it pads the options so the header length stays a multiple of 4 bytes, as the protocol requires (the two nops in front of TS val align the 10-byte timestamp option). -->

<!-- options[… TS val 2381386761]  the TCP timestamp option. The value is unrelated to the device's system clock: it starts at an arbitrary value and increases with the sender's clock. The peer echoes it back so the sender can measure RTT, and once sequence numbers wrap past 2^32 back to 0, the timestamp tells an old segment apart from a new one (PAWS). -->


<!-- win 65535  the receive window: how many more bytes the sender of this segment is willing to accept. win 65535 here means the host 192.168.2.154 can accept another 65535 bytes. Caveat: when both sides negotiated window scaling (the wscale N option in their SYNs), the win value in every segment after the SYN must be multiplied by 2^N. tcpdump prints the raw field, so the "win 4096" sent by the iPhone above, which announced wscale 5 in its SYN, really means 4096 * 32 = 131072 bytes. -->

<!-- options[… ecr 427050796]  the timestamp echo reply, used to measure RTT: A puts TS val in a segment, B copies that value into ecr in the segment that acknowledges it, and A compares it with its own clock when the acknowledgement arrives. ecr is only meaningful when the ACK flag is set; in the initial SYN there is nothing to echo yet, so it is 0 (note the "ecr 0" in the SYN at the top of the listing). -->


<!-- length 53  the application payload carried in this segment, excluding the TCP header. It matches seq 1:54 above (54 - 1 = 53). -->
<!-- length 1440  the payload of the segment above (7201 - 5761 = 1440) -->
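The script below is an added example (Python, not code from the original post). It parses tcpdump's TCP summary lines, using as constructed input the five lines of the HTTP handshake and request that appear later on this page, and applies the two checks from the notes above: that the seq range agrees with length, and that the win values after the SYN are scaled by the wscale the sending host announced. The regular expression, field names and function names are mine.

```python
import re

# Constructed sample: the tcpdump summary lines of the HTTP exchange shown
# later on this page (SYN, SYN-ACK, ACK, request, first reply segment).
SAMPLE = """\
14:01:50.684827 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [S], seq 4174354258, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 363153415 ecr 0,sackOK,eol], length 0
14:01:50.729213 IP 120.27.83.144.http > 192.168.2.154.49589: Flags [S.], seq 1197848712, ack 4174354259, win 64240, options [mss 1444,nop,nop,sackOK,nop,wscale 11], length 0
14:01:50.729411 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [.], ack 1, win 8192, length 0
14:01:50.733450 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [P.], seq 1:518, ack 1, win 8192, length 517: HTTP: GET / HTTP/1.1
14:01:50.806873 IP 120.27.83.144.http > 192.168.2.154.49589: Flags [.], seq 1:1453, ack 518, win 32, length 1452: HTTP: HTTP/1.1 200 OK
"""

# One TCP summary line as tcpdump prints it without -v. Everything after the
# flags is optional: pure ACKs carry no seq, SYNs carry no ack, and options
# are only shown when the segment has some.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<length>\d+)"
)


def parse_line(line):
    """Return a dict of the TCP fields in one summary line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()

    def num(key):
        return int(d[key]) if d[key] is not None else None

    ws = re.search(r"wscale (\d+)", d["opts"] or "")
    return {
        "ts": d["ts"], "src": d["src"], "dst": d["dst"], "flags": d["flags"],
        "seq": num("seq"), "seq_end": num("seq_end"), "ack": num("ack"),
        "win": num("win"), "length": num("length"),
        "wscale": int(ws.group(1)) if ws else None,
    }


def analyze(text):
    """Check seq-range/length consistency and compute effective windows.

    The wscale a host announces in its own SYN (or SYN-ACK) scales the
    windows *that host* advertises in later segments; the win field inside
    a SYN segment itself is never scaled.
    """
    shift = {}          # sender endpoint -> window scale shift it announced
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "S" in rec["flags"]:
            shift[rec["src"]] = rec["wscale"] or 0
            rec["effective_win"] = rec["win"]
        else:
            rec["effective_win"] = rec["win"] << shift.get(rec["src"], 0)
        # "seq a:b" is half-open, so b - a must equal the payload length.
        rec["consistent"] = (rec["seq_end"] is None
                             or rec["seq_end"] - rec["seq"] == rec["length"])
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in analyze(SAMPLE):
        print(f'{r["src"]:>24} [{r["flags"]:3}] win {r["win"]:>6} '
              f'-> {r["effective_win"]:>7} bytes  len {r["length"]:>4}  '
              f'{"ok" if r["consistent"] else "MISMATCH"}')
```

Run stand-alone it prints one line per segment; the point to notice is that the iPhone's raw "win 8192" after the handshake is really 262144 bytes (wscale 5) while the server's "win 32" is 65536 bytes (wscale 11), so comparing raw win values across hosts is meaningless.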

<!-- 2. An HTTP request example. Everything below travels as plain HTTP: the query string (device model, OS version, screen size, a deviceid field), the request headers, and the PHPSESSID cookie the server sets are readable by anyone who can capture the traffic, which is exactly why a capture like this is useful when reviewing what an app leaks. -->

14:01:50.621466 IP 192.168.2.154.54015 > public1..com.domain: 33369+ A? open-api..com. (37)
14:01:50.682419 IP com.wl..com.domain > 192.168.2.154.54015: 33369 1/0/0 A 120.27.83.144 (53)
14:01:50.684827 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [S], seq 4174354258, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 363153415 ecr 0,sackOK,eol], length 0
14:01:50.729213 IP 120.27.83.144.http > 192.168.2.154.49589: Flags [S.], seq 1197848712, ack 4174354259, win 64240, options [mss 1444,nop,nop,sackOK,nop,wscale 11], length 0
14:01:50.729411 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [.], ack 1, win 8192, length 0
14:01:50.733450 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [P.], seq 1:518, ack 1, win 8192, length 517: HTTP: GET ////?Brand=iPhone&Height=568&NetworkType=Wifi&OS=iOS&OSVersion=10.2&Platform=2&VersionCode=1&VersionName=1.1.0&Width=320&channel=default&deviceid=&time=1521093710&v=1521093710.602857 HTTP/1.1
GET ////?Brand=iPhone&Height=568&NetworkType=Wifi&OS=iOS&OSVersion=10.2&Platform=2&VersionCode=1&VersionName=1.1.0&Width=320&channel=default&deviceid=&time=1521093710&v=1521093710.602857 HTTP/1.1
Host: open-api..com
Platform: 2
Uuid: 
Accept: */*
Version: 1.0
User-Agent: SpringBoard/1.0 (iPhone; iOS 10.2; Scale/2.00)
Accept-Language: zh-Hans-CN;q=1
Accept-Encoding: gzip, deflate
Connection: keep-alive


14:01:50.779518 IP 120.27.83.144.http > 192.168.2.154.49589: Flags [.], ack 518, win 32, length 0
14:01:50.806873 IP 120.27.83.144.http > 192.168.2.154.49589: Flags [.], seq 1:1453, ack 518, win 32, length 1452: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 15 Mar 2018 06:01:50 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=6cc3becb6e026be3e2a4a2f39a5300fa14cf193a; path=/; domain=.open-api.abuyun.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 15 Mar 2018 06:01:50GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip

58a
[chunk body: gzip-compressed PNG image data, binary]
14:01:50.933441 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [.], ack 1453, win 8192, length 0
14:01:51.007958 IP 120.27.83.144.http > 192.168.2.154.49589: Flags [P.], seq 1453:1905, ack 518, win 32, length 452: HTTP
[remainder of the PNG data, ending with the IEND chunk]
0


14:01:51.008127 IP 192.168.2.154.49589 > 120.27.83.144.http: Flags [.], ack 1905, win 8177, length 0

Commonly used tcpdump options, taking sudo tcpdump -i rvi0 -AAl as the example

-i, the interface to listen on; -i rvi0 listens on the virtual interface created by rvictl. When it is not given, tcpdump picks the first configured non-loopback interface, not all of them (on Linux, -i any captures on every interface).

-A, print each packet's contents in ASCII, skipping the link-layer header; handy for HTTP traffic from web pages or apps. -AA also prints the link-layer header, which on rvi0 is Apple's PKTAP header; that is where the interface name (en0) and the process name (SpringBoard, apsd, akd, mDNSResponder) in the dumps on this page come from.

-X, print packet contents as hex and ASCII, much like -A above. -XX also prints the link-layer header.

-n, do not resolve addresses to host names (otherwise tcpdump prefers to show names). -nn also keeps ports numeric instead of service names (so port 443 prints as 443 rather than https).

-s, how many bytes of each packet to capture (the snaplen). Old tcpdump versions defaulted to 68 or 96 bytes, which truncates payloads; current versions default to 262144 bytes, as the "capture size 262144 bytes" line in the output below shows. -s0 means "the whole packet"; a value such as -s1600 still covers a full Ethernet frame while keeping capture files small.

-c, stop after capturing the given number of packets.

-v, show more detail (IP TTL, id, checksum status, ...); -vv and -vvv increase it further.

-l, line-buffer the output so it appears immediately when piped into another command (the -AAl above is -A -A -l).

src, match the source address of the IP packet.

dst, match the destination address.

port, match the port on either side of a TCP or UDP packet.

and, or, not combine these primitives.
<!-- examples -->
tcpdump 'tcp[13] & 16 != 0'
<!-- byte 13 of the TCP header is the flags byte and 16 (0x10) is the ACK bit, so this matches every segment with ACK set; libpcap also accepts the symbolic form tcp[tcpflags] & tcp-ack != 0 -->

tcpdump src port 80 and tcp

tcpdump -vv src baidu and not dst port 23
<!-- a host name in a filter is resolved once, when the filter is compiled -->

tcpdump -nnvvS src 192.0.1.100 and dst port 443
<!-- -S prints absolute rather than relative sequence numbers. Relative numbers are counted from the first segment tcpdump saw, so a capture that starts in the middle of a connection produces odd values such as the "seq 4294967211:0" in the listing below. -->

Example: sudo tcpdump -i rvi0 -AAl src 192.168.2.54 or dst 101.227.169.159

tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
(BIOCPROMISC: Operation not supported on socket)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rvi0, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes

15:45:04.201643 IP 192.168.2.54.49525 > 218.75.177.11.https: Flags [F.], seq 1966557688, ack 1968545729, win 4096, options [nop,nop,TS val 1005623903 ecr 2012104264], length 0
15:45:04.216860 IP 192.168.2.54.49525 > 218.75.177.11.https: Flags [FP.], seq 4294967211:0, ack 1, win 4096, options [nop,nop,TS val 1005623943 ecr 2012134515], length 85
15:45:04.232246 IP 192.168.2.54.49525 > 218.75.177.11.https: Flags [.], ack 1, win 4096, options [nop,nop,TS val 1005623957 ecr 2012134519], length 0
15:45:04.232328 IP 192.168.2.54.49525 > 218.75.177.11.https: Flags [.], ack 2, win 4096, options [nop,nop,TS val 1005623957 ecr 2012134519], length 0
15:45:18.443362 IP 192.168.2.54 > 192.168.2.100: ICMP 192.168.2.54 udp port weblogin unreachable, length 36
15:45:23.372847 ARP, Reply 192.168.2.54 is-at f4:f1:5a:46:97:5b (oui Unknown), length 28
15:46:18.444230 IP 192.168.2.54 > 192.168.2.100: ICMP 192.168.2.54 udp port weblogin unreachable, length 36
15:46:23.372414 ARP, Reply 192.168.2.54 is-at f4:f1:5a:46:97:5b (oui Unknown), length 28
15:46:56.202113 ARP, Request who-has 192.168.2.1 tell 192.168.2.54, length 28
15:46:56.231715 IP 192.168.2.54.62927 > public1.114dns.com.domain: 39203+ A? minorshort.weixin.qq.com. (42)
15:46:56.593275 IP 192.168.2.54.49527 > 41.224.151.61.dial.xw.sh.dynamic.163data.com.cn.https: Flags [S], seq 2997068169, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1005736282 ecr 0,sackOK,eol], length 0


<!-- rvictl -x fa6770acd2e0625 -->

tcpdump basics

  • TCP header

[image: TCP header layout]

  • TCP flags (the 14th byte of the TCP header). In the header diagram their initials are C E U A P R S F; tcpdump prints them with the letters W E U . P R S F (ACK is shown as ".", CWR as "W").
The flags sit in the 14th byte of the TCP header (offset 13) and occupy its 8 bits, CWR through FIN in the diagram above.
Each bit has a specific purpose: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.

<!-- CWR (Congestion Window Reduced) and ECE (ECN-Echo) work together for congestion control (ECN). -->
When a host receives an IP packet that a router marked "Congestion Experienced" in the ECN field, it sets ECE=1 in the segments it sends back;
the data sender then shrinks its congestion window and sets CWR=1 in its next segment to confirm that it has reacted. (An ECN-capable SYN carries both ECE and CWR, which tcpdump prints as [SEW].)

<!-- URG: Urgent. Marks data the receiver should process ahead of the normal stream; the urgent pointer field says where it ends. Telnet uses it for out-of-band interrupts, e.g. the Ctrl+C you type in a terminal session to kill a task. -->


<!-- ACK: tells the peer that all data up to the acknowledgement number has been received. Rather than sending a separate acknowledgement, TCP piggybacks the ACK flag on the next segment it has to send anyway, and may hold the acknowledgement briefly for that purpose; this is TCP's delayed-ACK optimisation. -->
See delayed ACK: https://en.wikipedia.org/wiki/TCP_delayed_acknowledgment

<!-- PSH: Push. The receiver should hand the data to the application right away instead of buffering it. -->
The last segment of an HTTP request normally has the P bit set.

<!-- RST: Reset. The sender is aborting the connection immediately; no FIN exchange follows and the peer does not acknowledge an RST. -->
You see RST when a segment arrives for a port nobody is listening on, when an endpoint drops a connection it no longer knows about, or when an application aborts instead of closing cleanly. Some HTTP clients end connections this way, although a normal close uses FIN.


<!-- SYN: set when requesting a new connection. The familiar three-way handshake is SYN and ACK working together: SYN -> SYN+ACK -> ACK, which tcpdump shows as [S], [S.], [.]. -->

<!-- FIN: Finish. The sender has no more data and is closing its direction of the connection; the receiver normally answers with an ACK. When the receiver later sends its own FIN, the connection is closed in both directions. -->
<!-- P.S. tcpdump's short forms: [S], [P], [R], [F], [.]; -->
The "." is not a placeholder for "no flags": it is how tcpdump prints the ACK flag. [.] is therefore a pure ACK, [S.] a SYN+ACK, [P.] PSH+ACK and [F.] FIN+ACK; only a segment with no flags at all prints as [none].
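An added example (Python, not part of the original post) that serves both the flag bits described above and the tcp[13] filter in the options section: it renders a flags byte the way tcpdump prints it, pulls the byte out of a constructed raw TCP header at offset 13, and builds the equivalent BPF expression for any combination of required and forbidden flags. The table, the header bytes and the function names are mine.

```python
# tcpdump's letters for the TCP flags byte (tcp[13], the 14th header byte),
# listed in the order tcpdump prints them. ACK is shown as "." and CWR as "W".
FLAG_LETTERS = [
    (0x01, "FIN", "F"),
    (0x02, "SYN", "S"),
    (0x04, "RST", "R"),
    (0x08, "PSH", "P"),
    (0x10, "ACK", "."),
    (0x20, "URG", "U"),
    (0x40, "ECE", "E"),
    (0x80, "CWR", "W"),
]
BIT = {name: bit for bit, name, _ in FLAG_LETTERS}


def flags_to_tcpdump(byte):
    """Render a flags byte the way tcpdump does, e.g. 0x12 -> 'S.'."""
    s = "".join(letter for bit, _, letter in FLAG_LETTERS if byte & bit)
    return s or "none"


def flag_byte(tcp_header):
    """The flags byte of a raw TCP header is at offset 13 (the 14th byte)."""
    return tcp_header[13]


def _mask_value(must_set, must_clear):
    """Mask covering every flag we care about, and the value it must equal."""
    value = 0
    for name in must_set:
        value |= BIT[name]
    mask = value
    for name in must_clear:
        mask |= BIT[name]
    return mask, value


def bpf_flags_filter(must_set, must_clear=()):
    """Build a BPF expression on tcp[13] matching segments in which every flag
    in must_set is 1 and every flag in must_clear is 0; other bits are
    don't-care. ("SYN",), ("ACK",) gives the classic "new connection /
    SYN scan" filter: tcp[13] & 0x12 == 0x02."""
    mask, value = _mask_value(must_set, must_clear)
    return f"tcp[13] & 0x{mask:02x} == 0x{value:02x}"


def flags_match(byte, must_set, must_clear=()):
    """Evaluate the same condition in Python against one flags byte."""
    mask, value = _mask_value(must_set, must_clear)
    return byte & mask == value


# Constructed 20-byte TCP header of a SYN-ACK: src port 80, dst port 49589,
# seq/ack zero, data offset 5 (0x50), flags 0x12, window 64240 (0xfaf0),
# checksum and urgent pointer zero.
SYN_ACK_HEADER = bytes.fromhex("0050 c1b5 00000000 00000000 50 12 faf0 0000 0000")


if __name__ == "__main__":
    for b in (0x02, 0x12, 0x10, 0x18, 0x11, 0x04, 0xC2):
        print(f"0x{b:02x} -> [{flags_to_tcpdump(b)}]")
    print(flags_to_tcpdump(flag_byte(SYN_ACK_HEADER)))   # S.
    print(bpf_flags_filter(("SYN",), ("ACK",)))          # SYN without ACK
    print(bpf_flags_filter(("ACK",)))                    # same as tcp[13] & 16 != 0
    print(bpf_flags_filter(("SYN", "ECE", "CWR")))       # ECN-setup SYN, prints as [SEW]
```

The SYN-without-ACK expression is the one to use when hunting for connection attempts or a SYN scan; tcp[13] & 16 != 0 from the page matches pure ACKs as well as every data segment, since all of them carry ACK.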

rvictl

Remote Virtual Interface Tool starts and stops a remote packet capture instance for any set of attached mobile devices. It can also provide feedback on any attached devices that are currently relaying packets back to this host.

  • -l
devzkndeMacBook-Pro:com.wl..git devzkn$ rvictl -l

Current Active Devices:

	[1] bea23bf46e215fd9beca7f9dd4e31 with interface rvi0

  • rvictl help
Options:
	-l, -L		List currently active devices
	-s, -S		Start a device or set of devices
	-x, -X		Stop a device or set of devices
  • -x (stop relaying; the tcpdump attached to rvi0 exits and prints its counters. Watch the "packets dropped by kernel" line: here 6043 of 20178 packets were lost because decoding with -A to a terminal cannot keep up, so for anything that needs a complete capture write raw packets with -w file.pcap and decode them afterwards with -r or Wireshark.)
devzkndeMacBook-Pro:com.wl..git devzkn$ rvictl -x bea23be5fd9beca7f9dd4e31

Stopping device bea23b5fd9beca7f9dd4e31 [SUCCEEDED]
tcpdump: pcap_loop: The interface went down
14135 packets captured
20178 packets received by filter
6043 packets dropped by kernel

rvictl: creating and managing the virtual interface

  • rvictl -s udid creates the virtual interface for the attached device with that UDID
devzkndeMacBook-Pro:com.wl..git devzkn$ rvictl -s bea23bf46e21509946b4e31
  • start tcpdump on rvi0 to capture the traffic (the promiscuous-mode warning below is expected: rvi0 relays the device's own packets and is not a real NIC, so there is nothing to put into promiscuous mode)
devzkndeMacBook-Pro:com.wl..git devzkn$ sudo tcpdump -i rvi0 -AAl
Password:
tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
(BIOCPROMISC: Operation not supported on socket)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rvi0, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
