Linux Employment Technical Guide (5): Core Linux Operations Management Commands Explained (19)

(5) Capturing packets on a specified port

[root@Mr_chen ~]# tcpdump -nn -c 5 port 22
# -nn: do not resolve DNS names and do not convert port numbers to service names; "port" selects the port to capture on
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:27:25.472624 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 1886385856:1886386064, ack 322195131, win 317, length 208
18:27:25.472764 IP 192.168.0.254.55962 > 192.168.0.233.22: Flags [.], ack 208, win 522, length 0
18:27:25.473731 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 208:496, ack 1, win 317, length 288
18:27:25.474746 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 496:672, ack 1, win 317, length 176
18:27:25.474836 IP 192.168.0.254.55962 > 192.168.0.233.22: Flags [.], ack 672, win 520, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

(6) Capturing packets of a specified protocol

[root@Mr_chen ~]# tcpdump -n -c 5 arp
# Capture ARP packets; the filter expression is simply "arp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:29:08.056959 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:08.978765 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:09.900334 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:10.822093 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:12.050836 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
5 packets captured
5 packets received by filter
0 packets dropped by kernel

[root@Mr_chen ~]# tcpdump -n -c 5 icmp
# Capture ICMP packets (to see output like the lines below, ping this host from another machine)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:30:55.576828 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19956, length 40
18:30:55.576844 IP 192.168.0.233 > 192.168.0.254: ICMP echo reply, id 1, seq 19956, length 40
18:30:56.578427 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19958, length 40
18:30:56.578445 IP 192.168.0.233 > 192.168.0.254: ICMP echo reply, id 1, seq 19958, length 40
18:30:57.582167 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19960, length 40
5 packets captured
6 packets received by filter
0 packets dropped by kernel

Common protocol keywords include ip, arp, icmp, tcp, udp and similar types.

(7) Case study: using tcpdump captures to explain the TCP/IP connection setup and teardown process

1) The three phases of a normal TCP connection

- TCP three-way handshake
- Data transfer
- TCP four-way teardown

2) TCP connection diagram

The TCP connection state machine is shown in the figure below.

[Figure: TCP connection state machine (screenshot not reproduced)]

3) TCP flags

- SYN (Synchronize Sequence Numbers): this flag is valid only during the three-way handshake that establishes a TCP connection. It indicates a new TCP connection request.
- ACK (Acknowledgement Number): the flag that acknowledges a TCP request, and at the same time tells the peer that all data has been received successfully.
- FIN (FINish): used to end a TCP session, while the corresponding port remains open, ready to receive subsequent data.

4) Capturing TCP traffic with tcpdump

[root@Mr_chen www]# tcpdump tcp port 80 or dst 192.168.0.114 -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
# Capture analysis: the three-way handshake
22:38:18.564320 ARP, Reply 192.168.0.233 is-at 00:0c:29:a8:ca:50, length 28
# An ARP reply sent to the target MAC address, telling the peer this host's MAC address
22:38:18.564418 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [S], seq 3675775834, win 14600, options [mss 1460,sackOK,TS val 4294710555 ecr 0,nop,wscale 6], length 0
# 192.168.0.114 (client) initiates a connection from ephemeral port 52367 to the listening port 80 on this host, 192.168.0.233 (server). The client's initial sequence number is 3675775834, the sliding window is 14600 bytes (the size of the TCP receive buffer, used for TCP congestion control), the MSS is 1460 (the largest segment it can receive), and [S] = [SYN] (connection request flag)
22:38:18.564434 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [S.], seq 2909831439, ack 3675775835, win 14480, options [mss 1460,sackOK,TS val 15157720 ecr 4294710555,nop,wscale 6], length 0
# The server's response to the connection request, carrying the ack for the previous packet: the client's initial sequence number + 1, i.e. 3675775835, which is the sequence number the server expects in the next packet and is what keeps the TCP byte stream in order. The server's initial sequence number is 2909831439 and its MSS is also 1460
22:38:18.564541 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294710556 ecr 15157720], length 0
# The client acknowledges once more and the TCP three-way handshake is complete. "." means no flag is set
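The check the annotations above perform by hand (SYN-ACK acknowledges the client's ISN + 1, the final ACK completes the flow) can be automated over tcpdump's text output. The Python below is an added example, not code from the original article: it parses `tcpdump -n` lines, keys each flow on the client side, tracks the handshake state, and lists flows that never completed, which is how half-open connections show up in a capture. The sample lines are constructed after the capture above, plus one constructed SYN from port 52368 that never receives a SYN-ACK.

```python
import re
from typing import Dict, Optional

# Constructed sample: the handshake captured above plus one constructed SYN (port 52368)
# that never receives a SYN-ACK, i.e. a half-open connection.
SAMPLE = """\
22:38:18.564418 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [S], seq 3675775834, win 14600, options [mss 1460,sackOK,TS val 4294710555 ecr 0,nop,wscale 6], length 0
22:38:18.564434 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [S.], seq 2909831439, ack 3675775835, win 14480, options [mss 1460,sackOK,TS val 15157720 ecr 4294710555,nop,wscale 6], length 0
22:38:18.564541 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294710556 ecr 15157720], length 0
22:38:18.565001 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [P.], seq 1:79, ack 1, win 229, length 78
22:38:19.102334 IP 192.168.0.114.52368 > 192.168.0.233.http: Flags [S], seq 1187265510, win 14600, length 0
"""

# One tcpdump -n TCP line: "<ts> IP <src>.<port> > <dst>.<port>: Flags [<flags>], <seq/ack/win ...>"
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+): Flags \[([^\]]*)\](.*)$")


def _field(name: str, rest: str) -> Optional[int]:
    m = re.search(r"\b%s (\d+)" % name, rest)  # "seq 1:79" yields 1, the start of the range
    return int(m.group(1)) if m else None


def track_handshakes(text: str) -> Dict[tuple, str]:
    """Replay tcpdump lines; return each flow's state keyed on (client ip, client port, server ip, server port).
    States: SYN_SENT -> SYN_RECEIVED -> ESTABLISHED, or BAD_ACK when an ack number is not what the handshake requires."""
    flows: Dict[tuple, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, ARP, ICMP and other non-TCP lines
        sip, sport, dip, dport, flags, rest = m.groups()
        seq, ack = _field("seq", rest), _field("ack", rest)
        if flags == "S":  # a bare SYN from the client opens a new flow
            flows[(sip, sport, dip, dport)] = {"state": "SYN_SENT", "isn_c": seq}
            continue
        # the SYN-ACK travels server -> client, so swap endpoints to find its flow
        key = (dip, dport, sip, sport) if flags == "S." else (sip, sport, dip, dport)
        f = flows.get(key)
        if f is None or ack is None:
            continue
        if flags == "S." and f["state"] == "SYN_SENT":
            # the server must acknowledge the client's ISN + 1 (3675775835 in the capture above)
            f.update(state="SYN_RECEIVED" if ack == f["isn_c"] + 1 else "BAD_ACK", isn_s=seq)
        elif flags == "." and f["state"] == "SYN_RECEIVED":
            # after the SYN exchange tcpdump prints relative numbers (ack 1) unless -S is given
            f["state"] = "ESTABLISHED" if ack in (1, f["isn_s"] + 1) else "BAD_ACK"
    return {k: v["state"] for k, v in flows.items()}


def half_open(text: str) -> list:
    """Flows that never reached ESTABLISHED: half-open connections worth a closer look."""
    return sorted(k for k, s in track_handshakes(text).items() if s != "ESTABLISHED")
```

Feed it a file saved with `tcpdump -n ... > capture.txt`; with `-S` tcpdump prints absolute sequence numbers and the final-ACK check still passes.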
