L74. Daily Linux command practice -- Chapter 10: Linux network management commands -- nmap and tcpdump

10.21 nmap: network exploration tool and security/port scanner

10.21.1 Command details

【Command rating】 ★★★★★

【Function】

The nmap command is an open-source network exploration and security auditing tool; its name is short for Network Mapper. It is designed to scan large networks quickly. nmap can discover which hosts are on the network, which services those hosts offer (application name and version number), and which operating system and version they run.

If the system does not have the nmap command, it can be installed with the following command:

[root@centos7 ~]# yum -y install nmap

【Syntax】

nmap [Scan Type] [option] [target specification]
nmap [scan type] [general options] [scan target]

Notes:

1) In the nmap command line, the command, each option and the target must be separated by at least one space.

2) The scan target can be a single IP address or a network range, e.g. 192.168.1.2 or 10.0.0.0/24.

【Options】

Table 10-22 describes the command's options.

Table 10-22 nmap options and descriptions [table image not available]

10.21.2 Usage examples

**Example 10-76:** list the ports currently open on a host.

[root@centos7 ~]# nmap 10.0.0.201	#Given only a target host, nmap scans its default set of 1000 ports.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-31 16:44 CST
Nmap scan report for 10.0.0.201
Host is up (0.000020s latency).	#The target host is up.
Not shown: 999 closed ports		#999 ports are closed.
PORT   STATE SERVICE
22/tcp open  ssh		#Port 22 (SSH) is open.

Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

**Example 10-77:** scan specific ports on a host.

[root@centos7 ~]# nmap -p 1024-65535 10.0.0.201	#Use -p to specify the port range to scan.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-31 16:46 CST
Nmap scan report for 10.0.0.201
Host is up (0.000024s latency).
All 64512 scanned ports on 10.0.0.201 are closed

Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds

**Example 10-78:** scan every IP address on the local network.

[root@centos7 ~]# nmap 10.0.0.0/24	#Scan the LAN by giving the network in CIDR form.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-31 16:51 CST
Nmap scan report for 10.0.0.1
Host is up (0.00021s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
5800/tcp  open  vnc-http
5900/tcp  open  vnc
8080/tcp  open  http-proxy
8181/tcp  open  unknown
49167/tcp open  unknown
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 10.0.0.5
Host is up (0.00039s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A3:21:26 (VMware)

Nmap scan report for 10.0.0.202
Host is up (0.00046s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A3:21:26 (VMware)

Nmap scan report for 10.0.0.254
Host is up (0.00028s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:E0:7D:13 (VMware)

Nmap scan report for 10.0.0.2
Host is up (0.000024s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 10.0.0.201
Host is up (0.000015s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (6 hosts up) scanned in 245.15 seconds

[root@centos7 ~]# nmap -sn 10.0.0.0/24	#-sn does host discovery only, without scanning ports.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-31 16:52 CST
Nmap scan report for 10.0.0.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
MAC Address: 00:0C:29:A3:21:26 (VMware)
Nmap scan report for 10.0.0.202
Host is up (-0.10s latency).
MAC Address: 00:0C:29:A3:21:26 (VMware)
Nmap scan report for 10.0.0.254
Host is up (-0.10s latency).
MAC Address: 00:50:56:E0:7D:13 (VMware)
Nmap scan report for 10.0.0.2
Host is up.
Nmap scan report for 10.0.0.201
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.31 seconds
[root@centos7 ~]# nmap -sn 10.0.0.200-205	#An address range written like this can also be scanned.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-31 16:52 CST
Nmap scan report for 10.0.0.202
Host is up (0.0016s latency).
MAC Address: 00:0C:29:A3:21:26 (VMware)
Nmap scan report for 10.0.0.201
Host is up.
Nmap done: 6 IP addresses (2 hosts up) scanned in 0.37 seconds

**Example 10-79:** detect the service versions and operating system of the target host.

[root@centos7 ~]# nmap -O -sV 10.0.0.201

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-31 16:55 CST
Nmap scan report for 10.0.0.201
Host is up (0.000033s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)	#-sV shows the service version.
#-O shows the operating system version, but nmap determines it by comparing the observed TCP/IP fingerprint against its own fingerprint database, so a system whose fingerprint is not in the database cannot be identified.
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.46 seconds

The output above contains not only the port numbers but also the version of each service. On hosts with high security requirements it is best to hide server version banners, so that an attacker cannot exploit vulnerabilities specific to that version.
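As an added example (not part of the original post), here is a defender-side use of such scan results: nmap's grepable output (-oG) is compared against a baseline of approved open ports, so that any newly exposed service stands out. The baseline format ("host port/proto" per line) is this script's own, and the sample scan text is constructed, modelled on the hosts in example 10-78.

```shell
# Compare nmap's grepable output (-oG) against a baseline of approved open
# ports and print every open port that is not on the baseline.
# Both the baseline format ("host port/proto" per line) and the scan text
# below are constructed for this example.
BASELINE='10.0.0.201 22/tcp
10.0.0.254 53/tcp'

# Constructed -oG text, in the form "nmap -oG - 10.0.0.201 10.0.0.254" prints.
SCAN='# Nmap 6.40 scan initiated (constructed sample)
Host: 10.0.0.201 ()	Status: Up
Host: 10.0.0.201 ()	Ports: 22/open/tcp//ssh///	Ignored State: closed (999)
Host: 10.0.0.254 ()	Status: Up
Host: 10.0.0.254 ()	Ports: 53/open/tcp//domain///, 8080/open/tcp//http-proxy///	Ignored State: closed (998)
# Nmap done (constructed sample)'

# unexpected_ports: read -oG text on stdin and print "host port/proto" for
# each open port that is absent from the baseline text passed as $1.
unexpected_ports() {
    awk -v baseline="$1" '
    BEGIN {
        n = split(baseline, lines, "\n")
        for (i = 1; i <= n; i++) if (lines[i] != "") allowed[lines[i]] = 1
    }
    $1 == "Host:" && /Ports: / {
        host = $2
        ports = $0
        sub(/.*Ports: /, "", ports)            # keep only the port list
        sub(/\t.*/, "", ports)                 # drop the tab-separated fields after it
        sub(/ *Ignored State:.*/, "", ports)   # same, in case tabs were turned into spaces
        m = split(ports, entry, ", ")
        for (j = 1; j <= m; j++) {
            split(entry[j], f, "/")            # port/state/proto/owner/service/...
            if (f[2] == "open") {
                key = host " " f[1] "/" f[3]
                if (!(key in allowed)) print key
            }
        }
    }'
}

printf '%s\n' "$SCAN" | unexpected_ports "$BASELINE"
```

With a real scan, replace the SCAN variable by `nmap -oG - <targets>` piped into the function; the script prints 10.0.0.254 8080/tcp for the sample, because that port is open but not approved.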

10.22 tcpdump: monitor network traffic

10.22.1 Command details

【Command rating】 ★★★★★

【Function】

The tcpdump command is a packet analysis tool that captures network packets. It can capture the complete headers of the packets travelling over the network for analysis. It supports filtering by network layer, protocol, host, port and so on, and supports and/or/not logic to combine filters and pick out the traffic of interest.

To work, tcpdump first switches the network card into promiscuous mode. Because it changes the interface's mode of operation, tcpdump has to be run as root.

【Syntax】

tcpdump [option] [expression]
tcpdump [options] [expression]

**Note:** in the tcpdump command line, the command, each option and the expression must be separated by at least one space.

【Options】

Table 10-23 describes the command's options.

Table 10-23 tcpdump options and descriptions [table image not available]

10.22.2 Usage examples

**Example 10-80:** run tcpdump with no arguments to monitor the network.

[root@centos7 ~]# tcpdump	#By default, running tcpdump with no arguments captures every packet passing through the first network interface.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:10:35.562572 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 1549030233:1549030445, ack 229546085, win 274, length 212
17:10:35.563865 IP centos7.53502 > public1.alidns.com.domain: 9703+ PTR? 1.0.0.10.in-addr.arpa. (39)
17:10:35.586029 IP public1.alidns.com.domain > centos7.53502: 9703 NXDomain 0/1/0 (116)
17:10:35.588787 IP centos7.53886 > public1.alidns.com.domain: 19036+ PTR? 201.0.0.10.in-addr.arpa. (41)
17:10:35.623450 IP public1.alidns.com.domain > centos7.53886: 19036 NXDomain 0/1/0 (118)
17:10:35.624075 IP centos7.42054 > public1.alidns.com.domain: 10696+ PTR? 5.5.5.223.in-addr.arpa. (40)
17:10:35.624305 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 212:392, ack 1, win 274, length 180
17:10:35.624426 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 392, win 254, length 0
17:10:35.644275 IP public1.alidns.com.domain > centos7.42054: 10696 1/0/0 PTR public1.alidns.com. (72)
17:10:35.644918 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 392:1228, ack 1, win 274, length 836
17:10:35.645397 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 1228:1392, ack 1, win 274, length 164
17:10:35.645515 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 1392, win 256, length 0
17:10:35.645655 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 1392:1636, ack 1, win 274, length 244
17:10:35.645803 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 1636:1800, ack 1, win 274, length 164
17:10:35.645881 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 1800, win 255, length 0
17:10:35.646021 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 1800:2044, ack 1, win 274, length 244
17:10:35.646143 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 2044:2208, ack 1, win 274, length 164
17:10:35.646216 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 2208, win 253, length 0
17:10:35.646336 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 2208:2452, ack 1, win 274, length 244
17:10:35.646477 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 2452:2616, ack 1, win 274, length 164
17:10:35.646543 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 2616, win 251, length 0
17:10:35.646633 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 2616:2860, ack 1, win 274, length 244
17:10:35.646779 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 2860:3024, ack 1, win 274, length 164
17:10:35.646860 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 3024, win 256, length 0
17:10:35.646964 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 3024:3268, ack 1, win 274, length 244
17:10:35.647079 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 3268:3432, ack 1, win 274, length 164
17:10:35.647150 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 3432, win 255, length 0
17:10:35.647269 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 3432:3676, ack 1, win 274, length 244
17:10:35.647417 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 3676:3840, ack 1, win 274, length 164
17:10:35.647488 IP 10.0.0.1.58234 > centos7.ssh: Flags [.], ack 3840, win 253, length 0
...
^C	#Press Ctrl+C to stop tcpdump while it is running.
788 packets captured	#The last three lines, printed after Ctrl+C, summarise the packets captured.
788 packets received by filter
0 packets dropped by kernel

Without a filter expression, tcpdump produces a very large volume of output.

**Example 10-81:** reduce the amount of output.

[root@centos7 ~]# tcpdump -q	#tcpdump's default output is fairly verbose; use -q to print a terser form.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:14:19.195409 IP centos7.ssh > 10.0.0.1.58234: tcp 212
17:14:19.196754 IP centos7.50642 > public1.alidns.com.domain: UDP, length 39
17:14:19.219432 ARP, Request who-has centos7 tell gateway, length 46
17:14:19.219468 ARP, Reply centos7 is-at 00:0c:29:23:c8:7a (oui Unknown), length 28
17:14:19.219606 IP public1.alidns.com.domain > centos7.50642: UDP, length 116
17:14:19.223763 IP centos7.35560 > public1.alidns.com.domain: UDP, length 41
17:14:19.244139 IP public1.alidns.com.domain > centos7.35560: UDP, length 118
...
^C
1313 packets captured
1314 packets received by filter
0 packets dropped by kernel

[root@centos7 ~]# tcpdump -c 5	#-c sets the number of packets to capture, so Ctrl+C is no longer needed.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:15:45.888387 IP centos7.ssh > 10.0.0.1.58234: Flags [P.], seq 1549655441:1549655653, ack 229547625, win 274, length 212
17:15:45.889387 IP centos7.56876 > public1.alidns.com.domain: 49016+ PTR? 1.0.0.10.in-addr.arpa. (39)
17:15:45.906446 IP public1.alidns.com.domain > centos7.56876: 49016 NXDomain 0/1/0 (116)
17:15:45.909105 IP centos7.45220 > public1.alidns.com.domain: 49313+ PTR? 201.0.0.10.in-addr.arpa. (41)
17:15:45.927371 IP public1.alidns.com.domain > centos7.45220: 49313 NXDomain 0/1/0 (118)
5 packets captured
9 packets received by filter
0 packets dropped by kernel

**Example 10-82:** capture the packets received on a specific interface.

[root@centos7 ~]# tcpdump -i eth0	#-i selects the interface to listen on.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:17:28.965552 IP centos7.ssh > 10.0.0.1.58413: Flags [P.], seq 3823697909:3823698121, ack 2215692834, win 274, length 212
17:17:28.965758 IP 10.0.0.1.58413 > centos7.ssh: Flags [.], ack 212, win 253, length 0
17:17:28.967053 IP centos7.60096 > public1.alidns.com.domain: 65032+ PTR? 1.0.0.10.in-addr.arpa. (39)
17:17:29.000754 IP public1.alidns.com.domain > centos7.60096: 65032 NXDomain 0/1/0 (116)
...
^C
1201 packets captured
1201 packets received by filter
0 packets dropped by kernel

The fields of the output are explained below.

  • 17:17:28.965552: the current time, to microsecond precision.
  • IP centos7.ssh > 10.0.0.1.58413: data sent from the SSH port of host centos7 (the hostname) to port 58413 of 10.0.0.1; ">" shows the direction of the flow.
  • Flags [P.]: the TCP flags set in the packet: S is short for SYN, and likewise F (FIN), P (PUSH), R (RST); "." means none of these flags is set.
  • seq: the sequence number of the data in the packet.
  • ack: the next sequence number expected.
  • win: the size of the receive window.
  • length: the length of the packet's data.

**Example 10-83:** capture the packets of a specific host.

[root@centos7 ~]# tcpdump -n host 10.0.0.1	#-n disables DNS resolution, which speeds up the display. The keyword for filtering on a host is host, followed by a hostname or IP address. This command captures all packets sent or received by host 10.0.0.1.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:30.724731 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 1596002082:1596002294, ack 3345107430, win 274, length 212
17:26:30.725055 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 212:392, ack 1, win 274, length 180
17:26:30.725160 IP 10.0.0.1.58677 > 10.0.0.201.ssh: Flags [.], ack 392, win 256, length 0
17:26:30.725271 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 392:652, ack 1, win 274, length 260
...
^C
3220 packets captured
3220 packets received by filter
0 packets dropped by kernel

[root@centos7 ~]# tcpdump -n src host 10.0.0.1	#Capture only packets sent by 10.0.0.1, i.e. whose source address is 10.0.0.1; the keyword is src (source address).
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:28:28.648384 IP 10.0.0.1.58677 > 10.0.0.201.ssh: Flags [.], ack 1596458922, win 254, length 0
17:28:28.848983 IP 10.0.0.1.58677 > 10.0.0.201.ssh: Flags [.], ack 149, win 253, length 0
17:28:28.857826 IP 10.0.0.1.50606 > 10.0.0.202.ssh: Flags [P.], seq 391322570:391322618, ack 880777960, win 255, length 48
17:28:28.858186 IP 10.0.0.1.58677 > 10.0.0.201.ssh: Flags [.], ack 477, win 252, length 0
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

[root@centos7 ~]# tcpdump -n dst host 10.0.0.1	#Capture only packets received by 10.0.0.1, i.e. whose destination address is 10.0.0.1; the keyword is dst (destination address).
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:44.848116 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 1596461066:1596461278, ack 3345111138, win 274, length 212
17:29:44.851065 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 212:392, ack 1, win 274, length 180
17:29:44.851289 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 392:556, ack 1, win 274, length 164
17:29:44.851383 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 556:720, ack 1, win 274, length 164
17:29:44.851497 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 720:884, ack 1, win 274, length 164
17:29:44.851588 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 884:1048, ack 1, win 274, length 164
17:29:44.851703 IP 10.0.0.201.ssh > 10.0.0.1.58677: Flags [P.], seq 1048:1212, ack 1, win 274, length 164
...
^C
348 packets captured
348 packets received by filter
0 packets dropped by kernel

**Example 10-84:** capture the packets of a specific port.

[root@centos7 ~]# tcpdump -nn port 22	#-n disables DNS resolution but still converts some protocol and port numbers to names, e.g. port 22 is shown as ssh (compare the output of example 10-4). This example therefore uses -nn. The keyword for filtering on a port is port, followed by the port number.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:32:21.374181 IP 10.0.0.201.22 > 10.0.0.1.58852: Flags [P.], seq 3724448175:3724448387, ack 1012729262, win 274, length 212
17:32:21.374729 IP 10.0.0.201.22 > 10.0.0.1.58852: Flags [P.], seq 212:392, ack 1, win 274, length 180
17:32:21.374854 IP 10.0.0.1.58852 > 10.0.0.201.22: Flags [.], ack 392, win 256, length 0
17:32:21.375228 IP 10.0.0.201.22 > 10.0.0.1.58852: Flags [P.], seq 392:636, ack 1, win 274, length 244
...
^C
1520 packets captured
1520 packets received by filter
0 packets dropped by kernel

**Example 10-85:** capture the packets of a specific protocol.

[root@centos7 ~]# tcpdump -n arp	#Capture ARP packets; the expression is simply arp.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:35:33.560844 ARP, Request who-has 10.0.0.202 (00:0c:29:a3:21:26) tell 10.0.0.1, length 46
17:35:33.561013 ARP, Reply 10.0.0.202 is-at 00:0c:29:a3:21:26, length 46
17:35:36.560537 ARP, Request who-has 10.0.0.201 (00:0c:29:23:c8:7a) tell 10.0.0.1, length 46
17:35:36.560565 ARP, Reply 10.0.0.201 is-at 00:0c:29:23:c8:7a, length 28
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

[root@centos7 ~]# tcpdump -n icmp	#Capture ICMP packets (to produce the traffic shown below, ping this host from another machine).
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:44.351369 IP 10.0.0.202 > 10.0.0.201: ICMP echo request, id 44553, seq 1, length 64
17:36:44.351611 IP 10.0.0.201 > 10.0.0.202: ICMP echo reply, id 44553, seq 1, length 64
17:36:45.351381 IP 10.0.0.202 > 10.0.0.201: ICMP echo request, id 44553, seq 2, length 64
17:36:45.351443 IP 10.0.0.201 > 10.0.0.202: ICMP echo reply, id 44553, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Common protocol keywords include ip, arp, icmp, tcp and udp.

**Example 10-86:** combining several filter conditions.

The previous examples each filtered packets on a single condition. Filter conditions can also be combined, because tcpdump supports the logical operators and, or and ! (not).

[root@centos7 ~]# tcpdump -n ip host 10.0.0.201 and ! 10.0.0.1	#Capture the IP packets exchanged between host 10.0.0.201 and any host other than 10.0.0.1.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:41:25.655390 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [S], seq 568201934, win 14600, options [mss 1460,sackOK,TS val 13717488 ecr 0,nop,wscale 6], length 0
17:41:25.655547 IP 10.0.0.201.ssh > 10.0.0.202.38382: Flags [S.], seq 2639908343, ack 568201935, win 28960, options [mss 1460,sackOK,TS val 13734300 ecr 13717488,nop,wscale 7], length 0
17:41:25.655733 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 13717489 ecr 13734300], length 0
17:41:25.685047 IP 10.0.0.201.ssh > 10.0.0.202.38382: Flags [P.], seq 1:22, ack 1, win 227, options [nop,nop,TS val 13734330 ecr 13717489], length 21
17:41:25.685548 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [.], ack 22, win 229, options [nop,nop,TS val 13717519 ecr 13734330], length 0
17:41:26.020099 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [P.], seq 1:22, ack 22, win 229, options [nop,nop,TS val 13717853 ecr 13734330], length 21
...
^C
18 packets captured
18 packets received by filter
0 packets dropped by kernel

**Example 10-87:** using tcpdump to capture the details of TCP/IP connection setup and teardown.

1) The three phases of a normal TCP connection.

  • TCP three-way handshake.
  • Data transfer.
  • TCP four-way teardown.

2) TCP connection diagram.

The TCP connection state machine is shown in Figure 10-6.

[Figure 10-6: TCP connection state machine; image not available]

3) TCP flags.

  • SYN (Synchronize Sequence Numbers): valid only during the three-way handshake that establishes a TCP connection; it marks a new TCP connection request.
  • ACK (Acknowledgement Number): acknowledges a TCP request and tells the peer that all data so far has been received successfully.
  • FIN (FINish): used to end a TCP session; the port remains open, ready to receive subsequent data.
There are 8 bits in the control bits section of the TCP header:
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
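As an added example (not from the original post), the handshake and teardown that the flags above describe can be recovered from tcpdump's plain text output: the script below groups packets into flows by address pair and follows the SYN, SYN-ACK, ACK, FIN and RST flags to label each flow's final state. The capture lines are constructed, modelled on the SSH session in example 10-86, and the state names are this script's own, not tcpdump output.

```shell
# Summarise the TCP connection state of every flow in tcpdump's default output.
# Constructed capture: a complete SSH session (three-way handshake, data,
# four-way teardown), a SYN to a closed port answered with RST, and a SYN
# that never receives a reply (a half-open connection attempt).
CAPTURE='17:41:25.655390 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [S], seq 568201934, win 14600, length 0
17:41:25.655547 IP 10.0.0.201.ssh > 10.0.0.202.38382: Flags [S.], seq 2639908343, ack 568201935, win 28960, length 0
17:41:25.655733 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [.], ack 1, win 229, length 0
17:41:25.685047 IP 10.0.0.201.ssh > 10.0.0.202.38382: Flags [P.], seq 1:22, ack 1, win 227, length 21
17:41:25.685548 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [.], ack 22, win 229, length 0
17:41:30.100000 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [F.], seq 1, ack 22, win 229, length 0
17:41:30.100100 IP 10.0.0.201.ssh > 10.0.0.202.38382: Flags [.], ack 2, win 227, length 0
17:41:30.100200 IP 10.0.0.201.ssh > 10.0.0.202.38382: Flags [F.], seq 22, ack 2, win 227, length 0
17:41:30.100300 IP 10.0.0.202.38382 > 10.0.0.201.ssh: Flags [.], ack 23, win 229, length 0
17:42:01.000000 IP 10.0.0.5.40000 > 10.0.0.201.80: Flags [S], seq 1000, win 1024, length 0
17:42:01.000050 IP 10.0.0.201.80 > 10.0.0.5.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
17:42:02.000000 IP 10.0.0.5.40001 > 10.0.0.201.443: Flags [S], seq 2000, win 1024, length 0'

# tcp_flow_summary: read tcpdump lines on stdin, print one line per flow as
# "client>server: <flag sequence> => <state>". The client is the side that
# sent the first packet seen for the address pair.
tcp_flow_summary() {
    awk '
    $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        fl = $7; fl = substr(fl, 2, index(fl, "]") - 2)   # "[S.]," -> "S."
        fwd = src ">" dst; rev = dst ">" src
        if (fwd in flow) key = fwd
        else if (rev in flow) key = rev
        else { key = fwd; order[++n] = key; flow[key] = "" }
        flow[key] = flow[key] " " fl
        # Handshake: SYN from the client, SYN-ACK from the server, ACK from the client.
        if (key == fwd && fl ~ /S/ && fl !~ /\./) syn[key] = 1
        if (key == rev && fl ~ /S/ && fl ~ /\./) synack[key] = 1
        if (key == fwd && fl ~ /\./ && fl !~ /S/ && synack[key]) est[key] = 1
        # Teardown: one FIN from each side; an RST aborts the connection outright.
        if (fl ~ /F/) fin[key]++
        if (fl ~ /R/) rst[key] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (rst[k]) s = "RESET"
            else if (fin[k] >= 2) s = "CLOSED"
            else if (fin[k] == 1) s = "FIN_WAIT"
            else if (est[k]) s = "ESTABLISHED"
            else if (synack[k]) s = "SYN_RECEIVED"
            else if (syn[k]) s = "SYN_SENT"
            else s = "UNKNOWN"
            print k ":" flow[k] " => " s
        }
    }'
}

printf '%s\n' "$CAPTURE" | tcp_flow_summary
```

Feed a live capture with `tcpdump -n tcp | tcp_flow_summary` (or a saved one via `tcpdump -n -r file`); a large number of flows ending in SYN_SENT or RESET from one source is the pattern a port scan such as example 10-76 leaves behind.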

4) Capturing TCP traffic with tcpdump.

[Figure: tcpdump capture of the connection; image not available]

The data transfer phase:

[Figures: tcpdump capture of the data transfer; images not available]

The four-way teardown:

[Figure: tcpdump capture of the four-way teardown; image not available]

**Tip:** tcpdump is a very powerful and useful command and is worth the effort to master; doing so, of course, also requires some networking knowledge.

Reposted from blog.csdn.net/qq_25599925/article/details/126203111