What you should know about network packet capture (mainly wireshark, tcpdump)

Foreword:

Usage scenarios of network packet capture tools

1. Network security testing

After a project goes live there will be security risks to deal with. Which parts of the network need hardening, and which already meet the standard? Answering that needs real traffic, and packet capture tools are how you obtain it.

2. Quickly locating complex network problems

Some projects run in a complicated network, for example several networks mixed together, and some faults are buried deep. A page may open normally in the front end, yet you cannot tell whether it was served the way you expected, or whether there is a hidden loop somewhere in the network. For problems like these a packet capture tool is the fastest way to see where the traffic actually goes.

3. Target sniffing for crawler projects

The target of a crawler very likely uses various forms of encryption or obfuscation, and the details of how it talks to its backend are usually visible in the network traffic. Capturing that traffic is how you work out, quickly and accurately, what a complex crawler has to reproduce.

A brief introduction to tcpdump

tcpdump uses the libpcap library to capture packets and is available on almost every Linux/Unix system. Being fluent with it lets you analyse and debug network traffic from the command line. This article introduces its use in different scenarios through concrete examples. Whether you are a system administrator, a programmer, a cloud-native engineer or a "yaml engineer", mastering tcpdump makes you more capable (and, the author hopes, gets you a promotion and a raise).

On CentOS a minimal installation does not include it; install it with yum. The command is simply: yum install tcpdump -y

Like the ab command, tcpdump works out of the box once installed. It is simple and has a modest feature set compared with programs such as Wireshark; it does one job, capturing packets and printing or saving them.

Parameter list

Turn off name resolution to speed things up

-n Do not convert IP addresses into host names; print the address as-is. This avoids the DNS lookups tcpdump would otherwise make for every address, so output is much faster (and it stops tcpdump from generating reverse-DNS traffic of its own).

-nn In addition to -n, do not convert protocol and port numbers into names either (port 22 is printed as 22, not ssh). Faster still, and easier to parse.

-N Do not print the domain part of host names. With this option tcpdump prints 'nic' instead of 'nic.ddn.mil'.

Capture on a specific interface

-i Specify the interface to capture on. To capture on all interfaces use -i any (note that on "any" the link-layer header is a Linux "cooked" header rather than Ethernet, so -e output looks different).

Capture a specific traffic direction

-Q Select inbound or outbound packets only. Values are in, out and inout (the default); --direction=[direction] is the long form. Not every platform or interface type supports this.

Some commonly used parameters

-A Print each packet in ASCII (minus the link-layer header). Handy when capturing web traffic, since HTTP headers and bodies become readable directly.

-l Line-buffered output, so you can watch it as it arrives while also saving it or piping it to another tool. Combined with -A you can pull the User-Agent and Host headers (or any other header) out of live traffic with grep:

tcpdump -nn -A -s 1500 -l | grep -Ei 'User-Agent:|Host:'

-q Quiet output: print very little protocol information, so the lines are shorter.

-c count Exit after capturing count packets.

-s snaplen Capture only the first snaplen bytes of each packet. Older versions of tcpdump defaulted to 68 or 96 bytes, which truncated most payloads; current versions default to 262144 bytes, which is why the "capture size 262144 bytes" banner appears in the captures below and why whole HTTP bodies show up. -s 0 selects that default. Give a smaller value only when you deliberately want headers without payload, for example to keep a long-running capture small.

-S Print absolute TCP sequence numbers rather than relative ones. Relative numbers, where the first byte of each connection is 1, are the default and are what the captures below show (e.g. seq 36:160).

-C file-size Before writing each packet to the -w file, check whether the file is larger than file-size; if so, close it and open a new one. New files take the name given to -w with a number appended, starting at 1 and increasing. The unit is millions of bytes (1,000,000, not 1,048,576). Normally combined with -W to cap how many files are kept, so an unattended capture cannot fill the disk.

-F file Read the filter expression from file; any expression given on the command line is ignored.

Write the capture to a file and read it back

-w file Save the raw packets to file instead of printing them. Use a .pcap suffix and open the file in Wireshark for analysis. Options go before the filter expression:

tcpdump -w icmp.pcap icmp

-r file Read packets from file instead of an interface. The same filter syntax still applies, so a saved capture can be narrowed down later:

tcpdump -r all.pcap icmp
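A wrapper for the -w/-C file capture described here, added as an example that is not part of the original post. It checks the preconditions an unattended capture needs and then composes the command line: -nn so the capture emits no DNS traffic of its own, -s 0 for full packets, -C with -W (tcpdump's option to cap the number of rotated files, not listed above) so the disk cannot fill, -Z to drop root once the device is open, and a default filter that keeps your own SSH session out of the capture. The interface name ens33 comes from this page; the unprivileged user name "tcpdump" is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: precondition checks plus a
# composed tcpdump command for a rotating on-disk capture.

# Exit non-zero with a reason if the interface, user or output directory is
# missing. Checked up front, because tcpdump only complains about a bad -Z
# user or an unwritable -w path after it has already opened the device.
# -Z switches user after the device is opened but before the first output
# file is created, so the output directory must be writable by that user.
check_capture_prereqs() {
  local iface=$1 outdir=$2 user=$3
  [ -d "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
  id "$user" >/dev/null 2>&1      || { echo "no such user: $user" >&2; return 1; }
  [ -d "$outdir" ] && [ -w "$outdir" ] || { echo "output dir not writable: $outdir" >&2; return 1; }
}

# Compose (print) the command. $1 interface, $2 output dir, $3 file size for
# -C in millions of bytes, $4 number of files to keep for -W, $5 user for -Z,
# $6 optional BPF filter (default: everything except our own SSH session).
build_capture_cmd() {
  local iface=$1 outdir=$2 size_mb=$3 keep=$4 user=$5 filter=${6:-"not port 22"}
  printf '%s' "tcpdump -i $iface -nn -s 0 -Z $user -C $size_mb -W $keep -w $outdir/$iface.pcap $filter"
}

# Dry run: show what would be started. Run check_capture_prereqs first and
# then execute the printed command as root to start the real capture.
echo "$(build_capture_cmd ens33 /var/tmp/caps 100 10 tcpdump)"
```

With -C 100 -W 10 the ring holds at most about 1 GB of pcap; raise -W rather than -C if you need longer history, since Wireshark is happier opening many 100 MB files than one huge one.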

Parameters that control what is captured and shown

-D List all available network interfaces and exit.

-e Print the link-layer header (source and destination MAC addresses) on each line.

-E spi@ipaddr algo:secret Decrypt IPsec ESP packets with the given SPI, peer address, algorithm and key. Only useful for debugging, and only when you legitimately hold the key.

-L List the link-layer types the interface supports and exit.

-Z user Drop privileges: when started as root, tcpdump switches to user after opening the capture device but before opening any output file. Without it tcpdump keeps running as root, so a bug in a protocol dissector is a root-level bug; some distributions compile in a default such as a dedicated tcpdump user. The directory given to -w must then be writable by that user.

-d Print the compiled packet-matching code (BPF) in human-readable form and exit; useful for seeing what a filter expression actually became.

-dd Print the packet-matching code as a C program fragment.

-ddd Print the packet-matching code as decimal numbers, preceded by a count.

Control the verbosity

-v Verbose output: the packet's TTL, identification, total length and IP options are shown, and additional integrity checks are enabled, such as verifying the IP and ICMP header checksums.

-vv More verbose than -v. For example, extra fields of NFS reply packets are printed and SMB packets are fully decoded. (Taken from the Internet; I have not used it yet.)

-vvv More verbose than -vv. For example, the SB and SE options used by telnet are printed in full, and if telnet uses graphical options these are printed in hex. (Taken from the Internet; I have not used it yet.)

Control the timestamp display

-t Do not print a timestamp on each line.

-tt Print the timestamp as seconds since the Unix epoch, unformatted.

-ttt Print the delta between the current and the previous line (microseconds by default, nanoseconds with --time-stamp-precision=nano).

-tttt Print the date in front of the time on each line (the most readable form).

Dump packet contents

-x Print each packet in hex, excluding the link-layer header.

-xx Print each packet in hex, including the link-layer header.

-X Print each packet in both hex and ASCII, excluding the link-layer header. Very convenient when analysing an unfamiliar or new protocol.

-XX Print each packet in both hex and ASCII, including the link-layer header.

After the options comes the filter expression, which is built from three kinds of qualifiers:

proto qualifiers restrict by protocol. Recognised keywords are: tcp, udp, icmp, ip, ip6, arp, rarp, ether, wlan, fddi, tr, decnet.

type qualifiers say what kind of value follows. Recognised keywords are host, net, port and portrange, each followed by a parameter (e.g. host 192.168.123.1, port 80, portrange 2379-2380).

dir qualifiers restrict by direction of flow. Recognised keywords are src and dst, and qualifiers can be combined with the logical operators and, or and not, e.g. src host 192.168.123.1 and dst port 80.

OK, that looks like a lot of parameters, but most of them are rarely used; only a handful come up every day. The rest of this article explains those with examples.




1. Monitor a specified network interface (-i)

For example, my Linux virtual machine has an interface named ens33. Capture the traffic passing through it and print detailed information:

[root@node1 ~]# tcpdump -vv -i ens33 |more
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:45:35.541931 IP (tos 0x10, ttl 64, id 61217, offset 0, flags [DF], proto TCP (6), length 76)
    server0.ssh > 192.168.123.1.57930: Flags [P.], cksum 0x869f (correct), seq 354227367:354227403, ack 2554328704, win 274, length 36
00:45:35.542034 IP (tos 0x10, ttl 64, id 61218, offset 0, flags [DF], proto TCP (6), length 164)
    server0.ssh > 192.168.123.1.57930: Flags [P.], cksum 0xcb1d (correct), seq 36:160, ack 1, win 274, length 124
00:45:35.542196 IP (tos 0x0, ttl 64, id 62863, offset 0, flags [DF], proto UDP (17), length 72)
    server0.43079 > public2.alidns.com.domain: [udp sum ok] 27602+ PTR? 1.123.168.192.in-addr.arpa. (44)
00:45:35.542322 IP (tos 0x0, ttl 64, id 15391, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.123.1.57930 > server0.ssh: Flags [.], cksum 0x03a5 (correct), seq 1, ack 36, win 4101, options [nop,nop,sack 1 {0:36}], length 0
00:45:35.583563 IP (tos 0x0, ttl 64, id 15392, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.57930 > server0.ssh: Flags [.], cksum 0x8cec (correct), seq 1, ack 160, win 4101, length 0
00:45:35.587940 IP (tos 0x0, ttl 128, id 65357, offset 0, flags [none], proto UDP (17), length 149)
    public2.alidns.com.domain > server0.43079: [udp sum ok] 27602 NXDomain q: PTR? 1.123.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. SOA prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800 (121)
00:45:35.588840 IP (tos 0x0, ttl 64, id 62874, offset 0, flags [DF], proto UDP (17), length 68)
    server0.51572 > public2.alidns.com.domain: [udp sum ok] 20994+ PTR? 6.6.6.223.in-addr.arpa. (40)
00:45:35.634474 IP (tos 0x0, ttl 128, id 65358, offset 0, flags [none], proto UDP (17), length 100)
    public2.alidns.com.domain > server0.51572: [udp sum ok] 20994 q: PTR? 6.6.6.223.in-addr.arpa. 1/0/0 6.6.6.223.in-addr.arpa. PTR public2.alidns.com. (72)
00:45:35.753081 IP (tos 0x0, ttl 64, id 50245, offset 0, flags [DF], proto TCP (6), length 60)
    server1.45136 > server0.2380: Flags [S], cksum 0xe926 (correct), seq 4107944122, win 29200, options [mss 1460,sackOK,TS val 19891455 ecr 0,nop,wscale 7], length 0
00:45:35.753123 IP (tos 0x0, ttl 64, id 400, offset 0, flags [DF], proto TCP (6), length 40)
    server0.2380 > server1.45136: Flags [R.], cksum 0x4935 (correct), seq 0, ack 4107944123, win 0, length 0
00:45:35.753140 IP (tos 0x0, ttl 64, id 52130, offset 0, flags [DF], proto TCP (6), length 60)
    server1.45140 > server0.2380: Flags [S], cksum 0xd6b9 (correct), seq 4171255645, win 29200, options [mss 1460,sackOK,TS val 19891455 ecr 0,nop,wscale 7], length 0
00:45:35.753145 IP (tos 0x0, ttl 64, id 401, offset 0, flags [DF], proto TCP (6), length 40)
    server0.2380 > server1.45140: Flags [R.], cksum 0x36c8 (correct), seq 0, ack 4171255646, win 0, length 0
00:45:35.841681 IP (tos 0x0, ttl 64, id 8501, offset 0, flags [DF], proto TCP (6), length 60)
    server0.57066 > server1.2379: Flags [S], cksum 0x2774 (correct), seq 2700492840, win 29200, options [mss 1460,sackOK,TS val 211902749 ecr 0,nop,wscale 7], length 0
00:45:35.841916 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)

This output scrolls by very quickly, which is why it is piped through more: the Xshell session used to reach this virtual machine runs over SSH on this same interface, so the capture is full of the SSH traffic that carries the capture output itself (the server0.ssh lines above). A filter such as not port 22 keeps your own session out of the capture.

So what does all this mean? In other words, how do we read the packets we captured?

00:45:35.541931 IP (tos 0x10, ttl 64, id 61217, offset 0, flags [DF], proto TCP (6), length 76)
    server0.ssh > 192.168.123.1.57930: Flags [P.], cksum 0x869f (correct), seq 354227367:354227403, ack 2554328704, win 274, length 36

Take this pair of lines as an example. 00:45:35.541931 is the timestamp of the captured packet, to microsecond precision. tos, ttl and id are fields of the IP header; flags [DF] means the Don't Fragment bit is set; proto TCP (6) says the payload is TCP; length 76 is the total IP length. The second line gives the direction: from server0.ssh (host name plus service name, i.e. port 22 on the virtual machine) to 192.168.123.1 port 57930, which is my host/gateway address. Flags [P.] is PSH plus ACK, i.e. data being pushed to the SSH client (it is not a SYN response). seq 354227367:354227403 is the byte range carried (36 bytes, matching length 36), ack is the next byte expected from the peer, and win is the advertised receive window. cksum 0x869f (correct) appears because -vv verifies the TCP checksum. The flag letters tcpdump uses are:

  • [S] : SYN (connection request, first step of the handshake)
  • [S.] : SYN+ACK (the server's reply, second step of the handshake)
  • [.] : ACK only, no other flag set (the "." always means ACK)
  • [P.] : PSH+ACK (data pushed)
  • [F.] : FIN+ACK (orderly close)
  • [R.] / [R] : RST (reset; the reply you get from a closed port, as in the server0.2380 > server1 lines above)
  • [U], [E], [W] : URG, ECE, CWR (rarely seen)
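As an added example (not from the original post), the following script applies the flag table above to tcpdump -nn style output: it counts the flag combinations, finds endpoints that answered a SYN with RST, which is what server0.2380 did to server1 in the capture above, and lists SYNs that got no answer at all, the signature of a port scan or a silently dropping firewall. The sample lines are constructed from this page's capture with names replaced by addresses (server0 is 192.168.123.11, from the Host: header later on); server1's address is never shown on the page, so 192.168.123.12 and the final unanswered SYN are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Reads tcpdump -nn output
# (fields: "time IP a.b.c.d.port > e.f.g.h.port: Flags [..], ...") and
# summarises TCP flags, refused connections and unanswered SYNs.
#
# Constructed sample modelled on the capture above; 192.168.123.12 and the
# last line (a SYN nobody answers) are assumptions.
TCP_SAMPLE='00:45:35.541931 IP 192.168.123.11.22 > 192.168.123.1.57930: Flags [P.], seq 354227367:354227403, ack 2554328704, win 274, length 36
00:45:35.542322 IP 192.168.123.1.57930 > 192.168.123.11.22: Flags [.], ack 36, win 4101, length 0
00:45:35.753081 IP 192.168.123.12.45136 > 192.168.123.11.2380: Flags [S], seq 4107944122, win 29200, length 0
00:45:35.753123 IP 192.168.123.11.2380 > 192.168.123.12.45136: Flags [R.], seq 0, ack 4107944123, win 0, length 0
00:45:35.753140 IP 192.168.123.12.45140 > 192.168.123.11.2380: Flags [S], seq 4171255645, win 29200, length 0
00:45:35.753145 IP 192.168.123.11.2380 > 192.168.123.12.45140: Flags [R.], seq 0, ack 4171255646, win 0, length 0
00:45:35.841681 IP 192.168.123.11.57066 > 192.168.123.12.2379: Flags [S], seq 2700492840, win 29200, length 0
00:45:35.841916 IP 192.168.123.12.2379 > 192.168.123.11.57066: Flags [S.], seq 1, ack 2700492841, win 28960, length 0
00:45:36.100000 IP 192.168.123.12.45150 > 192.168.123.11.2381: Flags [S], seq 1, win 29200, length 0'

# Count every distinct "Flags [...]" value on stdin; prints "flags count".
flag_summary() {
  awk 'match($0, /Flags \[[^]]*\]/) {
         f = substr($0, RSTART + 7, RLENGTH - 8)   # text between the brackets
         n[f]++
       }
       END { for (f in n) print f, n[f] }' | LC_ALL=C sort
}

# Endpoints that replied to a SYN with RST+ACK. A SYN is remembered by its
# destination (field 5 minus the trailing colon); a later [R.] whose source
# (field 3) is a remembered SYN target is a refused connection (closed port).
refused_ports() {
  awk '/Flags \[S\],/ { d = $5; sub(/:$/, "", d); syn[d] = 1 }
       /Flags \[R\.\],/ && ($3 in syn) { n[$3]++ }
       END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# SYNs that never got a SYN+ACK or RST back: a scan, a port behind a
# dropping firewall, or a capture that ended mid-handshake. Key is "src > dst".
unanswered_syns() {
  awk '/Flags \[S\],/ { d = $5; sub(/:$/, "", d); pending[$3 " > " d] = 1 }
       /Flags \[(S\.|R\.|R)\],/ { d = $5; sub(/:$/, "", d); delete pending[d " > " $3] }
       END { for (k in pending) print k }' | LC_ALL=C sort
}

printf '%s\n' "$TCP_SAMPLE" | flag_summary
printf '%s\n' "$TCP_SAMPLE" | refused_ports
printf '%s\n' "$TCP_SAMPLE" | unanswered_syns
```

Run it on real traffic with tcpdump -nn -l -i ens33 tcp | flag_summary (or the other two functions); the -nn is required because the field positions assume bare addresses and ports.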
00:45:35.542196 IP (tos 0x0, ttl 64, id 62863, offset 0, flags [DF], proto UDP (17), length 72)
    server0.43079 > public2.alidns.com.domain: [udp sum ok] 27602+ PTR? 1.123.168.192.in-addr.arpa. (44)

This pair of lines is a reverse DNS (PTR) lookup of the address 192.168.123.1, sent to Alibaba Cloud's public resolver (public2.alidns.com, i.e. 223.6.6.6). DNS normally runs over UDP, which is what proto UDP (17) shows; the direction is from the virtual machine server0 to the Alibaba Cloud resolver. Note who is sending it: tcpdump itself. Because -n was not given, tcpdump resolves every address it prints, which slows the output and also leaks your internal addressing to an external resolver. The NXDomain reply carrying the prisoner.iana.org SOA record is the standard answer for RFC 1918 reverse zones, which a public resolver cannot know about. Use -nn whenever you capture on a network whose addresses a third-party resolver should not see.

It is indeed using Alibaba Cloud's DNS:

[root@node1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 223.6.6.6
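The leak described above can be checked for after the fact. The script below is an added example, not part of the original post: it scans tcpdump -nn output for PTR queries about RFC 1918 addresses that were sent to a resolver outside private address space. The sample lines are constructed from this page's capture with names replaced by the addresses they resolve to; the A query and the query to an internal resolver 192.168.123.1 are added to show what is not reported.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Finds reverse lookups of
# private addresses that left for a public resolver, the side effect of
# running tcpdump without -n. Sample constructed from the capture above.
DNS_SAMPLE='00:45:35.542196 IP 192.168.123.11.43079 > 223.6.6.6.53: 27602+ PTR? 1.123.168.192.in-addr.arpa. (44)
00:45:35.587940 IP 223.6.6.6.53 > 192.168.123.11.43079: 27602 NXDomain 0/1/0 (121)
00:45:35.588840 IP 192.168.123.11.51572 > 223.6.6.6.53: 20994+ PTR? 6.6.6.223.in-addr.arpa. (40)
00:45:35.634474 IP 223.6.6.6.53 > 192.168.123.11.51572: 20994 1/0/0 PTR public2.alidns.com. (72)
00:45:36.001000 IP 192.168.123.11.51580 > 223.6.6.6.53: 31000+ A? mirrors.centos.org. (36)
00:45:36.002000 IP 192.168.123.11.51581 > 192.168.123.1.53: 31001+ PTR? 12.123.168.192.in-addr.arpa. (45)'

# Print "leaked-ip -> resolver" for every PTR query about an RFC 1918 address
# that was sent to a non-private resolver. Queries about public addresses,
# non-PTR queries and queries to an internal resolver are not reported.
leaked_ptr_queries() {
  awk '
    function is_private(ip,    o) {
      split(ip, o, ".")
      return (o[1]+0 == 10) || (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) || (o[1]+0 == 192 && o[2]+0 == 168)
    }
    / PTR[?] / {
      name = ""
      for (i = 1; i <= NF; i++) if ($i == "PTR?") name = $(i + 1)
      if (sub(/\.in-addr\.arpa\.$/, "", name) == 0) next   # not an IPv4 reverse name
      if (split(name, r, ".") != 4) next
      ip = r[4] "." r[3] "." r[2] "." r[1]                  # PTR names list the octets reversed
      resolver = $5
      sub(/:$/, "", resolver); sub(/\.[0-9]+$/, "", resolver)   # drop ":" and the ".53" port
      if (is_private(ip) && !is_private(resolver)) print ip " -> " resolver
    }' | LC_ALL=C sort -u
}

printf '%s\n' "$DNS_SAMPLE" | leaked_ptr_queries
```

Feed it a saved capture with tcpdump -nn -r all.pcap udp port 53 | leaked_ptr_queries; any output means internal addresses were disclosed to whichever resolver is listed.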

2. Filtering tcpdump output

In practice -i alone is usually enough, but there is a problem: the output is far too much and hard on the eyes. Some filtering is needed so that we only see the traffic we are interested in.

This example installs the httpd service on the virtual machine server0 and then opens the service's home page from a browser on the host machine. The command and its output are as follows.

The command uses -vv, a moderately verbose level (the maximum is -vvv), and -e, which adds link-layer information, i.e. the source and destination MAC addresses. The filter port 80 restricts the capture to HTTP. Even so there is a lot of output, and you will notice a few 404s for fonts referenced by the test page; those are harmless. What matters is how much a single page load hands to anyone watching the wire: the MAC addresses of both machines, the host's browser version in User-Agent, server0's IP address, the web server's exact version in the Server header (Apache/2.4.6 (CentOS)), and the fact that / returns 403 with the stock CentOS test page, which tells an attacker nothing has been deployed yet. Everything carried over plain HTTP is readable like this, which is the practical argument for TLS.

[root@node1 ~]# tcpdump  -i ens33 -vv -e port 80 |more
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:18:10.567545 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33921, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51900 > server0.http: Flags [F.], cksum 0x5b8f (correct), seq 25081266, ack 3031668207, win 4102, length 0
01:18:10.567596 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 20714, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51900: Flags [.], cksum 0x6aa0 (correct), seq 1, ack 1, win 245, length 0
01:18:10.567620 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33922, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51899 > server0.http: Flags [F.], cksum 0x30e1 (correct), seq 234186194, ack 2457347651, win 4102, length 0
01:18:10.567629 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 20715, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51899: Flags [.], cksum 0x3fe9 (correct), seq 1, ack 1, win 254, length 0
01:18:10.567641 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 33923, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.123.1.51913 > server0.http: Flags [S], cksum 0xe259 (correct), seq 2266679347, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:18:10.567667 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    server0.http > 192.168.123.1.51913: Flags [S.], cksum 0xca6a (correct), seq 4244677566, ack 2266679348, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:18:10.567680 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 33924, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.123.1.51914 > server0.http: Flags [S], cksum 0x514b (correct), seq 2355123195, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:18:10.567692 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    server0.http > 192.168.123.1.51914: Flags [S.], cksum 0x0944 (correct), seq 3950044518, ack 2355123196, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:18:10.567932 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33925, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x6d43 (correct), seq 1, ack 1, win 4106, length 0
01:18:10.567950 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33926, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51914 > server0.http: Flags [.], cksum 0xac1c (correct), seq 1, ack 1, win 4106, length 0
01:18:10.567954 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 513: (tos 0x0, ttl 64, id 33927, offset 0, flags [DF], proto TCP (6), length 499)
    192.168.123.1.51913 > server0.http: Flags [P.], cksum 0xb25d (correct), seq 1:460, ack 1, win 4106, length 459: HTTP, length: 459
	GET / HTTP/1.1
	Host: 192.168.123.11
	Connection: keep-alive
	Cache-Control: max-age=0
	Upgrade-Insecure-Requests: 1
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
	Accept-Encoding: gzip, deflate
	Accept-Language: zh-CN,zh;q=0.9
	
01:18:10.567986 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 38779, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0x7a95 (correct), seq 1, ack 460, win 237, length 0
01:18:10.568546 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 38780, offset 0, flags [DF], proto TCP (6), length 1500)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0xed50 (correct), seq 1:1461, ack 460, win 237, length 1460: HTTP, length: 1460
	HTTP/1.1 403 Forbidden
	Date: Tue, 10 Oct 2023 17:18:10 GMT
	Server: Apache/2.4.6 (CentOS)
	Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
	ETag: "1321-5058a1e728280"
	Accept-Ranges: bytes
	Content-Length: 4897
	Keep-Alive: timeout=5, max=100
	Connection: Keep-Alive
	Content-Type: text/html; charset=UTF-8
	
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
	<meta http-equiv="content-type" content="text/html; charset=UTF-8">
			<title>Apache HTTP Server Test Page powered by CentOS</title>
			<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
	
	    <!-- Bootstrap -->
	    <link href="/noindex/css/bootstrap.min.css" rel="stylesheet">
	    <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" />
	
	<style type="text/css"><!--		 
	
	body {
	  font-family: "Open Sans", Helvetica, sans-serif;
	  font-weight: 100;
	  color: #ccc;
	  background: rgba(10, 24, 55, 1);
	  font-size: 16px;
	}
	
	h2, h3, h4 {
	  font-weight: 200;
	}
	
	h2 {
	  font-size: 28px;
	}
	
	.jumbotron {
	  margin-bottom: 0;
	  color: #333;
	  background: rgb(212,212,221); /* Old browsers */
	  background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */
	}
	
	.jumbotron h1 {
	  font-size: 128px;
	  font-weight: 700;
	  color: white;
	  text-shadow: 0px 2px 0px #abc,
	               0px 4px 10px rgba(0,0,0,0.15),
	               0px 5px 2px rgba(0,0,0,0.1),
	               [!http]
01:18:10.568577 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 38781, offset 0, flags [DF], proto TCP (6), length 1500)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0xc442 (correct), seq 1461:2921, ack 460, win 237, length 1460: HTTP
01:18:10.568595 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 38782, offset 0, flags [DF], proto TCP (6), length 1500)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0x2407 (correct), seq 2921:4381, ack 460, win 237, length 1460: HTTP
01:18:10.568639 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 879: (tos 0x0, ttl 64, id 38783, offset 0, flags [DF], proto TCP (6), length 865)
    server0.http > 192.168.123.1.51913: Flags [P.], cksum 0xe705 (correct), seq 4381:5206, ack 460, win 237, length 825: HTTP
01:18:10.568796 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33928, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x5723 (correct), seq 460, ack 5206, win 4106, length 0
01:18:10.585181 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 455: (tos 0x0, ttl 64, id 33929, offset 0, flags [DF], proto TCP (6), length 441)
    192.168.123.1.51913 > server0.http: Flags [P.], cksum 0xb661 (correct), seq 460:861, ack 5206, win 4106, length 401: HTTP, length: 401
	GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1
	Host: 192.168.123.11
	Connection: keep-alive
	Origin: http://192.168.123.11
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
	Accept: */*
	Referer: http://192.168.123.11/noindex/css/open-sans.css
	Accept-Encoding: gzip, deflate
	Accept-Language: zh-CN,zh;q=0.9
	
01:18:10.585276 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 457: (tos 0x0, ttl 64, id 33930, offset 0, flags [DF], proto TCP (6), length 443)
    192.168.123.1.51914 > server0.http: Flags [P.], cksum 0x79fb (correct), seq 1:404, ack 1, win 4106, length 403: HTTP, length: 403
	GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1
	Host: 192.168.123.11
	Connection: keep-alive
	Origin: http://192.168.123.11
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
	Accept: */*
	Referer: http://192.168.123.11/noindex/css/open-sans.css
	Accept-Encoding: gzip, deflate
	Accept-Language: zh-CN,zh;q=0.9
	
01:18:10.585308 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 53682, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51914: Flags [.], cksum 0xb9a6 (correct), seq 1, ack 404, win 237, length 0
01:18:10.585557 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 508: (tos 0x0, ttl 64, id 38784, offset 0, flags [DF], proto TCP (6), length 494)
    server0.http > 192.168.123.1.51913: Flags [P.], cksum 0xae1f (correct), seq 5206:5660, ack 861, win 245, length 454: HTTP, length: 454
	HTTP/1.1 404 Not Found
	Date: Tue, 10 Oct 2023 17:18:10 GMT
	Server: Apache/2.4.6 (CentOS)
	Content-Length: 239
	Keep-Alive: timeout=5, max=99
	Connection: Keep-Alive
	Content-Type: text/html; charset=iso-8859-1
	
	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
	<html><head>
	<title>404 Not Found</title>
	</head><body>
	<h1>Not Found</h1>
	<p>The requested URL /noindex/css/fonts/Bold/OpenSans-Bold.woff was not found on this server.</p>
	</body></html>
01:18:10.585943 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 511: (tos 0x0, ttl 64, id 53683, offset 0, flags [DF], proto TCP (6), length 497)
    server0.http > 192.168.123.1.51914: Flags [P.], cksum 0xbb5c (correct), seq 1:458, ack 404, win 237, length 457: HTTP, length: 457
	HTTP/1.1 404 Not Found
	Date: Tue, 10 Oct 2023 17:18:10 GMT
	Server: Apache/2.4.6 (CentOS)
	Content-Length: 241
	Keep-Alive: timeout=5, max=100
	Connection: Keep-Alive
	Content-Type: text/html; charset=iso-8859-1
	
	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
	<html><head>
	<title>404 Not Found</title>
	</head><body>
	<h1>Not Found</h1>
	<p>The requested URL /noindex/css/fonts/Light/OpenSans-Light.woff was not found on this server.</p>
	</body></html>
01:18:10.589160 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 454: (tos 0x0, ttl 64, id 33931, offset 0, flags [DF], proto TCP (6), length 440)
    192.168.123.1.51914 > server0.http: Flags [P.], cksum 0xe28b (correct), seq 404:804, ack 458, win 4104, length 400: HTTP, length: 400
	GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1
	Host: 192.168.123.11
	Connection: keep-alive
	Origin: http://192.168.123.11
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
	Accept: */*
	Referer: http://192.168.123.11/noindex/css/open-sans.css
	Accept-Encoding: gzip, deflate
	Accept-Language: zh-CN,zh;q=0.9
	
01:18:10.589311 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 507: (tos 0x0, ttl 64, id 53684, offset 0, flags [DF], proto TCP (6), length 493)
    server0.http > 192.168.123.1.51914: Flags [P.], cksum 0x52d1 (correct), seq 458:911, ack 804, win 245, length 453: HTTP, length: 453
	HTTP/1.1 404 Not Found
	Date: Tue, 10 Oct 2023 17:18:10 GMT
	Server: Apache/2.4.6 (CentOS)
	Content-Length: 238
	Keep-Alive: timeout=5, max=99
	Connection: Keep-Alive
	Content-Type: text/html; charset=iso-8859-1
	
	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
	<html><head>
	<title>404 Not Found</title>
	</head><body>
	<h1>Not Found</h1>
	<p>The requested URL /noindex/css/fonts/Bold/OpenSans-Bold.ttf was not found on this server.</p>
	</body></html>
01:18:10.590131 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 456: (tos 0x0, ttl 64, id 33932, offset 0, flags [DF], proto TCP (6), length 442)
    192.168.123.1.51914 > server0.http: Flags [P.], cksum 0x4dd9 (correct), seq 804:1206, ack 911, win 4102, length 402: HTTP, length: 402
	GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1
	Host: 192.168.123.11
	Connection: keep-alive
	Origin: http://192.168.123.11
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
	Accept: */*
	Referer: http://192.168.123.11/noindex/css/open-sans.css
	Accept-Encoding: gzip, deflate
	Accept-Language: zh-CN,zh;q=0.9
	
01:18:10.590241 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 509: (tos 0x0, ttl 64, id 53685, offset 0, flags [DF], proto TCP (6), length 495)
    server0.http > 192.168.123.1.51914: Flags [P.], cksum 0xc611 (correct), seq 911:1366, ack 1206, win 254, length 455: HTTP, length: 455
	HTTP/1.1 404 Not Found
	Date: Tue, 10 Oct 2023 17:18:10 GMT
	Server: Apache/2.4.6 (CentOS)
	Content-Length: 240
	Keep-Alive: timeout=5, max=98
	Connection: Keep-Alive
	Content-Type: text/html; charset=iso-8859-1
	
	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
	<html><head>
	<title>404 Not Found</title>
	</head><body>
	<h1>Not Found</h1>
	<p>The requested URL /noindex/css/fonts/Light/OpenSans-Light.ttf was not found on this server.</p>
	</body></html>
01:18:10.626356 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33934, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x53ce (correct), seq 861, ack 5660, win 4104, length 0
01:18:10.630824 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33935, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51914 > server0.http: Flags [.], cksum 0xa218 (correct), seq 1206, ack 1366, win 4100, length 0
01:18:15.591467 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 38785, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51913: Flags [F.], cksum 0x62e0 (correct), seq 5660, ack 861, win 245, length 0
01:18:15.591687 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33937, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x53cd (correct), seq 861, ack 5661, win 4104, length 0
01:18:15.594413 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 53686, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51914: Flags [F.], cksum 0xb11d (correct), seq 1366, ack 1206, win 254, length 0
01:18:15.594532 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33938, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51914 > server0.http: Flags [.], cksum 0xa217 (correct), seq 1206, ack 1367, win 4100, length 0
01:18:25.903287 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33939, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [F.], cksum 0x53cc (correct), seq 861, ack 5661, win 4104, length 0
01:18:25.903320 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 28459, offset 0, flags [DF], proto TCP (6), length 40)
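Reading a capture like the one above by eye does not scale. The script below is an added example, not part of the original post: it pulls the security-relevant facts out of tcpdump -vv/-A HTTP output, namely every request line with its Host and User-Agent, the status codes returned, and the Server banners disclosed. The sample is a constructed, shortened copy of the capture shown on this page (header lines indented as tcpdump prints them, IP addresses in place of names).

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Summarises HTTP requests,
# response codes and Server banners from tcpdump -vv/-A text. Sample is a
# shortened, constructed copy of the capture above.
HTTP_SAMPLE='01:18:10.567954 IP 192.168.123.1.51913 > 192.168.123.11.80: Flags [P.], seq 1:460, ack 1, win 4106, length 459: HTTP, length: 459
    GET / HTTP/1.1
    Host: 192.168.123.11
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0.4389.128
01:18:10.568546 IP 192.168.123.11.80 > 192.168.123.1.51913: Flags [.], seq 1:1461, ack 460, win 237, length 1460: HTTP, length: 1460
    HTTP/1.1 403 Forbidden
    Server: Apache/2.4.6 (CentOS)
    Content-Type: text/html; charset=UTF-8
01:18:10.585181 IP 192.168.123.1.51913 > 192.168.123.11.80: Flags [P.], seq 460:861, ack 5206, win 4106, length 401: HTTP, length: 401
    GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1
    Host: 192.168.123.11
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0.4389.128
01:18:10.585557 IP 192.168.123.11.80 > 192.168.123.1.51913: Flags [P.], seq 5206:5660, ack 861, win 245, length 454: HTTP, length: 454
    HTTP/1.1 404 Not Found
    Server: Apache/2.4.6 (CentOS)
    Content-Type: text/html; charset=iso-8859-1'

# One line per request: "METHOD PATH host=... ua=...". Header lines are the
# indented ones; an unindented line is the next packet and ends the message.
http_requests() {
  awk '
    function flush() { if (method != "") print method, path, "host=" host, "ua=" ua; method = "" }
    { sub(/\r$/, "") }
    /^[^ \t]/ { flush() }
    /^[ \t]*(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^ ]+ HTTP\/1\.[01]$/ {
      method = $1; path = $2; host = ""; ua = ""
    }
    /^[ \t]*Host: / { host = $2 }
    /^[ \t]*User-Agent: / { ua = $0; sub(/^[ \t]*User-Agent: /, "", ua) }
    END { flush() }'
}

# Status codes seen in responses, with counts.
status_codes() {
  awk '/^[ \t]*HTTP\/1\.[01] [0-9][0-9][0-9]/ { n[$2]++ }
       END { for (c in n) print c, n[c] }' | LC_ALL=C sort
}

# Distinct Server: banners (version disclosure), with counts.
server_banners() {
  awk '/^[ \t]*Server: / { b = $0; sub(/^[ \t]*Server: /, "", b); n[b]++ }
       END { for (b in n) print n[b], b }' | LC_ALL=C sort
}

printf '%s\n' "$HTTP_SAMPLE" | http_requests
printf '%s\n' "$HTTP_SAMPLE" | status_codes
printf '%s\n' "$HTTP_SAMPLE" | server_banners
```

Against live traffic, tcpdump -nn -A -l -i ens33 port 80 | http_requests gives a running inventory of who is asking for what; server_banners over a saved capture is a quick way to find services that still announce their exact version.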

To be continued! ! !

Origin blog.csdn.net/alwaysbefine/article/details/133624804