tcpdump packet capture analysis (highly recommended)

1 Background

Some time ago I worked on a production problem: an online application that accepts POST requests was sometimes receiving incomplete request bodies, with parameters missing. The problem was sporadic, occurring in roughly 5%-10% of requests, which is quite a high rate. During the investigation I used Wireshark and tcpdump to capture and analyze the packets. Used together, these two tools work perfectly: no network traffic can hide from them.

To make it easier to use these tools well, I have put together this article. I hope it proves useful and gives you one more weapon for troubleshooting.

2 Introduction to tcpdump and Wireshark

When debugging network problems, tcpdump is an essential tool and one of the most outstanding tools on Linux; its strength is that it is simple and powerful. It is a command-line packet sniffer for Unix-like systems that captures the packets flowing through a network interface.

By default, tcpdump does not capture packets exchanged between processes on the local machine. In the network protocol stack, a packet whose destination is the local host still passes through the local protocol layers, so local communication enters the kernel through the socket API and is routed there. [TCP communication on the local machine still needs the basic elements of socket communication: src ip/port and dst ip/port]

To capture packets addressed to other hosts' MAC addresses with tcpdump, the network card must be put in promiscuous mode. Put simply, promiscuous mode lets a network card capture every packet that passes through it, whether or not the packet is addressed to it or was sent by it. Normally Unix does not let ordinary users enable promiscuous mode, because it exposes other people's information, such as telnet user names and passwords, which raises security problems; only the root user can enable it. The command is: ifconfig en0 promisc, where en0 is the interface to put in promiscuous mode.

How packet capture works on Linux:

The Linux capture process obtains the packets received by the network device by registering a virtual low-level network protocol. When the network card receives a packet, the system passes it through all registered network protocol handlers (for example the Ethernet and X.25 modules), each of which tries to parse and process it. This resembles mounting a file system: the system lets every registered file system try the mount, and whichever one believes it can handle the device completes it.

When the capture module disguises itself as a network protocol, the system gives this pseudo-protocol a chance to process every packet received by the network card. The module uses that opportunity to snoop on the packet: it makes an intact copy, treats it as a packet received for itself, and reports it to the capture program.

Wireshark is a network protocol analyzer that supports Windows, Unix and Mac. The Wireshark graphical interface is generally used on desktop platforms. On Linux, tcpdump is used directly, since most Linux systems ship with it, and the capture can then be opened in Wireshark for analysis.

On the Mac platform, Wireshark captures through WinPcap, which is well packaged and easy to use; capture filters and display filters are easy to write, and their use is explained below. Wireshark is a free tool, and a quick Google search will show where to download it.

In short, tcpdump is very convenient for capturing data, and Wireshark is more convenient for analyzing the captured data.

3 tcpdump use

3.1 Syntax

Type keywords

host (the default type): specifies a host, for example: host 210.27.48.2

net: specifies a network address, for example: net 202.0.0.0

port: specifies a port number, for example: port 23

Direction keywords

src: src 210.27.48.2, the source address of the IP packet is 210.27.48.2

dst: dst net 202.0.0.0, the destination network address is 202.0.0.0

dst or src (the default)

dst and src

Protocol keywords: by default, packets of all protocols are captured

fddi

ip

arp

rarp

tcp

udp

Other keywords

gateway

broadcast

less

greater

Common expressions: multiple conditions can be grouped with parentheses, but the parentheses must be escaped (or quoted) in the shell

Not: ! or "not" (without the double quotes)

And: && or "and"

Or: || or "or"

3.2 Options


3.3 Command practice

1. Start tcpdump directly; it captures all packets on the first network interface.

2. Capture all packets on a specified network interface.

3. Capture all packets passing through en0 whose source or destination network is 10.37.63.255:

4. Capture the packets exchanged between host 10.37.63.61 and host 10.37.63.95 or 10.37.63.255:

5. Capture all packets exchanged between host 10.37.63.61 and any host other than 192.168.13.210:

6. Capture all IP packets exchanged between host 10.37.63.61 and any host other than 10.37.63.255.

7. Capture all data sent by host 10.37.63.3:

8. Capture all data received by host 10.37.63.3:

9. Capture all packets of host 10.37.63.3 on TCP port 80:

10. Capture the packets received by host 10.37.63.3 on HTTP port 80:

11. Capture all packets passing through en0 whose source or destination port is 25.

12. Capture all packets passing through en0 whose network is 192.168.

13. Protocol filtering.

14. Capture all TCP port 80 packets passing through en0 whose source or destination address is 192.168.1.254 or 192.168.1.200.

15. Capture all ICMP packets passing through en0 whose destination MAC address is 00:05:01:02:03:04.

16. Capture all TCP packets passing through en0 whose destination network is 192.168 but whose destination host is not 192.168.1.200.

17. Capture only SYN packets.

18. Capture SYN and ACK packets.

19. Capture SMTP data: packets whose data area begins with "MAIL"; "MAIL" in hexadecimal is 0x4d41494c.

20. Capture HTTP GET data; "GET " in hexadecimal is 0x47455420.

21. Capture SSH responses; "SSH-" in hexadecimal is 0x5353482D.

22. Advanced header filtering. For filters like the previous two, first understand how to extract information from the packet header:

23. Capture DNS request data.

24. Other: the -c option is also commonly used by operations staff. On servers with heavy traffic, stopping the capture manually with CTRL+C still captures far too much, so -c is used to specify how many packets to capture.

3.4 Practice: capturing a website visit

Suppose you want to capture the network traffic generated when visiting a website, for example http://www.baidu.com/. How is it done?

1. Use tcpdump to intercept all packets sent to and received from the host www.baidu.com.

2. Visit the website.

3. How do you see the detailed HTTP messages?

4. Analyze the captured messages.

4 Analyzing TCP packets captured with tcpdump

TCP (Transmission Control Protocol) is a connection-oriented, reliable transport-layer protocol. Before data is transferred, a connection must be created between the two endpoints (client and server). The connection is uniquely identified by a pair of socket addresses: the source and destination IP addresses in the IP header, and the source and destination ports in the TCP header. The TCP header structure is as follows:

Note: a normal TCP connection usually goes through three stages: 1. the TCP three-way handshake; 2. data transfer; 3. the TCP four-way close.

The key header fields during connection setup and teardown are:

Source port: the sender's port. For the client side of a TCP connection, the port is usually assigned by the kernel and need not be specified by the process;

Destination port: the port of the destination;

Sequence number: the sequence number of the first byte of the data segment being sent;

Acknowledgment number: after receiving a segment from the peer, the sequence number the sender expects the peer to send next, carried in the acknowledgment;

SYN: Synchronize Sequence Numbers;

ACK: Acknowledgement Number;

FIN: FINish, the end flag;
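The header fields listed above are what the byte-level filters in section 3.3 (items 17 to 22) work on: the flags live in byte 13 of the TCP header, and the data offset in the high nibble of byte 12 tells you where the payload starts. The following is an added example, not code from the original article. It builds constructed TCP segments, parses the 20-byte header with struct, and applies the same SYN-only and "GET " payload tests as standard tcpdump expressions of the form tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420. All segment contents, ports and sequence numbers are constructed for the example.

```python
"""Added example (not from the original article): parse a TCP header with
struct, read the flags and data offset, and test the payload prefix the way
the SYN and "GET " filters in section 3.3 do, on constructed segments."""
import struct

# Flag bits in byte 13 of the TCP header (low byte of the 16-bit
# data-offset/flags word), as defined in RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# 2+2+4+4+2+2+2+2 = 20 bytes: ports, seq, ack, offset/flags, window,
# checksum, urgent pointer.
TCP_HEADER_FMT = "!HHIIHHHH"


def build_segment(src_port, dst_port, seq, ack, flags, payload=b"", window=65535):
    """Build a minimal TCP segment (20-byte header, no options).
    This is constructed test data, not a captured packet."""
    data_offset_words = 5                       # 20 bytes / 4
    offset_flags = (data_offset_words << 12) | flags
    header = struct.pack(TCP_HEADER_FMT, src_port, dst_port, seq, ack,
                         offset_flags, window, 0, 0)   # checksum and urg ptr left 0
    return header + payload


def parse_tcp(segment):
    """Return the header fields of a TCP segment as a dict.

    The data offset is the high nibble of byte 12, in 32-bit words; times 4
    it is the byte offset that the tcpdump expression
    (tcp[12:1] & 0xf0) >> 2 computes, so payload = segment[header_len:].
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    (src, dst, seq, ack, offset_flags, window,
     _checksum, _urg) = struct.unpack(TCP_HEADER_FMT, segment[:20])
    header_len = ((offset_flags >> 12) & 0xF) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = offset_flags & 0x3F
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "syn": bool(flags & SYN), "ack_set": bool(flags & ACK),
        "fin": bool(flags & FIN), "rst": bool(flags & RST),
        "payload": segment[header_len:],
    }


def is_pure_syn(segment):
    """SYN set and ACK clear: the first packet of a handshake (item 17)."""
    flags = parse_tcp(segment)["flags"]
    return flags & (SYN | ACK) == SYN


def payload_starts_with(segment, word):
    """Compare the first 4 payload bytes with a 32-bit constant such as
    0x47455420 ("GET "), the check behind items 19 to 21."""
    payload = parse_tcp(segment)["payload"]
    return len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == word


if __name__ == "__main__":
    syn = build_segment(61725, 8080, 1944916150, 0, SYN)
    get = build_segment(61725, 8080, 1944916151, 1119565919, PSH | ACK,
                        b"GET /atbg/doc HTTP/1.1\r\n")
    print("pure SYN:", is_pure_syn(syn), "GET:", payload_starts_with(get, 0x47455420))
```

Real captured segments often carry options (MSS, window scale), so the header is longer than 20 bytes; parse_tcp handles that because it trusts the data offset rather than assuming 20, which is exactly why the tcpdump payload filters compute the offset instead of hard-coding tcp[20:4].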

4.1 TCP three-way handshake

The three-way handshake proceeds as follows:

step1. The client initiates a TCP connection request to the server. Client sends: SYN set to 1, sequence number Seq a random number, assumed here to be X, acknowledgment number ACK set to 0;

step2. The server receives the connection request. Server responds: SYN set to 1, acknowledgment number ACK set to X+1, and a random number Y generated as its own sequence number Seq (because the acknowledgment number of the segment being acknowledged was not initialized);

step3. The client acknowledges the acknowledgment it received. Client sends: ACK set to Y+1, and Seq set to X+1 (that is, the acknowledgment number of the segment it received);

Why three handshakes rather than two? Consider the role of step3 in the following scenario: client A sends a connection request to server B, and the segment is delayed in the network and arrives late. Although it is late, the server still accepts it and sends back an acknowledgment. A, however, has long since given up waiting for B's acknowledgment and treated its request as invalid. When B's acknowledgment arrives later, A believes it has no pending connection, while B believes the connection succeeded and keeps waiting for A, which will never act. Server resources are wasted. So two handshakes are not enough; a third is needed in which A acknowledges B's acknowledgment, confirming that this connection is valid, and only then is the connection established.

What should each side's initial sequence number be? Some systems explicitly initialize it to 0, but such a known initial value is very dangerous, because it lets attackers exploit it and send segments to disrupt the connection. It is therefore better to take the initial sequence number from a random number, and the more random the safer.

Capturing and analyzing the TCP three-way handshake with tcpdump:

sudo tcpdump -n -S -i lo0 host 10.37.63.3 and tcp port 8080

# then run:

curl http://10.37.63.3:8080/atbg/doc

Console output:

Each line carries the flags of the packet:

S=SYN, connection initiation flag.

P=PUSH, data transfer flag.

F=FIN, connection close flag.

ack, indicates an acknowledgment.

RST=RESET, abnormal connection close.

., no flags set.

Line 1: 16:00:13.486776, from the ephemeral port 61725 of 10.37.63.3 (client), a connection is initiated to the listening port 8080 of 10.37.63.3 (server). The client's initial sequence number seq is 1944916150, the sliding window size is 65535 bytes (the sliding window is the size of the TCP receive buffer, used for TCP congestion control), and the mss is 16344 (the maximum segment length that can be received, usually the MTU minus 40 bytes, 20 bytes each for the IP and TCP headers). [seq=1944916150, ack=0, syn=1]

Line 2: 16:00:13.486850, the server responds to the connection and carries the ack for the first packet: the client's initial seq plus 1, i.e. 1944916151, which is the sequence number the server expects to receive next, used to order the TCP byte stream. The server's initial sequence number seq is 1119565918, and its mss is also 16344. [seq=1119565918, ack=1944916151, syn=1]

Line 3: 15:46:13.084161, the client sends its acknowledgment of the connection; the TCP three-way handshake is complete and the connection waits for data. [ack=1119565919, seq=1944916151]
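The arithmetic in the three lines above (server ack = client seq + 1, client ack = server seq + 1) can be checked mechanically on tcpdump's text output, which is useful when a capture holds thousands of lines. The following is an added example, not code from the original article: it parses the line format that a modern `tcpdump -n -S` prints and validates the first three packets as SYN, SYN+ACK and ACK. The sample lines are constructed to resemble that output using the ports and sequence numbers quoted above; the timestamps and option text are invented.

```python
"""Added example (not from the original article): parse `tcpdump -n -S`
text output and verify the three-way handshake arithmetic on it."""
import re

# Constructed sample in the modern tcpdump line format. Ports and seq/ack
# values come from the article; timestamps and option text are invented.
SAMPLE_HANDSHAKE = [
    "16:00:13.486776 IP 10.37.63.3.61725 > 10.37.63.3.8080: Flags [S], "
    "seq 1944916150, win 65535, options [mss 16344,nop,wscale 5], length 0",
    "16:00:13.486850 IP 10.37.63.3.8080 > 10.37.63.3.61725: Flags [S.], "
    "seq 1119565918, ack 1944916151, win 65535, options [mss 16344], length 0",
    "16:00:13.486872 IP 10.37.63.3.61725 > 10.37.63.3.8080: Flags [.], "
    "ack 1119565919, win 65535, length 0",
]

# timestamp, src.port > dst.port, flags, then optional seq and ack. A pure ACK
# without data prints no seq; a data segment prints seq as start:end.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
)


def parse_line(line):
    """Split one tcpdump line into its addressing, flag and number fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unrecognised tcpdump line: " + line)
    g = m.groupdict()
    return {
        "ts": g["ts"],
        "src": (g["src"], int(g["sport"])),
        "dst": (g["dst"], int(g["dport"])),
        "flags": g["flags"],
        "seq": int(g["seq"]) if g["seq"] else None,
        "ack": int(g["ack"]) if g["ack"] else None,
    }


def check_handshake(lines):
    """Validate the first three lines as SYN, SYN+ACK, ACK.

    Returns (ok, problems, info); info carries both initial sequence numbers
    and which endpoint acted as client and server.
    """
    if len(lines) < 3:
        return False, ["fewer than three packets"], {}
    syn, synack, ack = (parse_line(line) for line in lines[:3])
    problems = []
    if syn["flags"] != "S" or syn["seq"] is None:
        problems.append("packet 1 is not a pure SYN")
    if synack["flags"] != "S." or synack["seq"] is None:
        problems.append("packet 2 is not SYN+ACK")
    if synack["src"] != syn["dst"] or synack["dst"] != syn["src"]:
        problems.append("packet 2 does not travel back to the client")
    if syn["seq"] is not None and synack["ack"] != syn["seq"] + 1:
        problems.append("server ack must equal client ISN + 1")
    if ack["flags"] != ".":
        problems.append("packet 3 is not a pure ACK")
    if synack["seq"] is not None and ack["ack"] != synack["seq"] + 1:
        problems.append("client ack must equal server ISN + 1")
    info = {"client_isn": syn["seq"], "server_isn": synack["seq"],
            "client": syn["src"], "server": syn["dst"]}
    return not problems, problems, info


if __name__ == "__main__":
    ok, problems, info = check_handshake(SAMPLE_HANDSHAKE)
    print("handshake ok:", ok, problems, info)
```

Without -S, tcpdump prints sequence numbers relative to the ISN (the second and third lines would show ack 1 instead of the absolute values), so the parser above only makes sense on output captured with -S as in the article's command.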

4.2 TCP four-way close

After data transfer is complete, the two sides need to tear down the connection. Because a TCP connection is full-duplex, i.e. both sides can send data to each other over the same connection, there is a half-closed state during teardown in which one side has lost the ability to send data but can still receive. Closing therefore takes four steps. The main process is as follows:

step1. Host A sends a close request to host B, then enters the FIN-WAIT-1 state;

step2. Host B receives A's request, sends back an acknowledgment, and enters the CLOSE-WAIT state;

step3. Host A receives B's acknowledgment and enters the FIN-WAIT-2 state. This is the half-closed state: A can no longer send, but B can still send data to A and A can receive it. Host B is now in control; if the connection is to be closed further, B must do it;

step4. Host B sends a close request to A and enters the LAST-ACK state;

step5. Host A receives the request, sends an acknowledgment and enters the TIME-WAIT state; after waiting 2MSL it enters CLOSED. Host B enters CLOSED as soon as it receives the acknowledgment;

Why does host A not enter CLOSED directly after sending the last acknowledgment, but instead wait 2MSL in TIME-WAIT? There are two main reasons:

First, to ensure that A's final acknowledgment reaches B. If B, sitting in LAST-ACK, never receives A's acknowledgment, it retransmits its close request, and A then has enough time to send the acknowledgment again. This is only a best effort, though: if A's acknowledgment keeps getting lost in the network for longer than 2MSL, the connection still cannot be closed normally;

Second, suppose A entered CLOSED immediately after sending its acknowledgment and later sent B a new connection request that reached B before that earlier acknowledgment. B would take the new request for a segment from the old connection rather than a new connection request, so the request would be discarded. Waiting 2MSL lets such stale segments expire, so that a stale request does not interfere with the next new connection.

Why are there only three close segments rather than four? Because TCP delays acknowledgments (the delayed ACK): the side sending an acknowledgment waits a short time, and if it also has data to send within that interval, it sends the data together with the acknowledgment; otherwise the acknowledgment is sent alone. In our capture, the server closed the connection first, and within the client's acknowledgment delay the client also had a close request to send, so it was sent together with the acknowledgment, giving only three segments.

5 Analyzing tcpdump capture results with Wireshark

1. Start the service on port 8080; the tcpdump capture command is:

tcpdump -i lo0 -s0 -n -S host 10.37.63.3 and port 8080 -w ./Desktop/tcpdump_10.37.63.3_8080_20160525.cap

# then run curl:

curl http://10.37.63.3:8080/atbg/doc

2. Open the file tcpdump_10.37.63.3_8080_20160525.cap in Wireshark

Lines No. 1-4: TCP three-way handshake;

Lines No. 5-8: TCP data transfer;

Lines No. 9-13: TCP four-way close;

3. A quick way to view the HTTP request and response:

In the pop-up shown below, the red part at the top is the request and the blue part below is the response:

That is a simple use of Wireshark to analyze a tcpdump capture. Wireshark's filters are far more powerful than this; you can study Wireshark further on your own, it is quite cool.

Origin www.cnblogs.com/bidad/p/11868859.html