Linuxtcpdump抓包

　　今天聊聊抓包吧，毕竟也是需要用到的。其实man tcpdump已经很全面了。我这里仅仅简单举例。今天不谈其他的抓包工具比如tshark or wireshark
　　复习的原因，客户反馈有rst情况，那就抓包吧 直接tcpdump
　　放后台抓包命令如下：
　　tcpdump -i any ＂tcp[tcpflags] & tcp-rst != 0＂ -w abc.pcap
　　读取文件tcpdump -r abc.pcap# tcpdump -r abc.pcap reading from PCAP-NG file abc.pcap 18:03:26.075862 IP 192.168.31.239.49152 > 192.168.31.92.63655: Flags [R], seq 2304773203, win 0, length 0 18:03:44.493833 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64055: Flags [R], seq 4293862520, win 0, length 0 18:03:45.010709 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64056: Flags [R], seq 3606198384, win 0, length 0 18:04:03.281209 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64054: Flags [R], seq 3764652670, win 0, length 0 18:04:04.477276 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64057: Flags [R], seq 3262442809, win 0, length 0 18:04:15.102509 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64064: Flags [R], seq 4156919088, win 0, length 0 18:04:15.164990 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64065: Flags [R], seq 4137319441, win 0, length 0 18:04:22.431280 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64062: Flags [R], seq 136333647, win 0, length 0 18:04:23.556760 IP tsa01s09-in-f10.1e100.net.https > 192.168.31.92.64063: Flags [R], seq 3908194171, win 0, length 0
　　tcpdump -r abc.pcap ＂tcp[tcpflags] & (tcp-rst) !=0＂
　　tcpdump ＂tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet＂
　　tcpdump ＂tcp[tcpflags] & (tcp-rst) !=0＂
　　tcpdump -i any ＂tcp[tcpflags] & tcp-rst != 0＂
　　一些帮助
　　Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
　　There are 8 bits in the control bits section of the TCP header:
　　CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
　　Some offsets and field values may be expressed as names rather than as numeric values. For example tcp[13] may be replaced with tcp[tcpflags].
　　The following TCP flag field values are also available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-act, tcp-urg.
　　This can be demonstrated as:
　　tcpdump -i xl0 ＂tcp[tcpflags] & tcp-push != 0＂
　　tcpdump -D 命令列出可以抓包的网络接口
　　特殊接口 any 可用于抓取所有活动的网络接口的数据包
　　-D
　　--list-interfaces
　　tcpdump -i pktap,lo0,en
　　An interface argument of ＂all＂ or ＂pktap,all＂ can be used to capture packets from all interfaces, including loopback and tunnel
　　interfaces.
　　-c 选项可以用于限制 tcpdump 抓包的数量
　　-nn 选项显示端口号 如果想要抓域名不要使用这个【通常在网络故障排查中，使用 IP 地址和端口号更便于分析问题；用 -n 选项显示 IP 地址，-nn 选项显示端口号】
　　使用 -w 选项来保存数据包而不是在屏幕上显示出抓取的数据包，后缀名 pcap 表示文件是抓取的数据包格式
　　-w file将原始数据包写入文件，而不是解析并打印出来。以后可以使用-r选项打印它们。如果文件为＂-＂，则使用标准输出。
　　-r 选项参数来阅读该文件中的报文内容
　　host 参数只抓取和特定主机相关的数据包
　　可以根据服务类型或者端口号来筛选数据包。例如，抓取和 HTTPS 服务器相关的数据包
　　dst 就是按目的 IP/主机名来筛选数据包
　　用多条件组合来筛选数据包，使用 and 以及 or 逻辑操作符来创建过滤规则
　　tcpdump 提供了两个选项可以查看数据包内容，-X 以十六进制打印出数据报文内容，-A 打印数据报文的 ASCII 值
　　【Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.】
　　tcpdump host 180.97.125.228 and port 443 -A
　　tcpdump -i any port 443
　　tcpdump -XX -i en0 -vv port 80 and host weibo.com
　　-XX When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level
　　header, in hex and ASCII.
　　-XX在解析和打印时，除了打印每个数据包的标题外，还应以十六进制和ASCII打印每个数据包的数据，包括其链路级标题。
　　用我的mac抓arp包
　　sudo tcpdump -l -n arp > arp2.txt
　　抓组播地址：
　　virtual_router_id 51
　　#组播ID，通过224.0.0.18可以监听到现在已经存在的VRRP ID，最好不要跟现有ID冲突
　　多播，也称为＂组播＂，将局域网中同一业务类型的主机进行了逻辑上的分组，进行数据收发的时候其数据仅仅在同一分组中进行，其他的主机没有加入此分组不能收发对应的数据。
　　多播的地址是特定的，D类地址用于多播。D类IP地址就是多播IP地址，即224.0.0.0到239.255.255.255之间的IP地址，并被划分为局部连续多播地址，预留多播地址和管理权限多播地址3类tcpdump -i eth0 host 224.0.0.18 -w /tmp/vrid tcpdump -r /tmp/vrid |grep vrid|awk -F ＂,＂ ＂{print$3}＂|sort|uniq -c   ~ sudo tcpdump -r /tmp/vrid |grep vrid|awk -F ＂,＂ ＂{print$3}＂|sort|uniq -c reading from file /tmp/vrid, link-type EN10MB (Ethernet) tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 12 81 vrid 51 80 vrid 52
　　用快捷键CTRL-a d 来暂时断开当前会话。
　　离开screen
　　完成终止一个会话可以使用＂Ctrl-A＂ ＂K＂ 或＂exit＂命令结束。
　　保留会话但关闭窗口可以使用＂Ctrl-A＂ ＂d＂命令，这样下次你可以连接此会话。
　　-list or -ls. Do nothing, just list our SockDir
　　root@localhost ~]# screen -list
　　There is a screen on:
　　27014.pts-0.localhost (Attached)
　　1 Socket in /var/run/screen/S-root.
　　$ screen -ls
　　There is a screen on:
　　10287.pts-3.abintel (Attached)这个状态就是被占用了 需要踢掉那个用户
　　1 Socket in /tmp/uscreens/S-lxu.
　　当你挂起screen，下次想连上screen的时候，有时候会出现screen session的状态为Attached而怎么连也连不上的情况。下面给出解决方法。
　　列出状态为Attached的session id。
　　screen -ls
　　screen -D -r  session-id>
　　解释：-D -r 先踢掉前一用户，再登陆。就OK了
　　如果要看下完整的Flags如下
　　tcpdump host 180.97.125.228 and port 44317:06:58.797568 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [S], seq 968089709, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1066549044 ecr 0,sackOK,eol], length 0 17:06:58.847999 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [S.], seq 3917924754, ack 968089710, win 5808, options [mss 1440,nop,nop,sackOK,nop,wscale 12], length 0 17:06:58.849561 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [.], ack 1, win 4096, length 0 17:06:58.855931 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [P.], seq 1:229, ack 1, win 4096, length 228 17:06:58.921399 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [.], ack 229, win 123, length 0 17:06:58.921446 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [.], seq 1:1441, ack 229, win 123, length 1440 17:06:58.921447 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [.], seq 1441:2881, ack 229, win 123, length 1440 17:06:58.921447 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [P.], seq 2881:4062, ack 229, win 123, length 1181 17:06:58.923339 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [.], ack 4062, win 4032, length 0 17:06:58.924448 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [.], ack 4062, win 4096, length 0 17:06:58.925903 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [P.], seq 229:355, ack 4062, win 4096, length 126 17:06:59.018505 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [P.], seq 4062:4113, ack 355, win 123, length 51 17:06:59.020313 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [.], ack 4113, win 4095, length 0 17:06:59.020507 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [P.], seq 355:485, ack 4113, win 4096, length 130 17:06:59.134003 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [.], ack 485, win 131, length 0 17:06:59.212294 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [.], seq 4113:5553, ack 485, win 131, length 1440 17:06:59.212295 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [.], seq 5553:6993, ack 485, win 131, length 1440 17:06:59.212296 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [P.], seq 6993:7068, ack 485, win 131, length 75 17:06:59.212296 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [P.], seq 7068:7102, ack 485, win 131, length 34 17:06:59.216453 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [.], ack 7102, win 4049, length 0 17:06:59.216695 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [.], ack 7102, win 4096, length 0 17:06:59.216777 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [P.], seq 485:516, ack 7102, win 4096, length 31 17:06:59.217763 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [F.], seq 516, ack 7102, win 4096, length 0 17:06:59.298151 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [.], ack 516, win 131, length 0 17:06:59.298151 IP 180.97.125.228.https > 192.168.31.92.62721: Flags [F.], seq 7102, ack 517, win 131, length 0 17:06:59.304531 IP 192.168.31.92.62721 > 180.97.125.228.https: Flags [.], ack 7103, win 4096, length 0