Learning packet-capture software
[root@vultr ~]# tcpdump -i eth0 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:25:44.952654 IP 45.63.62.88.vultrusercontent.com.ssh > 27.38.238.130.cxws: Flags [P.], seq 2453249983:2453250179, ack 227453586, win 37, length 196
01:25:44.953148 IP 45.63.62.88.vultrusercontent.com.53759 > 108.61.10.10.choopa.net.domain: 63726+ PTR? 130.238.38.27.in-addr.arpa. (44)
2 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@vultr ~]# tcpdump -i eth0 -c 2 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:29:06.950182 IP 45.63.62.88.22 > 27.38.238.130.4673: Flags [P.], seq 2453251891:2453252087, ack 227454630, win 37, length 196
01:29:06.950649 IP 45.63.62.88.22 > 27.38.238.130.4673: Flags [P.], seq 196:376, ack 1, win 37, length 180
2 packets captured
2 packets received by filter
0 packets dropped by kernel
-n Don't convert host addresses to names. This can be used to avoid DNS lookups.
-nn Don't convert protocol and port numbers etc. to names either.
-nn: show IPs and ports as numbers; by default tcpdump shows host names and service names. The PTR? query in the first capture above is tcpdump itself doing a reverse lookup of the peer address 27.38.238.130, so running without -n adds traffic and delay of its own.
-i: the network interface to listen on
-c: the number of packets to capture before exiting
-r: read packets from a file instead of an interface
-w: write the captured packets to a file
Next, we look at the two commands used to generate our captures:
Write to PCAP file - tcpdump -i enp0s8 -c100 -nn -w output_file
Write to TXT file - tcpdump -i enp0s8 -c100 -nn > output.txt
A capture saved with -w as a PCAP file can be opened in Wireshark. Only that file keeps the raw packet bytes; the text redirect keeps just tcpdump's one-line summaries, which cannot be re-filtered, re-decoded or loaded into Wireshark later.
// Filtering at capture time
[root@vultr ~]# tcpdump -i eth0 -nn port 9094
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:58:32.925799 IP 45.63.62.88.9094 > 27.38.238.130.65110: Flags [P.], seq 1945586592:1945586665, ack 3204078956, win 33, length 73
01:58:33.086865 IP 27.38.238.130.65110 > 45.63.62.88.9094: Flags [F.], seq 1, ack 73, win 1027, length 0
01:58:33.087135 IP 45.63.62.88.9094 > 27.38.238.130.65110: Flags [F.], seq 73, ack 2, win 33, length 0
01:58:33.246390 IP 27.38.238.130.65110 > 45.63.62.88.9094: Flags [.], ack 74, win 1027, length 0
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
// Capturing packets and saving them to a file
[root@vultr ~]# tcpdump -i eth0 -c 4 -nn -w test.dump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
4 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@vultr ~]# file test.dump
test.dump: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
// Reading a saved packet file
[root@vultr ~]# tcpdump -r test.dump
reading from file test.dump, link-type EN10MB (Ethernet)
01:47:09.099760 IP 45.63.62.88.vultrusercontent.com.ssh > 27.38.238.130.cxws: Flags [P.], seq 2453254991:2453255123, ack 227456682, win 37, length 132
01:47:09.258998 IP 27.38.238.130.cxws > 45.63.62.88.vultrusercontent.com.ssh: Flags [.], ack 132, win 1025, length 0
01:47:17.421624 IP 27.38.238.130.cxws > 45.63.62.88.vultrusercontent.com.ssh: Flags [P.], seq 1:53, ack 132, win 1025, length 52
01:47:17.421799 IP 45.63.62.88.vultrusercontent.com.ssh > 27.38.238.130.cxws: Flags [P.], seq 132:184, ack 53, win 37, length 52
// Filtering a saved packet file (the same filter expressions work with -r as with -i)
[root@vultr ~]# tcpdump -r test.dump port 21
reading from file test.dump, link-type EN10MB (Ethernet)
[root@vultr ~]# tcpdump -r test.dump 'port 22'
reading from file test.dump, link-type EN10MB (Ethernet)
01:47:09.099760 IP 45.63.62.88.vultrusercontent.com.ssh > 27.38.238.130.cxws: Flags [P.], seq 2453254991:2453255123, ack 227456682, win 37, length 132
01:47:09.258998 IP 27.38.238.130.cxws > 45.63.62.88.vultrusercontent.com.ssh: Flags [.], ack 132, win 1025, length 0
01:47:17.421624 IP 27.38.238.130.cxws > 45.63.62.88.vultrusercontent.com.ssh: Flags [P.], seq 1:53, ack 132, win 1025, length 52
01:47:17.421799 IP 45.63.62.88.vultrusercontent.com.ssh > 27.38.238.130.cxws: Flags [P.], seq 132:184, ack 53, win 37, length 52
Filter expression examples:
'tcp port 21': filter by protocol and port (either direction);
'host 127.0.0.1': filter by host address (source or destination; prefix with src or dst to restrict the direction)
Common pitfall:
Wireshark is not a front end for tcpdump, and its display filters (for example tcp.port==22) use Wireshark's own syntax, while tcpdump takes libpcap/BPF capture-filter expressions (for example tcp port 22). Wireshark's capture filters do use the libpcap syntax, so the expressions above work in both tools, but a display filter pasted into tcpdump fails:
[root@vultr ~]# tcpdump -i eth0 -nn 'tcp.port==22' -c 5
tcpdump: syntax error