tcpdump 和Wireshark抓包
1 起因#
前段時間,一直在調線上的一個問題:線上應用接受POST請求,請求body中的參數獲取不全,存在丟失的狀況。這個問題是偶發性的,大概發生的幾率為5%-10%左右,這個概率已經相當高了。在排查問題的過程中使用到了tcpdump和Wireshark進行抓包分析。感覺這兩個工具搭配起來干活,非常完美。所有的網絡傳輸在這兩個工具搭配下,都無處遁形。
為了更好、更順手地能夠用好這兩個工具,特整理本篇文章,希望也能給大家帶來收獲。為大家之后排查問題,添一利器。
2 tcpdump與Wireshark介紹#
在網絡問題的調試中,tcpdump應該說是一個必不可少的工具,和大部分linux下優秀工具一樣,它的特點就是簡單而強大。它是基于Unix系統的命令行式的數據包嗅探工具,可以抓取流動在網卡上的數據包。
默認情況下,tcpdump不會抓取本機內部通訊的報文。根據網絡協議棧的規定,對于報文,即使是目的地是本機,也需要經過本機的網絡協議層,所以本機通訊肯定是通過API進入了內核,并且完成了路由選擇。【比如本機的TCP通信,也必須要socket通信的基本要素:src ip port dst ip port】
如果要使用tcpdump抓取其他主機MAC地址的數據包,必須開啟網卡混雜模式,所謂混雜模式,用最簡單的語言就是讓網卡抓取任何經過它的數據包,不管這個數據包是不是發給它或者是它發出的。一般而言,Unix不會讓普通用戶設置混雜模式,因為這樣可以看到別人的信息,比如telnet的用戶名和密碼,這樣會引起一些安全上的問題,所以只有root用戶可以開啟混雜模式,開啟混雜模式的命令是:ifconfig en0 promisc, en0是你要打開混雜模式的網卡。
Linux抓包原理:
Linux抓包是通過注冊一種虛擬的底層網絡協議來完成對網絡報文(準確的說是網絡設備)消息的處理權。當網卡接收到一個網絡報文之后,它會遍歷系統中所有已經注冊的網絡協議,例如以太網協議、x25協議處理模塊來嘗試進行報文的解析處理,這一點和一些文件系統的掛載相似,就是讓系統中所有的已經注冊的文件系統來進行嘗試掛載,如果哪一個認為自己可以處理,那么就完成掛載。當抓包模塊把自己偽裝成一個網絡協議的時候,系統在收到報文的時候就會給這個偽協議一次機會,讓它來對網卡收到的報文進行一次處理,此時該模塊就會趁機對報文進行窺探,也就是把這個報文完完整整的復制一份,假裝是自己接收到的報文,匯報給抓包模塊。Wireshark是一個網絡協議檢測工具,支持Windows平臺、Unix平臺、Mac平臺,一般只在圖形界面平臺下使用Wireshark,如果是Linux的話,直接使用tcpdump了,因為一般而言Linux都自帶的tcpdump,或者用tcpdump抓包以后用Wireshark打開分析。
在Mac平臺下,Wireshark通過WinPcap進行抓包,封裝的很好,使用起來很方便,可以很容易的制定抓包過濾器或者顯示過濾器,具體簡單使用下面會介紹。Wireshark是一個免費的工具,只要google一下就能很容易找到下載的地方。
所以,tcpdump是用來抓取數據非常方便,Wireshark則是用于分析抓取到的數據比較方便。
3 tcpdump使用#
3.1 語法##
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,… ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]
3.2 選項##
-A:以ASCII編碼打印每個報文(不包括鏈路層的頭),這對分析網頁來說很方便;
-a:將網絡地址和廣播地址轉變成名字;
-c<數據包數目>:在收到指定的包的數目后,tcpdump就會停止;
-C:用于判斷用 -w 選項將報文寫入的文件的大小是否超過這個值,如果超過了就新建文件(文件名后綴是1、2、3依次增加);
-d:將匹配信息包的代碼以人們能夠理解的匯編格式給出;
-dd:將匹配信息包的代碼以c語言程序段的格式給出;
-ddd:將匹配信息包的代碼以十進制的形式給出;
-D:列出當前主機的所有網卡編號和名稱,可以用于選項 -i;
-e:在輸出行打印出數據鏈路層的頭部信息;
-f:將外部的Internet地址以數字的形式打印出來;
-F<表達文件>:從指定的文件中讀取表達式,忽略其它的表達式;
-i<網絡界面>:監聽主機的該網卡上的數據流,如果沒有指定,就會使用最小網卡編號的網卡(在選項-D可知道,但是不包括環路接口),linux 2.2 內核及之后的版本支持 any 網卡,用于指代任意網卡;
-l:如果沒有使用 -w 選項,就可以將報文打印到 標準輸出終端(此時這是默認);
-n:顯示ip,而不是主機名;
-N:不列出域名;
-O:不將數據包編碼最佳化;
-p:不讓網絡界面進入混雜模式;
-q:快速輸出,僅列出少數的傳輸協議信息;
-r<數據包文件>:從指定的文件中讀取包(這些包一般通過-w選項產生);
-s<數據包大小>:指定抓包顯示一行的寬度,-s0表示可按包長顯示完整的包,經常和-A一起用,默認截取長度為60個字節,但一般ethernet MTU都是1500字節。所以,要抓取大于60字節的包時,使用默認參數就會導致包數據丟失;
-S:用絕對而非相對數值列出TCP關聯數;
-t:在輸出的每一行不打印時間戳;
-tt:在輸出的每一行顯示未經格式化的時間戳記;
-T<數據包類型>:將監聽到的包直接解釋為指定的類型的報文,常見的類型有rpc (遠程過程調用)和snmp(簡單網絡管理協議);
-v:輸出一個稍微詳細的信息,例如在ip包中可以包括ttl和服務類型的信息;
-vv:輸出詳細的報文信息;
-x/-xx/-X/-XX:以十六進制顯示包內容,幾個選項只有細微的差別,詳見man手冊;
-w<數據包文件>:直接將包寫入文件中,并不分析和打印出來;
expression:用于篩選的邏輯表達式;
3.3 命令實踐##
直接啟動tcpdump,將抓取所有經過第一個網絡接口上的數據包tcpdump
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
11:00:19.788139 IP 10.37.63.3.50809 > 10.37.253.32.socks: Flags [.], ack 151417909, win 4096, length 0
11:00:19.790267 IP 10.37.253.32.socks > 10.37.63.3.50809: Flags [.], ack 1, win 560, options [nop,nop,TS val 1323324836 ecr 501713973], length 0
11:00:19.851362 IP 10.37.63.53.57443 > 239.255.255.250.ssdp: UDP, length 133
11:00:19.851367 IP 10.37.63.107.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:00:19.851369 IP 10.37.63.138.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:00:20.060087 IP 10.37.63.71.54616 > 239.255.255.250.ssdp: UDP, length 133
tcpdump -i en0
如果不指定網卡,默認tcpdump只會監視第一個網絡接口,一般是eth0,下面的例子都沒有指定網絡接口。
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:04:31.780759 IP 10.37.63.100.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump -i en0 host 10.37.63.255
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump host 10.37.63.255
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
11:07:23.807683 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:23.913143 IP 10.37.63.95.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:24.538785 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:24.643311 IP 10.37.63.95.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:24.747672 IP 10.37.63.87.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
11:07:25.374527 IP 10.37.63.95.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:26.209995 IP 10.37.63.86.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:26.210530 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump host 10.37.63.255 and (10.37.63.61 or 10.37.63.95 )
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump host 10.37.63.255 and (10.37.63.61 or 10.37.63.95 )
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
11:10:38.395320 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:39.234047 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:39.962286 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:48.422443 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:49.153630 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:49.894146 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:52.600297 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump -n host 10.37.63.255 and ! 10.37.63.61
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -n host 10.37.63.255 and ! 10.37.63.61
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
15:54:33.921068 IP 10.37.63.86.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:34.025490 IP 10.37.63.86.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:34.025492 IP 10.37.63.86.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:34.338753 IP 10.37.63.56.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:35.174516 IP 10.37.63.88.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:35.204268 IP 10.37.63.56.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:35.592199 IP 10.37.63.135.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump ip -n host 10.37.63.255 and ! 10.37.63.61
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump ip -n host 10.37.63.255 and ! 10.37.63.61
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
16:02:48.168264 IP 10.37.63.107.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.272626 IP 10.37.63.28.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586137 IP 10.37.63.75.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586140 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586201 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586202 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.690751 IP 10.37.63.103.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.004792 IP 10.37.63.28.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.212622 IP 10.37.63.88.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.317969 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.317972 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.318301 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump -i en0 src host 10.37.63.3 (注意數據流向)
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 src host 10.37.63.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:08:05.698674 IP 10.37.63.3.51503 > 101.201.169.146.https: Flags [.], ack 3067697680, win 4096, length 0
16:08:06.225543 IP 10.37.63.3.56531 > 10.37.253.51.domain: 49330+ PTR? 3.63.37.10.in-addr.arpa. (41)
16:08:06.228851 IP 10.37.63.3.56781 > 10.37.253.51.domain: 9247+ PTR? 146.169.201.101.in-addr.arpa. (46)
16:08:07.247441 IP 10.37.63.3.53716 > 10.37.253.51.domain: 60009+ PTR? 51.253.37.10.in-addr.arpa. (43)
16:08:08.198285 IP 10.37.63.3.newoak > 123.151.13.85.irdmi: UDP, length 47
16:08:08.254488 IP 10.37.63.3.51134 > 10.37.253.51.domain: 52763+ PTR? 85.13.151.123.in-addr.arpa. (44)
16:08:08.917142 IP 10.37.63.3.51815 > 106.11.4.88.https: Flags [P.], seq 341932595:341932930, ack 4196579612, win 65535, length 335
16:08:08.918050 IP 10.37.63.3.51815 > 106.11.4.88.https: Flags [P.], seq 335:804, ack 1, win 65535, length 469
16:08:08.984637 IP 10.37.63.3.51815 > 106.11.4.88.https: Flags [.], ack 292, win 65535, length 0
tcpdump -i en0 dst host 10.37.63.3 (注意數據流向)
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 dst host 10.37.63.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:10:00.120346 IP 123.151.13.85.irdmi > 10.37.63.3.newoak: UDP, length 47
16:10:00.447742 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [.], ack 3563461726, win 62712, length 0
16:10:00.449252 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [P.], seq 0:291, ack 1, win 62712, length 291
16:10:00.590941 IP 10.37.253.51.domain > 10.37.63.3.62089: 38134 NXDomain 0/1/0 (101)
16:10:00.593145 IP 10.37.253.51.domain > 10.37.63.3.56987: 19136 NXDomain* 0/0/0 (41)
16:10:01.598164 IP 10.37.253.51.domain > 10.37.63.3.63380: 43688 NXDomain* 0/0/0 (43)
16:10:03.194440 IP 123.151.13.85.irdmi > 10.37.63.3.newoak: UDP, length 79
16:10:03.880803 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [.], ack 806, win 63784, length 0
16:10:03.883452 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [P.], seq 291:582, ack 806, win 63784, length 291
16:10:04.051402 IP dns15.online.tj.cn.irdmi > 10.37.63.3.terabase: UDP, length 87
tcpdump -i en0 host 10.37.63.3 and tcp port 80
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 host 10.37.63.3 and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:13:34.869399 IP 10.37.63.3.51843 > cncln.online.ln.cn.http: Flags [.], ack 3148173637, win 8192, length 0
16:13:34.890175 IP cncln.online.ln.cn.http > 10.37.63.3.51843: Flags [.], ack 1, win 31, length 0
16:13:49.497784 IP 10.37.63.3.51845 > 27.221.81.19.http: Flags [.], ack 3932049450, win 4096, length 0
16:13:49.497786 IP 10.37.63.3.51844 > 27.221.81.19.http: Flags [.], ack 3635221024, win 4096, length 0
16:13:49.513952 IP 27.221.81.19.http > 10.37.63.3.51845: Flags [.], ack 1, win 122, options [nop,nop,TS val 4035158002 ecr 876369829], length 0
16:13:49.518587 IP 27.221.81.19.http > 10.37.63.3.51844: Flags [.], ack 1, win 122, options [nop,nop,TS val 4035158002 ecr 876369829], length 0
tcpdump -i en0 host 10.37.63.3 and dst port 80
控制臺輸出:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 host 10.37.63.3 and dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:19:36.187617 IP 10.37.63.3.51901 > 180.149.132.47.http: Flags [P.], seq 219000907:219001688, ack 4212585623, win 8192, length 781: HTTP: GET / HTTP/1.1
16:19:36.194163 IP 10.37.63.3.51901 > 180.149.132.47.http: Flags [.], ack 292, win 8182, length 0
16:19:36.194292 IP 10.37.63.3.51901 > 180.149.132.47.http: Flags [.], ack 453, win 8186, length 0
tcpdump -i en0 port 25
源端口
tcpdump -i en0 src port 25
目的端口
tcpdump -i en0 dst port 25網絡過濾
抓取所有經過 en0,網絡是 192.168上的數據包tcpdump -i en0 net 192.168
tcpdump -i en0 src net 192.168
tcpdump -i en0 dst net 192.168
tcpdump -i en0 net 192.168.1
tcpdump -i en0 net 192.168.1.0/24
tcpdump -i en0 arp
tcpdump -i en0 ip
tcpdump -i en0 tcp
tcpdump -i en0 udp
tcpdump -i en0 icmp
tcpdump -i en0 ‘((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))’
抓取所有經過 en0,目標 MAC 地址是 00:01:02:03:04:05 的 ICMP 數據tcpdump -i eth1 ‘((icmp) and ((ether dst host 00:01:02:03:04:05)))’
抓取所有經過 en0,目的網絡是 192.168,但目的主機不是 192.168.1.200 的 TCP 數據tcpdump -i en0 ‘((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))’
只抓 SYN 包tcpdump -i en0 ‘tcp[tcpflags] = tcp-syn’
抓 SYN, ACKtcpdump -i en0 ‘tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0’
抓 SMTP 數據,抓取數據區開始為"MAIL"的包,"MAIL"的十六進制為 0x4d41494ctcpdump -i en0 ‘((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))’
抓 HTTP GET 數據,"GET "的十六進制是 0x47455420tcpdump -i en0 ‘tcp[(tcp[12]>>2):4] = 0x47455420’
0x4745 為”GET”前兩個字母”GE”,0x4854 為”HTTP”前兩個字母”HT”
tcpdump -XvvennSs 0 -i en0 tcp[20:2]=0x4745 or tcp[20:2]=0x4854
抓 SSH 返回,"SSH-"的十六進制是 0x5353482Dtcpdump -i en0 ‘tcp[(tcp[12]>>2):4] = 0x5353482D’
抓老版本的 SSH 返回信息,如”SSH-1.99..”
tcpdump -i en0 ‘(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2] = 0x312E)’
高級包頭過濾如前兩個的包頭過濾,首先了解如何從包頭過濾信息:
proto[x:y] : 過濾從x字節開始的y字節數。比如ip[2:2]過濾出3、4字節(第一字節從0開始排)
proto[x:y] & z = 0 : proto[x:y]和z的與操作為0
proto[x:y] & z !=0 : proto[x:y]和z的與操作不為0
proto[x:y] & z = z : proto[x:y]和z的與操作為z
proto[x:y] = z : proto[x:y]等于z
抓取端口大于1024的TCP數據包:
tcpdump -i en0 ‘tcp[0:2] > 1024’
抓 DNS 請求數據tcpdump -i en0 udp dst port 53
其他-c 參數對于運維人員來說也比較常用,因為流量比較大的服務器,靠人工 CTRL+C 還是抓的太多,于是可以用-c 參數指定抓多少個包。
time tcpdump -nn -i en0 ‘tcp[tcpflags] = tcp-syn’ -c 10000 > /dev/null
上面的命令計算抓 10000 個 SYN 包花費多少時間,可以判斷訪問量大概是多少。
實時抓取端口號8000的GET包,然后寫入GET.log
tcpdump -i en0 ‘((port 8000) and (tcp[(tcp[12]>>2):4]=0x47455420))’ -nnAl -w /tmp/GET.
總結
以上是生活随笔為你收集整理的tcpdump 和Wireshark抓包的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: UBUNTU16 64位编译VLC-2.
- 下一篇: 电阻选型,这几个参数不可忽视