Using Wireshark and TShark on the Linux command line

Learning to analyze network packets is a powerful skill.

Most of the time, when we connect to the internet, we don't think about the network protocols at work underneath that make it all possible. Right now, as you read this article, your computer is exchanging numerous packets and transmitting them across the internet.

To understand these protocols, you need a tool that can capture the packets and help you analyze them. Wireshark is a popular open source graphical user interface (GUI) tool for analyzing packets. However, it also provides a powerful command-line utility called TShark for people who prefer to work on the Linux command line.

To try the examples in this article, you need to be connected to the internet. For any changes to TShark's command-line options or flags, refer to the appropriate man pages and the online documentation. Also, I am using Fedora for these examples:

[gaurav@testbox ~]$ cat /etc/fedora-release 
Fedora release 30 (Thirty)
[gaurav@testbox ~]$ 

Check your installation

First, make sure the required package is installed:

[gaurav@testbox ~]$ rpm -qa | grep -i wireshark
wireshark-cli-3.0.1-1.fc30.x86_64
[gaurav@testbox ~]$ 

If the Wireshark package is installed, check whether the TShark utility is installed and, if so, which version:

[gaurav@testbox ~]$ tshark -v
TShark (Wireshark) 3.0.1 (23f278e2)

Built using gcc 9.0.1 20190312 (Red Hat 9.0.1-0.10).
[gaurav@testbox ~]$ 

If you are logged in as a regular, non-root user, you need sudo rights to use the TShark utility. Root users can skip sudo and run the tshark command directly.

Find the network devices available to TShark

Before TShark can analyze packets, it needs to capture them. Network packets pass through a network interface card (NIC) on a server, workstation, or desktop, or through a WiFi card on a laptop. Start by identifying the NIC or WiFi card used to connect to the internet.

To identify the network devices available to TShark, run the following command. My laptop (the machine I'm using for these examples) shows:

[gaurav@testbox ~]$ sudo tshark -D
Running as user "root" and group "root". This could be dangerous.
1. wlp61s0
2. lo (Loopback)
3. any
4. virbr0
5. enp0s31f6
6. bluetooth-monitor
7. nflog
8. nfqueue
[gaurav@testbox ~]$ 

I am using my WiFi card to connect to my home router for internet access. You can use the ifconfig -a command to view all the network interfaces on a system. If the ifconfig command is not installed, you can use the newer ip addr show command instead. One of the interfaces should have an IP address assigned to it. For a specific interface, you can use ifconfig <interface name>, for example:

ifconfig wlp61s0

Capture some packets

Now that you know which interface is used to connect to the internet, you can start capturing packets on it. The -i option captures packets on that specific interface. You'll see a stream of output showing the network packets being transmitted over the interface, but you can stop it with Ctrl+C:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xa02b AAAA fedoraproject.org
    2 0.000128115  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xcc47 A fedoraproject.org
    3 0.000316195  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xe29d A fedoraproject.org
    4 0.000616019  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xac7c AAAA fedoraproject.org
    5 0.007963200  192.168.1.1 → 192.168.1.9  DNS 93 Standard query response 0xcc47 A fedoraproject.org A 185.141.165.254
    6 0.009171815  192.168.1.1 → 192.168.1.9  DNS 93 Standard query response 0xe29d A fedoraproject.org A 185.141.165.254
    7 0.011075350  192.168.1.1 → 192.168.1.9  DNS 322 Standard query response 0xa02b AAAA fedoraproject.org AAAA 2610:28:3090:3001:dead:beef:cafe:fed3 AAAA 2605:bc80:3010:600:dead:beef:cafe:fed9 AAAA 2604:1580:fe00:0:dead:beef:cafe:fed1 NS ns04.fedoraproject.org NS ns05.fedoraproject.org NS ns02.fedoraproject.org A 152.19.134.139 AAAA 2610:28:3090:3001:dead:beef:cafe:fed5 A 209.132.181.17 A 85.236.55.10 AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
    8 0.012458151  192.168.1.1 → 192.168.1.9  DNS 322 Standard query response 0xac7c AAAA fedoraproject.org AAAA 2605:bc80:3010:600:dead:beef:cafe:fed9 AAAA 2610:28:3090:3001:dead:beef:cafe:fed3 AAAA 2604:1580:fe00:0:dead:beef:cafe:fed1 NS ns05.fedoraproject.org NS ns02.fedoraproject.org NS ns04.fedoraproject.org A 152.19.134.139 AAAA 2610:28:3090:3001:dead:beef:cafe:fed5 A 209.132.181.17 A 85.236.55.10 AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
^C8 packets captured
[gaurav@testbox ~]$ 

Look at the first two packets above; they are denoted by the numbers at the beginning of each line:

1 0.000000000  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xa02b AAAA fedoraproject.org
2 0.000128115  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xcc47 A fedoraproject.org

These lines include two IP addresses on either side of an arrow; these are the hosts exchanging the packet. The arrow's direction indicates which way the packet is going. So 192.168.1.9 → 192.168.1.1 means the packet originated at host 192.168.1.9 (my laptop) and is headed to destination 192.168.1.1 (my home router). After the destination IP address, you see DNS, which is simply the Domain Name System protocol, followed by a DNS query. More about that later.

You can limit the number of packets captured and displayed on the screen with the -c (count) option. The following example captures 10 packets. Notice the protocols: you saw DNS above, and here there are other protocols as well, such as NTP and TCP:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000  192.168.1.9 → 10.5.26.10   NTP 90 NTP Version 4, client
    2 0.803303963  192.168.1.9 → 10.5.27.10   NTP 90 NTP Version 4, client
    3 3.524867645  192.168.1.9 → 192.168.1.1  DNS 69 Standard query 0x3837 A testbox
    4 6.227373094  192.168.1.9 → 192.168.1.1  DNS 89 Standard query 0x0814 A location.services.mozilla.com
    5 6.227395145  192.168.1.9 → 192.168.1.1  DNS 89 Standard query 0x5e1c AAAA location.services.mozilla.com
    6 6.234878912  192.168.1.1 → 192.168.1.9  DNS 105 Standard query response 0x0814 A location.services.mozilla.com A 34.253.23.107
    7 6.238110416  192.168.1.1 → 192.168.1.9  DNS 223 Standard query response 0x5e1c AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
    8 6.238446999  192.168.1.9 → 34.253.23.107 TCP 74 35326 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2832002333 TSecr=0 WS=128
    9 6.438833991 34.253.23.107 → 192.168.1.9  TCP 74 443 → 35326 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=2056252981 TSecr=2832002333 WS=256
   10 6.438947001  192.168.1.9 → 34.253.23.107 TCP 66 35326 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2832002533 TSecr=2056252981
10 packets captured
[gaurav@testbox ~]$ 

The DNS protocol translates hostnames to IP addresses and IP addresses to hostnames. There are dedicated DNS (or name) servers that you can query with either a hostname or an IP address. The following examples use the nslookup command to query a name server and resolve a hostname to an IP address. Before proceeding, make sure the bind-utils package is installed:

[gaurav@testbox ~]$ rpm -qa | grep -i bind-utils
bind-utils-9.11.5-13.P4.fc30.x86_64
[gaurav@testbox ~]$

To query your name server, you need to find out which server your machine is talking to. You can find that information in the /etc/resolv.conf file. In my case, the name server points to 1.1.1.1, a public DNS service provided by Cloudflare:

[gaurav@testbox ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 1.1.1.1
[gaurav@testbox ~]$ 

Hostnames like Opensource.com are easy for humans to understand, but machines use IP addresses to connect to other machines over a network or the internet. For your computer to connect to opensource.com, it needs to find the site's IP address; you can find it with the following command:

nslookup opensource.com

If your machine doesn't have nslookup, you can use the dig command instead:

dig opensource.com

But, before you press Enter, open another terminal and type the following command, which tells TShark to capture any traffic going to your name server (e.g., 1.1.1.1):

sudo tshark -i wlp61s0 host 1.1.1.1

Keep that terminal running, go back to the other one, and run nslookup (or dig). When the command completes, it gives the IP address of Opensource.com, which is 54.204.39.132. Here is nslookup's output:

[gaurav@testbox ~]$ nslookup opensource.com
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	opensource.com
Address: 54.204.39.132

[gaurav@testbox ~]$ 

And dig's output:

[gaurav@testbox ~]$ dig opensource.com

; <<>> DiG 9.11.5-P4-RedHat-9.11.5-13.P4.fc30 <<>> opensource.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33030
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;opensource.com.			IN	A

;; ANSWER SECTION:
opensource.com.		206	IN	A	54.204.39.132

;; Query time: 30 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Nov 02 21:05:54 IST 2019
;; MSG SIZE  rcvd: 59

[gaurav@testbox ~]$ 

So far, so good, but what is happening at the packet level? Move to the terminal where you entered the tshark command. It has captured a few packets:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 host 1.1.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    2 1.798275687  192.168.1.9 → 1.1.1.1      DNS 74 Standard query 0xcda0 A opensource.com
    3 1.827143443      1.1.1.1 → 192.168.1.9  DNS 90 Standard query response 0xcda0 A opensource.com A 54.204.39.132
    ^C packets captured
[gaurav@testbox ~]$ 

The following packet originates from my laptop, 192.168.1.9, and is destined for 1.1.1.1. The packet belongs to the DNS protocol and is querying (Standard query) the name server for Opensource.com:

2 1.798275687 192.168.1.9 → 1.1.1.1 DNS 74 Standard query 0xcda0 A opensource.com

The following packet is a reply from my name server, 1.1.1.1, to my machine, 192.168.1.9. Again it is DNS, but now it is a response (Standard query response) to the query for Opensource.com's IP address:

3 1.827143443      1.1.1.1 → 192.168.1.9  DNS 90 Standard query response 0xcda0 A opensource.com A 54.204.39.132

If you know beforehand which protocol you are looking for, you can add it to the tshark command. The following example looks only for UDP packets, yet it captures DNS packets. This is because DNS packets use the UDP protocol underneath:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 udp 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000  192.168.1.9 → 1.1.1.1      DNS 89 Standard query 0xcc6d A location.services.mozilla.com
    2 0.000068640  192.168.1.9 → 1.1.1.1      DNS 89 Standard query 0x6484 AAAA location.services.mozilla.com
    3 0.032616053      1.1.1.1 → 192.168.1.9  DNS 189 Standard query response 0xcc6d A location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net A 52.215.71.87 A 54.72.168.141 A 34.253.23.107
    4 0.108203529      1.1.1.1 → 192.168.1.9  DNS 241 Standard query response 0x6484 AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
    5 1.268489014  192.168.1.9 → 1.1.1.1      DNS 69 Standard query 0x74be A testbox
    6 1.302652455      1.1.1.1 → 192.168.1.9  DNS 144 Standard query response 0x74be No such name A testbox SOA a.root-servers.net
    7 6.268558254  192.168.1.9 → 1.1.1.1      DNS 79 Standard query 0xc47a A cups.pnq.redhat.com
    8 6.268618039  192.168.1.9 → 1.1.1.1      DNS 79 Standard query 0xb08b AAAA cups.pnq.redhat.com
    9 6.664992312      1.1.1.1 → 192.168.1.9  DNS 143 Standard query response 0xb08b AAAA cups.pnq.redhat.com SOA a1-68.akam.net
   10 6.665088305      1.1.1.1 → 192.168.1.9  DNS 143 Standard query response 0xc47a A cups.pnq.redhat.com SOA a1-68.akam.net
^C10 packets captured
[gaurav@testbox ~]$ 

The ping command is commonly used to check whether a machine is up or reachable over the network. You can run ping against Opensource.com's IP address to see whether the server is up and running.

Before you do that, start a packet capture so that you can analyze the packets later. Open a terminal and run the following command, which keeps running and looks for packets originating from or destined for the IP address 54.204.39.132:

sudo tshark -i wlp61s0 host 54.204.39.132

In another terminal, run the following ping command. The -c stands for count, so -c 2 means it should send only two packets to the given host:

ping -c 2 54.204.39.132

In the terminal where you ran the ping command, you can see that two packets were sent and two were received. It also reports 0% packet loss, which shows that the destination 54.204.39.132 responded to the ping requests:

[gaurav@testbox ~]$ ping -c 2 54.204.39.132
PING 54.204.39.132 (54.204.39.132) 56(84) bytes of data.
64 bytes from 54.204.39.132: icmp_seq=1 ttl=43 time=357 ms
64 bytes from 54.204.39.132: icmp_seq=2 ttl=43 time=278 ms

--- 54.204.39.132 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 278.045/317.410/356.776/39.369 ms
[gaurav@testbox ~]$ 

Go back to the terminal where TShark is running. It shows four packets: the two requests from the ping command (-c 2) and the two replies, for a total of four packets:

Packet 1 - request (1st request)
Packet 2 - reply (to Packet 1)
Packet 3 - request (2nd request)
Packet 4 - reply (to Packet 3)

The output shows that the ICMP protocol is being used. Ping works over ICMP to do its job:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000  192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1749, seq=1/256, ttl=64
    2 0.356750411 54.204.39.132 → 192.168.1.9  ICMP 98 Echo (ping) reply    id=0x1749, seq=1/256, ttl=43 (request in 1)
    3 1.000295229  192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1749, seq=2/512, ttl=64
    4 1.278267790 54.204.39.132 → 192.168.1.9  ICMP 98 Echo (ping) reply    id=0x1749, seq=2/512, ttl=43 (request in 3)
^C4 packets captured
[gaurav@testbox ~]$ 

Network packets travel in binary form, so if you want to see how they look on the wire, you can dump a packet in hexadecimal by simply adding -x to the tshark command. The following output shows the ping request sent by running the command ping -c 1 54.204.39.132:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -x -c 2 host 54.204.39.132 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
0000  28 c6 8e 3e 39 3a 48 89 e7 a0 33 db 08 00 45 00   (..>9:H...3...E.
0010  00 54 e6 29 40 00 40 01 34 7e c0 a8 01 09 36 cc   .T.)@.@.4~....6.
0020  27 84 08 00 25 5f 27 d1 00 01 7e aa bd 5d 00 00   '...%_'...~..]..
0030  00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15   ................
0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37                                             67

0000  48 89 e7 a0 33 db 28 c6 8e 3e 39 3a 08 00 45 00   H...3.(..>9:..E.
0010  00 54 31 06 00 00 2b 01 3e a2 36 cc 27 84 c0 a8   .T1...+.>.6.'...
0020  01 09 00 00 2d 5f 27 d1 00 01 7e aa bd 5d 00 00   ....-_'...~..]..
0030  00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15   ................
0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37                                             67

2 packets captured
[gaurav@testbox ~]$ 

Save your output

Viewing output on the screen is fine, but often you need to save the data to a file to use it later. Use the ping command again, but add -w to tell TShark to dump the output to a file. For example, the following command saves the output to a file named nlog.pcap in the /tmp directory:

sudo tshark -w /tmp/nlog.pcap -i wlp61s0 host 54.204.39.132

Now run the ping command again from another terminal, but this time with a count of five packets:

ping -c 5 54.204.39.132

The TShark terminal shows that 10 packets were captured. Why 10? Because you asked ping to send five requests and you received five replies, hence 10 packets. Use Ctrl+C to stop the packet capture:

[gaurav@testbox ~]$ sudo tshark -w /tmp/nlog.pcap -i wlp61s0 host 54.204.39.132 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
10 ^C
[gaurav@testbox ~]$ 

TShark has saved the output to the file /tmp/nlog.pcap:

[gaurav@testbox ~]$ ls -l /tmp/nlog.pcap 
-rw-------. 1 root root 1692 Nov  2 21:10 /tmp/nlog.pcap
[gaurav@testbox ~]$ 

The file command shows that the file type is a pcapng capture file, so you can't just open it in an editor like Vim and start reading; you would see nothing but garbage characters:

[gaurav@testbox ~]$ sudo file /tmp/nlog.pcap 
/tmp/nlog.pcap: pcapng capture file - version 1.0
[gaurav@testbox ~]$ 

Since TShark wrote the data to the file, it can also read it back with the -r option followed by the filename. The following shows all 10 packets (five requests and five replies):

[gaurav@testbox ~]$ sudo tshark -r /tmp/nlog.pcap 
Running as user "root" and group "root". This could be dangerous.
    1 0.000000000  192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=1/256, ttl=64
    2 0.270098703 54.204.39.132 → 192.168.1.9  ICMP 98 Echo (ping) reply    id=0x1875, seq=1/256, ttl=43 (request in 1)
    3 1.000485186  192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=2/512, ttl=64
    4 1.323571769 54.204.39.132 → 192.168.1.9  ICMP 98 Echo (ping) reply    id=0x1875, seq=2/512, ttl=43 (request in 3)
    5 2.000955585  192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=3/768, ttl=64
    6 2.347737132 54.204.39.132 → 192.168.1.9  ICMP 98 Echo (ping) reply    id=0x1875, seq=3/768, ttl=43 (request in 5)
    7 3.000912998  192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=4/1024, ttl=64
    8 3.269412434 54.204.39.132 → 192.168.1.9  ICMP 98 Echo (ping) reply    id=0x1875, seq=4/1024, ttl=43 (request in 7)
    9 4.001573635  192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=5/1280, ttl=64
   10 4.293431592 54.204.39.132 → 192.168.1.9  ICMP 98 Echo (ping) reply    id=0x1875, seq=5/1280, ttl=43 (request in 9)
[gaurav@testbox ~]$ 

TCP handshake

Before a connection can be established over a network, a TCP handshake has to be completed. The examples above only queried a name server or checked whether a machine is reachable with the ping command, neither of which requires establishing a connection with the host. Now try fetching www.opensource.com with the wget command.

Before running wget, run the following command in another terminal to capture packets. I deliberately kept the count at three, because the handshake consists of the first packets:

sudo tshark -i wlp61s0 -c 3 host 54.204.39.132

Next, run the wget command to download the index file:

[gaurav@testbox ~]$ wget https://www.opensource.com
--2019-11-02 21:13:54--  https://www.opensource.com/
Resolving www.opensource.com (www.opensource.com)... 54.204.39.132
Connecting to www.opensource.com (www.opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://open-source.net.cn/ [following]
--2019-11-02 21:13:56--  https://open-source.net.cn/
Resolving opensource.com (opensource.com)... 54.204.39.132
Connecting to opensource.com (opensource.com)|54.204.39.132|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://open-source.net.cn/ [following]
--2019-11-02 21:13:57--  https://open-source.net.cn/
Connecting to opensource.com (opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71561 (70K) [text/html]
Saving to: ‘index.html’

index.html                        100%[=============================================================>]  69.88K   105KB/s    in 0.7s    

2019-11-02 21:13:59 (105 KB/s) - ‘index.html’ saved [71561/71561]

[gaurav@testbox ~]$ ^C

Look at the three packets below. The first packet is my laptop sending a SYN request to the Opensource.com server. The second packet is the Opensource.com server replying with the SYN, ACK flags set. Finally, the third packet is my laptop sending an ACK to acknowledge receipt of the second packet. This is called the TCP handshake. After this handshake, the two nodes (i.e., my laptop and the Opensource.com server) can exchange data.

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 3 host 54.204.39.132 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000  192.168.1.9 → 54.204.39.132 TCP 74 58784 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=790376430 TSecr=0 WS=128
    2 0.306538226 54.204.39.132 → 192.168.1.9  TCP 74 443 → 58784 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=1306268046 TSecr=790376430 WS=512
    3 0.306671608  192.168.1.9 → 54.204.39.132 TCP 66 58784 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=790376737 TSecr=1306268046
3 packets captured
[gaurav@testbox ~]$ 

If you leave out -c 3, TShark captures all packets, and you will see a similar ritual for closing the connection. Only this time my laptop sends a FIN, ACK packet to Opensource.com (packet 1 below), followed by a FIN, ACK from Opensource.com to my laptop (packet 2 below), and finally an ACK packet from my laptop to the Opensource.com server. This ends the network connection established earlier, and any future connection has to go through the TCP handshake again.

   73 4.505715716  192.168.1.9 → 54.204.39.132 TCP 66 59574 → 443 [FIN, ACK] Seq=814 Ack=76239 Win=69888 Len=0 TSval=792384514 TSecr=1306769989
   74 4.737227282 54.204.39.132 → 192.168.1.9  TCP 66 443 → 59574 [FIN, ACK] Seq=76239 Ack=815 Win=29184 Len=0 TSval=1306770066 TSecr=792384514
   75 4.737389399  192.168.1.9 → 54.204.39.132 TCP 66 59574 → 443 [ACK] Seq=815 Ack=76240 Win=69888 Len=0 TSval=792384745 TSecr=1306770066

Encrypted handshake data

These days, most websites are accessed over HTTPS rather than HTTP. This ensures that the data passed between the two nodes is encrypted on the wire as it crosses the internet. To set up that encryption, a TLS handshake takes place, which resembles the TCP handshake.

Fire off a wget command again, but this time capture 11 packets from the start:

[gaurav@testbox ~]$ wget https://www.opensource.com
--2019-11-02 21:15:21--  https://www.opensource.com/
Resolving www.opensource.com (www.opensource.com)... 54.204.39.132
Connecting to www.opensource.com (www.opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://open-source.net.cn/ [following]
--2019-11-02 21:15:23--  https://open-source.net.cn/
Resolving opensource.com (opensource.com)... 54.204.39.132
Connecting to opensource.com (opensource.com)|54.204.39.132|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://open-source.net.cn/ [following]
--2019-11-02 21:15:28--  https://open-source.net.cn/
Connecting to opensource.com (opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71561 (70K) [text/html]
Saving to: ‘index.html’

index.html                        100%[=============================================================>]  69.88K   114KB/s    in 0.6s    

2019-11-02 21:15:31 (114 KB/s) - ‘index.html’ saved [71561/71561]

[gaurav@testbox ~]$ 

The TCP handshake completes within the first three packets, and packets four through nine carry the TLS string; they follow a similar handshake ritual to set up a secure, encrypted connection between the two hosts:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 11 host 54.204.39.132 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000  192.168.1.9 → 54.204.39.132 TCP 74 58800 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=790462858 TSecr=0 WS=128
    2 0.305006506 54.204.39.132 → 192.168.1.9  TCP 74 443 → 58800 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=1306289652 TSecr=790462858 WS=512
    3 0.305135180  192.168.1.9 → 54.204.39.132 TCP 66 58800 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=790463163 TSecr=1306289652
    4 0.308282152  192.168.1.9 → 54.204.39.132 TLSv1 583 Client Hello
    5 0.613210220 54.204.39.132 → 192.168.1.9  TCP 66 443 → 58800 [ACK] Seq=1 Ack=518 Win=28160 Len=0 TSval=1306289729 TSecr=790463166
    6 0.613298883 54.204.39.132 → 192.168.1.9  TLSv1.2 3139 Server Hello, Certificate, Server Key Exchange, Server Hello Done
    7 0.613356054  192.168.1.9 → 54.204.39.132 TCP 66 58800 → 443 [ACK] Seq=518 Ack=3074 Win=61184 Len=0 TSval=790463472 TSecr=1306289729
    8 0.617318607  192.168.1.9 → 54.204.39.132 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    9 0.919718195 54.204.39.132 → 192.168.1.9  TLSv1.2 324 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
   10 0.940858609  192.168.1.9 → 54.204.39.132 TLSv1.2 240 Application Data
   11 1.228530079 54.204.39.132 → 192.168.1.9  TLSv1.2 754 Application Data
11 packets captured
[gaurav@testbox ~]$ 

Because HTTPS works on port 443 by default, you can use that as a filter in TShark to capture only the traffic going to that port:

sudo tshark -i wlp61s0 host 54.204.39.132 and port 443

Timestamps are essential when you need to analyze packets offline to reconstruct past events (for debugging, for example). Adding the -t ad flag to TShark puts an absolute date and time at the beginning of each captured packet:

[gaurav@testbox ~]$ sudo tshark -n -i wlp61s0 -t ad
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 2019-11-02 21:43:58.344158174 25:c9:8e:3f:38:3a → 48:89:e7:a0:33:db ARP 42 Who has 192.168.1.9? Tell 192.168.1.1
    2 2019-11-02 21:43:58.344194844 48:89:e7:a0:33:db → 25:c9:8e:3f:38:3a ARP 42 192.168.1.9 is at 48:89:e7:a0:33:db
    3 2019-11-02 21:44:00.223393961  192.168.1.9 → 1.1.1.1      DNS 79 Standard query 0x00fb A cups.pnq.redhat.com
    4 2019-11-02 21:44:00.223460961  192.168.1.9 → 1.1.1.1      DNS 79 Standard query 0x1814 AAAA cups.pnq.redhat.com
    5 2019-11-02 21:44:00.266325914      1.1.1.1 → 192.168.1.9  DNS 143 Standard query response 0x00fb A cups.pnq.redhat.com SOA a1-68.akam.net
    6 2019-11-02 21:44:00.269102767      1.1.1.1 → 192.168.1.9  DNS 143 Standard query response 0x1814 AAAA cups.pnq.redhat.com SOA a1-68.akam.net
^C6 packets captured
[gaurav@testbox ~]$

View entire packets

So far you have seen several packet examples and ways to interpret them, but not a whole packet. Here is how to dump entire packets using the ping and nslookup utilities:

[gaurav@testbox ~]$ ping -c 1 54.204.39.132
PING 54.204.39.132 (54.204.39.132) 56(84) bytes of data.
64 bytes from 54.204.39.132: icmp_seq=1 ttl=43 time=357 ms

--- 54.204.39.132 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 356.961/356.961/356.961/0.000 ms
[gaurav@testbox ~]$ 

In another window, run the following command, then run the ping command above. Notice the additional -V flag; it dumps the entire packet information to the screen. The output is divided into sections, starting with the frame, then moving to Ethernet, then to Internet Protocol, and so on.

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 1 -V host 54.204.39.132 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
    Interface id: 0 (wlp61s0)
        Interface name: wlp61s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  2, 2019 21:17:55.556150846 IST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1572709675.556150846 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 98 bytes (784 bits)
    Capture Length: 98 bytes (784 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:icmp:data]
Ethernet II, Src: IntelCor_a0:33:db (48:89:e7:a0:33:db), Dst: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
    Destination: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        Address: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        Address: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.9, Dst: 54.204.39.132
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 84
    Identification: 0x8f68 (36712)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: ICMP (1)
    Header checksum: 0x8b3f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.1.9
    Destination: 54.204.39.132
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xcfc5 [correct]
    [Checksum Status: Good]
    Identifier (BE): 7399 (0x1ce7)
    Identifier (LE): 59164 (0xe71c)
    Sequence number (BE): 1 (0x0001)
    Sequence number (LE): 256 (0x0100)
    Timestamp from icmp data: Nov  2, 2019 21:17:55.000000000 IST
    [Timestamp from icmp data (relative): 0.556150846 seconds]
    Data (48 bytes)

0000  5b 7c 08 00 00 00 00 00 10 11 12 13 14 15 16 17   [|..............
0010  18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27   ........ !"#$%&'
0020  28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37   ()*+,-./01234567
        Data: 5b7c080000000000101112131415161718191a1b1c1d1e1f…
        [Length: 48]

1 packet captured
[gaurav@testbox ~]
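As an added example, not code from the article, the following Python script takes the two frames of the tshark -x dump shown earlier (the ping request and its reply) and works them back through the layers that tshark -V prints: it rebuilds the raw bytes from the hex-dump text, dissects the Ethernet II, IPv4 and ICMP echo fields, verifies the IP and ICMP checksums that TShark itself reports as "validation disabled" and "correct", and pairs the reply with its request the way the "(request in 1)" annotation does. It assumes the dump came from iputils ping on a 64-bit Linux host, so that the first 16 payload bytes are a struct timeval.

```python
"""Decode the 'tshark -x' frames of 'ping -c 1 54.204.39.132'; added example, not the article's code."""
import re
import struct

# Frame 1 (echo request) and frame 2 (echo reply), copied verbatim from the
# article's 'sudo tshark -i wlp61s0 -x -c 2 host 54.204.39.132' output.
TSHARK_X_OUTPUT = """\
0000  28 c6 8e 3e 39 3a 48 89 e7 a0 33 db 08 00 45 00   (..>9:H...3...E.
0010  00 54 e6 29 40 00 40 01 34 7e c0 a8 01 09 36 cc   .T.)@.@.4~....6.
0020  27 84 08 00 25 5f 27 d1 00 01 7e aa bd 5d 00 00   '...%_'...~..]..
0030  00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15   ................
0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37                                             67

0000  48 89 e7 a0 33 db 28 c6 8e 3e 39 3a 08 00 45 00   H...3.(..>9:..E.
0010  00 54 31 06 00 00 2b 01 3e a2 36 cc 27 84 c0 a8   .T1...+.>.6.'...
0020  01 09 00 00 2d 5f 27 d1 00 01 7e aa bd 5d 00 00   ....-_'...~..]..
0030  00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15   ................
0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37                                             67
"""

# Offset, two spaces, then byte pairs separated by ONE space; the ASCII column
# follows two or more spaces, so it is never read as bytes even if it looks hex.
HEX_LINE = re.compile(r"^([0-9a-f]{4})  ((?:[0-9a-f]{2}(?: |$))+)")

def parse_tshark_hexdump(text):
    """Rebuild raw frames from 'tshark -x' text; a blank line separates frames."""
    frames = []
    for block in text.strip().split("\n\n"):
        frame = bytearray()
        for line in block.splitlines():
            m = HEX_LINE.match(line)
            if not m or int(m.group(1), 16) != len(frame):
                raise ValueError("bad or out-of-order dump line: %r" % line)
            frame += bytes.fromhex("".join(m.group(2).split()))
        frames.append(bytes(frame))
    return frames

def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 when data already holds a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ping_frame(frame):
    """Dissect Ethernet II / IPv4 / ICMP echo, the layers 'tshark -V' lists for a ping."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ip_id, flags_frag, ttl, proto, ip_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if eth_type != 0x0800 or ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("expected Ethernet II / IPv4 / ICMP (protocol 1)")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = ip[ihl:total_len]                # drop any trailing Ethernet padding
    itype, code, icmp_csum, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
    # Assumption: iputils ping on 64-bit Linux, which stores a 16-byte struct
    # timeval (host order) first in the payload ("Timestamp from icmp data").
    tv_sec, tv_usec = struct.unpack("<QQ", icmp[8:24])
    mac = lambda raw: ":".join("%02x" % b for b in raw)
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "ip_src": ".".join(map(str, src)), "ip_dst": ".".join(map(str, dst)),
        "ip_id": ip_id, "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl,
        "ip_checksum": ip_csum, "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": itype, "icmp_code": code, "echo_id": echo_id, "echo_seq": seq,
        "icmp_checksum": icmp_csum, "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload_len": len(icmp) - 8, "sent_at": tv_sec + tv_usec / 1e6,
    }

def match_echo_replies(packets):
    """Map reply number -> request number by (id, seq), like tshark's '(request in N)'."""
    pending, pairs = {}, {}
    for num, p in enumerate(packets, start=1):
        key = (p["echo_id"], p["echo_seq"])
        if p["icmp_type"] == 8:
            pending[key] = num
        elif p["icmp_type"] == 0 and key in pending:
            pairs[num] = pending.pop(key)
    return pairs

if __name__ == "__main__":
    pkts = [decode_ping_frame(f) for f in parse_tshark_hexdump(TSHARK_X_OUTPUT)]
    print(*pkts, "reply -> request: %s" % match_echo_replies(pkts), sep="\n")
```

Note that the sequential payload pattern 0x10, 0x11, ... only begins at payload byte 16, because ping overwrites the first 16 bytes with the send timestamp.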

Similarly, run the following nslookup command and, alongside it, dump the entire packet with TShark:

[gaurav@testbox ~]$ nslookup opensource.com
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	opensource.com
Address: 54.204.39.132

[gaurav@testbox ~]$ 

Here is how the packet looks when you do a DNS lookup; notice that the UDP protocol is being used:

[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 1 -V host 1.1.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
Frame 1: 88 bytes on wire (704 bits), 88 bytes captured (704 bits) on interface 0
    Interface id: 0 (wlp61s0)
        Interface name: wlp61s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  2, 2019 21:19:32.161216715 IST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1572709772.161216715 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 88 bytes (704 bits)
    Capture Length: 88 bytes (704 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
Ethernet II, Src: IntelCor_a0:33:db (48:89:e7:a0:33:db), Dst: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
    Destination: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        Address: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        Address: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.9, Dst: 1.1.1.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 74
    Identification: 0x907d (36989)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xe672 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.1.9
    Destination: 1.1.1.1
User Datagram Protocol, Src Port: 60656, Dst Port: 53
    Source Port: 60656
    Destination Port: 53
    Length: 54
    Checksum: 0x2fd2 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
Domain Name System (query)
    Transaction ID: 0x303c
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        clock01.util.phx2.redhat.com: type A, class IN
            Name: clock01.util.phx2.redhat.com
            [Name Length: 28]
            [Label Count: 5]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

1 packet captured
[gaurav@testbox ~]$ 

Next steps

Once you are comfortable with these basics of packet capture and analysis, you can make use of TShark's many capture and display filters when working on more advanced use cases. Refer to the online documentation for more information on these filters.

Experienced software engineering professional. Main interests are security, Linux, and malware. Loves working on the command line. Interested in low-level software and in understanding how things work. The views expressed here are my own and do not represent my employer.

1 comment

curl -4 https://gmail.com

tshark -nnSX port 443

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.