Learning to analyze network packets is a powerful skill.
Once we are connected to a network, most of the time we never think about the underlying protocols that make it all work. Right now, as you read this, your computer is exchanging a stream of packets that travel across the Internet.
To understand these protocols you need a tool that can capture the packets and help you analyze them. Wireshark is a popular open source graphical (GUI) packet analyzer, and it also ships a powerful command-line utility called TShark for people who prefer to work on the Linux command line.
To try the examples in this article you need an Internet connection. For any changes to TShark's command-line options or flags, refer to the man page and the online documentation. I am using Fedora for the demonstration:
[gaurav@testbox ~]$ cat /etc/fedora-release
Fedora release 30 (Thirty)
[gaurav@testbox ~]$
1. Check the installation
First, make sure the required package is installed:
[gaurav@testbox ~]$ rpm -qa | grep -i wireshark
wireshark-cli-3.0.1-1.fc30.x86_64
[gaurav@testbox ~]$
If the Wireshark package is installed, check that the TShark utility is present and which version it is:
[gaurav@testbox ~]$ tshark -v
TShark (Wireshark) 3.0.1 (23f278e2)
Built using gcc 9.0.1 20190312 (Red Hat 9.0.1-0.10).
[gaurav@testbox ~]$
If you are logged in as a non-root user you need sudo to capture with TShark; root can skip sudo and run tshark directly. Capturing as root is what the warning "Running as user "root" and group "root". This could be dangerous." in the outputs below refers to: the protocol dissectors parse untrusted data straight off the network, so a dissector bug can be triggered by anyone able to send you packets, and it then runs with root's privileges. The usual alternative is to add your user to the wireshark group so that dumpcap, the small capture helper, receives the capture privileges while tshark itself runs unprivileged; see the Wireshark documentation for your distribution.
2. Find the network devices available to TShark
Before TShark can analyze packets it has to capture them. Network packets pass through the network interface card (NIC) of a server, workstation or desktop, or the WiFi card of a laptop. First identify the NIC or WiFi card you use to connect to the Internet.
To see which network devices TShark can capture on, run the following command. On my laptop it shows:
[gaurav@testbox ~]$ sudo tshark -D
Running as user "root" and group "root". This could be dangerous.
1. wlp61s0
2. lo (Loopback)
3. any
4. virbr0
5. enp0s31f6
6. bluetooth-monitor
7. nflog
8. nfqueue
[gaurav@testbox ~]$
I am using the WiFi card to connect to my home router for Internet access. You can see all the network interfaces on the system with ifconfig -a; if ifconfig is not installed, use the newer ip addr show instead.
One of the interfaces should have an IP address assigned to it. To look at a single interface, give its name to ifconfig:
ifconfig wlp61s0
3. Capture some packets
Now that you know which interface connects you to the Internet, you can start capturing packets on it. The -i argument selects the interface to capture on. You will see a stream of output showing the packets passing through the interface; stop it with Ctrl+C:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xa02b AAAA fedoraproject.org
    2 0.000128115  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xcc47 A fedoraproject.org
    3 0.000316195  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xe29d A fedoraproject.org
    4 0.000616019  192.168.1.9 → 192.168.1.1  DNS 77 Standard query 0xac7c AAAA fedoraproject.org
    5 0.007963200  192.168.1.1 → 192.168.1.9  DNS 93 Standard query response 0xcc47 A fedoraproject.org A 185.141.165.254
    6 0.009171815  192.168.1.1 → 192.168.1.9  DNS 93 Standard query response 0xe29d A fedoraproject.org A 185.141.165.254
    7 0.011075350  192.168.1.1 → 192.168.1.9  DNS 322 Standard query response 0xa02b AAAA fedoraproject.org AAAA 2610:28:3090:3001:dead:beef:cafe:fed3 AAAA 2605:bc80:3010:600:dead:beef:cafe:fed9 AAAA 2604:1580:fe00:0:dead:beef:cafe:fed1 NS ns04.fedoraproject.org NS ns05.fedoraproject.org NS ns02.fedoraproject.org A 152.19.134.139 AAAA 2610:28:3090:3001:dead:beef:cafe:fed5 A 209.132.181.17 A 85.236.55.10 AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
    8 0.012458151  192.168.1.1 → 192.168.1.9  DNS 322 Standard query response 0xac7c AAAA fedoraproject.org AAAA 2605:bc80:3010:600:dead:beef:cafe:fed9 AAAA 2610:28:3090:3001:dead:beef:cafe:fed3 AAAA 2604:1580:fe00:0:dead:beef:cafe:fed1 NS ns05.fedoraproject.org NS ns02.fedoraproject.org NS ns04.fedoraproject.org A 152.19.134.139 AAAA 2610:28:3090:3001:dead:beef:cafe:fed5 A 209.132.181.17 A 85.236.55.10 AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
^C8 packets captured
[gaurav@testbox ~]$
Look at the first two packets above; each line starts with the packet number:
1 0.000000000 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xa02b AAAA fedoraproject.org
2 0.000128115 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xcc47 A fedoraproject.org
After the number comes the time in seconds since the first packet. The two IP addresses on either side of the arrow are the hosts exchanging the packet, and the arrow gives its direction: 192.168.1.9 → 192.168.1.1 means the packet came from 192.168.1.9 (my laptop) and went to 192.168.1.1 (my home router). After the destination address comes the protocol, DNS (Domain Name System), then the packet length in bytes (77) and a summary of the DNS query, including the 16-bit transaction ID (0xa02b) that the matching response will carry; more on DNS below.
The -c (count) argument stops the capture after that many packets. The following example captures ten packets. Look at the protocol column: besides the DNS seen above there are other protocols here, NTP and TCP:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000    192.168.1.9 → 10.5.26.10    NTP 90 NTP Version 4, client
    2 0.803303963    192.168.1.9 → 10.5.27.10    NTP 90 NTP Version 4, client
    3 3.524867645    192.168.1.9 → 192.168.1.1   DNS 69 Standard query 0x3837 A testbox
    4 6.227373094    192.168.1.9 → 192.168.1.1   DNS 89 Standard query 0x0814 A location.services.mozilla.com
    5 6.227395145    192.168.1.9 → 192.168.1.1   DNS 89 Standard query 0x5e1c AAAA location.services.mozilla.com
    6 6.234878912    192.168.1.1 → 192.168.1.9   DNS 105 Standard query response 0x0814 A location.services.mozilla.com A 34.253.23.107
    7 6.238110416    192.168.1.1 → 192.168.1.9   DNS 223 Standard query response 0x5e1c AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
    8 6.238446999    192.168.1.9 → 34.253.23.107 TCP 74 35326 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2832002333 TSecr=0 WS=128
    9 6.438833991  34.253.23.107 → 192.168.1.9   TCP 74 443 → 35326 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=2056252981 TSecr=2832002333 WS=256
   10 6.438947001    192.168.1.9 → 34.253.23.107 TCP 66 35326 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2832002533 TSecr=2056252981
10 packets captured
[gaurav@testbox ~]$
The DNS protocol translates host names to IP addresses, and IP addresses back to host names. Dedicated DNS (name) servers answer queries for either. The example below uses the nslookup command to ask a name server to resolve a host name to an IP address. Before continuing, make sure the bind-utils package is installed:
[gaurav@testbox ~]$ rpm -qa | grep -i bind-utils
bind-utils-9.11.5-13.P4.fc30.x86_64
[gaurav@testbox ~]$
To query a name server you first need to know which server your machine talks to. That information is in /etc/resolv.conf. In my case the name server is 1.1.1.1, the public DNS service run by Cloudflare:
[gaurav@testbox ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 1.1.1.1
[gaurav@testbox ~]$
A host name such as Opensource.com is easy for humans, but machines connect to other machines over a network or the Internet by IP address. For your computer to connect to opensource.com it has to find the site's IP address, which you can do with:
nslookup opensource.com
If nslookup is not on your machine, the dig command does the same job:
dig opensource.com
But before you press Enter, open another terminal and start TShark capturing all traffic to and from the name server (1.1.1.1 in my case). host is a capture filter that matches packets with that address as either source or destination:
sudo tshark -i wlp61s0 host 1.1.1.1
Leave that terminal running, go back to the other one and run nslookup (or dig). When the command finishes it reports the IP address of Opensource.com, 54.204.39.132. This is the nslookup output:
[gaurav@testbox ~]$ nslookup opensource.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   opensource.com
Address: 54.204.39.132

[gaurav@testbox ~]$
And the output of dig:
[gaurav@testbox ~]$ dig opensource.com
[dig output omitted; its ANSWER SECTION carries the same A record, 54.204.39.132, and the footer line ";; SERVER: 1.1.1.1#53(1.1.1.1)" shows which server answered]
So far so good, but what happened at the packet level? Switch to the terminal where tshark is running. It has captured a couple of packets:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 host 1.1.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    2 1.798275687    192.168.1.9 → 1.1.1.1       DNS 74 Standard query 0xcda0 A opensource.com
    3 1.827143443        1.1.1.1 → 192.168.1.9   DNS 90 Standard query response 0xcda0 A opensource.com A 54.204.39.132
^C packets captured
[gaurav@testbox ~]$
The first packet below comes from my laptop, 192.168.1.9, and goes to 1.1.1.1. It is a DNS packet carrying a standard query that asks the name server for the A record (the IPv4 address) of Opensource.com:
2 1.798275687 192.168.1.9 → 1.1.1.1 DNS 74 Standard query 0xcda0 A opensource.com
The second packet is the response sent from the name server 1.1.1.1 back to the machine 192.168.1.9. It is DNS again, but now a standard query response carrying the IP address of Opensource.com. Note that the transaction ID, 0xcda0, is the same in both packets: that is how TShark (and the resolver on the laptop) pairs a response with its query:
3 1.827143443 1.1.1.1 → 192.168.1.9 DNS 90 Standard query response 0xcda0 A opensource.com A 54.204.39.132
If you know in advance which protocol you are looking for, you can give it to tshark as a capture filter. The following example captures only UDP packets, and what shows up is DNS, because DNS queries are normally carried over UDP (port 53). Keep in mind that DNS can also use TCP, for instance for responses too large for one UDP datagram, and those would not match this filter. The filter expression uses the same pcap (BPF) syntax as tcpdump; it is distinct from Wireshark display filters, which tshark applies with -Y:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 udp
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000    192.168.1.9 → 1.1.1.1       DNS 89 Standard query 0xcc6d A location.services.mozilla.com
    2 0.000068640    192.168.1.9 → 1.1.1.1       DNS 89 Standard query 0x6484 AAAA location.services.mozilla.com
    3 0.032616053        1.1.1.1 → 192.168.1.9   DNS 189 Standard query response 0xcc6d A location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net A 52.215.71.87 A 54.72.168.141 A 34.253.23.107
    4 0.108203529        1.1.1.1 → 192.168.1.9   DNS 241 Standard query response 0x6484 AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
    5 1.268489014    192.168.1.9 → 1.1.1.1       DNS 69 Standard query 0x74be A testbox
    6 1.302652455        1.1.1.1 → 192.168.1.9   DNS 144 Standard query response 0x74be No such name A testbox SOA a.root-servers.net
    7 6.268558254    192.168.1.9 → 1.1.1.1       DNS 79 Standard query 0xc47a A cups.pnq.redhat.com
    8 6.268618039    192.168.1.9 → 1.1.1.1       DNS 79 Standard query 0xb08b AAAA cups.pnq.redhat.com
    9 6.664992312        1.1.1.1 → 192.168.1.9   DNS 143 Standard query response 0xb08b AAAA cups.pnq.redhat.com SOA a1-68.akam.net
   10 6.665088305        1.1.1.1 → 192.168.1.9   DNS 143 Standard query response 0xc47a A cups.pnq.redhat.com SOA a1-68.akam.net
^C10 packets captured
[gaurav@testbox ~]$
The ping command is commonly used to check whether a machine is up or reachable over the network. Run ping against the IP address of Opensource.com to see whether the server is up and running.
Before doing that, start a packet capture so that you can analyze the packets afterwards. Open a terminal and run the following command; it keeps running and captures packets to or from the IP address 54.204.39.132:
sudo tshark -i wlp61s0 host 54.204.39.132
In another terminal, run the ping command below. -c is the count, so -c 2 sends only two packets to the given host:
ping -c 2 54.204.39.132
In the terminal where ping ran you can see that two packets were sent and two received, with 0% packet loss, which means the destination 54.204.39.132 answered the ping requests:
[gaurav@testbox ~]$ ping -c 2 54.204.39.132
PING 54.204.39.132 (54.204.39.132) 56(84) bytes of data.
64 bytes from 54.204.39.132: icmp_seq=1 ttl=43 time=357 ms
64 bytes from 54.204.39.132: icmp_seq=2 ttl=43 time=278 ms

--- 54.204.39.132 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 278.045/317.410/356.776/39.369 ms
[gaurav@testbox ~]$
Go back to the terminal running TShark. It shows four packets: the two requests sent by ping (-c 2) and their two replies:
Packet 1 - request (1st request)
Packet 2 - reply (to Packet 1)
Packet 3 - request (2nd request)
Packet 4 - reply (to Packet 3)
The protocol column says ICMP: ping does its job with ICMP echo request and echo reply messages. The id field is the same in all four packets (it identifies the sending ping instance, so replies can be matched to it) and seq increments with each request; TShark prints seq in both byte orders (1/256), and the "(request in N)" annotation on each reply points at the request it answers:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000    192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1749, seq=1/256, ttl=64
    2 0.356750411  54.204.39.132 → 192.168.1.9   ICMP 98 Echo (ping) reply    id=0x1749, seq=1/256, ttl=43 (request in 1)
    3 1.000295229    192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1749, seq=2/512, ttl=64
    4 1.278267790  54.204.39.132 → 192.168.1.9   ICMP 98 Echo (ping) reply    id=0x1749, seq=2/512, ttl=43 (request in 3)
^C4 packets captured
[gaurav@testbox ~]$
Network packets travel as binary data. To see what they look like on the wire, add -x to the tshark command and it prints a hex dump of each packet next to the summary. The output below shows the two packets, the echo request and its reply, captured while running ping -c 1 54.204.39.132:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -x host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
[the hex dump of the first packet, the echo request, is cut off here; only its last two lines remain]
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37                                             67

0000  48 89 e7 a0 33 db 28 c6 8e 3e 39 3a 08 00 45 00   H...3.(..>9:..E.
0010  00 54 31 06 00 00 2b 01 3e a2 36 cc 27 84 c0 a8   .T1...+.>.6.'...
0020  01 09 00 00 2d 5f 27 d1 00 01 7e aa bd 5d 00 00   ....-_'...~..]..
0030  00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15   ................
0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37                                             67

2 packets captured
[gaurav@testbox ~]$
The second dump is the reply, and its headers can be read straight off the bytes. The first 14 bytes are the Ethernet header: destination MAC 48:89:e7:a0:33:db, source MAC 28:c6:8e:3e:39:3a, EtherType 08 00 (IPv4). The IPv4 header starts at offset 0x0e: 45 is version 4 with a 20-byte header, 00 54 is the total length 84, 2b is the TTL 43 that ping reported, 01 is protocol ICMP, 36 cc 27 84 is the source 54.204.39.132 and c0 a8 01 09 the destination 192.168.1.9. Then comes the ICMP header: 00 00 is type 0 (echo reply) and code 0, 2d 5f the checksum, 27 d1 the identifier and 00 01 the sequence number, followed by the timestamp that ping embeds in its payload and the filler bytes 0x10 to 0x37.
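To make the dump above concrete, here is an added example (not code from the article or from Wireshark) that turns tshark -x lines back into bytes and decodes the Ethernet, IPv4 and ICMP headers of the echo reply shown above. It also checks two things TShark's summary line does not show by default: the IPv4 header checksum (marked "validation disabled" in -V output later in this article) and the ICMP checksum, both recomputed with the RFC 1071 one's-complement sum. The hex dump is copied from the reply above as constructed input; the header layouts are the standard Ethernet II, IPv4 and ICMP ones, and the line format is the one tshark -x prints.

```python
"""Decode a tshark -x hex dump into Ethernet, IPv4 and ICMP fields.

Added example for this article; not code from the article or from Wireshark.
Assumes the standard Ethernet II, IPv4 and ICMP header layouts and the
tshark -x line format: a 4-digit hex offset, two spaces, up to 16 hex bytes
separated by single spaces, then (optionally) several spaces and an ASCII
column.
"""
import struct

# Constructed input: the echo reply (54.204.39.132 -> 192.168.1.9) from the
# tshark -x output above, copied line by line.
SAMPLE_DUMP = """\
0000  48 89 e7 a0 33 db 28 c6 8e 3e 39 3a 08 00 45 00   H...3.(..>9:..E.
0010  00 54 31 06 00 00 2b 01 3e a2 36 cc 27 84 c0 a8   .T1...+.>.6.'...
0020  01 09 00 00 2d 5f 27 d1 00 01 7e aa bd 5d 00 00   ....-_'...~..]..
0030  00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15   ................
0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37                                             67
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")
ICMP_TYPES = {0: "Echo (ping) reply", 8: "Echo (ping) request"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tshark -x style lines back into the raw frame bytes.

    The ASCII column is separated from the hex bytes by at least two spaces,
    which is what lets us drop it; offsets are checked so a mangled or
    re-ordered dump is rejected instead of silently yielding wrong bytes.
    """
    out = bytearray()
    for line in dump.splitlines():
        if len(line) < 6 or not set(line[:4]) <= HEX_DIGITS:
            continue  # blank line or a tshark summary line, not a dump line
        if int(line[:4], 16) != len(out):
            raise ValueError(f"offset {line[:4]} does not match {len(out)} bytes read so far")
        hex_part = line[6:].split("  ", 1)[0]
        out += bytes.fromhex(hex_part)
    return bytes(out)


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) as used by IPv4 and ICMP.

    Over a header that already holds a correct checksum the result is 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> ICMP and verify both checksums."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType {ethertype:#06x})")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     _ip_csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
        "src_ip": _ipv4(src_ip), "dst_ip": _ipv4(dst_ip),
        "ip_id": ident, "ttl": ttl, "proto": proto, "ip_total_len": total_len,
        "ip_checksum_ok": rfc1071_checksum(ip[:ihl]) == 0,
    }
    if proto == 1:  # ICMP: type, code, checksum, then identifier and sequence for echo
        icmp = ip[ihl:total_len]
        icmp_type, code, _icmp_csum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update({
            "icmp_type": icmp_type, "icmp_code": code,
            "icmp_desc": ICMP_TYPES.get(icmp_type, f"type {icmp_type}"),
            "icmp_id": icmp_id, "icmp_seq": seq,
            "icmp_payload_len": len(icmp) - 8,
            "icmp_checksum_ok": rfc1071_checksum(icmp) == 0,
        })
    return info


def summarize(frame: bytes) -> str:
    """One line in the style of TShark's default summary columns."""
    p = parse_frame(frame)
    return (f"{p['src_ip']} → {p['dst_ip']} ICMP {len(frame)} {p['icmp_desc']} "
            f"id=0x{p['icmp_id']:04x}, seq={p['icmp_seq']}, ttl={p['ttl']}")


if __name__ == "__main__":
    frame = hexdump_to_bytes(SAMPLE_DUMP)
    print(summarize(frame))
    for key, value in parse_frame(frame).items():
        print(f"  {key}: {value}")
```

Running it prints the same summary TShark would (54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x27d1, seq=1, ttl=43) and reports both checksums as valid; flipping any header byte in the dump makes the corresponding check fail, which is the quick way to tell a corrupted or hand-edited capture from a real one.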
4. Save the output
Seeing the output on screen is fine, but often you want to save the data to a file for later analysis. Use the ping command again, but this time add -w to tell TShark to write the packets to a file. The following saves them to a file named nlog.pcap in the /tmp directory:
sudo tshark -w /tmp/nlog.pcap -i wlp61s0 host 54.204.39.132
Now run ping again from another terminal, this time with a count of five packets:
ping -c 5 54.204.39.132
The TShark terminal shows that 10 packets were captured. Why 10? You asked ping to send five requests and got five replies, so 10 packets in all. Stop the capture with Ctrl+C:
[gaurav@testbox ~]$ sudo tshark -w /tmp/nlog.pcap -i wlp61s0 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
10 ^C
[gaurav@testbox ~]$
TShark saved the packets to /tmp/nlog.pcap. Because the capture ran as root, the file is owned by root and readable only by root, which is why the commands below use sudo as well:
[gaurav@testbox ~]$ ls -l /tmp/nlog.pcap
-rw-------. 1 root root 1692 Nov  2 21:10 /tmp/nlog.pcap
[gaurav@testbox ~]$
The file command reports a pcapng capture file, whatever the .pcap extension suggests (pcapng is TShark's default output format; -F pcap selects the older libpcap format if another tool needs it). It is binary, so you cannot simply open it in an editor such as Vim and read it; you would only see garbage characters:
[gaurav@testbox ~]$ sudo file /tmp/nlog.pcap
/tmp/nlog.pcap: pcapng capture file - version 1.0
[gaurav@testbox ~]$
Since TShark wrote the data to a file, it can also read it back with the -r argument and the file name. Below are all 10 packets (five requests and five replies):
[gaurav@testbox ~]$ sudo tshark -r /tmp/nlog.pcap
Running as user "root" and group "root". This could be dangerous.
    1 0.000000000    192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=1/256, ttl=64
    2 0.270098703  54.204.39.132 → 192.168.1.9   ICMP 98 Echo (ping) reply    id=0x1875, seq=1/256, ttl=43 (request in 1)
    3 1.000485186    192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=2/512, ttl=64
    4 1.323571769  54.204.39.132 → 192.168.1.9   ICMP 98 Echo (ping) reply    id=0x1875, seq=2/512, ttl=43 (request in 3)
    5 2.000955585    192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=3/768, ttl=64
    6 2.347737132  54.204.39.132 → 192.168.1.9   ICMP 98 Echo (ping) reply    id=0x1875, seq=3/768, ttl=43 (request in 5)
    7 3.000912998    192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=4/1024, ttl=64
    8 3.269412434  54.204.39.132 → 192.168.1.9   ICMP 98 Echo (ping) reply    id=0x1875, seq=4/1024, ttl=43 (request in 7)
    9 4.001573635    192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request  id=0x1875, seq=5/1280, ttl=64
   10 4.293431592  54.204.39.132 → 192.168.1.9   ICMP 98 Echo (ping) reply    id=0x1875, seq=5/1280, ttl=43 (request in 9)
[gaurav@testbox ~]$
TCP handshake
Before a connection can be established over the network, a TCP handshake has to complete. The examples so far only queried a name server and used ping to check whether a machine is reachable; neither of those needs a connection to the host. Now try fetching www.opensource.com with the wget command.
Before running wget, start the following capture in another terminal. I deliberately limited the count to three, because the handshake is made up of the first three packets:
sudo tshark -i wlp61s0 -c 3 host 54.204.39.132
Next, run wget to download the index file:
[gaurav@testbox ~]$ wget https://www.opensource.com
--2019-11-02 21:13:54--  https://www.opensource.com/
Resolving www.opensource.com (www.opensource.com)... 54.204.39.132
Connecting to www.opensource.com (www.opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://opensource.com/ [following]
--2019-11-02 21:13:56--  http://opensource.com/
Resolving opensource.com (opensource.com)... 54.204.39.132
Connecting to opensource.com (opensource.com)|54.204.39.132|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://opensource.com/ [following]
--2019-11-02 21:13:57--  https://opensource.com/
Connecting to opensource.com (opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71561 (70K) [text/html]
Saving to: 'index.html'

index.html          100%[===========================================>]  69.88K   105KB/s    in 0.7s

2019-11-02 21:13:59 (105 KB/s) - 'index.html' saved [71561/71561]

[gaurav@testbox ~]$ ^C
Look at the three packets below. The first is the SYN sent from my laptop to the Opensource.com server. The second is the server's reply with the SYN and ACK flags set. Finally, the third is the ACK my laptop sends to acknowledge receipt of the second. This is the TCP three-way handshake; once it is done, the two nodes (my laptop and the Opensource.com server) can exchange data. Note that Seq=0 and Ack=1 are relative sequence numbers that TShark shows by default for readability; the raw values on the wire are 32-bit numbers chosen by each side.
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 3 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000    192.168.1.9 → 54.204.39.132 TCP 74 58784 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=790376430 TSecr=0 WS=128
    2 0.306538226  54.204.39.132 → 192.168.1.9   TCP 74 443 → 58784 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=1306268046 TSecr=790376430 WS=512
    3 0.306671608    192.168.1.9 → 54.204.39.132 TCP 66 58784 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=790376737 TSecr=1306268046
3 packets captured
[gaurav@testbox ~]$
If you drop the -c 3, tshark captures everything, and you will also see the connection being closed in a similar way. Here my laptop sends a FIN,ACK packet to Opensource.com (packet 1 below), Opensource.com sends a FIN,ACK back to my laptop (packet 2), and finally my laptop sends an ACK to the Opensource.com server (packet 3). That ends the connection established earlier; any later exchange has to start with a new TCP handshake. Note the client port, 59574: this is a later connection than the 58784 one above, since wget's redirect chain (https, then plain http on port 80, then https again, as the 301 and 302 responses show) opens several connections, one of them unencrypted.
   73 4.505715716    192.168.1.9 → 54.204.39.132 TCP 66 59574 → 443 [FIN, ACK] Seq=814 Ack=76239 Win=69888 Len=0 TSval=792384514 TSecr=1306769989
   74 4.737227282  54.204.39.132 → 192.168.1.9   TCP 66 443 → 59574 [FIN, ACK] Seq=76239 Ack=815 Win=29184 Len=0 TSval=1306770066 TSecr=792384514
   75 4.737389399    192.168.1.9 → 54.204.39.132 TCP 66 59574 → 443 [ACK] Seq=815 Ack=76240 Win=69888 Len=0 TSval=792384745 TSecr=1306770066
5. The encrypted handshake
Most websites today are accessed over HTTPS rather than HTTP. That ensures the data passing between the two nodes is encrypted while it crosses the Internet. To set up that encryption, a TLS handshake takes place on top of the freshly established TCP connection; like the TCP handshake, it is a fixed exchange of messages that has to finish before any real data flows.
Run wget again, but this time capture the first 11 packets:
[gaurav@testbox ~]$ wget https://www.opensource.com
--2019-11-02 21:15:21--  https://www.opensource.com/
Resolving www.opensource.com (www.opensource.com)... 54.204.39.132
Connecting to www.opensource.com (www.opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://opensource.com/ [following]
--2019-11-02 21:15:23--  http://opensource.com/
Resolving opensource.com (opensource.com)... 54.204.39.132
Connecting to opensource.com (opensource.com)|54.204.39.132|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://opensource.com/ [following]
--2019-11-02 21:15:28--  https://opensource.com/
Connecting to opensource.com (opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71561 (70K) [text/html]
Saving to: 'index.html'

index.html          100%[===========================================>]  69.88K   114KB/s    in 0.6s

2019-11-02 21:15:31 (114 KB/s) - 'index.html' saved [71561/71561]

[gaurav@testbox ~]$
The TCP handshake finishes with the first three packets, and packets 4 to 9 are labelled TLSv1/TLSv1.2: they carry the TLS handshake that negotiates the keys and establishes the encrypted session between the two hosts, after which packets 10 and 11 are encrypted Application Data. Two things are worth noticing. First, the handshake itself is not encrypted, which is why TShark can name every message: the Client Hello (packet 4) carries in cleartext the host name the client wants (the SNI extension) and the cipher suites it offers, and in TLS 1.2 the server's certificate (packet 6) travels in the clear as well; only TLS 1.3 encrypts it. Anyone on the path can therefore see which site you connect to even though they cannot read the page. Second, packet 4 shows as TLSv1 because the Client Hello is sent in a record whose version field is 0x0301 for compatibility with old servers; the version actually negotiated, 1.2, appears from the Server Hello onward:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 11 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 0.000000000    192.168.1.9 → 54.204.39.132 TCP 74 58800 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=790462858 TSecr=0 WS=128
    2 0.305006506  54.204.39.132 → 192.168.1.9   TCP 74 443 → 58800 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=1306289652 TSecr=790462858 WS=512
    3 0.305135180    192.168.1.9 → 54.204.39.132 TCP 66 58800 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=790463163 TSecr=1306289652
    4 0.308282152    192.168.1.9 → 54.204.39.132 TLSv1 583 Client Hello
    5 0.613210220  54.204.39.132 → 192.168.1.9   TCP 66 443 → 58800 [ACK] Seq=1 Ack=518 Win=28160 Len=0 TSval=1306289729 TSecr=790463166
    6 0.613298883  54.204.39.132 → 192.168.1.9   TLSv1.2 3139 Server Hello, Certificate, Server Key Exchange, Server Hello Done
    7 0.613356054    192.168.1.9 → 54.204.39.132 TCP 66 58800 → 443 [ACK] Seq=518 Ack=3074 Win=61184 Len=0 TSval=790463472 TSecr=1306289729
    8 0.617318607    192.168.1.9 → 54.204.39.132 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    9 0.919718195  54.204.39.132 → 192.168.1.9   TLSv1.2 324 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
   10 0.940858609    192.168.1.9 → 54.204.39.132 TLSv1.2 240 Application Data
   11 1.228530079  54.204.39.132 → 192.168.1.9   TLSv1.2 754 Application Data
11 packets captured
[gaurav@testbox ~]$
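The Client Hello that opens the TLS handshake (packet 4 above) is the part of an HTTPS connection that any observer on the path can read. The following is an added example, not code from the article, from Wireshark or from any TLS library: it builds a TLS 1.2 Client Hello from the RFC 5246 record and handshake layouts with a server_name (SNI, RFC 6066) extension, then dissects it the way a passive observer would, recovering the requested host name and the offered cipher suites. The host name, the 32 random bytes and the short cipher list are made-up demonstration values, not fields taken from the capture above.

```python
"""Build and dissect a TLS 1.2 Client Hello, the first (cleartext) message
of the TLS handshake seen as packet 4 in the capture above.

Added example for this article; not code from the article, from Wireshark or
from any TLS library.  Layouts follow RFC 5246 (record and handshake headers,
ClientHello body) and RFC 6066 (server_name extension).  The host name, the
32 random bytes and the short cipher list are made-up demonstration values.
"""
from __future__ import annotations

import os
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0

# A few IANA cipher suite codes, only so the dissector can print names.
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(server_name: str, ciphers: list[int],
                       client_random: bytes | None = None) -> bytes:
    """Return one TLS record carrying a ClientHello for server_name."""
    client_random = client_random or os.urandom(32)
    host = server_name.encode("ascii")
    # server_name extension: a ServerNameList with one entry of type 0 (host_name)
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + client_random                      # client_version 1.2, random
        + b"\x00"                                        # empty session_id
        + struct.pack("!H", 2 * len(ciphers))
        + b"".join(struct.pack("!H", c) for c in ciphers)
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type 22, version 0x0301 (what many clients put in the
    # first record for compatibility, hence TShark's "TLSv1" label), length.
    return bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Dissect a ClientHello record and return what a passive observer sees."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {ctype})")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 0
    client_ver = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    rnd = body[off:off + 32]; off += 32
    off += 1 + body[off]                                 # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    ciphers = list(struct.unpack(f"!{cs_len // 2}H", body[off:off + cs_len])); off += cs_len
    off += 1 + body[off]                                 # skip compression methods
    sni = None
    if off + 2 <= len(body):                             # extensions are optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            edata = body[off:off + elen]; off += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {
        "record_version": rec_ver, "client_version": client_ver, "random": rnd,
        "sni": sni, "ciphers": ciphers,
        "cipher_names": [CIPHER_NAMES.get(c, f"0x{c:04x}") for c in ciphers],
    }


if __name__ == "__main__":
    hello = build_client_hello("www.opensource.com", [0xC02F, 0xC030, 0x000A])
    seen = parse_client_hello(hello)
    print(f"record {len(hello)} bytes, record version {seen['record_version']:#06x}, "
          f"client version {seen['client_version']:#06x}")
    print("SNI visible on the wire:", seen["sni"])
    print("offered cipher suites:", ", ".join(seen["cipher_names"]))
```

Nothing in this parser needs a key: everything it extracts is readable by whoever can see packet 4, which is exactly why network monitoring products (and censors) key on the SNI, and why Encrypted Client Hello is being standardized to close that gap.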
Since HTTPS uses port 443 by default, you can add the port to the capture filter and capture only the traffic to or from that port on the server:
sudo tshark -i wlp61s0 host 54.204.39.132 and port 443
When you analyze packets offline to reconstruct past events (for debugging, say), timestamps are essential. Adding -t ad to the TShark command prints the absolute date and time of each packet instead of the seconds since the first one. The -n in the command below turns off name resolution, so addresses are printed exactly as captured rather than looked up, which for a capture also avoids generating DNS traffic of its own:
[gaurav@testbox ~]$ sudo tshark -n -i wlp61s0 -t ad
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
    1 2019-11-02 21:43:58.344158174 25:c9:8e:3f:38:3a → 48:89:e7:a0:33:db ARP 42 Who has 192.168.1.9? Tell 192.168.1.1
    2 2019-11-02 21:43:58.344194844 48:89:e7:a0:33:db → 25:c9:8e:3f:38:3a ARP 42 192.168.1.9 is at 48:89:e7:a0:33:db
    3 2019-11-02 21:44:00.223393961    192.168.1.9 → 1.1.1.1       DNS 79 Standard query 0x00fb A cups.pnq.redhat.com
    4 2019-11-02 21:44:00.223460961    192.168.1.9 → 1.1.1.1       DNS 79 Standard query 0x1814 AAAA cups.pnq.redhat.com
    5 2019-11-02 21:44:00.266325914        1.1.1.1 → 192.168.1.9   DNS 143 Standard query response 0x00fb A cups.pnq.redhat.com SOA a1-68.akam.net
    6 2019-11-02 21:44:00.269102767        1.1.1.1 → 192.168.1.9   DNS 143 Standard query response 0x1814 AAAA cups.pnq.redhat.com SOA a1-68.akam.net
^C6 packets captured
[gaurav@testbox ~]$
6. View the whole packet
So far you have seen several examples of packets and how to interpret them, but never a whole packet. Here is how to dump an entire packet, using the ping and nslookup utilities:
[gaurav@testbox ~]$ ping -c 1 54.204.39.132
PING 54.204.39.132 (54.204.39.132) 56(84) bytes of data.
64 bytes from 54.204.39.132: icmp_seq=1 ttl=43 time=357 ms

--- 54.204.39.132 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 356.961/356.961/356.961/0.000 ms
[gaurav@testbox ~]$
In another window, run the following command and then the ping command above. Note the added -V flag, which dumps the whole decoded packet to the screen. The output is divided into sections, starting with the frame, then Ethernet, then the Internet Protocol, and so on; for every layer TShark shows each header field decoded, with a bit-level view (such as .... 0101 = Header Length) for fields packed into part of a byte.
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 1 -V host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
    Interface id: 0 (wlp61s0)
        Interface name: wlp61s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  2, 2019 21:17:55.556150846 IST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1572709675.556150846 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 98 bytes (784 bits)
    Capture Length: 98 bytes (784 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:icmp:data]
Ethernet II, Src: IntelCor_a0:33:db (48:89:e7:a0:33:db), Dst: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
    Destination: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        Address: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        Address: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.9, Dst: 54.204.39.132
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 84
    Identification: 0x8f68 (36712)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: ICMP (1)
    Header checksum: 0x8b3f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.1.9
    Destination: 54.204.39.132
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xcfc5 [correct]
    [Checksum Status: Good]
    Identifier (BE): 7399 (0x1ce7)
    Identifier (LE): 59164 (0xe71c)
    Sequence number (BE): 1 (0x0001)
    Sequence number (LE): 256 (0x0100)
    Timestamp from icmp data: Nov  2, 2019 21:17:55.000000000 IST
    [Timestamp from icmp data (relative): 0.556150846 seconds]
    Data (48 bytes)

0000  5b 7c 08 00 00 00 00 00 10 11 12 13 14 15 16 17   [|..............
0010  18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27   ........ !"#$%&'
0020  28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37   ()*+,-./01234567
        Data: 5b7c080000000000101112131415161718191a1b1c1d1e1f...
        [Length: 48]

1 packet captured
[gaurav@testbox ~]$
Similarly, run the following nslookup command while dumping the whole packet with TShark on the side:
[gaurav@testbox ~]$ nslookup opensource.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   opensource.com
Address: 54.204.39.132

[gaurav@testbox ~]$
This is what a packet looks like during a DNS lookup. Note that it is carried over UDP, and that the UDP length 54 is the 8-byte UDP header plus a 46-byte DNS message. Note also that with -c 1 you get whatever packet matches the filter first: the packet captured here is not the nslookup query for opensource.com but a query for clock01.util.phx2.redhat.com that another program on the laptop sent to 1.1.1.1 a moment earlier. When you need a specific exchange, capture more packets and narrow them with a display filter, for example -Y 'dns.qry.name == "opensource.com"', instead of relying on the count:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 1 -V host 1.1.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
Frame 1: 88 bytes on wire (704 bits), 88 bytes captured (704 bits) on interface 0
    Interface id: 0 (wlp61s0)
        Interface name: wlp61s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  2, 2019 21:19:32.161216715 IST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1572709772.161216715 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 88 bytes (704 bits)
    Capture Length: 88 bytes (704 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
Ethernet II, Src: IntelCor_a0:33:db (48:89:e7:a0:33:db), Dst: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
    Destination: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        Address: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        Address: IntelCor_a0:33:db (48:89:e7:a0:33:db)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.9, Dst: 1.1.1.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 74
    Identification: 0x907d (36989)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xe672 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.1.9
    Destination: 1.1.1.1
User Datagram Protocol, Src Port: 60656, Dst Port: 53
    Source Port: 60656
    Destination Port: 53
    Length: 54
    Checksum: 0x2fd2 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
Domain Name System (query)
    Transaction ID: 0x303c
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        clock01.util.phx2.redhat.com: type A, class IN
            Name: clock01.util.phx2.redhat.com
            [Name Length: 28]
            [Label Count: 5]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

1 packet captured
[gaurav@testbox ~]$
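The query/response pair captured earlier in this article (transaction ID 0xcda0, A opensource.com, answer 54.204.39.132) and the query decoded field by field in the -V dump just above share one wire format. The following is an added example, not code from the article or from Wireshark: it builds a DNS query with the same header and question as the dump (transaction ID 0x303c, flags 0x0100, one question for clock01.util.phx2.redhat.com, type A, class IN, 46 bytes, which is the UDP length 54 minus the 8-byte UDP header), parses messages including the name-compression pointers that responses use, and checks a response against its query the way a resolver must: the transaction ID alone is not enough, the question must match too, and in practice the UDP source port as well, because a forged answer only has to guess a 16-bit ID. The response it parses is constructed for the example, not captured.

```python
"""Build and parse DNS messages in the wire format TShark decodes above.

Added example for this article; not code from the article or from Wireshark.
Layouts follow RFC 1035: 12-byte header, length-prefixed labels, and the
0xC0xx compression pointers that responses use.  The response parsed below
is constructed for the example, not captured; the query reproduces the
header and question shown in the -V dump above.
"""
from __future__ import annotations

import struct

TYPE_A, CLASS_IN = 1, 1
FLAGS_QUERY_RD = 0x0100          # QR=0, opcode 0, RD=1: "Standard query"
FLAGS_RESPONSE_RD_RA = 0x8180    # QR=1, RD=1, RA=1: "Standard query response"


def encode_name(name: str) -> bytes:
    """opensource.com -> 10 'opensource' 3 'com' 0 (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY_RD, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                            # the name ends after the pointer
            jumped, hops = True, hops + 1
            if hops > 16:                                # hostile data: pointer loop
                raise ValueError("too many compression pointers")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "txid": txid, "is_response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
        "questions": questions, "answers": answers,
    }


def build_answer(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed response to a build_query() message: same ID, the question
    echoed back, one A record whose name is a pointer (0xC00C) to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_RD_RA, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + bytes(int(x) for x in addr.split("."))
    return header + question + rr


def matches_query(query: bytes, response: bytes) -> bool:
    """What a resolver must check before trusting an answer: it is a response,
    the transaction ID matches, and the question section is the one we sent.
    (A forged answer only has to guess the 16-bit ID; the source-port check
    that also applies is outside a parser's view.)"""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["txid"] == r["txid"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    q = build_query(0x303C, "clock01.util.phx2.redhat.com")
    print(len(q), "byte query:", parse_message(q))
    q2 = build_query(0xCDA0, "opensource.com")
    r = build_answer(q2, "54.204.39.132")
    print("response:", parse_message(r))
    print("accepted:", matches_query(q2, r))
```

The pointer-hop limit in decode_name is there for the same reason TShark runs dissectors with care: a response is untrusted input, and a compression pointer that points at itself would otherwise loop a naive parser forever.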
Once you are comfortable with these basics of packet capture and analysis, you can put TShark's capture and display filters to work on more advanced use cases. Refer to the online documentation for more on those filters.

Title: Analyzing network packets with Wireshark and TShark on Linux