Lab environment:
Host: 192.168.122.1
Virtual machine: 192.168.122.15
tcpdump -h
# Show the available command-line options
tcpdump version 4.1-PRE-CVS_2012_02_01
libpcap version 1.0.0
Usage: tcpdump [-aAdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -M secret ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
[ -y datalinktype ] [ -z command ] [ -Z user ]
[ expression ]
tcpdump -D
# List the interfaces currently available for capture
1.eth0
2.usbmon1 (USB bus number 1)
3.any (Pseudo-device that captures on all interfaces)
4.lo
tcpdump -i virbr0 host 192.168.122.15
# Capture on the virbr0 virtual bridge interface, keeping only packets to or from 192.168.122.15
# Run ping 192.168.122.1 on 192.168.122.15 and the packets show up in the output below
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:06:12.814214 IP instructor.example.com.47822 > bogon.ssh: Flags [P.], seq 667390582:667390630, ack 2212608986, win 396, options [nop,nop,TS val 5874253 ecr 4241995], length 48
10:06:12.816535 IP bogon.ssh >instructor.example.com.47822: Flags [P.], seq 1:49, ack 48, win 407, options [nop,nop,TS val 4247409 ecr 5874253], length 48
10:06:12.816577 IP instructor.example.com.47822 > bogon.ssh: Flags [.], ack 49, win 396, options [nop,nop,TS val 5874255 ecr 4247409], length 0
…
Note that in the output above the IP addresses have been replaced by host names. To keep tcpdump from resolving IPs via DNS, use
tcpdump -n -nn -i virbr0 host 192.168.122.15
# -n: do not convert addresses to host names; -nn: additionally do not convert port numbers to service names
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:07:02.234243 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [P.], seq 667390630:667390678, ack 2212609498, win 421, options [nop,nop,TS val 5923673 ecr 4248411], length 48
10:07:02.236534 IP 192.168.122.15.22 > 192.168.122.1.47822: Flags [P.], seq 1:65, ack 48, win 407, options [nop,nop,TS val 4296829 ecr 5923673], length 64
10:07:02.236584 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [.], ack 65, win 421, options [nop,nop,TS val 5923675 ecr 4296829], length 0
10:07:02.461253 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [P.], seq 48:96, ack 65, win 421, options [nop,nop,TS val 5923900 ecr 4296829], length 48
10:07:02.463533 IP 192.168.122.15.22 > 192.168.122.1.47822: Flags [P.], seq 65:129, ack 96, win 407, options [nop,nop,TS val 4297056 ecr 5923900], length 64
10:07:02.463581 IP 192.168.122.1.47822 > 192.168.122.15.22: Flags [.], ack 129, win 421, options [nop,nop,TS val 5923902 ecr 4297056], length 0
tcpdump -n -nn -i virbr0 not tcp port 22
# Capture on the local virtual bridge interface, excluding TCP port 22 traffic. Below is the result after 192.168.122.15 pings
# 192.168.122.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:37:14.263530 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5126, seq 1, length 64
12:37:14.263571 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5126, seq 1, length 64
12:37:15.263538 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5126, seq 2, length 64
12:37:15.263587 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5126, seq 2, length 64
tcpdump -n -nn -i virbr0 host 192.168.122.15 and not tcp port 22
# Capture the traffic between 192.168.122.15 and virbr0, excluding TCP port 22; the two conditions must be joined with "and".
# Below is the result after 192.168.122.15 pings 192.168.122.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:44:33.900685 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5894, seq 1, length 64
12:44:33.900733 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5894, seq 1, length 64
12:44:34.900555 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5894, seq 2, length 64
12:44:34.900612 IP 192.168.122.1 > 192.168.122.15: ICMP echo reply, id 5894, seq 2, length 64
tcpdump -n -nn -i virbr0 " tcp and (host 192.168.122.15 and not host 192.168.122.1 )"
# Capture 192.168.122.15's TCP packets, excluding anything involving 192.168.122.1.
# When 192.168.122.1 telnets to port 21 on 192.168.122.15 nothing is shown; only when another machine,
# 192.168.122.139, telnets to port 21 on 192.168.122.15 does the output below appear.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
# The TCP three-way handshake
13:03:11.384187 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [S], seq 1611535590, win 14600, options [mss 1460,sackOK,TS val 14805925 ecr 0,nop,wscale 6], length 0
13:03:11.384357 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [S.], seq 3128557920, ack 1611535591, win 14480, options [mss 1460,sackOK,TS val 14865976 ecr 14805925,nop,wscale 6], length 0
13:03:11.384488 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [.], ack 1, win 229, options [nop,nop,TS val 14805926 ecr 14865976], length 0
13:03:11.386606 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [P.], seq 1:21, ack 1, win 227, options [nop,nop,TS val 14865979 ecr 14805926], length 20
13:03:11.386734 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [.], ack 21, win 229, options [nop,nop,TS val 14805928 ecr 14865979], length 0
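To make the handshake in the capture above machine-checkable, here is an added example (not part of the original notes) that parses tcpdump's -nn TCP summary lines and reports every completed SYN / SYN-ACK / ACK exchange; it assumes the numeric output format shown on this page, so lines printed with host names (no -nn) are ignored rather than mis-parsed.

```python
import re

# Matches the numeric (-nn) TCP summary lines tcpdump prints, e.g.
# "13:03:11.384187 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [S], seq ..., length 0"
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$"
)

def parse_tcp_line(line):
    """Return the fields of one TCP summary line as a dict, or None for anything else (e.g. ICMP)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "length"):
        fields[key] = int(fields[key])
    return fields

def find_handshakes(lines):
    """Return (client_ip, server_ip, server_port) for every completed SYN / SYN-ACK / ACK exchange."""
    pending = {}   # (client_ip, client_port, server_ip, server_port) -> last stage seen
    completed = []
    for line in lines:
        p = parse_tcp_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # key as seen from the sender of this line
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # same connection, other direction
        if p["flags"] == "S":                                     # client -> server: SYN
            pending[fwd] = "syn"
        elif p["flags"] == "S." and pending.get(rev) == "syn":    # server -> client: SYN-ACK
            pending[rev] = "syn-ack"
        elif p["flags"] == "." and pending.get(fwd) == "syn-ack": # client -> server: final ACK
            completed.append((fwd[0], fwd[2], fwd[3]))
            del pending[fwd]
    return completed

# Sample input: the five lines of the port-21 capture above plus one ICMP line from the ping capture.
SAMPLE = """\
13:03:11.384187 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [S], seq 1611535590, win 14600, options [mss 1460,sackOK,TS val 14805925 ecr 0,nop,wscale 6], length 0
13:03:11.384357 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [S.], seq 3128557920, ack 1611535591, win 14480, options [mss 1460,sackOK,TS val 14865976 ecr 14805925,nop,wscale 6], length 0
13:03:11.384488 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [.], ack 1, win 229, options [nop,nop,TS val 14805926 ecr 14865976], length 0
13:03:11.386606 IP 192.168.122.15.21 > 192.168.122.139.37920: Flags [P.], seq 1:21, ack 1, win 227, options [nop,nop,TS val 14865979 ecr 14805926], length 20
13:03:11.386734 IP 192.168.122.139.37920 > 192.168.122.15.21: Flags [.], ack 21, win 229, options [nop,nop,TS val 14805928 ecr 14865979], length 0
12:44:33.900685 IP 192.168.122.15 > 192.168.122.1: ICMP echo request, id 5894, seq 1, length 64
""".splitlines()
```

Running find_handshakes(SAMPLE) yields [('192.168.122.139', '192.168.122.15', 21)]; the data segment and the ICMP line are skipped.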
How vsftpd works:
A client connects to port 21 on the server. When the client wants to download data, the server opens an arbitrary unused TCP port for the data connection. This avoids the queuing problem early TCP downloads had, when both the connection and the download used port 21.