Packet capture with tcpdump
2019-07-20
yanchenghust
tcpdump, as its name suggests, is the packet capture tool on Linux/Unix.
Determining the interface
A machine may have several network interfaces, so first decide which one to capture on.
tcpdump -D
Output:
1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.bridge0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.utun1 [Up, Running]
8.en2 [Up, Running]
9.lo0 [Up, Running, Loopback]
10.gif0
11.stf0
12.XHC0
13.XHC20
Alternatively, use ifconfig to list the interfaces.
ifconfig
Output:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
XHC0: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 38:f9:d3:5e:1c:57
inet6 fe80::f6:8677:e17:918b%en0 prefixlen 64 secured scopeid 0x6
inet 192.168.1.106 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
lo0 is normally the local loopback interface (and address). If you are talking to a service on this machine via localhost/127.0.0.1, that is the interface to capture on.
For services on other hosts, pick an interface that has an inet line, i.e. one with an IPv4 address. On my system that is en0.
Trying a capture
Now capture on the chosen interface. Note that tcpdump needs sudo (root) privileges.
sudo tcpdump -i en0
Output:
10:08:05.858305 IP (tos 0x0, ttl 64, id 45595, offset 0, flags [none], proto TCP (6), length 40)
localhost.54917 > 203.208.43.98.http: Flags [.], cksum 0x952a (correct), ack 4097259631, win 2048, length 0
10:08:05.859590 IP (tos 0x0, ttl 255, id 9880, offset 0, flags [none], proto UDP (17), length 72)
localhost.61311 > dialdns.bta.net.cn.domain: 54149+ PTR? 98.43.208.203.in-addr.arpa. (44)
10:08:05.862766 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 72)
dialdns.bta.net.cn.domain > localhost.61311: 54149 NXDomain 0/0/0 (44)
10:08:05.902532 IP (tos 0x0, ttl 64, id 55746, offset 0, flags [none], proto UDP (17), length 60)
localhost.64834 > 123.58.9.77.https: UDP, length 32
10:08:05.943473 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has localhost tell localhost, length 28
^C
497 packets captured
497 packets received by filter
0 packets dropped by kernel
That is a lot of packets, which makes it hard to find the ones we are interested in.
Filtering packets
A TCP connection is identified by its 4-tuple: src host, src port, dst host, dst port.
tcpdump lets you specify several such conditions and combine them logically (and/or/not).
sudo tcpdump -i lo0 src host localhost and dst host localhost and dst port 13
Output:
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
10:13:36.886627 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->3cb6)!)
localhost.55038 > localhost.daytime: Flags [S], cksum 0xfe34 (incorrect -> 0x2e11), seq 1671843223, win 65535, options [mss 16344,nop,wscale 6,nop,nop,TS val 527116560 ecr 0,sackOK,eol], length 0
10:13:36.886698 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
localhost.55038 > localhost.daytime: Flags [.], cksum 0xfe28 (incorrect -> 0xcd34), seq 1671843224, ack 3182869411, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
10:13:36.886748 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
localhost.55038 > localhost.daytime: Flags [.], cksum 0xfe28 (incorrect -> 0xcd1a), seq 0, ack 27, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
10:13:36.886755 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
localhost.55038 > localhost.daytime: Flags [.], cksum 0xfe28 (incorrect -> 0xcd19), seq 0, ack 28, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
10:13:36.887031 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->3cc2)!)
localhost.55038 > localhost.daytime: Flags [F.], cksum 0xfe28 (incorrect -> 0xcd18), seq 0, ack 28, win 6379, options [nop,nop,TS val 527116560 ecr 527116560], length 0
^C
5 packets captured
44 packets received by filter
0 packets dropped by kernel
Wireshark
tcpdump's output is easier to inspect in Wireshark.
First install Wireshark: https://www.wireshark.org/#download
Then save the tcpdump capture to a file with the -w option.
sudo tcpdump -i lo0 -v src host localhost and dst host localhost and dst port 13 -v -w tcpdump.out
Let's try to view the saved file.
more tcpdump.out
Output:
"tcpdump.out" may be a binary file. See it anyway?
The capture file is binary, so it is not readable this way.
Open the file in Wireshark instead.
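The file tcpdump -w writes is the pcap format that Wireshark reads: a 24-byte global header (starting with the magic bytes d4 c3 b2 a1), then one 16-byte record header per packet followed by the raw frame. On lo0 each frame starts with the 4-byte address-family word of the "link-type NULL (BSD loopback)" that tcpdump reported above. The following Python parser is an added example, not code from the original post: it decodes such a file down to the IPv4/TCP 4-tuple and applies the same src host / dst host / dst port filter logic as the capture command above. The sample capture it parses is constructed inline (one SYN from 127.0.0.1:55038 to port 13); the packet values are assumptions.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # stored as d4 c3 b2 a1 at the start of a little-endian pcap
DLT_NULL = 0              # "link-type NULL (BSD loopback)", what tcpdump reports for lo0
AF_INET = 2               # DLT_NULL frames begin with a 4-byte host-order address family

def build_sample_pcap() -> bytes:
    """Constructed sample: one TCP SYN 127.0.0.1:55038 -> 127.0.0.1:13 captured on lo0."""
    tcp = struct.pack("!HHIIBBHHH", 55038, 13, 1671843223, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    frame = struct.pack("<I", AF_INET) + ip + tcp          # DLT_NULL: AF word, then IPv4
    record = struct.pack("<IIII", 1563588816, 886627, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, DLT_NULL)
    return header + record

def decode_frame(frame: bytes, ts_sec: int, ts_usec: int) -> dict:
    """Extract the IPv4 addresses, protocol, TCP ports and TCP flags from one DLT_NULL frame."""
    ip = frame[4:]                                          # skip the address-family word
    ihl = (ip[0] & 0x0F) * 4                                # IPv4 header length in bytes
    info = {"ts": f"{ts_sec}.{ts_usec:06d}", "proto": ip[9],
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if info["proto"] == 6:                                  # TCP: ports at 0/2, flags at 13
        info["sport"], info["dport"] = struct.unpack_from("!HH", ip, ihl)
        info["flags"] = ip[ihl + 13]
    return info

def parse_pcap(data: bytes) -> list:
    """Walk the global header and per-packet records of a file written by tcpdump -w."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != DLT_NULL:
        raise ValueError("this example only decodes DLT_NULL (lo0) captures")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        packets.append(decode_frame(data[off + 16:off + 16 + incl], ts_sec, ts_usec))
        off += 16 + incl
    return packets

def matches(pkt: dict, src_host=None, dst_host=None, dst_port=None) -> bool:
    """Same logic as the tcpdump filter 'src host A and dst host B and dst port N'."""
    return ((src_host is None or pkt["src"] == src_host)
            and (dst_host is None or pkt["dst"] == dst_host)
            and (dst_port is None or pkt.get("dport") == dst_port))
```

To run it on a real file, pass open("tcpdump.out", "rb").read() to parse_pcap; captures from en0 use a different link type (Ethernet) and would need a 14-byte frame header instead of the 4-byte one handled here.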