
Tcpdump usage and troubleshooting case studies

Published: 2014-06-14 21:31:43  Source: 红联  Posted by: velcbo
tcpdump is the standard packet-capture tool on Unix and Linux systems; on Windows the same job is usually done with Wireshark (which also runs on Linux and reads tcpdump's capture files). tcpdump records the packets passing an interface. Older releases keep only the first 96 bytes of each packet by default (the case 2 capture below reports "capture size 96 bytes"), which is enough for the headers but truncates payloads, so pass -s 0 whenever the payload matters. Filters can select by layer, protocol, host, network or port, and can be combined with and, or and not to discard irrelevant traffic. A capture written to a file can be opened in Wireshark or processed by your own code (the author mentions Java) for further filtering and statistics. The command needs root privileges (or the equivalent capabilities) and by default puts the interface into promiscuous mode; -p disables that.

1. Common tcpdump commands

Capture on a specific interface:

tcpdump -i bond0

Show only packets to or from host 192.168.0.1:

tcpdump host 192.168.0.1

Filter by source address, destination address and port (here the FTP control port):

tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp

Show only UDP packets:

tcpdump udp

Print packet contents as ASCII (use -X for hex plus ASCII, and add -s 0 so the payload is not cut off at the default snapshot length):

tcpdump -A

Write the matching packets to a file (raw pcap, which can later be read with tcpdump -r or opened in Wireshark):

tcpdump -w /tmp/tcpdump.cap

Two options worth adding to almost every command: -nn prints addresses and ports numerically instead of resolving them (without it tcpdump maps port numbers through /etc/services, which is why 1433 appears as ms-sql-s and 1521 as ncube-lm in the captures below), and -v or -vv adds the TTL, IP ID and checksum details seen in the case 1 capture.

2. tcpdump case studies

tcpdump is not only for everyday network problems; it is just as useful for diagnosing database connectivity issues and for database tuning.

Case 1: a client (yytlc, 192.168.1.219) suddenly cannot reach a SQL Server database (192.168.15.14)

1. Capture on both ends. On the client (yytlc) tcpdump shows the same SYN (ISN 616881461) being retransmitted four times over about 21 seconds toward 192.168.15.14:1433 (ms-sql-s), with no SYN/ACK ever coming back:

10:51:21.102439 IP (tos 0x10, ttl 60, id 45670, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535
10:51:23.750271 IP (tos 0x10, ttl 60, id 45768, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535
10:51:29.943904 IP (tos 0x10, ttl 60, id 45971, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535
10:51:42.045897 IP (tos 0x10, ttl 60, id 46849, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535

Wireshark on the Windows SQL Server host shows that the SYN does arrive and that the server answers it with a SYN/ACK (Ack=1):

14309 23.459236000 192.168.1.219 192.168.15.14 TCP 60 50162 > ms-sql-s [SYN] Seq=0 Win=65535 Len=0 MSS=1460
14310 23.459330000 192.168.15.14 192.168.1.219 TCP 58 ms-sql-s > 50162 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460

So the request reaches the server and the server replies, but the reply never reaches the client.

2. Why does the reply never arrive? Trace the path from the Windows server back to the client:

C:\Users\Administrator>tracert 192.168.1.219

Tracing route to 192.168.1.219 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.15.30
  2    <1 ms    <1 ms    <1 ms  192.168.15.36
  3     1 ms     1 ms     1 ms  192.168.208.106
  4     1 ms     1 ms     1 ms  192.168.215.137
  5     1 ms     1 ms     1 ms  192.168.212.245
  6     1 ms    <1 ms    <1 ms  192.168.212.246
  7     1 ms     1 ms     1 ms  192.168.212.241
  8     1 ms     1 ms     1 ms  192.168.248.241
  9     1 ms     1 ms     1 ms  192.168.249.98
 10     2 ms     5 ms     1 ms  192.168.1.219

Trace complete.

From the server the client is reachable on this path, yet the client's own traceroute toward the server (next step) fails, so the two directions are not behaving the same way.

3. A traceroute from the Linux client toward the server does not get through. The database received the request and sent a reply, but the client never received it, so the return packets are being lost on the way back; that points at a routing problem.

yytlc:/#>traceroute 192.168.15.14

trying to get source for 192.168.15.14

source should be 192.168.1.219

traceroute to 192.168.15.14 (192.168.15.14) from 192.168.1.219 (192.168.1.219), 30 hops max

outgoing MTU = 1500

1 192.168.1.217 (192.168.1.217) 4ms 2 ms 6 ms
2 192.168.47.220 (192.168.47.220) 0ms 1 ms 6 ms
3 192.168.253.41 (192.168.253.41) 8ms 8 ms 8 ms
4 * * *
5 * * *
6 * * *

........

Capturing on the client while the traceroute runs shows the UDP probes leaving:

12:08:49.834285 IP yytlc.61860 > 192.168.15.14.33456: udp 1472
12:08:55.834091 IP yytlc.61860 > 192.168.15.14.33457: udp 1472
12:09:00.835624 IP yytlc.61860 > 192.168.15.14.33458: udp 1472

and Wireshark on the Windows side shows the same probes arriving:

11539 47.422984000 192.168.1.219 192.168.15.14 UDP 1514 Source port: 61860 Destination port: 33457

The probes reach the server, but neither the server's ICMP port-unreachable replies nor the time-exceeded messages from the routers beyond hop 3 make it back to the client, which is exactly what the "* * *" rows mean.

4. With help from the network team, the cause was traced to a wrong route on a Juniper router, which kept the return packets from being delivered. The general lesson: when the initiator sees only its own SYN retransmissions while the far end sees both the SYN and its SYN/ACK, the forward path works and the return path is broken; capturing on both ends at the same time is what makes that diagnosis certain.

Case 2: a sqlplus client cannot connect to an Oracle database; the connection fails with ORA-12537

Symptom: connection error

[oracle@localhost ~]$ sqlplus somczx/somc@SMPDB

SQL*Plus: Release 11.2.0.2.0 Production on Mon Nov 25 14:32:45 2013

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

ERROR:
ORA-12537: TNS:connection closed

(Passing the password on the command line, as here, exposes it to other users through the process list and the shell history; sqlplus prompts for it if only the user name is given.)

Capture on the client: the server's replies arrive, yet the connection is closed:

[root@localhost ~]# tcpdump -i eth0 host 192.168.3.220
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:48:07.048525 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: S 2870102332:2870102332(0) win 5840
16:48:07.048872 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: S 2343325666:2343325666(0) ack 2870102333 win 65535
16:48:07.048882 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: . ack 1 win 46
16:48:07.049044 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: P 1:225(224) ack 1 win 46
16:48:07.049145 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: . ack 225 win 8298
16:49:07.370802 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: F 1:1(0) ack 225 win 8298
16:49:07.370888 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: . ack 2 win 46
16:49:07.371014 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: F 225:225(0) ack 2 win 46
16:49:07.371121 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: . ack 226 win 8297

The three-way handshake to port 1521 (printed as ncube-lm because tcpdump resolved the port name) completes, the client sends its 224-byte TNS connect request, and the far end acknowledges it but never sends any data back; exactly 60 seconds later it closes the connection with a FIN. sqlplus reports that as ORA-12537.

Capture on the database server: only the client's connection requests arrive, and no reply is ever sent (note that this contradicts the client-side capture, which did see replies; the author never found out why):

16:53:57.176963 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 32986 ecr 0], length 0
16:54:00.185469 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 35986 ecr 0], length 0
16:54:03.396744 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 39186 ecr 0], length 0
16:54:06.618718 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:09.846067 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:13.073922 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:19.326237 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 936514366, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:31.603109 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 936514366, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:55.892606 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 802356553, win 65535, options [mss 1380,sackOK,eol], length 0

Two things the captures do show, whatever the explanation: they were taken at different times (16:48 on the client, 16:53 on the server), and the SYNs that reach the server carry a different initial sequence number, window (65535 instead of 5840) and MSS (1380) from the SYN the client itself sent. The server is therefore not seeing the client's own packets but SYNs generated by something on the path, which is consistent with a stateful device terminating the client's TCP connection and opening its own toward the database; that would let the client see a completed handshake while the database host sees only unanswered SYNs.

Initial diagnosis

Since the database server received the packets, port 1521 is open on the network firewall, so the problem lies on the database server itself. The server's listener.log also shows no connection request from this client. Those two facts narrow it down: the SYNs reach the NIC (tcpdump sees inbound packets before the netfilter INPUT chain processes them), yet neither a SYN/ACK from the kernel nor a listener log entry ever appears, so the packets are being dropped on the host before they reach the listener; a host firewall is the usual suspect.

Final diagnosis:

An iptables policy was active on the database server and was dropping the client's connections. After a rule allowing the database port through iptables was added, access worked again. Listing the INPUT chain together with its per-rule packet counters would have shown the drops directly.

Case 3: FTP stops working after Linux iptables is enabled

Symptom: the FTP control connection works, but no data can be transferred.

Capture taken while the transfer hangs; the data transfer uses the ftp-data port:

[root@stylog1 ~]# tcpdump -i bond0 host 192.168.9.37
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:48:10.171437 IP 192.168.9.37.55460 > 192.168.5.5.ftp: Flags [P.], seq 2473112340:2473112365, ack 2946208393, win 8064, length 25
10:48:10.171486 IP 192.168.5.5.ftp > 192.168.9.37.55460: Flags [.], ack 25, win 115, length 0

10:51:38.397111 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965825832 ecr 0,nop,wscale 7], length 0
10:51:54.397107 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965841832 ecr 0,nop,wscale 7], length 0

The control connection on port 21 is healthy (the client's 25-byte command is acknowledged at once), but this is active-mode FTP: the server itself opens the data connection from its port 20 (ftp-data) to the port the client announced (55516), and that SYN is never answered and gets retransmitted.

ftp-data is port 20, and no firewall rule had been opened for it. Opening port 20 fixes active mode only; the robust iptables configuration is a stateful one that accepts ESTABLISHED,RELATED traffic and loads the FTP connection-tracking helper (nf_conntrack_ftp), which marks both active- and passive-mode data connections as RELATED to the control connection. Without the helper, passive mode additionally needs the server's passive port range opened.

[root@stylog1 ~]# cat /etc/services |grep ftp-data
ftp-data 20/tcp
ftp-data 20/udp
ftp-data 20/sctp # FTP
kftp-data 6620/tcp # Kerberos V5 FTP Data
kftp-data 6620/udp # Kerberos V5 FTP Data
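The same pattern runs through all three cases: a SYN (in case 3, the server's own SYN for the data connection) is retransmitted and no SYN/ACK is ever seen at the capture point. The following Python script, added here as an example and not part of the original article, pulls that pattern out of tcpdump text output automatically. It parses both line styles that appear in the captures above (the older "S 616881461:616881461(0)" style and the "Flags [S], seq ..." style, with or without the -v IP header block), groups SYNs per connection attempt and reports which attempts never saw a SYN/ACK. The regular expressions and function names are this example's own; the sample lines are copied from this article's captures with their spacing normalised.

```python
"""Flag TCP connection attempts whose SYNs never got a SYN/ACK, from tcpdump text.

Added example, not code from the original article. Handles the pre-4.1 style
("S 616881461:616881461(0) win 65535" for a SYN, "S ... ack N" for a SYN/ACK)
and the current style ("Flags [S], seq ..." / "Flags [S.], seq ..., ack ..."),
with or without the -v header block "(tos 0x10, ttl 60, ...)" before the addresses.
"""
import re
from datetime import datetime

# Regexes are this example's own; tcpdump's text output is not a stable format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?:\([^)]*\) )?"
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
NEW_RE = re.compile(
    r"^Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)
OLD_RE = re.compile(
    r"^(?P<flags>[SFPRWE.]+) (?:\[tcp sum ok\]\s*)?"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s*)?(?:ack (?P<ack>\d+))?"
)

# Constructed sample: lines copied from the article's captures, spacing normalised.
SAMPLE = """\
10:51:21.102439 IP (tos 0x10, ttl 60, id 45670, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535
10:51:23.750271 IP (tos 0x10, ttl 60, id 45768, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535
10:51:29.943904 IP (tos 0x10, ttl 60, id 45971, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535
10:51:42.045897 IP (tos 0x10, ttl 60, id 46849, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535
16:48:07.048525 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: S 2870102332:2870102332(0) win 5840
16:48:07.048872 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: S 2343325666:2343325666(0) ack 2870102333 win 65535
16:48:07.048882 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: . ack 1 win 46
16:53:57.176963 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 32986 ecr 0], length 0
16:54:00.185469 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 35986 ecr 0], length 0
16:54:19.326237 IP 192.168.1.45.38405 > DSAPP2.ncube-lm: Flags [S], seq 936514366, win 65535, options [mss 1380,sackOK,eol], length 0
10:51:38.397111 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965825832 ecr 0,nop,wscale 7], length 0
10:51:54.397107 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965841832 ecr 0,nop,wscale 7], length 0
"""


def parse_line(line):
    """Return the TCP fields of one tcpdump line, or None if it is not TCP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    t = NEW_RE.match(rest) if rest.startswith("Flags [") else OLD_RE.match(rest)
    if not t:
        return None  # e.g. the "udp 1472" traceroute probes
    flags = t.group("flags")
    src_host, src_port = m.group("src").rsplit(".", 1)
    dst_host, dst_port = m.group("dst").rsplit(".", 1)
    return {
        "ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
        "src": (src_host, src_port), "dst": (dst_host, dst_port),
        "syn": "S" in flags,
        # old style prints an ACK as "ack N", new style as "." in the flag list
        "ack": t.group("ack") is not None or "." in flags,
        "seq": t.group("seq"),
    }


def _new_flow():
    return {"syn_count": 0, "isns": set(), "first": None, "last": None, "syn_ack": False}


def syn_report(lines):
    """Group SYNs by connection attempt (client, server) and note whether a
    SYN/ACK for that attempt was seen at the capture point."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None or not p["syn"]:
            continue
        if p["ack"]:  # SYN/ACK travels server -> client: key on the reversed tuple
            flows.setdefault((p["dst"], p["src"]), _new_flow())["syn_ack"] = True
            continue
        f = flows.setdefault((p["src"], p["dst"]), _new_flow())
        f["syn_count"] += 1
        f["isns"].add(p["seq"])
        f["first"] = f["first"] or p["ts"]
        f["last"] = p["ts"]
    report = []
    for (client, server), f in flows.items():
        span = (f["last"] - f["first"]).total_seconds() if f["first"] else 0.0
        report.append({"client": client, "server": server,
                       "syn_count": f["syn_count"], "distinct_isns": len(f["isns"]),
                       "span_s": span, "syn_ack": f["syn_ack"]})
    return report


def describe(entry):
    """One line per attempt. A constant ISN means the kernel is retransmitting
    one attempt; a changing ISN means the application keeps reconnecting."""
    c, s = entry["client"], entry["server"]
    verdict = "SYN/ACK seen" if entry["syn_ack"] else "NO SYN/ACK at capture point"
    return (f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}: {entry['syn_count']} SYN(s), "
            f"{entry['distinct_isns']} ISN(s) over {entry['span_s']:.1f}s: {verdict}")


if __name__ == "__main__":
    for e in syn_report(SAMPLE.splitlines()):
        print(describe(e))
```

Read the verdicts together with where the capture was taken: on the initiator, "no SYN/ACK" means the reply was dropped on the way back (case 1) or the peer never answered (case 3); on the responder it means the host saw the SYN but never replied, which points at the host itself, as in case 2. The script is meant for text saved from tcpdump; for a pcap written with -w, read it back with tcpdump -r and pipe the output in.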

×÷Õߣºhijk139