tcpdump

Author: 酱油王0901 | Source: published 2020-03-28 22:24, read 0 times

    tcpdump is a commonly used network tool. It can filter on the network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you filter out the noise. A brief introduction follows.

    tcpdump

    -c count  Exit after receiving count packets.
    -e  Print the link-layer header on each dump line.
    -n  Don't convert host addresses to names (this avoids DNS lookups).
    -nn  Don't convert protocol and port numbers etc. to names either.
    --list-interfaces  List all network interfaces available on the system; can be abbreviated as -D.
    -i interface  Specify the interface to listen on.
    -d  Dump the compiled packet-matching code in a human readable form to standard output and stop.
    -r file  Read packets from the given file, usually one created with the -w option.
    -w file  Write the raw packets to the given file.
    -X  When parsing and printing, print each packet's data in hex and ASCII in addition to its headers (excluding the link-layer header).
    -XX  When parsing and printing, print each packet's data in hex and ASCII in addition to its headers, including the link-layer header.
    -S  Print absolute TCP sequence numbers rather than relative ones.

    (ENV) [root@ceph-2 ~]# tcpdump --list-interfaces
    1.docker0
    2.nflog (Linux netfilter log (NFLOG) interface)
    3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
    4.ens160
    5.ens192
    6.ens224
    7.any (Pseudo-device that captures on all interfaces)
    8.lo [Loopback]
    

    As mentioned earlier, ping uses the ICMP protocol with the ECHO Request and ECHO Reply message types, so we can observe it by capturing packets.

    A ping uses the ICMP protocol and the message type of ECHO Request and ECHO Reply.

    (ENV) [root@ceph-2 ~]# ping 1.1
    PING 1.1 (1.0.0.1) 56(84) bytes of data.
    64 bytes from 1.0.0.1: icmp_seq=2 ttl=49 time=197 ms
    64 bytes from 1.0.0.1: icmp_seq=3 ttl=49 time=198 ms
    64 bytes from 1.0.0.1: icmp_seq=6 ttl=49 time=197 ms
    64 bytes from 1.0.0.1: icmp_seq=7 ttl=49 time=197 ms
    64 bytes from 1.0.0.1: icmp_seq=8 ttl=49 time=197 ms
    ^C
    --- 1.1 ping statistics ---
    8 packets transmitted, 5 received, 37% packet loss, time 7008ms
    rtt min/avg/max/mdev = 197.250/197.511/198.132/0.323 ms
    
    (ENV) [root@ceph-2 ~]# tcpdump -i ens160 icmp and host 1.0.0.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
    13:57:05.425942 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 1, length 64
    13:57:06.427970 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 2, length 64
    13:57:06.625357 IP one.one.one.one > ceph-2: ICMP echo reply, id 5074, seq 2, length 64
    13:57:07.430765 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 3, length 64
    13:57:07.628860 IP one.one.one.one > ceph-2: ICMP echo reply, id 5074, seq 3, length 64
    13:57:08.431785 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 4, length 64
    13:57:09.431856 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 5, length 64
    13:57:10.431782 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 6, length 64
    13:57:10.629011 IP one.one.one.one > ceph-2: ICMP echo reply, id 5074, seq 6, length 64
    13:57:11.433061 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 7, length 64
    13:57:11.630278 IP one.one.one.one > ceph-2: ICMP echo reply, id 5074, seq 7, length 64
    13:57:12.434300 IP ceph-2 > one.one.one.one: ICMP echo request, id 5074, seq 8, length 64
    13:57:12.631722 IP one.one.one.one > ceph-2: ICMP echo reply, id 5074, seq 8, length 64
    

    In the output above we mainly care about the timings and the packet loss rate. Specifically,

    rtt = round trip time
    min = quickest time, 197.250 ms
    max = slowest time, 198.132 ms
    mdev = mean deviation, 0.323 ms
    

    We can also see the ttl (time to live): the packets crossed 49 routers before expiring. Three packets did not receive an echo reply.

    Traceroute

    traceroute is another command-line tool for diagnosing network traffic; it is mainly used to show the route to a destination host. On Linux it uses UDP by default, whereas Windows uses ICMP.

    (ENV) [root@ceph-2 ~]# traceroute 1.1
    traceroute to 1.1 (1.0.0.1), 30 hops max, 60 byte packets
     1  10.255.1.254 (10.255.1.254)  0.544 ms  0.680 ms  0.840 ms
     2  192.168.3.254 (192.168.3.254)  8.960 ms  9.663 ms  10.244 ms
     3  42.62.101.129 (42.62.101.129)  0.976 ms  0.809 ms  0.739 ms
     4  10.9.23.5 (10.9.23.5)  2.234 ms  2.826 ms  1.612 ms
     5  10.9.12.1 (10.9.12.1)  3.397 ms  3.204 ms 10.9.12.133 (10.9.12.133)  3.086 ms
     6  124.243.213.145 (124.243.213.145)  2.212 ms * *
     7  * * *
     8  * * *
     9  220.181.16.217 (220.181.16.217)  4.084 ms 220.181.0.97 (220.181.0.97)  2.188 ms 220.181.0.141 (220.181.0.141)  2.175 ms
    10  220.181.177.77 (220.181.177.77)  2.774 ms 220.181.16.17 (220.181.16.17)  5.338 ms 220.181.177.73 (220.181.177.73)  4.537 ms
    11  202.97.34.74 (202.97.34.74)  3.623 ms 202.97.34.158 (202.97.34.158)  3.640 ms 202.97.34.74 (202.97.34.74)  3.342 ms
    12  202.97.12.58 (202.97.12.58)  24.875 ms * 202.97.27.154 (202.97.27.154)  18.003 ms
    13  * 202.97.27.190 (202.97.27.190)  180.040 ms 202.97.41.50 (202.97.41.50)  175.026 ms
    14  * 202.97.50.26 (202.97.50.26)  225.889 ms  225.405 ms
    15  218.30.54.214 (218.30.54.214)  209.996 ms  210.792 ms *
    16  * one.one.one.one (1.0.0.1)  189.526 ms *
    
    (ENV) [root@ceph-2 ~]# tcpdump -i ens160 udp and host 1.0.0.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
    14:13:04.020953 IP ceph-2.53803 > one.one.one.one.traceroute: UDP, length 32
    14:13:04.020998 IP ceph-2.56375 > one.one.one.one.33435: UDP, length 32
    14:13:04.021027 IP ceph-2.50229 > one.one.one.one.33436: UDP, length 32
    ..........
    14:13:54.351055 IP ceph-2.60596 > one.one.one.one.33483: UDP, length 32
    
    • Specify the -I option to make traceroute use ICMP. Alternatively, -T makes it use TCP SYN probes.
    • To use ICMP with traceroute we must run as root and add the -I option
    • -T Use TCP SYN for probes
    (ENV) [root@ceph-2 ~]# traceroute -I 1.1
    
    (ENV) [root@ceph-2 ~]# tcpdump -v -i ens160 icmp and host 1.0.0.1
    tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
    14:23:31.239865 IP (tos 0x0, ttl 1, id 5162, offset 0, flags [none], proto ICMP (1), length 60)
        ceph-2 > one.one.one.one: ICMP echo request, id 9147, seq 1, length 40
    14:23:31.239905 IP (tos 0x0, ttl 1, id 5163, offset 0, flags [none], proto ICMP (1), length 60)
        ceph-2 > one.one.one.one: ICMP echo request, id 9147, seq 2, length 40
    .......
    14:23:41.720274 IP (tos 0x28, ttl 49, id 36814, offset 0, flags [none], proto ICMP (1), length 60)
        one.one.one.one > ceph-2: ICMP echo reply, id 9147, seq 47, length 40
    14:23:41.842224 IP (tos 0x28, ttl 49, id 36884, offset 0, flags [none], proto ICMP (1), length 60)
        one.one.one.one > ceph-2: ICMP echo reply, id 9147, seq 48, length 40
    

    In the output above, tos stands for Type of Service.

    • The -w option saves the captured packets to a file, and the -r option reads packets back from such a file for analysis. Part of the output is shown below:
    (ENV) [root@ceph-2 ~]# tcpdump -i ens160 -w /tmp/out.tcpdump icmp and host 1.0.0.1
    tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C51 packets captured
    67 packets received by filter
    0 packets dropped by kernel
    (ENV) [root@ceph-2 ~]# tcpdump -enr /tmp/out.tcpdump -vvv -X | less
    15:05:18.122759 00:50:56:b4:21:7f > f8:b1:56:8e:08:ed, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 1, id 30889, offset 0, flags [none], proto ICMP (1), length 60)
        10.255.101.74 > 1.0.0.1: ICMP echo request, id 31601, seq 1, length 40
            0x0000:  4500 003c 78a9 0000 0101 cfce 0aff 654a  E..<x.........eJ
            0x0010:  0100 0001 0800 0708 7b71 0001 4849 4a4b  ........{q..HIJK
            0x0020:  4c4d 4e4f 5051 5253 5455 5657 5859 5a5b  LMNOPQRSTUVWXYZ[
            0x0030:  5c5d 5e5f 6061 6263 6465 6667            \]^_`abcdefg
    15:05:18.122790 00:50:56:b4:21:7f > f8:b1:56:8e:08:ed, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 1, id 30890, offset 0, flags [none], proto ICMP (1), length 60)
        10.255.101.74 > 1.0.0.1: ICMP echo request, id 31601, seq 2, length 40
            0x0000:  4500 003c 78aa 0000 0101 cfcd 0aff 654a  E..<x.........eJ
            0x0010:  0100 0001 0800 0707 7b71 0002 4849 4a4b  ........{q..HIJK
            0x0020:  4c4d 4e4f 5051 5253 5455 5657 5859 5a5b  LMNOPQRSTUVWXYZ[
            0x0030:  5c5d 5e5f 6061 6263 6465 6667            \]^_`abcdefg
    
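The -X dump above prints the raw bytes next to the decoded line, and it is worth being able to read one by hand: the IP header's total length, id, ttl, protocol and addresses, and the ICMP id and sequence, are all visible in the hex and should match what tcpdump printed. The following POSIX shell script is an added example, not code from the original post; it takes a constructed copy of the first echo-request dump above, strips the offset and ASCII columns, and decodes the IPv4 and ICMP headers from the bytes (the ICMP offset is derived from the IHL field rather than assumed to be 20).

```shell
#!/bin/sh
# Added example, not from the original post: decode the IPv4 and ICMP headers
# from a tcpdump -X hex dump, to show how the bytes map onto the fields
# tcpdump prints on the line above them.

# Constructed copy of the first echo request dumped with -X in the post.
DUMP='0x0000:  4500 003c 78a9 0000 0101 cfce 0aff 654a  E..<x.........eJ
0x0010:  0100 0001 0800 0708 7b71 0001 4849 4a4b  ........{q..HIJK
0x0020:  4c4d 4e4f 5051 5253 5455 5657 5859 5a5b  LMNOPQRSTUVWXYZ[
0x0030:  5c5d 5e5f 6061 6263 6465 6667            \]^_`abcdefg'

# hex_bytes: drop the offset column and the ASCII column, return one hex string.
hex_bytes() {
    printf '%s\n' "$1" \
        | sed -E 's/^[[:space:]]*0x[0-9a-fA-F]+:[[:space:]]+//; s/  .*$//' \
        | tr -d ' \n'
}

# byte HEX N / word HEX N: the byte at offset N, or the big-endian 16-bit value at N.
byte() { echo "$(( 0x$(printf '%s' "$1" | cut -c "$((2 * $2 + 1))-$((2 * $2 + 2))") ))"; }
word() { echo "$(( $(byte "$1" "$2") * 256 + $(byte "$1" "$(($2 + 1))") ))"; }

# decode_ipv4_icmp: print the IPv4 header fields, then the ICMP header that
# follows it (the ICMP offset is taken from IHL, not assumed to be 20).
decode_ipv4_icmp() {
    h=$(hex_bytes "$1")
    b0=$(byte "$h" 0)
    version=$((b0 / 16)); ihl=$(((b0 % 16) * 4))      # IHL is in 32-bit words
    printf 'IPv%d ihl=%d tos=0x%x len=%d id=%d ttl=%d proto=%d %s > %s\n' \
        "$version" "$ihl" "$(byte "$h" 1)" "$(word "$h" 2)" "$(word "$h" 4)" \
        "$(byte "$h" 8)" "$(byte "$h" 9)" \
        "$(byte "$h" 12).$(byte "$h" 13).$(byte "$h" 14).$(byte "$h" 15)" \
        "$(byte "$h" 16).$(byte "$h" 17).$(byte "$h" 18).$(byte "$h" 19)"
    # ICMP: type(1) code(1) checksum(2) id(2) seq(2), right after the IP header
    printf 'ICMP type=%d code=%d id=%d seq=%d\n' \
        "$(byte "$h" "$ihl")" "$(byte "$h" $((ihl + 1)))" \
        "$(word "$h" $((ihl + 4)))" "$(word "$h" $((ihl + 6)))"
}

# Stand-alone run: should agree with the decoded line tcpdump printed
# (len 60, id 30889, ttl 1, 10.255.101.74 > 1.0.0.1, ICMP id 31601, seq 1).
decode_ipv4_icmp "$DUMP"
```

Paste any other -X dump into DUMP to decode it; for a reply packet the ICMP type comes out as 0, and a ttl of 1 on the requests is exactly what the traceroute -I run above produces. Only the IPv4 and ICMP header layouts are implemented here; a TCP segment would need its own decoder for the transport header.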
    • Capture all packets sent by host ceph-2 and addressed to host 1.0.0.1. This is specified with src host and dst host.
    (ENV) [root@ceph-2 ~]# ping 1.1
    PING 1.1 (1.0.0.1) 56(84) bytes of data.
    64 bytes from 1.0.0.1: icmp_seq=1 ttl=49 time=196 ms
    64 bytes from 1.0.0.1: icmp_seq=2 ttl=49 time=196 ms
    64 bytes from 1.0.0.1: icmp_seq=3 ttl=49 time=197 ms
    64 bytes from 1.0.0.1: icmp_seq=4 ttl=49 time=206 ms
    ^C
    --- 1.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3003ms
    rtt min/avg/max/mdev = 196.646/199.195/206.243/4.096 ms
    
    (ENV) [root@ceph-2 ~]# tcpdump -i ens160 src host ceph-2 and dst host 1.0.0.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:12:26.462842 IP ceph-2 > one.one.one.one: ICMP echo request, id 14618, seq 1, length 64
    22:12:27.463973 IP ceph-2 > one.one.one.one: ICMP echo request, id 14618, seq 2, length 64
    22:12:28.465739 IP ceph-2 > one.one.one.one: ICMP echo request, id 14618, seq 3, length 64
    22:12:29.466714 IP ceph-2 > one.one.one.one: ICMP echo request, id 14618, seq 4, length 64
    ^C
    4 packets captured
    17 packets received by filter
    0 packets dropped by kernel
    
    • The net qualifier monitors a given network. For example, the VRRP protocol used by keepalived implements a virtual router through an election among the nodes, and all of its protocol messages are sent as IP multicast packets (multicast address 224.0.0.18), so we can watch the multicast range with net, or filter on the vrrp protocol directly.
    tcpdump -nn -i any net 224.0.0.0/8 
    tcpdump -n -c 1024 -i <interface> vrrp
    
    • port <port> captures the packets of a given port, e.g. the ElasticSearch port 9200. portrange specifies a range of ports, and less or greater filter on packet size.
    (ENV) [root@ceph-2 ~]# tcpdump -nnSX port 9200 -i ens160  and src host ceph-2 and greater 512
    23:29:42.513347 IP 10.255.101.75.43060 > 10.255.101.74.9200: Flags [P.], seq 668822626:668830818, ack 1241488301, win 1424, options [nop,nop,TS val 205459928 ecr 205570933], length 8192
        0x0000:  4500 2034 14e2 4000 4006 254f 0aff 654b  E..4..@.@.%O..eK
        0x0010:  0aff 654a a834 23f0 27dd 6c62 49ff 9bad  ..eJ.4#.'.lbI...
        0x0020:  8018 0590 00ba 0000 0101 080a 0c3f 11d8  .............?..
        0x0030:  0c40 c375 3230 2d30 332d 3238 5432 333a  .@.u20-03-28T23:
        0x0040:  3239 3a34 342e 3136 3539 3134 3638 352b  29:44.165914685+
        0x0050:  3038 3a30 3022 7d5d 7d7d 0a7b 2275 7064  08:00"}]}}.{"upd
        0x0060:  6174 6522 3a7b 225f 696e 6465 7822 3a22  ate":{"_index":"
        0x0070:  7364 732d 626c 6f63 6b5f 766f 6c75 6d65  sds-block_volume
        0x0080:  222c 225f 7479 7065 223a 2262 6c6f 636b  ","_type":"block
        0x0090:  5f76 6f6c 756d 6522 2c22 5f69 6422 3a22  _volume","_id":"
        0x00a0:  3136 3122 7d7d 0a7b 2264 6f63 223a 7b22  161"}}.{"doc":{"
        0x00b0:  7361 6d70 6c65 7322 3a5b 7b22 7265 6164  samples":[{"read
        0x00c0:  5f69 6f70 7322 3a30 2c22 7265 6164 5f62  _iops":0,"read_b
        0x00d0:  616e 6477 6964 7468 5f6b 6279 7465 223a  andwidth_kbyte":
        0x00e0:  302c 2272 6561 645f 6c61 7465 6e63 795f  0,"read_latency_
        0x00f0:  7573 223a 302c 2277 7269 7465 5f69 6f70  us":0,"write_iop
        0x0100:  7322 3a30 2c22 7772 6974 655f 6261 6e64  s":0,"write_band
    

    From the packet above, the general form is src-ip.src-port > dest-ip.dest-port: Flags [P.], where the Flags can be:

    • [S] - SYN (Start Connection)
    • [.] - No Flag Set
    • [P] - PSH (Push Data)
    • [F] - FIN (Finish Connection)
    • [R] - RST (Reset Connection)
    • [S.] this is used to indicate a SYN-ACK packet.
    • To filter the packets we want more precisely, we can combine primitives, as the earlier examples already did. There are three kinds of combinations:
      1. AND  (and / &&)
      2. OR  (or / ||)
      3. EXCEPT  (not / !)

    Show packets from the 192.168.x.x network destined for the 10.x or 172.16.x.x networks, printing them in hex.

    tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
    

    Note that when building more complex queries we should wrap the expression in single quotes; they tell tcpdump to ignore certain special characters, such as the parentheses in the example below. The parentheses are also how you control precedence, since and binds more tightly than or.

    Keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters—in this case below the “( )” brackets. This same technique can be used to group using other expressions such as host, port, net, etc.

    tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
    

    tcpdump filter expressions can be roughly divided into three categories:

    • Types:
      • host, net, and port.
    • Directions:
      • src and dst.
    • Protocols:
      • tcp, udp, icmp, arp, vrrp and many more.

    Article link: https://www.haomeiwen.com/subject/lhjeuhtx.html