Observing TCP connections with tcpdump

Capturing packets with tcpdump

tcpdump -n -S -i eth0 host www.baidu.com and tcp port 80
curl www.baidu.com

Meaning of the flag bits

SYN: initiates a new connection (S in tcpdump's Flags field)
FIN: releases a connection (F)
ACK: the acknowledgment number is valid (.)

PSH: the receiver should hand this segment to the application layer as soon as possible (P)
RST: resets the connection (R)
URG: the urgent pointer is valid (U)

Three-way handshake

// local to remote SYN = 1 seq = x = 3685443592
10:50:53.579086 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [S], seq 3685443592, win 29200, options [mss 1460,sackOK,TS val 4294802472 ecr 0,nop,wscale 7], length 0
// remote to local SYN = 1 ACK = 1 ack =  x + 1 = 3685443593 seq = y = 2874118926
10:50:53.598024 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [S.], seq 2874118926, ack 3685443593, win 8192, options [mss 1440,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
// local to remote ACK = 1 ack = y + 1 = 2874118927
10:50:53.598111 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [.], ack 2874118927, win 229, length 0

Data transfer

// P => PSH; seq x:y: every byte carried by a TCP segment is numbered (sequence number), so x:y is the byte range of this segment
10:50:53.598539 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [P.], seq 3685443593:3685443670, ack 2874118927, win 229, length 77: HTTP: GET / HTTP/1.1
10:50:53.616478 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [.], ack 3685443670, win 908, length 0
10:50:53.618157 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [P.], seq 2874118927:2874120367, ack 3685443670, win 908, length 1440: HTTP: HTTP/1.1 200 OK
10:50:53.618178 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [.], ack 2874120367, win 251, length 0
10:50:53.618190 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [P.], seq 2874120367:2874121708, ack 3685443670, win 908, length 1341: HTTP
10:50:53.618200 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [.], ack 2874121708, win 274, length 0

Four-way close

// FIN = 1 seq = u = 3685443670
10:50:53.618746 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [F.], seq 3685443670, ack 2874121708, win 274, length 0
// there is still data to be delivered at this point (the server resends the last data range)
10:50:53.627500 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [P.], seq 2874120367:2874121708, ack 3685443670, win 908, length 1341: HTTP
10:50:53.627526 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [.], ack 2874121708, win 274, options [nop,nop,sack 1 {2874120367:2874121708}], length 0
// ACK = 1 ack = u + 1 = 3685443671 seq = v (not printed: tcpdump omits seq for a zero-length pure ACK; v = 2874121708, the seq the server's FIN below carries)
10:50:53.636762 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [.], ack 3685443671, win 908, length 0
// FIN = 1 ACK = 1 seq = w = 2874121708  ack = u + 1 = 3685443671
10:50:53.637481 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [F.], seq 2874121708, ack 3685443671, win 908, length 0
// ACK = 1 ack = w + 1 = 2874121709
10:50:53.637490 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [.], ack 2874121709, win 274, length 0

Three-way close (the server merges its FIN and ACK into one segment)

10:00:18.067032 IP 192.168.59.234.54840 > 36.249.74.218.http: Flags [F.], seq 3117045187, ack 512354441, win 237, length 0
10:00:18.080683 IP 36.249.74.218.http > 192.168.59.234.54840: Flags [F.], seq 512354441, ack 3117045188, win 58, length 0
10:00:18.080724 IP 192.168.59.234.54840 > 36.249.74.218.http: Flags [.], ack 512354442, win 237, length 0
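As an added example (not part of the original post), a small Python parser for these `tcpdump -n -S` lines that checks the handshake arithmetic (each ack equals the peer's seq + 1), tells the four-way close apart from the merged three-way variant, and flags the retransmitted byte range in the four-way capture. The regex and helper names are my own; the sample lines are copied from the captures above.

```python
import re

# Parser for "tcpdump -n -S" TCP lines; -S prints absolute seq/ack numbers, so the checks below work on the printed values.
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
                  r"(?:, seq (?P<seq>\d+)(?::(?P<end>\d+))?)?(?:, ack (?P<ack>\d+))?.*, length (?P<len>\d+)")

def parse(line):
    d = LINE.match(line).groupdict()
    for k in ("seq", "end", "ack", "len"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def check_handshake(lines):
    """True when SYN, SYN-ACK, ACK are consistent: each ack equals the peer's seq + 1."""
    syn, synack, ack = map(parse, lines)
    return (syn["flags"] == "S" and synack["flags"] == "S." and ack["flags"] == "."
            and synack["src"] == syn["dst"] and ack["src"] == syn["src"]
            and synack["ack"] == syn["seq"] + 1 and ack["ack"] == synack["seq"] + 1)

def analyze_close(lines):
    """Return (kind, retransmitted): 'four-way' when the peer ACKs the first FIN in its own segment before sending FIN, 'three-way' when its FIN already carries that ACK."""
    pkts, seen, retrans = [parse(l) for l in lines], set(), []
    for p in pkts:
        if p["len"] > 0:  # a data range seen twice from the same sender is a retransmission
            key = (p["src"], p["seq"], p["end"])
            if key in seen:
                retrans.append(key)
            seen.add(key)
    fin = next(p for p in pkts if "F" in p["flags"])  # first FIN; it consumes one seq number
    peer = [p for p in pkts if p["src"] == fin["dst"] and p["ack"] == fin["seq"] + 1]
    return ("three-way" if "F" in peer[0]["flags"] else "four-way"), retrans

# Sample input: lines copied from the captures on this page.
HANDSHAKE = [
    "10:50:53.579086 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [S], seq 3685443592, win 29200, options [mss 1460,sackOK,TS val 4294802472 ecr 0,nop,wscale 7], length 0",
    "10:50:53.598024 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [S.], seq 2874118926, ack 3685443593, win 8192, options [mss 1440,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0",
    "10:50:53.598111 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [.], ack 2874118927, win 229, length 0",
]
FOUR_WAY = [
    "10:50:53.618190 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [P.], seq 2874120367:2874121708, ack 3685443670, win 908, length 1341: HTTP",
    "10:50:53.618746 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [F.], seq 3685443670, ack 2874121708, win 274, length 0",
    "10:50:53.627500 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [P.], seq 2874120367:2874121708, ack 3685443670, win 908, length 1341: HTTP",
    "10:50:53.636762 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [.], ack 3685443671, win 908, length 0",
    "10:50:53.637481 IP 14.215.177.39.http > 172.30.150.2.49164: Flags [F.], seq 2874121708, ack 3685443671, win 908, length 0",
    "10:50:53.637490 IP 172.30.150.2.49164 > 14.215.177.39.http: Flags [.], ack 2874121709, win 274, length 0",
]
THREE_WAY = [
    "10:00:18.067032 IP 192.168.59.234.54840 > 36.249.74.218.http: Flags [F.], seq 3117045187, ack 512354441, win 237, length 0",
    "10:00:18.080683 IP 36.249.74.218.http > 192.168.59.234.54840: Flags [F.], seq 512354441, ack 3117045188, win 58, length 0",
    "10:00:18.080724 IP 192.168.59.234.54840 > 36.249.74.218.http: Flags [.], ack 512354442, win 237, length 0",
]
```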
Author

ZhongHuihong

Published on

2020-07-11

Updated on

2021-10-02