mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-02-03 23:40:14 +08:00
Merge pull request #10783 from jrglinux/master
[Translation complete] 20181010 An introduction to using tcpdump at the Linux command line.md
commit 592421e320
@ -1,44 +1,43 @@
[translation by jrg]

An introduction to using tcpdump at the Linux command line
Linux 命令行中使用 tcpdump 抓包
======

This flexible, powerful command-line tool helps ease the pain of troubleshooting network issues.
Tcpdump 是一款灵活、功能强大的抓包工具,能有效地帮助排查网络故障问题。

![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/terminal_command_linux_desktop_code.jpg?itok=p5sQ6ODE)

In my experience as a sysadmin, I have often found network connectivity issues challenging to troubleshoot. For those situations, tcpdump is a great ally.
根据我作为管理员的经验,在网络连接中经常遇到十分难以排查的故障问题。对于这类情况,tcpdump 便能派上用场。

Tcpdump is a command line utility that allows you to capture and analyze network traffic going through your system. It is often used to help troubleshoot network issues, as well as a security tool.
Tcpdump 是一个命令行实用工具,允许你抓取和分析经过系统的流量数据包。它通常被用作于网络故障分析工具以及安全工具。

A powerful and versatile tool that includes many options and filters, tcpdump can be used in a variety of cases. Since it's a command line tool, it is ideal to run in remote servers or devices for which a GUI is not available, to collect data that can be analyzed later. It can also be launched in the background or as a scheduled job using tools like cron.
Tcpdump 是一款强大的工具,支持多种选项和过滤规则,适用场景十分广泛。由于它是命令行工具,因此适用于在远程服务器或者没有图形界面的设备中收集数据包以便于事后分析。它可以在后台启动,也可以用 cron 等定时工具创建定时任务启用它。

In this article, we'll look at some of tcpdump's most common features.
本文中,我们将讨论 tcpdump 最常用的一些功能。

### 1\. Installation on Linux
### 1\. 在 Linux 中安装 tcpdump

Tcpdump is included with several Linux distributions, so chances are, you already have it installed. Check if tcpdump is installed on your system with the following command:
Tcpdump 支持多种 Linux 发行版,所以你的系统中很有可能已经安装了它。用下面的命令检查一下是否已经安装了 tcpdump:

```
$ which tcpdump
/usr/sbin/tcpdump
```

If tcpdump is not installed, you can install it but using your distribution's package manager. For example, on CentOS or Red Hat Enterprise Linux, like this:
如果还没有安装 tcpdump,你可以用软件包管理器安装它。
例如,在 CentOS 或者 Red Hat Enterprise 系统中,用如下命令安装 tcpdump:

```
$ sudo yum install -y tcpdump
```

Tcpdump requires `libpcap`, which is a library for network packet capture. If it's not installed, it will be automatically added as a dependency.
Tcpdump 依赖于 `libpcap`,该库文件用于捕获网络数据包。如果该库文件也没有安装,系统会根据依赖关系自动安装它。

You're ready to start capturing some packets.
现在你可以开始抓包了。

### 2\. Capturing packets with tcpdump
### 2\. 用 tcpdump 抓包

To capture packets for troubleshooting or analysis, tcpdump requires elevated permissions, so in the following examples most commands are prefixed with `sudo`.
使用 tcpdump 抓包,需要管理员权限,因此下面的示例中绝大多数命令都是以 `sudo` 开头。

To begin, use the command `tcpdump -D` to see which interfaces are available for capture:
首先,先用 `tcpdump -D` 命令列出可以抓包的网络接口:

```
$ sudo tcpdump -D
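Review bot: the translated line "Tcpdump 支持多种 Linux 发行版" changes the meaning of "Tcpdump is included with several Linux distributions": the source says the tool ships with many distributions, not that it supports them; wording such as "很多 Linux 发行版默认包含了 tcpdump" keeps the sense. Two smaller points in the same hunk: the paragraph "If tcpdump is not installed..." is a single line in the source but has been split into two lines ("如果还没有安装 tcpdump..." and "例如,在 CentOS..."), which shifts line numbers for the proofreader, and "Red Hat Enterprise 系统" drops "Linux" from the product name.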
@ -49,9 +48,9 @@ $ sudo tcpdump -D
5.lo [Loopback]
```

In the example above, you can see all the interfaces available in my machine. The special interface `any` allows capturing in any active interface.
如上所示,可以看到我的机器中所有可以抓包的网络接口。其中特殊接口 `any` 可用于抓取所有活动的网络接口的数据包。

Let's use it to start capturing some packets. Capture all packets in any interface by running this command:
我们就用如下命令先对 `any` 接口进行抓包:

```
$ sudo tcpdump -i any
@ -81,7 +80,7 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
$
```

Tcpdump continues to capture packets until it receives an interrupt signal. You can interrupt capturing by pressing `Ctrl+C`. As you can see in this example, `tcpdump` captured more than 9,000 packets. In this case, since I am connected to this server using `ssh`, tcpdump captured all these packages. To limit the number of packets captured and stop `tcpdump`, use the `-c` option:
Tcpdump 会持续抓包直到收到中断信号。你可以按 `Ctrl+C` 来停止抓包。正如上面示例所示,`tcpdump` 抓取了超过 9000 个数据包。在这个示例中,由于我是通过 `ssh` 连接到服务器,所以 tcpdump 也捕获了所有这类数据包。`-c` 选项可以用于限制 tcpdump 抓包的数量:

```
$ sudo tcpdump -i any -c 5
@ -98,9 +97,9 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
$
```

In this case, `tcpdump` stopped capturing automatically after capturing five packets. This is useful in different scenarios—for instance, if you're troubleshooting connectivity and capturing a few initial packages is enough. This is even more useful when we apply filters to capture specific packets (shown below).
如上所示,`tcpdump` 在抓取 5 个数据包后自动停止了抓包。这在有些场景中十分有用——比如你只需要抓取少量的数据包用于分析。当我们需要使用过滤规则抓取特定的数据包(如下所示)时,`-c` 的作用就十分突出了。

By default, tcpdump resolves IP addresses and ports into names, as shown in the previous example. When troubleshooting network issues, it is often easier to use the IP addresses and port numbers; disable name resolution by using the option `-n` and port resolution with `-nn`:
在上面示例中,tcpdump 默认是将 IP 地址和端口号解析为对应的接口名以及服务协议名称。而通常在网络故障排查中,使用 IP 地址和端口号更便于分析问题;用 `-n` 选项显示 IP 地址,`-nn` 选项显示端口号:

```
$ sudo tcpdump -i any -c5 -nn
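Review bot: "将 IP 地址和端口号解析为对应的接口名以及服务协议名称" mistranslates name resolution: tcpdump resolves IP addresses to host names (主机名), not to interface names (接口名). The flag description also loses the source's point that the options disable resolution: `-n` turns off host name lookup and `-nn` turns off host name and port/service name lookup, rather than "显示 IP 地址" / "显示端口号"; the next paragraph about avoiding DNS lookups depends on that reading.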
@ -116,57 +115,57 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
0 packets dropped by kernel
```

As shown above, the capture output now displays the IP addresses and port numbers. This also prevents tcpdump from issuing DNS lookups, which helps to lower network traffic while troubleshooting network issues.
如上所示,抓取的数据包中显示 IP 地址和端口号。这样还可以阻止 tcpdump 发出 DNS 查找,有助于在网络故障排查中减少数据流量。

Now that you're able to capture network packets, let's explore what this output means.
现在你已经会抓包了,让我们来分析一下这些抓包输出的含义吧。

### 3\. Understanding the output format
### 3\. 理解抓取的报文

Tcpdump is capable of capturing and decoding many different protocols, such as TCP, UDP, ICMP, and many more. While we can't cover all of them here, to help you get started, let's explore the TCP packet. You can find more details about the different protocol formats in tcpdump's [manual pages][1]. A typical TCP packet captured by tcpdump looks like this:
Tcpdump 能够抓取并解码多种协议类型的数据报文,如 TCP,UDP,ICMP 等等。虽然这里我们不可能介绍所有的数据报文类型,但可以分析下 TCP 类型的数据报文,来帮助你入门。更多有关 tcpdump 的详细介绍可以参考其 [帮助手册][1]。Tcpdump 抓取的 TCP 报文看起来如下:

```
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
```

The fields may vary depending on the type of packet being sent, but this is the general format.
具体的字段根据不同的报文类型会有不同,但上面这个例子是一般的格式形式。

The first field, `08:41:13.729687,` represents the timestamp of the received packet as per the local clock.
第一个字段 `08:41:13.729687` 是该数据报文被抓取的系统本地时间戳。

Next, `IP` represents the network layer protocol—in this case, `IPv4`. For `IPv6` packets, the value is `IP6`.
然后,`IP` 是网络层协议类型,这里是 `IPv4`,如果是 `IPv6` 协议,该字段值是 `IP6`。

The next field, `192.168.64.28.22`, is the source IP address and port. This is followed by the destination IP address and port, represented by `192.168.64.1.41916`.
`192.168.64.28.22` 是源 ip 地址和端口号,紧跟其后的是目的 ip 地址和其端口号,这里是 `192.168.64.1.41916`。

After the source and destination, you can find the TCP Flags `Flags [P.]`. Typical values for this field include:
在源 IP 和目的 IP 之后,可以看到是 TCP 报文标记段 `Flags [P.]`。该字段通常取值如下:

| Value | Flag Type | Description |
|-------| --------- | ----------------- |
| ----- | --------- | ----------------- |
| S | SYN | Connection Start |
| F | FIN | Connection Finish |
| P | PUSH | Data push |
| R | RST | Connection reset |
| . | ACK | Acknowledgment |

This field can also be a combination of these values, such as `[S.]` for a `SYN-ACK` packet.
该字段也可以是这些值的组合,例如 `[S.]` 代表 `SYN-ACK` 数据包。

Next is the sequence number of the data contained in the packet. For the first packet captured, this is an absolute number. Subsequent packets use a relative number to make it easier to follow. In this example, the sequence is `seq 196:568,` which means this packet contains bytes 196 to 568 of this flow.
接下来是该数据包中数据的序列号。对于抓取的第一个数据包,该字段值是一个绝对数字,后续包使用相对数值,以便更容易查询跟踪。例如此处 `seq 196:568` 代表该数据包包含该数据流的第 196 到 568 字节。

This is followed by the Ack Number: `ack 1`. In this case, it is 1 since this is the side sending data. For the side receiving data, this field represents the next expected byte (data) on this flow. For example, the Ack number for the next packet in this flow would be 568.
接下来是 ack 值:`ack 1`。该数据包是数据发送方,ack 值为1。在数据接收方,该字段代表数据流上的下一个预期字节数据,例如,该数据流中下一个数据包的 ack 值应该是 568。

The next field is the window size `win 309`, which represents the number of bytes available in the receiving buffer, followed by TCP options such as the MSS (Maximum Segment Size) or Window Scale. For details about TCP protocol options, consult [Transmission Control Protocol (TCP) Parameters][2].
接下来字段是接收窗口大小 `win 309`,它表示接收缓冲区中可用的字节数,后跟 TCP 选项如 MSS(最大段大小)或者窗口比例值。更详尽的 TCP 协议内容请参考 [Transmission Control Protocol(TCP) Parameters][2]。

Finally, we have the packet length, `length 372`, which represents the length, in bytes, of the payload data. The length is the difference between the last and first bytes in the sequence number.
最后,`length 372`代表数据包有效载荷字节长度。这个长度和 seq 序列号中字节数值长度是不一样的。

Now let's learn how to filter packages to narrow down results and make it easier to troubleshoot specific issues.
现在让我们学习如何过滤数据报文以便更容易的分析定位问题。

### 4\. Filtering packets
### 4\. 过滤数据包

As mentioned above, tcpdump can capture too many packages, some of which are not even related to the issue you're troubleshooting. For example, if you're troubleshooting a connectivity issue with a web server you're not interested in the SSH traffic, so removing the SSH packets from the output makes it easier to work on the real issue.
正如上面所提,tcpdump 可以抓取很多种类型的数据报文,其中很多可能和我们需要查找的问题并没有关系。举个例子,假设你正在定位一个与 web 服务器连接的网络问题,就不必关系 SSH 数据报文,因此在抓包结果中过滤掉 SSH 报文可能更便于你分析问题。

One of tcpdump's most powerful features is its ability to filter the captured packets using a variety of parameters, such as source and destination IP addresses, ports, protocols, etc. Let's look at some of the most common ones.
Tcpdump 有很多参数选项可以设置数据包过滤规则,例如根据源 IP 以及目的 IP 地址,端口号,协议等等规则来过滤数据包。下面就介绍一些最常用的过滤方法。

#### Protocol
#### 协议

To filter packets based on protocol, specifying the protocol in the command line. For example, capture ICMP packets only by using this command:
在命令中指定协议便可以按照协议类型来筛选数据包。比方说用如下命令只要抓取 ICMP 报文:

```
$ sudo tcpdump -i any -c5 icmp
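Review bot: the sentence "这个长度和 seq 序列号中字节数值长度是不一样的" inverts the source: "The length is the difference between the last and first bytes in the sequence number" means the payload length equals the sequence range shown (568 - 196 = 372), so it should read along the lines of "该长度等于序列号范围中末字节与首字节之差". Smaller points in the same hunk: "就不必关系 SSH 数据报文" should be "关心"; "源 ip 地址" / "目的 ip 地址" should use "IP" as the rest of the translation does; and "比方说用如下命令只要抓取 ICMP 报文" reads awkwardly ("只抓取").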
@ -174,7 +173,7 @@ tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
```

In a different terminal, try to ping another machine:
然后再打开一个终端,去 ping 另一台机器:

```
$ ping opensource.com
@ -182,7 +181,7 @@ PING opensource.com (54.204.39.132) 56(84) bytes of data.
64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms
```

Back in the tcpdump capture, notice that tcpdump captures and displays only the ICMP-related packets. In this case, tcpdump is not displaying name resolution packets that were generated when resolving the name `opensource.com`:
回到运行 tcpdump 命令的终端中,可以看到它筛选出了 ICMP 报文。这里 tcpdump 并没有显示有关 `opensource.com`的域名解析数据包:

```
09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64
@ -195,9 +194,9 @@ Back in the tcpdump capture, notice that tcpdump captures and displays only the
0 packets dropped by kernel
```

#### Host
#### 主机

Limit capture to only packets related to a specific host by using the `host` filter:
用 `host` 参数只抓取和特定主机相关的数据包:

```
$ sudo tcpdump -i any -c5 -nn host 54.204.39.132
@ -212,12 +211,11 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
5 packets received by filter
0 packets dropped by kernel
```
如上所示,只抓取和显示与 `54.204.39.132` 有关的数据包。

In this example, tcpdump captures and displays only packets to and from host `54.204.39.132`.
#### 端口号

#### Port

To filter packets based on the desired service or port, use the `port` filter. For example, capture packets related to a web (HTTP) service by using this command:
Tcpdump 可以根据服务类型或者端口号来筛选数据包。例如,抓取和 HTTP 服务相关的数据包:

```
$ sudo tcpdump -i any -c5 -nn port 80
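Review bot: the new side of this hunk is one line shorter than the old (12 to 11) because the blank line between the closing ``` and the paragraph "如上所示,只抓取和显示与 `54.204.39.132` 有关的数据包" was dropped, which is also why the diff pairs that paragraph and the "#### 端口号" heading ahead of their English originals; restore the blank line so the paragraph is not glued to the code block and line numbering stays aligned with the source. Also, "Tcpdump 可以根据服务类型或者端口号来筛选数据包" omits that the filter keyword is `port`, which the source names explicitly.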
@ -233,9 +231,9 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
0 packets dropped by kernel
```

#### Source IP/hostname
#### IP 地址/主机名

You can also filter packets based on the source or destination IP Address or hostname. For example, to capture packets from host `192.168.122.98`:
同样,你也可以根据源 IP 地址或者目的 IP 地址或者主机名来筛选数据包。例如抓取源 IP 地址为 `192.168.122.98` 的数据包:

```
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98
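Review bot: the heading "#### IP 地址/主机名" drops "Source" from "#### Source IP/hostname"; since the section introduces `src` first and `dst` only afterwards, keep it as "#### 源 IP 地址/主机名".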
@ -251,9 +249,9 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
0 packets dropped by kernel
```

Notice that tcpdumps captured packets with source IP address `192.168.122.98` for multiple services such as name resolution (port 53) and HTTP (port 80). The response packets are not displayed since their source IP is different.
注意此处示例中抓取了来自源 IP 地址 `192.168.122.98` 的 53 端口以及 80 端口的数据包,它们的应答包没有显示出来因为那些包的源 IP 地址已经变了。

Conversely, you can use the `dst` filter to filter by destination IP/hostname:
相对的,使用 `dst` 就是按目的 IP/主机名来筛选数据包。

```
$ sudo tcpdump -i any -c5 -nn dst 192.168.122.98
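Review bot: "因为那些包的源 IP 地址已经变了" reads as if the source address changed in flight; the source only says the responses carry a different source IP (the other host's), so "因为它们的源 IP 地址不同" is closer. The line "相对的,使用 `dst` 就是按目的 IP/主机名来筛选数据包。" should also end with a colon like the source, since it introduces the command block that follows.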
@ -269,9 +267,9 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
0 packets dropped by kernel
```

#### Complex expressions
#### 多条件筛选

You can also combine filters by using the logical operators `and` and `or` to create more complex expressions. For example, to filter packets from source IP address `192.168.122.98` and service HTTP only, use this command:
当然,可以使用多条件组合来筛选数据包,使用 `and` 以及 `or` 逻辑操作符来创建过滤规则。例如,筛选来自源 IP 地址 `192.168.122.98` 的 HTTP 数据包:

```
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80
@ -287,7 +285,7 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
0 packets dropped by kernel
```

You can create more complex expressions by grouping filter with parentheses. In this case, enclose the entire filter expression with quotation marks to prevent the shell from confusing them with shell expressions:
你也可以使用括号来创建更为复杂的过滤规则,但在 shell 中请用引号包含你的过滤规则以防止被识别为 shell 表达式:

```
$ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
@ -303,13 +301,13 @@ listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
0 packets dropped by kernel
```

In this example, we're filtering packets for HTTP service only (port 80) and source IP addresses `192.168.122.98` or `54.204.39.132`. This is a quick way of examining both sides of the same flow.
该例子中我们只抓取了来自源 IP 为 `192.168.122.98` 或者 `54.204.39.132` 的 HTTP (端口号80)的数据包。使用该方法就很容易抓取到数据流中交互双方的数据包了。

### 5\. Checking packet content
### 5\. 检查数据包内容

In the previous examples, we're checking only the packets' headers for information such as source, destinations, ports, etc. Sometimes this is all we need to troubleshoot network connectivity issues. Sometimes, however, we need to inspect the content of the packet to ensure that the message we're sending contains what we need or that we received the expected response. To see the packet content, tcpdump provides two additional flags: `-X` to print content in hex, and ASCII or `-A` to print the content in ASCII.
在以上的示例中,我们只按数据包头部的信息来建立规则筛选数据包,例如源地址、目的地址、端口号等等。有时我们需要分析网络连接问题,可能需要分析数据包中的内容来判断什么内容需要被发送、什么内容需要被接收等。Tcpdump 提供了两个选项可以查看数据包内容,`-X` 以十六进制打印出数据报文内容,`-A` 打印数据报文的 ASCII 值。

For example, inspect the HTTP content of a web request like this:
例如,HTTP request 报文内容如下:

```
$ sudo tcpdump -i any -c10 -nn -A port 80
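Review bot: "`-X` 以十六进制打印出数据报文内容" loses half of the source's description: `-X` prints the packet content in hex and ASCII, while `-A` prints ASCII only, so write "`-X` 以十六进制和 ASCII 两种形式打印数据包内容". In the same paragraph, "判断什么内容需要被发送、什么内容需要被接收" does not match "ensure that the message we're sending contains what we need or that we received the expected response"; the point is verifying the content of the request and of the response, not deciding what to send.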
@ -379,13 +377,13 @@ E..4..@.@.....zb6.'....P....o..............
0 packets dropped by kernel
```

This is helpful for troubleshooting issues with API calls, assuming the calls are using plain HTTP. For encrypted connections, this output is less useful.
这对定位一些普通 HTTP 调用 API 接口的问题很有用。当然如果是加密报文,这个输出也就没多大用了。

### 6\. Saving captures to a file
### 6\. 保存抓包数据

Another useful feature provided by tcpdump is the ability to save the capture to a file so you can analyze the results later. This allows you to capture packets in batch mode overnight, for example, and verify the results in the morning. It also helps when there are too many packets to analyze since real-time capture can occur too fast.
Tcpdump 提供了保存抓包数据的功能以便后续分析数据包。例如,你可以夜里让它在那里抓包,然后早上起来再去分析它。同样当有很多数据包时,显示过快也不利于分析,将数据包保存下来,更有利于分析问题。

To save packets to a file instead of displaying them on screen, use the option `-w`:
使用 `-w` 选项来保存数据包而不是在屏幕上显示出抓取的数据包:

```
$ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80
@ -396,11 +394,11 @@ tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 2621
0 packets dropped by kernel
```

This command saves the output in a file named `webserver.pcap`. The `.pcap` extension stands for "packet capture" and is the convention for this file format.
该命令将抓取的数据包保存到文件 `webserver.pcap`。后缀名 `pcap` 表示文件是抓取的数据包格式。

As shown in this example, nothing gets displayed on-screen, and the capture finishes after capturing 10 packets, as per the option `-c10`. If you want some feedback to ensure packets are being captured, use the option `-v`.
正如示例中所示,保存数据包到文件中时屏幕上就没有任何有关数据报文的输出,其中 `-c10` 表示抓取到 10 个数据包后就停止抓包。如果想有一些反馈来提示确实抓取到了数据包,可以使用 `-v` 选项。

Tcpdump creates a file in binary format so you cannot simply open it with a text editor. To read the contents of the file, execute tcpdump with the `-r` option:
Tcpdump 将数据包保存在二进制文件中,所以不能简单的用文本编辑器去打开它。使用 `-r` 选项参数来阅读该文件中的报文内容:

```
$ tcpdump -nn -r webserver.pcap
@ -418,9 +416,9 @@ reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
$
```

Since you're no longer capturing the packets directly from the network interface, `sudo` is not required to read the file.
这里不需要管理员权限 `sudo` 了,因为此刻并不是在网络接口处抓包。

You can also use any of the filters we've discussed to filter the content from the file, just as you would with real-time data. For example, inspect the packets in the capture file from source IP address `54.204.39.132` by executing this command:
你还可以使用我们讨论过的任何过滤规则来过滤文件中的内容,就像使用实时数据一样。 例如,通过执行以下命令从源 IP 地址`54.204.39.132` 检查文件中的数据包:

```
$ tcpdump -nn -r webserver.pcap src 54.204.39.132
@ -431,13 +429,13 @@ reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
```

### What's next?
### 下一步做什么?

These basic features of tcpdump will help you get started with this powerful and versatile tool. To learn more, consult the [tcpdump website][3] and [man pages][4].
以上的基本功能已经可以帮助你使用强大的 tcpdump 抓包工具了。更多的内容请参考 [tcpdump网页][3] 以及它的 [帮助文件][4]。

The tcpdump command line interface provides great flexibility for capturing and analyzing network traffic. If you need a graphical tool to understand more complex flows, look at [Wireshark][5].
Tcpdump 命令行工具为分析网络流量数据包提供了强大的灵活性。如果需要使用图形工具来抓包请参考 [Wireshark][5]。

One benefit of Wireshark is that it can read `.pcap` files captured by tcpdump. You can use tcpdump to capture packets in a remote machine that does not have a GUI and analyze the result file with Wireshark, but that is a topic for another day.
Wireshark 还可以用来读取 tcpdump 保存的 `pcap` 文件。你可以使用 tcpdump 命令行在没有 GUI 界面的远程机器上抓包然后在 Wireshark 中分析数据包。

--------------------------------------------------------------------------------

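Review bot: "如果需要使用图形工具来抓包请参考 [Wireshark][5]" narrows the source, which recommends Wireshark "to understand more complex flows", not for capturing; and the closing clause "but that is a topic for another day" has no counterpart in "你可以使用 tcpdump 命令行在没有 GUI 界面的远程机器上抓包然后在 Wireshark 中分析数据包" (something like "但这是另一个话题了" would do). Minor: add a space in "[tcpdump网页][3]" to match the spacing convention used elsewhere in the translation.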
@ -445,7 +443,7 @@ via: https://opensource.com/article/18/10/introduction-tcpdump

作者:[Ricardo Gerardi][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
译者:[jrg](https://github.com/jrglinux)
校对:[校对者ID](https://github.com/校对者ID)

本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
@ -457,3 +455,4 @@ via: https://opensource.com/article/18/10/introduction-tcpdump
[3]: http://www.tcpdump.org/#
[4]: http://www.tcpdump.org/manpages/tcpdump.1.html
[5]: https://www.wireshark.org/