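Anyone who has studied computer science has probably heard of the TCP/IP three-way handshake, but I had never actually verified it. Today, on a whim, I did, and so I wrote this blog post. There may be mistakes in it, so corrections are welcome.
From what I learned, and from a lot of the material I have read, the third handshake should return ack (the previous seq + 1), but I did not find this in the packet capture: the third handshake only returns an ack. I hope someone can answer this question.
The capture is as follows (the part highlighted in yellow):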
09:52:52.462194 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [S], seq 3925850975, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4x.@.@.@z...n...m...P..._........r...............
09:52:52.462222 IP localhost.localdomain.http > 192.168.0.110.54420: Flags [S.], seq 2302688839, ack 3925850976, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@......m...n.P...@>G...`..r..R..............
09:52:52.462491 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [.], ack 1, win 1024, length 0
E..(x.@.@.@....n...m...P...`.@>HP.............
09:52:52.462628 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [P.], seq 1:223, ack 1, win 1024, length 222: HTTP: GET /favicon.ico HTTP/1.1
E...x @.@.?....n...m...P...`.@>HP.......GET /favicon.ico HTTP/1.1
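This time we will use tcpdump to verify the TCP/IP three-way handshake.
To capture packets with tcpdump, you first need to understand what the tool prints. The default tcpdump output format is: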
src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len
src > dst: the source IP and port, and the destination IP and port
tcpflags
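Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK), or 'none' if no flags are set.
S: SYN, synchronize. SYN = 1 indicates that this is a connection request or connection accept segment.
F: FIN, used to release a connection. FIN = 1 means the sender of this segment has finished sending its data and requests release of the transport connection.
P: PUSH. When the receiving TCP gets a segment with PSH = 1, it delivers it to the receiving application process as soon as possible, instead of waiting until the whole buffer is full before passing it up.
R: RST. RST = 1 means a serious error has occurred in the TCP connection (for example because of a host crash or some other cause); the connection must be released and the transport connection then re-established.
.: ACK, an acknowledgement.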
Use tcpdump to capture packets on port 80 of the local machine:
[root@localhost ~]# tcpdump -i enp0s8 port 80 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
09:52:52.462194 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [S], seq 3925850975, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4x.@.@.@z...n...m...P..._........r...............
09:52:52.462222 IP localhost.localdomain.http > 192.168.0.110.54420: Flags [S.], seq 2302688839, ack 3925850976, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@......m...n.P...@>G...`..r..R..............
09:52:52.462491 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [.], ack 1, win 1024, length 0
E..(x.@.@.@....n...m...P...`.@>HP.............
09:52:52.462628 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [P.], seq 1:223, ack 1, win 1024, length 222: HTTP: GET /favicon.ico HTTP/1.1
E...x @.@.?....n...m...P...`.@>HP.......GET /favicon.ico HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 192.168.0.109
Connection: Keep-Alive

09:52:52.462638 IP localhost.localdomain.http > 192.168.0.110.54420: Flags [.], ack 223, win 237, length 0
E..(.&@.@..}...m...n.P...@>H...>P....F..
09:52:52.463084 IP localhost.localdomain.http > 192.168.0.110.54420: Flags [P.], seq 1:325, ack 223, win 237, length 324: HTTP: HTTP/1.1 404 Not Found
E..l.'@.@..8...m...n.P...@>H...>P.......HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Wed, 17 Apr 2019 13:52:52 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
09:52:52.463219 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [.], ack 325, win 1022, length 0
E..(x!@.@.@....n...m...P...>.@?.P.............
09:52:54.652738 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [R.], seq 223, ack 325, win 0, length 0
E..(x#@.@.@....n...m...P...>.@?.P.............
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
Analysis:
03:07:29.669315 IP 192.168.56.1.56572 > localhost.localdomain.http: Flags [S], seq 2538461989, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
The client sends a SYN request with seq 2538461989.
03:07:29.669366 IP localhost.localdomain.http > 192.168.56.1.56572: Flags [S.], seq 643447264, ack 2538461990, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
The server accepts the client's request with ack 2538461990 (the seq of the previous request + 1) and sends its own seq, 643447264.
03:07:29.669632 IP 192.168.56.1.56572 > localhost.localdomain.http: Flags [.], ack 1, win 2053, length 0
The client sends the server an ack.
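The manual check in the analysis above, as an added example that is not part of the original post: it parses tcpdump's default summary lines and validates SYN, SYN-ACK and ACK, taking into account that tcpdump prints sequence and acknowledgement numbers relative to each side's initial sequence number after the SYN packets unless it is run with -S, so an "ack 1" in the third packet stands for the server's seq + 1. The names parse and check_handshake are illustrative, and the sample is constructed from the handshake lines of the port 80 capture.

```python
import re

# Constructed sample: the three handshake summary lines from the port 80
# capture on this page, with the -A payload lines left out.
SAMPLE = """\
09:52:52.462194 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [S], seq 3925850975, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:52:52.462222 IP localhost.localdomain.http > 192.168.0.110.54420: Flags [S.], seq 2302688839, ack 3925850976, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:52:52.462491 IP 192.168.0.110.54420 > localhost.localdomain.http: Flags [.], ack 1, win 1024, length 0
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?")
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def parse(text):
    """One dict per tcpdump summary line; payload lines do not match."""
    pkts = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        p = m.groupdict()
        for k in ("seq", "ack"):
            p[k] = int(p[k]) if p[k] else None
        pkts.append(p)
    return pkts


def check_handshake(pkts, absolute=False):
    """Return (client_isn, server_isn, absolute_final_ack), or None.

    absolute=False matches tcpdump's default (relative) display;
    pass absolute=True for output produced with tcpdump -S.
    """
    syn = synack = None
    for p in pkts:
        fwd = syn and (p["src"], p["dst"]) == (syn["src"], syn["dst"])
        rev = syn and (p["src"], p["dst"]) == (syn["dst"], syn["src"])
        if syn is None:
            if p["flags"] == "S" and p["seq"] is not None:
                syn = p
        elif synack is None:
            if (p["flags"] == "S." and rev and p["seq"] is not None
                    and p["ack"] == (syn["seq"] + 1) % MOD):
                synack = p
        elif p["flags"] == "." and fwd and p["ack"] is not None:
            ack = p["ack"] if absolute else (synack["seq"] + p["ack"]) % MOD
            ok = ack == (synack["seq"] + 1) % MOD
            return (syn["seq"], synack["seq"], ack) if ok else None
    return None
```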
Analysis with Wireshark
# tcpdump -i enp0s8 -w dump.pcap
The three exchanges of the TCP/IP handshake can be seen clearly.