主页 / unix / 问题 / 466584
Accepted
Artem S. Tashkinov
Asked: 2018-09-04 06:56:13 +0800 CST

tcpdump/tshark:只查看传出的 TCP 连接请求

  • 772

我想查看TCP我的 PC/服务器向其他主机发起的请求(同步数据包)。更具体地说,我想查看outgoing connection requests. 我怎样才能做到这一点?

此外,我不想看到任何连接到我的 PC/服务器的尝试。

以下iptables命令有效,但使用起来很笨拙,因为它记录了所有内容,而我只想查看屏幕上的所有内容:

iptables -I OUTPUT 1 -o eth0 -p tcp -m state --state NEW -j LOG
networking tcpdump

1 个回答

  1. Best Answer

    如果您想查看来自您的主机的传出 TCP 连接,您可以使用 switchsrc host <ip>作为参数tcpdump

    $ tcpdump -i any -nn src host 10.0.2.15 and port 80

    例子

    模拟传出流量:

    $ curl -vv telnet://www.google.com:80
* About to connect() to www.google.com port 80 (#0)
*   Trying 172.217.15.100...
* Connected to www.google.com (172.217.15.100) port 80 (#0)
^C

    观看tcpdump

    $ tcpdump -i any -nn src host 10.0.2.15 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:04:19.585773 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [S], seq 315169574, win 29200, options [mss 1460,sackOK,TS val 38358006 ecr 0,nop,wscale 7], length 0
11:04:19.623676 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [.], ack 470600706, win 29200, length 0

    过滤同步数据包

    要仅捕获传出的 syn 数据包,您需要分析 tcpflags,特别是寻找tcp-syn标志。再次使用上面的相同curl命令,但现在调用tcpdump如下:

    $ tcpdump -i any -nn src host 10.0.2.15 and "tcp[tcpflags] == tcp-syn"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:13:39.962475 IP 10.0.2.15.44810 > 64.233.185.103.80: Flags [S], seq 3710429425, win 29200, options [mss 1460,sackOK,TS val 38918382 ecr 0,nop,wscale 7], length 0

    tcpflags

    tcpdump手册页: 
    The general format of a TCP protocol line is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

Src and dst are the source and destination IP addresses and ports. 
Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U 
(URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are 
set. Data-seqno describes the portion of sequence space covered by the 
data in this packet (see example below). Ackno is sequence number of the 
next data expected the other direction on this connection. Window is the 
number of bytes of receive buffer space available the other direction on 
this connection. Urg indicates there is `urgent' data in the packet. Opts 
are TCP options (e.g., mss 1024). Len is the length of payload data.

    参考

    • 5

相关问题