How to identify which packet belongs to which TCP connection in tcpdump

Question    votes: 0    answers: 1

I have a sample tcp dump. How do I identify which packets belong to which TCP connection? I know that in this case there are two connections (between the same source and destination), separated in time, but how do I identify them when we cannot tell them apart by time? I read somewhere that I can use the tcp.stream value to identify packets of the same connection, but I can't seem to print it. Maybe I am missing some tcpdump filter.

usc430tb@client:~$ sudo tcpdump -nn -i eth1 tcp and host server 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
04:19:30.105947 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [S], seq 3941923648, win 64240, options [mss 1460,sackOK,TS val 4040159679 ecr 0,nop,wscale 7], length 0
04:19:30.106238 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [S.], seq 3066551855, ack 3941923649, win 65160, options [mss 1460,sackOK,TS val 343847781 ecr 4040159679,nop,wscale 7], length 0
04:19:30.106299 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 4040159679 ecr 343847781], length 0
04:19:30.106475 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [P.], seq 1:71, ack 1, win 502, options [nop,nop,TS val 4040159679 ecr 343847781], length 70: HTTP: GET / HTTP/1.1
04:19:30.106735 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [.], ack 71, win 509, options [nop,nop,TS val 343847781 ecr 4040159679], length 0
04:19:30.107237 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [.], seq 1:2897, ack 71, win 509, options [nop,nop,TS val 343847782 ecr 4040159679], length 2896: HTTP: HTTP/1.1 200 OK
04:19:30.107251 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 2897, win 496, options [nop,nop,TS val 4040159680 ecr 343847782], length 0
04:19:30.107287 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [.], seq 2897:5793, ack 71, win 509, options [nop,nop,TS val 343847782 ecr 4040159679], length 2896: HTTP
04:19:30.107303 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 5793, win 481, options [nop,nop,TS val 4040159680 ecr 343847782], length 0
04:19:30.107338 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [P.], seq 5793:11174, ack 71, win 509, options [nop,nop,TS val 343847782 ecr 4040159679], length 5381: HTTP
04:19:30.107352 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 11174, win 481, options [nop,nop,TS val 4040159680 ecr 343847782], length 0
04:19:30.108948 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [F.], seq 71, ack 11174, win 501, options [nop,nop,TS val 4040159682 ecr 343847782], length 0
04:19:30.109436 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [F.], seq 11174, ack 72, win 509, options [nop,nop,TS val 343847784 ecr 4040159682], length 0
04:19:30.109467 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 11175, win 501, options [nop,nop,TS val 4040159682 ecr 343847784], length 0
04:22:36.733297 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [S], seq 3284054345, win 64240, options [mss 1460,sackOK,TS val 4040346308 ecr 0,nop,wscale 7], length 0
04:22:36.733604 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [S.], seq 4201800729, ack 3284054346, win 65160, options [mss 1460,sackOK,TS val 344034404 ecr 4040346308,nop,wscale 7], length 0
04:22:36.733672 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 4040346308 ecr 344034404], length 0
04:22:36.733913 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [P.], seq 1:71, ack 1, win 502, options [nop,nop,TS val 4040346309 ecr 344034404], length 70: HTTP: GET / HTTP/1.1
04:22:36.734149 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [.], ack 71, win 509, options [nop,nop,TS val 344034405 ecr 4040346309], length 0
04:22:36.734653 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [.], seq 1:2897, ack 71, win 509, options [nop,nop,TS val 344034406 ecr 4040346309], length 2896: HTTP: HTTP/1.1 200 OK
04:22:36.734671 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 2897, win 496, options [nop,nop,TS val 4040346309 ecr 344034406], length 0
04:22:36.734701 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [.], seq 2897:5793, ack 71, win 509, options [nop,nop,TS val 344034406 ecr 4040346309], length 2896: HTTP
04:22:36.734717 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 5793, win 481, options [nop,nop,TS val 4040346309 ecr 344034406], length 0
04:22:36.734752 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [P.], seq 5793:11174, ack 71, win 509, options [nop,nop,TS val 344034406 ecr 4040346309], length 5381: HTTP
04:22:36.734765 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 11174, win 451, options [nop,nop,TS val 4040346309 ecr 344034406], length 0
04:22:36.739626 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [F.], seq 71, ack 11174, win 501, options [nop,nop,TS val 4040346314 ecr 344034406], length 0
04:22:36.740045 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [F.], seq 11174, ack 72, win 509, options [nop,nop,TS val 344034411 ecr 4040346314], length 0
04:22:36.740074 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 11175, win 501, options [nop,nop,TS val 4040346315 ecr 344034411], length 0

http tcp ip tcpdump
1 answer

0 votes

Each TCP/IP connection, at any given time, is uniquely identified by the set

(src-ip-addr; src-port; dest-ip-addr; dest-port)

In your example these connections are

(1.1.2.3; 37574; 5.6.7.8; 80)
(1.1.2.3; 37572; 5.6.7.8; 80)

The two differ in src-port: 37574 vs. 37572.

If I read the man page examples correctly, you can filter on port 37574 with

tcpdump ... port 37574
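An added worked example, not part of the question or the answer above: tcpdump has no tcp.stream field (that is a Wireshark/tshark display-filter field), so the script below does the equivalent by hand on tcpdump's text output. It parses each line, reduces the 4-tuple to a direction-independent key so both halves of a connection land in the same stream, and, going beyond the answer's time-separated case, starts a new stream whenever a bare SYN reappears on a 4-tuple already seen, which is how a reused client port is told apart when time alone cannot do it. It also emits an exact BPF expression for each stream that can be pasted back into tcpdump. The sample input reuses the first lines of the two connections from the post (abridged, options dropped); the third connection reusing port 37572 is constructed for the example.

```python
import re

# Matches the leading part of a default tcpdump TCP line:
# "HH:MM:SS.usec IP src.sport > dst.dport: Flags [flags], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one tcpdump line into its 4-tuple and TCP flags; None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def canonical_key(pkt):
    """Direction-independent 4-tuple: both halves of a connection map to the same key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def is_bare_syn(flags):
    """A SYN without ACK ('S', not 'S.') opens a new connection even on a 4-tuple seen before."""
    return "S" in flags and "." not in flags


def assign_streams(lines):
    """Group tcpdump lines into TCP streams numbered in order of first appearance.

    Returns (streams, labelled): streams is a list of dicts holding the endpoints and
    packets of each connection; labelled is a list of (stream_index, line) in input order.
    """
    streams = []
    open_by_key = {}  # canonical 4-tuple -> index of the stream currently using it
    labelled = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = canonical_key(pkt)
        if is_bare_syn(pkt["flags"]) or key not in open_by_key:
            # New connection: a fresh SYN, or a 4-tuple never seen (e.g. capture started
            # mid-connection, in which case the "client" is simply the first sender seen).
            open_by_key[key] = len(streams)
            streams.append({
                "client": (pkt["src"], pkt["sport"]),
                "server": (pkt["dst"], pkt["dport"]),
                "packets": [],
            })
        idx = open_by_key[key]
        streams[idx]["packets"].append(line)
        labelled.append((idx, line))
    return streams, labelled


def bpf_for_stream(stream):
    """BPF expression selecting exactly this connection's packets in both directions.

    A plain 'port 37574' works in practice, but it matches that port as either source or
    destination with any peer; pinning both endpoints is unambiguous.
    """
    (ch, cp), (sh, sp) = stream["client"], stream["server"]
    fwd = f"src host {ch} and src port {cp} and dst host {sh} and dst port {sp}"
    rev = f"src host {sh} and src port {sp} and dst host {ch} and dst port {cp}"
    return f"tcp and (({fwd}) or ({rev}))"


# Sample input: first lines of the two connections from the capture in the post (abridged,
# TCP options dropped), plus a constructed third connection that reuses client port 37572,
# so the 4-tuple alone would not separate it from the first one.
SAMPLE = """\
04:19:30.105947 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [S], seq 3941923648, win 64240, length 0
04:19:30.106238 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [S.], seq 3066551855, ack 3941923649, win 65160, length 0
04:19:30.106299 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 1, win 502, length 0
04:19:30.108948 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [F.], seq 71, ack 11174, win 501, length 0
04:19:30.109436 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [F.], seq 11174, ack 72, win 509, length 0
04:22:36.733297 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [S], seq 3284054345, win 64240, length 0
04:22:36.733604 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [S.], seq 4201800729, ack 3284054346, win 65160, length 0
04:22:36.733672 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 1, win 502, length 0
04:25:01.000000 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [S], seq 1000, win 64240, length 0
04:25:01.000300 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [S.], seq 2000, ack 1001, win 65160, length 0
04:25:01.000400 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 1, win 502, length 0
"""

if __name__ == "__main__":
    streams, labelled = assign_streams(SAMPLE.splitlines())
    for idx, line in labelled:
        print(f"tcp.stream={idx}  {line}")
    for idx, s in enumerate(streams):
        print(f"\nstream {idx}: {len(s['packets'])} packets, filter: {bpf_for_stream(s)}")
```

Run it on a saved capture with `sudo tcpdump -nn -i eth1 -w capture.pcap tcp and host server` followed by `tcpdump -nn -r capture.pcap | python3 streams.py` (piping stdin is left as an exercise; the script above reads the embedded sample). The SYN rule is what distinguishes a reused port: the first and third connections share the same 4-tuple, yet they get different stream numbers because the third begins with its own three-way handshake.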