tcpdump packet-capture commands: tcpdump in practice
I previously posted an article on network troubleshooting that was well received, so today I'll demonstrate the commonly used troubleshooting command tcpdump by capturing a TCP conversation.
https://www.tcpdump.org/manpages/tcpdump.1.html
A passage from the official tcpdump site:
The general format of a TCP protocol line is:
src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len
Src and dst are the source and destination IP addresses and ports.
Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK), or 'none' if no flags are set.
Data-seqno describes the portion of sequence space covered by the data in this packet (see example below).
Ackno is sequence number of the next data expected the other direction on this connection.
Window is the number of bytes of receive buffer space available the other direction on this connection.
Urg indicates there is 'urgent' data in the packet.
Opts are TCP options (e.g., mss 1024).
Len is the length of payload data.
A quick translation:
How to use the tcpdump command
src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len
src and dst give the source IP address and port and the destination address and port.
TCP flags: S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK)
Note that the '.' symbol stands for ACK, so "S." means SYN,ACK.
// The flags above are the commonly used TCP flags; for anyone not familiar with them, I'll follow up with an article on the TCP protocol.
1 Now I'll do this hands-on in my Linux virtual machine. First, a shell loop fetches Baidu every 5 seconds.
Open a new window and start capturing with tcpdump; since my VM is very clean, capturing port 80 is enough here.
for((i=1;i>0;i++)) { curl www.baidu.com; sleep 5; }   # sleep 5 keeps the tcpdump output from scrolling too fast later
tcpdump -nn -c 50 -w baidu.cap tcp and port 80         # capture 50 TCP packets on port 80 and write them to baidu.cap (options before the filter expression)
tcpdump -r baidu.cap -nn                               # read baidu.cap back; -nn prints addresses and ports as numbers instead of resolving names
// three-way handshake
00:01:27.495986 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [S], seq 3269637489, win 14600, options [mss 1460,sackOK,TS val 36161220 ecr 0,nop,wscale 7], length 0
00:01:27.499790 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [S.], seq 1731784705, ack 3269637490, win 65535, options [mss 1460], length 0
00:01:27.499839 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1, win 14600, length 0
// Flags [S]  SYN
// Flags [S.] SYN ACK
// Flags [.]  ACK
// data transfer
00:01:27.500578 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [P.], seq 1:177, ack 1, win 14600, length 176
00:01:27.500884 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 177, win 65535, length 0
00:01:27.505774 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], seq 1:1421, ack 177, win 65535, length 1420
00:01:27.505790 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1421, win 17040, length 0
00:01:27.505947 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [P.], seq 1421:1441, ack 177, win 65535, length 20
00:01:27.505961 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1441, win 17040, length 0
00:01:27.506046 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [P.], seq 1441:2782, ack 177, win 65535, length 1341
00:01:27.506059 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2782, win 19880, length 0
// Flags [P.] PSH ACK
// four-way close
00:01:27.506605 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [F.], seq 177, ack 2782, win 19880, length 0
00:01:27.506806 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 178, win 65535, length 0
00:01:27.510914 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [F.], seq 2782, ack 178, win 65535, length 0
00:01:27.510932 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2783, win 19880, length 0
// Flags [F.] FIN ACK
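As an added example (my own code, not part of the original post and not part of tcpdump), here is a small Python parser for the TCP line format quoted from the man page above, together with a checker that walks the capture lines in order and confirms the three-way handshake, the payload bytes in each direction and the four-way close. The capture lines embedded in it are the ones shown above; the state names and the report fields are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the TCP line format quoted from the tcpdump man page above:
# src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, urg (?P<urg>\d+))?"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)

@dataclass
class TcpLine:
    time: str
    src: str
    dst: str
    flags: set              # characters from [tcpflags]; "." is tcpdump's symbol for ACK
    seq: Optional[int]      # first sequence number (relative after the handshake)
    seq_end: Optional[int]  # one past the last sequence number when the packet carries data
    ack: Optional[int]
    win: Optional[int]
    opts: list
    length: int

def parse_line(line: str) -> Optional[TcpLine]:
    """Parse one tcpdump TCP line; return None for lines that are not TCP output."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    def num(v):
        return int(v) if v is not None else None
    return TcpLine(
        time=g["time"], src=g["src"], dst=g["dst"],
        flags=set() if g["flags"] == "none" else set(g["flags"]),
        seq=num(g["seq"]), seq_end=num(g["seq_end"]),
        ack=num(g["ack"]), win=num(g["win"]),
        opts=[o.strip() for o in g["opts"].split(",")] if g["opts"] else [],
        length=int(g["length"]),
    )

def analyze_flow(lines):
    """Walk the lines in capture order and report handshake, payload bytes and close."""
    r = {"handshake": False, "client": None, "server": None, "client_bytes": 0,
         "server_bytes": 0, "fin_from": [], "closed": False, "final_ack": None,
         "seq_mismatch": []}
    state, fin_seq = "CLOSED", None
    for p in filter(None, map(parse_line, lines)):
        f = p.flags
        if state == "CLOSED" and f == {"S"}:                                    # SYN
            r["client"], r["server"], state = p.src, p.dst, "SYN_SENT"
        elif state == "SYN_SENT" and f == {"S", "."} and p.src == r["server"]:  # SYN,ACK
            state = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and "." in f and p.src == r["client"]:     # ACK
            state, r["handshake"] = "ESTABLISHED", True
        if state != "ESTABLISHED":
            continue
        if p.length:
            r["client_bytes" if p.src == r["client"] else "server_bytes"] += p.length
            # data-seqno is printed as first:last, and last - first must equal the payload length
            if p.seq is None or p.seq_end is None or p.seq_end - p.seq != p.length:
                r["seq_mismatch"].append(p.time)
        if "F" in f:
            r["fin_from"].append(p.src)
            fin_seq = p.seq_end if p.seq_end is not None else p.seq  # a FIN takes one sequence number
        elif len(r["fin_from"]) == 2 and p.src != r["fin_from"][-1] and p.ack == fin_seq + 1:
            r["closed"], r["final_ack"] = True, p.ack                 # last ACK of the four-way close
    return r

# Capture lines copied from the baidu.cap output shown above.
CAPTURE = """\
00:01:27.495986 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [S], seq 3269637489, win 14600, options [mss 1460,sackOK,TS val 36161220 ecr 0,nop,wscale 7], length 0
00:01:27.499790 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [S.], seq 1731784705, ack 3269637490, win 65535, options [mss 1460], length 0
00:01:27.499839 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1, win 14600, length 0
00:01:27.500578 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [P.], seq 1:177, ack 1, win 14600, length 176
00:01:27.500884 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 177, win 65535, length 0
00:01:27.505774 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], seq 1:1421, ack 177, win 65535, length 1420
00:01:27.505790 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1421, win 17040, length 0
00:01:27.505947 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [P.], seq 1421:1441, ack 177, win 65535, length 20
00:01:27.505961 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 1441, win 17040, length 0
00:01:27.506046 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [P.], seq 1441:2782, ack 177, win 65535, length 1341
00:01:27.506059 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2782, win 19880, length 0
00:01:27.506605 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [F.], seq 177, ack 2782, win 19880, length 0
00:01:27.506806 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [.], ack 178, win 65535, length 0
00:01:27.510914 IP 61.135.169.121.80 > 10.0.2.15.39629: Flags [F.], seq 2782, ack 178, win 65535, length 0
00:01:27.510932 IP 10.0.2.15.39629 > 61.135.169.121.80: Flags [.], ack 2783, win 19880, length 0
""".splitlines()

if __name__ == "__main__":
    print(analyze_flow(CAPTURE))
```

Run on the capture above, the report shows 176 payload bytes from the client and 2781 from the server (1420 + 20 + 1341), no seq/length mismatches, and a clean close whose final ack 2783 equals 1 (the SYN) + 2781 data bytes + 1 (the FIN). That is exactly the relative sequence accounting described in the man page: after the handshake tcpdump prints sequence and ack numbers relative to the initial sequence number, so the numbers in the trace can be added up by hand.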
2 Viewing the capture file in Wireshark
Open the capture file (baidu.cap) in Wireshark
Statistics > Flow Graph
3 Summary
As you can see, with tcpdump you get a clear view of the complete TCP three-way handshake and four-way close.
This command is used constantly when troubleshooting networks and capturing packets; it is an advanced command worth mastering, though you need to be familiar with the TCP protocol first.