一、介绍
linux抓包命令
二、被请求端口监听:dst port
tcpflow -ci eth0 dst port 6060
tcpdump -i eth0 dst port 6060
案例:
hubble-transfer 服务的端口为 9511,所以下面截图的案例其实就是监听该服务开启的端口,查看有哪些来源在向它发送请求数据。
三、请求端口监听:src
tcpflow -ci eth0 src port 9092:抓取来源端口为 9092 的网络包数据。说白了,就是请求 9092 端口上那个服务时产生的数据。
案例:
以下案例是Kafka消费者,Kafka的端口为9092,hubble-biz-log从9092端口消费数据(其实本质就是请求9092端口服务)
代码:
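/**
 * Kafka listener for the flow-log topic ("hubble-log-ms").
 * Each record is converted to a {@link HubbleSyslogMsVO}, buffered in
 * {@code logList}, and the buffer is written with one batch insert once it
 * holds {@code batchSize} records.
 *
 * NOTE(review): logList is a shared field and is not synchronized here; this
 * assumes the listener container runs a single consumer thread — confirm.
 *
 * @param message raw JSON payload of one Kafka record
 * @param ack     manual acknowledgment; always called in {@code finally}, so a
 *                record is consumed at most once even when it was not persisted
 */
@KafkaListener(topics = "hubble-log-ms")
public void consumer(String message, Acknowledgment ack) {
    try {
        HubbleSyslogMsVO vo = parseMessage(message);
        if (vo == null) {
            // Malformed record: drop only this message; the buffered batch is kept
            // (previously a parse failure cleared the whole buffer).
            return;
        }
        // A record without a request URI previously threw an NPE here and wiped
        // the buffer; it is now skipped on its own (it was never stored before either).
        String uri = vo.getRequesturi();
        if (uri == null || uri.contains("query")) {
            return;
        }
        logList.add(vo);
        if (logList.size() >= batchSize) {
            flushBatch();
        }
    } catch (Exception e) {
        // Batch insert failed: the buffer is dropped, as before. Its records were
        // already acknowledged by earlier invocations, so they cannot be redelivered.
        logList.clear();
        log.error("consumer has error,error info is ", e);
    } finally {
        ack.acknowledge();
    }
}

/**
 * Parses one raw Kafka payload into a VO.
 *
 * @param message raw JSON payload
 * @return the VO, or {@code null} (after logging) when the payload cannot be
 *         parsed or converted
 */
private HubbleSyslogMsVO parseMessage(String message) {
    try {
        Map<String, Object> dataMap = JSON.parseObject(message, new TypeReference<Map<String, Object>>() {}.getType());
        return handleToVO(dataMap);
    } catch (Exception e) {
        log.error("consumer has error,error info is ", e);
        return null;
    }
}

/** Writes all buffered records in one batch insert and empties the buffer. */
private void flushBatch() {
    int num = hubbleSyslogMsVOMapper.insertBatch(logList);
    log.info("log batch num={}", num);
    logList.clear();
}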
抓包日志(注意:tcpflow 会把应用层明文原样打印出来,下面的输出里就含有 username、usertoken 等字段,对外分享前应先脱敏):
[root@hubble-biz-log-pod-64b7b45596-q2dz2 DockerHubblebizhost]# tcpflow -ci eth0 src port 9092
tcpflow: listening on eth0
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066: stat_syslog_access_line
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066: D{eyF.{"requestUri":"/api/host/hostSync","haoshi":0}
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.188.09092-010.068.202.022.56576: 6'
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.188.09092-010.068.202.022.56576: stat_syslog_access_line
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.188.09092-010.068.202.022.56576: JkatyF4{"requestUri":"/api/group/queryGrpInfo","haoshi":59}
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.168.09092-010.068.202.022.50760: ,stat_syslog_access_line
010.034.004.168.09092-010.068.202.022.50760: .stat_syslog_access_line
010.034.004.182.09092-010.068.202.022.58066: M
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066: stat_syslog_access_line
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066: QODyF;{"requestUri":"/api/template/findStrategyById","haoshi":18}
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.168.09092-010.068.202.022.50760: 0stat_syslog_access_line
010.034.004.182.09092-010.068.202.022.58066: /
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066: stat_syslog_access_line
010.034.004.182.09092-010.068.202.022.58066: x
010.034.004.182.09092-010.068.202.022.58066: J=xyG4{"requestUri":"/api/open/notice/v2/send","haoshi":1}
010.034.004.182.09092-010.068.202.022.58066: =
010.034.004.168.09092-010.068.202.022.50760: 2stat_syslog_access_line
010.034.004.188.09092-010.068.202.022.56576: 6-
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.188.09092-010.068.202.022.56576: stat_syslog_access_line
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.188.09092-010.068.202.022.56576: JOyG@4{"requestUri":"/api/group/queryGrpInfo","haoshi":38}
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.168.09092-010.068.202.022.50760: 4stat_syslog_access_line
010.034.004.188.09092-010.068.202.022.56576: 3
010.034.004.188.09092-010.068.202.022.56572:
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.188.09092-010.068.202.022.56572:
010.034.004.188.09092-010.068.202.022.56576: stat_syslog_access_line
hubble-log-ms88.09092-010.068.202.022.56572:
010.034.004.188.09092-010.068.202.022.56572: N
010.034.004.188.09092-010.068.202.022.56576: x
010.034.004.188.09092-010.068.202.022.56576: J~PyGZ4{"requestUri":"/api/open/notice/v2/send","haoshi":0}
010.034.004.188.09092-010.068.202.022.56572: NyGZ{"responsecode":200,"enddate":1656556701530,"clientIp":"10.19.0.227","paramData":"{"noticeWay": "", "content": "QAE \u62a5\u8b66\uff1a\u5e94\u7528wangcan.itv-tab-drama-ulike-deep-scorer-v1-prod-wh.bdwh-online01 (docker-registry.qiyi.virtual/mba-rec/mba-deep-rank-service:prod-gl_scorer-2112171043)\u5728\u8fc7\u53bb60\u5206\u949f\u5931\u8d25\u4e8634\u6b21\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u5904\u7406\u3002", "toUsers": "wangcan", "emailSubject": "QAE \u62a5\u8b66"}","methodName":"POST","usertoken":"5fa50","startdate":1656556701530,"total_time":0,"uri":"/api/open/notice/v2/send","username":"guoguanglu"}
010.034.004.188.09092-010.068.202.022.56576: =
010.034.004.168.09092-010.068.202.022.50836: 4IY
010.034.004.168.09092-010.068.202.022.50836:
010.034.004.168.09092-010.068.202.022.50836: hubble-log-event
010.034.004.168.09092-010.068.202.022.50836: B7
010.034.004.188.09092-010.068.202.022.56572: =
010.034.004.168.09092-010.068.202.022.50760: 6stat_syslog_access_line
hubble-log-ms68.09092-010.068.202.022.50758: !
010.034.004.168.09092-010.068.202.022.50756: $Ihubble-log-event
010.034.004.168.09092-010.068.202.022.50836: I]
010.034.004.168.09092-010.068.202.022.50836:
010.034.004.168.09092-010.068.202.022.50836: hubble-log-event
010.034.004.168.09092-010.068.202.022.50836: B8
010.034.004.168.09092-010.068.202.022.50836: B7}&yG]{"responsecode":404,"enddate":1656556701533,"clientIp":"10.128.220.10","paramData":"{}","methodName":"HEAD","startdate":1656556701532,"total_time":1,"uri":"/error"}=
010.034.004.188.09092-010.068.202.022.56576: M5
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.188.09092-010.068.202.022.56576: stat_syslog_access_line
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.188.09092-010.068.202.022.56576: QBoVyGg;{"requestUri":"/api/template/findStrategyById","haoshi":22}
010.034.004.188.09092-010.068.202.022.56576:
010.034.004.182.09092-010.068.202.022.58066: 61
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066: stat_syslog_access_line
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.182.09092-010.068.202.022.58066: JqyGr4{"requestUri":"/api/group/queryGrpInfo","haoshi":37}
010.034.004.182.09092-010.068.202.022.58066:
010.034.004.168.09092-010.068.202.022.50760: 8stat_syslog_access_line
010.034.004.168.09092-010.068.202.022.50760: :stat_syslog_access_line
010.034.004.198.09092-010.068.202.022.55068: )
010.034.004.198.09092-010.068.202.022.55068:
010.034.004.198.09092-010.068.202.022.55068: stat_syslog_access_line
010.034.004.198.09092-010.068.202.022.55068: x
010.034.004.198.09092-010.068.202.022.55068: JwVyG4{"requestUri":"/api/open/notice/v2/send","haoshi":0}
010.034.004.198.09092-010.068.202.022.55068: =
010.034.004.168.09092-010.068.202.022.50760: <stat_syslog_access_line
010.034.004.188.09092-010.068.202.022.56572: M
010.034.004.188.09092-010.068.202.022.56572:
hubble-log-ms88.09092-010.068.202.022.56572:
010.034.004.188.09092-010.068.202.022.56572: N
010.034.004.188.09092-010.068.202.022.56572: NRyG{"responsecode":200,"enddate":1656556701596,"clientIp":"10.19.0.228","paramData":"{"noticeWay": "", "content": "QAE \u62a5\u8b66\uff1a\u5e94\u7528wangcan.itv-tab-drama-ulike-deep-scorer-v1-prod-wh.bdwh-online01 (docker-registry.qiyi.virtual/mba-rec/mba-deep-rank-service:prod-gl_scorer-2112171043)\u5bb9\u5668\u5b9e\u4f8b\u4e0d\u7a33\u5b9a\uff0c\u5728\u8fc7\u53bb6\u5c0f\u65f6\u5185\u81f3\u5c11\u53d8\u66f4\u4e8635\u6b21\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u5904\u7406\u3002", "toUsers": "wangcan", "emailSubject": "QAE \u62a5\u8b66"}","methodName":"POST","usertoken":"5fa50","startdate":1656556701596,"total_time":0,"uri":"/api/open/notice/v2/send","username":"guoguanglu"}
四、其它使用示例
- 1. 针对特定网口抓包 ( -i 选项 )。 不加任何选项执行 tcpdump 时,tcpdump 将抓取通过所有网口的包;使用 -i 在指定的网口抓包: 示例:tcpdump 抓取所有通过 eth0 的包。命令:root@kali:~# tcpdump -i eth0
- 2. 抓取指定数目的包( -c 选项 )。 默认情况下 tcpdump 将一直抓包,直到按下 Ctrl+C 中止;使用 -c 选项可以指定抓包的数量: 示例:只针对 eth0 网口抓 10 个包。命令:root@kali:~# tcpdump -i eth0 -c 10
- 3. 将抓到包写入文件中( -w 选项 )。使用 -w 选项,将抓包记录到一个指定文件中,保存为.pcap后缀的文件,可以使用 wireshark 等工具读取分析。 命令:root@kali:~# tcpdump -i eth0 -c 10 -w 2017.pcap
- 4. 读取 tcpdump 保存文件( -r 选项 )。对于保存的抓包文件,我们可以使用 -r 选项进行读取。命令:root@kali:~# tcpdump -r 2017.pcap
- 5. 抓包时不进行域名解析( -n 选项 )。默认情况下,tcpdump 会对抓包结果做域名解析,显示的是域名而非 ip 地址;使用 -n 选项可关闭解析,直接显示 ip 地址。
- 6. 增加抓包时间戳( -tttt 选项 )。使用 -tttt 选项,抓包结果的每一行都会带上完整的日期时间戳。
- 7. 指定抓包的协议类型。我们可以只抓某种协议的包,tcpdump 支持指定以下协议:ip、ip6、arp、tcp、udp、wlan 等。 示例:只抓取 arp 协议的包:root@kali:~# tcpdump -i eth0 -tttt arp
- 8. 指定抓包端口。如果想要对某个特定的端口抓包,可以通过以下命令:root@kali:~# tcpdump -i eth0 port 22
- 9. 抓取特定目标 ip 和端口的包。网络包的内容中包含了源 ip 地址、端口和目标 ip、端口,我们可以根据目标 ip 和端口过滤 tcpdump 的抓包结果,以下命令说明了此用法: 示例:root@kali:~# tcpdump -i eth0 dst 10.70.121.92 and port 22 。另一个示例(抓取 10 个 ip 协议包,并以十六进制和 ASCII 形式显示包内容):root@kali:~# tcpdump -i eth0 -c 10 ip -tttt -X
参考文档:
https://blog.csdn.net/weixin_34124651/article/details/88267519