tcpdump/tshark：仅查看传出 TCP 连接请求

Question

如果您想查看源自主机的传出 TCP 连接，您可以使用开关src host <ip>作为参数tcpdump：

$ tcpdump -i any -nn src host 10.0.2.15 and port 80

例子

模拟出站流量：

$ curl -vv telnet://www.google.com:80
* About to connect() to www.google.com port 80 (#0)
*   Trying 172.217.15.100...
* Connected to www.google.com (172.217.15.100) port 80 (#0)
^C

观看方式tcpdump：

$ tcpdump -i any -nn src host 10.0.2.15 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:04:19.585773 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [S], seq 315169574, win 29200, options [mss 1460,sackOK,TS val 38358006 ecr 0,nop,wscale 7], length 0
11:04:19.623676 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [.], ack 470600706, win 29200, length 0

对 syn 数据包进行过滤

要仅捕获传出的 syn 数据包，您需要分析 tcpflags，特别是查找标志tcp-syn。再次使用curl上面相同的命令，但现在tcpdump像这样调用：

$ tcpdump -i any -nn src host 10.0.2.15 and "tcp[tcpflags] == tcp-syn"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:13:39.962475 IP 10.0.2.15.44810 > 64.233.185.103.80: Flags [S], seq 3710429425, win 29200, options [mss 1460,sackOK,TS val 38918382 ecr 0,nop,wscale 7], length 0

TCP标志

从tcpdump手册页：

The general format of a TCP protocol line is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

Src and dst are the source and destination IP addresses and ports. 
Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U 
(URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are 
set. Data-seqno describes the portion of sequence space covered by the 
data in this packet (see example below). Ackno is sequence number of the 
next data expected the other direction on this connection. Window is the 
number of bytes of receive buffer space available the other direction on 
this connection. Urg indicates there is `urgent' data in the packet. Opts 
are TCP options (e.g., mss 1024). Len is the length of payload data.

参考

Answer 1

如果您想查看源自主机的传出 TCP 连接，您可以使用开关src host <ip>作为参数tcpdump：

$ tcpdump -i any -nn src host 10.0.2.15 and port 80

例子

模拟出站流量：

$ curl -vv telnet://www.google.com:80
* About to connect() to www.google.com port 80 (#0)
*   Trying 172.217.15.100...
* Connected to www.google.com (172.217.15.100) port 80 (#0)
^C

观看方式tcpdump：

$ tcpdump -i any -nn src host 10.0.2.15 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:04:19.585773 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [S], seq 315169574, win 29200, options [mss 1460,sackOK,TS val 38358006 ecr 0,nop,wscale 7], length 0
11:04:19.623676 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [.], ack 470600706, win 29200, length 0

对 syn 数据包进行过滤

要仅捕获传出的 syn 数据包，您需要分析 tcpflags，特别是查找标志tcp-syn。再次使用curl上面相同的命令，但现在tcpdump像这样调用：

$ tcpdump -i any -nn src host 10.0.2.15 and "tcp[tcpflags] == tcp-syn"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:13:39.962475 IP 10.0.2.15.44810 > 64.233.185.103.80: Flags [S], seq 3710429425, win 29200, options [mss 1460,sackOK,TS val 38918382 ecr 0,nop,wscale 7], length 0

TCP标志

从tcpdump手册页：

The general format of a TCP protocol line is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

Src and dst are the source and destination IP addresses and ports. 
Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U 
(URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are 
set. Data-seqno describes the portion of sequence space covered by the 
data in this packet (see example below). Ackno is sequence number of the 
next data expected the other direction on this connection. Window is the 
number of bytes of receive buffer space available the other direction on 
this connection. Urg indicates there is `urgent' data in the packet. Opts 
are TCP options (e.g., mss 1024). Len is the length of payload data.

tcpdump/tshark：仅查看传出 TCP 连接请求

答案1

例子

对 syn 数据包进行过滤

TCP标志

参考

相关内容