I want to see the TCP requests (SYN packets) my computer/server initiates to other hosts. More specifically, I want to see outgoing connection requests. How can I do this?
Also, I don't want to see any connection attempts made to my computer/server.
The following iptables command works, but it is clumsy to use because it logs everything, while I just want to see it all on screen:
iptables -I OUTPUT 1 -o eth0 -p tcp -m state --state NEW -j LOG
Answer 1
If you want to see outgoing TCP connections originating from your host, you can use the switch `src host <ip>` as an argument to tcpdump:
$ tcpdump -i any -nn src host 10.0.2.15 and port 80
Example
Simulating outbound traffic:
$ curl -vv telnet://www.google.com:80
* About to connect() to www.google.com port 80 (#0)
* Trying 172.217.15.100...
* Connected to www.google.com (172.217.15.100) port 80 (#0)
^C
Watching it with tcpdump:
$ tcpdump -i any -nn src host 10.0.2.15 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:04:19.585773 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [S], seq 315169574, win 29200, options [mss 1460,sackOK,TS val 38358006 ecr 0,nop,wscale 7], length 0
11:04:19.623676 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [.], ack 470600706, win 29200, length 0
Filtering on SYN packets
To capture only outgoing SYN packets you need to analyze the tcpflags, specifically looking for the flag `tcp-syn`. Using the same curl command as above again, but now with tcpdump invoked like this:
$ tcpdump -i any -nn src host 10.0.2.15 and "tcp[tcpflags] == tcp-syn"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:13:39.962475 IP 10.0.2.15.44810 > 64.233.185.103.80: Flags [S], seq 3710429425, win 29200, options [mss 1460,sackOK,TS val 38918382 ecr 0,nop,wscale 7], length 0
TCP flags
From the tcpdump man page:
The general format of a TCP protocol line is: src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len Src and dst are the source and destination IP addresses and ports. Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set. Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ackno is sequence number of the next data expected the other direction on this connection. Window is the number of bytes of receive buffer space available the other direction on this connection. Urg indicates there is `urgent' data in the packet. Opts are TCP options (e.g., mss 1024). Len is the length of payload data.
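As an added illustration (not part of the original answer), the following POSIX shell function post-processes tcpdump's `-nn` text output in the format shown above, keeping only pure SYN packets (flag `[S]`, not the `[S.]` of a SYN-ACK reply) whose source address is the local host, and printing the destination host and port of each outgoing connection attempt. The capture lines are constructed sample data; `outgoing_syns` and `count_outgoing_syns` are names chosen here.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn` text output (not a real capture):
# one outgoing SYN, its ACK, an incoming SYN to our sshd, our SYN-ACK reply,
# and a second outgoing SYN.
SAMPLE_CAPTURE='11:04:19.585773 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [S], seq 315169574, win 29200, length 0
11:04:19.623676 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [.], ack 470600706, win 29200, length 0
11:04:20.100000 IP 192.168.1.9.40000 > 10.0.2.15.22: Flags [S], seq 1, win 29200, length 0
11:04:20.200000 IP 10.0.2.15.22 > 192.168.1.9.40000: Flags [S.], seq 2, ack 2, win 29200, length 0
11:13:39.962475 IP 10.0.2.15.44810 > 64.233.185.103.80: Flags [S], seq 3710429425, win 29200, length 0'

# outgoing_syns LOCAL_IP
# Reads tcpdump -nn lines on stdin and prints "dst_ip dst_port" for every
# pure SYN sent by LOCAL_IP, i.e. every connection this host tried to open.
# Field layout of a tcpdump line: $1 time, $2 "IP", $3 src.port, $4 ">",
# $5 "dst.port:", $6 "Flags", $7 "[flags],".
outgoing_syns() {
    local_ip="$1"
    awk -v ip="$local_ip" '
        $2 == "IP" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)   # strip ".port" from source
            if (src != ip) next                   # drop SYNs aimed at us
            dst = $5; sub(/:$/, "", dst)          # strip trailing colon
            n = split(dst, parts, ".")            # last component is the port
            port = parts[n]
            host = parts[1] "." parts[2] "." parts[3] "." parts[4]
            print host, port
        }'
}

# count_outgoing_syns LOCAL_IP: number of outgoing connection attempts in the sample.
count_outgoing_syns() {
    printf '%s\n' "$SAMPLE_CAPTURE" | outgoing_syns "$1" | wc -l | tr -d ' '
}

# Live use (needs root): `-l` line-buffers tcpdump so the pipe shows packets as they arrive.
#   tcpdump -i any -nn -l 'tcp[tcpflags] == tcp-syn' | outgoing_syns 10.0.2.15
printf '%s\n' "$SAMPLE_CAPTURE" | outgoing_syns 10.0.2.15
```

The BPF filter `tcp[tcpflags] == tcp-syn` already excludes SYN-ACKs at capture time; the awk check on `[S],` is a second guard for captures saved without that filter.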