tcpdump/tshark: view only outgoing TCP connection requests

I want to see the TCP requests (SYN packets) that my computer/server sends to other hosts. More specifically, I want to see outgoing connection requests. How can I do this?

Also, I don't want to see any connection attempts made to my computer/server.

The following iptables command works, but it is clumsy to use because it logs everything, whereas I just want to watch it all on screen:

iptables -I OUTPUT 1 -o eth0 -p tcp -m state --state NEW -j LOG

Answer 1

If you want to see outgoing TCP connections originating from your host, you can use the switch src host <ip> as an argument to tcpdump:

$ tcpdump -i any -nn src host 10.0.2.15 and port 80

Example

Simulate outbound traffic:

$ curl -vv telnet://www.google.com:80
* About to connect() to www.google.com port 80 (#0)
*   Trying 172.217.15.100...
* Connected to www.google.com (172.217.15.100) port 80 (#0)
^C

Watching it with tcpdump:

$ tcpdump -i any -nn src host 10.0.2.15 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:04:19.585773 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [S], seq 315169574, win 29200, options [mss 1460,sackOK,TS val 38358006 ecr 0,nop,wscale 7], length 0
11:04:19.623676 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [.], ack 470600706, win 29200, length 0

Filtering for SYN packets

To capture only outgoing SYN packets you need to inspect the tcpflags, specifically looking for the flag tcp-syn. Using the same curl command as above again, but now invoking tcpdump like this:

$ tcpdump -i any -nn src host 10.0.2.15 and "tcp[tcpflags] == tcp-syn"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:13:39.962475 IP 10.0.2.15.44810 > 64.233.185.103.80: Flags [S], seq 3710429425, win 29200, options [mss 1460,sackOK,TS val 38918382 ecr 0,nop,wscale 7], length 0

TCP flags

From the tcpdump man page:
The general format of a TCP protocol line is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

Src and dst are the source and destination IP addresses and ports. 
Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U 
(URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are 
set. Data-seqno describes the portion of sequence space covered by the 
data in this packet (see example below). Ackno is sequence number of the 
next data expected the other direction on this connection. Window is the 
number of bytes of receive buffer space available the other direction on 
this connection. Urg indicates there is `urgent' data in the packet. Opts 
are TCP options (e.g., mss 1024). Len is the length of payload data.
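As an added example (not part of the original answer), the same selection applied after the fact to tcpdump's text output, for instance a saved capture printed with tcpdump -nn -r file.pcap: it keeps only pure SYN segments (Flags [S], no ACK) whose source is the local address, which is exactly what "src host <ip>" combined with "tcp[tcpflags] == tcp-syn" expresses in BPF. The local address 10.0.2.15 is taken from the answer; the sample lines are constructed, not a real capture.

```python
import re

# Matches the TCP summary line format quoted above from the tcpdump man page:
# "src > dst: Flags [tcpflags], ..." with IPv4 host and port written as a.b.c.d.port
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_tcp_line(line):
    """Return a dict with ts, src, sport, dst, dport and flags, or None if the line is not a TCP summary."""
    m = TCP_LINE.match(line.strip())
    return m.groupdict() if m else None

def is_outgoing_syn(rec, local_ip):
    """True for a pure SYN sent by local_ip, i.e. a new outbound connection request.
    "S." is SYN-ACK, which belongs to a connection the other side initiated, and is excluded
    just as "tcp[tcpflags] == tcp-syn" excludes it."""
    return rec["src"] == local_ip and rec["flags"] == "S"

def outgoing_connection_requests(lines, local_ip):
    """Return a list of (dst, dport) for every outbound SYN found in tcpdump text output."""
    out = []
    for line in lines:
        rec = parse_tcp_line(line)
        if rec and is_outgoing_syn(rec, local_ip):
            out.append((rec["dst"], int(rec["dport"])))
    return out

# Constructed sample of "tcpdump -nn" output: one outbound handshake to port 80, one inbound
# connection attempt to port 22 (SYN in, SYN-ACK out) and one further outbound SYN to port 443.
SAMPLE = """\
11:04:19.585773 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [S], seq 315169574, win 29200, options [mss 1460,sackOK,TS val 38358006 ecr 0,nop,wscale 7], length 0
11:04:19.623676 IP 10.0.2.15.50642 > 216.58.218.4.80: Flags [.], ack 470600706, win 29200, length 0
11:04:20.100000 IP 192.0.2.77.41000 > 10.0.2.15.22: Flags [S], seq 1, win 65535, length 0
11:04:20.100500 IP 10.0.2.15.22 > 192.0.2.77.41000: Flags [S.], seq 2, ack 2, win 29200, length 0
11:04:21.000000 IP 10.0.2.15.44810 > 64.233.185.103.443: Flags [S], seq 3710429425, win 29200, length 0
""".splitlines()

if __name__ == "__main__":
    for dst, port in outgoing_connection_requests(SAMPLE, "10.0.2.15"):
        print(f"outbound connection request to {dst}:{port}")
```

Only the two outbound SYNs are reported; the inbound SYN to port 22 and the local SYN-ACK reply are dropped, matching the question's requirement of not seeing connection attempts made to the host.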
