I recently bought a set of Tenda MW6 mesh units. I run them in "bridge" mode, as that is the only option that lets me turn off the DHCP server. The primary mesh unit is connected to a DIY Linux router (Ubuntu, with a firewall; the full setup is described here), which lets me run some more interesting tools to monitor my traffic. The Linux router provides DHCP and DNS and has 3 ports bridged into one interface, with the primary mesh unit on one of those ports. I can obviously run tcpdump and capture the traffic passing through the mesh units.
I am running the mesh units in bridge mode (if that matters), and the backhaul to the secondary nodes is wireless. The Tenda is managed through a phone app, but it is local; no cloud account has been set up.
    Router - Runs ubuntu + firewalld
    192.168.1.1
          +
          |
          |
          |
          v
    Primary Mesh Node (Tenda MW6) 192.168.1.99
          +
    Secondary        |        Secondary
    192.168.1.91 <-----+-----> 192.168.1.87
Using iftop I found the devices talking to 45.113.192.102. This IP appears to belong to a Chinese search engine called Baidu, and tcpdump shows all 3 nodes connecting to that IP over http. Tenda claims this is a way of checking internet connectivity.
01:43:00.987943 IP 192.168.1.99.34783 > 45.113.192.102.http: Flags [F.], seq 1, ack 1, win 913, length 0
The above is an example of the tcpdump output on my main router.
Running tcpdump (`sudo tcpdump -i br0 host 45.113.192.102 -s 0 -w dumpfile`) and running the dump through Wireshark shows:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.1.99 45.113.192.102 TCP 66 36256 → 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=16
2 0.071250 45.113.192.102 192.168.1.99 TCP 66 80 → 36256 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1452 SACK_PERM=1 WS=32
3 0.075499 192.168.1.99 45.113.192.102 TCP 60 36256 → 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0
4 0.075573 192.168.1.99 45.113.192.102 TCP 60 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
5 0.352218 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
6 0.632204 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
7 1.192806 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
8 2.312628 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
9 2.893126 192.168.1.99 45.113.192.102 TCP 60 36255 → 80 [FIN, ACK] Seq=1 Ack=1 Win=913 Len=0
10 4.552308 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
11 5.732298 192.168.1.99 45.113.192.102 TCP 60 36254 → 80 [FIN, ACK] Seq=1 Ack=1 Win=913 Len=0
12 9.042919 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
13 11.373253 192.168.1.99 45.113.192.102 TCP 60 36252 → 80 [FIN, ACK] Seq=1 Ack=1 Win=913 Len=0
14 15.155209 192.168.1.99 45.113.192.102 TCP 66 36257 → 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=16
15 15.227698 45.113.192.102 192.168.1.99 TCP 66 80 → 36257 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1452 SACK_PERM=1 WS=32
16 15.231005 192.168.1.99 45.113.192.102 TCP 60 36257 → 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0
17 15.231078 192.168.1.99 45.113.192.102 TCP 60 36257 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
18 15.492991 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36257 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
19 15.763425 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36257 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
20 16.303042 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36257 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
21 17.382364 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36257 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
22 18.013092 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
23 19.542368 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36257 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
24 23.893447 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36257 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
25 26.493192 192.168.1.99 45.113.192.102 TCP 60 36253 → 80 [FIN, ACK] Seq=1 Ack=1 Win=913 Len=0
The packets look like:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.1.99 45.113.192.102 TCP 66 36256 → 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=16
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: TendaTec_56:35:08 (04:95:e6:56:35:08), Dst: Gifa_01:07:60 (40:62:31:01:07:60)
Internet Protocol Version 4, Src: 192.168.1.99, Dst: 45.113.192.102
Transmission Control Protocol, Src Port: 36256, Dst Port: 80, Seq: 0, Len: 0
Source Port: 36256
Destination Port: 80
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 0
1000 .... = Header Length: 32 bytes (8)
Flags: 0x002 (SYN)
Window size value: 14600
[Calculated window size: 14600]
Checksum: 0x6b93 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, No-Operation (NOP), Window scale
No. Time Source Destination Protocol Length Info
2 0.071250 45.113.192.102 192.168.1.99 TCP 66 80 → 36256 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1452 SACK_PERM=1 WS=32
Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Gifa_01:07:60 (40:62:31:01:07:60), Dst: TendaTec_56:35:08 (04:95:e6:56:35:08)
Internet Protocol Version 4, Src: 45.113.192.102, Dst: 192.168.1.99
Transmission Control Protocol, Src Port: 80, Dst Port: 36256, Seq: 0, Ack: 1, Len: 0
Source Port: 80
Destination Port: 36256
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
1000 .... = Header Length: 32 bytes (8)
Flags: 0x012 (SYN, ACK)
Window size value: 8192
[Calculated window size: 8192]
Checksum: 0xfa3d [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, No-Operation (NOP), Window scale
[SEQ/ACK analysis]
No. Time Source Destination Protocol Length Info
3 0.075499 192.168.1.99 45.113.192.102 TCP 60 36256 → 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0
Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: TendaTec_56:35:08 (04:95:e6:56:35:08), Dst: Gifa_01:07:60 (40:62:31:01:07:60)
Internet Protocol Version 4, Src: 192.168.1.99, Dst: 45.113.192.102
Transmission Control Protocol, Src Port: 36256, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
Source Port: 36256
Destination Port: 80
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
Window size value: 913
[Calculated window size: 14608]
[Window size scaling factor: 16]
Checksum: 0x5775 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
No. Time Source Destination Protocol Length Info
4 0.075573 192.168.1.99 45.113.192.102 TCP 60 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
Frame 4: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: TendaTec_56:35:08 (04:95:e6:56:35:08), Dst: Gifa_01:07:60 (40:62:31:01:07:60)
Internet Protocol Version 4, Src: 192.168.1.99, Dst: 45.113.192.102
Transmission Control Protocol, Src Port: 36256, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
Source Port: 36256
Destination Port: 80
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x011 (FIN, ACK)
Window size value: 913
[Calculated window size: 14608]
[Window size scaling factor: 16]
Checksum: 0x5774 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
No. Time Source Destination Protocol Length Info
5 0.352218 192.168.1.99 45.113.192.102 TCP 60 [TCP Retransmission] 36256 → 80 [FIN, ACK] Seq=1 Ack=1 Win=14608 Len=0
Frame 5: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: TendaTec_56:35:08 (04:95:e6:56:35:08), Dst: Gifa_01:07:60 (40:62:31:01:07:60)
Internet Protocol Version 4, Src: 192.168.1.99, Dst: 45.113.192.102
Transmission Control Protocol, Src Port: 36256, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
Source Port: 36256
Destination Port: 80
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x011 (FIN, ACK)
Window size value: 913
[Calculated window size: 14608]
[Window size scaling factor: 16]
Checksum: 0x5774 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
There is no obvious payload.
Is there any way I can inspect the traffic and find out what is going on?
Answer 1
It looks like it is just checking that it is online and can reach 45.113.192.102 on port 80.
Presumably this is just the AP doing an "internet reachable" test, like you often see in Windows (which connects to a Microsoft address).
You can see this from each packet: there is no data, as shown by LEN=0.
3 0.075499 192.168.1.99 45.113.192.102 TCP 60 36256 → 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0
If there were data, it would normally be stored in this part of the packet. They could do something like hide encrypted information in the sequence numbers of the packets they generate, but for this kind of device that would be very slow and unlikely.
If there were a firmware update or similar, they might respond with some data payload, in which case you would see data coming back in packets like these:
15 15.227698 45.113.192.102 192.168.1.99 TCP 66 80 → 36257 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1452 SACK_PERM=1 WS=32
But for now they look empty and plain.
You could block access to 45.113.192.102, or a larger subnet if you want, but that may cause the AP to think it is offline, or fail to connect properly in some way, causing more trouble than it is worth.
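As an added example, not code from the question or the answer above: a pure-Python parser that derives the TCP payload length (the Len value Wireshark shows) from raw Ethernet frames, so a dump like the one above can be checked mechanically for any segment that does carry data. The frames it builds are constructed to mirror packet 1 of the capture (addresses, MACs and TCP options taken from the page; checksums left as zero), plus a hypothetical data-carrying segment for contrast.

```python
import struct

# Addresses from the capture; the frames below are constructed, not taken from the dump file.
CLIENT, SERVER = bytes([192, 168, 1, 99]), bytes([45, 113, 192, 102])
CLIENT_MAC = bytes.fromhex("0495e6563508")  # TendaTec_56:35:08
GW_MAC = bytes.fromhex("406231010760")      # Gifa_01:07:60
# MSS 1460, NOP, NOP, SACK permitted, NOP, window scale 4 (WS=16), as in packet 1
SYN_OPTIONS = bytes.fromhex("020405b40101040201030304")


def build_tcp_frame(sport, flags, options=b"", payload=b""):
    """Constructed Ethernet/IPv4/TCP frame from the mesh node to port 80 (checksums left 0)."""
    tcp_hdr_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 0, 0, (tcp_hdr_len // 4) << 4,
                      flags, 14600, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     CLIENT, SERVER)
    return GW_MAC + CLIENT_MAC + b"\x08\x00" + ip + tcp


def parse_tcp_frame(frame):
    """Return ports, flags and payload length for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # not TCP
        return None
    tcp = ip[ihl:total_len]  # ignore any Ethernet padding after the IP datagram
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4  # TCP header length incl. options
    return {"src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport, "flags": tcp[13],
            "payload_len": len(tcp) - data_off}


def payload_bytes_per_stream(frames):
    """Sum payload bytes per (src, sport, dst, dport); any non-zero entry carried data."""
    totals = {}
    for frame in frames:
        info = parse_tcp_frame(frame)
        if info is None:
            continue
        key = (info["src"], info["sport"], info["dst"], info["dport"])
        totals[key] = totals.get(key, 0) + info["payload_len"]
    return totals
```

To run it over a real capture, feed each packet's bytes from the dump file (for example via a pcap reader) into `payload_bytes_per_stream`; any stream with a non-zero total is the one to look at in Wireshark.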