我正在使用一个具有多个桥接接口的系统。我想监控多个接口上的流量,但tcpdump要从主接口和其相同的桥接器捕获流量,导致相同数据包的输出重复。我知道tcpdump在多个接口上进行操作的唯一方法是使用熟数据包捕获模式。我如何区分桥接器上的流量与其主接口上的相同流量,以便将其过滤掉?
捕获示例应该只有两行(一个回显请求和一个回显答复):
root@UP-2033:~# tcpdump -qn -c 5 -i any 'icmp and net 10.2.64.0/27'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
22:52:32.387377 IP 10.2.64.9 > 10.2.64.1: ICMP echo request, id 40587, seq 1, length 64
22:52:32.387377 IP 10.2.64.9 > 10.2.64.1: ICMP echo request, id 40587, seq 1, length 64
22:52:32.387377 IP 10.2.64.9 > 10.2.64.1: ICMP echo request, id 40587, seq 1, length 64
22:52:32.387631 IP 10.2.64.1 > 10.2.64.9: ICMP echo reply, id 40587, seq 1, length 64
22:52:32.387660 IP 10.2.64.1 > 10.2.64.9: ICMP echo reply, id 40587, seq 1, length 64
5 packets captured
11 packets received by filter
0 packets dropped by kernel
答案1
最近(我有 4.99.1)版本的tcpdump输出中包含接口名称,因此当使用 进行跟踪-i any并且涉及桥梁时(docker0在此示例中),我们会看到:
# tcpdump -i any net 172.17.0.0/16
20:37:49.636299 docker0 Out IP 172.17.0.1.37872 ...
20:37:49.636304 veth7c5eddd Out IP 172.17.0.1.37872 ...
20:37:49.636320 veth7c5eddd P IP 172.17.0.2.webcache ...
20:37:49.636322 docker0 In IP 172.17.0.2.webcache ...
这并不是您想要的,但您可以对输出进行后处理以删除您不感兴趣的接口上的流量。
看起来 tcpdump 在 pcap 文件中记录了接口索引,因此您可以使用 tshark/wireshark 中的显示过滤器来隔离您想要的跟踪。
例如,如果我执行上述捕获到文件的操作:
# tcpdump -i any -w packets -s 0 net 172.17.0.0/16
鉴于我已经:
# ip link show | egrep 'docker0|veth7c5eddd'
24: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
241: veth7c5eddd@if240: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
我只能查看docker0这样的数据包:
# tshark -n -r packets -Y 'sll.ifindex==24'
1 0.000000 172.17.0.1 → 172.17.0.2 TCP 80 48402 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2076236842 TSecr=0 WS=128
4 0.000027 172.17.0.2 → 172.17.0.1 TCP 80 [TCP Out-Of-Order] 8080 → 48402 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2816273104 TSecr=2076236842 WS=128
5 0.000037 172.17.0.1 → 172.17.0.2 TCP 72 48402 → 8080 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2076236842 TSecr=2816273104
7 0.000061 172.17.0.1 → 172.17.0.2 HTTP 151 GET / HTTP/1.1
10 0.000065 172.17.0.2 → 172.17.0.1 TCP 72 [TCP Dup ACK 9#1] 8080 → 48402 [ACK] Seq=1 Ack=80 Win=65152 Len=0 TSval=2816273104 TSecr=2076236842
12 0.000169 172.17.0.2 → 172.17.0.1 TCP 235 [TCP Retransmission] 8080 → 48402 [PSH, ACK] Seq=1 Ack=80 Win=65152 Len=163 TSval=2816273104 TSecr=2076236842
13 0.000178 172.17.0.1 → 172.17.0.2 TCP 72 48402 → 8080 [ACK] Seq=80 Ack=164 Win=64128 Len=0 TSval=2076236842 TSecr=2816273104
16 0.000189 172.17.0.2 → 172.17.0.1 TCP 263 [TCP Retransmission] 8080 → 48402 [PSH, ACK] Seq=164 Ack=80 Win=65152 Len=191 TSval=2816273104 TSecr=2076236842
17 0.000193 172.17.0.1 → 172.17.0.2 TCP 72 48402 → 8080 [ACK] Seq=80 Ack=355 Win=64128 Len=0 TSval=2076236842 TSecr=2816273104
19 0.000232 172.17.0.1 → 172.17.0.2 TCP 72 48402 → 8080 [FIN, ACK] Seq=80 Ack=355 Win=64128 Len=0 TSval=2076236842 TSecr=2816273104
22 0.040551 172.17.0.2 → 172.17.0.1 TCP 72 [TCP Dup ACK 21#1] 8080 → 48402 [ACK] Seq=355 Ack=81 Win=65152 Len=0 TSval=2816273144 TSecr=2076236842
您可以在输出中看到没有任何重复的数据包。