I want to see the HTTP message sequence (headers, body and so on) between localhost and the address 178.209.54.154.
Right now I am using the command:
tcpdump -s 0 -i en0 -vvv -XX -n net 178.209.54.154 and tcp port http
and I get something like this:
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:37:53.995945 IP (tos 0x0, ttl 64, id 610, offset 0, flags [DF], proto TCP (6), length 64)
192.168.0.100.50145 > 178.209.54.154.80: Flags [S], cksum 0x816e (correct), seq 2583279465, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 921157274 ecr 0,sackOK,eol], length 0
0x0000: 10fe ed86 4692 2837 3719 e1e4 0800 4500 ....F.(77.....E.
0x0010: 0040 0262 4000 4006 8dde c0a8 0064 b2d1 .@.b@.@......d..
0x0020: 369a c3e1 0050 99f9 b769 0000 0000 b002 6....P...i......
0x0030: ffff 816e 0000 0204 05b4 0103 0305 0101 ...n............
0x0040: 080a 36e7 be9a 0000 0000 0402 0000 ..6...........
12:37:54.028202 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
178.209.54.154.80 > 192.168.0.100.50145: Flags [S.], cksum 0xcc89 (correct), seq 2159366931, ack 2583279466, win 14480, options [mss 1460,sackOK,TS val 3897807146 ecr 921157274,nop,wscale 6], length 0
0x0000: 2837 3719 e1e4 10fe ed86 4692 0800 4500 (77.......F...E.
0x0010: 003c 0000 4000 3506 9b44 b2d1 369a c0a8 .<..@.5..D..6...
0x0020: 0064 0050 c3e1 80b5 5313 99f9 b76a a012 .d.P....S....j..
0x0030: 3890 cc89 0000 0204 05b4 0402 080a e853 8..............S
0x0040: d12a 36e7 be9a 0103 0306 .*6.......
12:37:54.028392 IP (tos 0x0, ttl 64, id 52651, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.100.50145 > 178.209.54.154.80: Flags [.], cksum 0x23b0 (correct), seq 1, ack 1, win 4117, options [nop,nop,TS val 921157306 ecr 3897807146], length 0
0x0000: 10fe ed86 4692 2837 3719 e1e4 0800 4500 ....F.(77.....E.
0x0010: 0034 cdab 4000 4006 c2a0 c0a8 0064 b2d1 .4..@.@......d..
0x0020: 369a c3e1 0050 99f9 b76a 80b5 5314 8010 6....P...j..S...
0x0030: 1015 23b0 0000 0101 080a 36e7 beba e853 ..#.......6....S
0x0040: d12a .*
12:37:54.028939 IP (tos 0x0, ttl 64, id 50669, offset 0, flags [DF], proto TCP (6), length 733)
192.168.0.100.50145 > 178.209.54.154.80: Flags [P.], cksum 0xf925 (correct), seq 1:682, ack 1, win 4117, options [nop,nop,TS val 921157306 ecr 3897807146], length 681
0x0000: 10fe ed86 4692 2837 3719 e1e4 0800 4500 ....F.(77.....E.
0x0010: 02dd c5ed 4000 4006 c7b5 c0a8 0064 b2d1 ....@.@......d..
0x0020: 369a c3e1 0050 99f9 b76a 80b5 5314 8018 6....P...j..S...
0x0030: 1015 f925 0000 0101 080a 36e7 beba e853 ...%......6....S
0x0040: d12a 504f 5354 202f 6170 692f 7075 7368 .*POST./api/push
Is there a way to view this as human-readable text?
Answer 0 (score: 0)
I found the answer here. What is needed is -A and -s 0; -X is not needed.
So now the command looks like this:
tcpdump -s 0 -i en0 -A -n net 178.209.54.154 and tcp port http
and the TCP message sequence being established can be seen:
//This is the first TCP SYN message
12:56:20.423947 IP 192.168.0.100.50309 > 178.209.54.154.80: Flags [S], seq 500264639, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 922261713 ecr 0,sackOK,eol], length 0
E..@2.@.@.^%...d..6....P..n.........kU.............
6...........
//SYN/ACK packet
12:56:20.454469 IP 178.209.54.154.80 > 192.168.0.100.50309: Flags [S.], seq 2881439697, ack 500264640, win 14480, options [mss 1460,sackOK,TS val 3898083756 ecr 922261713,nop,wscale 6], length 0
E..<..@.4..D..6....d.P....G...n...8.^".........
.X .6.......
//SYN/ACK packet
12:56:20.454569 IP 192.168.0.100.50309 > 178.209.54.154.80: Flags [.], ack 1, win 4117, options [nop,nop,TS val 922261743 ecr 3898083756], length 0
E..4.p@.@......d..6....P..n...G......J.....
6....X .
//TCP data segment request
12:56:20.454814 IP 192.168.0.100.50309 > 178.209.54.154.80: Flags [P.], seq 1:682, ack 1, win 4117, options [nop,nop,TS val 922261743 ecr 3898083756], length 681
E...].@.@./....d..6....P..n...G............
6....X .POST /api/push/push_notifications HTTP/1.1
Host: www.swisshttp.weact.ch
Connection: keep-alive
Content-Length: 79
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo
X-CSRF-Token: L3rPWu32UJS_nFdt60nXsX1-QalAtyfu8SN4bulqka4
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: SESSddd86b861821645243debeb76dd4c66e=ukkmK9R2qpXb5qzXCs6qfGO5_cjSTrc7UwolrL94ylg; has_js=1
token=7fa88ba075b6b20e388bc6171379004c853a775dec08aa2a2559c34dfd79cd9h&type=ios
//TCP ACK maybe??
12:56:20.485212 IP 178.209.54.154.80 > 192.168.0.100.50309: Flags [.], ack 682, win 248, options [nop,nop,TS val 3898083764 ecr 922261743], length 0
E..4Nf@.4.M...6....d.P....G...qi...........
.X .6...
//TCP data segment response
12:56:20.638911 IP 178.209.54.154.80 > 192.168.0.100.50309: Flags [P.], seq 1:381, ack 682, win 248, options [nop,nop,TS val 3898083802 ecr 922261743], length 380
E...Ng@.4.Li..6....d.P....G...qi.....5.....
.X .6...HTTP/1.1 200 OK
Date: Mon, 10 Aug 2015 10:56:20 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Vary: Accept
Content-Length: 77
Keep-Alive: timeout=30, max=50
Connection: Keep-Alive
Content-Type: application/json
{"success":1,"message":"This token was successfully stored in the database."}
//TCP FIN/ACK
12:56:20.639082 IP 192.168.0.100.50309 > 178.209.54.154.80: Flags [.], ack 381, win 4105, options [nop,nop,TS val 922261926 ecr 3898083802], length 0
E..4..@.@..r...d..6....P..qi..IN... .L.....
6....X .
^C
7 packets captured
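As an added example, not part of the question or the answer above: the Python script below does by hand what -A does for you. It reads the -XX hex dumps copied from the first four packets of the question's capture, rebuilds each frame, walks the Ethernet II, IPv4 and TCP headers and returns the flags in tcpdump's notation together with the bytes after the TCP header, which is exactly the text -A prints. The fourth dump is cut off in the post, so the script also compares the bytes it has with the IP total length and marks that frame as truncated; that is the same check that tells you a capture taken without -s 0 (a snaplen smaller than the packet) has lost payload. Nothing else is assumed: the only input is the capture above.

```python
"""Rebuild TCP payloads from `tcpdump -XX` hex dumps.

Added example, not code from the question or the answer. It does by hand what
`-A` does: parse the hex columns, walk Ethernet II -> IPv4 -> TCP and return each
segment's flags and payload. Frames shorter than the IP total length are reported,
which is what a capture taken without `-s 0` (too small a snaplen) looks like.
"""
import re
import struct
from collections import namedtuple

# Hex-dump lines copied from the four packets in the question's -XX output
# (the fourth packet is cut off in the post after its first five lines).
CAPTURE = """\
0x0000: 10fe ed86 4692 2837 3719 e1e4 0800 4500 ....F.(77.....E.
0x0010: 0040 0262 4000 4006 8dde c0a8 0064 b2d1 .@.b@.@......d..
0x0020: 369a c3e1 0050 99f9 b769 0000 0000 b002 6....P...i......
0x0030: ffff 816e 0000 0204 05b4 0103 0305 0101 ...n............
0x0040: 080a 36e7 be9a 0000 0000 0402 0000 ..6...........
0x0000: 2837 3719 e1e4 10fe ed86 4692 0800 4500 (77.......F...E.
0x0010: 003c 0000 4000 3506 9b44 b2d1 369a c0a8 .<..@.5..D..6...
0x0020: 0064 0050 c3e1 80b5 5313 99f9 b76a a012 .d.P....S....j..
0x0030: 3890 cc89 0000 0204 05b4 0402 080a e853 8..............S
0x0040: d12a 36e7 be9a 0103 0306 .*6.......
0x0000: 10fe ed86 4692 2837 3719 e1e4 0800 4500 ....F.(77.....E.
0x0010: 0034 cdab 4000 4006 c2a0 c0a8 0064 b2d1 .4..@.@......d..
0x0020: 369a c3e1 0050 99f9 b76a 80b5 5314 8010 6....P...j..S...
0x0030: 1015 23b0 0000 0101 080a 36e7 beba e853 ..#.......6....S
0x0040: d12a .*
0x0000: 10fe ed86 4692 2837 3719 e1e4 0800 4500 ....F.(77.....E.
0x0010: 02dd c5ed 4000 4006 c7b5 c0a8 0064 b2d1 ....@.@......d..
0x0020: 369a c3e1 0050 99f9 b76a 80b5 5314 8018 6....P...j..S...
0x0030: 1015 f925 0000 0101 080a 36e7 beba e853 ...%......6....S
0x0040: d12a 504f 5354 202f 6170 692f 7075 7368 .*POST./api/push
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+(.*)$")
# flags use tcpdump's notation, ip_len is the IPv4 total length from the header,
# payload is everything after the TCP header (what -A prints)
Segment = namedtuple("Segment", "src sport dst dport flags ip_len truncated payload")

def parse_hexdump(lines):
    """Turn one packet's -XX hex-dump lines back into raw frame bytes."""
    out = bytearray()
    for line in lines:
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset 0x{m.group(1)} does not follow {len(out)} bytes")
        for i, tok in enumerate(m.group(2).split()):
            # at most 8 hex groups per line, then tcpdump's ASCII column: stop there
            if i >= 8 or not re.fullmatch(r"[0-9a-f]{4}|[0-9a-f]{2}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def tcpdump_flags(bits):
    """Render TCP flag bits in the order tcpdump prints them (F S R P . U E W)."""
    table = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]
    return "".join(name for bit, name in table if bits & bit)

def dissect_frame(frame):
    """Walk Ethernet II -> IPv4 -> TCP and return a Segment for the frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]          # the slice also drops any Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4    # TCP header length including options
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return Segment(src, sport, dst, dport, tcpdump_flags(tcp[13]),
                   total_len, len(ip) < total_len, bytes(tcp[data_off:]))

def parse_capture(text):
    """Split pasted -XX output into frames; a new frame starts at offset 0x0000."""
    frames, current = [], []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                  # summary lines and other noise are skipped
        if m.group(1) == "0000" and current:
            frames.append(current)
            current = []
        current.append(line)
    if current:
        frames.append(current)
    return [dissect_frame(parse_hexdump(f)) for f in frames]

if __name__ == "__main__":
    for s in parse_capture(CAPTURE):
        note = " (truncated)" if s.truncated else ""
        print(f"{s.src}.{s.sport} > {s.dst}.{s.dport}: Flags [{s.flags}], "
              f"length {len(s.payload)}{note}")
        if s.payload:
            print("    " + s.payload.decode("ascii", "replace"))
```

Run as is, it prints the same SYN, SYN/ACK, ACK sequence as the -A output (the third packet, Flags [.], is the client's ACK that completes the handshake) and then "POST /api/push" for the first data segment, which is marked truncated because only 80 of the 747 frame bytes made it into the post. The flip side of being able to read the request this way is worth stating: the session cookie, the X-CSRF-Token header and the push token in the POST body shown in the answer travel over port 80 in the clear, so anyone who can capture on the path sees them exactly as this tcpdump does.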