Find a TCP request + its matching response with tcpdump

Time: 2018-03-17 03:48:04

Tags: tcpdump

I am trying to use tcpdump ..

The final tcpdump command looks like this

sudo tcpdump -i eth0 -n -tt 'tcp port 6379 or port 5432 and (((ip[2:2] - ((ip[0]&0xf)<<2))  - ((tcp[12]&0xf0)>>2)) != 0)'

My understanding is...

I am using port 6379 and port 5432 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) to filter for packets that contain data

When I run it, I see the following output.

1521257077.232079 IP 10.240.0.40.37978 > 10.240.0.9.6379: Flags [P.], seq 1142349306:1142349326, ack 4173563637, win 222, options [nop,nop,TS val 1441301100 ecr 2758188018], length 20: RESP "del" "a"
1521257077.234193 IP 10.240.0.9.6379 > 10.240.0.40.37978: Flags [P.], seq 1:5, ack 20, win 220, options [nop,nop,TS val 2758213022 ecr 1441301100], length 4: RESP "0"
1521257100.633083 IP 10.240.0.40.37978 > 10.240.0.9.6379: Flags [P.], seq 20:40, ack 5, win 222, options [nop,nop,TS val 1441306950 ecr 2758213022], length 20: RESP "del" "a"
1521257100.634825 IP 10.240.0.9.6379 > 10.240.0.40.37978: Flags [P.], seq 5:9, ack 40, win 220, options [nop,nop,TS val 2758218872 ecr 1441306950], length 4: RESP "0"

My goal is to correctly match each TCP request with its corresponding response.

I can draw some inferences from the seq numbers, like here

1521257100.633083 IP 10.240.0.40.37978 > 10.240.0.9.6379: Flags [P.], seq 20:40, ack 5, win 222, options [nop,nop,TS val 1441306950 ecr 2758213022], length 20: RESP "del" "a"

1521257100.634825 IP 10.240.0.9.6379 > 10.240.0.40.37978: Flags [P.], seq 5:9, ack 40, win 220, options [nop,nop,TS val 2758218872 ecr 1441306950], length 4: RESP "0"

I see ack(40) for seq 20:40, but the problem is that I cannot make that inference for the first packet sent (at the start of the connection)

1521257077.232079 IP 10.240.0.40.37978 > 10.240.0.9.6379: Flags [P.], seq 1142349306:1142349326, ack 4173563637, win 222, options [nop,nop,TS val 1441301100 ecr 2758188018], length 20: RESP "del" "a"
1521257077.234193 IP 10.240.0.9.6379 > 10.240.0.40.37978: Flags [P.], seq 1:5, ack 20, win 220, options [nop,nop,TS val 2758213022 ecr 1441301100], length 4: RESP "0"

My only guess is to look at the TCP val/ecr values.

How can I do this?
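As an added worked example (not part of the original question), the following Python script reads `tcpdump -n -tt` lines like the ones above, normalises the first packet's absolute sequence/ack numbers to the relative numbering tcpdump uses for every later packet, and then pairs each request with the response whose ack covers the request's payload. The `Segment` class, `parse`, `match_requests` and `describe` are names chosen for this example; the only input is the four lines from the question, embedded so the script runs offline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the four `tcpdump -n -tt` lines from the question. tcpdump printed
# the first packet with absolute seq/ack numbers and every later packet relative.
SAMPLE = """\
1521257077.232079 IP 10.240.0.40.37978 > 10.240.0.9.6379: Flags [P.], seq 1142349306:1142349326, ack 4173563637, win 222, options [nop,nop,TS val 1441301100 ecr 2758188018], length 20: RESP "del" "a"
1521257077.234193 IP 10.240.0.9.6379 > 10.240.0.40.37978: Flags [P.], seq 1:5, ack 20, win 220, options [nop,nop,TS val 2758213022 ecr 1441301100], length 4: RESP "0"
1521257100.633083 IP 10.240.0.40.37978 > 10.240.0.9.6379: Flags [P.], seq 20:40, ack 5, win 222, options [nop,nop,TS val 1441306950 ecr 2758213022], length 20: RESP "del" "a"
1521257100.634825 IP 10.240.0.9.6379 > 10.240.0.40.37978: Flags [P.], seq 5:9, ack 40, win 220, options [nop,nop,TS val 2758218872 ecr 1441306950], length 4: RESP "0"
"""

# One tcpdump TCP summary line; seq/ack are optional because SYNs and pure ACKs omit them.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)"
    r"(?::\s*(?P<payload>.*))?$"
)


@dataclass
class Segment:
    ts: float
    src: str            # "addr.port" exactly as tcpdump -n prints it
    dst: str
    flags: str
    seq: int            # relative start of the payload
    seq_end: int        # relative end of the payload (seq + length)
    ack: Optional[int]  # relative ack, None for a SYN
    length: int
    payload: str


def port_of(endpoint: str) -> int:
    return int(endpoint.rsplit(".", 1)[1])


def parse(text: str) -> list[Segment]:
    """Parse tcpdump lines and bring every segment to relative seq/ack numbers.

    tcpdump prints absolute numbers for the first packet it sees of a conversation
    (and for SYNs), then relative ones: seq relative to that packet's seq in the
    same direction and to (its ack - 1) in the reverse direction. Mirroring that
    rule turns the first packet into seq 0:length, ack 1, so it becomes comparable
    with the later lines.
    """
    base: dict[tuple[str, str], int] = {}   # (src, dst) -> absolute base seq
    segments: list[Segment] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line
        src, dst, flags = m["src"], m["dst"], m["flags"]
        seq = int(m["seq"]) if m["seq"] else 0
        ack = int(m["ack"]) if m["ack"] else None
        length = int(m["length"])
        first = (src, dst) not in base and (dst, src) not in base
        if first or "S" in flags:
            # absolute numbers: record both bases, then convert this packet
            base[(src, dst)] = seq
            if ack is not None:
                base[(dst, src)] = ack - 1
            seq -= base[(src, dst)]
            if ack is not None:
                ack -= base[(dst, src)]
        segments.append(Segment(float(m["ts"]), src, dst, flags, seq, seq + length,
                                ack, length, m["payload"] or ""))
    return segments


def match_requests(segments: list[Segment], server_ports: set[int]) -> list[tuple[Segment, Segment]]:
    """Pair each client data segment with the server data segment that answers it.

    A response answers a request when its ack covers the request's payload
    (ack >= request.seq_end). One ack may cover several pipelined requests, so
    the earliest unanswered one is taken, which is right for in-order
    request/response protocols such as RESP.
    """
    pending: list[Segment] = []
    pairs: list[tuple[Segment, Segment]] = []
    for seg in segments:
        if seg.length == 0 or seg.ack is None:
            continue  # SYNs and pure ACKs carry no request or response data
        if port_of(seg.dst) in server_ports:
            pending.append(seg)
        elif port_of(seg.src) in server_ports:
            for req in pending:
                if req.src == seg.dst and req.dst == seg.src and req.seq_end <= seg.ack:
                    pairs.append((req, seg))
                    pending.remove(req)
                    break
    return pairs


def describe(pairs: list[tuple[Segment, Segment]]) -> list[str]:
    return [
        f"{req.src} -> {req.dst} seq {req.seq}:{req.seq_end} {req.payload!r}"
        f"  answered by ack {resp.ack} {resp.payload!r} after {(resp.ts - req.ts) * 1000:.1f} ms"
        for req, resp in pairs
    ]


if __name__ == "__main__":
    for line in describe(match_requests(parse(SAMPLE), {6379, 5432})):
        print(line)
```

The conversion step exists only because the capture missed the handshake: tcpdump shows absolute numbers for the first packet of a flow and relative numbers afterwards, so the first request's 1142349306:1142349326 is really 0:20 and the reply's ack 20 already matches it. Running tcpdump with `-S` prints absolute sequence numbers throughout, after which a request's seq end equals its reply's ack with no conversion. The TS val/ecr pair the question mentions can confirm a pairing (ecr echoes the val of the segment being acknowledged) but is coarse: several segments can carry the same val. The script also pairs segments, not messages; a reply split over several segments, or several replies coalesced into one, needs stream reassembly and a RESP parser before the pairing is exact.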

0 answers:

No answers