0. Preface
In the internet technology industry the network is at the core of daily work: whatever your role, you cannot avoid dealing with it, and the body of networking knowledge is enormous. Readers who want to go deeper are recommended the three volumes of TCP/IP Illustrated. The network problems that come up most often day to day are a host that cannot be reached, a port that cannot be reached, and abnormal packets. For an unreachable host you use ping; for an unreachable port, telnet; for abnormal packets you capture the traffic and look at it, which is where today's subject, tcpdump, comes in. tcpdump captures packets, and the capture can then be examined with a common tool such as Wireshark to get to the bottom of a network problem. Today we look at how tcpdump is used and which everyday problems it can solve.
1. Lab setup
We prepare two virtual machines running Rocky Linux 9 with the following configuration:
IP address | CPU | Memory |
---|---|---|
192.168.159.167 | 4 cores | 8G |
192.168.159.168 | 4 cores | 8G |
Once they are ready, check whether tcpdump is installed on each server; if not, install it with:
yum install -y tcpdump
Capturing needs raw-socket access, so run tcpdump as root (or via sudo). The "dropped privs to tcpdump" line in the outputs below is tcpdump reporting that, once the capture socket is open, it has dropped to the unprivileged tcpdump user. With everything in place, the experiment can begin.
2. Common tcpdump usage
A quick introduction to the common options, as preparation for the examples later.
2.1 Capture on a given interface
tcpdump -i ens160
The main part of the captured output looks like this:
11:34:19.760275 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 45840:48760, ack 641, win 249, length 2920
11:34:19.760316 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 48760:50128, ack 641, win 249, length 1368
11:34:19.760348 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 50128:51184, ack 641, win 249, length 1056
11:34:19.760378 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 51184:54104, ack 641, win 249, length 2920
11:34:19.760394 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 54104:54240, ack 641, win 249, length 136
11:34:19.760423 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 54240:55296, ack 641, win 249, length 1056
11:34:19.760491 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 55296:56864, ack 641, win 249, length 1568
11:34:19.760518 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 56864:57216, ack 641, win 249, length 352
As you can see it is mostly SSH traffic: the SSH session from 192.168.159.1 (client port 52018) through which the capture itself is being run is the busiest thing on the interface.
2.2 Capture a given number of packets
tcpdump -c 2 -i ens160
The output is:
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:50:30.470981 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 3630793102:3630793310, ack 1984352038, win 249, length 208
11:50:30.471009 IP 192.168.159.168.mysql > rocky-web.44532: Flags [.], ack 321520384, win 249, options [nop,nop,TS val 181262507 ecr 1344057709], length 0
2 packets captured
12 packets received by filter
0 packets dropped by kernel
Two packets were captured. The trailer also reports that 12 packets matched the filter and that 0 were dropped by the kernel. In a real investigation a non-zero "dropped by kernel" count means the capture is incomplete: a dropped packet is simply absent from the evidence, so check this trailer before drawing conclusions from a capture.
2.3 Write the capture to a file
tcpdump -w 20250603.pcap -i ens160
Stop it with Ctrl+C and it prints:
dropped privs to tcpdump
tcpdump: listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
1196 packets captured
1198 packets received by filter
0 packets dropped by kernel
This means 1196 packets were captured and written to 20250603.pcap for later analysis. With -w nothing is decoded on screen; the file stores the raw packets, so the decode options shown in the following sections (such as -v or -X) have no effect on its contents.
2.4 Read a capture file
tcpdump -r 20250603.pcap
It prints the captured packets:
reading from file 20250603.pcap, link-type EN10MB (Ethernet), snapshot length 262144
dropped privs to tcpdump
13:26:18.052332 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 3630809854:3630810030, ack 1984365638, win 249, length 176
13:26:18.052821 IP 192.168.159.1.52018 > rocky-web.ssh: Flags [.], ack 176, win 4099, length 0
13:26:18.078799 IP rocky-web.44534 > 192.168.159.168.mysql: Flags [.], ack 2096048902, win 249, options [nop,nop,TS val 1349805358 ecr 186972089], length 0
13:26:18.324251 IP 192.168.159.168.46612 > rocky-web.20090: Flags [P.], seq 1189837158:1189837207, ack 1580946759, win 251, options [nop,nop,TS val 186972380 ecr 1349804586], length 49
13:26:18.324386 IP rocky-web.20090 > 192.168.159.168.46612: Flags [P.], seq 1:30, ack 49, win 249, options [nop,nop,TS val 1349805603 ecr 186972380], length 29
13:26:18.324562 IP 192.168.159.168.46612 > rocky-web.20090: Flags [.], ack 30, win 251, options [nop,nop,TS val 186972381 ecr 1349805603], length 0
13:26:18.339876 IP rocky-web.44534 > 192.168.159.168.mysql: Flags [P.], seq 0:31, ack 1, win 249, options [nop,nop,TS val 1349805619 ecr 186972089], length 31
13:26:18.340513 IP 192.168.159.168.mysql > rocky-web.44534: Flags [.], seq 1:1449, ack 31, win 760, options [nop,nop,TS val 186972396 ecr 1349805619], length 1448
13:26:18.340524 IP rocky-web.44534 > 192.168.159.168.mysql: Flags [.], ack 1449, win 249, options [nop,nop,TS val 1349805619 ecr 186972396], length 0
13:26:18.340563 IP 192.168.159.168.mysql > rocky-web.44534: Flags [P.], seq 1449:1512, ack 31, win 760, options [nop,nop,TS val 186972396 ecr 1349805619], length 63
13:26:18.340584 IP rocky-web.44534 > 192.168.159.168.mysql: Flags [.], ack 1512, win 249, options [nop,nop,TS val 1349805619 ecr 186972396], length 0
13:26:18.357139 IP rocky-web.44534 > 192.168.159.168.mysql: Flags [P.], seq 31:85, ack 1512, win 249, options [nop,nop,TS val 1349805636 ecr 186972396], length 54
13:26:18.357299 ARP, Request who-has _gateway tell 192.168.159.168, length 46
2.5 Show the full capture timestamp
tcpdump -tttt -i ens160
Note that -i takes the interface name as its argument, so the interface must follow -i directly. The output is:
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2025-06-03 13:53:09.891524 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 3631188590:3631188830, ack 1984372198, win 286, length 240
2025-06-03 13:53:09.918054 IP rocky-web.36334 > 192.168.159.168.mysql: Flags [P.], seq 750640168:750640199, ack 1142970624, win 249, options [nop,nop,TS val 1351417197 ecr 188584737], length 31
2025-06-03 13:53:09.918860 IP 192.168.159.168.mysql > rocky-web.36334: Flags [.], ack 31, win 391, options [nop,nop,TS val 188584869 ecr 1351417197], length 0
2025-06-03 13:53:09.918879 IP 192.168.159.168.mysql > rocky-web.36334: Flags [.], seq 1:1449, ack 31, win 391, options [nop,nop,TS val 188584869 ecr 1351417197], length 1448
2025-06-03 13:53:09.918895 IP 192.168.159.168.mysql > rocky-web.36334: Flags [P.], seq 1449:1512, ack 31, win 391, options [nop,nop,TS val 188584869 ecr 1351417197], length 63
2025-06-03 13:53:09.918904 IP rocky-web.36334 > 192.168.159.168.mysql: Flags [.], ack 1512, win 249, options [nop,nop,TS val 1351417198 ecr 188584869], length 0
2025-06-03 13:53:09.932877 IP 192.168.159.1.52018 > rocky-web.ssh: Flags [.], ack 240, win 4099, length 0
Each line now carries the date as well as the time of day, which matters when a capture is kept as evidence or correlated with logs.
2.6 Select a protocol
tcpdump -i ens160 arp
The intention is to capture only ARP packets; the output obtained was:
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:15:19.440963 IP rocky-web.55874 > 114.118.7.163.ntp: NTPv4, Client, length 48
15:15:19.516853 IP rocky-web.40622 > _gateway.domain: 49245+ PTR? 163.7.118.114.in-addr.arpa. (44)
15:15:19.534470 IP _gateway.domain > rocky-web.40622: 49245 NXDomain 0/1/0 (96)
15:15:19.536349 IP rocky-web.38459 > _gateway.domain: 59424+ PTR? 167.159.168.192.in-addr.arpa. (46)
15:15:19.546782 IP _gateway.domain > rocky-web.38459: 59424 NXDomain 0/1/0 (128)
15:15:19.638321 IP rocky-web.59956 > _gateway.domain: 36090+ PTR? 2.159.168.192.in-addr.arpa. (44)
15:15:19.640944 IP _gateway.domain > rocky-web.59956: 36090 NXDomain 0/1/0 (126)
Look closely, though: none of these lines is ARP. They are an NTP client request and the reverse DNS (PTR) lookups that tcpdump itself performs in order to print hostnames. The arp filter matches only ARP frames, which look like the "ARP, Request who-has _gateway tell 192.168.159.168" line in section 2.4, so this output cannot have come from the filtered command. Two lessons: always check that the output matches the filter you think you applied, and add -n so that tcpdump does not generate PTR lookups that pollute the very traffic you are looking at.
2.7 Select a port
tcpdump -i ens160 port 22
The output is:
15:20:47.292086 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 3631326302:3631326510, ack 1984376950, win 413, length 208
15:20:47.298030 IP 192.168.159.1.52018 > rocky-web.ssh: Flags [.], ack 208, win 4097, length 0
15:20:47.397079 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 208:496, ack 1, win 413, length 288
15:20:47.441778 IP 192.168.159.1.52018 > rocky-web.ssh: Flags [.], ack 496, win 4096, length 0
15:20:47.473042 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 496:752, ack 1, win 413, length 256
15:20:47.532613 IP 192.168.159.1.52018 > rocky-web.ssh: Flags [.], ack 752, win 4095, length 0
15:20:47.578273 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 752:1008, ack 1, win 413, length 256
15:20:47.622747 IP 192.168.159.1.52018 > rocky-web.ssh: Flags [.], ack 1008, win 4100, length 0
15:20:47.684244 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 1008:1280, ack 1, win 413, length 272
15:20:47.731368 IP 192.168.159.1.52018 > rocky-web.ssh: Flags [.], ack 1280, win 4099, length 0
All of it is SSH traffic, in both directions. port 22 matches either the source or the destination port; use src port 22 or dst port 22 to restrict it to one direction.
2.8 Select a destination IP and port
tcpdump -i ens160 dst 192.168.159.1 and port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:40:29.624130 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 3631337454:3631337534, ack 1984382246, win 486, length 80
15:40:29.624288 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 80:272, ack 1, win 486, length 192
15:40:29.624684 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 272:640, ack 1, win 486, length 368
15:40:29.656861 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 640:832, ack 1, win 486, length 192
15:40:29.656940 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 832:896, ack 1, win 486, length 64
15:40:29.656969 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 896:1056, ack 1, win 486, length 160
15:40:29.657005 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 1056:1120, ack 1, win 486, length 64
15:40:29.657045 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 1120:1280, ack 1, win 486, length 160
15:40:29.657076 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 1280:1344, ack 1, win 486, length 64
15:40:29.756470 IP rocky-web.ssh > 192.168.159.1.52018: Flags [P.], seq 1344:2064, ack 1, win 486, length 720
The traffic is SSH and the destination IP is indeed 192.168.159.1. Because the filter names a destination only, just the packets from rocky-web to 192.168.159.1 are captured; the returning ACKs that appeared in section 2.7 are absent. Keep this in mind: a dst filter always shows one half of a conversation.
3. tcpdump in practice
With the basics above we can start the experiment proper.
Experiment: deploy nginx on 192.168.159.167 (nginx installation is not covered here; search for it if you have not done it before), write a simple front-end page, then send HTTP requests from 192.168.159.168 to 192.168.159.167 and capture them to see exactly what goes over the wire.
3.1 Edit index.html
On 192.168.159.167 edit nginx's index.html page:
cat /usr/local/nginx/html/index.html
Contents:
<!DOCTYPE html>
<html>
<head>
<title>Test!</title>
</head>
<body>
<p><em>Hello the cruel world.</em></p>
</body>
</html>
After editing, load the page in a browser; if it displays correctly, the experiment can start.
3.2 Send HTTP requests
On 192.168.159.168 send HTTP requests in a loop:
while true; do curl 192.168.159.167; sleep 3; done
This sends one HTTP request to 192.168.159.167 every 3 seconds. Leave it running for the whole experiment so there is always a request to capture.
3.3 Capture with tcpdump
First capture with the basic form of the command introduced above, run on 192.168.159.167:
tcpdump -i ens160 dst 192.168.159.168 and port 80
This captures the packets sent towards 192.168.159.168 on port 80, i.e. the server's responses to its requests. The output is:
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:28:12.378765 IP rocky-web.http > 192.168.159.168.52020: Flags [S.], seq 94417879, ack 4155727827, win 31856, options [mss 1460,sackOK,TS val 1358510379 ecr 196269149,nop,wscale 7], length 0
16:28:12.379012 IP rocky-web.http > 192.168.159.168.52020: Flags [.], ack 80, win 249, options [nop,nop,TS val 1358510379 ecr 196269149], length 0
16:28:12.379151 IP rocky-web.http > 192.168.159.168.52020: Flags [P.], seq 1:239, ack 80, win 249, options [nop,nop,TS val 1358510379 ecr 196269149], length 238: HTTP: HTTP/1.1 200 OK
16:28:12.379236 IP rocky-web.http > 192.168.159.168.52020: Flags [P.], seq 239:360, ack 80, win 249, options [nop,nop,TS val 1358510379 ecr 196269149], length 121: HTTP
16:28:12.379519 IP rocky-web.http > 192.168.159.168.52020: Flags [F.], seq 360, ack 81, win 249, options [nop,nop,TS val 1358510380 ecr 196269150], length 0
The responses go to port 52020 on 192.168.159.168, and the capture proves that HTTP requests and responses are being exchanged between 192.168.159.167 and 192.168.159.168. It does not, however, show the whole three-way handshake: because the filter is dst 192.168.159.168, only the server's half of the conversation is captured (the SYN-ACK, the ACK of the request, the two response segments and the FIN), and the client's SYN and its GET request never appear. To see both directions use host 192.168.159.168 and port 80 instead. Either way, at this level of verbosity nothing of the HTTP content itself is visible.
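The direction problem just described can be checked mechanically rather than by eye. The following Python script is an added example, not code from the original post: it parses tcpdump's default one-line output (the format shown in sections 2.1 to 2.8 and 3.3) together with the "N packets ..." trailer from section 2.2, and reports which traffic directions and which handshake flags a capture actually contains, and whether the kernel dropped anything. The SAMPLE lines are copied from the section 3.3 output; the trailer counts appended to them are assumed, since the post does not show them for that run.

```python
"""Parse tcpdump's one-line text output and audit what a capture can prove.

Added example, not part of the original post.  SAMPLE copies the section 3.3
output and appends a trailer in the section 2.2 format; the trailer counts
(5 / 5 / 0) are assumed, not taken from the post.
"""
import re
from collections import Counter

# One TCP line of tcpdump's default (non -v) output.  Names are kept as
# printed; run tcpdump with -nn to get numeric addresses and ports instead.
TCP_LINE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>[\w-]+) > (?P<dst>\S+?)\.(?P<dport>[\w-]+): '
    r'Flags \[(?P<flags>[^\]]*)\],'
    r'(?: seq (?P<seq>[\d:]+),)?'
    r'(?: ack (?P<ack>\d+),)?'
    r' win (?P<win>\d+),'
    r'(?: options \[[^\]]*\],)?'
    r' length (?P<length>\d+)'
)
# The "N packets ..." trailer tcpdump prints when it stops.
TRAILER = re.compile(r'^(\d+) packets (captured|received by filter|dropped by kernel)$')

SAMPLE = """\
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:28:12.378765 IP rocky-web.http > 192.168.159.168.52020: Flags [S.], seq 94417879, ack 4155727827, win 31856, options [mss 1460,sackOK,TS val 1358510379 ecr 196269149,nop,wscale 7], length 0
16:28:12.379012 IP rocky-web.http > 192.168.159.168.52020: Flags [.], ack 80, win 249, options [nop,nop,TS val 1358510379 ecr 196269149], length 0
16:28:12.379151 IP rocky-web.http > 192.168.159.168.52020: Flags [P.], seq 1:239, ack 80, win 249, options [nop,nop,TS val 1358510379 ecr 196269149], length 238: HTTP: HTTP/1.1 200 OK
16:28:12.379236 IP rocky-web.http > 192.168.159.168.52020: Flags [P.], seq 239:360, ack 80, win 249, options [nop,nop,TS val 1358510379 ecr 196269149], length 121: HTTP
16:28:12.379519 IP rocky-web.http > 192.168.159.168.52020: Flags [F.], seq 360, ack 81, win 249, options [nop,nop,TS val 1358510380 ecr 196269150], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
""".splitlines()


def parse_line(line):
    """Return the fields of one TCP line, or None for banners, ARP, DNS, etc."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['win'] = int(d['win'])
    d['length'] = int(d['length'])
    return d


def parse_trailer(lines):
    """Collect the packet counters from the trailer, keyed by tcpdump's wording."""
    counts = {}
    for line in lines:
        m = TRAILER.match(line.strip())
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def audit_capture(lines):
    """Summarise the capture and say what it can and cannot show."""
    pkts = [p for p in map(parse_line, lines) if p]
    directions = Counter((p['src'], p['dst']) for p in pkts)
    flags = [p['flags'] for p in pkts]
    counts = parse_trailer(lines)
    return {
        'tcp_packets': len(pkts),
        'directions': dict(directions),
        # both (a, b) and (b, a) present means both halves of the talk were seen
        'bidirectional': any((d, s) in directions for s, d in directions),
        'client_syn_seen': 'S' in flags,      # bare SYN: only the client sends it
        'syn_ack_seen': 'S.' in flags,        # SYN-ACK: the server's half
        'full_handshake_visible': 'S' in flags and 'S.' in flags,
        'payload_bytes': sum(p['length'] for p in pkts),
        'kernel_drops': counts.get('dropped by kernel', 0),
    }
```

Run on the 3.3 capture, the audit reports syn_ack_seen but not client_syn_seen, a single (src, dst) pair and bidirectional false, which is the signature of a one-directional dst filter. kernel_drops is the other value to look at before trusting a capture; a non-zero count means packets are missing from the record.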
3.4 Refining the tcpdump capture command
To see more of the exchange we refine the capture command:
tcpdump -i ens160 -vvv -tttt -nn -XX dst 192.168.159.168 and port 80
Option meanings:
-vvv: most verbose protocol decode (IP header fields, checksum verification, HTTP headers)
-tttt: timestamps that include the date
-nn: do not resolve IP addresses to hostnames or port numbers to service names, so 192.168.159.167.80 is printed instead of rocky-web.http and tcpdump generates no DNS lookups of its own
-XX: dump every packet in hex and ASCII, including the link-layer (Ethernet) header
The output is:
dropped privs to tcpdump
tcpdump: listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2025-06-03 16:41:03.735170 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.159.167.80 > 192.168.159.168.48312: Flags [S.], cksum 0xc0cf (incorrect -> 0xf152), seq 1443628272, ack 853270288, win 31856, options [mss 1460,sackOK,TS val 1359281735 ecr 197104783,nop,wscale 7], length 0
0x0000: 000c 2973 8445 000c 29f6 150a 0800 4500 ..)s.E..).....E.
0x0010: 003c 0000 4000 4006 7a1b c0a8 9fa7 c0a8 .<..@.@.z.......
0x0020: 9fa8 0050 bcb8 560c 04f0 32db df10 a012 ...P..V...2.....
0x0030: 7c70 c0cf 0000 0204 05b4 0402 080a 5104 |p............Q.
0x0040: fe47 0bbf 948f 0103 0307 .G........
2025-06-03 16:41:03.735517 IP (tos 0x0, ttl 64, id 56241, offset 0, flags [DF], proto TCP (6), length 52)
192.168.159.167.80 > 192.168.159.168.48312: Flags [.], cksum 0xc0c7 (incorrect -> 0x9b45), seq 1, ack 80, win 249, options [nop,nop,TS val 1359281736 ecr 197104784], length 0
0x0000: 000c 2973 8445 000c 29f6 150a 0800 4500 ..)s.E..).....E.
0x0010: 0034 dbb1 4000 4006 9e71 c0a8 9fa7 c0a8 .4..@.@..q......
0x0020: 9fa8 0050 bcb8 560c 04f1 32db df5f 8010 ...P..V...2.._..
0x0030: 00f9 c0c7 0000 0101 080a 5104 fe48 0bbf ..........Q..H..
0x0040: 9490 ..
2025-06-03 16:41:03.735727 IP (tos 0x0, ttl 64, id 56242, offset 0, flags [DF], proto TCP (6), length 290)
192.168.159.167.80 > 192.168.159.168.48312: Flags [P.], cksum 0xc1b5 (incorrect -> 0x8586), seq 1:239, ack 80, win 249, options [nop,nop,TS val 1359281736 ecr 197104784], length 238: HTTP, length: 238
HTTP/1.1 200 OK
Server: Tengine/3.1.0
Date: Tue, 03 Jun 2025 08:41:03 GMT
Content-Type: text/html
Content-Length: 121
Last-Modified: Tue, 03 Jun 2025 08:05:59 GMT
Connection: keep-alive
ETag: "683eace7-79"
Accept-Ranges: bytes
0x0000: 000c 2973 8445 000c 29f6 150a 0800 4500 ..)s.E..).....E.
0x0010: 0122 dbb2 4000 4006 9d82 c0a8 9fa7 c0a8 ."..@.@.........
0x0020: 9fa8 0050 bcb8 560c 04f1 32db df5f 8018 ...P..V...2.._..
0x0030: 00f9 c1b5 0000 0101 080a 5104 fe48 0bbf ..........Q..H..
0x0040: 9490 4854 5450 2f31 2e31 2032 3030 204f ..HTTP/1.1.200.O
0x0050: 4b0d 0a53 6572 7665 723a 2054 656e 6769 K..Server:.Tengi
0x0060: 6e65 2f33 2e31 2e30 0d0a 4461 7465 3a20 ne/3.1.0..Date:.
0x0070: 5475 652c 2030 3320 4a75 6e20 3230 3235 Tue,.03.Jun.2025
0x0080: 2030 383a 3431 3a30 3320 474d 540d 0a43 .08:41:03.GMT..C
0x0090: 6f6e 7465 6e74 2d54 7970 653a 2074 6578 ontent-Type:.tex
0x00a0: 742f 6874 6d6c 0d0a 436f 6e74 656e 742d t/html..Content-
0x00b0: 4c65 6e67 7468 3a20 3132 310d 0a4c 6173 Length:.121..Las
0x00c0: 742d 4d6f 6469 6669 6564 3a20 5475 652c t-Modified:.Tue,
0x00d0: 2030 3320 4a75 6e20 3230 3235 2030 383a .03.Jun.2025.08:
0x00e0: 3035 3a35 3920 474d 540d 0a43 6f6e 6e65 05:59.GMT..Conne
0x00f0: 6374 696f 6e3a 206b 6565 702d 616c 6976 ction:.keep-aliv
0x0100: 650d 0a45 5461 673a 2022 3638 3365 6163 e..ETag:."683eac
0x0110: 6537 2d37 3922 0d0a 4163 6365 7074 2d52 e7-79"..Accept-R
0x0120: 616e 6765 733a 2062 7974 6573 0d0a 0d0a anges:.bytes....
2025-06-03 16:41:03.735804 IP (tos 0x0, ttl 64, id 56243, offset 0, flags [DF], proto TCP (6), length 173)
192.168.159.167.80 > 192.168.159.168.48312: Flags [P.], cksum 0xc140 (incorrect -> 0x021b), seq 239:360, ack 80, win 249, options [nop,nop,TS val 1359281736 ecr 197104784], length 121: HTTP
0x0000: 000c 2973 8445 000c 29f6 150a 0800 4500 ..)s.E..).....E.
0x0010: 00ad dbb3 4000 4006 9df6 c0a8 9fa7 c0a8 ....@.@.........
0x0020: 9fa8 0050 bcb8 560c 05df 32db df5f 8018 ...P..V...2.._..
0x0030: 00f9 c140 0000 0101 080a 5104 fe48 0bbf ...@......Q..H..
0x0040: 9490 3c21 444f 4354 5950 4520 6874 6d6c ..<!DOCTYPE.html
0x0050: 3e0a 3c68 746d 6c3e 0a3c 6865 6164 3e0a >.<html>.<head>.
0x0060: 3c74 6974 6c65 3e54 6573 7421 3c2f 7469 <title>Test!</ti
0x0070: 746c 653e 0a3c 2f68 6561 643e 0a3c 626f tle>.</head>.<bo
0x0080: 6479 3e0a 3c70 3e3c 656d 3e48 656c 6c6f dy>.<p><em>Hello
0x0090: 2074 6865 2063 7275 656c 2077 6f72 6c64 .the.cruel.world
0x00a0: 2e3c 2f65 6d3e 3c2f 703e 0a3c 2f62 6f64 .</em></p>.</bod
0x00b0: 793e 0a3c 2f68 746d 6c3e 0a y>.</html>.
2025-06-03 16:41:03.736460 IP (tos 0x0, ttl 64, id 56244, offset 0, flags [DF], proto TCP (6), length 52)
192.168.159.167.80 > 192.168.159.168.48312: Flags [F.], cksum 0xc0c7 (incorrect -> 0x99da), seq 360, ack 81, win 249, options [nop,nop,TS val 1359281737 ecr 197104785], length 0
0x0000: 000c 2973 8445 000c 29f6 150a 0800 4500 ..)s.E..).....E.
0x0010: 0034 dbb4 4000 4006 9e6e c0a8 9fa7 c0a8 .4..@.@..n......
0x0020: 9fa8 0050 bcb8 560c 0658 32db df60 8011 ...P..V..X2..`..
0x0030: 00f9 c0c7 0000 0101 080a 5104 fe49 0bbf ..........Q..I..
0x0040: 9491
The output is now very rich: almost the whole response is printed, including both servers' IPs and ports, the server's side of the handshake (the SYN-ACK followed by the ACK of the request), the HTTP response headers and the response body (the HTML file). Most importantly, the text "Hello the cruel world." from index.html is readable in clear. Two things are worth knowing when reading this output. First, the "cksum 0xc1b5 (incorrect -> 0x8586)" annotations do not mean the packets are corrupted: the capture was taken on the sending host, where the kernel hands each segment to the NIC with TCP checksum offload enabled, so tcpdump sees the placeholder value before the hardware fills in the real checksum; captured on the receiving host, the same packets verify correctly. Second, everything is visible only because this is plain HTTP; for HTTPS tcpdump would show only TLS records, and the Server header, the ETag and the page text would not be readable from the capture.
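To make the hex dump concrete, here is an added example (not part of the original post) that rebuilds the raw frames from two of the -XX dumps printed above (the ACK of the request and the HTTP 200 segment, copied verbatim), parses the Ethernet, IPv4 and TCP headers by hand, verifies the IPv4 header checksum, recomputes the TCP checksum over the pseudo-header, and extracts the HTTP status line and headers. It also tests the offload explanation directly: if the stored TCP checksum equals the folded pseudo-header sum, it is the placeholder the Linux kernel leaves for the NIC to complete, not a corrupted packet. The function and variable names are this example's own.

```python
"""Decode tcpdump -XX rows into Ethernet/IPv4/TCP fields and verify the checksums.
Added example, not from the original post: ACK_DUMP and HTTP_DUMP are copied from
the section 3.4 output; the code and the names are this example's own."""
import re
import struct

ACK_DUMP = """\
0x0000: 000c 2973 8445 000c 29f6 150a 0800 4500 ..)s.E..).....E.
0x0010: 0034 dbb1 4000 4006 9e71 c0a8 9fa7 c0a8 .4..@.@..q......
0x0020: 9fa8 0050 bcb8 560c 04f1 32db df5f 8010 ...P..V...2.._..
0x0030: 00f9 c0c7 0000 0101 080a 5104 fe48 0bbf ..........Q..H..
0x0040: 9490 ..
"""
HTTP_DUMP = """\
0x0000: 000c 2973 8445 000c 29f6 150a 0800 4500 ..)s.E..).....E.
0x0010: 0122 dbb2 4000 4006 9d82 c0a8 9fa7 c0a8 ."..@.@.........
0x0020: 9fa8 0050 bcb8 560c 04f1 32db df5f 8018 ...P..V...2.._..
0x0030: 00f9 c1b5 0000 0101 080a 5104 fe48 0bbf ..........Q..H..
0x0040: 9490 4854 5450 2f31 2e31 2032 3030 204f ..HTTP/1.1.200.O
0x0050: 4b0d 0a53 6572 7665 723a 2054 656e 6769 K..Server:.Tengi
0x0060: 6e65 2f33 2e31 2e30 0d0a 4461 7465 3a20 ne/3.1.0..Date:.
0x0070: 5475 652c 2030 3320 4a75 6e20 3230 3235 Tue,.03.Jun.2025
0x0080: 2030 383a 3431 3a30 3320 474d 540d 0a43 .08:41:03.GMT..C
0x0090: 6f6e 7465 6e74 2d54 7970 653a 2074 6578 ontent-Type:.tex
0x00a0: 742f 6874 6d6c 0d0a 436f 6e74 656e 742d t/html..Content-
0x00b0: 4c65 6e67 7468 3a20 3132 310d 0a4c 6173 Length:.121..Las
0x00c0: 742d 4d6f 6469 6669 6564 3a20 5475 652c t-Modified:.Tue,
0x00d0: 2030 3320 4a75 6e20 3230 3235 2030 383a .03.Jun.2025.08:
0x00e0: 3035 3a35 3920 474d 540d 0a43 6f6e 6e65 05:59.GMT..Conne
0x00f0: 6374 696f 6e3a 206b 6565 702d 616c 6976 ction:.keep-aliv
0x0100: 650d 0a45 5461 673a 2022 3638 3365 6163 e..ETag:."683eac
0x0110: 6537 2d37 3922 0d0a 4163 6365 7074 2d52 e7-79"..Accept-R
0x0120: 616e 6765 733a 2062 7974 6573 0d0a 0d0a anges:.bytes....
"""
OFFSET = re.compile(r'0x[0-9a-f]{4}:')
HEXTOK = re.compile(r'[0-9a-f]{4}|[0-9a-f]{2}')


def parse_hexdump(text):
    """Rebuild the raw frame from the hex column; the ASCII column is skipped."""
    frame = bytearray()
    for line in text.splitlines():
        toks = line.split()
        if toks and OFFSET.fullmatch(toks[0]):
            for tok in toks[1:9]:             # at most 8 groups of 2 bytes per row
                if not HEXTOK.fullmatch(tok):
                    break                     # first token of the ASCII column
                frame += bytes.fromhex(tok)
    return bytes(frame)


def ones_complement_sum(data):
    """Folded 16-bit one's-complement sum (RFC 1071), before the final inversion."""
    if len(data) % 2:
        data = bytes(data) + b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def checksum(data):
    return 0xffff ^ ones_complement_sum(data)


def flags_to_str(bits):
    """tcpdump's notation in tcpdump's order: F=FIN S=SYN R=RST P=PSH .=ACK."""
    return ''.join(c for bit, c in ((1, 'F'), (2, 'S'), (4, 'R'), (8, 'P'), (16, '.')) if bits & bit)


def decode_frame(frame):
    """Parse Ethernet II + IPv4 + TCP headers and check both checksums."""
    if struct.unpack('!H', frame[12:14])[0] != 0x0800:
        raise ValueError('not an IPv4 frame')
    ip = frame[14:]
    ihl = (ip[0] & 0x0f) * 4
    ip = ip[:struct.unpack('!H', ip[2:4])[0]]          # drop trailing frame padding, if any
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    ip_ok = checksum(ip[:10] + b'\x00\x00' + ip[12:ihl]) == struct.unpack('!H', ip[10:12])[0]
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack('!HHIIH', tcp[:14])
    stored = struct.unpack('!H', tcp[16:18])[0]
    pseudo = src + dst + struct.pack('!BBH', 0, proto, len(tcp))
    expected = checksum(pseudo + tcp[:16] + b'\x00\x00' + tcp[18:])
    return {
        'src': '.'.join(map(str, src)), 'dst': '.'.join(map(str, dst)),
        'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
        'flags': flags_to_str(off_flags & 0x1ff),
        'ip_checksum_ok': ip_ok,
        'tcp_checksum_stored': stored,
        'tcp_checksum_expected': expected,
        # With TX checksum offload the Linux kernel writes only the folded
        # pseudo-header sum into the field and lets the NIC finish the job, so a
        # capture taken on the sender shows exactly that placeholder, not garbage.
        'tcp_checksum_is_offload_placeholder': stored == ones_complement_sum(pseudo),
        'payload': bytes(tcp[(off_flags >> 12) * 4:]),
    }


def parse_http_response(payload):
    """Split an HTTP/1.x response into status line, header dict and body."""
    head, _, body = payload.partition(b'\r\n\r\n')
    status, *header_lines = head.decode('ascii').split('\r\n')
    return status, dict(h.split(': ', 1) for h in header_lines if ': ' in h), body
```

For the ACK segment the script reports the stored checksum 0xc0c7, the value 0x9b45 that tcpdump says it should be, and a true offload flag; for the HTTP segment it reports 0xc1b5 versus 0x8586, again matching tcpdump's annotation, a valid IPv4 header checksum (which the kernel does compute itself), and the Server: Tengine/3.1.0 and Content-Length: 121 headers from the clear-text response. Capturing on the receiving host, or disabling offload on the sender with ethtool -K ens160 tx off, makes the "incorrect" annotations disappear.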
4. Using Wireshark
Analysing packets from the printed output alone is hard: there is a lot of it and the format is messy. It is better to save the capture to a file and analyse it with a dedicated tool. The recommended one is Wireshark, which installs directly on Windows; you then simply open the capture file in it.
4.1 Installing Wireshark
Download Wireshark from: https://www.wireshark.org/download.html
Download the Windows x64 version and run the installer. When it finishes, open Wireshark; if its main window appears (screenshot not reproduced here), the installation is complete.
4.2 Generating the capture file
The command to write the capture file is:
tcpdump -i ens160 -w 20250603.pcap dst 192.168.159.168 and port 80
The decode options used in section 3.4 (-vvv -tttt -nn -XX) are left out here because they only change what tcpdump prints; -w always writes the raw packets, and Wireshark does its own dissection. Keeping -w and the other options before the filter expression is the conventional, portable ordering. If you want both directions of the conversation in the file, including the client's SYN and its GET request, use host 192.168.159.168 and port 80 instead of the dst filter. Let the command run for a while, then stop it; a 20250603.pcap file appears in the current directory.
4.3 Analysing the file in Wireshark
Copy the capture file produced in the previous step to your workstation and open it in Wireshark.
After opening the file Wireshark shows the packet list (screenshot not reproduced here).
It is much cleaner than the standard output, and the packets are dissected: the handshake and the request details are easy to see by clicking the individual rows. Clicking the HTTP response row shows the following (screenshot not reproduced here):
The HTML file and its contents are visible, which is far more convenient than reading the standard output. See the official Wireshark documentation to learn more of what it can do.
5. Closing
Packet capture is an indispensable skill in the internet technology industry. The above shows the common usage of tcpdump and the usual approach to analysing packets. The example is simple, but the method is the same for harder cases: once you have the analysis method, future packet anomalies can be approached the same way. It does, of course, take practice and accumulated experience.