网络异常时如何抓取数据包

详细信息

阿里云提醒您：

如果您对实例或数据有修改、变更等风险操作，务必注意实例的容灾、容错能力，确保数据安全。

如果您对实例（包括但不限于ECS、RDS）等进行配置与数据修改，建议提前创建快照或开启RDS日志备份等功能。

如果您在阿里云平台授权或者提交过登录账号、密码等安全信息，建议您及时修改。

如果源服务器访问目标服务器时出现异常，您可以抓包获取最原始的交互数据进行排查分析。在介绍常用的抓包工具以及如何抓包的详细信息前，请参见以下文档排查和分析问题。

Linux环境中的抓包工具

Linux环境中通常使用TCPDump工具进行抓包和分析，TCPDump工具是所有Linux发行版本预装的数据包抓取和分析工具。有关TCPDump工具的获取和安装方法，请参见TCPDump官方文档。

关于tcpdump命令的说明如下所示（区分大小写）。

<span style="box-sizing: border-box; padding-right: 0.1px;">tcpdump [ <span style="box-sizing: border-box; color: #0000cc;">-AbdDefhHIJKlLnNOpqStuUvxX</span><span style="box-sizing: border-box; color: #aa5500;"># ] [ -B buffer_size ]</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">-c</span> count ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">-C</span> file_size ] [ <span style="box-sizing: border-box; color: #0000cc;">-G</span> rotate_seconds ] [ <span style="box-sizing: border-box; color: #0000cc;">-F</span> file ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">-i</span> interface ] [ <span style="box-sizing: border-box; color: #0000cc;">-j</span> tstamp_type ] [ <span style="box-sizing: border-box; color: #0000cc;">-m</span> module ] [ <span style="box-sizing: border-box; color: #0000cc;">-M</span> secret ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">--number</span> ] [ <span style="box-sizing: border-box; color: #0000cc;">-Q</span> <span style="box-sizing: border-box; color: #770088;">in</span>|out|inout ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">-r</span> file ] [ <span style="box-sizing: border-box; color: #0000cc;">-V</span> file ] [ <span style="box-sizing: border-box; color: #0000cc;">-s</span> snaplen ] [ <span style="box-sizing: border-box; color: #0000cc;">-T</span> type ] [ <span style="box-sizing: border-box; color: #0000cc;">-w</span> file ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">-W</span> filecount ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">-E</span> spi@ipaddr algo:secret,... ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">-y</span> datalinktype ] [ <span style="box-sizing: border-box; color: #0000cc;">-z</span> postrotate-command ] [ <span style="box-sizing: border-box; color: #0000cc;">-Z</span> user ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">--time-stamp-precision</span><span style="box-sizing: border-box; color: #981a1a;">=</span>tstamp_precision ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ <span style="box-sizing: border-box; color: #0000cc;">--immediate-mode</span> ] [ <span style="box-sizing: border-box; color: #0000cc;">--version</span> ]</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">[ expression ]</span>

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]

[ -c count ]

[ -C file_size ] [ -G rotate_seconds ] [ -F file ]

[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]

[ --number ] [ -Q in|out|inout ]

[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]

[ -W filecount ]

[ -E spi@ipaddr algo:secret,... ]

[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]

[ --time-stamp-precision=tstamp_precision ]

[ --immediate-mode ] [ --version ]

[ expression ]

-s：用于设置数据包抓取长度。如果-s为0，则表示自动选择合适的长度来抓取数据包。
-w：用于将抓包结果导出到文件，而不是在控制台进行分析和打印输出。
-i：用于指定需要监听的接口（网卡）。
-vvv：用于输出详细的交互数据。
expression：是一个正则表达式，用于过滤报文，主要包含如下几类：
- 指定类型的关键字：包括host（主机）、net（网络）和port（端口）。
- 指定传输方向的关键字：包括src（源）、dst（目标）、dst or src（源或目标）和dst and src（源和目标）。
- 指定协议的关键字：包括ICMP、IP、ARP、RARP、TCP和UDP等协议类型。
关于其他参数说明及用法请参见tcpdump的Manpage。

关于tcpdump命令常见用法和示例输出的详细信息。

执行以下命令，抓取eth0网卡22端口的交互数据。

tcpdump -s 0 -i eth0 port 22

1	tcpdump -s 0 -i eth0 port 22

系统显示类似如下。

<span style="box-sizing: border-box; padding-right: 0.1px;">tcpdump: verbose output suppressed, use <span style="box-sizing: border-box; color: #0000cc;">-v</span> or <span style="box-sizing: border-box; color: #0000cc;">-vv</span> <span style="box-sizing: border-box; color: #770088;">for</span> full protocol decode</span>
<span style="box-sizing: border-box; padding-right: 0.1px;">listening on eth0, link-type EN10MB (Ethernet), capture size <span style="box-sizing: border-box; color: #116644;">65535</span> bytes</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:24:59.414951 IP <span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226.ssh &gt; <span style="box-sizing: border-box; color: #116644;">42</span>.xx.xx.107.43414: Flags [P.], seq <span style="box-sizing: border-box; color: #116644;">442372</span>:442536, ack <span style="box-sizing: border-box; color: #116644;">53</span>, win <span style="box-sizing: border-box; color: #116644;">141</span>, length <span style="box-sizing: border-box; color: #116644;">164</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:24:59.415002 IP <span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226.ssh &gt; <span style="box-sizing: border-box; color: #116644;">42</span>.xx.xx.107.43414: Flags [P.], seq <span style="box-sizing: border-box; color: #116644;">442536</span>:442700, ack <span style="box-sizing: border-box; color: #116644;">53</span>, win <span style="box-sizing: border-box; color: #116644;">141</span>, length <span style="box-sizing: border-box; color: #116644;">164</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:24:59.415052 IP <span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226.ssh &gt; <span style="box-sizing: border-box; color: #116644;">42</span>.xx.xx.107.43414: Flags [P.], seq <span style="box-sizing: border-box; color: #116644;">442700</span>:442864, ack <span style="box-sizing: border-box; color: #116644;">53</span>, win <span style="box-sizing: border-box; color: #116644;">141</span>, length <span style="box-sizing: border-box; color: #116644;">164</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:24:59.415103 IP <span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226.ssh &gt; <span style="box-sizing: border-box; color: #116644;">42</span>.xx.xx.107.43414: Flags [P.], seq <span style="box-sizing: border-box; color: #116644;">442864</span>:443028, ack <span style="box-sizing: border-box; color: #116644;">53</span>, win <span style="box-sizing: border-box; color: #116644;">141</span>, length <span style="box-sizing: border-box; color: #116644;">164</span></span>

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

20:24:59.414951 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164

20:24:59.415002 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164

20:24:59.415052 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442700:442864, ack 53, win 141, length 164

20:24:59.415103 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442864:443028, ack 53, win 141, length 164

执行以下命令，抓取eth1网卡发送给22端口的交互数据，并在控制台输出详细交互信息。

tcpdump -s 0 -i eth1 -vvv port 22

1	tcpdump -s 0 -i eth1 -vvv port 22

系统显示类似如下。

<span style="box-sizing: border-box; padding-right: 0.1px;">tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size <span style="box-sizing: border-box; color: #116644;">65535</span> bytes</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:24:20.991006 IP (tos 0x10, ttl <span style="box-sizing: border-box; color: #116644;">64</span>, id <span style="box-sizing: border-box; color: #116644;">22747</span>, offset <span style="box-sizing: border-box; color: #116644;">0</span>, flags [DF], proto TCP (6), length <span style="box-sizing: border-box; color: #116644;">316</span>)</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226.ssh &gt; <span style="box-sizing: border-box; color: #116644;">42</span>.xx.xx.107.43414: Flags [P.], cksum 0x2504 (incorrect <span style="box-sizing: border-box; color: #0000cc;">-</span>&gt; 0x270d), seq <span style="box-sizing: border-box; color: #116644;">133624</span>:133900, ack <span style="box-sizing: border-box; color: #116644;">1</span>, win <span style="box-sizing: border-box; color: #116644;">141</span>, length <span style="box-sizing: border-box; color: #116644;">276</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:24:20.991033 IP (tos 0x0, ttl <span style="box-sizing: border-box; color: #116644;">53</span>, id <span style="box-sizing: border-box; color: #116644;">2348</span>, offset <span style="box-sizing: border-box; color: #116644;">0</span>, flags [DF], proto TCP (6), length <span style="box-sizing: border-box; color: #116644;">92</span>)</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">42</span>.xx.xx.107.43414 &gt; <span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226.ssh: Flags [P.], cksum 0x4759 (correct), seq <span style="box-sizing: border-box; color: #116644;">1</span>:53, ack <span style="box-sizing: border-box; color: #116644;">129036</span>, win <span style="box-sizing: border-box; color: #116644;">15472</span>, length <span style="box-sizing: border-box; color: #116644;">52</span></span>

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)

172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276

20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)

42.xx.xx.107.43414 > 172.xx.xx.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52

执行以下命令，抓取eth1网卡发送至指定IP地址的PING交互数据，并输出详细交互数据。

tcpdump -s 0 -i eth1 -vvv dst 223.xx.xx.5 and icmp

1	tcpdump -s 0 -i eth1 -vvv dst 223.xx.xx.5 and icmp

系统显示类似如下。

<span style="box-sizing: border-box; padding-right: 0.1px;">tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size <span style="box-sizing: border-box; color: #116644;">65535</span> bytes</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:26:00.368958 IP (tos 0x0, ttl <span style="box-sizing: border-box; color: #116644;">64</span>, id <span style="box-sizing: border-box; color: #116644;">0</span>, offset <span style="box-sizing: border-box; color: #116644;">0</span>, flags [DF], proto ICMP (1), length <span style="box-sizing: border-box; color: #116644;">84</span>)</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226 &gt; public1.alidns.com: ICMP <span style="box-sizing: border-box; color: #3300aa;">echo</span> request, id <span style="box-sizing: border-box; color: #116644;">55097</span>, seq <span style="box-sizing: border-box; color: #116644;">341</span>, length <span style="box-sizing: border-box; color: #116644;">64</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:26:01.369996 IP (tos 0x0, ttl <span style="box-sizing: border-box; color: #116644;">64</span>, id <span style="box-sizing: border-box; color: #116644;">0</span>, offset <span style="box-sizing: border-box; color: #116644;">0</span>, flags [DF], proto ICMP (1), length <span style="box-sizing: border-box; color: #116644;">84</span>)</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226 &gt; public1.alidns.com: ICMP <span style="box-sizing: border-box; color: #3300aa;">echo</span> request, id <span style="box-sizing: border-box; color: #116644;">55097</span>, seq <span style="box-sizing: border-box; color: #116644;">342</span>, length <span style="box-sizing: border-box; color: #116644;">64</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:26:02.371058 IP (tos 0x0, ttl <span style="box-sizing: border-box; color: #116644;">64</span>, id <span style="box-sizing: border-box; color: #116644;">0</span>, offset <span style="box-sizing: border-box; color: #116644;">0</span>, flags [DF], proto ICMP (1), length <span style="box-sizing: border-box; color: #116644;">84</span>)</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226 &gt; public1.alidns.com: ICMP <span style="box-sizing: border-box; color: #3300aa;">echo</span> request, id <span style="box-sizing: border-box; color: #116644;">55097</span>, seq <span style="box-sizing: border-box; color: #116644;">343</span>, length <span style="box-sizing: border-box; color: #116644;">64</span></span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">20</span>:26:03.372181 IP (tos 0x0, ttl <span style="box-sizing: border-box; color: #116644;">64</span>, id <span style="box-sizing: border-box; color: #116644;">0</span>, offset <span style="box-sizing: border-box; color: #116644;">0</span>, flags [DF], proto ICMP (1), length <span style="box-sizing: border-box; color: #116644;">84</span>)</span>
<span style="box-sizing: border-box; padding-right: 0.1px;"><span style="box-sizing: border-box; color: #116644;">172</span>.xx.xx.226 &gt; public1.alidns.com: ICMP <span style="box-sizing: border-box; color: #3300aa;">echo</span> request, id <span style="box-sizing: border-box; color: #116644;">55097</span>, seq <span style="box-sizing: border-box; color: #116644;">344</span>, length <span style="box-sizing: border-box; color: #116644;">64</span></span>

20:26:00.368958 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)

172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 341, length 64

20:26:01.369996 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)

172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 342, length 64

20:26:02.371058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)

172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 343, length 64

20:26:03.372181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)

172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 344, length 64

执行以下命令，抓取系统内所有接口数据并保存到指定文件。

tcpdump -i any -s 0 -w test.cap

1

tcpdump -i any -s 0 -w test.cap

说明：您如果通过cat、vim命令查看保存的文件，都会显示为乱码。此时您可以执行tcpdump -r test.cap命令，查看信息。或者您可以使用Wireshark工具查看信息。

系统显示类似如下。

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

1

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

Windows环境中的抓包工具

Windows环境中一般使用免费的较为流行的Wireshark开源工具进行抓包和分析。请参见Wireshark官方网站，获取并安装Wireshark工具，然后进行抓包。

安装并打开Wireshark工具。
依次单击捕获>选项。
在Wireshark 捕获接口界面中，根据接口名称或对应的IP地址选择需要进行抓包的网卡，然后单击开始。
抓取足量数据包后，依次单击捕获>停止。
依次单击文件>保存，将抓包结果保存到指定文件。
更多有关Wireshark工具使用和数据分析方法，请参见Wireshark官方网站。

抓包分析流程

出现异常时，您可以抓取数据包进行分析。抓包时请确保从源服务器和目标服务器同时并发操作，以便进行对比分析，具体操作步骤如下：

确认源服务器和目标服务器进行数据交互通过的网卡。
如果源服务器通过NAT共享方式访问公网，则访问淘宝IP地址库，获取本地网络对应的公网IP地址。
利用前文所述工具，从源服务器对目标服务器地址的目标端口和网卡进行抓包，或者进行完整抓包。
利用前文所述工具，从目标服务器对源服务器地址和网卡进行抓包，或者进行完整抓包，然后进行分析。
若问题无法解决，您可以创建工单并附上抓包数据文件，提交工单后，阿里云技术支持会排查问题并通过工单向您反馈结果。

阿慕笔记

网络异常时如何抓取数据包

Linux环境中的抓包工具

Windows环境中的抓包工具

抓包分析流程

发表回复取消回复

网络异常时如何抓取数据包

Linux环境中的抓包工具

Windows环境中的抓包工具

抓包分析流程

发表回复 取消回复

发表回复取消回复