By Long Luo

挖坑

网络抓包常用命令

详细解析和Demo版本：就是要你懂抓包–WireShark之命令行版tshark

```shell 用tcpdump抓取并保存包： sudo tcpdump -i eth0 port 3306 -w plantegg.cap

抓到的包存储在plantegg.cap中，可以用作wireshark、tshark详细分析 如果明确知道目的ip、端口等可以通过指定条件来明确只抓取某个连接的包

抓取详细SQL语句： sudo tshark -i eth0 -Y “mysql.command==3” -T fields -e mysql.query sudo tshark -i eth0 -R mysql.query -T fields -e mysql.query

sudo tshark -i any -f ‘port 8527’ -s 0 -l -w - |strings

#parse 8507/4444 as mysql protocol, default only parse 3306 as mysql. sudo tshark -i eth0 -d tcp.port==8507,mysql -T fields -e mysql.query ‘port 8507’ sudo tshark -i any -c 50 -d tcp.port==4444,mysql -Y ” ((tcp.port eq 4444 ) )” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e mysql.query

sudo tshark -i eth0 -R “ip.addr==11.163.182.137” -d tcp.port==3306,mysql -T fields -e mysql.query ‘port 3306’ sudo tshark -i eth0 -R “tcp.srcport==62877” -d tcp.port==3001,mysql -T fields -e tcp.srcport -e mysql.query ‘port 3001’

如果MySQL开启了SSL，那么抓包后的内容tshark/wireshark分析不到MySQL的具体内容，可以强制关闭：connectionProperties里加上useSSL=false

查看SQL具体内容 sudo tshark -r gege_plantegg.cap -Y “mysql.query or ( tcp.stream==1)” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e frame.time_delta_displayed -e tcp.stream -e tcp.len -e mysql.query

按mysql查询分析响应时间 对于rt分析，要注意一个query多个response情况（response结果多，分包了），分析这种rt的时候只看query之后的第一个response，其它连续response需要忽略掉。

以上抓包结果文件可以用tshark进行详细分析

分析MySQL rt，倒数第四列基本就是rt tshark -r gege_plantegg.pcap -Y ” ((tcp.srcport eq 3306 ) and tcp.len>0 )” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e tcp.analysis.ack_rtt

或者排序一下 tshark -r 213_php.cap -Y “mysql.query or ( tcp.srcport==3306)” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e mysql.query |sort -nk9 -nk1

MySQL响应时间直方图【第八列的含义– Time since previous frame in this TCP stream: seconds】： tshark -r gege_plantegg.pcap -Y “mysql.query or (tcp.srcport3306 and tcp.len>60)” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len | awk ’BEGIN {sum0=0;sum3=0;sum10=0;sum30=0;sum50=0;sum100=0;sum300=0;sum500=0;sum1000=0;sumo=0;count=0;sum=0} {rt=$8; if(rt>=0.000) sum=sum+rt; count=count+1; if(rt<=0.000) sum0=sum0+1; else if(rt<0.003) sum3=sum3+1 ; else if(rt<0.01) sum10=sum10+1; else if(rt<0.03) sum30=sum30+1; else if(rt<0.05) sum50=sum50+1; else if(rt < 0.1) sum100=sum100+1; else if(rt < 0.3) sum300=sum300+1; else if(rt < 0.5) sum500=sum500+1; else if(rt < 1) sum1000=sum1000+1; else sum=sum+1 ;} END{printf “————-3ms:http response分析响应时间 tshark -nr 213_php.cap -o tcp.calculate_timestamps:true -Y”http.request or http.response” -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e ip.dst -e tcp.stream -e http.request.full_uri -e http.response.code -e http.response.phrase | sort -nk6 -nk1

分析rtt、丢包、deplicate等等，可以得到整体网络状态 $ tshark -r retrans.cap -q -z io,stat,1,“AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt”,“COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission”,“COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission”,“COUNT(tcp.analysis.duplicate_ack) tcp.analysis.duplicate_ack”,“COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment”,“MIN(tcp.window_size)tcp.window_size”

=================================================================================== | IO Statistics | | | | Duration: 89.892365 secs | | Interval: 2 secs | | | | Col 1: AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt | | 2: COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission | | 3: COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission | | 4: COUNT(tcp.analysis.duplicate_ack) tcp.analysis.duplicate_ack | | 5: COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment | | 6: AVG(tcp.window_size)tcp.window_size | |———————————————————————————| | |1 |2 |3 |4 |5 |6 | | | Interval | AVG | COUNT | COUNT | COUNT | COUNT | AVG | | |————————————————————-| | | 0 <> 2 | 0.001152 | 0 | 0 | 0 | 0 | 4206 | | | 2 <> 4 | 0.002088 | 0 | 0 | 0 | 1 | 6931 | | | 4 <> 6 | 0.001512 | 0 | 0 | 0 | 0 | 7099 | | | 6 <> 8 | 0.002859 | 0 | 0 | 0 | 0 | 7171 | | | 8 <> 10 | 0.001716 | 0 | 0 | 0 | 0 | 6472 | | | 10 <> 12 | 0.000319 | 0 | 0 | 0 | 2 | 5575 | | | 12 <> 14 | 0.002030 | 0 | 0 | 0 | 0 | 6922 | | | 14 <> 16 | 0.003371 | 0 | 0 | 0 | 2 | 5884 | | | 16 <> 18 | 0.000138 | 0 | 0 | 0 | 1 | 3480 | | | 18 <> 20 | 0.000999 | 0 | 0 | 0 | 4 | 6665 | | | 20 <> 22 | 0.000682 | 0 | 0 | 41 | 2 | 5484 | | | 22 <> 24 | 0.002302 | 2 | 0 | 19 | 0 | 7127 | | | 24 <> 26 | 0.000156 | 1 | 0 | 22 | 0 | 3042 | | | 26 <> 28 | 0.000000 | 1 | 0 | 19 | 1 | 152 | | | 28 <> 30 | 0.001498 | 1 | 0 | 24 | 0 | 5615 | | | 30 <> 32 | 0.000235 | 0 | 0 | 44 | 0 | 1880 | | 1 =================================================================================== 2 | IO Statistics | 3 | | 4 | Duration: 89.892365 secs | 5 | Interval: 2 secs | 6 | | 7 | Col 1: AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt | 8 | 2: COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission | 9 | 3: COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission | 10 | 4: COUNT(tcp.analysis.duplicate_ack) tcp.analysis.duplicate_ack | 11 | 5: COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment | 12 | 6: AVG(tcp.window_size)tcp.window_size | 13 |———————————————————————————| 14 | |1 |2 |3 |4 |5 |6 | | 15 | Interval | AVG | COUNT | COUNT | COUNT | COUNT | AVG | | 16 |————————————————————-| | 17 | 0 <> 2 | 0.001152 | 0 | 0 | 0 | 0 | 4206 | | 18 | 2 <> 4 | 0.002088 | 0 | 0 | 0 | 1 | 6931 | | 19 | 4 <> 6 | 0.001512 | 0 | 0 | 0 | 0 | 7099 | | 20 | 6 <> 8 | 0.002859 | 0 | 0 | 0 | 0 | 7171 | | 21 | 8 <> 10 | 0.001716 | 0 | 0 | 0 | 0 | 6472 | | 22 | 10 <> 12 | 0.000319 | 0 | 0 | 0 | 2 | 5575 | | 23 | 12 <> 14 | 0.002030 | 0 | 0 | 0 | 0 | 6922 | | 24 | 14 <> 16 | 0.003371 | 0 | 0 | 0 | 2 | 5884 | | 25 | 16 <> 18 | 0.000138 | 0 | 0 | 0 | 1 | 3480 | | 26 | 18 <> 20 | 0.000999 | 0 | 0 | 0 | 4 | 6665 | | 27 | 20 <> 22 | 0.000682 | 0 | 0 | 41 | 2 | 5484 | | 28 | 22 <> 24 | 0.002302 | 2 | 0 | 19 | 0 | 7127 | | 29 | 24 <> 26 | 0.000156 | 1 | 0 | 22 | 0 | 3042 | | 30 | 26 <> 28 | 0.000000 | 1 | 0 | 19 | 1 | 152 | | 31 | 28 <> 30 | 0.001498 | 1 | 0 | 24 | 0 | 5615 | | 32 | 30 <> 32 | 0.000235 | 0 | 0 | 44 | 0 | 1880 | |

#tshark tshark -r ./mysql-compress.cap -o tcp.calculate_timestamps:true -T fields -e mysql.caps.cp -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e frame.time_delta_displayed -e tcp.stream -e tcp.len -e mysql.query

#用tcpdump抓取并保存包： sudo tcpdump -i eth0 port 3306 -w plantegg.cap

#每隔3秒钟生成一个新文件，总共生成5个文件后（15秒后）终止抓包，然后包名也按时间规范好了 sudo tcpdump -t -s 0 tcp port 3306 -w ‘dump_%Y-%m-%d_%H:%M:%S.pcap’ -G 3 -W 5 -Z root

#每隔30分钟生成一个包并压缩 nohup sudo tcpdump -i eth0 -t -s 0 tcp and port 3306 -w ‘dump_%Y-%m-%d_%H:%M:%S.pcap’ -G 1800 -W 48 -Z root -z gzip &

#file size 1000M nohup sudo tcpdump -i eth0 -t -s 0 tcp and port 3306 -w ‘dump_’ -C 1000 -W 300 -Z root -z gzip &

#port range sudo tcpdump -i enp44s0f0 -t -s 0 portrange 3000-3100 -w ‘dump_%Y-%m-%d_%H:%M:%S.pcap’ -G 60 -W 100 -Z root

#subnet sudo tcpdump -i enp44s0f0 -t -s 0 net 192.168.0.1/28 -w ‘dump_%Y-%m-%d_%H:%M:%S.pcap’ -G 60 -W 100 -Z root

#抓取详细SQL语句, 快速确认client发过来的具体SQL内容： sudo tshark -i any -f ‘port 8527’ -s 0 -l -w - |strings sudo tshark -i eth0 -d tcp.port==3306,mysql -T fields -e mysql.query ‘port 3306’ sudo tshark -i eth0 -R “ip.addr==11.163.182.137” -d tcp.port==3306,mysql -T fields -e mysql.query ‘port 3306’ sudo tshark -i eth0 -R “tcp.srcport==62877” -d tcp.port==3001,mysql -T fields -e tcp.srcport -e mysql.query ‘port 3001’

#query time sudo tshark -i eth0 -Y ” ((tcp.port eq 3306 ) and tcp.len>0 )” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e mysql.query

#如果MySQL开启了SSL，那么抓包后的内容tshark/wireshark分析不到MySQL的具体内容，可以强制关闭：connectionProperties里加上useSSL=false

tshark -r ./manager.cap -o tcp.calculate_timestamps:true -Y ” tcp.analysis.retransmission ” -T fields -e tcp.stream -e frame.number -e frame.time -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst | sort

#MySQL响应时间直方图【第八列的含义– Time since previous frame in this TCP stream: seconds】： tshark -r gege_plantegg.pcap -Y “mysql.query or (tcp.srcport3306 and tcp.len>60)” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len | awk ‘BEGIN {sum0=0;sum3=0;sum10=0;sum30=0;sum50=0;sum100=0;sum300=0;sum500=0;sum1000=0;sumo=0;count=0;sum=0} {rt=$8; if(rt>=0.000) sum=sum+rt; count=count+1; if(rt<=0.000) sum0=sum0+1; else if(rt<0.003) sum3=sum3+1 ; else if(rt<0.01) sum10=sum10+1; else if(rt<0.03) sum30=sum30+1; else if(rt<0.05) sum50=sum50+1; else if(rt < 0.1) sum100=sum100+1; else if(rt < 0.3) sum300=sum300+1; else if(rt < 0.5) sum500=sum500+1; else if(rt < 1) sum1000=sum1000+1; else sum=sum+1 ;} END{printf “————-3ms:%s 10ms:%s 30ms:%s 50ms:%s 100ms:%s 300ms:%s 500ms:%s 1000ms:%s >1s:%s————-: %.6f ” , sum3,sum10,sum30,sum50,sum100,sum300,sum500,sum1000,sumo,sum/count;}’

#分析MySQL rt，倒数第四列基本就是rt tshark -r gege_plantegg.pcap -Y ” ((tcp.srcport eq 3306 ) and tcp.len>0 )” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e tcp.analysis.ack_rtt

#或者排序一下 tshark -r 213_php.cap -Y “mysql.query or ( tcp.srcport==3306)” -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e mysql.query |sort -nk9 -nk1

#将 tls key和抓包文件合并 editcap –inject-secrets tls,key.log in.pcap out.pcap #把包长截掉，只保留前面54，可以脱敏包内容 editcap -s 54 old.pcap new.pcap

参考文献

1. The Most Useful Linux Commands For Network And Systems Administrators
2. 7 Linux networking commands that every sysadmin should know
3. Mastering Linux Networking Commands: A Comprehensive Guide
4. Linux Networking Commands with Examples