Packet capture with tcpdump
TcpDump
tcpdump can capture, in full, the packets travelling across the network and hand them over for analysis. It supports filtering on network layer, protocol, host, network or port, and offers the logical operators and, or and not to help you discard what you do not need.
(The paragraph above is quoted from Baidu Baike.)
Server: the capturing host, an Alibaba Cloud instance. eth1 is its public interface, 121.42.37.139, and the machine also serves this blog over HTTP.
Client: the host that sends the packets; its public (egress) address is 222.129.235.159.
Started with no options, tcpdump listens on whatever interface libpcap picks for it (the first non-loopback interface it finds), which on a multi-homed host is rarely the one you mean, so in practice the interface is almost always named explicitly with -i.
Capturing on a specific interface
The client pings the server:
[root@heartbeat1 ~]# ping 121.42.37.139
PING 121.42.37.139 (121.42.37.139) 56(84) bytes of data.
64 bytes from 121.42.37.139: icmp_seq=1 ttl=51 time=17.4 ms
64 bytes from 121.42.37.139: icmp_seq=2 ttl=51 time=16.9 ms
64 bytes from 121.42.37.139: icmp_seq=3 ttl=51 time=54.1 ms
Capture on the server. Both the ICMP packets of the ping and the TCP segments of the ssh session over which tcpdump is being run land in the capture (the excerpt below happens to show only the ssh segments). Note the feedback loop: every line tcpdump prints travels back over that ssh session and generates more ssh traffic, which is why captures run over ssh normally exclude it with the filter not port 22.
[root@why ~]# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:16:08.799929 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 1849569832:1849570028, ack 4124372451, win 313, length 196
21:16:08.815628 IP 222.129.235.159.61292 > 121.42.37.139.ssh: Flags [.], ack 196, win 59, length 0
21:16:09.075926 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 196:472, ack 1, win 313, length 276
21:16:09.076875 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 472:636, ack 1, win 313, length 164
21:16:09.078092 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 636:800, ack 1, win 313, length 164
21:16:09.078877 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 800:964, ack 1, win 313, length 164
21:16:09.079902 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 964:1128, ack 1, win 313, length 164
21:16:09.080904 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 1128:1292, ack 1, win 313, length 164
21:16:09.092864 IP 222.129.235.159.61292 > 121.42.37.139.ssh: Flags [.], ack 636, win 64, length 0
21:16:09.092890 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 1292:1456, ack 1, win 313, length 164
21:16:09.093886 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 1456:1716, ack 1, win 313, length 260
21:16:09.093967 IP 222.129.235.159.61292 > 121.42.37.139.ssh: Flags [.], ack 964, win 63, length 0
21:16:09.094878 IP 121.42.37.139.ssh > 222.129.235.159.61292: Flags [P.], seq 1716:1976, ack 1, win 313, length 260
Both directions are visible: segments leaving the server (121.42.37.139.ssh > 222.129.235.159.61292, Flags [P.] with data) and the client's pure acknowledgements (Flags [.], length 0) coming back.
Turning off name resolution
Suppose /etc/hosts on the server maps the client's address to a name:
[root@why ~]# vi /etc/hosts
[root@why ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.163.241.39 why
222.129.235.159 whysclient.com
Capture on the server again:
[root@why ~]# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:18:30.691930 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 1849673072:1849673268, ack 4124378495, win 313, length 196
21:18:30.693886 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 196:376, ack 1, win 313, length 180
21:18:30.694977 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 376:540, ack 1, win 313, length 164
21:18:30.695880 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 540:704, ack 1, win 313, length 164
21:18:30.696875 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 704:868, ack 1, win 313, length 164
21:18:30.697875 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 868:1032, ack 1, win 313, length 164
21:18:30.698881 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 1032:1196, ack 1, win 313, length 164
21:18:30.709510 IP whysclient.com.61292 > 121.42.37.139.ssh: Flags [.], ack 196, win 61, length 0
21:18:30.709532 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 1196:1360, ack 1, win 313, length 164
21:18:30.709882 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 1360:1620, ack 1, win 313, length 260
21:18:30.711535 IP whysclient.com.61292 > 121.42.37.139.ssh: Flags [.], ack 704, win 59, length 0
21:18:30.711560 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 1620:1784, ack 1, win 313, length 164
21:18:30.711884 IP 121.42.37.139.ssh > whysclient.com.61292: Flags [P.], seq 1784:2044, ack 1, win 313, length 260
The client's address is now printed as the hostname from /etc/hosts. -n turns this off: a single -n stops converting addresses to host names, and a second n (-nn) also stops converting port and protocol numbers to names, which is why ssh becomes 22 below. Further n's, as in the -nnn used here, make no difference.
[root@why ~]# tcpdump -i eth1 -nnn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:19:18.385895 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1849838260:1849838456, ack 4124378947, win 313, length 196
21:19:18.386985 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 196:376, ack 1, win 313, length 180
21:19:18.387879 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 376:540, ack 1, win 313, length 164
21:19:18.388877 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 540:704, ack 1, win 313, length 164
21:19:18.389875 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 704:868, ack 1, win 313, length 164
21:19:18.390881 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 868:1032, ack 1, win 313, length 164
21:19:18.391895 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1032:1196, ack 1, win 313, length 164
21:19:18.392878 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1196:1360, ack 1, win 313, length 164
21:19:18.393885 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1360:1524, ack 1, win 313, length 164
21:19:18.401036 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 196, win 60, length 0
21:19:18.401062 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1524:1688, ack 1, win 313, length 164
21:19:18.401897 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1688:1948, ack 1, win 313, length 260
21:19:18.402766 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 540, win 59, length 0
21:19:18.402915 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1948:2208, ack 1, win 313, length 260
The service name ssh is now printed as port 22 and the client's hostname as its IP address. Besides making the output unambiguous, -nn avoids the reverse DNS lookup tcpdump would otherwise perform for every address it prints, which slows the capture down and tells your resolver which addresses you are looking at.
Showing the packet contents (-X)
-X prints each packet in hex and ASCII side by side, starting at the IP header (the link-layer header is left out; -XX includes it). In the dump below the first 20 bytes are the IPv4 header and the next 20 the TCP header; everything from offset 0x28 on is the ssh payload, which is encrypted and so shows up as noise in the ASCII column.
[root@why ~]# tcpdump -i eth1 -nnn -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
22:17:27.430926 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1850266868:1850267064, ack 4124381607, win 313, length 196
0x0000: 4510 00ec d043 4000 4006 00e2 792a 258b E....C@.@...y*%.
0x0010: de81 eb9f 0016 ef6c 6e48 d4f4 f5d5 11a7 .......lnH......
0x0020: 5018 0139 69b5 0000 1d8a 540f 5651 37dc P..9i.....T.VQ7.
0x0030: f50d b33f 82c8 d979 5170 6a1e 53ce 304c ...?...yQpj.S.0L
0x0040: 6c98 645b 6903 2f08 e107 c1ba ca8a cbe0 l.d[i./.........
0x0050: 66ed 536f f121 3553 4b92 ac78 c134 55fe f.So.!5SK..x.4U.
0x0060: 789e 3c17 7696 226c f941 6393 f436 b7a1 x.<.v."l.Ac..6..
0x0070: 379d 5b66 1e43 3ef7 0e78 cac4 d8a4 ca43 7.[f.C>..x.....C
0x0080: 454f 1e56 8a18 aeb4 6cd3 73e1 a4bd ea27 EO.V....l.s....'
0x0090: 60ed b828 c65a 9ecd 5c1e ce38 ad29 0778 `..(.Z..\..8.).x
0x00a0: 89e6 5af0 2fab 8c0c 2f24 b684 9551 c21d ..Z./.../$...Q..
0x00b0: 60bc 9e89 5fe3 0a2b 2562 3f5b 3c7b 7a13 `..._..+%b?[<{z.
0x00c0: 1898 2747 babd 248e 3afd 7916 de26 1a17 ..'G..$.:.y..&..
0x00d0: b97d 70bf b730 e15b c57e 28e1 8397 e1ae .}p..0.[.~(.....
0x00e0: 978b 27a1 f51c 0b64 1de2 9cdd ..'....d....
Capturing without truncation (-s)
-s sets the snapshot length, the number of bytes kept from each packet. Old tcpdump releases defaulted to 68 bytes (96 on some platforms), enough for the headers but not the payload, and -s 0 was the way to ask for whole packets. Since tcpdump 4.0 the default is already the maximum, which the banner above confirms ("capture size 65535 bytes"; newer builds report 262144), so -s 0 changes nothing here.
That matches what this capture shows: the output is identical with and without -s0. Adding it still costs nothing and protects against an older tcpdump on some other host silently truncating the payload you want to see.
Limiting the number of packets (-c)
[root@why ~]# tcpdump -i eth1 -nnn -X -s0 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
22:25:25.979886 IP 121.42.37.139.22 > 222.129.235.159.61292: Flags [P.], seq 1850820572:1850820768, ack 4124382623, win 313, length 196
0x0000: 4510 00ec d219 4000 4006 ff0b 792a 258b E.....@.@...y*%.
0x0010: de81 eb9f 0016 ef6c 6e51 47dc f5d5 159f .......lnQG.....
0x0020: 5018 0139 69b5 0000 1c2e 2c12 b5f1 c6c3 P..9i.....,.....
0x0030: 75a5 15fe dfdf 517e 365c c533 cd86 9a82 u.....Q~6\.3....
0x0040: 63e3 78a6 4c38 6d1d 5859 9fbc 1567 a2c6 c.x.L8m.XY...g..
0x0050: deaa e83d 757e 76e1 334f 85fc 4d9c 7bcd ...=u~v.3O..M.{.
0x0060: dc0f dc83 fe44 d356 a528 d3d8 d419 7599 .....D.V.(....u.
0x0070: b7e2 a781 a5e4 10cf b72f 8d11 93b9 6322 ........./....c"
0x0080: fdd6 3f3f ce9d a1d9 794e b102 0dd9 6c34 ..??....yN....l4
0x0090: a487 df59 2aee ffc6 de8a 74d4 6816 9956 ...Y*.....t.h..V
0x00a0: d472 9afa 9928 34d4 a558 890c 0ff6 3312 .r...(4..X....3.
0x00b0: bf6c 1475 6a3f ddf9 5425 83a2 6c76 a0f9 .l.uj?..T%..lv..
0x00c0: 5eab e56c 2a48 ded4 b8f7 9500 7f5e d459 ^..l*H.......^.Y
0x00d0: fa6b 0228 e07c 2b08 dc1c ba06 d565 3c20 .k.(.|+......e<.
0x00e0: 2da9 3750 fe85 e61d ca3e ea7f -.7P.....>..
(hex dumps of the remaining 9 packets omitted)
10 packets captured
10 packets received by filter
0 packets dropped by kernel
tcpdump stopped on its own after 10 packets. The three lines it prints on exit are worth reading every time: "received by filter" is what matched the expression, and a nonzero "dropped by kernel" count means the capture buffer overflowed and the capture is incomplete.
Capturing packets from a given source address
[root@why ~]# tcpdump -i eth1 -nnn -X -s0 -c 3 'src host 222.129.235.159'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
22:31:47.498745 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 1850895724, win 63, length 0
0x0000: 4500 0028 607b 4000 3406 7d7e de81 eb9f E..(`{@.4.}~....
0x0010: 792a 258b ef6c 0016 f5d5 2a6f 6e52 6d6c y*%..l....*onRml
0x0020: 5010 003f 5b38 0000 P..?[8..
22:31:47.566765 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 357, win 62, length 0
0x0000: 4500 0028 607c 4000 3406 7d7d de81 eb9f E..(`|@.4.}}....
0x0010: 792a 258b ef6c 0016 f5d5 2a6f 6e52 6ed0 y*%..l....*onRn.
0x0020: 5010 003e 59d5 0000 P..>Y...
22:31:47.632571 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 697, win 60, length 0
0x0000: 4500 0028 607d 4000 3406 7d7c de81 eb9f E..(`}@.4.}|....
0x0010: 792a 258b ef6c 0016 f5d5 2a6f 6e52 7024 y*%..l....*onRp$
0x0020: 5010 003c 5883 0000 P..<X...
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Capturing by source address and protocol
Source address 222.129.235.159 and protocol TCP. All of these are on port 22: they are the segments of the ssh session from which tcpdump was started on the Alibaba Cloud server.
[root@why ~]# tcpdump -i eth1 -nnn -X -s0 -c 3 'src host 222.129.235.159 and tcp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
22:38:33.323407 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 1850908480, win 61, length 0
0x0000: 4500 0028 6121 4000 3406 7cd8 de81 eb9f E..(a!@.4.|.....
0x0010: 792a 258b ef6c 0016 f5d5 4157 6e52 9f40 y*%..l....AWnR.@
0x0020: 5010 003d 127e 0000 P..=.~..
22:38:33.390190 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 357, win 60, length 0
0x0000: 4500 0028 6122 4000 3406 7cd7 de81 eb9f E..(a"@.4.|.....
0x0010: 792a 258b ef6c 0016 f5d5 4157 6e52 a0a4 y*%..l....AWnR..
0x0020: 5010 003c 111b 0000 P..<....
22:38:33.457263 IP 222.129.235.159.61292 > 121.42.37.139.22: Flags [.], ack 697, win 64, length 0
0x0000: 4500 0028 6123 4000 3406 7cd6 de81 eb9f E..(a#@.4.|.....
0x0010: 792a 258b ef6c 0016 f5d5 4157 6e52 a1f8 y*%..l....AWnR..
0x0020: 5010 0040 0fc3 0000 P..@....
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Source address 222.129.235.159 and protocol ICMP: the echo requests from the ping running on the client. The id field identifies the ping process and seq counts its requests; the payload is ping's send timestamp followed by the incrementing byte pattern 0x10, 0x11, 0x12, ...
[root@why ~]# tcpdump -i eth1 -nnn -X -s0 -c 3 'src host 222.129.235.159 and icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
22:42:02.150212 IP 222.129.235.159 > 121.42.37.139: ICMP echo request, id 34933, seq 1476, length 64
0x0000: 4500 0054 0000 4000 3401 ddd2 de81 eb9f E..T..@.4.......
0x0010: 792a 258b 0800 a0c3 8875 05c4 ba25 f658 y*%......u...%.X
0x0020: 0000 0000 58b1 0100 0000 0000 1011 1213 ....X...........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
22:42:03.150006 IP 222.129.235.159 > 121.42.37.139: ICMP echo request, id 34933, seq 1477, length 64
0x0000: 4500 0054 0000 4000 3401 ddd2 de81 eb9f E..T..@.4.......
0x0010: 792a 258b 0800 f4bd 8875 05c5 bb25 f658 y*%......u...%.X
0x0020: 0000 0000 03b6 0100 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
22:42:04.149977 IP 222.129.235.159 > 121.42.37.139: ICMP echo request, id 34933, seq 1478, length 64
0x0000: 4500 0054 0000 4000 3401 ddd2 de81 eb9f E..T..@.4.......
0x0010: 792a 258b 0800 e8b7 8875 05c6 bc25 f658 y*%......u...%.X
0x0020: 0000 0000 0ebb 0100 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
3 packets captured
3 packets received by filter
0 packets dropped by kernel
More filter primitives
- protocols: tcp, udp and icmp are the common ones (ip, ip6, arp and others exist too)
- direction: src (source) and dst (destination); without either, the primitive matches in both directions
- type: host (host name or IP address), net (network, e.g. 192.168.0.0/24), port and portrange; each can be preceded by src or dst
- logic: and (same as &&), or (same as ||) and not (same as !); parentheses group, and the whole expression should be in single quotes so the shell leaves &&, ! and parentheses alone
- a protocol name can only qualify port or portrange (tcp dst port 22); tcpdump rejects it in front of host or net ("'tcp' modifier applied to host"), so combine the two with and instead
Examples
src host 222.129.235.159 and tcp
udp dst port 53
udp dst portrange 6000-6100
icmp and src net 192.168.0.0/24
not port 22
Watching a browser fetch a page with tcpdump
The capture is restricted to the client's address and port 80. Reading it top to bottom: the three-way handshake (Flags [S], [S.], [.]; the two SYNs carry absolute sequence numbers, after which tcpdump prints relative ones, hence "ack 1"), the browser's GET / with its Host, User-Agent and Cookie headers in the clear, the server's HTTP/1.1 200 OK with a chunked body spread over three segments, a single-byte keep-alive probe from the Windows client 45 seconds later (seq 459:460 is the byte just before the next expected one, and the server answers it with an ack plus a SACK block for that byte), and finally the server's FIN closing the idle keep-alive connection about a minute after the request. Because this is plain HTTP, the sessionid and csrftoken cookies visible in the dump are readable by anyone positioned on the path, which is the practical argument for serving the site over TLS and marking such cookies Secure.
[root@why ~]# tcpdump -i eth1 -nnn -X 'host 222.129.235.159 and port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:24:28.476145 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [S], seq 1044122079, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
0x0000: 4500 0034 66ce 4000 3406 771f de81 eb9f E..4f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 09df 0000 0000 y*%..7.P><......
0x0020: 8002 2000 d59e 0000 0204 05ac 0103 0308 ................
0x0030: 0101 0402 ....
23:24:28.476205 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [S.], seq 2209593428, ack 1044122080, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
0x0000: 4500 0034 0000 4000 4006 d1ed 792a 258b E..4..@.@...y*%.
0x0010: de81 eb9f 0050 c837 83b3 b854 3e3c 09e0 .....P.7...T><..
0x0020: 8012 3908 8077 0000 0204 05b4 0101 0402 ..9..w..........
0x0030: 0103 0306 ....
23:24:28.492981 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], ack 1, win 64, length 0
0x0000: 4500 0028 66cf 4000 3406 772a de81 eb9f E..(f.@.4.w*....
0x0010: 792a 258b c837 0050 3e3c 09e0 83b3 b855 y*%..7.P><.....U
0x0020: 5010 0040 fa10 0000 P..@....
23:24:28.493259 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [P.], seq 1:460, ack 1, win 64, length 459
0x0000: 4500 01f3 66d0 4000 3406 755e de81 eb9f E...f.@.4.u^....
0x0010: 792a 258b c837 0050 3e3c 09e0 83b3 b855 y*%..7.P><.....U
0x0020: 5018 0040 e71a 0000 4745 5420 2f20 4854 P..@....GET./.HT
0x0030: 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
0x0040: 772e 7768 7973 646f 6d61 696e 2e63 6f6d w.whysdomain.com
0x0050: 0d0a 436f 6e6e 6563 7469 6f6e 3a20 6b65 ..Connection:.ke
0x0060: 6570 2d61 6c69 7665 0d0a 4163 6365 7074 ep-alive..Accept
0x0070: 3a20 7465 7874 2f68 746d 6c2c 6170 706c :.text/html,appl
0x0080: 6963 6174 696f 6e2f 7868 746d 6c2b 786d ication/xhtml+xm
0x0090: 6c2c 6170 706c 6963 6174 696f 6e2f 786d l,application/xm
0x00a0: 6c3b 713d 302e 392c 696d 6167 652f 7765 l;q=0.9,image/we
0x00b0: 6270 2c2a 2f2a 3b71 3d30 2e38 0d0a 5573 bp,*/*;q=0.8..Us
0x00c0: 6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c er-Agent:.Mozill
0x00d0: 612f 352e 3020 2857 696e 646f 7773 204e a/5.0.(Windows.N
0x00e0: 5420 3130 2e30 3b20 574f 5736 3429 2041 T.10.0;.WOW64).A
0x00f0: 7070 6c65 5765 624b 6974 2f35 3337 2e33 ppleWebKit/537.3
0x0100: 3620 284b 4854 4d4c 2c20 6c69 6b65 2047 6.(KHTML,.like.G
0x0110: 6563 6b6f 2920 4368 726f 6d65 2f33 382e ecko).Chrome/38.
0x0120: 302e 3231 3235 2e31 3232 2053 6166 6172 0.2125.122.Safar
0x0130: 692f 3533 372e 3336 2053 4520 322e 5820 i/537.36.SE.2.X.
0x0140: 4d65 7461 5372 2031 2e30 0d0a 4163 6365 MetaSr.1.0..Acce
0x0150: 7074 2d45 6e63 6f64 696e 673a 2067 7a69 pt-Encoding:.gzi
0x0160: 702c 6465 666c 6174 652c 7364 6368 0d0a p,deflate,sdch..
0x0170: 4163 6365 7074 2d4c 616e 6775 6167 653a Accept-Language:
0x0180: 207a 682d 434e 2c7a 683b 713d 302e 380d .zh-CN,zh;q=0.8.
0x0190: 0a43 6f6f 6b69 653a 2073 6573 7369 6f6e .Cookie:.session
0x01a0: 6964 3d64 6f6f 6a72 7231 736d 7734 3931 id=doojrr1smw491
0x01b0: 666c 6a64 6a30 7162 3864 6134 736d 7676 fljdj0qb8da4smvv
0x01c0: 6d69 733b 2063 7372 6674 6f6b 656e 3d72 mis;.csrftoken=r
0x01d0: 5365 7031 6a72 5772 4845 4855 6544 7177 Sep1jrWrHEHUeDqw
0x01e0: 4b75 4839 5372 5641 616d 6570 7432 570d KuH9SrVAamept2W.
0x01f0: 0a0d 0a ...
23:24:28.493272 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [.], ack 460, win 245, length 0
0x0000: 4500 0028 f18c 4000 4006 e06c 792a 258b E..(..@.@..ly*%.
0x0010: de81 eb9f 0050 c837 83b3 b855 3e3c 0bab .....P.7...U><..
0x0020: 5010 00f5 f790 0000 P.......
23:24:28.495802 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [.], seq 1:2905, ack 460, win 245, length 2904
0x0000: 4500 0b80 f18d 4000 4006 d513 792a 258b E.....@.@...y*%.
0x0010: de81 eb9f 0050 c837 83b3 b855 3e3c 0bab .....P.7...U><..
0x0020: 5010 00f5 7449 0000 4854 5450 2f31 2e31 P...tI..HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
0x0040: 206e 6769 6e78 2f31 2e31 302e 320d 0a44 .nginx/1.10.2..D
0x0050: 6174 653a 2054 7565 2c20 3138 2041 7072 ate:.Tue,.18.Apr
0x0060: 2032 3031 3720 3135 3a32 343a 3238 2047 .2017.15:24:28.G
0x0070: 4d54 0d0a 436f 6e74 656e 742d 5479 7065 MT..Content-Type
0x0080: 3a20 7465 7874 2f68 746d 6c3b 2063 6861 :.text/html;.cha
0x0090: 7273 6574 3d75 7466 2d38 0d0a 5472 616e rset=utf-8..Tran
0x00a0: 7366 6572 2d45 6e63 6f64 696e 673a 2063 sfer-Encoding:.c
0x00b0: 6875 6e6b 6564 0d0a 436f 6e6e 6563 7469 hunked..Connecti
0x00c0: 6f6e 3a20 6b65 6570 2d61 6c69 7665 0d0a on:.keep-alive..
0x00d0: 582d 4672 616d 652d 4f70 7469 6f6e 733a X-Frame-Options:
0x00e0: 2053 414d 454f 5249 4749 4e0d 0a0d 0a65 .SAMEORIGIN....e
0x00f0: 3030 0d0a 3c68 746d 6c20 6c61 6e67 3d22 00..<html.lang="
0x0100: 656e 223e 0a3c 6865 6164 3e0a 3c6d 6574 en">.<head>.<met
0x0110: 6120 6368 6172 7365 743d 2275 7466 2d38 a.charset="utf-8
0x0120: 223e 0a3c 6d65 7461 206e 616d 653d 2276 ">.<meta.name="v
0x0130: 6965 7770 6f72 7422 2063 6f6e 7465 6e74 iewport".content
0x0140: 3d22 7769 6474 683d 6465 7669 6365 2d77 ="width=device-w
0x0150: 6964 7468 2c20 696e 6974 6961 6c2d 7363 idth,.initial-sc
0x0160: 616c 653d 3122 3e20 2020 2020 2020 2020 ale=1">.........
0x0170: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0180: 0a3c 6d65 7461 206e 616d 653d 2264 6573 .<meta.name="des
0x0190: 6372 6970 7469 6f6e 2220 636f 6e74 656e cription".conten
0x01a0: 743d 2273 686f 7720 6120 626c 6f67 223e t="show.a.blog">
0x01b0: 0a09 3c74 6974 6c65 3e77 6879 2773 2063 ..<title>why's.c
0x01c0: 6c6f 7564 2070 6c61 7466 6f72 6d3c 2f74 loud.platform</t
0x01d0: 6974 6c65 3e0a 093c 6c69 6e6b 2072 656c itle>..<link.rel
0x01e0: 3d22 7374 796c 6573 6865 6574 2220 6872 ="stylesheet".hr
0x01f0: 6566 3d22 6874 7470 3a2f 2f79 7569 2e79 ef="http://yui.y
0x0200: 6168 6f6f 6170 6973 2e63 6f6d 2f70 7572 ahooapis.com/pur
0x0210: 652f 302e 352e 302f 7075 7265 2d6d 696e e/0.5.0/pure-min
0x0220: 2e63 7373 223e 0a09 3c6c 696e 6b20 7265 .css">..<link.re
0x0230: 6c3d 2273 7479 6c65 7368 6565 7422 2068 l="stylesheet".h
0x0240: 7265 663d 2268 7474 703a 2f2f 7069 6374 ref="http://pict
0x0250: 7572 6562 6167 2e71 696e 6975 646e 2e63 urebag.qiniudn.c
0x0260: 6f6d 2f62 6c6f 672e 6373 7322 3e20 2020 om/blog.css">...
0x0270: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0280: 2020 2020 2020 2020 200a 093c 6c69 6e6b ...........<link
0x0290: 2072 656c 3d22 7374 796c 6573 6865 6574 .rel="stylesheet
0x02a0: 2220 6872 6566 3d22 6874 7470 3a2f 2f79 ".href="http://y
0x02b0: 7569 2e79 6168 6f6f 6170 6973 2e63 6f6d ui.yahooapis.com
0x02c0: 2f70 7572 652f 302e 352e 302f 6772 6964 /pure/0.5.0/grid
0x02d0: 732d 7265 7370 6f6e 7369 7665 2d6d 696e s-responsive-min
0x02e0: 2e63 7373 223e 0a20 2020 2020 2020 203c .css">.........<
0x02f0: 6c69 6e6b 2072 656c 3d22 7368 6f72 7463 link.rel="shortc
0x0300: 7574 2069 636f 6e22 2068 7265 663d 2268 ut.icon".href="h
0x0310: 7474 703a 2f2f 696d 672e 7768 7973 646f ttp://img.whysdo
0x0320: 6d61 696e 2e63 6f6d 2f77 7777 2e69 636f main.com/www.ico
0x0330: 2220 7479 7065 3d22 696d 6167 652f 782d ".type="image/x-
0x0340: 6963 6f6e 223e 0a20 093c 6469 7620 6964 icon">...<div.id
0x0350: 3d22 6c61 796f 7574 2220 636c 6173 733d ="layout".class=
0x0360: 2270 7572 652d 6722 3e20 2020 2020 2020 "pure-g">.......
0x0370: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0380: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0390: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x03a0: 2020 2020 2020 2020 2020 200a 2020 2020 ................
0x03b0: 0909 3c64 6976 2063 6c61 7373 3d22 7369 ..<div.class="si
0x03c0: 6465 6261 7220 2070 7572 652d 752d 6d64 debar..pure-u-md
0x03d0: 2d31 2d34 223e 2020 2020 2020 2020 2020 -1-4">..........
0x03e0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x03f0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0400: 2020 2020 2020 200a 2020 2020 2020 2009 ................
0x0410: 0909 3c64 6976 2063 6c61 7373 3d22 6865 ..<div.class="he
0x0420: 6164 6572 223e 0a20 2020 2020 2020 2020 ader">..........
0x0430: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0440: 2020 2020 2020 203c 6120 6872 6566 3d22 .......<a.href="
0x0450: 2f6d 6522 3e3c 696d 6720 7372 633d 2268 /me"><img.src="h
0x0460: 7474 703a 2f2f 696d 672e 7768 7973 646f ttp://img.whysdo
0x0470: 6d61 696e 2e63 6f6d 2f32 7069 6364 6979 main.com/2picdiy
0x0480: 3230 3136 3132 3134 3138 3833 3536 3331 2016121418835631
0x0490: 2e6a 7067 2220 7769 6474 683d 2231 3630 .jpg".width="160
0x04a0: 2220 6865 6967 6874 3d22 3136 3022 2073 ".height="160".s
0x04b0: 7479 6c65 3d22 706f 7369 7469 6f6e 3a61 tyle="position:a
0x04c0: 6273 6f6c 7574 653b 206c 6566 743a 3130 bsolute;.left:10
0x04d0: 3070 783b 2074 6f70 3a38 3070 783b 2022 0px;.top:80px;."
0x04e0: 2f3e 3c2f 613e 0a20 2020 2020 2020 2020 /></a>..........
0x04f0: 2020 2020 0909 093c 6831 2063 6c61 7373 .......<h1.class
0x0500: 3d22 6272 616e 642d 7469 746c 6522 3e57 ="brand-title">W
0x0510: 4859 2773 2048 4f4d 453c 2f68 313e 0a20 HY's.HOME</h1>..
0x0520: 2020 2020 2020 2020 2020 2020 0909 093c ...............<
0x0530: 6832 2063 6c61 7373 3d22 6272 616e 642d h2.class="brand-
0x0540: 7461 676c 696e 6522 3ee7 b2be e980 9ae5 tagline">.......
0x0550: 9084 e5a4 a7e8 afad e8a8 80e7 9a84 4865 ..............He
0x0560: 6c6c 6f20 576f 726c 6421 3c2f 6832 3e0a llo.World!</h2>.
0x0570: 2020 2020 2020 2020 2020 2020 2009 0909 ................
0x0580: 3c6e 6176 2063 6c61 7373 3d22 6e61 7622 <nav.class="nav"
0x0590: 3e0a 2020 2020 2020 2020 2020 2020 2020 >...............
0x05a0: 2020 2020 0909 093c 756c 2063 6c61 7373 .......<ul.class
0x05b0: 3d22 6e61 762d 6c69 7374 223e 0a20 2020 ="nav-list">....
0x05c0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x05d0: 2020 2009 0909 093c 6c69 2063 6c61 7373 .......<li.class
0x05e0: 3d22 6e61 762d 6974 656d 223e 0a20 2020 ="nav-item">....
0x05f0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0600: 2020 2020 2020 2009 0909 093c 6120 636c ...........<a.cl
0x0610: 6173 733d 2270 7572 652d 6275 7474 6f6e ass="pure-button
0x0620: 2220 6872 6566 3d22 2f22 3e77 6879 2773 ".href="/">why's
0x0630: 2048 4f4d 453c 2f61 3e0a 2020 2020 2020 .HOME</a>.......
0x0640: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0650: 0909 0909 3c2f 6c69 3e0a 2020 2020 2020 ....</li>.......
0x0660: 2020 2020 2020 2020 2020 2020 2020 2009 ................
0x0670: 0909 093c 6c69 2063 6c61 7373 3d22 6e61 ...<li.class="na
0x0680: 762d 6974 656d 223e 2020 2020 2020 2020 v-item">........
0x0690: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x06a0: 2020 0a20 2020 2020 2020 2020 2020 2020 ................
0x06b0: 2020 2020 2020 2020 2020 2020 2009 0909 ................
0x06c0: 093c 6120 636c 6173 733d 2270 7572 652d .<a.class="pure-
0x06d0: 6275 7474 6f6e 2220 6872 6566 3d22 2f62 button".href="/b
0x06e0: 6c6f 6722 3e77 6879 2773 2042 6c6f 673c log">why's.Blog<
0x06f0: 2f61 3e0a 2020 2020 2020 2020 2020 2020 /a>.............
0x0700: 2020 2020 2020 2020 2020 0909 0909 3c2f ..............</
0x0710: 6c69 3e20 2020 2020 2020 2020 2020 2020 li>.............
0x0720: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0730: 2020 2020 2020 2020 2020 2020 200a 2020 ................
0x0740: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0750: 2020 2020 0909 0909 3c6c 6920 636c 6173 ........<li.clas
0x0760: 733d 226e 6176 2d69 7465 6d22 3e20 2020 s="nav-item">...
0x0770: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0780: 2020 2020 2020 200a 2020 2020 2020 2020 ................
0x0790: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x07a0: 2020 0909 0909 3c61 2063 6c61 7373 3d22 ......<a.class="
0x07b0: 7075 7265 2d62 7574 746f 6e22 2068 7265 pure-button".hre
0x07c0: 663d 2223 223e 7768 7927 7320 4269 6744 f="#">why's.BigD
0x07d0: 6174 613c 2f61 3e0a 2020 2020 2020 2020 ata</a>.........
0x07e0: 2020 2020 2020 2020 2020 2020 2020 0909 ................
0x07f0: 0909 3c2f 6c69 3e20 2020 2020 2020 2020 ..</li>.........
0x0800: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0810: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0820: 200a 2020 2020 2020 2020 2020 2020 2020 ................
0x0830: 2020 2020 2020 2020 0909 0909 3c6c 6920 ............<li.
0x0840: 636c 6173 733d 226e 6176 2d69 7465 6d22 class="nav-item"
0x0850: 3e20 2020 2020 2020 2020 2020 2020 2020 >...............
0x0860: 2020 2020 2020 2020 2020 200a 2020 2020 ................
0x0870: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0880: 2020 2020 2020 0909 0909 3c61 2063 6c61 ..........<a.cla
0x0890: 7373 3d22 7075 7265 2d62 7574 746f 6e22 ss="pure-button"
0x08a0: 2068 7265 663d 2223 223e 7768 7927 7320 .href="#">why's.
0x08b0: 4d6f 6e69 746f 723c 2f61 3e0a 2020 2020 Monitor</a>.....
0x08c0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x08d0: 2020 0909 0909 3c2f 6c69 3e20 2020 2020 ......</li>.....
0x08e0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x08f0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0900: 2020 2020 200a 2020 2020 2020 2020 2020 ................
0x0910: 2020 2020 2020 2020 0909 093c 2f75 6c3e ...........</ul>
0x0920: 0a20 2020 2020 2020 2020 2020 2020 2009 ................
0x0930: 0909 3c2f 6e61 763e 2020 2020 2020 0a20 ..</nav>........
0x0940: 2020 2020 2020 2020 2009 093c 2f64 6976 ...........</div
0x0950: 3e20 2020 2020 200a 2020 2020 2020 0909 >...............
0x0960: 3c2f 6469 763e 200a 2020 2020 2020 2020 </div>..........
0x0970: 2020 2020 2020 2020 3c64 6976 2063 6c61 ........<div.cla
0x0980: 7373 3d22 636f 6e74 656e 7420 7075 7265 ss="content.pure
0x0990: 2d75 2d31 2070 7572 652d 752d 6d64 2d33 -u-1.pure-u-md-3
0x09a0: 2d34 223e 0a20 2020 2020 2020 2020 2020 -4">............
0x09b0: 2020 2020 2020 2020 203c 666f 726d 2069 .........<form.i
0x09c0: 643d 2262 6466 6d22 2074 6172 6765 743d d="bdfm".target=
0x09d0: 225f 626c 616e 6b22 206e 616d 653d 2262 "_blank".name="b
0x09e0: 6466 6d22 2063 6c61 7373 3d22 7075 7265 dfm".class="pure
0x09f0: 2d66 6f72 6d20 7075 7265 2d66 6f72 6d2d -form.pure-form-
0x0a00: 7374 6163 6b65 6422 2020 6d65 7468 6f64 stacked"..method
0x0a10: 3d22 6765 7422 2061 6374 696f 6e3d 2268 ="get".action="h
0x0a20: 7474 703a 2f2f 7777 772e 6261 6964 752e ttp://www.baidu.
0x0a30: 636f 6d2f 7322 3e0a 2020 2020 2020 2020 com/s">.........
0x0a40: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0a50: 3c69 6e70 7574 2063 6c61 7373 3d22 7075 <input.class="pu
0x0a60: 7265 2d69 6e70 7574 2d31 2d34 2220 6e61 re-input-1-4".na
0x0a70: 6d65 3d22 776f 7264 2220 7479 7065 3d22 me="word".type="
0x0a80: 7465 7874 223e 0a20 2020 2020 2020 2020 text">..........
0x0a90: 2020 2020 2020 2020 2020 2020 2020 203c ...............<
0x0aa0: 6275 7474 6f6e 2063 6c61 7373 3d22 7075 button.class="pu
0x0ab0: 7265 2d62 7574 746f 6e22 2074 7970 653d re-button".type=
0x0ac0: 2273 7562 6d69 7422 3e3c 613e 4261 6964 "submit"><a>Baid
0x0ad0: 75e4 b880 e4b8 8b3c 2f61 3e3c 2f62 7574 u......</a></but
0x0ae0: 746f 6e3e 0a20 2020 2020 2020 2020 2020 ton>............
0x0af0: 2020 2020 2020 2020 203c 2f66 6f72 6d3e .........</form>
0x0b00: 0a20 2020 2020 2020 2020 2020 2020 2020 ................
0x0b10: 203c 6469 7620 636c 6173 7320 3d20 2270 .<div.class.=."p
0x0b20: 6f73 7473 223e 0a20 2020 2020 2020 2020 osts">..........
0x0b30: 2020 2020 2020 2020 2020 203c 7365 6374 ...........<sect
0x0b40: 696f 6e20 636c 6173 733d 2270 6f73 7422 ion.class="post"
0x0b50: 3e0a 2020 2020 2020 2020 2020 2020 2020 >...............
0x0b60: 2020 2020 2020 2020 2020 3c66 6f72 6d20 ..........<form.
0x0b70: 6163 7469 6f6e 3d2f 626c 6f67 2f73 6561 action=/blog/sea
23:24:28.495815 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [P.], seq 2905:3791, ack 460, win 245, length 886
0x0000: 4500 039e f18f 4000 4006 dcf3 792a 258b E.....@.@...y*%.
0x0010: de81 eb9f 0050 c837 83b3 c3ad 3e3c 0bab .....P.7....><..
0x0020: 5018 00f5 6c67 0000 7263 6820 636c 6173 P...lg..rch.clas
0x0030: 733d 2270 7572 652d 666f 726d 2070 7572 s="pure-form.pur
0x0040: 652d 666f 726d 2d73 7461 636b 6564 2220 e-form-stacked".
0x0050: 6d65 7468 6f64 3d22 706f 7374 223e 0a20 method="post">..
0x0060: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0070: 2020 2020 2020 2020 2020 203c 696e 7075 ...........<inpu
0x0080: 7420 636c 6173 733d 2270 7572 652d 696e t.class="pure-in
0x0090: 7075 742d 312d 3422 206e 616d 653d 2273 put-1-4".name="s
0x00a0: 6561 7263 6877 6f72 6422 2074 7970 653d earchword".type=
0x00b0: 2274 6578 7422 3e0a 2020 2020 2020 2020 "text">.........
0x00c0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x00d0: 2020 2020 3c62 7574 746f 6e20 636c 6173 ....<button.clas
0x00e0: 733d 2270 7572 652d 6275 7474 6f6e 2220 s="pure-button".
0x00f0: 7479 7065 3d22 7375 626d 6974 2220 706c type="submit".pl
0x0100: 6163 6568 6f6c 6465 723d 2273 6561 7263 aceholder="searc
0x0110: 6822 3e3c 613e e7ab 99e5 8685 e690 9ce7 h"><a>..........
0x0120: b4a2 3c2f 613e 3c2f 6275 7474 6f6e 3e0a ..</a></button>.
0x0130: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0140: 2020 2020 2020 2020 3c2f 666f 726d 3e0a ........</form>.
0x0150: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0160: 3c64 6976 2063 6c61 7373 3d22 666f 6f74 <div.class="foot
0x0170: 6572 223e 0a20 2020 2020 2020 2020 2020 er">............
0x0180: 2020 2020 2020 2020 203c 6469 7620 636c .........<div.cl
0x0190: 6173 733d 2270 7572 652d 6d65 6e75 2070 ass="pure-menu.p
0x01a0: 7572 652d 6d65 6e75 2d68 6f72 697a 6f6e ure-menu-horizon
0x01b0: 7461 6c20 7075 7265 2d6d 656e 752d 6f70 tal.pure-menu-op
0x01c0: 656e 223e 0a20 2020 2020 2020 2020 2020 en">............
0x01d0: 2020 2020 2020 2020 203c 756c 3e0a 2020 .........<ul>...
0x01e0: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x01f0: 2020 2020 2020 3c6c 693e 3c61 2068 7265 ......<li><a.hre
0x0200: 663d 222f 6d65 223e 4162 6f75 7420 4d65 f="/me">About.Me
0x0210: 3c2f 613e 3c2f 6c69 3e3c 2f73 7061 6e3e </a></li></span>
0x0220: 0a20 2020 2020 2020 2020 2020 2020 2020 ................
0x0230: 2020 2020 2020 2020 203c 6c69 3e3c 6120 .........<li><a.
0x0240: 6872 6566 3d22 6874 7470 733a 2f2f 6769 href="https://gi
0x0250: 7468 7562 2e63 6f6d 2f72 6564 6861 646f thub.com/redhado
0x0260: 6f70 7768 792f 626c 6f67 223e 4769 7448 opwhy/blog">GitH
0x0270: 7562 3c2f 613e 3c2f 6c69 3e3c 2f73 7061 ub</a></li></spa
0x0280: 6e3e 0a20 2020 2020 2020 2020 2020 2020 n>..............
0x0290: 2020 2020 2020 2020 2020 203c 6c69 3e3c ...........<li><
0x02a0: 6120 6872 6566 3d22 6874 7470 3a2f 2f77 a.href="http://w
0x02b0: 7777 2e6d 6969 7462 6569 616e 2e67 6f76 ww.miitbeian.gov
0x02c0: 2e63 6e2f 223e e4ba ac49 4350 e5a4 8731 .cn/">...ICP...1
0x02d0: 3630 3632 3932 33e5 8fb7 3c2f 613e 3c2f 6062923...</a></
0x02e0: 6c69 3e3c 2f73 7061 6e3e 0a20 2020 2020 li></span>......
0x02f0: 2020 2020 2020 2020 2020 2020 2020 203c ...............<
0x0300: 2f75 6c3e 0a20 2020 2020 2020 2020 2020 /ul>............
0x0310: 2020 2020 2020 2020 203c 2f64 6976 3e0a .........</div>.
0x0320: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0330: 3c2f 6469 763e 0a3c 2f62 6f64 793e 2020 </div>.</body>..
0x0340: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0350: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0360: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0370: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0380: 2020 2020 2020 2020 2020 2020 2020 2020 ................
0x0390: 2020 200a 3c2f 6874 6d6c 3e0a 0d0a ....</html>...
23:24:28.495905 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [P.], seq 3791:3796, ack 460, win 245, length 5
0x0000: 4500 002d f190 4000 4006 e063 792a 258b E..-..@.@..cy*%.
0x0010: de81 eb9f 0050 c837 83b3 c723 3e3c 0bab .....P.7...#><..
0x0020: 5018 00f5 68f6 0000 300d 0a0d 0a P...h...0....
23:24:28.512090 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], ack 3796, win 64, length 0
0x0000: 4500 0028 66d2 4000 3406 7727 de81 eb9f E..(f.@.4.w'....
0x0010: 792a 258b c837 0050 3e3c 0bab 83b3 c728 y*%..7.P><.....(
0x0020: 5010 0040 e972 0000 P..@.r..
23:25:13.513632 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], seq 459:460, ack 3796, win 64, length 1
0x0000: 4500 0029 66db 4000 3406 771d de81 eb9f E..)f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 0baa 83b3 c728 y*%..7.P><.....(
0x0020: 5010 0040 e972 0000 00 P..@.r...
23:25:13.513660 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [.], ack 460, win 245, options [nop,nop,sack 1 {459:460}], length 0
0x0000: 4500 0034 f191 4000 4006 e05b 792a 258b E..4..@.@..[y*%.
0x0010: de81 eb9f 0050 c837 83b3 c728 3e3c 0bab .....P.7...(><..
0x0020: 8010 00f5 1ed9 0000 0101 050a 3e3c 0baa ............><..
0x0030: 3e3c 0bab ><..
23:25:33.550502 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [F.], seq 3796, ack 460, win 245, length 0
0x0000: 4500 0028 f192 4000 4006 e066 792a 258b E..(..@.@..fy*%.
0x0010: de81 eb9f 0050 c837 83b3 c728 3e3c 0bab .....P.7...(><..
0x0020: 5011 00f5 e8bc 0000 P.......
23:25:33.645861 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], ack 3797, win 64, length 0
0x0000: 4500 0028 66dd 4000 3406 771c de81 eb9f E..(f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 0bab 83b3 c729 y*%..7.P><.....)
0x0020: 5010 0040 e971 0000 P..@.q..
23:25:33.925451 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [F.], seq 460, ack 3797, win 64, length 0
0x0000: 4500 0028 66e0 4000 3406 7719 de81 eb9f E..(f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 0bab 83b3 c729 y*%..7.P><.....)
0x0020: 5011 0040 e970 0000 P..@.p..
23:25:33.925478 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [.], ack 461, win 245, length 0
0x0000: 4500 0028 0000 4000 4006 d1f9 792a 258b E..(..@.@...y*%.
0x0010: de81 eb9f 0050 c837 83b3 c729 3e3c 0bac .....P.7...)><..
0x0020: 5010 00f5 e8bb 0000 P.......
First packet, the first handshake
23:24:28.476145 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [S], seq 1044122079, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
0x0000: 4500 0034 66ce 4000 3406 771f de81 eb9f E..4f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 09df 0000 0000 y*%..7.P><......
0x0020: 8002 2000 d59e 0000 0204 05ac 0103 0308 ................
0x0030: 0101 0402 ....
- 23:24:28.476145 is the timestamp, precise to the microsecond
- IP 222.129.235.159.51255 > 121.42.37.139.80 means from port 51255 of 222.129.235.159 to port 80 of 121.42.37.139
- seq 1044122079, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
0x0000: each digit of the packet dump is a hexadecimal digit representing 4 bits
- 4500 in binary is 0100 0101 0000 0000: the 4 bits 0100 are the version, IPv4; the 4 bits 0101 are the header length, 5 32-bit words, i.e. 20 bytes; and the 8 bits 0000 0000 are the type of service (TOS)
- 0034 in binary is 0000 0000 0011 0100: the 16 bits 0000 0000 0011 0100 are the total length, 34 bytes
- 66ce in binary is 0110 0110 1100 1110: the 16 bits 0110 0110 1100 1110 are the identification
- 4000 in binary is 0100 0000 0000 0000: the 3 bits 010 are the flags, the 13 bits 0 0000 0000 0000 are the fragment offset
- 3406 in binary is 0011 0100 0000 0110: the 8 bits 0011 0100 are the time to live, 52; the 8 bits 0000 0110 are the protocol, TCP; neither of these is something we care about here
- 771f in binary is 0111 0111 0001 1111: the 16 bits 0111 0111 0001 1111 are the header checksum
- de81 in binary is 1101 1110 1000 0001
- eb9f in binary is 1110 1011 1001 1111: these 32 bits are the source IP address in dotted decimal: 1101 1110 is 222, 1000 0001 is 129, 1110 1011 is 235, 1001 1111 is 159, so the source address is 222.129.235.159
0x0010:
- 792a in binary is 0111 1001 0010 1010
- 258b in binary is 0010 0101 1000 1011: these 32 bits are the destination IP address in dotted decimal: 0111 1001 is 121, 0010 1010 is 42, 0010 0101 is 37, 1000 1011 is 139, so the destination address is 121.42.37.139. That concludes the IP header.
The TCP header follows:
- c837 in binary is 1100 1000 0011 0111: the 16 bits 1100 1000 0011 0111 are the source port, 51255
- 0050 in binary is 0000 0000 0101 0000: the 16 bits 0000 0000 0101 0000 are the destination port, 80
- 3e3c in binary is 0011 1110 0011 1100
- 09df in binary is 0000 1001 1101 1111: these 32 bits are the seq, value 1044122079, the SYN's initial sequence number, which is randomly generated
- 0000 in binary is 0000 0000 0000 0000
- 0000 in binary is 0000 0000 0000 0000: these 32 bits are the ack, value 0
0x0020:
- 8002 in binary is 1000 0000 0000 0010: the 4 bits 1000 are the data offset, the 6 bits 0000 00 are reserved, and the 6 bits 00 0010 are the flag bits urg, ack, psh, rst, syn and fin; here it is syn
- 2000 in binary is 0010 0000 0000 0000: the 16 bits 0010 0000 0000 0000 are the window, how many more bytes the TCP receive buffer can hold, 8192
- d59e in binary is 1101 0101 1001 1110: the 16 bits 1101 0101 1001 1110 are the checksum
- 0000 in binary is 0000 0000 0000 0000: the 16 bits 0000 0000 0000 0000 are the urgent pointer
- 0204 in binary is 0000 0010 0000 0100
- 05ac in binary is 0000 0101 1010 1100
- 0103 in binary is 0000 0001 0000 0011
- 0308 in binary is 0000 0011 0000 1000
0x0030:
- 0101 in binary is 0000 0001 0000 0001
- 0402 in binary is 0000 0100 0000 0010
Second packet, the second handshake
23:24:28.476205 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [S.], seq 2209593428, ack 1044122080, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
0x0000: 4500 0034 0000 4000 4006 d1ed 792a 258b E..4..@.@...y*%.
0x0010: de81 eb9f 0050 c837 83b3 b854 3e3c 09e0 .....P.7...T><..
0x0020: 8012 3908 8077 0000 0204 05b4 0101 0402 ..9..w..........
0x0030: 0103 0306
- Flags [S.], seq 2209593428, ack 1044122080, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
0x0000:
- omitted
0x0010:
- de81 eb9f 0050 c837 omitted
- 83b3 in binary is 1000 0011 1011 0011
- b854 in binary is 1011 1000 0101 0100: these 32 bits are the seq, value 2209593428, which is randomly generated
- 3e3c in binary is 0011 1110 0011 1100
- 09e0 in binary is 0000 1001 1110 0000: these 32 bits are the ack, value 1044122080; the client sent 1044122079 and the server adds one to it
0x0020:
- 8012 in binary is 1000 0000 0001 0010: the 4 bits 1000 are the data offset, the 6 bits 0000 00 are reserved, and the last 6 bits 01 0010 are the flag bits urg, ack, psh, rst, syn and fin; here it is ack+syn
The rest is omitted
0x0030:
- omitted
Third packet, the third handshake
23:24:28.492981 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], ack 1, win 64, length 0
0x0000: 4500 0028 66cf 4000 3406 772a de81 eb9f E..(f.@.4.w*....
0x0010: 792a 258b c837 0050 3e3c 09e0 83b3 b855 y*%..7.P><.....U
0x0020: 5010 0040 fa10 0000 P..@....
0x0000:
- omitted
0x0010:
- 792a 258b c837 0050 omitted
- 3e3c in binary is 0011 1110 0011 1100
- 09e0 in binary is 0000 1001 1110 0000: these 32 bits are the seq, value 1044122080; the ack value the server sent is sent back in the form of the seq
- 83b3 in binary is 1000 0011 1011 0011
- b855 in binary is 1011 1000 0101 0101: these 32 bits are the ack, value 2209593429; the server sent 2209593428 and the client adds one to it
0x0020:
- 5010 in binary is 0101 0000 0001 0000: the 4 bits 0101 are the data offset, the 6 bits 0000 00 are reserved, and the last 6 bits 01 0000 are the flag bits urg, ack, psh, rst, syn and fin; here it is ack
The rest is omitted
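As an added example that is not part of the original post, here is a small Python decoder that turns the hex words of the SYN and SYN-ACK dumps above into named IP and TCP fields (including the mss, wscale and sackOK options) and checks the rule the three handshake packets illustrate, that the SYN-ACK's ack equals the client's seq plus one. Fields are printed in decimal, so the total length word 0x0034 comes out as 52 bytes (20 of IP header plus 32 of TCP header).

```python
"""Decode IPv4 and TCP headers from the hex words of a tcpdump -X dump."""
import struct
import ipaddress

# Hex words of the client's SYN, copied from the dump on the page (the 0x00n0
# offsets and the ASCII column are left out); below it, the server's SYN-ACK.
SYN_HEX = """4500 0034 66ce 4000 3406 771f de81 eb9f
792a 258b c837 0050 3e3c 09df 0000 0000
8002 2000 d59e 0000 0204 05ac 0103 0308
0101 0402"""
SYNACK_HEX = """4500 0034 0000 4000 4006 d1ed 792a 258b
de81 eb9f 0050 c837 83b3 b854 3e3c 09e0
8012 3908 8077 0000 0204 05b4 0101 0402
0103 0306"""

# TCP flag bits, least significant first (bit 0 is FIN, bit 5 is URG).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]

def hexdump_to_bytes(dump):
    """Join the 16-bit hex words of a tcpdump -x/-X dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))

def parse_ipv4(pkt):
    """Decode the 20-byte IPv4 header; returns (fields, header length in bytes)."""
    ver_ihl, tos, total, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4  # the IHL nibble counts 32-bit words
    fields = {"version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total,
              "id": ident, "flags": frag >> 13, "frag_offset": frag & 0x1FFF,
              "ttl": ttl, "protocol": proto, "checksum": csum,
              "src": str(ipaddress.IPv4Address(pkt[12:16])),
              "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    return fields, ihl

def parse_tcp_options(opts):
    """Decode the option kinds that appear on the page: EOL, NOP, MSS, wscale, sackOK."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP is a single padding byte with no length field
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            out["wscale"] = body[0]
        elif kind == 4:
            out["sackOK"] = True
        else:
            out["kind%d" % kind] = body  # unknown kinds are kept raw
        i += length
    return out

def parse_tcp(seg):
    """Decode the TCP header, its options and the payload of one segment."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4  # data offset nibble, again in 32-bit words
    flag_bits = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": doff,
            "flags": {n for bit, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << bit)},
            "window": win, "checksum": csum, "urgent": urg,
            "options": parse_tcp_options(seg[20:doff]), "payload": seg[doff:]}

def decode_packet(dump):
    """Decode a whole IPv4/TCP packet given as tcpdump hex words."""
    pkt = hexdump_to_bytes(dump)
    ip, ihl = parse_ipv4(pkt)
    return {"ip": ip, "tcp": parse_tcp(pkt[ihl:ip["total_length"]])}

def check_handshake(syn_dump, synack_dump):
    """Check the rule the page works out: the SYN-ACK's ack is the client's seq plus one."""
    syn, synack = decode_packet(syn_dump)["tcp"], decode_packet(synack_dump)["tcp"]
    return synack["flags"] == {"SYN", "ACK"} and synack["ack"] == syn["seq"] + 1

if __name__ == "__main__":
    for name, dump in (("SYN", SYN_HEX), ("SYN-ACK", SYNACK_HEX)):
        d = decode_packet(dump)
        print(name, d["ip"]["src"], "->", d["ip"]["dst"], d["tcp"])
    print("SYN-ACK ack == SYN seq + 1:", check_handshake(SYN_HEX, SYNACK_HEX))
```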
Fourth packet, the HTTP GET request
23:24:28.493259 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [P.], seq 1:460, ack 1, win 64, length 459
0x0000: 4500 01f3 66d0 4000 3406 755e de81 eb9f E...f.@.4.u^....
0x0010: 792a 258b c837 0050 3e3c 09e0 83b3 b855 y*%..7.P><.....U
0x0020: 5018 0040 e71a 0000 4745 5420 2f20 4854 P..@....GET./.HT
0x0030: 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
0x0040: 772e 7768 7973 646f 6d61 696e 2e63 6f6d w.whysdomain.com
0x0050: 0d0a 436f 6e6e 6563 7469 6f6e 3a20 6b65 ..Connection:.ke
0x0060: 6570 2d61 6c69 7665 0d0a 4163 6365 7074 ep-alive..Accept
0x0070: 3a20 7465 7874 2f68 746d 6c2c 6170 706c :.text/html,appl
0x0080: 6963 6174 696f 6e2f 7868 746d 6c2b 786d ication/xhtml+xm
0x0090: 6c2c 6170 706c 6963 6174 696f 6e2f 786d l,application/xm
0x00a0: 6c3b 713d 302e 392c 696d 6167 652f 7765 l;q=0.9,image/we
0x00b0: 6270 2c2a 2f2a 3b71 3d30 2e38 0d0a 5573 bp,*/*;q=0.8..Us
0x00c0: 6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c er-Agent:.Mozill
0x00d0: 612f 352e 3020 2857 696e 646f 7773 204e a/5.0.(Windows.N
0x00e0: 5420 3130 2e30 3b20 574f 5736 3429 2041 T.10.0;.WOW64).A
0x00f0: 7070 6c65 5765 624b 6974 2f35 3337 2e33 ppleWebKit/537.3
0x0100: 3620 284b 4854 4d4c 2c20 6c69 6b65 2047 6.(KHTML,.like.G
0x0110: 6563 6b6f 2920 4368 726f 6d65 2f33 382e ecko).Chrome/38.
0x0120: 302e 3231 3235 2e31 3232 2053 6166 6172 0.2125.122.Safar
0x0130: 692f 3533 372e 3336 2053 4520 322e 5820 i/537.36.SE.2.X.
0x0140: 4d65 7461 5372 2031 2e30 0d0a 4163 6365 MetaSr.1.0..Acce
0x0150: 7074 2d45 6e63 6f64 696e 673a 2067 7a69 pt-Encoding:.gzi
0x0160: 702c 6465 666c 6174 652c 7364 6368 0d0a p,deflate,sdch..
0x0170: 4163 6365 7074 2d4c 616e 6775 6167 653a Accept-Language:
0x0180: 207a 682d 434e 2c7a 683b 713d 302e 380d .zh-CN,zh;q=0.8.
0x0190: 0a43 6f6f 6b69 653a 2073 6573 7369 6f6e .Cookie:.session
0x01a0: 6964 3d64 6f6f 6a72 7231 736d 7734 3931 id=doojrr1smw491
0x01b0: 666c 6a64 6a30 7162 3864 6134 736d 7676 fljdj0qb8da4smvv
0x01c0: 6d69 733b 2063 7372 6674 6f6b 656e 3d72 mis;.csrftoken=r
0x01d0: 5365 7031 6a72 5772 4845 4855 6544 7177 Sep1jrWrHEHUeDqw
0x01e0: 4b75 4839 5372 5641 616d 6570 7432 570d KuH9SrVAamept2W.
0x01f0: 0a0d 0a ...
0x0000:
- omitted
0x0010:
- 792a 258b c837 0050 omitted
- 3e3c in binary is 0011 1110 0011 1100
- 09e0 in binary is 0000 1001 1110 0000: these 32 bits are the seq, value 1044122080, the same seq as in the third handshake
- 83b3 in binary is 1000 0011 1011 0011
- b855 in binary is 1011 1000 0101 0101: these 32 bits are the ack, value 2209593429, the same ack as in the third handshake
0x0020:
- 5018 in binary is 0101 0000 0001 1000: the 4 bits 0101 are the data offset, 5, i.e. 5 32-bit words; the 6 bits 0000 00 are reserved; the last 6 bits 01 1000 are the flag bits urg, ack, psh, rst, syn and fin; here it is ack+psh
- 0040 in binary is 0000 0000 0100 0000: the 16 bits 0000 0000 0100 0000 are the window, how many more bytes the TCP receive buffer can hold, 64
- e71a in binary is 1110 0111 0001 1010: the 16 bits 1110 0111 0001 1010 are the checksum
- 0000 in binary is 0000 0000 0000 0000: the 16 bits 0000 0000 0000 0000 are the urgent pointer
- 4745 stands for 'GE': 47 is hexadecimal, written 0x47, and chr(0x47) converts the ASCII code into the character G; likewise 45 converts to E
- 5420 stands for 'T '; 20 is translated as data link escape
- 2f20 stands for '/ '
- 4854 stands for 'HT'
0x0030:
- 5450 stands for 'TP'
- 2f31 stands for '/1'
- 2e31 stands for '.1'
- 0d0a stands for '\r\n'
Omitted
The characters above are obtained by converting the hex values to ASCII codes:
[root@why ~]# python
Python 2.6.6 (r266:84292, Aug 18 2016, 15:13:37)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-17)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> chr(0x47)
'G'
>>> chr(0x45)
'E'
>>> chr(0x54)
'T'
>>> chr(0x20)
' '
>>> chr(0x2f)
'/'
>>> chr(0x48)
'H'
>>> chr(0x54)
'T'
>>> chr(0x2f)
'/'
>>> chr(0x31)
'1'
>>> chr(0x2e)
'.'
>>> chr(0x0d)
'\r'
>>> chr(0x0a)
'\n'
Fifth packet
23:24:28.493272 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [.], ack 460, win 245, length 0
0x0000: 4500 0028 f18c 4000 4006 e06c 792a 258b E..(..@.@..ly*%.
0x0010: de81 eb9f 0050 c837 83b3 b855 3e3c 0bab .....P.7...U><..
0x0020: 5010 00f5 f790 0000 P.......
0x0000:
- omitted
0x0010:
- 792a 258b c837 0050 omitted
- 83b3 in binary is 1000 0011 1011 0011
- b855 in binary is 1011 1000 0101 0101: these 32 bits are the seq, value 2209593429, the same as the ack in the third handshake
- 3e3c in binary is 0011 1110 0011 1100
- 0bab in binary is 0000 1011 1010 1011: these 32 bits are the ack, value 1044122539, the third handshake's seq 1044122080 plus 459
0x0020:
- 5010 in binary is 0101 0000 0001 0000: the 4 bits 0101 are the data offset, the 6 bits 0000 00 are reserved, and the last 6 bits 01 0000 are the flag bits urg, ack, psh, rst, syn and fin; here it is ack
The rest is omitted
The sixth and seventh packets are the data packets returned to the browser
The sixth packet ends with
>...............
..........<form.
action=/blog/sea
ending with sea
The seventh packet begins with
E.....@.@...y*%.
.....P.7....><..
P...lg..rch.clas
s="pure-form.pur
e-form-stacked".
method="post">..
The r of rch.clas is the 9th byte of the 0x0020 line, i.e. the 21st byte of the TCP segment, which is data
Joined with the sixth packet this gives search.class
and my HTML code is <form action={% url 'blog_search' %} class="pure-form pure-form-stacked" method="post">, so the two are contiguous
Eighth packet
23:24:28.495905 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [P.], seq 3791:3796, ack 460, win 245, length 5
0x0000: 4500 002d f190 4000 4006 e063 792a 258b E..-..@.@..cy*%.
0x0010: de81 eb9f 0050 c837 83b3 c723 3e3c 0bab .....P.7...#><..
0x0020: 5018 00f5 68f6 0000 300d 0a0d 0a P...h...0....
0x0020:
- 5018 in binary is 0101 0000 0001 1000: the 4 bits 0101 are the data offset, the 6 bits 0000 00 are reserved, and the last 6 bits 01 1000 are the flag bits urg, ack, psh, rst, syn and fin; here it is ack+psh, meaning the HTTP data has been sent completely and the client should hand this segment to the application-layer browser as soon as possible
Ninth packet
23:24:28.512090 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], ack 3796, win 64, length 0
0x0000: 4500 0028 66d2 4000 3406 7727 de81 eb9f E..(f.@.4.w'....
0x0010: 792a 258b c837 0050 3e3c 0bab 83b3 c728 y*%..7.P><.....(
0x0020: 5010 0040 e972 0000 P..@.r..
0x0020:
- 5010 in binary is 0101 0000 0001 0000: the 4 bits 0101 are the data offset, the 6 bits 0000 00 are reserved, and the last 6 bits 01 0000 are the flag bits urg, ack, psh, rst, syn and fin; here it is ack, acknowledging the sixth, seventh and eighth packets
The remaining packets are the four-way close
I captured two variants of the four-way close
First variant
23:25:13.513632 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], seq 459:460, ack 3796, win 64, length 1
0x0000: 4500 0029 66db 4000 3406 771d de81 eb9f E..)f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 0baa 83b3 c728 y*%..7.P><.....(
0x0020: 5010 0040 e972 0000 00 P..@.r...
23:25:13.513660 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [.], ack 460, win 245, options [nop,nop,sack 1 {459:460}], length 0
0x0000: 4500 0034 f191 4000 4006 e05b 792a 258b E..4..@.@..[y*%.
0x0010: de81 eb9f 0050 c837 83b3 c728 3e3c 0bab .....P.7...(><..
0x0020: 8010 00f5 1ed9 0000 0101 050a 3e3c 0baa ............><..
0x0030: 3e3c 0bab ><..
23:25:33.550502 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [F.], seq 3796, ack 460, win 245, length 0
0x0000: 4500 0028 f192 4000 4006 e066 792a 258b E..(..@.@..fy*%.
0x0010: de81 eb9f 0050 c837 83b3 c728 3e3c 0bab .....P.7...(><..
0x0020: 5011 00f5 e8bc 0000 P.......
23:25:33.645861 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [.], ack 3797, win 64, length 0
0x0000: 4500 0028 66dd 4000 3406 771c de81 eb9f E..(f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 0bab 83b3 c729 y*%..7.P><.....)
0x0020: 5010 0040 e971 0000 P..@.q..
23:25:33.925451 IP 222.129.235.159.51255 > 121.42.37.139.80: Flags [F.], seq 460, ack 3797, win 64, length 0
0x0000: 4500 0028 66e0 4000 3406 7719 de81 eb9f E..(f.@.4.w.....
0x0010: 792a 258b c837 0050 3e3c 0bab 83b3 c729 y*%..7.P><.....)
0x0020: 5011 0040 e970 0000 P..@.p..
23:25:33.925478 IP 121.42.37.139.80 > 222.129.235.159.51255: Flags [.], ack 461, win 245, length 0
0x0000: 4500 0028 0000 4000 4006 d1f9 792a 258b E..(..@.@...y*%.
0x0010: de81 eb9f 0050 c837 83b3 c729 3e3c 0bac .....P.7...)><..
0x0020: 5010 00f5 e8bb 0000 P.......
Second variant
23:48:00.705203 IP 222.129.235.159.56453 > 121.42.37.139.80: Flags [.], seq 459:460, ack 3796, win 64, length 1
0x0000: 4500 0029 7015 4000 3406 6de3 de81 eb9f E..)p.@.4.m.....
0x0010: 792a 258b dc85 0050 b382 73a8 12b4 ac19 y*%....P..s.....
0x0020: 5010 0040 83ee 0000 00 P..@.....
23:48:00.705233 IP 121.42.37.139.80 > 222.129.235.159.56453: Flags [.], ack 460, win 245, options [nop,nop,sack 1 {459:460}], length 0
0x0000: 4500 0034 7d31 4000 4006 54bc 792a 258b E..4}1@.@.T.y*%.
0x0010: de81 eb9f 0050 dc85 12b4 ac19 b382 73a9 .....P........s.
0x0020: 8010 00f5 feca 0000 0101 050a b382 73a8 ..............s.
0x0030: b382 73a9 ..s.
23:48:20.746337 IP 121.42.37.139.80 > 222.129.235.159.56453: Flags [F.], seq 3796, ack 460, win 245, length 0
0x0000: 4500 0028 7d32 4000 4006 54c7 792a 258b E..(}2@.@.T.y*%.
0x0010: de81 eb9f 0050 dc85 12b4 ac19 b382 73a9 .....P........s.
0x0020: 5011 00f5 8338 0000 P....8..
23:48:20.764939 IP 222.129.235.159.56453 > 121.42.37.139.80: Flags [.], ack 3797, win 64, length 0
0x0000: 4500 0028 7018 4000 3406 6de1 de81 eb9f E..(p.@.4.m.....
0x0010: 792a 258b dc85 0050 b382 73a9 12b4 ac1a y*%....P..s.....
0x0020: 5010 0040 83ed 0000 P..@....
Capturing by packet content
Capturing GET packets
Get the hex value of each character of GET:
>>> hex(ord('G'))
'0x47'
>>> hex(ord('E'))
'0x45'
>>> hex(ord('T'))
'0x54'
>>> hex(ord(' '))
'0x20'
- proto[expr:size] syntax
proto is the protocol name, expr is the offset, and size is the number of bytes to extract after the offset (default 1). We are capturing the TCP protocol, the offset is tcp[12] >> 2, and size, the number of bytes to extract, is 4.
tcp[12] is the 13th byte (the first byte is 0); tcp[12] >> 2 means taking 2 bytes starting from the 13th byte, and those two bytes happen to represent the offset.
[root@why ~]# tcpdump -i eth1 -nnn -X 'tcp[(tcp[12] >> 2):4]=0x47455420'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:17:26.673999 IP 222.129.235.159.56677 > 121.42.37.139.80: Flags [P.], seq 3597343342:3597343847, ack 2317967084, win 64, length 505
0x0000: 4500 0221 7480 4000 3406 6780 de81 eb9f E..!t.@.4.g.....
0x0010: 792a 258b dd65 0050 d66b 1a6e 8a29 5eec y*%..e.P.k.n.)^.
0x0020: 5018 0040 0dd5 0000 4745 5420 2f62 6c6f P..@....GET./blo
0x0030: 6720 4854 5450 2f31 2e31 0d0a 486f 7374 g.HTTP/1.1..Host
0x0040: 3a20 7777 772e 7768 7973 646f 6d61 696e :.www.whysdomain
0x0050: 2e63 6f6d 0d0a 436f 6e6e 6563 7469 6f6e .com..Connection
0x0060: 3a20 6b65 6570 2d61 6c69 7665 0d0a 4163 :.keep-alive..Ac
0x0070: 6365 7074 3a20 7465 7874 2f68 746d 6c2c cept:.text/html,
0x0080: 6170 706c 6963 6174 696f 6e2f 7868 746d application/xhtm
0x0090: 6c2b 786d 6c2c 6170 706c 6963 6174 696f l+xml,applicatio
0x00a0: 6e2f 786d 6c3b 713d 302e 392c 696d 6167 n/xml;q=0.9,imag
0x00b0: 652f 7765 6270 2c2a 2f2a 3b71 3d30 2e38 e/webp,*/*;q=0.8
0x00c0: 0d0a 5573 6572 2d41 6765 6e74 3a20 4d6f ..User-Agent:.Mo
0x00d0: 7a69 6c6c 612f 352e 3020 2857 696e 646f zilla/5.0.(Windo
0x00e0: 7773 204e 5420 3130 2e30 3b20 574f 5736 ws.NT.10.0;.WOW6
0x00f0: 3429 2041 7070 6c65 5765 624b 6974 2f35 4).AppleWebKit/5
0x0100: 3337 2e33 3620 284b 4854 4d4c 2c20 6c69 37.36.(KHTML,.li
0x0110: 6b65 2047 6563 6b6f 2920 4368 726f 6d65 ke.Gecko).Chrome
0x0120: 2f33 382e 302e 3231 3235 2e31 3232 2053 /38.0.2125.122.S
0x0130: 6166 6172 692f 3533 372e 3336 2053 4520 afari/537.36.SE.
0x0140: 322e 5820 4d65 7461 5372 2031 2e30 0d0a 2.X.MetaSr.1.0..
0x0150: 5265 6665 7265 723a 2068 7474 703a 2f2f Referer:.http://
0x0160: 7777 772e 7768 7973 646f 6d61 696e 2e63 www.whysdomain.c
0x0170: 6f6d 2f62 6c6f 672f 0d0a 4163 6365 7074 om/blog/..Accept
0x0180: 2d45 6e63 6f64 696e 673a 2067 7a69 702c -Encoding:.gzip,
0x0190: 6465 666c 6174 652c 7364 6368 0d0a 4163 deflate,sdch..Ac
0x01a0: 6365 7074 2d4c 616e 6775 6167 653a 207a cept-Language:.z
0x01b0: 682d 434e 2c7a 683b 713d 302e 380d 0a43 h-CN,zh;q=0.8..C
0x01c0: 6f6f 6b69 653a 2073 6573 7369 6f6e 6964 ookie:.sessionid
0x01d0: 3d64 6f6f 6a72 7231 736d 7734 3931 666c =doojrr1smw491fl
0x01e0: 6a64 6a30 7162 3864 6134 736d 7676 6d69 jdj0qb8da4smvvmi
0x01f0: 733b 2063 7372 6674 6f6b 656e 3d72 5365 s;.csrftoken=rSe
0x0200: 7031 6a72 5772 4845 4855 6544 7177 4b75 p1jrWrHEHUeDqwKu
0x0210: 4839 5372 5641 616d 6570 7432 570d 0a0d H9SrVAamept2W...
0x0220: 0a .
00:19:38.012046 IP 222.129.235.159.56705 > 121.42.37.139.80: Flags [P.], seq 1598730869:1598731328, ack 4007224157, win 64, length 459
0x0000: 4500 01f3 749c 4000 3406 6792 de81 eb9f E...t.@.4.g.....
0x0010: 792a 258b dd81 0050 5f4a b275 eed9 635d y*%....P_J.u..c]
0x0020: 5018 0040 f1fe 0000 4745 5420 2f20 4854 P..@....GET./.HT
0x0030: 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
0x0040: 772e 7768 7973 646f 6d61 696e 2e63 6f6d w.whysdomain.com
0x0050: 0d0a 436f 6e6e 6563 7469 6f6e 3a20 6b65 ..Connection:.ke
0x0060: 6570 2d61 6c69 7665 0d0a 4163 6365 7074 ep-alive..Accept
0x0070: 3a20 7465 7874 2f68 746d 6c2c 6170 706c :.text/html,appl
0x0080: 6963 6174 696f 6e2f 7868 746d 6c2b 786d ication/xhtml+xm
0x0090: 6c2c 6170 706c 6963 6174 696f 6e2f 786d l,application/xm
0x00a0: 6c3b 713d 302e 392c 696d 6167 652f 7765 l;q=0.9,image/we
0x00b0: 6270 2c2a 2f2a 3b71 3d30 2e38 0d0a 5573 bp,*/*;q=0.8..Us
0x00c0: 6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c er-Agent:.Mozill
0x00d0: 612f 352e 3020 2857 696e 646f 7773 204e a/5.0.(Windows.N
0x00e0: 5420 3130 2e30 3b20 574f 5736 3429 2041 T.10.0;.WOW64).A
0x00f0: 7070 6c65 5765 624b 6974 2f35 3337 2e33 ppleWebKit/537.3
0x0100: 3620 284b 4854 4d4c 2c20 6c69 6b65 2047 6.(KHTML,.like.G
0x0110: 6563 6b6f 2920 4368 726f 6d65 2f33 382e ecko).Chrome/38.
0x0120: 302e 3231 3235 2e31 3232 2053 6166 6172 0.2125.122.Safar
0x0130: 692f 3533 372e 3336 2053 4520 322e 5820 i/537.36.SE.2.X.
0x0140: 4d65 7461 5372 2031 2e30 0d0a 4163 6365 MetaSr.1.0..Acce
0x0150: 7074 2d45 6e63 6f64 696e 673a 2067 7a69 pt-Encoding:.gzi
0x0160: 702c 6465 666c 6174 652c 7364 6368 0d0a p,deflate,sdch..
0x0170: 4163 6365 7074 2d4c 616e 6775 6167 653a Accept-Language:
0x0180: 207a 682d 434e 2c7a 683b 713d 302e 380d .zh-CN,zh;q=0.8.
0x0190: 0a43 6f6f 6b69 653a 2073 6573 7369 6f6e .Cookie:.session
0x01a0: 6964 3d64 6f6f 6a72 7231 736d 7734 3931 id=doojrr1smw491
0x01b0: 666c 6a64 6a30 7162 3864 6134 736d 7676 fljdj0qb8da4smvv
0x01c0: 6d69 733b 2063 7372 6674 6f6b 656e 3d72 mis;.csrftoken=r
0x01d0: 5365 7031 6a72 5772 4845 4855 6544 7177 Sep1jrWrHEHUeDqw
0x01e0: 4b75 4839 5372 5641 616d 6570 7432 570d KuH9SrVAamept2W.
0x01f0: 0a0d 0a ...
We can see that we captured the packets requesting / and /blog
Capturing GET requests for the /blog path
>>> hex(ord('b'))
'0x62'
>>> hex(ord('l'))
'0x6c'
>>> hex(ord('o'))
'0x6f'
>>> hex(ord('g'))
'0x67'
Add 5 to the offset to skip past 'GET /'
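As an added example (not code from the original post), here is the page's offset filter, both the plain GET form and the +5 /blog form, evaluated in Python over the first 64 bytes of the two GET packets dumped above and over the client's SYN. tcp[12] holds the data offset in its high nibble, in 32-bit words, so tcp[12] >> 2 is the TCP header length in bytes (20 for these packets), which is where the payload and therefore the bytes 'GET ' begin; +5 skips 'GET /' and lands on 'blog'. The SYN carries no payload, so the same load runs off the end of the packet and the filter does not match it.

```python
"""Evaluate the page's tcpdump byte-offset filters in Python over raw packet bytes."""

# Constructed excerpts: the first 64 bytes (IP header, TCP header and the first
# 24 payload bytes) of the two GET requests dumped on the page. The filters only
# read these bytes, so the rest of each packet is left out.
GET_ROOT = bytes.fromhex("4500 01f3 66d0 4000 3406 755e de81 eb9f"
                         "792a 258b c837 0050 3e3c 09e0 83b3 b855"
                         "5018 0040 e71a 0000 4745 5420 2f20 4854"
                         "5450 2f31 2e31 0d0a 486f 7374 3a20 7777")
GET_BLOG = bytes.fromhex("4500 021c 730d 4000 3406 68f8 de81 eb9f"
                         "792a 258b dd1b 0050 c61c ec60 d60f b0b9"
                         "5018 0040 1040 0000 4745 5420 2f62 6c6f"
                         "6720 4854 5450 2f31 2e31 0d0a 486f 7374")
# The client's SYN from the page, complete: 52 bytes, options but no payload.
SYN = bytes.fromhex("4500 0034 66ce 4000 3406 771f de81 eb9f"
                    "792a 258b c837 0050 3e3c 09df 0000 0000"
                    "8002 2000 d59e 0000 0204 05ac 0103 0308"
                    "0101 0402")

def ascii_const(text):
    """Pack a string into the integer literal the page builds with hex(ord()),
    e.g. 'GET ' -> 0x47455420 and 'blog' -> 0x626c6f67."""
    return int.from_bytes(text.encode("ascii"), "big")

def tcp_segment(pkt):
    """Slice the TCP segment out of an IPv4 packet: tcp[0] is the first byte
    after the IP header, whose length is the IHL nibble times 4."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl:]

def payload_offset(seg, mask_reserved=True):
    """tcp[12] >> 2 as the page writes it. The high nibble of byte 12 is the data
    offset in 32-bit words; shifting the whole byte right by 2 multiplies it by
    4, so the result is the header length in bytes. Masking out the low nibble
    (reserved bits) is the robust form; the page's unmasked form agrees as long
    as those bits are zero, which is the case for every packet on the page."""
    byte = seg[12] & 0xF0 if mask_reserved else seg[12]
    return byte >> 2

def load(seg, offset, size):
    """proto[offset:size]: the big-endian integer of `size` bytes at `offset`, or
    None when the range runs past the end of the packet, which tcpdump treats as
    no match. Real tcpdump only accepts sizes 1, 2 and 4."""
    if offset < 0 or offset + size > len(seg):
        return None
    return int.from_bytes(seg[offset:offset + size], "big")

def matches_literal(pkt, text, skip=0):
    """tcp[((tcp[12] >> 2)+skip):len(text)] = <text as hex>, the page's filter shape."""
    seg = tcp_segment(pkt)
    return load(seg, payload_offset(seg) + skip, len(text)) == ascii_const(text)

def bpf_expression(text, skip=0):
    """Render the same filter as the tcpdump expression string used on the page."""
    const = "0x%0*x" % (2 * len(text), ascii_const(text))
    index = "(tcp[12] >> 2)" if skip == 0 else "((tcp[12] >> 2)+%d)" % skip
    return "tcp[%s:%d]=%s" % (index, len(text), const)

if __name__ == "__main__":
    for label, pkt in (("GET /", GET_ROOT), ("GET /blog", GET_BLOG), ("SYN", SYN)):
        print(label, "payload at", payload_offset(tcp_segment(pkt)),
              "GET?", matches_literal(pkt, "GET "), "/blog?", matches_literal(pkt, "blog", 5))
    print(bpf_expression("GET "))
    print(bpf_expression("blog", 5))
```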
[root@why ~]# tcpdump -i eth1 -nnn -X 'tcp[((tcp[12] >> 2)+5):4]=0x626c6f67'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:08:15.697535 IP 222.129.235.159.56603 > 121.42.37.139.80: Flags [P.], seq 3323784288:3323784788, ack 3591352505, win 64, length 500
0x0000: 4500 021c 730d 4000 3406 68f8 de81 eb9f E...s.@.4.h.....
0x0010: 792a 258b dd1b 0050 c61c ec60 d60f b0b9 y*%....P...`....
0x0020: 5018 0040 1040 0000 4745 5420 2f62 6c6f P..@.@..GET./blo
0x0030: 6720 4854 5450 2f31 2e31 0d0a 486f 7374 g.HTTP/1.1..Host
0x0040: 3a20 7777 772e 7768 7973 646f 6d61 696e :.www.whysdomain
0x0050: 2e63 6f6d 0d0a 436f 6e6e 6563 7469 6f6e .com..Connection
0x0060: 3a20 6b65 6570 2d61 6c69 7665 0d0a 4163 :.keep-alive..Ac
0x0070: 6365 7074 3a20 7465 7874 2f68 746d 6c2c cept:.text/html,
0x0080: 6170 706c 6963 6174 696f 6e2f 7868 746d application/xhtm
0x0090: 6c2b 786d 6c2c 6170 706c 6963 6174 696f l+xml,applicatio
0x00a0: 6e2f 786d 6c3b 713d 302e 392c 696d 6167 n/xml;q=0.9,imag
0x00b0: 652f 7765 6270 2c2a 2f2a 3b71 3d30 2e38 e/webp,*/*;q=0.8
0x00c0: 0d0a 5573 6572 2d41 6765 6e74 3a20 4d6f ..User-Agent:.Mo
0x00d0: 7a69 6c6c 612f 352e 3020 2857 696e 646f zilla/5.0.(Windo
0x00e0: 7773 204e 5420 3130 2e30 3b20 574f 5736 ws.NT.10.0;.WOW6
0x00f0: 3429 2041 7070 6c65 5765 624b 6974 2f35 4).AppleWebKit/5
0x0100: 3337 2e33 3620 284b 4854 4d4c 2c20 6c69 37.36.(KHTML,.li
0x0110: 6b65 2047 6563 6b6f 2920 4368 726f 6d65 ke.Gecko).Chrome
0x0120: 2f33 382e 302e 3231 3235 2e31 3232 2053 /38.0.2125.122.S
0x0130: 6166 6172 692f 3533 372e 3336 2053 4520 afari/537.36.SE.
0x0140: 322e 5820 4d65 7461 5372 2031 2e30 0d0a 2.X.MetaSr.1.0..
0x0150: 5265 6665 7265 723a 2068 7474 703a 2f2f Referer:.http://
0x0160: 7777 772e 7768 7973 646f 6d61 696e 2e63 www.whysdomain.c
0x0170: 6f6d 2f0d 0a41 6363 6570 742d 456e 636f om/..Accept-Enco
0x0180: 6469 6e67 3a20 677a 6970 2c64 6566 6c61 ding:.gzip,defla
0x0190: 7465 2c73 6463 680d 0a41 6363 6570 742d te,sdch..Accept-
0x01a0: 4c61 6e67 7561 6765 3a20 7a68 2d43 4e2c Language:.zh-CN,
0x01b0: 7a68 3b71 3d30 2e38 0d0a 436f 6f6b 6965 zh;q=0.8..Cookie
0x01c0: 3a20 7365 7373 696f 6e69 643d 646f 6f6a :.sessionid=dooj
0x01d0: 7272 3173 6d77 3439 3166 6c6a 646a 3071 rr1smw491fljdj0q
0x01e0: 6238 6461 3473 6d76 766d 6973 3b20 6373 b8da4smvvmis;.cs
0x01f0: 7266 746f 6b65 6e3d 7253 6570 316a 7257 rftoken=rSep1jrW
0x0200: 7248 4548 5565 4471 774b 7548 3953 7256 rHEHUeDqwKuH9SrV
0x0210: 4161 6d65 7074 3257 0d0a 0d0a Aamept2W....
00:08:15.726563 IP 222.129.235.159.56603 > 121.42.37.139.80: Flags [P.], seq 500:1001, ack 249, win 63, length 501
0x0000: 4500 021d 730f 4000 3406 68f5 de81 eb9f E...s.@.4.h.....
0x0010: 792a 258b dd1b 0050 c61c ee54 d60f b1b1 y*%....P...T....
0x0020: 5018 003f f53c 0000 4745 5420 2f62 6c6f P..?.<..GET./blo
0x0030: 672f 2048 5454 502f 312e 310d 0a48 6f73 g/.HTTP/1.1..Hos
0x0040: 743a 2077 7777 2e77 6879 7364 6f6d 6169 t:.www.whysdomai
0x0050: 6e2e 636f 6d0d 0a43 6f6e 6e65 6374 696f n.com..Connectio
0x0060: 6e3a 206b 6565 702d 616c 6976 650d 0a41 n:.keep-alive..A
0x0070: 6363 6570 743a 2074 6578 742f 6874 6d6c ccept:.text/html
0x0080: 2c61 7070 6c69 6361 7469 6f6e 2f78 6874 ,application/xht
0x0090: 6d6c 2b78 6d6c 2c61 7070 6c69 6361 7469 ml+xml,applicati
0x00a0: 6f6e 2f78 6d6c 3b71 3d30 2e39 2c69 6d61 on/xml;q=0.9,ima
0x00b0: 6765 2f77 6562 702c 2a2f 2a3b 713d 302e ge/webp,*/*;q=0.
0x00c0: 380d 0a55 7365 722d 4167 656e 743a 204d 8..User-Agent:.M
0x00d0: 6f7a 696c 6c61 2f35 2e30 2028 5769 6e64 ozilla/5.0.(Wind
0x00e0: 6f77 7320 4e54 2031 302e 303b 2057 4f57 ows.NT.10.0;.WOW
0x00f0: 3634 2920 4170 706c 6557 6562 4b69 742f 64).AppleWebKit/
0x0100: 3533 372e 3336 2028 4b48 544d 4c2c 206c 537.36.(KHTML,.l
0x0110: 696b 6520 4765 636b 6f29 2043 6872 6f6d ike.Gecko).Chrom
0x0120: 652f 3338 2e30 2e32 3132 352e 3132 3220 e/38.0.2125.122.
0x0130: 5361 6661 7269 2f35 3337 2e33 3620 5345 Safari/537.36.SE
0x0140: 2032 2e58 204d 6574 6153 7220 312e 300d .2.X.MetaSr.1.0.
0x0150: 0a52 6566 6572 6572 3a20 6874 7470 3a2f .Referer:.http:/
0x0160: 2f77 7777 2e77 6879 7364 6f6d 6169 6e2e /www.whysdomain.
0x0170: 636f 6d2f 0d0a 4163 6365 7074 2d45 6e63 com/..Accept-Enc
0x0180: 6f64 696e 673a 2067 7a69 702c 6465 666c oding:.gzip,defl
0x0190: 6174 652c 7364 6368 0d0a 4163 6365 7074 ate,sdch..Accept
0x01a0: 2d4c 616e 6775 6167 653a 207a 682d 434e -Language:.zh-CN
0x01b0: 2c7a 683b 713d 302e 380d 0a43 6f6f 6b69 ,zh;q=0.8..Cooki
0x01c0: 653a 2073 6573 7369 6f6e 6964 3d64 6f6f e:.sessionid=doo
0x01d0: 6a72 7231 736d 7734 3931 666c 6a64 6a30 jrr1smw491fljdj0
0x01e0: 7162 3864 6134 736d 7676 6d69 733b 2063 qb8da4smvvmis;.c
0x01f0: 7372 6674 6f6b 656e 3d72 5365 7031 6a72 srftoken=rSep1jr
0x0200: 5772 4845 4855 6544 7177 4b75 4839 5372 WrHEHUeDqwKuH9Sr
0x0210: 5641 616d 6570 7432 570d 0a0d 0a VAamept2W....
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel