tcpdump / HTTP protocol in practice

Client:

CLOSED->SYN_SENT->ESTABLISHED->FIN_WAIT_1->FIN_WAIT_2->TIME_WAIT->CLOSED

Server:

CLOSED->LISTEN->SYN_RCVD (SYN received)->ESTABLISHED->CLOSE_WAIT->LAST_ACK->CLOSED

# tcpdump host 192.168.64.71 and port 80 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
10:13:01.617505 IP 10.1.9.11.58384 > 192.168.64.71.80: Syn 3718379515:3718379515(0) win 65535 <mss 1460,nop,nop,sackOK>   (client sends the connection request)
10:13:01.617631 IP 192.168.64.71.80 > 10.1.9.11.58384: Syn 261066897:261066897(0) ack 3718379516 win 5840 <mss 1460,nop,nop,sackOK>   (server answers the connection request)
10:13:01.617766 IP 10.1.9.11.58384 > 192.168.64.71.80: . ack 1 win 65535
10:13:01.618011 IP 10.1.9.11.58384 > 192.168.64.71.80: Push 1:612(611) ack 1 win 65535   (client sends data to the server: the HTTP request)
10:13:01.618023 IP 192.168.64.71.80 > 10.1.9.11.58384: . ack 612 win 6721
10:13:01.618486 IP 192.168.64.71.80 > 10.1.9.11.58384: Push 1:329(328) ack 612 win 6721   (server sends data back to the client: the HTTP response)
10:13:01.618510 IP 192.168.64.71.80 > 10.1.9.11.58384: Push 329:1303(974) ack 612 win 6721
10:13:01.619638 IP 10.1.9.11.58384 > 192.168.64.71.80: . ack 1303 win 64233
10:13:11.574352 IP 10.1.9.11.58384 > 192.168.64.71.80: Fin 612:612(0) ack 1303 win 64233   (client initiates the close)
10:13:11.574455 IP 192.168.64.71.80 > 10.1.9.11.58384: Fin 1303:1303(0) ack 613 win 6721   (server answers the client's close)
10:13:11.574991 IP 10.1.9.11.58384 > 192.168.64.71.80: . ack 1304 win 64233   (client enters TIME_WAIT)

- The response the server (192.168.64.71.80) sent back to the client (10.1.9.11.58384) was split into two TCP segments: the first carried 328 bytes, the second 974 bytes.

- The close was initiated by the client (10.1.9.11.58384), so it is the client that has to go through the TIME_WAIT state.

Site found: www.tcpdump.com=192.168.64.71

Connecting to 192.168.64.71

Connected to 192.168.64.71

GET http:// www.tcpdump.com/

> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

> Host: tsf.oa.com

Request sent. 611 bytes

Data available. 974/974 bytes

HTTP/1.1 200 OK

Date: Sun, 10 Aug 2008 02:27:08 GMT

Server: Apache/2.0.59 (Unix) DAV/2 PHP/5.2.1 SVN/1.4.6

Last-Modified: Wed, 21 May 2008 01:19:21 GMT

ETag: "298227-3ce-62ec9840"

Accept-Ranges: bytes

Content-Length: 974

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=GB2312

 

200 Request complete

Judging from the capture above, Apache sends the HTTP response headers and the body as two separate parts (328 bytes of headers, then the 974-byte body, which matches Content-Length: 974), and the TCP/IP stack did not split them any further: each send call put its data on the wire in full. Both parts are smaller than the 1460-byte MSS negotiated in the handshake, so there was nothing for the stack to segment.
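The state sequences at the top of the page and the two observations about the capture can be checked mechanically. The following Python script is an added example, not part of the original post: it parses the eleven tcpdump lines from this capture (copied verbatim, annotations removed), replays them through the TCP state machine for each endpoint, totals payload bytes per direction, and checks that the server's two data segments are headers plus a body equal to Content-Length: 974, both under the 1460-byte MSS from the SYN. The regular expression is written for the flag words as they appear in this trace (Syn, Push, Fin, .), not for every tcpdump version's output.

```python
import re
from collections import defaultdict

# The TCP segments from the tcpdump output on this page, annotations stripped.
CAPTURE = """\
10:13:01.617505 IP 10.1.9.11.58384 > 192.168.64.71.80: Syn 3718379515:3718379515(0) win 65535 <mss 1460,nop,nop,sackOK>
10:13:01.617631 IP 192.168.64.71.80 > 10.1.9.11.58384: Syn 261066897:261066897(0) ack 3718379516 win 5840 <mss 1460,nop,nop,sackOK>
10:13:01.617766 IP 10.1.9.11.58384 > 192.168.64.71.80: . ack 1 win 65535
10:13:01.618011 IP 10.1.9.11.58384 > 192.168.64.71.80: Push 1:612(611) ack 1 win 65535
10:13:01.618023 IP 192.168.64.71.80 > 10.1.9.11.58384: . ack 612 win 6721
10:13:01.618486 IP 192.168.64.71.80 > 10.1.9.11.58384: Push 1:329(328) ack 612 win 6721
10:13:01.618510 IP 192.168.64.71.80 > 10.1.9.11.58384: Push 329:1303(974) ack 612 win 6721
10:13:01.619638 IP 10.1.9.11.58384 > 192.168.64.71.80: . ack 1303 win 64233
10:13:11.574352 IP 10.1.9.11.58384 > 192.168.64.71.80: Fin 612:612(0) ack 1303 win 64233
10:13:11.574455 IP 192.168.64.71.80 > 10.1.9.11.58384: Fin 1303:1303(0) ack 613 win 6721
10:13:11.574991 IP 10.1.9.11.58384 > 192.168.64.71.80: . ack 1304 win 64233
"""
# Fields: timestamp, endpoints, flag word, optional "seq0:seq1(len)", optional ack,
# window; the flag words (Syn/Push/Fin/.) are the ones this page's trace uses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>Syn|Push|Fin|\.)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
MSS_RE = re.compile(r"<mss (\d+)")

def parse_capture(text):
    """Turn tcpdump lines into segment dicts; raise on a line we cannot read."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised tcpdump line: " + line)
        mss = MSS_RE.search(line)
        segs.append({"src": m["src"], "dst": m["dst"], "flags": m["flags"],
                     "len": int(m["len"] or 0), "ack": int(m["ack"]) if m["ack"] else None,
                     "mss": int(mss.group(1)) if mss else None})
    return segs

def track_states(segs):
    """Replay the trace through the TCP state machine of both endpoints."""
    # The first SYN's sender is the client (active open); the first FIN's sender is
    # the active closer and ends in TIME_WAIT (TIME_WAIT -> CLOSED is a timer, never a packet).
    first = segs[0]
    if first["flags"] != "Syn" or first["ack"] is not None:
        raise ValueError("trace does not start with a client SYN")
    client, server = first["src"], first["dst"]
    state = {client: "CLOSED", server: "LISTEN"}
    history = {client: ["CLOSED"], server: ["CLOSED", "LISTEN"]}

    def move(side, new_state):
        state[side] = new_state
        history[side].append(new_state)

    for s in segs:
        sender, peer, f = s["src"], s["dst"], s["flags"]
        if f == "Syn" and s["ack"] is None:              # SYN: active open
            move(sender, "SYN_SENT")
            move(peer, "SYN_RCVD")
        elif f == "Syn":                                  # SYN+ACK reaches the client
            move(peer, "ESTABLISHED")
        elif f == "." and state[peer] == "SYN_RCVD":      # third handshake ACK
            move(peer, "ESTABLISHED")
        elif f == "Fin" and state[sender] == "ESTABLISHED":   # active close
            move(sender, "FIN_WAIT_1")
            move(peer, "CLOSE_WAIT")
        elif f == "Fin" and state[sender] == "CLOSE_WAIT":    # passive close
            move(sender, "LAST_ACK")
            if state[peer] == "FIN_WAIT_1":   # this FIN also ACKs the first FIN
                move(peer, "FIN_WAIT_2")
            move(peer, "TIME_WAIT")
        elif f == "." and state[peer] == "LAST_ACK":      # final ACK
            move(peer, "CLOSED")
    return client, server, history

def payload_summary(segs):
    """Data segments and payload bytes per direction, keyed by (src, dst)."""
    out = defaultdict(lambda: {"segments": 0, "bytes": 0})
    for s in segs:
        if s["len"]:
            out[(s["src"], s["dst"])]["segments"] += 1
            out[(s["src"], s["dst"])]["bytes"] += s["len"]
    return dict(out)

def http_response_split(segs, server, content_length):
    """(header_bytes, body_bytes) of a response the server sent as two segments."""
    # content_length is the Content-Length of the page's response (974). The second
    # segment must carry exactly the body, and neither may exceed the MSS from the SYN.
    mss = next(s["mss"] for s in segs if s["mss"])
    data = [s["len"] for s in segs if s["src"] == server and s["len"]]
    if len(data) != 2 or data[1] != content_length or max(data) > mss:
        raise ValueError("not headers + body in two segments: %r" % data)
    return data[0], data[1]

if __name__ == "__main__":
    segs = parse_capture(CAPTURE)
    client, server, hist = track_states(segs)
    print(hist, payload_summary(segs), http_response_split(segs, server, 974))
```

Running it prints the client path ending in TIME_WAIT and the server path ending in CLOSED, one 611-byte segment from the client and two segments (1302 bytes) from the server, and the (328, 974) split. The same tracker can be pointed at any trace where the client both opens and closes the connection; if the server had closed first, the FIN branches would place the server in FIN_WAIT_1/TIME_WAIT and the client in CLOSE_WAIT/LAST_ACK instead.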

 

Showing packet contents:

tcpdump -i eth1 -n -vv -x -e -s 1600 # raw bytes in hex only
tcpdump -i eth1 -n -vv -X -e -s 1600 # hex plus ASCII text

-s sets the snapshot length: how many bytes of each packet are captured and therefore shown.
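Added example (not from the original post) showing what -x and -X make visible and why -s matters. The trace earlier on this page was taken with a capture size of 96 bytes; after the 14-byte Ethernet, 20-byte IPv4 and 20-byte TCP headers that leaves 42 bytes of payload, enough to see flags and segment lengths but not a complete HTTP request, which is why the commands above raise the snapshot length to 1600. The request bytes below are constructed (the Host value and header names are the page's); hexdump approximates the tcpdump -x/-X layout on the TCP payload, and headers_captured reports whether the HTTP header block would fit inside a given snaplen.

```python
# Constructed sample: a request in the shape of the one the page's client sent
# (Host value and header names are from the page; the bytes were not captured).
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
    b"Host: www.tcpdump.com\r\n"
    b"\r\n"
)

# Bytes in front of the TCP payload in a plain Ethernet/IPv4/TCP frame:
# 14 (Ethernet) + 20 (IPv4, no options) + 20 (TCP, no options).
FRAME_OVERHEAD = 14 + 20 + 20


def hexdump(payload, limit=1600, show_ascii=True):
    """Render bytes in the layout tcpdump -x (hex) or -X (hex + ASCII) uses,
    keeping only the first `limit` bytes the way a snaplen cut would.
    Returns (lines, truncated)."""
    data = payload[:limit]
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        line = "0x%04x:  %-39s" % (off, " ".join(groups))
        if show_ascii:
            line += "  " + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(line.rstrip())
    return lines, len(payload) > limit


def headers_captured(payload, snaplen, overhead=FRAME_OVERHEAD):
    """Payload bytes that survive a given snaplen once the frame headers are
    counted, and whether the HTTP header block (through the blank line) fits."""
    room = max(0, snaplen - overhead)
    end = payload.find(b"\r\n\r\n")
    return room, end != -1 and end + 4 <= room


if __name__ == "__main__":
    for snaplen in (96, 1600):   # 96 is the capture size in the page's trace
        room, ok = headers_captured(SAMPLE_REQUEST, snaplen)
        print("snaplen %d: %d payload bytes visible, headers complete: %s" % (snaplen, room, ok))
        for line in hexdump(SAMPLE_REQUEST, limit=room)[0]:
            print(line)
```

With the 96-byte default only the first 42 payload bytes reach the dump (the request line and the start of the Accept header), and headers_captured reports the header block as incomplete; with -s 1600 the whole request is there. The same function answers the question the other way round: for a given request size it tells you the smallest -s that still captures the headers you need to analyse.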


Original article: https://www.cnblogs.com/aquester/p/9891693.html