Capture and save packets with tcpdump:

```
sudo tcpdump -i eth0 port 3306 -w plantegg.cap
```

The captured packets are written to plantegg.cap, which can then be analysed in detail with wireshark or tshark. If the destination IP, port and so on are already known, put them in the filter so that only the packets of that one connection are captured.

Capture the actual SQL statements:

```
sudo tshark -i eth0 -Y "mysql.command==3" -T fields -e mysql.query
# -R is the legacy single-pass read filter; current tshark wants -Y (display filter) or -2 -R
sudo tshark -i eth0 -R mysql.query -T fields -e mysql.query
sudo tshark -i any -f 'port 8527' -s 0 -l -w - | strings

# dissect 8507/4444 as the mysql protocol; by default only 3306 is dissected as mysql
sudo tshark -i eth0 -d tcp.port==8507,mysql -T fields -e mysql.query 'port 8507'
sudo tshark -i any -c 50 -d tcp.port==4444,mysql -Y " ((tcp.port eq 4444 ) )" -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e mysql.query

# restrict to one client address or one client source port
sudo tshark -i eth0 -R "ip.addr==11.163.182.137" -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'
sudo tshark -i eth0 -R "tcp.srcport==62877" -d tcp.port==3001,mysql -T fields -e tcp.srcport -e mysql.query 'port 3001'
```

If MySQL has SSL enabled, tshark/wireshark cannot decode the MySQL payload from the capture. It can be forced off by adding useSSL=false to the connectionProperties. Note that this removes transport encryption for every session that uses that connection string; the editcap --inject-secrets step at the end of this post is the alternative that keeps TLS on and decrypts the capture offline from a key log.

View the SQL contents of a saved capture:

```
sudo tshark -r gege_plantegg.cap -Y "mysql.query or ( tcp.stream==1)" -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e frame.time_delta_displayed -e tcp.stream -e tcp.len -e mysql.query
```

Analysing response time per MySQL query:

When analysing rt, watch out for one query producing several response frames (a large result set is split across packets). Only the first response after the query counts as the rt; the subsequent consecutive responses must be ignored. All of the capture files above can be analysed in detail with tshark.

Analyse MySQL rt; the fourth column from the end (tcp.time_delta) is essentially the rt:

```
tshark -r gege_plantegg.pcap -Y " ((tcp.srcport eq 3306 ) and tcp.len>0 )" -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e tcp.analysis.ack_rtt
```

Or sorted by tcp.stream (column 9) and then frame.number (column 1):

```
tshark -r 213_php.cap -Y "mysql.query or ( tcp.srcport==3306)" -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e mysql.query | sort -nk9 -nk1
```

MySQL response-time histogram (column 8 is tcp.time_delta: time since the previous frame in this TCP stream, in seconds). Because the filter also passes the query frames, their deltas (client think time since the previous response) land in the buckets as well; the awk below fixes two defects in the original one-liner, the missing == in the srcport test and the >1s bucket, which incremented sum instead of sumo and so was always printed as 0:

```
tshark -r gege_plantegg.pcap -Y "mysql.query or (tcp.srcport==3306 and tcp.len>60)" -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len | awk '
BEGIN {sum0=0;sum3=0;sum10=0;sum30=0;sum50=0;sum100=0;sum300=0;sum500=0;sum1000=0;sumo=0;count=0;sum=0}
{
  rt=$8; if(rt>=0.000) sum=sum+rt; count=count+1;
  if(rt<=0.000) sum0=sum0+1;
  else if(rt<0.003) sum3=sum3+1;
  else if(rt<0.01) sum10=sum10+1;
  else if(rt<0.03) sum30=sum30+1;
  else if(rt<0.05) sum50=sum50+1;
  else if(rt<0.1) sum100=sum100+1;
  else if(rt<0.3) sum300=sum300+1;
  else if(rt<0.5) sum500=sum500+1;
  else if(rt<1) sum1000=sum1000+1;
  else sumo=sumo+1;   # >1s bucket
}
END {printf "-------------\n3ms:\t%s \n10ms:\t%s \n30ms:\t%s \n50ms:\t%s \n100ms:\t%s \n300ms:\t%s \n500ms:\t%s \n1000ms:\t%s \n>1s:\t %s\n-------------\navg: %.6f \n", sum3,sum10,sum30,sum50,sum100,sum300,sum500,sum1000,sumo,sum/count}'
```

Response time by HTTP response (sorted by tcp.stream, column 6, then frame.number):

```
tshark -nr 213_php.cap -o tcp.calculate_timestamps:true -Y "http.request or http.response" -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e ip.dst -e tcp.stream -e http.request.full_uri -e http.response.code -e http.response.phrase | sort -nk6 -nk1
```

Analyse rtt, packet loss, duplicate ACKs and so on to get a picture of the overall network state:

```
tshark -r retrans.cap -q -z io,stat,1,"AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt","COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission","COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission","COUNT(tcp.analysis.duplicate_ack) tcp.analysis.duplicate_ack","COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment","MIN(tcp.window_size)tcp.window_size"
```

Sample output (this particular run used a 2-second interval and AVG(tcp.window_size) for column 6):

```
===================================================================================
| IO Statistics                                                                   |
|                                                                                 |
| Duration: 89.892365 secs                                                        |
| Interval: 2 secs                                                                |
|                                                                                 |
| Col 1: AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt                            |
|     2: COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission           |
|     3: COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission |
|     4: COUNT(tcp.analysis.duplicate_ack) tcp.analysis.duplicate_ack             |
|     5: COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment               |
|     6: AVG(tcp.window_size)tcp.window_size                                      |
|---------------------------------------------------------------------------------|
|          |1         |2      |3      |4      |5      |6      |
| Interval |   AVG    | COUNT | COUNT | COUNT | COUNT |  AVG  |
|-------------------------------------------------------------|
|  0 <>  2 | 0.001152 |     0 |     0 |     0 |     0 |  4206 |
|  2 <>  4 | 0.002088 |     0 |     0 |     0 |     1 |  6931 |
|  4 <>  6 | 0.001512 |     0 |     0 |     0 |     0 |  7099 |
|  6 <>  8 | 0.002859 |     0 |     0 |     0 |     0 |  7171 |
|  8 <> 10 | 0.001716 |     0 |     0 |     0 |     0 |  6472 |
| 10 <> 12 | 0.000319 |     0 |     0 |     0 |     2 |  5575 |
| 12 <> 14 | 0.002030 |     0 |     0 |     0 |     0 |  6922 |
| 14 <> 16 | 0.003371 |     0 |     0 |     0 |     2 |  5884 |
| 16 <> 18 | 0.000138 |     0 |     0 |     0 |     1 |  3480 |
| 18 <> 20 | 0.000999 |     0 |     0 |     0 |     4 |  6665 |
| 20 <> 22 | 0.000682 |     0 |     0 |    41 |     2 |  5484 |
| 22 <> 24 | 0.002302 |     2 |     0 |    19 |     0 |  7127 |
| 24 <> 26 | 0.000156 |     1 |     0 |    22 |     0 |  3042 |
| 26 <> 28 | 0.000000 |     1 |     0 |    19 |     1 |   152 |
| 28 <> 30 | 0.001498 |     1 |     0 |    24 |     0 |  5615 |
| 30 <> 32 | 0.000235 |     0 |     0 |    44 |     0 |  1880 |
```

Reading the table: from 20 s onward the duplicate-ACK count jumps (41, 19, 22, ...) and retransmissions begin, and in the 26-28 s interval the average window size collapses to 152; that is the window in which to look for the loss.

Check whether the compressed-protocol capability (mysql.caps.cp) was negotiated, alongside the queries:

```
tshark -r ./mysql-compress.cap -o tcp.calculate_timestamps:true -T fields -e mysql.caps.cp -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e frame.time_delta_displayed -e tcp.stream -e tcp.len -e mysql.query
```

Rotating captures with tcpdump:

```
# start a new file every 3 seconds, stop after 5 files (15 s); the file names carry the timestamp
sudo tcpdump -t -s 0 tcp port 3306 -w 'dump_%Y-%m-%d_%H:%M:%S.pcap' -G 3 -W 5 -Z root
# new file every 30 minutes, gzip each completed file
nohup sudo tcpdump -i eth0 -t -s 0 tcp and port 3306 -w 'dump_%Y-%m-%d_%H:%M:%S.pcap' -G 1800 -W 48 -Z root -z gzip &
# rotate by file size, 1000 MB per file
nohup sudo tcpdump -i eth0 -t -s 0 tcp and port 3306 -w 'dump_' -C 1000 -W 300 -Z root -z gzip &
# port range
sudo tcpdump -i enp44s0f0 -t -s 0 portrange 3000-3100 -w 'dump_%Y-%m-%d_%H:%M:%S.pcap' -G 60 -W 100 -Z root
# subnet (the host bits of the prefix must be zero or libpcap rejects the filter: 192.168.0.0/28, not 192.168.0.1/28)
sudo tcpdump -i enp44s0f0 -t -s 0 net 192.168.0.0/28 -w 'dump_%Y-%m-%d_%H:%M:%S.pcap' -G 60 -W 100 -Z root
```

Quickly confirm the exact SQL the client is sending, live, and its query time:

```
sudo tshark -i eth0 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'
# query time
sudo tshark -i eth0 -Y " ((tcp.port eq 3306 ) and tcp.len>0 )" -o tcp.calculate_timestamps:true -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst -e tcp.time_delta -e tcp.stream -e tcp.len -e mysql.query
```

List retransmissions grouped by stream:

```
tshark -r ./manager.cap -o tcp.calculate_timestamps:true -Y " tcp.analysis.retransmission " -T fields -e tcp.stream -e frame.number -e frame.time -e ip.src -e tcp.srcport -e tcp.dstport -e ip.dst | sort
```

editcap:

```
# embed the TLS key log into the capture so wireshark/tshark can decrypt it without a separate key file
editcap --inject-secrets tls,key.log in.pcap out.pcap
# truncate every packet to its first 54 bytes (Ethernet + IP + TCP headers, no options), stripping the payload before the file is shared
editcap -s 54 old.pcap new.pcap
```
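The histogram one-liner above buckets every tcp.time_delta, including the query frames and the trailing segments of a multi-packet result, so it does not apply the rule stated earlier (count only the first response after each query). The following POSIX shell/awk script is an added example, not from the original post: it pairs each mysql.query frame with the first server-to-client data segment in the same tcp.stream and buckets only those rts. It assumes tshark field output in the order given in the comment; the sample capture lines are constructed.

```shell
#!/bin/sh
# Assumed tshark invocation feeding mysql_query_rt (fields must be in this order):
#   tshark -r cap.pcap -Y "mysql.query or tcp.srcport==3306" -T fields \
#     -e frame.number -e frame.time_epoch -e tcp.stream -e tcp.srcport \
#     -e tcp.dstport -e tcp.len -e mysql.query
# Add -d tcp.port==PORT,mysql when the server is not on 3306.

# Constructed sample of such output: stream 0 has a query whose result spans
# three segments (frames 2-4) and a follow-up query; stream 1 has one slow query.
sample_capture() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1 1000.000000 0 51000 3306 40 'SELECT 1' \
    2 1000.002000 0 3306 51000 80 '' \
    3 1000.004000 0 3306 51000 1400 '' \
    4 1000.005000 0 3306 51000 900 '' \
    5 1000.010000 1 51001 3306 60 'SELECT SLEEP(0.4)' \
    6 1000.450000 1 3306 51001 70 '' \
    7 1000.500000 0 51000 3306 45 'SELECT 2' \
    8 1000.520000 0 3306 51000 80 ''
}

# Pair each query with the FIRST server data segment that follows it in the
# same stream; later segments of the same result are ignored.
# Output: tcp.stream, query frame.number, rt in seconds. $1 = server port.
mysql_query_rt() {
  awk -F'\t' -v port="${1:-3306}" '
    $5 == port && $7 != "" { qtime[$3] = $2; qframe[$3] = $1; pending[$3] = 1; next }
    $4 == port && $6 > 0 && pending[$3] {
      printf "%s\t%s\t%.6f\n", $3, qframe[$3], $2 - qtime[$3]; pending[$3] = 0
    }'
}

# Same latency buckets as the post's awk one-liner, applied to the rt column.
rt_histogram() {
  awk -F'\t' '
    { rt = $3; n++; sum += rt
      if (rt < 0.003) b["3ms"]++
      else if (rt < 0.01) b["10ms"]++
      else if (rt < 0.03) b["30ms"]++
      else if (rt < 0.05) b["50ms"]++
      else if (rt < 0.1) b["100ms"]++
      else if (rt < 0.3) b["300ms"]++
      else if (rt < 0.5) b["500ms"]++
      else if (rt < 1) b["1000ms"]++
      else b[">1s"]++ }
    END { split("3ms 10ms 30ms 50ms 100ms 300ms 500ms 1000ms >1s", o, " ")
          for (i = 1; i <= 9; i++) printf "%s:\t%d\n", o[i], b[o[i]]
          if (n) printf "avg:\t%.6f\n", sum / n }'
}

sample_capture | mysql_query_rt 3306 | rt_histogram
```

On the sample, frames 3 and 4 are dropped as continuation segments, leaving three rts (0.002, 0.44 and 0.02 s) instead of the five deltas the one-liner would count.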
Sunday, 28 April 2024
Common packet capture commands