Capturing and analysing HTTP traffic on Linux with tcpdump and tshark

Posted on 2011-12-22 08:54
Preface
      While debugging an interface with a third party, sending the data in a standalone request worked fine, but running the actual code did not: HTTP returned a 417 error.
Is the cause the network, or is there something wrong with the data coming across the interface?

Capture and analysis
1. tcpdump -s 0 -w log.cap tcp port 80
Parameter explanation
 -s     Snarf snaplen bytes of data from each packet rather than the default of 68.
        Setting snaplen to 0 means use the required length to catch whole packets.
 -w     Write the raw packets to file rather than parsing and printing them out.

2. Download log.cap to a local Windows machine and open it with Wireshark.
  Once it is open in Wireshark, sort by the Info column or apply a filter.
  Locate the body sent by the POST request and inspect its header, cookie and length fields.

Note:
tcpdump
To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets.

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
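The filter above works because it computes the TCP payload length from the IP total length, the IP header length and the TCP data offset, and keeps only packets where that length is non-zero. As an added example (not part of the original post), the Python below evaluates exactly that arithmetic on constructed IPv4/TCP packets, so you can see why a SYN (even one carrying 20 bytes of TCP options) is dropped while a segment carrying a request line is kept. The packet builder, the addresses and the option bytes are all constructed here for illustration; checksums are left at zero because the filter never looks at them.

```python
import struct

# BPF offsets used by the tcpdump filter, for reference:
#   ip[2:2]            -> IPv4 total length (2 bytes at offset 2)
#   (ip[0]&0xf)<<2     -> IPv4 header length in bytes (IHL * 4)
#   (tcp[12]&0xf0)>>2  -> TCP header length in bytes (data offset * 4)


def build_ipv4_tcp(payload: bytes, ip_options: bytes = b"",
                   tcp_options: bytes = b"", flags: int = 0x18) -> bytes:
    """Build a minimal IPv4+TCP packet (constructed test data, checksums zero)."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("IP and TCP options must be padded to 32-bit words")
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    data_offset = 5 + len(tcp_options) // 4   # TCP header length in 32-bit words
    tcp_header = struct.pack("!HHIIBBHHH",
                             49752, 80,       # constructed source / destination port
                             0, 0,            # seq / ack
                             data_offset << 4, flags,
                             5840, 0, 0) + tcp_options
    total_len = ihl * 4 + len(tcp_header) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            (4 << 4) | ihl, 0, total_len,
                            0, 0, 64, 6, 0,  # id, frag, ttl, proto=TCP, checksum
                            bytes([192, 168, 1, 90]),
                            bytes([192, 168, 1, 111])) + ip_options
    return ip_header + tcp_header + payload


def tcp_payload_len(pkt: bytes) -> int:
    """Same arithmetic as the BPF expression, term by term."""
    if pkt[0] >> 4 != 4:
        raise ValueError("filter is written for IPv4 only")
    ip_total_len = int.from_bytes(pkt[2:4], "big")   # ip[2:2]
    ip_hdr_len = (pkt[0] & 0x0F) << 2                 # (ip[0]&0xf)<<2
    tcp = pkt[ip_hdr_len:]                            # tcp[...] offsets start here
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2               # (tcp[12]&0xf0)>>2
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def filter_keeps(pkt: bytes) -> bool:
    """True when tcpdump's '... != 0' clause would print this packet."""
    return tcp_payload_len(pkt) != 0


if __name__ == "__main__":
    samples = {
        "SYN with 20 bytes of TCP options": build_ipv4_tcp(
            b"", tcp_options=b"\x01" * 20, flags=0x02),
        "ACK only": build_ipv4_tcp(b"", flags=0x10),
        "request line": build_ipv4_tcp(b"GET /abc HTTP/1.0\r\n\r\n"),
        "5-byte body with IP + TCP options": build_ipv4_tcp(
            b"12345", ip_options=b"\x01" * 4, tcp_options=b"\x01" * 12),
    }
    for name, pkt in samples.items():
        print(f"{name:36s} payload={tcp_payload_len(pkt):3d} "
              f"kept={filter_keeps(pkt)}")
```

The same expression can be handed to tshark as a capture filter with -f, since both tools compile it with libpcap; note that it ignores the packet contents entirely, so a non-HTTP payload on port 80 is also kept.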

Capturing with tshark, the text-mode Wireshark tool

tshark is the command-line version of the well-known open-source network protocol analyser Wireshark (formerly Ethereal); Wireshark can decode and analyse more than a thousand network protocols. Both Wireshark and tcpdump use the libpcap library (see the libpcap programming tutorial) to capture packets.
Excerpted from http://hi.baidu.com/kissdev/blog/item/f82bc74eb481030cb2de053a.html

yum install wireshark
Sample tshark output:
1) Requesting a link that does not exist:
  0.000000 192.168.1.90 -> 192.168.1.111 TCP 49752 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1321429535 TSER=0 WS=7
  0.000007 192.168.1.111 -> 192.168.1.90 TCP http > 49752 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=787925312 TSER=1321429535 WS=7
  0.000062 192.168.1.90 -> 192.168.1.111 TCP 49752 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1321429535 TSER=787925312
  0.000197 192.168.1.90 -> 192.168.1.111 HTTP GET /abc HTTP/1.0
  0.000209 192.168.1.111 -> 192.168.1.90 TCP http > 49752 [ACK] Seq=1 Ack=122 Win=5888 Len=0 TSV=787925312 TSER=1321429535
  0.000520 192.168.1.111 -> 192.168.1.90 HTTP HTTP/1.0 404 Not Found  (text/html)
  0.000829 192.168.1.90 -> 192.168.1.111 TCP 49752 > http [ACK] Seq=122 Ack=504 Win=6912 Len=0 TSV=1321429536 TSER=787925313
  0.001305 192.168.1.90 -> 192.168.1.111 TCP 49752 > http [FIN, ACK] Seq=122 Ack=504 Win=6912 Len=0 TSV=1321429536 TSER=787925313
  0.001334 192.168.1.111 -> 192.168.1.90 TCP http > 49752 [FIN, ACK] Seq=504 Ack=123 Win=5888 Len=0 TSV=787925313 TSER=1321429536
  0.001424 192.168.1.90 -> 192.168.1.111 TCP 49752 > http [ACK] Seq=123 Ack=505 Win=6912 Len=0 TSV=1321429536 TSER=787925313

2) Requesting a static file
  1.565378 192.168.1.90 -> 192.168.1.111 TCP 49753 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1321431100 TSER=0 WS=7
  1.565393 192.168.1.111 -> 192.168.1.90 TCP http > 49753 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=787926878 TSER=1321431100 WS=7
  1.565488 192.168.1.90 -> 192.168.1.111 TCP 49753 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1321431101 TSER=787926878
  1.565599 192.168.1.90 -> 192.168.1.111 HTTP GET / HTTP/1.0
  1.565610 192.168.1.111 -> 192.168.1.90 TCP http > 49753 [ACK] Seq=1 Ack=119 Win=5888 Len=0 TSV=787926878 TSER=1321431101
  1.565882 192.168.1.111 -> 192.168.1.90 HTTP HTTP/1.0 200 OK  (text/html)
  1.566132 192.168.1.90 -> 192.168.1.111 TCP 49753 > http [ACK] Seq=119 Ack=283 Win=6912 Len=0 TSV=1321431101 TSER=787926878
  1.567394 192.168.1.90 -> 192.168.1.111 TCP 49753 > http [FIN, ACK] Seq=119 Ack=283 Win=6912 Len=0 TSV=1321431102 TSER=787926878
  1.567422 192.168.1.111 -> 192.168.1.90 TCP http > 49753 [FIN, ACK] Seq=283 Ack=120 Win=5888 Len=0 TSV=787926880 TSER=1321431102
  1.567510 192.168.1.90 -> 192.168.1.111 TCP 49753 > http [ACK] Seq=120 Ack=284 Win=6912 Len=0 TSV=1321431103 TSER=787926880

3) Requesting a dynamic file
  3.908095 192.168.1.90 -> 192.168.1.111 TCP 49754 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1321433443 TSER=0 WS=7
  3.908118 192.168.1.111 -> 192.168.1.90 TCP http > 49754 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=787929221 TSER=1321433443 WS=7
  3.908214 192.168.1.90 -> 192.168.1.111 TCP 49754 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1321433443 TSER=787929221
  3.908328 192.168.1.90 -> 192.168.1.111 HTTP GET /test.php HTTP/1.0
  3.908342 192.168.1.111 -> 192.168.1.90 TCP http > 49754 [ACK] Seq=1 Ack=127 Win=5888 Len=0 TSV=787929221 TSER=1321433443
  3.924431 192.168.1.111 -> 192.168.1.90 TCP [TCP segment of a reassembled PDU]
  3.924504 192.168.1.111 -> 192.168.1.90 HTTP HTTP/1.0 200 OK  (text/html)
  3.924584 192.168.1.90 -> 192.168.1.111 TCP 49754 > http [ACK] Seq=127 Ack=167 Win=6912 Len=0 TSV=1321433460 TSER=787929237
  3.925423 192.168.1.90 -> 192.168.1.111 TCP 49754 > http [FIN, ACK] Seq=127 Ack=168 Win=6912 Len=0 TSV=1321433461 TSER=787929237
  3.925433 192.168.1.111 -> 192.168.1.90 TCP http > 49754 [ACK] Seq=168 Ack=128 Win=5888 Len=0 TSV=787929238 TSER=1321433461


tshark can apply filter conditions directly while capturing:
tshark -f 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R 'http.request.method == "GET" || http.request.method == "HEAD"'
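When the capture comes from a remote box, it is often easier to keep tshark's one-line summaries than to ship the .cap file around. As an added example (not part of the original post), the Python below parses summary lines in the format shown in the three captures above, pairs each HTTP request with its response by connection, applies the same GET/HEAD selection as the -R expression, and lists the requests that got a 4xx/5xx answer, which is where the 417 from the preface would surface. The sample input is constructed from the lines printed above; the pairing uses the most recent client [SYN] between the same two hosts, an assumption that holds for the one-at-a-time connections in the post (for concurrent connections, capture tcp.stream with `tshark -T fields` instead).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a trimmed copy of the three tshark summaries shown above.
SAMPLE = """\
  0.000000 192.168.1.90 -> 192.168.1.111 TCP 49752 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1321429535 TSER=0 WS=7
  0.000007 192.168.1.111 -> 192.168.1.90 TCP http > 49752 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=787925312 TSER=1321429535 WS=7
  0.000197 192.168.1.90 -> 192.168.1.111 HTTP GET /abc HTTP/1.0
  0.000520 192.168.1.111 -> 192.168.1.90 HTTP HTTP/1.0 404 Not Found  (text/html)
  1.565378 192.168.1.90 -> 192.168.1.111 TCP 49753 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1321431100 TSER=0 WS=7
  1.565599 192.168.1.90 -> 192.168.1.111 HTTP GET / HTTP/1.0
  1.565882 192.168.1.111 -> 192.168.1.90 HTTP HTTP/1.0 200 OK  (text/html)
  3.908095 192.168.1.90 -> 192.168.1.111 TCP 49754 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1321433443 TSER=0 WS=7
  3.908328 192.168.1.90 -> 192.168.1.111 HTTP GET /test.php HTTP/1.0
  3.924431 192.168.1.111 -> 192.168.1.90 TCP [TCP segment of a reassembled PDU]
  3.924504 192.168.1.111 -> 192.168.1.90 HTTP HTTP/1.0 200 OK  (text/html)
"""

# "<time> <src> -> <dst> <proto> <info>"
LINE_RE = re.compile(r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
                     r"\s+(?P<proto>\S+)\s+(?P<info>.*)$")
SYN_RE = re.compile(r"^(?P<sport>\S+) > (?P<dport>\S+) \[SYN\]")   # client SYN only
REQ_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d")
RESP_RE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3})")


@dataclass
class Exchange:
    client_port: str
    method: str
    path: str
    status: Optional[int] = None   # None until the response line is seen


def parse_tshark_summary(text: str) -> list[Exchange]:
    """Pair each HTTP request with its response in a tshark summary.

    HTTP summary lines carry no port, so the connection is inferred from the
    most recent client [SYN] between the same two hosts (assumption: flows
    are sequential, as in the post's captures).
    """
    active_port: dict[tuple[str, str], str] = {}       # (client, server) -> port
    open_request: dict[tuple[str, str], Exchange] = {}  # request awaiting reply
    exchanges: list[Exchange] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m["src"], m["dst"], m["proto"], m["info"]
        if proto == "TCP":
            syn = SYN_RE.match(info)
            if syn:
                active_port[(src, dst)] = syn["sport"]
            continue
        if proto != "HTTP":
            continue
        req = REQ_RE.match(info)
        if req:
            ex = Exchange(active_port.get((src, dst), "?"), req["method"], req["path"])
            exchanges.append(ex)
            open_request[(src, dst)] = ex
            continue
        resp = RESP_RE.match(info)
        if resp and (dst, src) in open_request:       # reply flows server -> client
            open_request.pop((dst, src)).status = int(resp["status"])
    return exchanges


def select_methods(exchanges: list[Exchange],
                   methods: tuple[str, ...] = ("GET", "HEAD")) -> list[Exchange]:
    """Equivalent of -R 'http.request.method == "GET" || http.request.method == "HEAD"'."""
    return [e for e in exchanges if e.method in methods]


def error_responses(exchanges: list[Exchange]) -> list[Exchange]:
    """Requests answered with 4xx/5xx; a 417 Expectation Failed would land here."""
    return [e for e in exchanges if e.status is not None and e.status >= 400]


if __name__ == "__main__":
    parsed = parse_tshark_summary(SAMPLE)
    for e in select_methods(parsed):
        print(f"port {e.client_port}: {e.method} {e.path} -> {e.status}")
    print("errors:", [(e.path, e.status) for e in error_responses(parsed)])
```

On current tshark releases -R is the two-pass read filter and must be combined with -2; the single-pass equivalent of the expression in the command above is -Y. Either way the capture filter (-f) is evaluated by libpcap before the display filter sees anything, so it is the -f expression that decides what lands in the file.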


