Preface:
Use cases for network packet-capture tools
1. Network security testing
After a project goes live there may well be security risks to deal with. Which parts of the network need hardening and which already meet the security standard can only be judged from real logs, and a packet-capture tool is how you obtain them.
2. Quick localization of complex network problems
Some projects have a complicated network environment, for example several kinds of network mixed together, and some problems hide quite deep: a page may open normally in the front end while you cannot tell whether it opened the way you expected, or there may be a hidden loop somewhere in the network. For such complex problems a packet-capture tool is still the best way to locate the cause quickly.
3. Target sniffing for crawler projects
A crawler's target will very likely use all kinds of encryption, and those secrets are most likely to be found in the network traffic, so a packet-capture tool helps you write all sorts of complex crawlers quickly and accurately.
A brief introduction to tcpdump
tcpdump uses the libpcap library to capture network packets; this library exists on almost every Linux/Unix. Knowing how to use tcpdump helps you analyze and debug network data, and this article introduces its use in different scenarios through concrete examples one by one. Whether you are a system administrator, a programmer, a cloud-native engineer or a yaml engineer, mastering tcpdump will give you wings (and, with luck, a promotion and a raise).
On CentOS, a minimal install does not include it and you need to install it with yum; the command is simply yum install tcpdump -y
The program is like the ab command: it basically works out of the box (that is, usable as soon as it is installed), is very simple, and does not have all that many features compared with other programs such as wireshark.
Parameter list
Disable name resolution to speed things up
-n do not convert IP addresses to domain names; show the IP directly. This avoids DNS lookups and is much faster.
-nn additionally do not convert protocols and port numbers to names; also much faster.
-N do not print the domain part of host names. For example, with this option set tcpdump prints 'nic' instead of 'nic.ddn.mil'.
Filter packets of a specific interface
-i specify the interface to capture on; to see all interfaces, use -i any
Filter packets by direction
-Q choose inbound or outbound packets; possible values are in, out, inout. The long form --direction=[direction] also works.
Some commonly used parameters
-A print each packet in ASCII (without the link-layer header). Handy for reading the data when capturing packets that carry web pages.
-l line-buffered output, convenient for saving to a file or handing to another tool for analysis. Combined with egrep you can pull out the User-Agent and Host headers (or any other header) at the same time:
tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host'
-q quiet output: print very little protocol information, so each output line is short.
-c capture count packets and then exit.
-s tcpdump by default only captures the first 96 bytes of each packet; to capture the whole packet use -s number, where number is the number of bytes to capture, and 0 means capture the entire packet.
-S print absolute rather than relative TCP sequence numbers.
-C file-size: before writing a raw packet to the file, tcpdump checks whether the file is larger than file-size. If so, it closes the file and creates a new one to continue recording raw packets. The new file has the name given with -w followed by a number, starting at 1 and increasing with each new file. file-size is in millions of bytes (note: 1,000,000 bytes, not 1,048,576 bytes; the latter counts 1024 bytes as 1K and 1024K bytes as 1M, i.e. 1M = 1024 * 1024 = 1,048,576).
-F read the filter expression from file; any expression given on the command line is then ignored.
Write the filtered result to a file
-w followed by a file name ending in .pcap saves the captured data to that file. Open it with wireshark for analysis: tcpdump icmp -w icmp.pcap
-r read packets from a file; after reading, the same filter syntax described above can be applied for analysis: tcpdump icmp -r all.pcap
Parameters controlling output content
-D list all available network interfaces
-e include the link-layer header of each packet in the output
-E decrypt IPsec data
-L list the link-layer types supported by the given interface and exit
-Z followed by a user name; the capture then runs with that user's restricted privileges. If tcpdump is started as root it runs with superuser privileges.
-d print the packet-matching code in a human-readable form
-dd print the packet-matching code as a C program fragment
-ddd print the packet-matching code as decimal numbers
Controlling verbosity
-v verbose output: for example the packet's TTL, id, length and IP options. It also enables some additional integrity checks, such as verifying the IP or ICMP header checksum.
-vv more verbose than -v: for example the extra fields in NFS replies are printed and SMB packets are fully decoded. (taken from the web; I have not used it yet)
-vvv more verbose than -vv: for example the SB and SE options used by telnet are printed, and if telnet is in graphics mode the corresponding graphics options are printed in hex. (taken from the web; I have not used it yet)
Controlling the time display
-t do not print a timestamp on each line
-tt print the timestamp on each line
-ttt print the interval between each line and the previous one (in milliseconds)
-tttt print the date in front of the timestamp on each line (the most readable option)
Showing packet headers
-x print the header of each packet in hex (excluding the link-layer header)
-xx print the header of each packet in hex (including the link-layer header)
-X print each packet's data in hex and ASCII (excluding the link-layer header); convenient when analyzing packets of a new protocol.
-XX print each packet's data in hex and ASCII (including the link-layer header); convenient when analyzing packets of a new protocol.
option: optional parameters, explained one by one below.
proto filters: filter by protocol; recognized keywords are tcp, udp, icmp, ip, ip6, arp, rarp, ether, wlan, fddi, tr, decnet
type filters: recognized keywords are host, net, port, portrange; each needs an argument after it.
direction filters: filter by the direction of traffic; recognized keywords are src and dst, and you can combine them with logical operators, e.g. src or dst
OK, that looks like a lot of parameters, but most of them are never used; only a few are used often. Below, the tool's parameters are explained briefly with examples.
I. Capturing on a specific interface: the -i parameter
For example, my Linux virtual machine has a single interface, ens33. Capture the traffic through this interface and show the details:
[root@node1 ~]# tcpdump -vv -i ens33 |more
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:45:35.541931 IP (tos 0x10, ttl 64, id 61217, offset 0, flags [DF], proto TCP (6), length 76)
    server0.ssh > 192.168.123.1.57930: Flags [P.], cksum 0x869f (correct), seq 354227367:354227403, ack 2554328704, win 274, length 36
00:45:35.542034 IP (tos 0x10, ttl 64, id 61218, offset 0, flags [DF], proto TCP (6), length 164)
    server0.ssh > 192.168.123.1.57930: Flags [P.], cksum 0xcb1d (correct), seq 36:160, ack 1, win 274, length 124
00:45:35.542196 IP (tos 0x0, ttl 64, id 62863, offset 0, flags [DF], proto UDP (17), length 72)
    server0.43079 > public2.alidns.com.domain: [udp sum ok] 27602+ PTR? 1.123.168.192.in-addr.arpa. (44)
00:45:35.542322 IP (tos 0x0, ttl 64, id 15391, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.123.1.57930 > server0.ssh: Flags [.], cksum 0x03a5 (correct), seq 1, ack 36, win 4101, options [nop,nop,sack 1 {0:36}], length 0
00:45:35.583563 IP (tos 0x0, ttl 64, id 15392, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.57930 > server0.ssh: Flags [.], cksum 0x8cec (correct), seq 1, ack 160, win 4101, length 0
00:45:35.587940 IP (tos 0x0, ttl 128, id 65357, offset 0, flags [none], proto UDP (17), length 149)
    public2.alidns.com.domain > server0.43079: [udp sum ok] 27602 NXDomain q: PTR? 1.123.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. SOA prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800 (121)
00:45:35.588840 IP (tos 0x0, ttl 64, id 62874, offset 0, flags [DF], proto UDP (17), length 68)
    server0.51572 > public2.alidns.com.domain: [udp sum ok] 20994+ PTR? 6.6.6.223.in-addr.arpa. (40)
00:45:35.634474 IP (tos 0x0, ttl 128, id 65358, offset 0, flags [none], proto UDP (17), length 100)
    public2.alidns.com.domain > server0.51572: [udp sum ok] 20994 q: PTR? 6.6.6.223.in-addr.arpa. 1/0/0 6.6.6.223.in-addr.arpa. PTR public2.alidns.com. (72)
00:45:35.753081 IP (tos 0x0, ttl 64, id 50245, offset 0, flags [DF], proto TCP (6), length 60)
    server1.45136 > server0.2380: Flags [S], cksum 0xe926 (correct), seq 4107944122, win 29200, options [mss 1460,sackOK,TS val 19891455 ecr 0,nop,wscale 7], length 0
00:45:35.753123 IP (tos 0x0, ttl 64, id 400, offset 0, flags [DF], proto TCP (6), length 40)
    server0.2380 > server1.45136: Flags [R.], cksum 0x4935 (correct), seq 0, ack 4107944123, win 0, length 0
00:45:35.753140 IP (tos 0x0, ttl 64, id 52130, offset 0, flags [DF], proto TCP (6), length 60)
    server1.45140 > server0.2380: Flags [S], cksum 0xd6b9 (correct), seq 4171255645, win 29200, options [mss 1460,sackOK,TS val 19891455 ecr 0,nop,wscale 7], length 0
00:45:35.753145 IP (tos 0x0, ttl 64, id 401, offset 0, flags [DF], proto TCP (6), length 40)
    server0.2380 > server1.45140: Flags [R.], cksum 0x36c8 (correct), seq 0, ack 4171255646, win 0, length 0
00:45:35.841681 IP (tos 0x0, ttl 64, id 8501, offset 0, flags [DF], proto TCP (6), length 60)
    server0.57066 > server1.2379: Flags [S], cksum 0x2774 (correct), seq 2700492840, win 29200, options [mss 1460,sackOK,TS val 211902749 ecr 0,nop,wscale 7], length 0
00:45:35.841916 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
OK, this output scrolls very fast, because I am connected to this VM over ssh with xshell, so it keeps printing non-stop; that is why it is piped through more.
So what does all this output actually mean? In other words, how do we read the packets we captured correctly?
00:45:35.541931 IP (tos 0x10, ttl 64, id 61217, offset 0, flags [DF], proto TCP (6), length 76)
    server0.ssh > 192.168.123.1.57930: Flags [P.], cksum 0x869f (correct), seq 354227367:354227403, ack 2554328704, win 274, length 36
Take this packet as an example. 00:45:35.541931 is the timestamp of the capture, a very precise time. flags is the flag field (I am not sure of its exact meaning), and proto TCP after it means the packet uses the tcp protocol. On the second line, server0.ssh is the host name plus service name, the destination is 192.168.123.1 on port 57930, and P. marks the reply to the SYN. Below is a short description of the flags on the second line (keep the direction in mind: it is tcp, from the VM server0 to 192.168.123.1, and 192.168.123.1 is my gateway).
[S] : SYN (start of connection)
[.] : no flag
[P] : PSH (push data)
[F] : FIN (end of connection)
[R] : RST (reset connection)
00:45:35.542196 IP (tos 0x0, ttl 64, id 62863, offset 0, flags [DF], proto UDP (17), length 72)
    server0.43079 > public2.alidns.com.domain: [udp sum ok] 27602+ PTR? 1.123.168.192.in-addr.arpa. (44)
Take this packet as the second example: it shows me using Alibaba Cloud's DNS to reverse-resolve 192.168.123.1. A bit of common knowledge here: DNS uses the udp protocol (keep the direction in mind: from the VM server0 to Alibaba Cloud's DNS, and public2.alidns.com.domain is that DNS server).
And it really is Alibaba Cloud's DNS that is in use:
[root@node1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 223.6.6.6
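To make the two-line -vv layout above concrete, here is an added Python example (not code from the original post) that parses a handful of packets taken from the capture above into structured records, decodes the letters in Flags [...] (following the tcpdump man page, where `.` marks the ACK bit), and then reports SYNs that were answered with RST, i.e. connection attempts to a port where nothing was listening, as with the two attempts to server0.2380 in the capture. The sample text is constructed from the capture above; the function, class and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the two-line "tcpdump -vv" layout (IP header line,
# then an indented transport line); values taken from the capture above.
SAMPLE = """\
00:45:35.541931 IP (tos 0x10, ttl 64, id 61217, offset 0, flags [DF], proto TCP (6), length 76)
    server0.ssh > 192.168.123.1.57930: Flags [P.], cksum 0x869f (correct), seq 354227367:354227403, ack 2554328704, win 274, length 36
00:45:35.542196 IP (tos 0x0, ttl 64, id 62863, offset 0, flags [DF], proto UDP (17), length 72)
    server0.43079 > public2.alidns.com.domain: [udp sum ok] 27602+ PTR? 1.123.168.192.in-addr.arpa. (44)
00:45:35.542322 IP (tos 0x0, ttl 64, id 15391, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.123.1.57930 > server0.ssh: Flags [.], cksum 0x03a5 (correct), seq 1, ack 36, win 4101, options [nop,nop,sack 1 {0:36}], length 0
00:45:35.753081 IP (tos 0x0, ttl 64, id 50245, offset 0, flags [DF], proto TCP (6), length 60)
    server1.45136 > server0.2380: Flags [S], cksum 0xe926 (correct), seq 4107944122, win 29200, options [mss 1460,sackOK,TS val 19891455 ecr 0,nop,wscale 7], length 0
00:45:35.753123 IP (tos 0x0, ttl 64, id 400, offset 0, flags [DF], proto TCP (6), length 40)
    server0.2380 > server1.45136: Flags [R.], cksum 0x4935 (correct), seq 0, ack 4107944123, win 0, length 0
"""

# First line of each packet: timestamp plus the IP header summary.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<ipflags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \((?P<pnum>\d+)\), length (?P<length>\d+)\)\s*$"
)
# Second line: "src > dst: <transport details>".
TRANSPORT_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
TCP_FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")

# Letters tcpdump prints inside Flags [...]; per the tcpdump man page '.' is the ACK bit.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
              "U": "URG", "E": "ECE", "W": "CWR", ".": "ACK"}


@dataclass
class Packet:
    ts: str
    ttl: int
    ip_id: int
    proto: str
    length: int
    src: str
    dst: str
    flags: List[str]   # decoded TCP flag names; empty for non-TCP packets
    detail: str        # remainder of the transport line


def decode_flags(flag_str: str) -> List[str]:
    """Map tcpdump's flag letters to names, e.g. 'S.' -> ['SYN', 'ACK']."""
    if flag_str == "none":
        return []
    return [FLAG_NAMES.get(ch, ch) for ch in flag_str]


def parse_capture(text: str) -> List[Packet]:
    """Pair each IP header line with the transport line that follows it."""
    packets: List[Packet] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    i = 0
    while i + 1 < len(lines):
        hdr = HEADER_RE.match(lines[i])
        tr = TRANSPORT_RE.match(lines[i + 1]) if hdr else None
        if not hdr or not tr:
            i += 1          # skip anything not in the expected two-line layout
            continue
        flags: List[str] = []
        if hdr["proto"] == "TCP":
            m = TCP_FLAGS_RE.search(tr["rest"])
            if m:
                flags = decode_flags(m["flags"])
        packets.append(Packet(hdr["ts"], int(hdr["ttl"]), int(hdr["id"]), hdr["proto"],
                              int(hdr["length"]), tr["src"], tr["dst"], flags, tr["rest"]))
        i += 2
    return packets


def refused_connections(packets: List[Packet]) -> List[str]:
    """Report a bare SYN that was later answered by an RST from the target: nothing listened there."""
    refused = []
    for k, p in enumerate(packets):
        if p.proto == "TCP" and p.flags == ["SYN"]:
            for q in packets[k + 1:]:
                if q.proto == "TCP" and q.src == p.dst and q.dst == p.src and "RST" in q.flags:
                    refused.append(f"{p.src} -> {p.dst} refused")
                    break
    return refused


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for p in pkts:
        print(p.ts, p.proto, p.src, "->", p.dst, p.flags or p.detail[:40])
    print(refused_connections(pkts))
```

Run it against a saved `tcpdump -vv` text file instead of SAMPLE to get the same summary for a real capture; the parser deliberately skips lines that are not in the two-line layout, so -e output or truncated lines do not break it.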
II. Filtering tcpdump output
Actually, -i alone is usually enough, but there is one problem: the output is far too much and hard on the eyes. With that much output some filtering is needed so that we see only the data we want.
In this example the httpd service is installed in the VM server0, and its home page is then opened from a browser on the host machine. The exact command and output are as follows:
The command uses -vv, which means a medium level of detail (the maximum is -vvv), and -e, which shows link-layer information, i.e. the source and destination MAC addresses and so on. Because of -vv there is still a great deal of output; you can see several 404s, but those do not matter. What matters is that the NIC MAC addresses, the browser version used on the host, server0's IP address and the httpd version were all captured, and that is very valuable information.
[root@node1 ~]# tcpdump -i ens33 -vv -e port 80 |more
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:18:10.567545 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33921, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51900 > server0.http: Flags [F.], cksum 0x5b8f (correct), seq 25081266, ack 3031668207, win 4102, length 0
01:18:10.567596 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 20714, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51900: Flags [.], cksum 0x6aa0 (correct), seq 1, ack 1, win 245, length 0
01:18:10.567620 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33922, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51899 > server0.http: Flags [F.], cksum 0x30e1 (correct), seq 234186194, ack 2457347651, win 4102, length 0
01:18:10.567629 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 20715, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51899: Flags [.], cksum 0x3fe9 (correct), seq 1, ack 1, win 254, length 0
01:18:10.567641 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 33923, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.123.1.51913 > server0.http: Flags [S], cksum 0xe259 (correct), seq 2266679347, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:18:10.567667 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    server0.http > 192.168.123.1.51913: Flags [S.], cksum 0xca6a (correct), seq 4244677566, ack 2266679348, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:18:10.567680 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 33924, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.123.1.51914 > server0.http: Flags [S], cksum 0x514b (correct), seq 2355123195, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:18:10.567692 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    server0.http > 192.168.123.1.51914: Flags [S.], cksum 0x0944 (correct), seq 3950044518, ack 2355123196, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:18:10.567932 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33925, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x6d43 (correct), seq 1, ack 1, win 4106, length 0
01:18:10.567950 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33926, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51914 > server0.http: Flags [.], cksum 0xac1c (correct), seq 1, ack 1, win 4106, length 0
01:18:10.567954 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 513: (tos 0x0, ttl 64, id 33927, offset 0, flags [DF], proto TCP (6), length 499)
    192.168.123.1.51913 > server0.http: Flags [P.], cksum 0xb25d (correct), seq 1:460, ack 1, win 4106, length 459: HTTP, length: 459
    GET / HTTP/1.1
    Host: 192.168.123.11
    Connection: keep-alive
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
01:18:10.567986 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 38779, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0x7a95 (correct), seq 1, ack 460, win 237, length 0
01:18:10.568546 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 38780, offset 0, flags [DF], proto TCP (6), length 1500)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0xed50 (correct), seq 1:1461, ack 460, win 237, length 1460: HTTP, length: 1460
    HTTP/1.1 403 Forbidden
    Date: Tue, 10 Oct 2023 17:18:10 GMT
    Server: Apache/2.4.6 (CentOS)
    Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
    ETag: "1321-5058a1e728280"
    Accept-Ranges: bytes
    Content-Length: 4897
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Apache HTTP Server Test Page powered by CentOS</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /> <style type="text/css"><!-- body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px; } h2, h3, h4 { font-weight: 200; } h2 { font-size: 28px; } .jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */ } .jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc, 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), [!http]
01:18:10.568577 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 38781, offset 0, flags [DF], proto TCP (6), length 1500)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0xc442 (correct), seq 1461:2921, ack 460, win 237, length 1460: HTTP
01:18:10.568595 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 38782, offset 0, flags [DF], proto TCP (6), length 1500)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0x2407 (correct), seq 2921:4381, ack 460, win 237, length 1460: HTTP
01:18:10.568639 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 879: (tos 0x0, ttl 64, id 38783, offset 0, flags [DF], proto TCP (6), length 865)
    server0.http > 192.168.123.1.51913: Flags [P.], cksum 0xe705 (correct), seq 4381:5206, ack 460, win 237, length 825: HTTP
01:18:10.568796 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33928, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x5723 (correct), seq 460, ack 5206, win 4106, length 0
01:18:10.585181 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 455: (tos 0x0, ttl 64, id 33929, offset 0, flags [DF], proto TCP (6), length 441)
    192.168.123.1.51913 > server0.http: Flags [P.], cksum 0xb661 (correct), seq 460:861, ack 5206, win 4106, length 401: HTTP, length: 401
    GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1
    Host: 192.168.123.11
    Connection: keep-alive
    Origin: http://192.168.123.11
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
    Accept: */*
    Referer: http://192.168.123.11/noindex/css/open-sans.css
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
01:18:10.585276 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 457: (tos 0x0, ttl 64, id 33930, offset 0, flags [DF], proto TCP (6), length 443)
    192.168.123.1.51914 > server0.http: Flags [P.], cksum 0x79fb (correct), seq 1:404, ack 1, win 4106, length 403: HTTP, length: 403
    GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1
    Host: 192.168.123.11
    Connection: keep-alive
    Origin: http://192.168.123.11
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
    Accept: */*
    Referer: http://192.168.123.11/noindex/css/open-sans.css
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
01:18:10.585308 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 53682, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51914: Flags [.], cksum 0xb9a6 (correct), seq 1, ack 404, win 237, length 0
01:18:10.585557 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 508: (tos 0x0, ttl 64, id 38784, offset 0, flags [DF], proto TCP (6), length 494)
    server0.http > 192.168.123.1.51913: Flags [P.], cksum 0xae1f (correct), seq 5206:5660, ack 861, win 245, length 454: HTTP, length: 454
    HTTP/1.1 404 Not Found
    Date: Tue, 10 Oct 2023 17:18:10 GMT
    Server: Apache/2.4.6 (CentOS)
    Content-Length: 239
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /noindex/css/fonts/Bold/OpenSans-Bold.woff was not found on this server.</p>
    </body></html>
01:18:10.585943 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 511: (tos 0x0, ttl 64, id 53683, offset 0, flags [DF], proto TCP (6), length 497)
    server0.http > 192.168.123.1.51914: Flags [P.], cksum 0xbb5c (correct), seq 1:458, ack 404, win 237, length 457: HTTP, length: 457
    HTTP/1.1 404 Not Found
    Date: Tue, 10 Oct 2023 17:18:10 GMT
    Server: Apache/2.4.6 (CentOS)
    Content-Length: 241
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /noindex/css/fonts/Light/OpenSans-Light.woff was not found on this server.</p>
    </body></html>
01:18:10.589160 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 454: (tos 0x0, ttl 64, id 33931, offset 0, flags [DF], proto TCP (6), length 440)
    192.168.123.1.51914 > server0.http: Flags [P.], cksum 0xe28b (correct), seq 404:804, ack 458, win 4104, length 400: HTTP, length: 400
    GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1
    Host: 192.168.123.11
    Connection: keep-alive
    Origin: http://192.168.123.11
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
    Accept: */*
    Referer: http://192.168.123.11/noindex/css/open-sans.css
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
01:18:10.589311 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 507: (tos 0x0, ttl 64, id 53684, offset 0, flags [DF], proto TCP (6), length 493)
    server0.http > 192.168.123.1.51914: Flags [P.], cksum 0x52d1 (correct), seq 458:911, ack 804, win 245, length 453: HTTP, length: 453
    HTTP/1.1 404 Not Found
    Date: Tue, 10 Oct 2023 17:18:10 GMT
    Server: Apache/2.4.6 (CentOS)
    Content-Length: 238
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /noindex/css/fonts/Bold/OpenSans-Bold.ttf was not found on this server.</p>
    </body></html>
01:18:10.590131 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 456: (tos 0x0, ttl 64, id 33932, offset 0, flags [DF], proto TCP (6), length 442)
    192.168.123.1.51914 > server0.http: Flags [P.], cksum 0x4dd9 (correct), seq 804:1206, ack 911, win 4102, length 402: HTTP, length: 402
    GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1
    Host: 192.168.123.11
    Connection: keep-alive
    Origin: http://192.168.123.11
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
    Accept: */*
    Referer: http://192.168.123.11/noindex/css/open-sans.css
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
01:18:10.590241 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 509: (tos 0x0, ttl 64, id 53685, offset 0, flags [DF], proto TCP (6), length 495)
    server0.http > 192.168.123.1.51914: Flags [P.], cksum 0xc611 (correct), seq 911:1366, ack 1206, win 254, length 455: HTTP, length: 455
    HTTP/1.1 404 Not Found
    Date: Tue, 10 Oct 2023 17:18:10 GMT
    Server: Apache/2.4.6 (CentOS)
    Content-Length: 240
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /noindex/css/fonts/Light/OpenSans-Light.ttf was not found on this server.</p>
    </body></html>
01:18:10.626356 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33934, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x53ce (correct), seq 861, ack 5660, win 4104, length 0
01:18:10.630824 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33935, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51914 > server0.http: Flags [.], cksum 0xa218 (correct), seq 1206, ack 1366, win 4100, length 0
01:18:15.591467 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 38785, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51913: Flags [F.], cksum 0x62e0 (correct), seq 5660, ack 861, win 245, length 0
01:18:15.591687 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33937, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [.], cksum 0x53cd (correct), seq 861, ack 5661, win 4104, length 0
01:18:15.594413 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 53686, offset 0, flags [DF], proto TCP (6), length 40)
    server0.http > 192.168.123.1.51914: Flags [F.], cksum 0xb11d (correct), seq 1366, ack 1206, win 254, length 0
01:18:15.594532 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33938, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51914 > server0.http: Flags [.], cksum 0xa217 (correct), seq 1206, ack 1367, win 4100, length 0
01:18:25.903287 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33939, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.123.1.51913 > server0.http: Flags [F.], cksum 0x53cc (correct), seq 861, ack 5661, win 4104, length 0
01:18:25.903320 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 28459, offset 0, flags [DF], proto TCP (6), length 40)
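The paragraph introducing this capture says it exposes the MAC addresses, the browser version, the server address and the httpd version. As an added example, not part of the original post, the following Python script walks a constructed sample in the same `-e -vv port 80` layout and compiles exactly that inventory: link-layer addresses, endpoints, requested paths, status codes, and the User-Agent and Server headers. It is the kind of check a defender runs on a capture to see what a service leaks in cleartext. The sample lines are constructed from the capture above and the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the "tcpdump -i ens33 -vv -e port 80" layout:
# a link-layer/IP header line, an indented TCP line, then the HTTP payload
# lines that tcpdump prints for port 80 traffic (values taken from the capture above).
SAMPLE = """\
01:18:10.567954 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 513: (tos 0x0, ttl 64, id 33927, offset 0, flags [DF], proto TCP (6), length 499)
    192.168.123.1.51913 > server0.http: Flags [P.], cksum 0xb25d (correct), seq 1:460, ack 1, win 4106, length 459: HTTP, length: 459
    GET / HTTP/1.1
    Host: 192.168.123.11
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
01:18:10.568546 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 38780, offset 0, flags [DF], proto TCP (6), length 1500)
    server0.http > 192.168.123.1.51913: Flags [.], cksum 0xed50 (correct), seq 1:1461, ack 460, win 237, length 1460: HTTP, length: 1460
    HTTP/1.1 403 Forbidden
    Date: Tue, 10 Oct 2023 17:18:10 GMT
    Server: Apache/2.4.6 (CentOS)
    Content-Type: text/html; charset=UTF-8
01:18:10.585181 00:50:56:c0:00:08 (oui Unknown) > 00:0c:29:23:ff:58 (oui Unknown), ethertype IPv4 (0x0800), length 455: (tos 0x0, ttl 64, id 33929, offset 0, flags [DF], proto TCP (6), length 441)
    192.168.123.1.51913 > server0.http: Flags [P.], cksum 0xb661 (correct), seq 460:861, ack 5206, win 4106, length 401: HTTP, length: 401
    GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1
    Host: 192.168.123.11
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
01:18:10.585557 00:0c:29:23:ff:58 (oui Unknown) > 00:50:56:c0:00:08 (oui Unknown), ethertype IPv4 (0x0800), length 508: (tos 0x0, ttl 64, id 38784, offset 0, flags [DF], proto TCP (6), length 494)
    server0.http > 192.168.123.1.51913: Flags [P.], cksum 0xae1f (correct), seq 5206:5660, ack 861, win 245, length 454: HTTP, length: 454
    HTTP/1.1 404 Not Found
    Server: Apache/2.4.6 (CentOS)
    Content-Type: text/html; charset=iso-8859-1
"""

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")           # every packet starts with a timestamp
MAC_RE = re.compile(r"^\S+ (?P<smac>[0-9a-f:]{17}) \(oui [^)]*\) > (?P<dmac>[0-9a-f:]{17}) ")
FLOW_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags ")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (?P<code>\d{3}) ")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*): (?P<value>.*)$")


def split_packets(text: str) -> List[List[str]]:
    """Group output lines into packets; each group starts at a timestamped line."""
    packets: List[List[str]] = []
    for line in text.splitlines():
        if TS_RE.match(line):
            packets.append([line])
        elif packets:
            packets[-1].append(line)
    return packets


def strip_port(endpoint: str) -> str:
    """'192.168.123.1.51913' -> '192.168.123.1', 'server0.http' -> 'server0'."""
    return endpoint.rsplit(".", 1)[0]


def inventory(text: str) -> Dict[str, object]:
    """Collect what this cleartext HTTP exchange reveals to anyone on the path."""
    inv: Dict[str, object] = {"macs": set(), "endpoints": set(), "http_hosts": set(),
                              "requests": [], "status": Counter(),
                              "user_agents": set(), "servers": set()}
    for pkt in split_packets(text):
        m = MAC_RE.match(pkt[0])
        if m:
            inv["macs"].update((m["smac"], m["dmac"]))
        if len(pkt) > 1 and (f := FLOW_RE.match(pkt[1])):
            inv["endpoints"].update((strip_port(f["src"]), strip_port(f["dst"])))
        for raw in pkt[2:]:                       # the payload lines tcpdump printed
            line = raw.strip()
            if (r := REQUEST_RE.match(line)):
                inv["requests"].append(f"{r['method']} {r['path']}")
            elif (s := STATUS_RE.match(line)):
                inv["status"][int(s["code"])] += 1
            elif (h := HEADER_RE.match(line)):
                name, value = h["name"].lower(), h["value"]
                if name == "user-agent":
                    inv["user_agents"].add(value)
                elif name == "server":
                    inv["servers"].add(value)
                elif name == "host":
                    inv["http_hosts"].add(value)
    return inv


if __name__ == "__main__":
    for key, value in inventory(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the text saved from a real `tcpdump -vv -e port 80` run to get the same summary; anything that the Server and User-Agent sets contain here travelled in the clear and would be just as visible to anyone else on the path, which is the argument for serving over TLS and trimming server version banners.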
To be continued!!!