1. Introduction to tcpdump
- In debugging network problems, tcpdump is an indispensable tool. Like most good Linux tools, its hallmark is that it is simple yet powerful. It is a command-line packet sniffer for Unix-based systems that captures the packets flowing through a network interface.
- By default, tcpdump does not capture packets exchanged internally by the local host. According to the network protocol stack, even a packet whose destination is the local host must pass through the local network protocol layers, so local communication certainly enters the kernel through the socket API and goes through route selection. [For example, local TCP communication still requires the basic elements of socket communication: src ip, port, dst ip, port.]
- To capture packets addressed to other hosts' MAC addresses with tcpdump, the interface must be put into promiscuous mode. In the simplest terms, promiscuous mode makes the network card capture every packet that passes through it, whether or not the packet is addressed to it or was sent by it. Generally, Unix does not let ordinary users enable promiscuous mode, because it allows seeing other people's traffic, such as telnet user names and passwords, which raises security concerns; only root can enable it. The command is: ifconfig en0 promisc, where en0 is the interface on which to enable promiscuous mode.
How packet capture works on Linux:
- Packet capture on Linux is done by registering a virtual low-level network protocol, which obtains the right to process network packets (more precisely, network-device messages). When the network card receives a packet, the system iterates over all registered network protocols, for example the Ethernet and X.25 protocol handlers, and lets each try to parse and handle the packet. This is similar to mounting a file system: every registered file system is asked to try the mount, and whichever one decides it can handle it completes the mount.
- When the capture module disguises itself as a network protocol, the system gives this pseudo-protocol a chance to process each packet the card receives. The module takes that opportunity to peek at the packet: it makes a complete copy, pretends the copy is a packet it received itself, and hands it to the capture module.
2. Using tcpdump
2.1 Syntax
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
1. Type keywords
host (default type): specifies a host, e.g. host 159.48.22.2
net: specifies a network address, e.g. net 205.0.0.0
port: specifies a port number, e.g. port 22
2. Direction keywords
src: src 159.48.22.2, the IP packet's source address is 159.48.22.2
dst: dst net 205.0.0.0, the destination network address is 205.0.0.0
dst or src (default)
dst and src
3. Protocol keywords: by default, packets of all protocols are captured
fddi ip arp rarp tcp udp
4. Other keywords
gateway broadcast less greater
5. Common expressions: with multiple conditions parentheses may be used, but they must be escaped with \
NOT: ! or "not" (without the double quotes)
AND: && or "and"
OR: || or "or"
2.2 Options
-A: print each packet in ASCII (without the link-layer header); convenient for analysing web pages;
-a: convert network and broadcast addresses to names;
-c<count>: stop after the specified number of packets has been received;
-C: check whether the file being written with -w exceeds this size; if it does, start a new file (the file name suffix increases 1, 2, 3, ...);
-d: dump the code that matches packets in a human-readable assembler-like form;
-dd: dump the matching code as a C program fragment;
-ddd: dump the matching code as decimal numbers;
-D: list the numbers and names of all interfaces on the host, for use with -i;
-e: print the data-link-layer header on each output line;
-f: print external Internet addresses numerically;
-F<expression file>: read the expression from the given file and ignore any other expression;
-i<interface>: listen on that interface of the host; if none is given, the interface with the lowest number is used (as listed by -D, excluding the loopback interface); Linux kernel 2.2 and later support the any interface, meaning every interface;
-l: when -w is not used, packets are printed to the standard output terminal (which is the default in that case);
-n: show IP addresses rather than host names;
-N: do not print domain names;
-O: do not optimise the packet-matching code;
-p: do not put the interface into promiscuous mode;
-q: quick output, listing only a little protocol information;
-r<packet file>: read packets from the given file (usually produced with -w);
-s<packet size>: specify how many bytes of each packet are captured; -s0 captures complete packets regardless of their length and is often used together with -A. The default capture length is 60 bytes, while the Ethernet MTU is usually 1500 bytes, so capturing packets larger than 60 bytes with the default setting loses packet data;
-S: print TCP sequence numbers as absolute rather than relative values;
-t: do not print a timestamp on each output line;
-tt: print an unformatted timestamp on each output line;
-T<packet type>: interpret the captured packets as the given type; common types are rpc (remote procedure call) and snmp (simple network management protocol);
-v: slightly more verbose output, e.g. the TTL and type of service of IP packets;
-vv: detailed packet information;
-x/-xx/-X/-XX: show packet contents in hexadecimal; the options differ only slightly, see the man page;
-w<packet file>: write packets directly to the file without parsing or printing them;
expression: the logical expression used for filtering;
2.3 Command practice
1. Start tcpdump with no arguments: captures all packets passing through the first network interface
[root@localhost ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:28:18.573605 IP 192.168.2.195.23282 > 192.168.2.252.24118: UDP, length 172
07:28:18.574144 IP 192.168.2.252.36558 > 192.168.2.195.17168: UDP, length 172
2. Capture all packets passing through a specified network interface
[root@localhost ~]# tcpdump -i ens37
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
21:20:31.431060 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1904493269:1904493457, ack 1808492261, win 257, length 188
21:20:31.431604 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 188, win 4098, length 0
3. Capture all traffic passing through ens37 whose destination or source address is 192.168.2.195
[root@localhost ~]# tcpdump -i ens37 host 192.168.2.195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
21:24:05.041207 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1904781305:1904781493, ack 1808494885, win 257, length 188
21:24:05.041799 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 188, win 4095, length 0
21:24:05.042899 IP localhost.localdomain.37266 > gateway.domain: 26682+ PTR? 252.2.168.192.in-addr.arpa. (44)
4. Capture packets of host 192.168.2.195 communicating with every host except 192.168.2.161
[root@vos23-253 ~]# tcpdump -n host 192.168.2.195 and ! 192.168.2.161
5. Capture the communication between host 192.168.2.195 and host 192.168.2.161 or 192.168.1.192
[root@vos23-253 ~]# tcpdump host 192.168.2.195 and \(192.168.2.161 or 192.168.2.192 \)
6. Capture the IP packets of host 192.168.2.195 communicating with every host except 192.168.2.161
[root@vos23-253 ~]# tcpdump ip -n host 192.168.2.195 and ! 192.168.2.161
7. Capture all data sent by host 192.168.2.195 (note the direction of the traffic)
[root@localhost ~]# tcpdump -i ens37 src host 192.168.2.195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:03:26.464844 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1905084757:1905084945, ack 1808509393, win 257, length 188
22:03:26.469440 IP localhost.localdomain.39264 > gateway.domain: 27217+ PTR? 252.2.168.192.in-addr.arpa. (44)
22:03:26.481412 IP localhost.localdomain.53247 > gateway.domain: 6371+ PTR? 195.2.168.192.in-addr.arpa. (44)
22:03:26.487318 IP localhost.localdomain.58260 > gateway.domain: 52148+ PTR? 1.2.168.192.in-addr.arpa. (42)
22:03:26.487878 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 188:368, ack 1, win 257, length 180
22:03:26.492947 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 368:860, ack 1, win 257, length 492
22:03:26.496669 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 860:1016, ack 1, win 257, length 156
8. Capture all data received by host 192.168.2.195 (note the direction of the traffic)
[root@localhost ~]# tcpdump -i ens37 dst host 192.168.2.195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:05:38.212869 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 1905088285, win 4095, length 0
22:05:38.218244 IP gateway.domain > localhost.localdomain.53967: 14803 NXDomain* 0/0/0 (44)
22:05:38.229078 IP gateway.domain > localhost.localdomain.46026: 48360 NXDomain* 0/0/0 (44)
22:05:38.232544 IP gateway.domain > localhost.localdomain.49773: 29420 NXDomain* 0/0/0 (42)
22:05:38.233906 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 473, win 4100, length 0
22:05:38.278512 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 621, win 4099, length 0
22:05:38.323606 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 769, win 4099, length 0
22:05:38.367239 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 917, win 4098, length 0
9. Capture all packets of host 192.168.2.195 on TCP port 80
[root@localhost ~]# tcpdump -i ens37 host 192.168.2.195 and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:09:41.001031 IP 192.168.2.252.56896 > localhost.localdomain.http: Flags [S], seq 4142713941, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:09:41.001115 IP localhost.localdomain.http > 192.168.2.252.56896: Flags [S.], seq 2314038867, ack 4142713942, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
22:09:41.001867 IP 192.168.2.252.56897 > localhost.localdomain.http: Flags [S], seq 1124231281, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:09:41.001951 IP localhost.localdomain.http > 192.168.2.252.56897: Flags [S.], seq 3765993047, ack 1124231282, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10. Capture the packets that HTTP host 192.168.2.195 receives on port 80
[root@localhost ~]# tcpdump -i ens37 host 192.168.2.195 and dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:14:53.001984 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [S], seq 522768429, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.003398 IP 192.168.2.252.57018 > localhost.localdomain.http: Flags [S], seq 638329607, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.004030 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [.], ack 3320819599, win 513, length 0
22:14:53.004096 IP 192.168.2.252.57018 > localhost.localdomain.http: Flags [.], ack 285611684, win 513, length 0
22:14:53.162771 IP 192.168.2.252.56947 > localhost.localdomain.http: Flags [F.], seq 2938864200, ack 2243393952, win 1020, length 0
22:14:53.163069 IP 192.168.2.252.56946 > localhost.localdomain.http: Flags [F.], seq 2820151409, ack 882247900, win 1024, length 0
22:14:53.163179 IP 192.168.2.252.57023 > localhost.localdomain.http: Flags [S], seq 3156484712, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.163531 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [S], seq 21775267, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.163890 IP 192.168.2.252.57023 > localhost.localdomain.http: Flags [.], ack 990188203, win 1024, length 0
22:14:53.163943 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [.], ack 19856703, win 1024, length 0
22:14:53.164541 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [P.], seq 0:403, ack 1, win 1024, length 403: HTTP: GET / HTTP/1.1
22:14:53.180512 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [.], ack 181, win 1023, length 0
22:14:53.189681 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [P.], seq 403:780, ack 181, win 1023, length 377: HTTP: GET /root/1.jpg HTTP/1.1
2.4 Try capturing a website
How do you capture the network traffic generated when visiting a website, for example http://www.baidu.com/?
1. Use tcpdump to intercept all packets sent to and received from the host http://www.baidu.com/
[root@localhost ~]# tcpdump -i ens37 host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
2. Open a second terminal and access Baidu
[root@localhost ~]# curl www.baidu.com
<!DOCTYPE html> <!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道
Terminal 1 shows:
...
22:34:15.927132 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [S], seq 943770983, win 29200, options [mss 1460,sackOK,TS val 449936864 ecr 0,nop,wscale 7], length 0
22:34:15.964430 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [S.], seq 922061785, ack 943770984, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:34:15.964500 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 1, win 229, length 0
22:34:15.964788 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
22:34:16.001627 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [.], ack 78, win 908, length 0
22:34:16.005731 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [P.], seq 1:2782, ack 78, win 908, length 2781: HTTP: HTTP/1.1 200 OK
22:34:16.005786 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2782, win 272, length 0
22:34:16.006299 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [F.], seq 78, ack 2782, win 272, length 0
22:34:16.019073 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [P.], seq 1421:2782, ack 78, win 908, length 1361: HTTP
22:34:16.019127 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2782, win 272, options [nop,nop,sack 1 {1421:2782}], length 0
22:34:16.058086 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [.], ack 79, win 908, length 0
22:34:16.058144 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [F.], seq 2782, ack 79, win 908, length 0
22:34:16.058170 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2783, win 272, length 0
3. Why is the acknowledgement number ack 1? It is a relative value; how can the absolute value be shown?
[root@localhost ~]# tcpdump -S -i ens37 host www.baidu.com
(access Baidu from the other terminal)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:37:03.007599 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [S], seq 2579767550, win 29200, options [mss 1460,sackOK,TS val 450103944 ecr 0,nop,wscale 7], length 0
22:37:03.046689 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [S.], seq 159367515, ack 2579767551, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:37:03.046759 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [.], ack 159367516, win 229, length 0
22:37:03.047002 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [P.], seq 2579767551:2579767628, ack 159367516, win 229, length 77: HTTP: GET / HTTP/1.1
22:37:03.085555 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [.], ack 2579767628, win 908, length 0
22:37:03.087793 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [P.], seq 159367516:159368956, ack 2579767628, win 908, length 1440: HTTP: HTTP/1.1 200 OK
22:37:03.087850 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [.], ack 159368956, win 251, length 0
22:37:03.088470 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [P.], seq 159368956:159370297, ack 2579767628, win 908, length 1341: HTTP
4. How to see the detailed HTTP message?
[root@localhost ~]# tcpdump -A -i ens37 host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:39:41.707406 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [S], seq 3662513049, win 29200, options [mss 1460,sackOK,TS val 450262644 ecr 0,nop,wscale 7], length 0
E..<..@.@..e.......&.6.P.M........r............ ..vt........
22:39:41.751033 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [S.], seq 3205237971, ack 3662513050, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E`.<..@.7......&.....P.6.....M.... ..g......................
22:39:41.751103 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [.], ack 1, win 229, length 0
E..(..@.@..x.......&.6.P.M......P.......
22:39:41.751403 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
E..u..@.@..*.......&.6.P.M......P.......GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.baidu.com
Accept: */*
22:39:41.795966 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [.], ack 78, win 908, length 0
E`.(..@.4..k...&.....P.6.....M..P...SC....
22:39:41.928944 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [P.], seq 1:1441, ack 78, win 908, length 1440: HTTP: HTTP/1.1 200 OK
E`....@.4......&.....P.6.....M..P....#..HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Mon, 09 Mar 2020 08:39:55 GMT
Etag: "588604dc-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:56 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
5. Save the capture to the file test1
[root@localhost ~]# tcpdump -A -i ens37 -w test1 host www.baidu.com
6. How to read the basic information from this file
[root@localhost ~]# tcpdump -r test1
reading from file test1, link-type EN10MB (Ethernet)
22:42:01.321830 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [S], seq 2706590061, win 29200, options [mss 1460,sackOK,TS val 450402259 ecr 0,nop,wscale 7], length 0
7. To see more, for example the HTTP message above
[root@localhost ~]# tcpdump -A -r test1
reading from file test1, link-type EN10MB (Ethernet)
22:42:01.321830 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [S], seq 2706590061, win 29200, options [mss 1460,sackOK,TS val 450402259 ecr 0,nop,wscale 7], length 0
E..<..@.@..........'.2.P.SIm......r............ ............
22:42:01.361527 IP 14.215.177.39.http > localhost.localdomain.58162: Flags [S.], seq 2388635062, ack 2706590062, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E`.<..@.7..3...'.....P.2._...SIn.. ..Z......................
22:42:01.361596 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [.], ack 1, win 229, length 0
E..(..@.@..........'.2.P.SIn._..P.......
22:42:01.361876 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
E..u..@.@..X.......'.2.P.SIn._..P.......GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.baidu.com
Accept: */*
8. Also print the acknowledgement number ack as an absolute value at the same time
[root@localhost ~]# tcpdump -AS -r test1
Note: options that take no argument, such as -A, -S, -e, etc., can share a single dash.
'src host www.baidu.cn' is part of the expression; if the expression is long, it can be enclosed in single quotes:
[root@localhost ~]# tcpdump -i ens37 'src host www.baidu.com'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:47:52.389567 IP 14.215.177.38.http > localhost.localdomain.43834: Flags [S.], seq 1091142458, ack 3695757409, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:47:52.430102 IP 14.215.177.38.http > localhost.localdomain.43834: Flags [.], ack 78, win 908, length 0
Reading an output line:
- Column 1 is the timestamp: hour, minute, second, microsecond
- Column 2 is the name of the Internet protocol
- Column 3 is the sender's Internet protocol address in decimal, followed by the port number (occasionally a protocol name such as http appears instead; to show the port number here, add the -n option)
- Column 4 is the greater-than sign
- Column 5 is the receiver's Internet protocol address in decimal, followed by the port number (occasionally a protocol name such as http appears instead; to show the port number here, add the -n option)
- Column 6 is a colon
- Column 7 is the Flags field, whose possible values are [S.] [.] [P.] [F.]
- Columns 8, 9, 10, ... are values from the TCP header: seq is the sequence number being requested for synchronisation, ack is the sequence number already synchronised, win is the current available window size, and length is the length of the TCP payload
- With the -S option, the seq and ack shown are two colon-separated values, representing the value before and after the change
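As an added example (not from the original page or from tcpdump itself), the following Python parses the default tcpdump TCP summary line into the columns described above, checks that a seq range (relative by default, absolute with -S as in section 2.4 step 3) agrees with the length field, and lists flows whose SYN was never followed by an ACK, which is a quick way to spot half-open connections in a saved capture. The sample lines are constructed to resemble the captures on this page; the flow from port 57023 is deliberately left without its ACK.

```python
import re

# Constructed sample lines in the shape of the page's captures (not a real capture); the flow from
# port 57023 sends a SYN that is never followed by the client's ACK.
SAMPLE_CAPTURE = """\
22:14:53.001984 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [S], seq 522768429, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.004030 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [.], ack 3320819599, win 513, length 0
22:14:53.164541 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [P.], seq 0:403, ack 1, win 1024, length 403: HTTP: GET / HTTP/1.1
22:37:03.047002 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [P.], seq 2579767551:2579767628, ack 159367516, win 229, length 77: HTTP: GET / HTTP/1.1
22:14:53.163179 IP 192.168.2.252.57023 > localhost.localdomain.http: Flags [S], seq 3156484712, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

# A default tcpdump TCP line: timestamp, protocol, "src > dst:", "Flags [..]", then seq/ack/win/length;
# whatever follows "length N:" is tcpdump's payload summary (here the HTTP request line).
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<proto>IP6?) (?P<src>\S+) > (?P<dst>\S+): "
                     r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")
SEQ_RE = re.compile(r"\bseq (\d+)(?::(\d+))?")   # single number on SYN, start:end when data is carried
ACK_RE = re.compile(r"\back (\d+)")              # \b keeps "sackOK" from matching
LEN_RE = re.compile(r"\blength (\d+)(?::\s*(.*))?")


def split_endpoint(endpoint):
    """tcpdump joins host and port with a dot: '192.168.2.252.57017', 'localhost.localdomain.http'."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Parse one summary line into a dict; None for banner, UDP or DNS lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "proto": m["proto"], "src": m["src"], "dst": m["dst"], "flags": m["flags"]}
    rec["src_host"], rec["src_port"] = split_endpoint(m["src"])
    rec["dst_host"], rec["dst_port"] = split_endpoint(m["dst"])
    seq, ack, ln = (rx.search(m["rest"]) for rx in (SEQ_RE, ACK_RE, LEN_RE))
    rec["seq"] = (int(seq[1]), int(seq[2]) if seq[2] else None) if seq else None
    rec["ack"] = int(ack[1]) if ack else None
    rec["length"] = int(ln[1]) if ln else None
    rec["payload"] = ln[2] if ln and ln[2] else None
    return rec


def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def seq_range_matches_length(rec):
    """Relative (default) or absolute (-S), the seq range end - start must equal the payload length."""
    start, end = rec["seq"] or (None, None)
    return end is not None and end - start == rec["length"]


def incomplete_handshakes(records):
    """Flows that sent a bare SYN but no later non-SYN segment carrying an ACK (half-open)."""
    syn = {(r["src"], r["dst"]) for r in records if r["flags"] == "S"}
    acked = {(r["src"], r["dst"]) for r in records if "S" not in r["flags"] and r["ack"] is not None}
    return sorted(syn - acked)
```

Feed it `tcpdump -n -r file` output (with -n so both endpoints are numeric) to get the same records from a saved capture.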