### Capture packets on the local loopback interface

tcpdump -ntx -i lo

### Using tcpdump to observe a DNS exchange

tcpdump -i eth0 -nt -s 500 port domain

```
[root@aliecs ~]# tcpdump -i eth0 -nt -s 500 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 500 bytes
IP 172.17.27.211.19838 > 100.100.2.136.domain: 65481+ A? www.taobao.com. (32)
IP 100.100.2.136.domain > 172.17.27.211.19838: 65481 4/0/1 CNAME www.taobao.com.danuoyi.tbcache.com., A 101.37.183.171, A 101.37.183.170, A 42.120.107.23 (136)
IP 172.17.27.211.netscript > 100.100.2.138.domain: 6060+ PTR? 171.183.37.101.in-addr.arpa. (45)
IP 100.100.2.138.domain > 172.17.27.211.netscript: 6060 NXDomain 0/1/0 (116)
```

Reading the DNS lines: `65481+` is the transaction ID, with `+` meaning recursion desired; `A?` is the question type; `4/0/1` in the reply counts answer/authority/additional records. `-s 500` caps each captured packet at 500 bytes, which is plenty for these DNS messages but would truncate longer packets. Note also that `-n` only suppresses host-name lookups; port numbers are still translated through /etc/services (`domain`, `netscript` above). Use `-nn` to print raw port numbers.

dig result:

```
;; ANSWER SECTION:
www.taobao.com. 86 IN CNAME www.taobao.com.danuoyi.tbcache.com.
www.taobao.com.danuoyi.tbcache.com. 46 IN A 101.37.183.171
www.taobao.com.danuoyi.tbcache.com. 46 IN A 42.120.107.24
www.taobao.com.danuoyi.tbcache.com. 46 IN A 101.37.183.170
```

> HTTP request packet

```
12:40:42.378883 IP (tos 0x14, ttl 115, id 7647, offset 0, flags [DF], proto TCP (6), length 556)
    1.204.29.213.10484 > 172.17.27.211.http: Flags [P.], cksum 0x5580 (correct), seq 1:517, ack 1, win 258, length 516: HTTP, length: 516
    GET /?plat=pc HTTP/1.1
    Host: ayouleyang.cn
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7
    Cookie: _ga=GA1.2.1841278064.1560324117; _gid=GA1.2.1140883212.1562201759; PHPSESSID=2q9j5p56gd1v8k2t7age66kajg

    0x0000:  4514 022c 1ddf 4000 7306 0054 01cc 1dd5  E..,..@.s..T....
    0x0010:  ac11 1bd3 28f4 0050 fb41 fd3f 7716 0212  ....(..P.A.?w...
    0x0020:  5018 0102 5580 0000 4745 5420 2f3f 706c  P...U...GET./?pl
    0x0030:  6174 3d70 6320 4854 5450 2f31 2e31 0d0a  at=pc.HTTP/1.1..
    0x0040:  486f 7374 3a20 6179 6f75 6c65 7961 6e67  Host:.ayouleyang
    0x0050:  2e63 6e0d 0a43 6f6e 6e65 6374 696f 6e3a  .cn..Connection:
    0x0060:  206b 6565 702d 616c 6976 650d 0a55 7067  .keep-alive..Upg
    0x0070:  7261 6465 2d49 6e73 6563 7572 652d 5265  rade-Insecure-Re
    0x0080:  7175 6573 7473 3a20 310d 0a55 7365 722d  quests:.1..User-
    0x0090:  4167 656e 743a 204d 6f7a 696c 6c61 2f35  Agent:.Mozilla/5
    0x00a0:  2e30 2028 5769 6e64 6f77 7320 4e54 2031  .0.(Windows.NT.1
    0x00b0:  302e 303b 2057 4f57 3634 2920 4170 706c  0.0;.WOW64).Appl
    0x00c0:  6557 6562 4b69 742f 3533 372e 3336 2028  eWebKit/537.36.(
    0x00d0:  4b48 544d 4c2c 206c 696b 6520 4765 636b  KHTML,.like.Geck
    0x00e0:  6f29 2043 6872 6f6d 652f 3639 2e30 2e33  o).Chrome/69.0.3
    0x00f0:  3439 372e 3130 3020 5361 6661 7269 2f35  497.100.Safari/5
    0x0100:  3337 2e33 360d 0a41 6363 6570 743a 2074  37.36..Accept:.t
    0x0110:  6578 742f 6874 6d6c 2c61 7070 6c69 6361  ext/html,applica
    0x0120:  7469 6f6e 2f78 6874 6d6c 2b78 6d6c 2c61  tion/xhtml+xml,a
    0x0130:  7070 6c69 6361 7469 6f6e 2f78 6d6c 3b71  pplication/xml;q
    0x0140:  3d30 2e39 2c69 6d61 6765 2f77 6562 702c  =0.9,image/webp,
    0x0150:  696d 6167 652f 6170 6e67 2c2a 2f2a 3b71  image/apng,*/*;q
    0x0160:  3d30 2e38 0d0a 4163 6365 7074 2d45 6e63  =0.8..Accept-Enc
    0x0170:  6f64 696e 673a 2067 7a69 702c 2064 6566  oding:.gzip,.def
    0x0180:  6c61 7465 0d0a 4163 6365 7074 2d4c 616e  late..Accept-Lan
    0x0190:  6775 6167 653a 207a 682d 434e 2c7a 683b  guage:.zh-CN,zh;
    0x01a0:  713d 302e 392c 656e 3b71 3d30 2e38 2c6a  q=0.9,en;q=0.8,j
    0x01b0:  613b 713d 302e 370d 0a43 6f6f 6b69 653a  a;q=0.7..Cookie:
    0x01c0:  205f 6761 3d47 4131 2e32 2e31 3834 3132  ._ga=GA1.2.18412
    0x01d0:  3738 3036 342e 3135 3630 3332 3431 3137  78064.1560324117
    0x01e0:  3b20 5f67 6964 3d47 4131 2e32 2e31 3134  ;._gid=GA1.2.114
    0x01f0:  3038 3833 3231 322e 3135 3632 3230 3137  0883212.15622017
    0x0200:  3539 3b20 5048 5053 4553 5349 443d 3271  59;.PHPSESSID=2q
    0x0210:  396a 3570 3536 6764 3176 386b 3274 3761  9j5p56gd1v8k2t7a
    0x0220:  6765 3636 6b61 6a67 0d0a 0d0a            ge66kajg....
```

> Decoding the packet (HTTP response)

```
12:40:42.378993 IP (tos 0x0, ttl 64, id 31643, offset 0, flags [DF], proto TCP (6), length 376)
    172.17.27.211.http > 1.204.29.213.10484: Flags [P.], cksum 0xe8ef (incorrect -> 0x7a29), seq 1:337, ack 517, win 60, length 336: HTTP, length: 336
    HTTP/1.1 302 Moved Temporarily
    Server: nginx
    Date: Thu, 04 Jul 2019 04:40:42 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: keep-alive
    Location: https://ayouleyang.cn/?plat=pc

    <html>
    <head><title>302 Found</title></head>
    <body>
    <center><h1>302 Found</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>

    0x0000:  4500 0178 7b9b 4000 4006 d65f ac11 1bd3  E..x{.@.@.._....
    0x0010:  01cc 1dd5 0050 28f4 7716 0212 fb41 ff43  .....P(.w....A.C
    0x0020:  5018 003c e8ef 0000 4854 5450 2f31 2e31  P..<....HTTP/1.1
    0x0030:  2033 3032 204d 6f76 6564 2054 656d 706f  .302.Moved.Tempo
    0x0040:  7261 7269 6c79 0d0a 5365 7276 6572 3a20  rarily..Server:.
    0x0050:  6e67 696e 780d 0a44 6174 653a 2054 6875  nginx..Date:.Thu
    0x0060:  2c20 3034 204a 756c 2032 3031 3920 3034  ,.04.Jul.2019.04
    0x0070:  3a34 303a 3432 2047 4d54 0d0a 436f 6e74  :40:42.GMT..Cont
    0x0080:  656e 742d 5479 7065 3a20 7465 7874 2f68  ent-Type:.text/h
    0x0090:  746d 6c0d 0a43 6f6e 7465 6e74 2d4c 656e  tml..Content-Len
    0x00a0:  6774 683a 2031 3338 0d0a 436f 6e6e 6563  gth:.138..Connec
    0x00b0:  7469 6f6e 3a20 6b65 6570 2d61 6c69 7665  tion:.keep-alive
    0x00c0:  0d0a 4c6f 6361 7469 6f6e 3a20 6874 7470  ..Location:.http
    0x00d0:  733a 2f2f 6179 6f75 6c65 7961 6e67 2e63  s://ayouleyang.c
    0x00e0:  6e2f 3f70 6c61 743d 7063 0d0a 0d0a 3c68  n/?plat=pc....<h
    0x00f0:  746d 6c3e 0d0a 3c68 6561 643e 3c74 6974  tml>..<head><tit
    0x0100:  6c65 3e33 3032 2046 6f75 6e64 3c2f 7469  le>302.Found</ti
    0x0110:  746c 653e 3c2f 6865 6164 3e0d 0a3c 626f  tle></head>..<bo
    0x0120:  6479 3e0d 0a3c 6365 6e74 6572 3e3c 6831  dy>..<center><h1
    0x0130:  3e33 3032 2046 6f75 6e64 3c2f 6831 3e3c  >302.Found</h1><
    0x0140:  2f63 656e 7465 723e 0d0a 3c68 723e 3c63  /center>..<hr><c
    0x0150:  656e 7465 723e 6e67 696e 783c 2f63 656e  enter>nginx</cen
    0x0160:  7465 723e 0d0a 3c2f 626f 6479 3e0d 0a3c  ter>..</body>..<
    0x0170:  2f68 746d 6c3e 0d0a                      /html>..
```

The `cksum 0xe8ef (incorrect -> 0x7a29)` on the outgoing response is not corruption: with TCP checksum offload enabled, the kernel hands the segment to the NIC with the checksum still unfilled, and tcpdump captures it before the hardware computes it. Incoming packets (like the request above, marked `correct`) are unaffected. If you need verifiable checksums in a capture, disable offload with `ethtool -K eth0 tx off` first.
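As an added example (not from the original notes, and not tcpdump's own code), the following Python script does by program what the notes above do by eye: it rebuilds raw bytes from `tcpdump -X` hex-dump lines, parses the IPv4 and TCP headers, verifies the IP header checksum, renders the flags the way tcpdump prints them, and reconstructs a summary line. The embedded sample is the first six hex-dump lines of the HTTP request captured above, so the segment is deliberately incomplete, which is exactly what a small snaplen such as `-s 500` does to longer packets; the decoder reports the truncation instead of pretending to verify a TCP checksum it cannot check.

```python
# Decode tcpdump -x/-X hex-dump lines into IPv4/TCP fields and the captured payload.
# Added example for this page; not part of the original notes or of tcpdump itself.
import re
import socket
import struct

# The first six hex-dump lines of the HTTP request captured above (tcpdump -X output). The
# packet is 556 bytes long but only 96 are reproduced, so the segment is deliberately truncated.
SAMPLE_HEX_DUMP = """\
0x0000:  4514 022c 1ddf 4000 7306 0054 01cc 1dd5  E..,..@.s..T....
0x0010:  ac11 1bd3 28f4 0050 fb41 fd3f 7716 0212  ....(..P.A.?w...
0x0020:  5018 0102 5580 0000 4745 5420 2f3f 706c  P...U...GET./?pl
0x0030:  6174 3d70 6320 4854 5450 2f31 2e31 0d0a  at=pc.HTTP/1.1..
0x0040:  486f 7374 3a20 6179 6f75 6c65 7961 6e67  Host:.ayouleyang
0x0050:  2e63 6e0d 0a43 6f6e 6e65 6374 696f 6e3a  .cn..Connection:
"""

_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")  # "4514", or a trailing "0a"

# tcpdump prints TCP flags in this fixed order: "[S.]" is SYN+ACK, "[P.]" is PSH+ACK.
_TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                     (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))

def parse_hex_dump(text: str) -> bytes:
    """Rebuild raw bytes from "0x0010:  ac11 1bd3 ...  ascii" lines; the ASCII column is skipped."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not (tokens[0].startswith("0x") and tokens[0].endswith(":")):
            continue  # summary line, decoded HTTP text, blank line ...
        offset = int(tokens[0][2:-1], 16)
        if offset != len(out):
            raise ValueError(f"hex dump is not contiguous at offset {offset:#06x}")
        groups = []
        for tok in tokens[1:]:
            if len(groups) == 8 or not _HEX_GROUP.match(tok):  # 8 groups = 16 bytes per line
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic: a header or segment with a valid checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and verify its checksum."""
    vihl, tos, total_len, ident, flags_frag, ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "header_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
    }

def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header; flags are rendered the way tcpdump prints them."""
    sport, dport, seq, ack, off_flags, win, cksum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "checksum": cksum, "data_offset": (off_flags >> 12) * 4,
            "flags": "".join(letter for bit, letter in _TCP_FLAG_LETTERS if off_flags & bit)}

def tcp_checksum_ok(ip: dict, segment: bytes) -> bool:
    """Verify the TCP checksum over the IPv4 pseudo-header plus the complete segment."""
    pseudo = (socket.inet_aton(ip["src"]) + socket.inet_aton(ip["dst"])
              + struct.pack("!BBH", 0, ip["proto"], len(segment)))
    return ones_complement_sum(pseudo + segment) == 0xFFFF

def decode_packet(hex_dump: str) -> dict:
    """Return IP and TCP fields, the captured payload, and whether the capture was cut short."""
    pkt = parse_hex_dump(hex_dump)
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6:
        raise ValueError(f"expected TCP (protocol 6), got {ip['proto']}")
    truncated = len(pkt) < ip["total_length"]
    segment = pkt[ip["ihl"]:ip["total_length"]]  # drops any Ethernet trailer padding
    tcp = parse_tcp(segment)
    # Payload length the way tcpdump reports it: from the IP header, not from what was captured.
    tcp["payload_length"] = ip["total_length"] - ip["ihl"] - tcp["data_offset"]
    # A truncated segment cannot be checksummed; tcpdump likewise shows "incorrect" for outgoing
    # packets when the NIC fills the checksum in after the capture point (checksum offload).
    tcp["checksum_ok"] = None if truncated else tcp_checksum_ok(ip, segment)
    return {"ip": ip, "tcp": tcp, "payload": segment[tcp["data_offset"]:], "truncated": truncated}

def summary_line(decoded: dict) -> str:
    """One-line summary in the style of tcpdump -nn output."""
    ip, tcp = decoded["ip"], decoded["tcp"]
    return (f"IP {ip['src']}.{tcp['sport']} > {ip['dst']}.{tcp['dport']}: Flags [{tcp['flags']}], "
            f"ttl {ip['ttl']}, win {tcp['window']}, length {tcp['payload_length']}")
```

Running `decode_packet(SAMPLE_HEX_DUMP)` recovers exactly the fields tcpdump printed for the request (tos 0x14, ttl 115, id 7647, DF, 1.204.29.213.10484 > 172.17.27.211.80, flags P., win 258, cksum 0x5580, length 516) and the start of the payload `GET /?plat=pc HTTP/1.1 ...`, while `truncated` is True and `checksum_ok` is None because the sample stops after 96 of the 556 bytes. Feed it the full dump (or a packet captured with `-s 0`) and the TCP checksum is verified against the pseudo-header as well.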