Analyze HTTP requests using tcpdump

Source: Internet
Author: User

tcpdump is a tool for intercepting and analyzing network packets on Linux, and its output is a valuable reference when optimizing a system.

1. Installation

tcpdump is not installed by default. On CentOS, install it with:

yum install tcpdump

On Ubuntu:

apt-get install tcpdump

2. Interception

Running tcpdump is very simple: just type the command directly. However, that intercepts every packet, the output is overwhelming, and the displayed content is of no use at all. In practice, parameters are added, for example:

The most common method is to intercept the packets of a host with a given IP address:

tcpdump host 192.168.0.123

3. Analyze a complete request

For simplicity, I intercepted a "clean" set of packets that shows the whole process of a request from the local machine to a URL:

23:30:01.828266 IP 192.168.0.251.34245 > li527-105.members.linode.com.http: Flags [S], seq 2340440979, win 14600, options [mss 1460, sackOK, TS val 237397584 ecr 0, nop, wscale 7], length 0
23:30:01.931109 IP li527-105.members.linode.com.http > 192.168.0.251.34245: Flags [S.], seq 64288983, ack 2340440980, win 14480, options [mss 1440, sackOK, TS val 3220226885 ecr 237397584, nop, wscale 7], length 0
23:30:01.931221 IP 192.168.0.251.34245 > li527-105.members.linode.com.http: Flags [.], ack 1, win 115, options [nop, nop, TS val 237397594 ecr 3220226885], length 0
23:30:01.931544 IP 192.168.0.251.34245 > li527-105.members.linode.com.http: Flags [P.], seq, ack 1, win 115, options [nop, nop, TS val 237397594 ecr 3220226885], length 132
23:30:02.031923 IP li527-105.members.linode.com.http > 192.168.0.251.34245: Flags [.], ack 133, win 122, options [nop, nop, TS val 3220226987 ecr 237397594], length 0
23:30:02.032171 IP li527-105.members.linode.com.http > 192.168.0.251.34245: Flags [P.], seq, ack 133, win 122, options [nop, nop, TS val 3220226988 ecr 237397594], length 322
23:30:02.032233 IP 192.168.0.251.34245 > li527-105.members.linode.com.http: Flags [.], ack 323, win 123, options [nop, nop, TS val 237397604 ecr 3220226988], length 0
23:30:02.034852 IP 192.168.0.251.34245 > li527-105.members.linode.com.http: Flags [F.], seq 133, ack 323, win 123, options [nop, nop, TS val 237397605 ecr 3220226988], length 0
23:30:02.139101 IP li527-105.members.linode.com.http > 192.168.0.251.34245: Flags [F.], seq 323, ack 134, win 122, options [nop, nop, TS val 3220227091 ecr 237397605], length 0
23:30:02.139233 IP 192.168.0.251.34245 > li527-105.members.linode.com.http: Flags [.], ack 324, win 123, options [nop, nop, TS val 237397615 ecr 3220227091], length 0

TCP establishes a connection with a three-way handshake, and the captured packets begin with those three handshake packets. The status (Flags) of the first three packets is:

[S], [S.], [.]

First, the client sends a sequence number to the server (here the ten-digit 2340440979 in the [S] packet). The server replies with that number plus one as its acknowledgement ([S.], ack 2340440980). The client checks that the acknowledgement is correct and returns an acknowledgement to the server. From the output above we can see that the three packets meet the requirements: seq + 1 of the first packet = ack of the second packet, and the third packet shows ack 1 because tcpdump prints relative sequence numbers once the handshake is complete (use -S to see the absolute values).

After the connection is established, the actual data exchange takes place. tcpdump's -X option prints the packet contents in hexadecimal and ASCII; that is skipped here.

TCP closes a connection with a four-way handshake (four "waves"), and the last three packets above are that close. Careful readers will notice that four waves were mentioned but only three packets are shown; this is not a mistake.

The status of the last three packages is:

[F.], [F.], [.]

First, the client sends a FIN with its sequence number to tell the server that it is going to disconnect. The server then sends back its own FIN with its sequence number (seq 323), which also acknowledges the client's FIN (ack 134).

Four waves appear as only three packets because of TCP's delayed ACK mechanism. To improve performance, TCP holds back ACKs instead of sending them immediately, and sends them in the following situations:

1. More than one MSS of data has been received (roughly: too much has accumulated to hold back)
2. The segment carries a FIN
3. The system is configured to disable the delay (TCP_NODELAY)

There should be an ACK before the second-to-last packet (the server acknowledging the client's FIN). Because it meets none of the three conditions above, it is delayed (typically 40 ms or 200 ms); when the server's own FIN then meets condition 2 (with FIN), the ACK is carried on that FIN packet, so the four waves appear as only three packets. If the system disables delayed sending, four packets are displayed.
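To make the handshake and teardown checks above mechanical, here is an added example (not from the original article) that parses tcpdump's default text output and verifies both the seq + 1 = ack relationship of the handshake and whether the closing ACK was piggybacked on the server's FIN or sent separately. The sample capture, host addresses and helper names are constructed for this example.

```python
import re
# Constructed sample in tcpdump's default text format; hosts 10.0.0.5 and 10.0.0.9 are made up.
SAMPLE = """\
23:30:01.828266 IP 10.0.0.5.34245 > 10.0.0.9.http: Flags [S], seq 2340440979, win 14600, length 0
23:30:01.931109 IP 10.0.0.9.http > 10.0.0.5.34245: Flags [S.], seq 64288983, ack 2340440980, win 14480, length 0
23:30:01.931221 IP 10.0.0.5.34245 > 10.0.0.9.http: Flags [.], ack 1, win 115, length 0
23:30:01.931544 IP 10.0.0.5.34245 > 10.0.0.9.http: Flags [P.], seq 1:133, ack 1, win 115, length 132
23:30:02.031923 IP 10.0.0.9.http > 10.0.0.5.34245: Flags [.], ack 133, win 122, length 0
23:30:02.032171 IP 10.0.0.9.http > 10.0.0.5.34245: Flags [P.], seq 1:323, ack 133, win 122, length 322
23:30:02.032233 IP 10.0.0.5.34245 > 10.0.0.9.http: Flags [.], ack 323, win 123, length 0
23:30:02.034852 IP 10.0.0.5.34245 > 10.0.0.9.http: Flags [F.], seq 133, ack 323, win 123, length 0
23:30:02.139101 IP 10.0.0.9.http > 10.0.0.5.34245: Flags [F.], seq 323, ack 134, win 122, length 0
23:30:02.139233 IP 10.0.0.5.34245 > 10.0.0.9.http: Flags [.], ack 324, win 123, length 0
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?,)?(?: ack (?P<ack>\d+),)?"
    r".*length (?P<len>\d+)$")

def parse(text):
    """One dict per tcpdump packet line; seq/seq_end/ack/len as ints or None."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a packet line
        d = m.groupdict()
        for k in ("seq", "seq_end", "ack", "len"):
            d[k] = int(d[k]) if d[k] is not None else None
        pkts.append(d)
    return pkts

def check_handshake(pkts):
    """Three-way handshake: [S], then [S.] whose ack is the client's seq + 1,
    then [.] with ack 1 (tcpdump prints relative numbers from here on)."""
    s, sa, a = pkts[:3]
    return (s["flags"] == "S" and sa["flags"] == "S." and a["flags"] == "."
            and sa["ack"] == s["seq"] + 1 and a["ack"] == 1)

def classify_close(pkts):
    """'piggybacked': the second FIN also acks the first (delayed ACK merged,
    three packets); 'separate': a pure ACK of the first FIN came first (four)."""
    fins = [i for i, p in enumerate(pkts) if "F" in p["flags"]]
    if len(fins) != 2:
        return "incomplete"
    f1, f2 = pkts[fins[0]], pkts[fins[1]]
    if any(p["flags"] == "." and p["ack"] == f1["seq"] + 1
           for p in pkts[fins[0] + 1:fins[1]]):
        return "separate"
    return "piggybacked" if f2["ack"] == f1["seq"] + 1 else "unexpected"
```

Feed it the output of tcpdump (without -S, so sequence numbers are relative after the handshake) and the same checks apply to a real capture.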

The above is my own understanding; if I have misunderstood anything, please correct me.
