How to capture HTTP packets using tcpdump

Source: Internet
Author: User

tcpdump -XvvennSs 0 -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'

(-X prints hex and ASCII, -vv is verbose, -e prints link-layer headers, -nn disables name and port resolution, -S prints absolute sequence numbers, -s 0 captures whole packets, -i eth0 selects the interface.)

0x4745 is the ASCII encoding of "GE", the first two letters of "GET".

0x4854 is the ASCII encoding of "HT", the first two letters of "HTTP".
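As an added example (not code from the original article), the following Python snippet emulates what the BPF filter does on constructed TCP segments: it derives the 0x4745/0x4854 constants from ASCII, and shows that tcp[20:2] only hits when the TCP header carries no options, whereas the offset-aware tcpdump form tcp[((tcp[12:1] & 0xf0) >> 2):2] reads the data offset first and still matches. The helper names and the sample segments are this example's own.

```python
import struct

HTTP_PREFIXES = (b"GE", b"HT")   # "GET" and "HTTP", as in the original filter


def bpf_literal(prefix: str) -> str:
    """Derive the BPF constant for a two-byte ASCII prefix: 'GE' -> 0x4745."""
    return "0x" + prefix.encode("ascii").hex()


def tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed TCP segment (header + payload) for testing the filters.

    Ports, sequence numbers and checksum are placeholders; only the data offset
    (high nibble of byte 12) matters here. Options must pad to a 4-byte multiple.
    """
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = (20 + len(options)) // 4              # header length in 32-bit words
    header = struct.pack(
        "!HHIIBBHHH",
        40000, 80,          # source port, destination port (placeholders)
        1, 1,               # sequence and acknowledgement numbers (placeholders)
        data_offset << 4,   # data offset in the high nibble, reserved bits zero
        0x18,               # flags: PSH + ACK, typical for a data segment
        65535, 0, 0,        # window, checksum (not computed), urgent pointer
    )
    return header + options + payload


def naive_match(segment: bytes) -> bool:
    """tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854, as in the original command."""
    return segment[20:22] in HTTP_PREFIXES


def offset_aware_match(segment: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):2]: compute the real header length first."""
    header_len = (segment[12] & 0xF0) >> 2             # words * 4 = bytes
    return segment[header_len:header_len + 2] in HTTP_PREFIXES


# Constructed sample: a TCP timestamp option block (NOP, NOP, TS kind 8 len 10).
TIMESTAMP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
PLAIN = tcp_segment(b"GET / HTTP/1.1\r\n")
WITH_OPTS = tcp_segment(b"GET / HTTP/1.1\r\n", TIMESTAMP_OPTIONS)

if __name__ == "__main__":
    print("GE =", bpf_literal("GE"), " HT =", bpf_literal("HT"))
    print("no options : naive", naive_match(PLAIN), "offset-aware", offset_aware_match(PLAIN))
    print("timestamps : naive", naive_match(WITH_OPTS), "offset-aware", offset_aware_match(WITH_OPTS))
```

Most modern stacks negotiate the timestamp option, so on a real capture the fixed-offset filter silently misses those requests.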

Note: a normal TCP connection goes through three phases: 1. the TCP three-way handshake (open); 2. data transfer; 3. the TCP four-way handshake (close).

The following concepts are used below:

SYN: Synchronize Sequence Numbers (synchronization flag)
ACK: Acknowledgement Number (confirmation flag)
FIN: Finish (end flag)
TCP three-way handshake (connection open)

1. The client sends a connection request to the server: SYN (J).
2. The server receives the request and replies with two pieces of information in one segment: SYN (K) + ACK (J + 1).
3. The client receives the server's reply, checks the ACK (J + 1 against its own J) and replies: ACK (K + 1).
4. The server receives the client's ACK, verifies it (K + 1 against its own K), sends nothing further, and the connection enters the data transfer phase.
Data transfer

The client and server read and write data segments.
TCP four-way handshake (connection close)

1. The client initiates the close and sends FIN (M).
2. The server receives it and first replies ACK (M + 1) to confirm receipt.
3. When the server is itself ready to close, it sends FIN (N) to the client, asking whether the client is ready to close.
4. The client receives the server's FIN and replies with a confirmation: ACK (N + 1).
Once both sides have confirmed, each closes and releases its end of the TCP connection.
Detailed state descriptions (with the related Linux kernel parameters)

SYN_SENT
The client has performed an active open and sent its SYN (after step 1 of the three-way handshake); it stays in this state until the server's SYN+ACK arrives.
sysctl -w net.ipv4.tcp_syn_retries=2: as a client, sets how many times the SYN is retransmitted. The default is 5 (about 180 s in total). Suggested value: 2 retries, which is enough on a modern network.
SYN_RECEIVED
The server has accepted the client's SYN (step 1 of the three-way handshake) and the handshake's final ACK has not yet been exchanged.
On a server the number of connections in this state is normally small, generally around 15; a large number suggests a SYN flood attack.
sysctl -w net.ipv4.tcp_max_syn_backlog=4096: sets the length of the queue holding connections in this state. The default is 1024; raising it gives some protection against SYN floods. See man 7 tcp for details.
sysctl -w net.ipv4.tcp_syncookies=1: enables SYN cookies, a mechanism for continuing to accept SYNs when the SYN backlog queue is full.
sysctl -w net.ipv4.tcp_synack_retries=2: sets how many times the server retransmits its SYN+ACK. The default is 5 (about 180 s). Suggested value: 2 retries, enough on a modern network.
ESTABLISHED
The client is in this state after receiving the server's ACK (the SYN+ACK); the server is in it once the handshake's final ACK has been exchanged.
sysctl -w net.ipv4.tcp_keepalive_time=1200: the default is 7200 seconds (2 hours). After a connection has been idle for this long the kernel starts sending keepalive probes; if no reply arrives within net.ipv4.tcp_keepalive_probes * net.ipv4.tcp_keepalive_intvl (the defaults work out to about 11 minutes), the connection is terminated. Adjust the probe frequency as appropriate.
Current production monitoring thresholds for this state: warning at 600, critical at 800.
FIN_WAIT1
The active closer has sent its FIN (step 1 of the four-way close) and is waiting for the ACK.
CLOSE_WAIT
The passive closer has received the other side's FIN and acknowledged it (step 2 of the four-way close).
FIN_WAIT2
The active closer has received the passive closer's ACK (step 2 of the four-way close) and is waiting for its FIN.
sysctl -w net.ipv4.tcp_fin_timeout=30: sets how long to wait in this state for the passive closer's FIN before the connection is recycled, so that half-closed connections are reclaimed promptly instead of accumulating under flood conditions.
LAST_ACK
The passive closer, some time after sending its ACK, sends its own FIN (step 3 of the four-way close) and waits for the final ACK confirming that the other side received it.
TIME_WAIT
The active closer has received the passive closer's FIN and sent the final ACK (step 4 of the four-way close).
sysctl -w net.ipv4.tcp_tw_recycle=1: enabling this option is not recommended, since it causes problems when working with NAT (Network Address Translation); the option was removed entirely in Linux 4.12.
sysctl -w net.ipv4.tcp_tw_reuse=1: quickly recycles and reuses connections in TIME_WAIT. It seems to conflict with tw_recycle; can a connection be recycled if it cannot be reused?
net.ipv4.tcp_max_tw_buckets: maximum number of connections in TIME_WAIT. The default is 180000.
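As an added example (not part of the original article), this Python snippet turns the monitoring figures above into a check: it counts sockets per state from a constructed sample of ss -tan output embedded inline, and grades SYN-RECV and ESTABLISHED counts against thresholds. The ESTABLISHED levels (600/800) are the article's; the SYN-RECV levels, the function names and the sample data are this example's own assumptions, and on a live host you would feed it the real ss -tan output instead.

```python
from collections import Counter

# ESTABLISHED thresholds come from the article (warning 600 / critical 800).
# The article says SYN-RECV is normally around 15 on a server and "large" is
# suspicious; the 75/150 levels (5x and 10x that) are this example's assumption.
THRESHOLDS = {
    "SYN-RECV": {"warning": 75, "critical": 150},
    "ESTAB": {"warning": 600, "critical": 800},
}


def count_states(ss_output: str) -> Counter:
    """Count sockets per state from 'ss -tan' text (the first column is the state)."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if fields:
            counts[fields[0]] += 1
    return counts


def evaluate(counts: Counter) -> dict:
    """Map each monitored state to 'ok', 'warning' or 'critical'."""
    result = {}
    for state, limits in THRESHOLDS.items():
        n = counts.get(state, 0)
        if n >= limits["critical"]:
            result[state] = "critical"
        elif n >= limits["warning"]:
            result[state] = "warning"
        else:
            result[state] = "ok"
    return result


# Constructed sample (not a real capture): one listener, 3 established sockets and
# 80 half-open SYN-RECV entries from many peers, the pattern a SYN flood leaves.
SAMPLE = "State    Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
SAMPLE += "LISTEN   0      128    0.0.0.0:80         0.0.0.0:*\n"
SAMPLE += "".join(f"ESTAB    0      0      10.0.0.5:80        203.0.113.{i}:4{i}000\n" for i in range(1, 4))
SAMPLE += "".join(f"SYN-RECV 0      0      10.0.0.5:80        198.51.100.{i % 250 + 1}:{30000 + i}\n" for i in range(80))

if __name__ == "__main__":
    counts = count_states(SAMPLE)
    print(dict(counts))
    print(evaluate(counts))
```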

Description

When the active closer receives the passive closer's FIN and successfully sends its ACK, its state changes from FIN_WAIT2 to TIME_WAIT. It must then wait 2 * MSL (Maximum Segment Lifetime, the longest time a segment can exist in the network) before both sides move to CLOSED and the connection is fully closed. On RHEL the TIME_WAIT state currently lasts 60 seconds.
A keep-alive policy avoids repeating the three-way handshake and four-way close for every request.
Other important network parameters
net.ipv4.tcp_rmem (receive buffer, bytes)
Default values: min = 4096, default = 87380, max = 4194304
net.ipv4.tcp_wmem (send buffer, bytes)
Default values: min = 4096, default = 16384, max = 4194304
tcpdump

tcpdump is the packet capture tool shipped with Linux and is well suited to capturing on production servers from the command line. On Windows or Ubuntu you can choose a graphical tool instead; Wireshark is recommended on Ubuntu and is easy to install with apt.

Command line format:

tcpdump [-adeflnNOpqStvx] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]

Common options:

-l: make standard output line-buffered (needed when piping the output to another command);
-n: do not resolve addresses to names;

-c: stop after receiving the specified number of packets;
-i: the network interface to listen on;
-w: write raw packets to a file without parsing or printing them;
-s: snapshot length per packet. The common -s 0 means the maximum, 65535; the MTU on typical Linux systems is 1500, so this is enough.

-X: print packet data (hex and ASCII). Off by default; without it the payload can only be saved to a file with -w.

Common expression elements:

Type keywords: host, net, port
Direction keywords: src, dst, src or dst, src and dst
Protocol keywords: fddi, ip, arp, rarp, tcp, udp, and others
Logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', disjunction is 'or' or '||'
Other important keywords: gateway, broadcast, less, greater
Examples:

1. Capture HTTP packets and print the packet data directly on the terminal
tcpdump -n -X -s 0 tcp port 80 (filter on port 80)

2. Capture HTTP packets and write them to a file
tcpdump -n -s 0 -w /tmp/tcp.cap tcp port 80

The HTTP headers and body captured in /tmp/tcp.cap can be read back in plain text (for example with tcpdump -r /tmp/tcp.cap -X).

3. Combined with a pipeline
tcpdump -n -s 0 -X -l tcp port 80 | grep xxxx

This lets you match and filter packet contents by string in real time.

4. Packet capture behind a mod_proxy reverse proxy
The production server runs Apache + Jetty, with Apache acting as a reverse proxy via mod_proxy: Apache listens on port 80 and Jetty on port 7001.

Capturing on the Apache port: tcpdump -n -s 0 -X -i eth0 tcp port 80 (note: specify the eth0 interface)

Capturing on the Jetty port: tcpdump -n -s 0 -X -i lo tcp port 7001 (note: specify the loopback interface)

5. Monitor only a specific host
tcpdump -s 0 -X tcp host 10.16.2.85 and port 2100

A compound tcp expression is needed here; host restricts the capture to that IP address.

Tips:

1. Combine tcpdump (command line) with Wireshark (graphical)

Steps:

Run tcpdump -w /tmp/tcp.cap on the server to write the capture to a file
Copy /tmp/tcp.cap to your local machine with scp
Start Wireshark with wireshark &
Open the copied file via File -> Open and analyze the packets there.
The rest is straightforward.
2. Install Wireshark + X11 directly on the server and forward the display back to your local machine.

Notes:

To capture on a network interface, Wireshark must be started as root; otherwise it cannot capture packets from the NIC directly.
X11 forwarding requires the client to support the X11 protocol: Ubuntu supports it out of the box, while Windows needs additional software installed.
