抓包工具使用說明v11

cvBS項(xiàng)目抓包工具使用說明南京中興軟創(chuàng)科技股份有限公司2010年4月資料版本：Version1.1日期：2010年4月密級(jí)：口公開資料回內(nèi)部資料□保密資料□機(jī)密資料狀態(tài)：□初稿回討論稿□發(fā)布文檔控制記錄修改記錄日期作者版本修改記錄2010-4-9耿自強(qiáng)V1.0初稿2010-4-15耿自強(qiáng)V1.1更改抓包案例審閱姓名時(shí)間職位TOC\o"1-5"\h\z\o"CurrentDocument"常用操作系統(tǒng)抓包工具列表: 4\o"CurrentDocument"安裝說明 5\o"CurrentDocument"AIX： 5\o"CurrentDocument"HPUX： 5\o"CurrentDocument"Solaris 5\o"CurrentDocument"Linux 6\o"CurrentDocument"Windows 6\o"CurrentDocument"命令使用詳解 7\o"CurrentDocument"tcpdump命令 7\o"CurrentDocument"windump命令 7\o"CurrentDocument"常用場景舉例及參數(shù)解釋 8使用tcpdump命令抓取OLC收到的DCC包，OLC對(duì)外服務(wù)端口為6001，協(xié)議為diametero 8使用tcpdump命令抓取UIP收到的MML包，UIP對(duì)外服務(wù)端口為9004，協(xié)議為TCPo 12操作系統(tǒng)抓包工具AIXtcpdump，iptraceHPUXnettl，tcpdumpSolarissnoop,tcpdumpLinuxtcpdumpWindowswindump，wireshark，sniffer1.常用操作系統(tǒng)抓包工具列表:1.常用操作系統(tǒng)抓包工具列表:■1為統(tǒng)一版本，針對(duì)UNIX/LINUX平臺(tái)使用用tcpdump進(jìn)行抓包，Windows平臺(tái)使用windump進(jìn)行抓包，通過windows平臺(tái)wireshark進(jìn)行包分析。各軟件包下載地址如下：Libpcap下載：ftp://cvbs:cvbs$08@/抓包工具/libpcap-1.1.1.tar.gzTcpdump下載：ftp://cvbs:cvbs$08@/抓包工具/tcpdump-4.1.1.tar.gzWireshark下載：ftp://cvbs:cvbs$08@/抓包工具/wireshark-win32-1.2.7.exeWindump下載：ftp://cvbs:cvbs$08@/抓包工具/WinDump.exeWinPcap下載：ftp://cvbs:cvbs$08@/抓包工具/WinPcap411.exe安裝說明AIX:系統(tǒng)安裝時(shí)，一般默認(rèn)安裝，無需單獨(dú)安裝tcpdumpHPUX:需要安裝libpcap及tcpdump，軟件請通過公司FTP下載，安裝包為源碼，各UNIX平臺(tái)通用。由于是源碼，需要安裝編譯器（編譯器安裝詳見cvBS集成安裝手冊）。安裝libcap將安裝文件libpcap-1.1.1.tar.gz上傳到服務(wù)器/tmp下#cdtmp#gunziplibpcap-1.1.1.tar.gz#tar-xflibpcap-1.1.1.tarcdlibpcap-1.1.1./configuremakemakeinstall安裝tcpdump將安裝文件tcpdump-4.1.1.tar.gz上傳到服務(wù)器/tmp下#cdtmp#gunziptcpdump-4.1.1.tar.gz#tar-xftcpdump-4.1.1.taicdtcpdump-4.1.1./configuremakemakeinstall安裝完成后，請編輯環(huán)境變量，增加PATH=/usr/local/sbin:$PATH;exportPATHSolaris需要安裝libpcap及tcpdump，軟件請通過公司FTP下載，安裝包為源碼，各UNIX平臺(tái)通用。由于是源碼，需要安裝Studio編譯器（編譯器安裝詳見cvBS集成安裝手冊）。安裝libcap將安裝文件libpcap-l.l.l.tar.gz上傳到服務(wù)器/tmp下#cdtmp#gunziplibpcap-l.l.l.tar.gz#tar-xflibpcap-l.l.l.tarcdlibpcap-l.l.l./configuremakemakeinstall安裝tcpdump將安裝文件tcpdump-4.1.1.tar.gz上傳到服務(wù)器/tmp下#cdtmp#gunziptcpdump-4.1.1.tar.gz#tar-xftcpdump-4.1.1.taicdtcpdump-4.1.1./configuremakemakeinstall安裝完成后，請編輯環(huán)境變量，增加PATH=/usr/local/sbin:$PATH;exportPATHLinux系統(tǒng)安裝時(shí)，一般默認(rèn)安裝，無需單獨(dú)安裝tcpdumpWindows從公司ftp下載WinDump.exe、wireshark-win32-1.34.exe、WinPcap_4_1_1.exe復(fù)制WinDump.exe至%SystemRoot%目錄，其他兩個(gè)雙擊安裝。命令使用詳解tcpdump命令Usage:tcpdump[-aAbdDefIKILnNOpqRStuUvxX][-Bsize][-ccount][-Cfile_size][-Ealgo:secret][-Ffile][-Gseconds][-iinterface][-Msecret][-rfile][-ssnaplen][-Ttype][-wfile][-Wfilecount][-ydatalinktype][-zcommand][-Zuser][expression]詳細(xì)解釋見《tcpdump中文MAN手冊.doc》windump命令Usage:windump[-aAdDeflLnNOpqRStuUvxX][-Bsize][-ccount][-Cfile_size][-Ealgo:secret][-Ffile][-iinterface][-Msecret][-rfile][-ssnaplen][-Ttype][-wfile][-Wfilecount][-ydatalinktype][-Zuser][expression]詳細(xì)命令解釋與tcpdump一致。常用場景舉例及參數(shù)解釋OCS系統(tǒng)中，對(duì)外接口一般為OLC、UIP和CSIP,下面分別以O(shè)LC、UIP為例，進(jìn)行抓包分析。環(huán)境介紹：主機(jī)操作系統(tǒng)對(duì)外服務(wù)IPOLCAIXUIPAIX4發(fā)包測試機(jī)WINDOWS84A.使用tcpdump命令抓取OLC收到的DCC包，OLC對(duì)外服務(wù)端口為6001,協(xié)議為diameter。telnet至,查看服務(wù)地址位于哪塊網(wǎng)卡上，使用netstat-in命令，由下圖可見，位于en2#netstat-inN；5Lt[|PMtuI'letTjorkAddressIpktaTerraOpktaOerraColl已1\匚11.500link#20.11.25.已彳.cu.le36928430285174030enO1500193.169.136928430285174030enl1.500link#30.11.25.e7.cd.If271173702S2694220已hl1.500.1.227117370282694220en21500link#4□.14.5e.C-5.Id.fc72432020455438330en21.500193.169.27243202045.5438330已福1.50010.17.85.472432020455438330en2150010.17.857243202□45543833□en：31.500link#5□.14.5e.c.5.ld.fd26999.570281346430已曲1.50011.11.126999570281346430liZ-016896link#l41871300419251500loO16896127127.0.□.141871300419251500loO16896::141871300419251500使用tcpdump-D命令，查看主機(jī)網(wǎng)卡編號(hào)，如下圖，可見en2編號(hào)為3。#tcpdump一DenOenlen2en3loO由以上命令得出tcpdump抓包命令為：tcpdump-i3-w/tmp/olc-diameter.cap-s6000port6001andhost84命令解釋：-w保存至文件，如不設(shè)置，則為標(biāo)準(zhǔn)輸出-s數(shù)據(jù)包的截取長度-i網(wǎng)卡編號(hào)port端口號(hào)host主機(jī)ip地址抓包過程及分析：登錄OLC主機(jī)，輸入“tcpdump-i3-w/tmp/olc-diameter.cap-s6000port6001andhost84”命令后，使用測試工具從測試機(jī)(84)向OLC發(fā)送包文如下：3001,"1",”80”,”272”,”4”,"SCP236.;3370744586;617233”,"SCP236.”,"”,"”,TOC\o"1-5"\h\z”4”,"version1.p2psms@”,”4”,”0”,”0”,4101"6288211050114”,4101”4”,”0”,"2996”,5601"8",5601”456”,5601”344”,5601”345”,5601”2”,5601”0”,56014101"6288211050114”,56014101”1”,56014102"088211050114”,56014102將抓包得到的olc-diameter.cap傳送至自己的機(jī)器，使用wireshark打開分析。

No.TimeSourceDestirLationProtocolInfo10.00000084TCPfjsv-gssagt>xll[SYN]Seq=0win=€20.00004984TCPxll>fjsv-gssagt[SYN,ACK]Seq=030.00029884TCPfjsv-gssagt>xll[ack]seq=lAck=l40.0045984XllRequests:create'ft'indov-*[MalformedPa50.11016610.17.85.184TCPxll>fjsv-gssagt[ACK]seq=lAck=i60.20104584XllReply:tounknownrequest[Malformec70.3932684TCPfjsv-gssagt>xll[ACK]seq=133Ack811.3278L984XllRequests:createwindow[MaiformedPa911.35689010.17.85.184XllReply:tounknownrequest[Malformec1011.5583484TCPfjsv-gssagt>xll[ACK]seq=661AckDecrypt!onKeys...802.11Chanriel vChannelOffset:AllFramesvHoneVFCSFilter：田Frame5802.11Chanriel vChannelOffset:AllFramesvHoneVFCSFilter：ffiEthernetII,src:Ibm_c5:ld:fc(00:14:5e:c5:ld:fc),Dst:wistron_le:69:71(00:If:16:le:69:71)ElinternetProtocol,Src:(),Dst:84(84}000000100020003046901090OC6o03001Obozodo9Obo6400e11618736000000100020003046901090OC6o03001Obozodo9Obo6400e11618736e791416f88f12bfoo5foo5f083ooa855o5dc1Lof1aodabo1ofo5f3oc69oe1co52J8oolo5ao405■■■■ICjaa△■■■■■￡■?(N.@.<.10..U...U??.C| P?Profile：HefaultQFile： :\Documents：=ULdSettings\alex,",Packets:10Hisplayed：10Harked：0Loadtime:0:00.156Profile：Hefault由于6001端口默認(rèn)是xll協(xié)議，需要將6001端口改為diameter協(xié)議，在圖中點(diǎn)擊右鍵，選擇DecodeAs。然后將6001端口改為diameter協(xié)議，如下圖所示:TCPXllTCPXllTCPfjsv-gssagt>xll[ack]seq=lAck=lRequests:createwindow[MaiformeclPaxll>fjsv-gssagt[ack]seq=lAck=lReply:tounknownrequest[Malformecfjsv-gssagt>xll[ACK]seq=133Ack0.000298 840.004592 840.110166 0.201045 0.393261 848484TCPXllTCPXllTCPfjsv-gssagt>xll[ack]seq=lAck=lRequests:createwindow[MaiformeclPaxll>fjsv-gssagt[ack]seq=lAck=lReply:tounknownrequest[Malformecfjsv-gssagt>xll[ACK]seq=133Ack0.000298 840.004592 840.110166 0.201045 0.393261 848484Apply802.11Channel0.0000000.000049Destiriation84二hariTLEjlOffset:FCSFilter：AllFrainesvNoneVProtocolTCPTCP811.32781910.17.85.184911.3568901011.5583428484IMarkPacket[.toggle'IIgnorePacket[.toggle.]S'SetTimeReference[.toggle.]i：createwindow[MalformedPaIdunknownrequest[Malformecagt>xll[ACK]Seq=661AckSS國國國Frame8:582bytesonwire(4656bits),582bytesEthernetII,Src:wistron_le:69:71(00:lf:16:le:69internetProtocolsSrc:84(84TransmissioncontrolProtocol,srcPort:fjsv-gssaxll,Request,opcode:1(createwindow)+[MalformedPacket:xll]ApplyasFilterPrep：ai_eaFilterConvereationFilterColorizeConvereationSCTFFoilo胃FoilowFoilow:5e:c5:Id:fc)Cop?TCPimpSSLStre：ainStre：=unStre：=uri)sseq:133,Ack:125,Len:IlecodeAs...000000100020003000400050o25foo-

oosfco-48634L1-4-0803^oObIo3-■o8fQomLcoIo92-fo7ob3do7Qao-I141085^5cbQuc5dao4Le6b2om59odo5LIf06al000136j-q6m52ae_l_

Iad082^le83a310b9631-T—I7L9a6o9OO9H9oo66oo8o8o6-■85d11eo58oo6-■00b8Of100761Oa日Print...50: ShowPacketinNewV讓M口胃ooto 0000 7465 .1SCP236.chinate~r，逮 一一r~rc~r』。File：。File：:\DocumentsaridSettings\aleK,",Packets:10Displayed：10Marked：0Loadtime:0:00.156Profile:Detault點(diǎn)擊OK之后，顯示如下，在DiameterProtocol中即可看到發(fā)送包文內(nèi)容。85.18485.6Destination10.17.8510.17.85Ch:aririelOffset:85.18485.6Destination10.17.8510.17.85Ch:aririelOffset:FCSFilter：AllFramesVNoneVrrotocolTCPTCP30.00029884TCP40.0045984DIAMETER50.11016684TCP60.20104584DIAMETER70.3932684TCP811.32781984DIAMETER911.35689084DIAMETER1011.5583484TCP0.000000 10.170.000049 10.17fjsv-gssagt>xll[SYN]Seq=0Win=65535Len=0MSS=146Cxll>fjsv-gssagt[syn,ack]5eq=0Ack=lwin=65535Lerfjsv-gssagt>xll[ACK]Seq=lAck=lwin=65535Len=0cmd=capabi1itiGS-ExchangeRequest(257)flags=R—appl=xll>fjsv-gssagt[ack]Seq=lAck=133Win=65535Len=0cmd=capabi1itiGS-ExchangeAnsv/er(257)flags= appl=cfjsv-gssagt>xll[ACK]Seq=133Ack=125win=65411Len=cmd=credit-controlRequest(272)flags=R—appl=Diamet€cmd=Credit-ControlAnswer(272)flags= appl=Diameterfjsv-gssagt>xll[ack]seq=661Ack=349win=65187Len=(±)TransmissionControlProtocol,SrcPort:fjsv-gssagt(3035),DstPort:xll(6001),Seq:133,Ack:(±)TransmissionControlProtocol,SrcPort:fjsv-gssagt(3035),DstPort:xll(6001),Seq:133,Ack:125,Len:528DiameterProtocoli±i田田田fflversion:0x01Length:528Flags:0x80commandcode:272credit-controlApplicationld:4Hop-by-Hopidentifier:0x00018ab9End-to-EndIdentifier:0x00018ab9「Answerin:91AVP：Session-Id(263)1=49f= val=SCP236.;3370744586;617233avp:origin-Host(264)1=31f=—val=5CP236.AVP:Origin-Realm(296)1=24f=val=chiavp:Destination-Realm(283)1=24f=—val=AVP:Auth-Application-Id(258)1=12f= val=DiameterCreditControl(4)avp:service-context-ld(461)1=40f= val?versionl.pZpsms^-chinatelecom.comAVP：CC-Request-Type(416)1=12f=——val=EVENT_REQUEST(4)avp：cc-Reauest-Number(415)1=12f=——val=000300040005000600070S34155D363aQ000143肝363db

V563oool366fB7 208263ooQ-3o.1SCP236.chinatelecom.com;3370744586；617233 ODiameterProtocol(diameter),528bytesPackets：10Displayed：10Marked：0Loadtime：0ODiameterProtocol(diameter),528bytesPackets：10Displayed：10Marked：0Loadtime：0:00.000|Profile:DefaultB.使用tcpdumpB.使用tcpdump命令抓EUIP收到的MML包，UIP對(duì)外服務(wù)端口為9004，協(xié)議為TCP。i.telnet至4,查看服務(wù)地址4位于哪塊網(wǎng)卡上，使用netstati.-in命令，由下圖可見，4位于en0ii.N；ii.N；5Lt[ieenuenuenuenuenuMt.u1500150015UU15001500Net.Tijnrklink#2193?169.1U.17.8510.17.8510.17.85AddressU.11.25.e7.be.cA1 1U.17.85.80Ipkt.slerrs125789773125789773125789773125789773125789773UUUUUOpkt.sOerrs133512329133512329133512329133512329133512329Coll44444UUUUU10?17.85.13enO150010.17.8510|.17.日5.14 125789773013351232940enl15UUlink#3U.11.25.e7.be.c52710150U28211382Uenl1500.2.22710150u28211382uen21500link#4U.14.5e.c5?Id.9a3981312u31099072uen21500193?169.2 3981312u31099072uen31500link#5U.14.5e.c5.Id.9b2701443u28123553uen3150022.22.22701443u28123553u1OU16896link#l8250585u8257776Uu1OU16896127127.U.U.18250585u8257776Uu1OU16896::18250585u8257776Uu使用tcpdump-D命令，查看主機(jī)網(wǎng)卡編號(hào)，如下圖，可見en0編號(hào)為1。#netstat-in#tcpdump-DenOenlen2en3loOiii.由以上命令得出tcpdump抓包命令為：iii.tcpdump-i1-w/tmp/mml.cap-s6000port9004andhost84命令解釋：-w保存至文件，如不設(shè)置，則為標(biāo)準(zhǔn)輸出-s數(shù)據(jù)包的截取長度-i網(wǎng)卡編號(hào)port端口號(hào)host主機(jī)ip地址抓包過程及分析：登錄UIP主機(jī)，輸入“tcpdump-i1-w/tmp/mml.cap-s6000port9004andhost84”命令后，使用測試工具從測試機(jī)(84)向UIP發(fā)送包文，將抓包得到的mml.cap傳送至自己的機(jī)器，使用wireshark打開分析。

FileEditViewGoCaptureAri：alyzeStatistiesTelephonyToolsHelpFilter： TExpress!on...ClearApply802.11ChannelVChannelOffset:FCSFilter：AllFramesVNoneVWirelessSettings...Decrypt!onKeys...No. TimeSourceDestination.ProtocolInfo10.000000 844TCPrapidmq-reg>9004[SYN]Seq=0Win=65535Len=0MSS=14ti2O.OOOO55484TCP9004>rapidmq-reg[SYN,ACK]seq=oAck=lwin=65535L€30.000297 844TCPrapidmq-reg>9004[ACK]Seq=lAck=lWin=65535Len=044.957956 844TCPrapidmq-reg>9004[PSH,ACK]SGq=lAck=lWin=65535L€54.960616 484TCP9004>rapidmq-reg[PSH,ACK]Seq=lAck=101Win=6553565.085252 10.17.85.1844TCPrapidmq-reg>9004[ACK]5eq=101Ack=114win=65422Ler7102.348875844TCPrapidmq-reg>9004[PSH,ACK]Seq=101Ack=114win=65428102.492479484TCP9004>rapidmq-reg[ACK]5eq=114Ack=217win=65535Ler9102.823569484TCP9004>rapidmq-reg[PSH,ACK]Seq=114Ack=217Win=655310102954902844TCPrapidmq-reg>9004[ACK]5eq=217Ack=373win=65163Ler田Frame1:62bytesonwire(496bits),62bytescaptured(496bits)ffiEthernetII,src:wistron_le:69:71(00:If:16:le:69:71),Dst:lbm_e7:be:c4(OO:ll:25:e7:be:c4)田internetProtocol,Src:84(84),Dst:4(4)(±jTransmissioncontrolProtocol,srcPort:rapidmq-reg(3094),DstPort:9004(9004),seq:0,Len:0000000112500100030a90020550€Oc0030fffff9e7bec400Ifd24000800616232cf4376c00000204012o1o000000112500100030a90020550€Oc0030fffff9e7bec400Ifd24000800616232cf4376c00000204012o1o5ao4070802Oboo850405001-1-C>i—I7.1.。。_yao16000edQ41o5b627/519ao30.00029785.1844主mg-reg>9004[PSH,ACK]Seq=lAck=lW~in=65535.957956485.1840.0000000.00005585.18485.14rapidmq-reg>9004[ack]seq=lAck=lw*in=65535Len=0rapidmq-reg>9004[5YN]5eq=0win=65535Len=0MS5=14€9004>rapidmq-reg[SYN,ACK]Seq=OAck=lWin=65535L€Destinati48點(diǎn)擊右鍵，選擇FollowTCPStream,便可得到包文內(nèi)容。802.11Chajmel二haimmlOffset:FCSFilt