抓包工具使用说明v11

cvBS项目抓包工具使用说明南京中兴软创科技股份有限公司2010年4月资料版本：Version1.1日期：2010年4月密级：口公开资料回内部资料□保密资料□机密资料状态：□初稿回讨论稿□发布文档控制记录修改记录日期作者版本修改记录2010-4-9耿自强V1.0初稿2010-4-15耿自强V1.1更改抓包案例审阅姓名时间职位TOC\o"1-5"\h\z\o"CurrentDocument"常用操作系统抓包工具列表: 4\o"CurrentDocument"安装说明 5\o"CurrentDocument"AIX： 5\o"CurrentDocument"HPUX： 5\o"CurrentDocument"Solaris 5\o"CurrentDocument"Linux 6\o"CurrentDocument"Windows 6\o"CurrentDocument"命令使用详解 7\o"CurrentDocument"tcpdump命令 7\o"CurrentDocument"windump命令 7\o"CurrentDocument"常用场景举例及参数解释 8使用tcpdump命令抓取OLC收到的DCC包，OLC对外服务端口为6001，协议为diametero 8使用tcpdump命令抓取UIP收到的MML包，UIP对外服务端口为9004，协议为TCPo 12操作系统抓包工具AIXtcpdump，iptraceHPUXnettl，tcpdumpSolarissnoop,tcpdumpLinuxtcpdumpWindowswindump，wireshark，sniffer1.常用操作系统抓包工具列表:1.常用操作系统抓包工具列表:■1为统一版本，针对UNIX/LINUX平台使用用tcpdump进行抓包，Windows平台使用windump进行抓包，通过windows平台wireshark进行包分析。各软件包下载地址如下：Libpcap下载：ftp://cvbs:cvbs$08@/抓包工具/libpcap-1.1.1.tar.gzTcpdump下载：ftp://cvbs:cvbs$08@/抓包工具/tcpdump-4.1.1.tar.gzWireshark下载：ftp://cvbs:cvbs$08@/抓包工具/wireshark-win32-1.2.7.exeWindump下载：ftp://cvbs:cvbs$08@/抓包工具/WinDump.exeWinPcap下载：ftp://cvbs:cvbs$08@/抓包工具/WinPcap411.exe安装说明AIX:系统安装时，一般默认安装，无需单独安装tcpdumpHPUX:需要安装libpcap及tcpdump，软件请通过公司FTP下载，安装包为源码，各UNIX平台通用。由于是源码，需要安装编译器（编译器安装详见cvBS集成安装手册）。安装libcap将安装文件libpcap-1.1.1.tar.gz上传到服务器/tmp下#cdtmp#gunziplibpcap-1.1.1.tar.gz#tar-xflibpcap-1.1.1.tarcdlibpcap-1.1.1./configuremakemakeinstall安装tcpdump将安装文件tcpdump-4.1.1.tar.gz上传到服务器/tmp下#cdtmp#gunziptcpdump-4.1.1.tar.gz#tar-xftcpdump-4.1.1.taicdtcpdump-4.1.1./configuremakemakeinstall安装完成后，请编辑环境变量，增加PATH=/usr/local/sbin:$PATH;exportPATHSolaris需要安装libpcap及tcpdump，软件请通过公司FTP下载，安装包为源码，各UNIX平台通用。由于是源码，需要安装Studio编译器（编译器安装详见cvBS集成安装手册）。安装libcap将安装文件libpcap-l.l.l.tar.gz上传到服务器/tmp下#cdtmp#gunziplibpcap-l.l.l.tar.gz#tar-xflibpcap-l.l.l.tarcdlibpcap-l.l.l./configuremakemakeinstall安装tcpdump将安装文件tcpdump-4.1.1.tar.gz上传到服务器/tmp下#cdtmp#gunziptcpdump-4.1.1.tar.gz#tar-xftcpdump-4.1.1.taicdtcpdump-4.1.1./configuremakemakeinstall安装完成后，请编辑环境变量，增加PATH=/usr/local/sbin:$PATH;exportPATHLinux系统安装时，一般默认安装，无需单独安装tcpdumpWindows从公司ftp下载WinDump.exe、wireshark-win32-1.34.exe、WinPcap_4_1_1.exe复制WinDump.exe至%SystemRoot%目录，其他两个双击安装。命令使用详解tcpdump命令Usage:tcpdump[-aAbdDefIKILnNOpqRStuUvxX][-Bsize][-ccount][-Cfile_size][-Ealgo:secret][-Ffile][-Gseconds][-iinterface][-Msecret][-rfile][-ssnaplen][-Ttype][-wfile][-Wfilecount][-ydatalinktype][-zcommand][-Zuser][expression]详细解释见《tcpdump中文MAN手册.doc》windump命令Usage:windump[-aAdDeflLnNOpqRStuUvxX][-Bsize][-ccount][-Cfile_size][-Ealgo:secret][-Ffile][-iinterface][-Msecret][-rfile][-ssnaplen][-Ttype][-wfile][-Wfilecount][-ydatalinktype][-Zuser][expression]详细命令解释与tcpdump一致。常用场景举例及参数解释OCS系统中，对外接口一般为OLC、UIP和CSIP,下面分别以OLC、UIP为例，进行抓包分析。环境介绍：主机操作系统对外服务IPOLCAIXUIPAIX4发包测试机WINDOWS84A.使用tcpdump命令抓取OLC收到的DCC包，OLC对外服务端口为6001,协议为diameter。telnet至,查看服务地址位于哪块网卡上，使用netstat-in命令，由下图可见，位于en2#netstat-inN；5Lt[|PMtuI'letTjorkAddressIpktaTerraOpktaOerraColl已1\匚11.500link#20.11.25.已彳.cu.le36928430285174030enO1500193.169.136928430285174030enl1.500link#30.11.25.e7.cd.If271173702S2694220已hl1.500.1.227117370282694220en21500link#4□.14.5e.C-5.Id.fc72432020455438330en21.500193.169.27243202045.5438330已福1.50010.17.85.472432020455438330en2150010.17.857243202□45543833□en：31.500link#5□.14.5e.c.5.ld.fd26999.570281346430已曲1.50011.11.126999570281346430liZ-016896link#l41871300419251500loO16896127127.0.□.141871300419251500loO16896::141871300419251500使用tcpdump-D命令，查看主机网卡编号，如下图，可见en2编号为3。#tcpdump一DenOenlen2en3loO由以上命令得出tcpdump抓包命令为：tcpdump-i3-w/tmp/olc-diameter.cap-s6000port6001andhost84命令解释：-w保存至文件，如不设置，则为标准输出-s数据包的截取长度-i网卡编号port端口号host主机ip地址抓包过程及分析：登录OLC主机，输入“tcpdump-i3-w/tmp/olc-diameter.cap-s6000port6001andhost84”命令后，使用测试工具从测试机(84)向OLC发送包文如下：3001,"1",”80”,”272”,”4”,"SCP236.;3370744586;617233”,"SCP236.”,"”,"”,TOC\o"1-5"\h\z”4”,"version1.p2psms@”,”4”,”0”,”0”,4101"6288211050114”,4101”4”,”0”,"2996”,5601"8",5601”456”,5601”344”,5601”345”,5601”2”,5601”0”,56014101"6288211050114”,56014101”1”,56014102"088211050114”,56014102将抓包得到的olc-diameter.cap传送至自己的机器，使用wireshark打开分析。

No.TimeSourceDestirLationProtocolInfo10.00000084TCPfjsv-gssagt>xll[SYN]Seq=0win=€20.00004984TCPxll>fjsv-gssagt[SYN,ACK]Seq=030.00029884TCPfjsv-gssagt>xll[ack]seq=lAck=l40.0045984XllRequests:create'ft'indov-*[MalformedPa50.11016610.17.85.184TCPxll>fjsv-gssagt[ACK]seq=lAck=i60.20104584XllReply:tounknownrequest[Malformec70.3932684TCPfjsv-gssagt>xll[ACK]seq=133Ack811.3278L984XllRequests:createwindow[MaiformedPa911.35689010.17.85.184XllReply:tounknownrequest[Malformec1011.5583484TCPfjsv-gssagt>xll[ACK]seq=661AckDecrypt!onKeys...802.11Chanriel vChannelOffset:AllFramesvHoneVFCSFilter：田Frame5802.11Chanriel vChannelOffset:AllFramesvHoneVFCSFilter：ffiEthernetII,src:Ibm_c5:ld:fc(00:14:5e:c5:ld:fc),Dst:wistron_le:69:71(00:If:16:le:69:71)ElinternetProtocol,Src:(),Dst:84(84}000000100020003046901090OC6o03001Obozodo9Obo6400e11618736000000100020003046901090OC6o03001Obozodo9Obo6400e11618736e791416f88f12bfoo5foo5f083ooa855o5dc1Lof1aodabo1ofo5f3oc69oe1co52J8oolo5ao405■■■■ICjaa△■■■■■£■・(N.@.<.10..U...U・・.C| P・Profile：HefaultQFile： :\Documents：=ULdSettings\alex,",Packets:10Hisplayed：10Harked：0Loadtime:0:00.156Profile：Hefault由于6001端口默认是xll协议，需要将6001端口改为diameter协议，在图中点击右键，选择DecodeAs。然后将6001端口改为diameter协议，如下图所示:TCPXllTCPXllTCPfjsv-gssagt>xll[ack]seq=lAck=lRequests:createwindow[MaiformeclPaxll>fjsv-gssagt[ack]seq=lAck=lReply:tounknownrequest[Malformecfjsv-gssagt>xll[ACK]seq=133Ack0.000298 840.004592 840.110166 0.201045 0.393261 848484TCPXllTCPXllTCPfjsv-gssagt>xll[ack]seq=lAck=lRequests:createwindow[MaiformeclPaxll>fjsv-gssagt[ack]seq=lAck=lReply:tounknownrequest[Malformecfjsv-gssagt>xll[ACK]seq=133Ack0.000298 840.004592 840.110166 0.201045 0.393261 848484Apply802.11Channel0.0000000.000049Destiriation84二hariTLEjlOffset:FCSFilter：AllFrainesvNoneVProtocolTCPTCP811.32781910.17.85.184911.3568901011.5583428484IMarkPacket[.toggle'IIgnorePacket[.toggle.]S'SetTimeReference[.toggle.]i：createwindow[MalformedPaIdunknownrequest[Malformecagt>xll[ACK]Seq=661AckSS国国国Frame8:582bytesonwire(4656bits),582bytesEthernetII,Src:wistron_le:69:71(00:lf:16:le:69internetProtocolsSrc:84(84TransmissioncontrolProtocol,srcPort:fjsv-gssaxll,Request,opcode:1(createwindow)+[MalformedPacket:xll]ApplyasFilterPrep：ai_eaFilterConvereationFilterColorizeConvereationSCTFFoilo胃FoilowFoilow:5e:c5:Id:fc)Cop?TCPimpSSLStre：ainStre：=unStre：=uri)sseq:133,Ack:125,Len:IlecodeAs...000000100020003000400050o25foo-

oosfco-48634L1-4-0803^oObIo3-■o8fQomLcoIo92-fo7ob3do7Qao-I141085^5cbQuc5dao4Le6b2om59odo5LIf06al000136j-q6m52ae_l_

Iad082^le83a310b9631-T—I7L9a6o9OO9H9oo66oo8o8o6-■85d11eo58oo6-■00b8Of100761Oa日Print...50: ShowPacketinNewV让M口胃ooto 0000 7465 .1SCP236.chinate~r，逮 一一r~rc~r』。File：。File：:\DocumentsaridSettings\aleK,",Packets:10Displayed：10Marked：0Loadtime:0:00.156Profile:Detault点击OK之后，显示如下，在DiameterProtocol中即可看到发送包文内容。85.18485.6Destination10.17.8510.17.85Ch:aririelOffset:85.18485.6Destination10.17.8510.17.85Ch:aririelOffset:FCSFilter：AllFramesVNoneVrrotocolTCPTCP30.00029884TCP40.0045984DIAMETER50.11016684TCP60.20104584DIAMETER70.3932684TCP811.32781984DIAMETER911.35689084DIAMETER1011.5583484TCP0.000000 10.170.000049 10.17fjsv-gssagt>xll[SYN]Seq=0Win=65535Len=0MSS=146Cxll>fjsv-gssagt[syn,ack]5eq=0Ack=lwin=65535Lerfjsv-gssagt>xll[ACK]Seq=lAck=lwin=65535Len=0cmd=capabi1itiGS-ExchangeRequest(257)flags=R—appl=xll>fjsv-gssagt[ack]Seq=lAck=133Win=65535Len=0cmd=capabi1itiGS-ExchangeAnsv/er(257)flags= appl=cfjsv-gssagt>xll[ACK]Seq=133Ack=125win=65411Len=cmd=credit-controlRequest(272)flags=R—appl=Diamet€cmd=Credit-ControlAnswer(272)flags= appl=Diameterfjsv-gssagt>xll[ack]seq=661Ack=349win=65187Len=(±)TransmissionControlProtocol,SrcPort:fjsv-gssagt(3035),DstPort:xll(6001),Seq:133,Ack:(±)TransmissionControlProtocol,SrcPort:fjsv-gssagt(3035),DstPort:xll(6001),Seq:133,Ack:125,Len:528DiameterProtocoli±i田田田fflversion:0x01Length:528Flags:0x80commandcode:272credit-controlApplicationld:4Hop-by-Hopidentifier:0x00018ab9End-to-EndIdentifier:0x00018ab9「Answerin:91AVP：Session-Id(263)1=49f= val=SCP236.;3370744586;617233avp:origin-Host(264)1=31f=—val=5CP236.AVP:Origin-Realm(296)1=24f=val=chiavp:Destination-Realm(283)1=24f=—val=AVP:Auth-Application-Id(258)1=12f= val=DiameterCreditControl(4)avp:service-context-ld(461)1=40f= val«versionl.pZpsms^-chinatelecom.comAVP：CC-Request-Type(416)1=12f=——val=EVENT_REQUEST(4)avp：cc-Reauest-Number(415)1=12f=——val=000300040005000600070S34155D363aQ000143肝363db

V563oool366fB7 208263ooQ-3o.1SCP236.chinatelecom.com;3370744586；617233 ODiameterProtocol(diameter),528bytesPackets：10Displayed：10Marked：0Loadtime：0ODiameterProtocol(diameter),528bytesPackets：10Displayed：10Marked：0Loadtime：0:00.000|Profile:DefaultB.使用tcpdumpB.使用tcpdump命令抓EUIP收到的MML包，UIP对外服务端口为9004，协议为TCP。i.telnet至4,查看服务地址4位于哪块网卡上，使用netstati.-in命令，由下图可见，4位于en0ii.N；ii.N；5Lt[ieenuenuenuenuenuMt.u1500150015UU15001500Net.Tijnrklink#2193・169.1U.17.8510.17.8510.17.85AddressU.11.25.e7.be.cA1 1U.17.85.80Ipkt.slerrs125789773125789773125789773125789773125789773UUUUUOpkt.sOerrs133512329133512329133512329133512329133512329Coll44444UUUUU10・17.85.13enO150010.17.8510|.17.日5.14 125789773013351232940enl15UUlink#3U.11.25.e7.be.c52710150U28211382Uenl1500.2.22710150u28211382uen21500link#4U.14.5e.c5・Id.9a3981312u31099072uen21500193・169.2 3981312u31099072uen31500link#5U.14.5e.c5.Id.9b2701443u28123553uen3150022.22.22701443u28123553u1OU16896link#l8250585u8257776Uu1OU16896127127.U.U.18250585u8257776Uu1OU16896::18250585u8257776Uu使用tcpdump-D命令，查看主机网卡编号，如下图，可见en0编号为1。#netstat-in#tcpdump-DenOenlen2en3loOiii.由以上命令得出tcpdump抓包命令为：iii.tcpdump-i1-w/tmp/mml.cap-s6000port9004andhost84命令解释：-w保存至文件，如不设置，则为标准输出-s数据包的截取长度-i网卡编号port端口号host主机ip地址抓包过程及分析：登录UIP主机，输入“tcpdump-i1-w/tmp/mml.cap-s6000port9004andhost84”命令后，使用测试工具从测试机(84)向UIP发送包文，将抓包得到的mml.cap传送至自己的机器，使用wireshark打开分析。

FileEditViewGoCaptureAri：alyzeStatistiesTelephonyToolsHelpFilter： TExpress!on...ClearApply802.11ChannelVChannelOffset:FCSFilter：AllFramesVNoneVWirelessSettings...Decrypt!onKeys...No. TimeSourceDestination.ProtocolInfo10.000000 844TCPrapidmq-reg>9004[SYN]Seq=0Win=65535Len=0MSS=14ti2O.OOOO55484TCP9004>rapidmq-reg[SYN,ACK]seq=oAck=lwin=65535L€30.000297 844TCPrapidmq-reg>9004[ACK]Seq=lAck=lWin=65535Len=044.957956 844TCPrapidmq-reg>9004[PSH,ACK]SGq=lAck=lWin=65535L€54.960616 484TCP9004>rapidmq-reg[PSH,ACK]Seq=lAck=101Win=6553565.085252 10.17.85.1844TCPrapidmq-reg>9004[ACK]5eq=101Ack=114win=65422Ler7102.348875844TCPrapidmq-reg>9004[PSH,ACK]Seq=101Ack=114win=65428102.492479484TCP9004>rapidmq-reg[ACK]5eq=114Ack=217win=65535Ler9102.823569484TCP9004>rapidmq-reg[PSH,ACK]Seq=114Ack=217Win=655310102954902844TCPrapidmq-reg>9004[ACK]5eq=217Ack=373win=65163Ler田Frame1:62bytesonwire(496bits),62bytescaptured(496bits)ffiEthernetII,src:wistron_le:69:71(00:If:16:le:69:71),Dst:lbm_e7:be:c4(OO:ll:25:e7:be:c4)田internetProtocol,Src:84(84),Dst:4(4)(±jTransmissioncontrolProtocol,srcPort:rapidmq-reg(3094),DstPort:9004(9004),seq:0,Len:0000000112500100030a90020550€Oc0030fffff9e7bec400Ifd24000800616232cf4376c00000204012o1o000000112500100030a90020550€Oc0030fffff9e7bec400Ifd24000800616232cf4376c00000204012o1o5ao4070802Oboo850405001-1-C>i—I7.1.。。_yao16000edQ41o5b627/519ao30.00029785.1844主mg-reg>9004[PSH,ACK]Seq=lAck=lW~in=65535.957956485.1840.0000000.00005585.18485.14rapidmq-reg>9004[ack]seq=lAck=lw*in=65535Len=0rapidmq-reg>9004[5YN]5eq=0win=65535Len=0MS5=14€9004>rapidmq-reg[SYN,ACK]Seq=OAck=lWin=65535L€Destinati48点击右键，选择FollowTCPStream,便可得到包文内容。802.11Chajmel二haimmlOffset:FCSFilt