vlambda Blog

Tcpdump, TCP three-way handshake and four-way teardown

Lab environment:

VM running CentOS 7.6, 192.168.5.130, hostname test1

Commands used:

tcpdump, nc

1. Set up the test environment: start a listener on port 8888 and confirm it is in the LISTEN state.

[root@test1 ~]# nc -lk 8888 &
[1] 12714
[root@test1 ~]# netstat -anltp|grep 8888
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      12714/nc
tcp6       0      0 :::8888                 :::*                    LISTEN      12714/nc
[root@test1 ~]#

2. Capture on the local lo interface with tcpdump

The -S option makes tcpdump print absolute sequence and acknowledgement numbers instead of the relative ones it shows by default, so the x+1 and y+1 relationships described in the next section can be read straight off the capture:

[root@test1 ~]# tcpdump -S -i lo port 8888
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes

3. Connect to port 8888 with nc to trigger a handshake (client and listener are on the same host, which is why the capture is taken on lo)

[root@test1 ~]# nc -nv 192.168.5.130 8888
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.5.130:8888.

4. Three-way handshake


Assume A is the client and B is the server.

  • First, B is in the LISTEN state, waiting for a client's connection request. (A: CLOSED, B: LISTEN)

  • A sends a connection request segment to B with SYN=1, ACK=0 and an initial sequence number x that it chooses. (A: SYN_SENT, B: LISTEN)

  • B receives the request and, if it accepts the connection, replies with a connection acknowledgement segment: SYN=1, ACK=1, acknowledgement number x+1 (the next sequence number it expects from A) and its own initial sequence number y. (A: SYN_SENT, B: SYN_RECEIVED)

  • A receives B's SYN-ACK and must acknowledge it in turn, with acknowledgement number y+1 and sequence number x+1. (A: ESTABLISHED, B: SYN_RECEIVED)

  • B receives A's acknowledgement and the connection is established. (A: ESTABLISHED, B: ESTABLISHED)

[root@test1 ~]# tcpdump -S -i lo port 8888
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
06:01:33.157748 IP test1.54184 > test1.ddi-tcp-1: Flags [S], seq 3522850363, win 43690, options [mss 65495,sackOK,TS val 25709696 ecr 0,nop,wscale 7], length 0
06:01:33.157778 IP test1.ddi-tcp-1 > test1.54184: Flags [S.], seq 456495191, ack 3522850364, win 43690, options [mss 65495,sackOK,TS val 25709696 ecr 25709696,nop,wscale 7], length 0
06:01:33.157798 IP test1.54184 > test1.ddi-tcp-1: Flags [.], ack 456495192, win 342, options [nop,nop,TS val 25709696 ecr 25709696], length 0

Reading the three lines against the steps above: tcpdump shows port 8888 by its /etc/services name, ddi-tcp-1 (add -n to print port numbers instead). [S] is A's SYN with x = 3522850363; [S.] is B's SYN-ACK with y = 456495191 and ack = x+1 = 3522850364; [.] is A's final ACK with ack = y+1 = 456495192. The flags column uses S for SYN, F for FIN, R for RST, P for PSH and a dot for ACK, so [S.] means SYN+ACK.

5. Closing the connection

Interrupting the client with Ctrl-C closes its socket, which sends the FIN seen in the capture below:

[root@test1 ~]# nc -nv 192.168.5.130 8888
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.5.130:8888.
^C
[root@test1 ~]# nc -nv 192.168.5.130 8888
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.5.130:8888.
^C
[root@test1 ~]#

6. Four-way teardown

  • A sends a connection release segment with FIN=1. (A: FIN_WAIT1, B: ESTABLISHED)

  • B receives it and sends an acknowledgement. The connection is now half-closed: B can still send data to A, but A can no longer send data to B. (A: FIN_WAIT2, B: CLOSE_WAIT)

  • When B no longer needs the connection, it sends its own connection release segment with FIN=1. (A: FIN_WAIT2, B: LAST_ACK)

  • A receives it and sends an acknowledgement, then enters TIME_WAIT and waits 2 MSL (twice the maximum segment lifetime) before releasing the connection, so that it can resend the final ACK if B has to retransmit its FIN, and so that any delayed segments from this connection expire before the same port pair is reused. (A: TIME_WAIT, B: LAST_ACK)

  • B receives A's acknowledgement and releases the connection; A goes to CLOSED once its 2 MSL timer expires. (A: TIME_WAIT, B: CLOSED)

[root@test1 ~]# tcpdump -S -i lo port 8888
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
06:01:33.157748 IP test1.54184 > test1.ddi-tcp-1: Flags [S], seq 3522850363, win 43690, options [mss 65495,sackOK,TS val 25709696 ecr 0,nop,wscale 7], length 0
06:01:33.157778 IP test1.ddi-tcp-1 > test1.54184: Flags [S.], seq 456495191, ack 3522850364, win 43690, options [mss 65495,sackOK,TS val 25709696 ecr 25709696,nop,wscale 7], length 0
06:01:33.157798 IP test1.54184 > test1.ddi-tcp-1: Flags [.], ack 456495192, win 342, options [nop,nop,TS val 25709696 ecr 25709696], length 0
06:02:19.356626 IP test1.54184 > test1.ddi-tcp-1: Flags [F.], seq 3522850364, ack 456495192, win 342, options [nop,nop,TS val 25755895 ecr 25709696], length 0
06:02:19.357240 IP test1.ddi-tcp-1 > test1.54184: Flags [.], ack 3522850365, win 342, options [nop,nop,TS val 25755896 ecr 25755895], length 0
06:12:55.196604 IP test1.ddi-tcp-1 > test1.54184: Flags [F.], seq 456495192, ack 3522850365, win 342, options [nop,nop,TS val 26391735 ecr 25755895], length 0
06:12:55.196631 IP test1.54184 > test1.ddi-tcp-1: Flags [R], seq 3522850365, win 0, length 0
^C
7 packets captured
14 packets received by filter
0 packets dropped by kernel
[root@test1 ~]#

Note that this capture does not end with the textbook final ACK. A's [F.] at 06:02:19 (seq 3522850364, that is x+1, since the SYN consumed one sequence number) is sent when nc is interrupted with Ctrl-C; B acknowledges it with 3522850365 and sits in CLOSE_WAIT for as long as the server side keeps its socket open. B's own [F.] only arrives when that socket is finally closed, more than ten minutes later at 06:12:55, and A answers with [R] rather than an ACK: the client process exited long before, and Linux discards an orphaned socket in FIN_WAIT2 after net.ipv4.tcp_fin_timeout (60 seconds by default), so when B's FIN arrives there is no socket left to deliver it to and the kernel replies with a reset. A connection stuck in CLOSE_WAIT like this means an application that has not called close() on its socket, and netstat -ant will show it for as long as it lasts. The mismatch between 7 packets captured and 14 received by the filter is normal on lo: the kernel hands each loopback packet to the capture tap twice, outbound and inbound, and libpcap drops the duplicate.
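Replaying the capture against the state machine from sections 4 and 6, as an added example that is not part of the original post: the Python below parses tcpdump's summary lines (the seven segments above, copied verbatim into CAPTURE), derives each side's state after every segment, checks the acknowledgement numbers against the rule that a SYN or FIN consumes one sequence number, and flags the RST that replaced the final ACK. The parser, the state table and the notes are this example's own design; the 60 second value is the Linux tcp_fin_timeout default, and the timing check built on it is a heuristic, not something tcpdump reports.

```python
import re

# The seven segments of one connection, copied from the tcpdump -S capture above.
# -S prints absolute sequence numbers, which is what makes the +1 checks possible.
CAPTURE = """\
06:01:33.157748 IP test1.54184 > test1.ddi-tcp-1: Flags [S], seq 3522850363, win 43690, options [mss 65495,sackOK,TS val 25709696 ecr 0,nop,wscale 7], length 0
06:01:33.157778 IP test1.ddi-tcp-1 > test1.54184: Flags [S.], seq 456495191, ack 3522850364, win 43690, options [mss 65495,sackOK,TS val 25709696 ecr 25709696,nop,wscale 7], length 0
06:01:33.157798 IP test1.54184 > test1.ddi-tcp-1: Flags [.], ack 456495192, win 342, options [nop,nop,TS val 25709696 ecr 25709696], length 0
06:02:19.356626 IP test1.54184 > test1.ddi-tcp-1: Flags [F.], seq 3522850364, ack 456495192, win 342, options [nop,nop,TS val 25755895 ecr 25709696], length 0
06:02:19.357240 IP test1.ddi-tcp-1 > test1.54184: Flags [.], ack 3522850365, win 342, options [nop,nop,TS val 25755896 ecr 25755895], length 0
06:12:55.196604 IP test1.ddi-tcp-1 > test1.54184: Flags [F.], seq 456495192, ack 3522850365, win 342, options [nop,nop,TS val 26391735 ecr 25755895], length 0
06:12:55.196631 IP test1.54184 > test1.ddi-tcp-1: Flags [R], seq 3522850365, win 0, length 0
"""

# One tcpdump TCP summary line: timestamp, endpoints, flags, optional "seq a" or
# "seq a:b" (segments carrying data print a range), optional ack, and the length.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*length (?P<length>\d+)$"
)
FIN_TIMEOUT = 60  # Linux net.ipv4.tcp_fin_timeout default in seconds (heuristic only)
# State a side moves to once the SYN or FIN it sent has been acknowledged.
ON_ACK = {"SYN_RECEIVED": "ESTABLISHED", "FIN_WAIT1": "FIN_WAIT2", "LAST_ACK": "CLOSED"}


def parse(text):
    """Turn tcpdump summary lines into dicts; lines that do not match are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        seq = int(m["seq"]) if m["seq"] else None
        segs.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m["src"], "flags": m["flags"],
            # the sequence number a SYN/FIN in this segment occupies: end of the
            # range for a FIN carrying data, the bare seq otherwise
            "ctl_seq": int(m["seq_end"]) if m["seq_end"] else seq,
            "ack": int(m["ack"]) if m["ack"] else None,
        })
    return segs


def analyse(text):
    """Replay one connection's segments and return (trace, notes).

    The client is whoever sends the first SYN. Each trace entry is (flags,
    client_state, server_state) after the segment is delivered, which on lo is
    the instant it is sent. Acks that complete the handshake or the close are
    checked against the rule that SYN and FIN each consume one sequence number.
    """
    segs = parse(text)
    client = segs[0]["src"]
    st = {"client": "CLOSED", "server": "LISTEN"}
    pending = {}  # per side: seq of the SYN/FIN the peer still has to acknowledge
    trace, notes, prev_t = [], [], segs[0]["t"]
    for n, seg in enumerate(segs, 1):
        snd = "client" if seg["src"] == client else "server"
        rcv = "server" if snd == "client" else "client"
        f, ack = seg["flags"], seg["ack"]
        if "R" in f:
            if st[rcv] == "LAST_ACK":
                notes.append(f"#{n}: {snd} answered the FIN with RST instead of the final "
                             "ACK: it no longer had a socket for this connection")
            st[snd] = st[rcv] = "CLOSED"
        elif "S" in f and "." not in f:                       # SYN
            pending[snd] = seg["ctl_seq"]
            st[snd], st[rcv] = "SYN_SENT", "SYN_RECEIVED"
        elif "S" in f:                                        # SYN-ACK
            if ack != pending[rcv] + 1:
                notes.append(f"#{n}: SYN-ACK acks {ack}, expected {pending[rcv] + 1}")
            pending[snd] = seg["ctl_seq"]
            st[rcv] = "ESTABLISHED"
        elif "F" in f:                                        # FIN
            gap = seg["t"] - prev_t
            if st[snd] == "CLOSE_WAIT" and gap > FIN_TIMEOUT:
                notes.append(f"#{n}: second FIN sent {gap:.0f}s after the first was acked; "
                             f"Linux drops an orphaned FIN_WAIT2 socket after tcp_fin_timeout "
                             f"({FIN_TIMEOUT}s), so expect a RST rather than an ACK")
            pending[snd] = seg["ctl_seq"]
            if st[snd] == "ESTABLISHED":
                st[snd], st[rcv] = "FIN_WAIT1", "CLOSE_WAIT"
            elif st[snd] == "CLOSE_WAIT":
                st[snd] = "LAST_ACK"
                if st[rcv] == "FIN_WAIT2":
                    st[rcv] = "TIME_WAIT"
        elif st[rcv] in ON_ACK:                               # ACK completing a step
            if ack == pending[rcv] + 1:
                st[rcv] = ON_ACK[st[rcv]]
            else:
                notes.append(f"#{n}: ack {ack} does not cover {rcv}'s pending "
                             f"{st[rcv]} segment, expected {pending[rcv] + 1}")
        trace.append((f, st["client"], st["server"]))
        prev_t = seg["t"]
    return trace, notes
```

Calling analyse(CAPTURE) on the capture above walks the client through SYN_SENT, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT and the server through SYN_RECEIVED, ESTABLISHED, CLOSE_WAIT and LAST_ACK before the [R] takes both to CLOSED, and returns two notes: one for the 636 second gap before the server's FIN and one for the RST that stood in for the final ACK. The same function accepts the output of any tcpdump -S run over a single connection, with or without -n, as long as only the summary lines are passed in.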

7. Common tcpdump options

tcpdump -i ens33 -s 0 -w a.cap     capture on interface ens33 with full-length packets (-s 0) and save to a.cap
tcpdump -X -r a.cap                read a.cap and print each packet's contents in hex and ASCII

tcpdump -i ens33 port 80           capture traffic on port 80 on interface ens33