rah*_*uby 6 networking tcp wireshark tcpdump
I am trying to find out where the TCP resets are occurring on my web server. I have the following capture:
tcpdump -fnni bond0:-nnvvS -w dump.pcap 'tcp[tcpflags] & (tcp-rst) !=0'
When I look at the pcap in Wireshark, it shows me the reset:
Flags: 0x004 (RST)
.... .... .1.. = Reset: Set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 0
Calculated window size: 0
Window size scaling factor: -1 (unknown)
Checksum: 0x0f2f [validation disabled]
Good Checksum: False
Bad Checksum: False
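But it doesn't tell me who reset the connection. I believe there are some switches in tcpdump that would let me see who reset the connection and possibly why. I have tried various switches, but with no luck.
Thanks in advance for your help.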
Note the Src Port and Dst Port:
Transmission Control Protocol, Src Port: http (80), Dst Port: norton-lambert (2338), Seq: 1406431331, Len: 0
Source port: http (80)
Destination port: norton-lambert (2338)
[Stream index: 3]
Sequence number: 1406431331
Header length: 20 bytes
Flags: 0x004 (RST)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Chat/Sequence): Connection reset (RST)]
[Message: Connection reset (RST)]
[Severity level: Chat]
[Group: Sequence]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Src Port: http (80) means that this RST packet was sent from the server side.
If it came from the client side, then you should see the reason:
Transmission Control Protocol, Src Port: 57715 (57715), Dst Port: http (80), Seq: 3509013939, Len: 0
Source port: 57715 (57715)
Destination port: http (80)
[Stream index: 32]
Sequence number: 3509013939
Acknowledgment Number: 0xd1274db3 [should be 0x00000000 because ACK flag is not set]
[Expert Info (Warn/Protocol): Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set]
[Message: Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set]
[Severity level: Warn]
[Group: Protocol]
Header length: 20 bytes
Flags: 0x004 (RST)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Chat/Sequence): Connection reset (RST)]
[Message: Connection reset (RST)]
[Severity level: Chat]
[Group: Sequence]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
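The rule used in the answer above (the side whose port is the Src Port sent the RST), as an added Python example that is not part of the original answer. It parses raw IPv4+TCP headers and also reports the nonzero-ack-without-ACK condition Wireshark warns about; `classify_rst`, `build_packet`, the `server_port` parameter and the IP addresses are assumptions made for illustration.

```python
import socket
import struct

RST, ACK = 0x04, 0x10

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Build a minimal IPv4+TCP packet (constructed sample; checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

def classify_rst(packet, server_port=80):
    """Return None unless the packet is a TCP RST; otherwise say who sent it."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 14 or packet[9] != 6:  # too short or not TCP
        return None
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    if not flags & RST:
        return None
    if sport == server_port:
        sender = "server"      # Src Port is the service port, as in the answer
    elif dport == server_port:
        sender = "client"
    else:
        sender = "unknown"
    return {
        "sender": sender,
        "src": f"{socket.inet_ntoa(packet[12:16])}:{sport}",
        "dst": f"{socket.inet_ntoa(packet[16:20])}:{dport}",
        "seq": seq,
        # Wireshark's "Broken TCP" warning: ack field set while ACK flag is clear
        "ack_without_flag": ack != 0 and not flags & ACK,
    }

# Constructed samples using the ports and sequence numbers shown in the answer;
# the IP addresses are placeholders from the documentation ranges.
SERVER_RST = build_packet("192.0.2.10", "198.51.100.7", 80, 2338, 1406431331, 0, RST)
CLIENT_RST = build_packet("198.51.100.7", "192.0.2.10", 57715, 80, 3509013939,
                          0xD1274DB3, RST)
SYN = build_packet("198.51.100.7", "192.0.2.10", 57715, 80, 1, 0, 0x02)

if __name__ == "__main__":
    for pkt in (SERVER_RST, CLIENT_RST, SYN):
        print(classify_rst(pkt))
```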