WireShark对tcp通信数据的抓包

一、抓包准备工作

安装wireshark

sudo apt update

sudo apt install wireshark

运行

二、WireShark工具面板分析

上图中所显示的信息从上到下分布在 3 个面板中，每个面板包含的信息含义如下：

Packet List 面板：显示 Wireshark 捕获到的所有数据包，这些数据包从 1 进行顺序编号。

Packet Details 面板：显示一个数据包的详细内容信息，并且以层次结构进行显示。这些层次结构默认是折叠起来的，用户可以展开查看详细的内容信息。

Packet Bytes 面板：显示一个数据包未经处理的原始样子，数据是以十六进制和 ASCII 格式进行显示。

在Packet Details面板中：

Frame:物理层的数据帧概况。

Ethernet II:数据链路层以太网帧头部信息。

Internet Protocol Version 4:互联网层IP包头部信息。

Transmission Control Protocol:传输层的数据段头部信息，此处是TCP协议。

2.1面板数据解析

双击packet list面板数据包

Frame 6: 87 bytes on wire (696 bits), 87 bytes captured (696 bits) on interface lo, id 0 （第6帧数据，线路87字节，实际捕获87字节）

Section number: 1

Interface id: 0 (lo)（接口id）

Encapsulation type: Ethernet (1)（封装类型）

Arrival Time: Jan 9, 2024 09:07:39.315583109 CST（捕获日期和时间）

Time shift for this packet: 0.000000000 seconds

Epoch Time: 1704762459.315583109 seconds

Time delta from previous captured frame: 0.000184924 seconds

(此包与前一个包的时间间隔)

Time delta from previous displayed frame: 0.000184924 seconds

Time since reference or first frame: 1.000935456 seconds

(此包与第一帧的时间间隔)

Frame Number: 6 （帧序号）

Frame Length: 87 bytes (696 bits) （帧长度）

Capture Length: 87 bytes (696 bits)（捕获长度）

Frame is marked: False\] （此帧是否做了标记，false否） \[Frame is ignored: False\]（此帧是否做了标记，false否） \[Protocols in frame: eth:ethertype:ip:tcp:data\]（帧内封装层次协议结构，eth:ethertype:ip:tcp，以太网，以太网协议，ip，tcp） \[Coloring Rule Name: TCP\]（着色标记的协议名称） \[Coloring Rule String: tcp\]（着色显示的字符串） Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00) Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)（目标地址） Source: 00:00:00_00:00:00 (00:00:00:00:00:00)（源mac地址） Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1（ipv4协议） Transmission Control Protocol, Src Port: 8877, Dst Port: 60856, Seq: 1, Ack: 17, Len: 21 Data (21 bytes)（tcp协议） ### 三、TCP三次握手抓取 1.第一次握手 第一次握手建立连接时，客户端向服务器发送SYN报文（Seq=x，SYN=1)，并进入SYN_SENT状态,等待服务器确认。 2.第二次握手 第二次握手实际上是分两部分来完成的，即SYN+ACK(请求和确认）报文。 (1）服务器收到了客户端的请求，向客户端回复一个确认信息(Ack=x+1)。 (2）服务器再向客户端发送一个SYN包(Seq=y）建立连接的请求，此时服务器进入SYN_RECV状态。 3.第三次握手 第三次握手客户端收到服务器的回复(SYN+ACK报文)。此时，客户端也要向服务器发送确认包（ACK)。此包发送完毕客户端和服务器进入ESTABLISHED 状态，完成三次握手。此时就可以进行数据传输了。 **右键追踪流，点击tcp** ![](https://file.jishuzhan.net/article/1788861264118681602/eedfa6e8b03124bbc1e3345fdac3f4a8.webp) **右边为服务端发送给客户端数据，左边为客户端发送给服务端数据** ![](https://file.jishuzhan.net/article/1788861264118681602/405eb821931b9d49916023608da1e063.webp) **以下为完整的三次握手数据：** ![](https://file.jishuzhan.net/article/1788861264118681602/15f207b0b8b8f4965c02d16f0c8f10b7.webp) #### 第一次握手抓包分析 ![](https://file.jishuzhan.net/article/1788861264118681602/3fe03878782dbddcaec74d2288b8fc91.webp) Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface lo, id 0 Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00) Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1 Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 0, Len: 0 Source Port: 47544（源端口号） Destination Port: 8887（目标端口号） \[Stream index: 0\]（流节点号） \[Conversation completeness: Complete, WITH_DATA (31)

TCP Segment Len: 0

Sequence Number: 0 (relative sequence number)（序列号）

Sequence Number (raw): 98905648

Next Sequence Number: 1 (relative sequence number)

Acknowledgment Number: 0

Acknowledgment number (raw): 0

1010 .... = Header Length: 40 bytes (10)（标头长度）

Flags: 0x002 (SYN)（标志syn）

.... .... = Reserved: Not set

...0 .... .... = Accurate ECN: Not set

.... 0... .... = Congestion Window Reduced: Not set

.... .0.. .... = ECN-Echo: Not set

.... ..0. .... = Urgent: Not set（紧急指针）

.... ...0 .... = Acknowledgment: Not set（确认编号）

.... .... 0... = Push: Not set（紧急位）

.... .... .0.. = Reset: Not set（重置）

.... .... ..1. = Syn: Set（设置syn为一）

Expert Info (Chat/Sequence): Connection establish request (SYN): server port 8887

Connection establish request (SYN): server port 8887\]（专家信息） \[Severity level: Chat\]（安全级别） \[Group: Sequence

.... .... ...0 = Fin: Not set（fin标志位）

TCP Flags: \cdot\cdot\cdot\cdot\cdot\cdot\cdot\cdot\cdot\cdotS\cdot

Window: 65495（窗口大小）

Calculated window size: 65495\]（估计的窗口大小） Checksum: 0xfe30 \[unverified

Checksum Status: Unverified\]（校验和） Urgent Pointer: 0 Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale TCP Option - Maximum segment size: 65495 bytes（最大段大小） TCP Option - SACK permitted（tcp sack允许选项） TCP Option - Timestamps（时间戳） TCP Option - No-Operation (NOP)（无操作指令） TCP Option - Window scale: 7 (multiply by 128)（窗口比例） \[Timestamps

第二次握手抓包分析

Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface lo, id 0

Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)

Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1

Transmission Control Protocol, Src Port: 8887, Dst Port: 47544, Seq: 0, Ack: 1, Len: 0

Source Port: 8887（源端口）

Destination Port: 47544（目标端口）

Stream index: 0

Conversation completeness: Complete, WITH_DATA (31)

TCP Segment Len: 0

Sequence Number: 0 (relative sequence number)（序列号seq=0）

Sequence Number (raw): 1715005940

Next Sequence Number: 1 (relative sequence number)

Acknowledgment Number: 1 (relative ack number)（确认编号ack1（（seq）0+1））

Acknowledgment number (raw): 98905649

1010 .... = Header Length: 40 bytes (10)

Flags: 0x012 (SYN, ACK)（标志位）

.... .... = Reserved: Not set

...0 .... .... = Accurate ECN: Not set

.... 0... .... = Congestion Window Reduced: Not set

.... .0.. .... = ECN-Echo: Not set

.... ..0. .... = Urgent: Not set

.... ...1 .... = Acknowledgment: Set（ack确认设置）

.... .... 0... = Push: Not set

.... .... .0.. = Reset: Not set

.... .... ..1. = Syn: Set（请求位）

第三次握手抓包分析

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0

Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)

Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1

Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 1, Ack: 1, Len: 0

Source Port: 47544（源端口号）

Destination Port: 8887（目标端口号）

Stream index: 0

Conversation completeness: Complete, WITH_DATA (31)

TCP Segment Len: 0

Sequence Number: 1 (relative sequence number)（序列号seq1（sck））

Sequence Number (raw): 98905649

Next Sequence Number: 1 (relative sequence number)

Acknowledgment Number: 1 (relative ack number)（确认编号ack1（（seq）0+1））

Acknowledgment number (raw): 1715005941

1000 .... = Header Length: 32 bytes (8)

Flags: 0x010 (ACK)（标志位）

.... .... = Reserved: Not set

...0 .... .... = Accurate ECN: Not set

.... 0... .... = Congestion Window Reduced: Not set

.... .0.. .... = ECN-Echo: Not set

.... ..0. .... = Urgent: Not set

.... ...1 .... = Acknowledgment: Set（确认编号已经设置）

.... .... 0... = Push: Not set

.... .... .0.. = Reset: Not set

.... .... ..0. = Syn: Not set

四、TCP四次挥手抓取

(1)客户端通过发送一个设置了 FIN和ACK标志的TCP数据包，告诉服务器通信已经完成。

(2)服务器收到客户端发送的数据包后，发送一个 ACK 数据包来响应客户端

(3)服务器再向客户端传输一个自己的 FIN/ACK 数据包。

(4)客户端收到服务器的FIN/ACK 包时，响应服务器一个ACK数据包。然后结束通信过程。

第一次挥手抓包分析

Frame 8: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0

Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)

Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1

Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 17, Ack: 22, Len: 0

Source Port: 47544（源端口号）

Destination Port: 8887（目标端口号）

Stream index: 0

Conversation completeness: Complete, WITH_DATA (31)

TCP Segment Len: 0

Sequence Number: 17 (relative sequence number)(序列号seq17)

Sequence Number (raw): 98905665

Next Sequence Number: 18 (relative sequence number)\](下一个序列号18) Acknowledgment Number: 22 (relative ack number)（确认编号ack22） Acknowledgment number (raw): 1715005962 1000 .... = Header Length: 32 bytes (8) Flags: 0x011 (FIN, ACK)（标志位） 000. .... .... = Reserved: Not set ...0 .... .... = Accurate ECN: Not set .... 0... .... = Congestion Window Reduced: Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set（确认编号已设置）确认收到上次数据 .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...1 = Fin: Set（确认编号已设置）报文发送完毕，要求释放连接 \[TCP Flags: ·······A···F

第二次挥手抓包分析

Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0

Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)

Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1

Transmission Control Protocol, Src Port: 8887, Dst Port: 47544, Seq: 22, Ack: 18, Len: 0

Source Port: 8887（源端口号）

Destination Port: 47544（目标端口号）

Stream index: 0

Conversation completeness: Complete, WITH_DATA (31)

TCP Segment Len: 0

Sequence Number: 22 (relative sequence number)(序列号seq2)

Sequence Number (raw): 1715005962

Next Sequence Number: 22 (relative sequence number)

Acknowledgment Number: 18 (relative ack number)（确认编号ack18）

Acknowledgment number (raw): 98905666

1000 .... = Header Length: 32 bytes (8)

Flags: 0x010 (ACK)（标志位）

.... .... = Reserved: Not set

...0 .... .... = Accurate ECN: Not set

.... 0... .... = Congestion Window Reduced: Not set

.... .0.. .... = ECN-Echo: Not set

.... ..0. .... = Urgent: Not set

.... ...1 .... = Acknowledgment: Set（确认编号已设置）

.... .... 0... = Push: Not set

.... .... .0.. = Reset: Not set

.... .... ..0. = Syn: Not set

.... .... ...0 = Fin: Not set

第三次挥手抓包分析

Frame 10: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0

Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)

Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1

Transmission Control Protocol, Src Port: 8887, Dst Port: 47544, Seq: 22, Ack: 18, Len: 0

Source Port: 8887（源端口号）

Destination Port: 47544（目标端口号）

Stream index: 0

Conversation completeness: Complete, WITH_DATA (31)

TCP Segment Len: 0

Sequence Number: 22 (relative sequence number)(序列号seq22)

Sequence Number (raw): 1715005962

Next Sequence Number: 23 (relative sequence number)\](下一个序列号23) Acknowledgment Number: 18 (relative ack number)（确认编号ack18） Acknowledgment number (raw): 98905666 1000 .... = Header Length: 32 bytes (8) Flags: 0x011 (FIN, ACK)（标志位） 000. .... .... = Reserved: Not set ...0 .... .... = Accurate ECN: Not set .... 0... .... = Congestion Window Reduced: Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set（确认编号已设置） .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...1 = Fin: Set（确认编号已设置） #### 第四次挥手抓包分析 ![](https://file.jishuzhan.net/article/1788861264118681602/8faec44efe05cffab16e7c140ea596c4.webp) Frame 11: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0 Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00) Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1 Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 18, Ack: 23, Len: 0 Source Port: 47544（源端口号） Destination Port: 8887（目标端口号） \[Stream index: 0

Conversation completeness: Complete, WITH_DATA (31)

TCP Segment Len: 0

Sequence Number: 18 (relative sequence number)(序列号seq18)

Sequence Number (raw): 98905666

Next Sequence Number: 18 (relative sequence number)

Acknowledgment Number: 23 (relative ack number)（确认编号ack23）

Acknowledgment number (raw): 1715005963

1000 .... = Header Length: 32 bytes (8)

Flags: 0x010 (ACK)（标志位）

.... .... = Reserved: Not set

...0 .... .... = Accurate ECN: Not set

.... 0... .... = Congestion Window Reduced: Not set

.... .0.. .... = ECN-Echo: Not set

.... ..0. .... = Urgent: Not set

.... ...1 .... = Acknowledgment: Set（确认编号已设置）

.... .... 0... = Push: Not set

.... .... .0.. = Reset: Not set

.... .... ..0. = Syn: Not set

.... .... ...0 = Fin: Not set

在使用软件对四次挥手抓包过程中，会出现只抓到三个包的情况，第二个包和第三个包出现了合并，这种情况通常是由于TCP的优化机制------捎带确认（piggybacking ACKs）。当服务器准备好关闭连接并发送FIN报文时，如果发现上一次接收到的客户端数据还没有发出ACK确认，则可以在同一个报文中同时设置FIN和ACK标志，即合并了第二个和第三个挥手动作。这样，原本的第二次挥手（ACK）和第三次挥手（FIN）就合并在了一个TCP报文中，因此抓包工具只会抓取到这个合并后的FIN+ACK报文以及后续的客户端ACK报文，总共是三个包。