[英]How to tell the first fin packet of tcp connection from the second with tcpdump?
I am developing a http server. 我正在开发一个http服务器。 And now i want to do some statistics, to be specific, I want to know how many of the tcp connections are closed by client, and how many of them are closed by my server.
现在我想做一些统计,具体来说,我想知道客户端关闭了多少个tcp连接,以及我的服务器关闭了多少个。
I turned the Keep-alive feature off on my http server, so the normal case is that my server sends the first FIN packet and the client sends the second one, which means the connection is closed by my server normally. 我在我的http服务器上关闭了保持活动功能,所以正常情况是我的服务器发送第一个FIN数据包而客户端发送第二个数据包,这意味着我的服务器正常关闭连接。 If they are in the reverse order, it indicates an abnormal closing, which I cares.
如果它们的顺序相反,则表示关闭异常,我关心。
Here is the question, How can I tell the first FIN packet from the second with tcpdump? 这是一个问题,如何通过tcpdump告诉第二个FIN数据包? Since both of them are set in the FIN and ACK flag bit.
由于它们都设置在FIN和ACK标志位中。
Thanks in advance and Happy new year! 在此先感谢新年快乐!
I am tunneling a connection through ssh
to my webserver, which is listening on 5000/tcp. 我正在通过
ssh
将连接隧道连接到我的web服务器,它正在监听5000 / tcp。 I ran a tcpdump
of the session, and even if you ignore timestamps, it's still clear who sent what from the TCP source port number. 我运行了一个会话的
tcpdump
,即使你忽略了时间戳,它仍然清楚谁从TCP源端口号发送了什么。
05:42:06.344592 IP localhost.5000 > localhost.37924: Flags [F.], seq 243,
ack 419, win 529, options [nop,nop,TS val 120830308 ecr 120830308], length 0
05:42:06.381872 IP localhost.37924 > localhost.5000: Flags [.], ack 244,
win 513, options [nop,nop,TS val 120830318 ecr 120830308], length 0
05:42:06.382504 IP localhost.37924 > localhost.5000: Flags [F.], seq 419,
ack 244, win 513, options [nop,nop,TS val 120830318 ecr 120830308], length 0
05:42:06.382535 IP localhost.5000 > localhost.37924: Flags [.], ack 420,
win 529, options [nop,nop,TS val 120830318 ecr 120830318], length 0
At 05:42:06.344592
, my webserver ACK'd bytes from the client and set the FIN
flag. 在
05:42:06.344592
,我的网络服务器从客户端确认了字节并设置了FIN
标志。 I know it was the webserver, because the source port is 5000. In the real world, it's even easier, your source IP address alone gives it away. 我知道它是网络服务器,因为源端口是5000.在现实世界中,它更容易,你的源IP地址就让它消失了。
At 05:42:06.382504
the client sent an ACK to the server's FIN
. 在
05:42:06.382504
,客户端向服务器的FIN
发送了ACK。 Again, we know because the source port is not 5000. 我们再次知道,因为源端口不是5000。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.