# tshark + tcpdump hands-on notes: from website analysis to DDoS simulation

## Environment

- OS: CentOS 7
- Server NIC: eth0 (example)
- Client: any Linux test machine
- Target site: example.com (replace with your own in practice)

## 1. Install tshark and tcpdump

```bash
# Install the EPEL repository
sudo yum install epel-release -y

# Install wireshark (includes tshark) and tcpdump
sudo yum install wireshark tcpdump -y

# Verify the installs (tcpdump -v would start a capture; --version prints the version)
tshark -v
tcpdump --version
```

## 2. Client-side analysis: breaking down curl timings

### 1. Create a curl format template

```bash
cat > curl-format.txt << 'EOF'
    time_namelookup:  %{time_namelookup}\n
       time_connect:  %{time_connect}\n
    time_appconnect:  %{time_appconnect}\n
   time_pretransfer:  %{time_pretransfer}\n
      time_redirect:  %{time_redirect}\n
 time_starttransfer:  %{time_starttransfer}\n
                     ----------\n
         time_total:  %{time_total}\n
EOF
```

### 2. Test the target site

```bash
# "@file" tells curl to read the -w format from the file
curl -w "@curl-format.txt" -o /dev/null -s http://example.com/test
```

Sample output:

```
time_namelookup:    0.003
time_connect:       0.025
time_starttransfer: 0.218
time_total:         0.245
```

Meaning of the metrics:

| Metric | Meaning |
|---|---|
| time_namelookup | DNS resolution time |
| time_connect | TCP three-way handshake time |
| time_starttransfer | Time from start until the first byte is received (TTFB) |
| time_total | Total time |

## 3. Server-side capture analysis (tcpdump + tshark)

Scenario: locate a performance bottleneck on the server side.

### 1. Capture on the server

Assume the client IP is 192.168.1.100.

```bash
# Capture the live exchange with that client
sudo tcpdump -i eth0 -s 1500 -w server_trace.pcap host 192.168.1.100 and port 80
```

### 2. Measure TCP handshake time

```bash
# Remember the SYN time per tcp.stream so interleaved connections don't overwrite each other.
# Boolean fields print as 1/0 (newer tshark releases print True/False; adjust the comparisons if so).
tshark -r server_trace.pcap -Y "tcp.flags.syn==1 or tcp.flags.ack==1" \
  -T fields -e frame.time_relative -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack | \
  awk '{
    if ($3==1 && $4==0) { syn_time[$2]=$1 }                       # client SYN
    if ($3==1 && $4==1 && ($2 in syn_time)) {                     # server SYN-ACK
      printf "Stream %d handshake time %.6f s\n", $2, $1 - syn_time[$2]
      delete syn_time[$2]
    }
  }'
```

### 3. Compute TTFB (server processing time)

```bash
# Split on tabs so empty fields are kept: a request line has a method in $2,
# a response line has a status code in $4.
tshark -r server_trace.pcap -Y "http.request or http.response" \
  -T fields -e frame.time_relative -e http.request.method -e http.request.uri -e http.response.code | \
  awk -F'\t' '
    $2 != "" { req_time=$1; req_uri=$3 }
    $4 != "" { printf "Request %s TTFB %.6f s\n", req_uri, $1 - req_time }'
```

### 4. Automated analysis script (server_analyze.sh)

```bash
#!/bin/bash
# Usage: ./server_analyze.sh <pcap> <client_ip>
PCAP=$1
CLIENT_IP=$2

echo "=== Server-side analysis report ==="

# First SYN from the client and first SYN-ACK back to it
SYN_TIME=$(tshark -r "$PCAP" -Y "tcp.flags.syn==1 and ip.src==$CLIENT_IP" \
  -T fields -e frame.time_relative 2>/dev/null | head -1)
SYNACK_TIME=$(tshark -r "$PCAP" -Y "tcp.flags.syn==1 and tcp.flags.ack==1 and ip.dst==$CLIENT_IP" \
  -T fields -e frame.time_relative 2>/dev/null | head -1)
if [ -n "$SYN_TIME" ] && [ -n "$SYNACK_TIME" ]; then
  echo "TCP handshake time: $(echo "$SYNACK_TIME - $SYN_TIME" | bc) s"
fi

# First HTTP request and first HTTP response
REQ_TIME=$(tshark -r "$PCAP" -Y "http.request" -T fields -e frame.time_relative 2>/dev/null | head -1)
RESP_FIRST=$(tshark -r "$PCAP" -Y "http.response" -T fields -e frame.time_relative 2>/dev/null | head -1)
if [ -n "$REQ_TIME" ] && [ -n "$RESP_FIRST" ]; then
  echo "TTFB: $(echo "$RESP_FIRST - $REQ_TIME" | bc) s"
fi

# Retransmissions flagged by tshark's TCP analysis
RETRANS=$(tshark -r "$PCAP" -Y "tcp.analysis.retransmission" 2>/dev/null | wc -l)
echo "TCP retransmissions: $RETRANS"
```

Run it:

```bash
chmod +x server_analyze.sh
./server_analyze.sh server_trace.pcap 192.168.1.100
```

## 4. Simulate a DDoS attack and analyze the capture

### 1. Start capturing on the server

```bash
sudo tcpdump -i eth0 -s 1500 -w ddos_attack.pcap tcp port 80
```

### 2. Simulate high concurrency with Python (against the local host, 127.0.0.1)

```python
import socket, threading, time

def flood():
    while True:
        try:
            s = socket.socket()
            s.connect(("127.0.0.1", 80))
            s.send(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
            # Connection is deliberately not closed, to exhaust resources
        except Exception:
            pass

for i in range(500):
    threading.Thread(target=flood, daemon=True).start()
print("Attacking... press Ctrl+C to stop")
time.sleep(999999)
```

### 3. SYN flood with hping3 (must be installed separately)

```bash
sudo hping3 -S -p 80 --flood --rand-source 127.0.0.1
```

### 4. Load test with ab

```bash
ab -n 10000 -c 100 http://127.0.0.1/
```

### 5. Watch the connection count in real time

```bash
watch -n 1 "ss -tan | grep :80 | wc -l"
```

### 6. Analyze the DDoS capture with tshark

#### 6.1 Basic information

```bash
capinfos ddos_attack.pcap
```

#### 6.2 TCP flag statistics (identify the attack type)

```bash
tshark -r ddos_attack.pcap -Y tcp -T fields -e tcp.flags | sort | uniq -c | sort -rn
```

#### 6.3 Count half-open connections (SYN flood signature)

```bash
SYN=$(tshark -r ddos_attack.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" 2>/dev/null | wc -l)
SYNACK=$(tshark -r ddos_attack.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==1" 2>/dev/null | wc -l)
echo "SYN: $SYN, SYN-ACK: $SYNACK, half-open ratio: $(echo "scale=2; $SYN*100/($SYN+$SYNACK)" | bc)%"
```

#### 6.4 Top 10 source IPs

```bash
tshark -r ddos_attack.pcap -T fields -e ip.src | sort | uniq -c | sort -rn | head -10
```

#### 6.5 Automatic attack-type detection script (ddos_detect.sh)

```bash
#!/bin/bash
# Usage: ./ddos_detect.sh <pcap>
PCAP=$1

TOTAL=$(tshark -r "$PCAP" 2>/dev/null | wc -l)
if [ "$TOTAL" -eq 0 ]; then
  echo "No packets in $PCAP"
  exit 1
fi

SYN=$(tshark -r "$PCAP" -Y "tcp.flags.syn==1 and tcp.flags.ack==0" 2>/dev/null | wc -l)
ACK=$(tshark -r "$PCAP" -Y "tcp.flags.ack==1 and tcp.flags.syn==0 and tcp.flags.reset==0" 2>/dev/null | wc -l)
UDP=$(tshark -r "$PCAP" -Y udp 2>/dev/null | wc -l)

echo "SYN share: $(echo "scale=2; $SYN*100/$TOTAL" | bc)%"
echo "ACK share: $(echo "scale=2; $ACK*100/$TOTAL" | bc)%"
echo "UDP share: $(echo "scale=2; $UDP*100/$TOTAL" | bc)%"

# bc prints 1 when the comparison holds, so (( ... )) is true
if (( $(echo "$SYN > $TOTAL*0.5" | bc -l) )); then
  echo "SYN flood detected"
elif (( $(echo "$ACK > $TOTAL*0.5" | bc -l) )); then
  echo "ACK flood detected"
else
  echo "Non-typical DDoS or normal traffic"
fi
```

Run it:

```bash
chmod +x ddos_detect.sh
./ddos_detect.sh ddos_attack.pcap
```

## 5. Real-world case (sanitized)

Below is sanitized output from a real capture.

Capture file information:

```
File name:           ddos_attack.pcap
Number of packets:   484
Capture duration:    154 seconds
Average packet rate: 3 packets/sec
```

Protocol distribution:

```
eth   frames:484 bytes:197644
  ip  frames:484 bytes:197644
   tcp  frames:484 bytes:197644
     ssh   frames:233 bytes:157970
     http  frames:10  bytes:16946
```

Conclusion: this is normal mixed SSH + HTTP traffic, not a DDoS. A real attack would show a much higher packet rate (more than 1000 pps) and a clearly elevated half-open connection ratio.

## 6. Quick reference: common tshark filter expressions

| Purpose | Expression |
|---|---|
| Show only HTTP requests | `-Y "http.request"` |
| Show SYN packets | `-Y "tcp.flags.syn==1 and tcp.flags.ack==0"` |
| Show RST packets | `-Y "tcp.flags.reset==1"` |
| Filter by source IP | `-Y "ip.src==192.168.1.100"` |
| Extract fields | `-T fields -e ip.src -e http.request.uri` |
| Conversation statistics | `-z conv,tcp` |
| Packets per second | `-z io,stat,1` |

## 7. Notes

- Never launch DDoS attacks casually in production; run them in an isolated test environment.
- All IPs and domain names have been replaced with example values; substitute real addresses when you do this yourself.
- Watch disk space when capturing high-volume traffic; use tcpdump's `-C` and `-G` options to rotate capture files.
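The half-open check in 6.3 and the detector in 6.5 count packets. As an added example (not part of the original notes), this Python script reads the same kind of tshark field output and instead follows each tcp.stream through SYN, SYN-ACK and the third ACK, so "half-open" is decided per stream, and the SYN-to-SYN-ACK delay from section 3.2 falls out of the same pass. The extraction command, field order, threshold and the sample lines are assumptions.

```python
"""Score tshark '-T fields' output for SYN-flood characteristics.

Assumed extraction command on the server (fields are tab-separated by default):
  tshark -r ddos_attack.pcap -Y tcp -T fields \
    -e frame.time_relative -e ip.src -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack
Older tshark prints booleans as 1/0, newer ones as True/False; both are accepted.
"""
from collections import Counter

# Constructed sample, NOT a real capture: one client (203.0.113.5) completes its
# handshake; the other sources send SYNs and never answer the server's SYN-ACK.
SAMPLE = """\
0.000000\t203.0.113.5\t0\t1\t0
0.000400\t192.168.1.10\t0\t1\t1
0.001100\t203.0.113.5\t0\t0\t1
0.002000\t198.51.100.7\t1\t1\t0
0.002300\t192.168.1.10\t1\t1\t1
0.003000\t198.51.100.9\t2\t1\t0
0.003200\t192.168.1.10\t2\t1\t1
0.004000\t198.51.100.7\t3\t1\t0
0.004100\t192.168.1.10\t3\t1\t1
0.005000\t198.51.100.7\t4\t1\t0
0.005100\t192.168.1.10\t4\t1\t1
"""

def _flag(v):
    return v in ("1", "True")

def analyze(text, half_open_threshold=0.5):
    """Return per-stream handshake delays, the half-open ratio and a verdict."""
    syn_time, syn_src, synack_time, completed = {}, {}, {}, set()
    sources = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, stream, syn, ack = line.split("\t")
        t = float(t)
        if _flag(syn) and not _flag(ack):                 # client SYN
            syn_time.setdefault(stream, t)
            syn_src.setdefault(stream, src)
            sources[src] += 1
        elif _flag(syn) and _flag(ack):                   # server SYN-ACK
            synack_time.setdefault(stream, t)
        elif _flag(ack) and src == syn_src.get(stream):   # third ACK: handshake done
            completed.add(stream)
    handshake = {s: round(synack_time[s] - syn_time[s], 6)
                 for s in syn_time if s in synack_time}
    half_open = [s for s in syn_time if s not in completed]
    ratio = len(half_open) / len(syn_time) if syn_time else 0.0
    verdict = "SYN flood suspected" if ratio >= half_open_threshold else "normal"
    return {"syn_streams": len(syn_time), "half_open_ratio": round(ratio, 2),
            "handshake_s": handshake, "top_src": sources.most_common(3),
            "verdict": verdict}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```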