  • Using tcpdump

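    1. tcpdump is not available under the work account; switch to the root account, where tcpdump is already installed.

    2. Connect to the redis service on this machine from another machine.

    Then, as root, run: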

    # tcpdump -n -i xgbe0 host 10.117.146.16 and 10.117.146.17

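    The first thing to notice is that ACK packets are exchanged to keep the connection alive (there is also ARP traffic, which resolves an IP address to a physical address):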

    18:39:58.489583 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [.], ack 1, win 70, options [nop,nop,TS val 3307108132 ecr 3307091780], length 0
    18:39:58.489593 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [.], ack 1, win 57, options [nop,nop,TS val 3307106780 ecr 3307033133], length 0
    18:40:03.489565 ARP, Request who-has 10.117.146.16 tell 10.117.146.17, length 46
    18:40:03.489574 ARP, Reply 10.117.146.16 is-at 6c:92:bf:28:c9:c0, length 28
    18:40:13.489538 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [.], ack 1, win 70, options [nop,nop,TS val 3307123132 ecr 3307106780], length 0
    18:40:13.489555 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [.], ack 1, win 57, options [nop,nop,TS val 3307121780 ecr 3307033133], length 0

    Then the client issues a command:

    10.117.146.16:6379> zrange page_rank 0 -1 
    1) "bing.com"
    2) "baidu.com"
    3) "google.com"

    We see two requests on the server. After that, three ACKs appear. After that, the ACKs go back to two at a time, as before.

    18:46:52.290830 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [P.], seq 1:47, ack 1, win 70, options [nop,nop,TS val 3307521935 ecr 3307516378], length 46
    18:46:52.290843 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [.], ack 47, win 57, options [nop,nop,TS val 3307520581 ecr 3307521935], length 0
    18:46:52.290867 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [P.], seq 1:51, ack 47, win 57, options [nop,nop,TS val 3307520581 ecr 3307521935], length 50
    18:46:52.290895 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [.], ack 51, win 70, options [nop,nop,TS val 3307521935 ecr 3307520581], length 0
    18:47:07.290512 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [.], ack 51, win 70, options [nop,nop,TS val 3307536935 ecr 3307520581], length 0
    18:47:07.290521 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [.], ack 47, win 57, options [nop,nop,TS val 3307535581 ecr 3307521935], length 0

    The following command prints the packet contents, although without decoding they are not very easy to read:

    tcpdump -n -i xgbe0 host 10.117.146.16 and 10.117.146.17 -X -nn

    The output is as follows:

    19:51:13.418725 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [.], ack 1, win 70, options [nop,nop,TS val 3311383064 ecr 3311366709], length 0
            0x0000:  4500 0034 6a76 4000 4006 9742 0a75 9211  E..4jv@.@..B.u..
            0x0010:  0a75 9210 bd07 18eb bda4 dc02 6a58 4e41  .u..........jXNA
            0x0020:  8010 0046 662a 0000 0101 080a c55f b218  ...Ff*......._..
            0x0030:  c55f 7235                                ._r5
    19:51:13.418738 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [.], ack 1, win 57, options [nop,nop,TS val 3311381709 ecr 3311113079], length 0
            0x0000:  4500 0034 a43b 4000 4006 5d7d 0a75 9210  E..4.;@.@.]}.u..
            0x0010:  0a75 9211 18eb bd07 6a58 4e41 bda4 dc03  .u......jXNA....
            0x0020:  8010 0039 4a43 0000 0101 080a c55f accd  ...9JC......._..
            0x0030:  c55b 9377                                .[.w
    19:51:15.050938 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [P.], seq 1:47, ack 1, win 70, options [nop,nop,TS val 3311384696 ecr 3311381709], length 46
            0x0000:  4500 0062 6a77 4000 4006 9713 0a75 9211  E..bjw@.@....u..
            0x0010:  0a75 9210 bd07 18eb bda4 dc03 6a58 4e41  .u..........jXNA
            0x0020:  8018 0046 7951 0000 0101 080a c55f b878  ...FyQ......._.x
            0x0030:  c55f accd 2a34 0d0a 2436 0d0a 7a72 616e  ._..*4..$6..zran
            0x0040:  6765 0d0a 2439 0d0a 7061 6765 5f72 616e  ge..$9..page_ran
            0x0050:  6b0d 0a24 310d 0a30 0d0a 2432 0d0a 2d31  k..$1..0..$2..-1
            0x0060:  0d0a                                     ..
    19:51:15.050951 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [.], ack 47, win 57, options [nop,nop,TS val 3311383341 ecr 3311384696], length 0
            0x0000:  4500 0034 a43c 4000 4006 5d7c 0a75 9210  E..4.<@.@.]|.u..
            0x0010:  0a75 9211 18eb bd07 6a58 4e41 bda4 dc31  .u......jXNA...1
            0x0020:  8010 0039 1eb0 0000 0101 080a c55f b32d  ...9........._.-
            0x0030:  c55f b878                                ._.x
    19:51:15.050973 IP 10.117.146.16.6379 > 10.117.146.17.48391: Flags [P.], seq 1:51, ack 47, win 57, options [nop,nop,TS val 3311383341 ecr 3311384696], length 50
            0x0000:  4500 0066 a43d 4000 4006 5d49 0a75 9210  E..f.=@.@.]I.u..
            0x0010:  0a75 9211 18eb bd07 6a58 4e41 bda4 dc31  .u......jXNA...1
            0x0020:  8018 0039 3964 0000 0101 080a c55f b32d  ...99d......._.-
            0x0030:  c55f b878 2a33 0d0a 2438 0d0a 6269 6e67  ._.x*3..$8..bing
            0x0040:  2e63 6f6d 0d0a 2439 0d0a 6261 6964 752e  .com..$9..baidu.
            0x0050:  636f 6d0d 0a24 3130 0d0a 676f 6f67 6c65  com..$10..google
            0x0060:  2e63 6f6d 0d0a                           .com..
    19:51:15.051002 IP 10.117.146.17.48391 > 10.117.146.16.6379: Flags [.], ack 51, win 70, options [nop,nop,TS val 3311384696 ecr 3311383341], length 0
            0x0000:  4500 0034 6a78 4000 4006 9740 0a75 9211  E..4jx@.@..@.u..
            0x0010:  0a75 9210 bd07 18eb bda4 dc31 6a58 4e73  .u.........1jXNs
            0x0020:  8010 0046 1e71 0000 0101 080a c55f b878  ...F.q......._.x
            0x0030:  c55f b32d                                ._.-

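    From the output above, we can see that although both packets are Sync, their directions are opposite: the first Sync goes from 17 to 16 and sends the request, and the second Sync goes from 16 to 17 and returns the result. The seq label in the packet, "seq 1:51", has also increased a lot, which shows that the packet is fairly long.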
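
    The payload of the two [P.] (PSH, ACK) packets above is the Redis wire protocol (RESP) in cleartext, so anyone who can capture this traffic can read both the command and the returned data. The Python below is an added example, not part of the original post: it rebuilds each packet from the `-X` hex dump, strips the IPv4 and TCP headers using their own length fields, and decodes the RESP payload. The function names are chosen for this example, and it assumes the dump starts at the IPv4 header, as it does in this capture.

```python
import re
# tcpdump -X output of the two [P.] packets in the capture above (IPv4 header first).
REQUEST = """
0x0000:  4500 0062 6a77 4000 4006 9713 0a75 9211  E..bjw@.@....u..
0x0010:  0a75 9210 bd07 18eb bda4 dc03 6a58 4e41  .u..........jXNA
0x0020:  8018 0046 7951 0000 0101 080a c55f b878  ...FyQ......._.x
0x0030:  c55f accd 2a34 0d0a 2436 0d0a 7a72 616e  ._..*4..$6..zran
0x0040:  6765 0d0a 2439 0d0a 7061 6765 5f72 616e  ge..$9..page_ran
0x0050:  6b0d 0a24 310d 0a30 0d0a 2432 0d0a 2d31  k..$1..0..$2..-1
0x0060:  0d0a                                     ..
"""
RESPONSE = """
0x0000:  4500 0066 a43d 4000 4006 5d49 0a75 9210  E..f.=@.@.]I.u..
0x0010:  0a75 9211 18eb bd07 6a58 4e41 bda4 dc31  .u......jXNA...1
0x0020:  8018 0039 3964 0000 0101 080a c55f b32d  ...99d......._.-
0x0030:  c55f b878 2a33 0d0a 2438 0d0a 6269 6e67  ._.x*3..$8..bing
0x0040:  2e63 6f6d 0d0a 2439 0d0a 6261 6964 752e  .com..$9..baidu.
0x0050:  636f 6d0d 0a24 3130 0d0a 676f 6f67 6c65  com..$10..google
0x0060:  2e63 6f6d 0d0a                           .com..
"""

def dump_to_bytes(dump):  # hex columns -> raw packet bytes; ASCII column ignored
    cols = re.findall(r"(?m)^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} )+)", dump)
    return bytes.fromhex("".join(cols).replace(" ", ""))

def tcp_payload(pkt):
    ihl = (pkt[0] & 0x0F) * 4                # IPv4 header length in bytes
    total = int.from_bytes(pkt[2:4], "big")  # IPv4 total length
    doff = (pkt[ihl + 12] >> 4) * 4          # TCP header length, options included
    return pkt[ihl + doff:total]

def parse_resp(buf, pos=0):  # one RESP value at pos -> (value, next_pos)
    end = buf.index(b"\r\n", pos)
    kind, head, pos = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"*":                         # array: that many values follow
        items = []
        for _ in range(int(head)):
            item, pos = parse_resp(buf, pos)
            items.append(item)
        return items, pos
    if kind == b"$":                         # bulk string: N bytes, then CRLF
        n = int(head)
        return buf[pos:pos + n].decode("utf-8", "replace"), pos + n + 2
    if kind in (b"+", b"-", b":"):           # simple string, error, integer
        return head.decode(), pos
    raise ValueError(f"unexpected RESP type byte {kind!r}")

def decode(dump):
    return parse_resp(tcp_payload(dump_to_bytes(dump)))[0]
```

    `decode(REQUEST)` returns the command as the client sent it, and `decode(RESPONSE)` returns the three members of the sorted set; the payload lengths match the `length 46` and `length 50` that tcpdump prints.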

  • Original article: https://www.cnblogs.com/charlesblc/p/5943568.html