• network / Wireshark



    wireshark 

    http://ftp.yz.yamagata-u.ac.jp/pub/network/security/wireshark/osx/

    https://1.na.dl.wireshark.org/osx/Wireshark%203.2.3%20Intel%2064.dmg

    TCP three-way handshake:

    https://www.iteye.com/blog/uule-2213562

    Client -- sends a packet with the SYN flag -- first handshake -- Server
    Server -- sends a packet with the SYN/ACK flags -- second handshake -- Client
    Client -- sends a packet with the ACK flag -- third handshake -- Server

    Network flap case 1: a user requesting the URL http://xxx.com/img/login.gif gets the error below, together with the related alert

    Alert:

    System: 炮友系统
    Owner: ***
    Software: nginx 1.14.0
    Alert content: host 10.108.76.238, url http://10.108.76.238:80/img/login.gif failed
    Server IP: 10.108.83.179
    Environment: PRD
    LDC: US data center
    Severity: critical
    Alert time: 2020-04-03 12:23:13
    Current time: 2020-04-03 12:23:28
    Monitored item: Response code for step "web_cmdb_281_3476" of scenario "web_cmdb_281_3476".
    Latest value: 502

    Error message:

    http://10.108.76.238:80/img/login.gif

    An error occurred.
    Sorry, the page you are looking for is currently unavailable.
    Please try again later.
    If you are the system administrator of this resource then you should check the error log for details.
    Faithfully yours, nginx.

    Similar to the following:

    Case analysis:

    System architecture: nginx + jboss

    Client: nginx == 10.108.76.238, port 21274

    Server: jboss == 10.97.4.120, port 8080

    nginx-side capture: the client 10.108.76.238 sends a SYN to the server 10.97.4.120 and then waits almost a full second with nothing coming back (14:49:44 ~ 14:49:45). Whatever the server was busy with, the client hits its 1-second timeout and retransmits the SYN, which Wireshark marks as a TCP Retransmission of the SYN.

    Wireshark display filter "tcp.port == 21274":

    1069 2020-04-03 14:49:44.764367 10.108.76.238 10.97.4.120 TCP 74 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1183650131 TSecr=0 WS=128

    1080 2020-04-03 14:49:45.764323 10.108.76.238 10.97.4.120 TCP 74 [TCP Retransmission] 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1183651131 TSecr=0 WS=128

    jboss-side capture: the server 10.97.4.120 received the SYN from the client 10.108.76.238 and replied with a SYN/ACK. Did that SYN/ACK never make it across? While the server sat idle for a second and the H3C switch was busy with something, the server received an RST carrying the client's address (frame 29903 below), which tears the half-open connection down and forces a fresh handshake. The last frame is marked TCP ACKed unseen segment (the segment this ACK acknowledges was not seen in the capture).

    During connection setup nginx sent a SYN; jboss received it, replied with a SYN/ACK, and then received an RST. nginx never received jboss's SYN/ACK (its own capture shows only the SYN and its retransmission), so one second later nginx retransmitted the SYN, and jboss received the retransmitted SYN.

    Wireshark display filter "tcp.port == 21274":

    29901 2020-04-03 14:49:44.846688 10.108.76.238 10.97.4.120 TCP 74 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1183650131 TSecr=0 WS=128
    29902 2020-04-03 14:49:44.846705 10.97.4.120 10.108.76.238 TCP 66 8080 → 21274 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=512
    29903 2020-04-03 14:49:44.846891 10.108.76.238 10.97.4.120 TCP 60 21274 → 8080 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    30061 2020-04-03 14:49:45.846487 10.108.76.238 10.97.4.120 TCP 74 [TCP Retransmission] 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1183651131 TSecr=0 WS=128
    30062 2020-04-03 14:49:45.846499 10.97.4.120 10.108.76.238 TCP 66 [TCP Previous segment not captured] [TCP Port numbers reused] 8080 → 21274 [SYN, ACK] Seq=15621811 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=512
    30063 2020-04-03 14:49:45.846599 10.108.76.238 10.97.4.120 TCP 60 [TCP ACKed unseen segment] 21274 → 8080 [RST, ACK] Seq=1 Ack=15621812 Win=0 Len=0
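    To make the comparison of the two captures above mechanical, and to show what the three-way handshake from the top of the page looks like when it goes wrong, here is an added Python example (not code from the original post). It parses the one-line Wireshark summaries (constructed here from the frames listed above, trimmed to the columns the parser needs) and flags the three symptoms: a SYN retransmitted with no SYN/ACK ever seen, a SYN/ACK reset within microseconds, and RSTs that reach the server although the client's own capture never sent them.

```python
import re
from datetime import datetime

# Constructed input: the Wireshark summary lines from the case above, trimmed to
# frame, timestamp, src, dst, proto, length and the info column.
NGINX_SIDE = """\
1069 2020-04-03 14:49:44.764367 10.108.76.238 10.97.4.120 TCP 74 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0
1080 2020-04-03 14:49:45.764323 10.108.76.238 10.97.4.120 TCP 74 [TCP Retransmission] 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0
"""
JBOSS_SIDE = """\
29901 2020-04-03 14:49:44.846688 10.108.76.238 10.97.4.120 TCP 74 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0
29902 2020-04-03 14:49:44.846705 10.97.4.120 10.108.76.238 TCP 66 8080 → 21274 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0
29903 2020-04-03 14:49:44.846891 10.108.76.238 10.97.4.120 TCP 60 21274 → 8080 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
30061 2020-04-03 14:49:45.846487 10.108.76.238 10.97.4.120 TCP 74 [TCP Retransmission] 21274 → 8080 [SYN] Seq=0 Win=14600 Len=0
30062 2020-04-03 14:49:45.846499 10.97.4.120 10.108.76.238 TCP 66 [TCP Previous segment not captured] [TCP Port numbers reused] 8080 → 21274 [SYN, ACK] Seq=15621811 Ack=1 Win=14600 Len=0
30063 2020-04-03 14:49:45.846599 10.108.76.238 10.97.4.120 TCP 60 [TCP ACKed unseen segment] 21274 → 8080 [RST, ACK] Seq=1 Ack=15621812 Win=0 Len=0
"""
# frame, "date time", src, dst, TCP, length, [expert notes]..., sport → dport [FLAGS]
PKT = re.compile(r"^(\d+) (\S+ \S+) (\S+) (\S+) TCP \d+ (?:\[[^\]]*\] )*(\d+) → (\d+) \[([A-Z, ]+)\]")

def parse(text):
    """Parse summary lines into dicts with a datetime and a set of TCP flags."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue  # skip anything that is not a TCP summary line
        no, ts, src, dst, sport, dport, flags = m.groups()
        pkts.append({"no": int(no), "t": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                     "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
                     "flags": {f.strip() for f in flags.split(",")}})
    return pkts

def handshake_findings(client_side, server_side, client_ip):
    """Compare both views of one handshake; list what a healthy SYN -> SYN/ACK -> ACK never shows."""
    findings = []
    # 1) client view: SYN retransmitted although no SYN/ACK ever arrived
    syns = [p for p in client_side if p["flags"] == {"SYN"}]
    if len(syns) > 1 and not any(p["flags"] == {"SYN", "ACK"} for p in client_side):
        gap = (syns[1]["t"] - syns[0]["t"]).total_seconds()
        findings.append(f"client retransmitted SYN after {gap:.3f}s without seeing a SYN/ACK")
    # 2) server view: SYN/ACK answered by an RST within 1 ms, far below any real client round trip
    for p, nxt in zip(server_side, server_side[1:]):
        if p["flags"] == {"SYN", "ACK"} and "RST" in nxt["flags"] and (nxt["t"] - p["t"]).total_seconds() < 1e-3:
            us = (nxt["t"] - p["t"]).total_seconds() * 1e6
            findings.append(f"frame {nxt['no']}: SYN/ACK reset after {us:.0f}us")
    # 3) cross-check: RSTs carrying the client's address that the client capture never sent
    sent = sum(1 for p in client_side if p["src"] == client_ip and "RST" in p["flags"])
    seen = sum(1 for p in server_side if p["src"] == client_ip and "RST" in p["flags"])
    if seen > sent:
        findings.append(f"{seen - sent} RST(s) reached the server that the client never sent")
    return findings
```

    Running handshake_findings(parse(NGINX_SIDE), parse(JBOSS_SIDE), "10.108.76.238") yields four findings; the third kind is the one that points away from nginx and jboss and toward the path between them.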

    Supporting evidence:

    [root@sftssitapp254 ~]# curl -I http://xxx.com/img/login.gif
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Apr 2020 06:57:19 GMT
    Content-Type: image/gif
    Content-Length: 2317
    Connection: keep-alive
    Set-Cookie: route=2b27f67f7ef49b5a61ced2052713ac97; Path=/
    X-Powered-By: SNMW-WEB1.0
    Content-Disposition: 
    Accept-Ranges: bytes
    Last-Modified: Thu, 09 Apr 2020 08:35:32 GMT
    
    Probing again fails:
    [root@sftssitapp254 ~]# curl -I http://xxx.com/img/login.gif
    curl: (7) couldn't connect to host
    
    Probing again fails:
    [root@sftssitapp254 ~]# curl -I http://xxx.com:80
    curl: (7) couldn't connect to host
    Probing again fails:
    [root@sftssitapp254 ~]# curl -I http://10.97.4.120:8080
    curl: (7) couldn't connect to host

    Root cause: on the H3C aggregation switch, the underlying PBR (policy-based routing) rules were matched in the wrong order; this is a bug in the hardware chip's SDK driver.

    Temporary workaround: remove and re-apply the PBR bindings on the device's interfaces, and freeze the device's ACL permission control so that no new business network access is added.

    Long-term fix: upgrade the device to version R7585P07, which costs a single network outage of about 1 minute.

    Meaning of common Wireshark capture hints

    https://www.cnblogs.com/tcheng/p/6018988.html

    https://blog.csdn.net/chenlycly/article/details/52402945

    1.【Packet size limited during capture】
    The captured packet was truncated by the capture length limit, i.e. the packet was not captured in full.

    2.【TCP Previous segment not captured】
    The preceding segment was not captured: the missing data never appears anywhere in the capture (which rules out simple reordering).

    3.【TCP ACKed unseen segment】
    The segment being acknowledged was not captured.

    4.【TCP Out-of-Order】
    TCP segments arrived out of order.

    5.【TCP Dup ACK】
    Duplicate ACK.

    6.【TCP Fast Retransmission】
    Fast retransmission.

    7.【TCP Retransmission】
    Retransmission after timeout.

    8.【TCP ZeroWindow】
    The receiver tells the sender to stop sending data (its receive window is zero).

    9.【TCP Window Full】
    The sender of this packet has exhausted the receive window advertised by the peer.

    10.【TCP segment of a reassembled PDU】
    TCP segments that belong to the same application-layer PDU can be virtually grouped together.

    11.【Continuation to #】

    12.【Time-to-live exceeded (Fragment reassembly time exceeded)】
    Fragment reassembly timed out.

    Problem 1: EPSV ALL / 425 Data connection failed

    220 connect to sdoss ftp ok
    USER sospdm/sospdm/ftpcmf
    331 User name ok, password required
    PASS ftpcmf
    230 Password ok, continue
    TYPE I
    200 Type set to binary
    CWD /sospdm
    250 Directory changed to /sospdm
    TYPE I
    200 Type set to binary
    EPSV ALL
    425 Data connection failed
    PASV
    227 Entering Passive Mode (10,243,117,249,13,155)  

    Solution 1:

    Disable EPSV mode (in the session above, the PASV that follows the failed EPSV ALL succeeds).
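    As an added example (not the original post's code) of what disabling EPSV changes on the client side: the snippet below parses the 227 PASV reply from the session above into a host and port, parses a 229 EPSV reply for comparison, and negotiates the data endpoint with or without the EPSV attempt. The control channel is a constructed fake that returns canned replies; it answers a plain EPSV with the same 425 that the session above got for EPSV ALL, which is an assumption.

```python
import re

# Constructed replies mirroring the session above: the EPSV attempt is refused
# with 425 and PASV answers with a 227 line carrying host and port as six bytes.
REPLIES = {
    "EPSV": "425 Data connection failed",
    "PASV": "227 Entering Passive Mode (10,243,117,249,13,155)",
}
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")

def parse_pasv(reply):
    """227 reply -> (host, port): four address bytes, then port = hi * 256 + lo."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        return None
    h1, h2, h3, h4, hi, lo = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", hi * 256 + lo

def parse_epsv(reply, control_host):
    """229 reply -> (host, port): EPSV carries only the port, the host is the control host."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        return None
    return control_host, int(m.group(1))

def make_session(replies):
    """Fake control channel (constructed): records commands sent, returns canned replies."""
    sent = []
    def send(cmd):
        sent.append(cmd)
        return replies.get(cmd, "500 Unknown command")
    return send, sent

def open_data_endpoint(send, control_host, use_epsv=True):
    """Negotiate a passive data endpoint. With use_epsv=False the EPSV round trip is
    skipped entirely, which is the workaround the post applies."""
    if use_epsv:
        ep = parse_epsv(send("EPSV"), control_host)
        if ep:
            return ep  # server supports EPSV, done
    return parse_pasv(send("PASV"))  # fall back to classic PASV
```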

    end

  • Original URL: https://www.cnblogs.com/lindows/p/11674905.html