RabbiMQ 数据包分析

抓包分析

  1. 启动项目会提示,开启本地一个端口,通过该端口将数据发到 MQ (5672)
2021-08-29 21:03:33.592  INFO 67718 --- [           main] o.s.a.r.c.CachingConnectionFactory       : Created new connection: rabbitConnectionFactory#4417af13:0/SimpleConnection@44e93c1f [delegate=amqp://rabbit@192.168.1.188:5672/, localPort= 60934]

Provider: helloSun Aug 29 21:03:58 CST 2021
Consumer: helloSun Aug 29 21:03:58 CST 202
  1. 使用 tcpdump 抓包分析
seth:~ seth$ sudo tcpdump port 60934
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
21:03:58.060237 IP 192.168.1.188.amqp > 192.168.1.60.60934: Flags [P.], seq 1561319276:1561319292, ack 371193347, win 506, options [nop,nop,TS val 1505813439 ecr 729215406], length 16
21:03:58.064623 IP 192.168.1.188.amqp > 192.168.1.60.60934: Flags [P.], seq 16:168, ack 115, win 506, options [nop,nop,TS val 1505813443 ecr 729215409], length 152
21:03:58.119393 IP 192.168.1.188.amqp > 192.168.1.60.60934: Flags [.], ack 136, win 506, options [nop,nop,TS val 1505813498 ecr 729215421], length 0
21:04:03.591917 IP 192.168.1.188.amqp > 192.168.1.60.60934: Flags [P.], seq 168:176, ack 136, win 506, options [nop,nop,TS val 1505818970 ecr 729215421], length 8

tcpdump + wireshark

提示:-w参数可将抓包数据保存到文件(.cap)中,再用 wireshark 打开,这样分析会更方便快捷

seth:tmp seth$ sudo tcpdump port 56428 -w mq.cap
tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
^C8 packets captured
583 packets received by filter
0 packets dropped by kernel

image-20210829212204307

完整图片

image-20210829213025355

image-20210829213031361

image-20210829213040972

image-20210829213007307

image-20210829235134352

案例

当启动了客户端之后,抓包的窗口中就已经显示了抓到的报文,如下:

17:48:20.202499 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [S], seq 3257142365, win 65495, options [mss 65495,sackOK,TS val 1604396091 ecr 0,nop,wscale 7], length 0
17:48:20.202511 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [S.], seq 2103221418, ack 3257142366, win 65483, options [mss 65495,sackOK,TS val 1604396091 ecr 1604396091,nop,wscale 7], length 0
17:48:20.202520 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [.], ack 1, win 512, options [nop,nop,TS val 1604396091 ecr 1604396091], length 0

说明

  1. 21:03:58.060237 该数据报文被抓取的系统本地时间戳
  2. IP 网络层协议类型,这里是 IPv4,如果是 IPv6 协议,该字段值是 IP6
  3. 127.0.0.1.59466 > 127.0.0.1.8888 源IP:端口和目标IP:端口
  4. Flags [S] 这是报文的标志位,下文会用表格列出Flag与报文标志位的对应关系
  5. seq 3257142365 报文的序列号,可以看到这是一个随机数
  6. win 65495 发送方的窗口大小,窗口大小参考《计算机网络》这门课
  7. options [...] 这些是选项
  8. length 0 这是报文中数据部分的长度

Flag与报文标志位的对应关系

Flag 标志位
S SYN
. ACK
F FIN
P PSH
R RST
posted @ 2021-09-26 14:01  1766Af  阅读(196)  评论(0编辑  收藏  举报