
To do a job well, first sharpen your tools: capture packets on the network.

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Packet capture means intercepting and analyzing the packets a network sends and receives; a capture can even be used for forwarding, replay, and so on. It is useful in many situations, such as debugging, verification, testing, and peeking at what the kernel is doing. A few examples will illustrate this.

Scenario 1. The SNMP service has been enabled on a storage system, and you want to verify that the service really started by checking whether UDP ports 161/162 are listening.

Details: the simplest method is to log in to the storage OS and run `netstat -anop` to look at the UDP port state. Some people will reflexively suggest telnet, or a port scan with nmap, but the nmap result comes back as open|filtered, and what does that tell you? Unless you read up on how these tools work, you cannot interpret their output, and reference material is not always there; for example, the state column that netstat shows for a UDP port is simply empty. What does that mean? Capturing packets on the network can help here. Capture while running telnet and you will see that telnet sends a TCP SYN which the peer immediately answers with a RST, so the telnet suggestion is wrong: using TCP to verify whether a UDP port is listening goes in exactly the opposite direction. Likewise, capture while nmap runs its scan and you will see that the UDP scan relies on ICMP replies to determine the port state. If the port is closed, the peer returns ICMP port unreachable. And if no ICMP comes back at all? That means there is packet-filtering logic somewhere in the path, which is why the nmap scan shows open|filtered: nmap cannot confirm the port state either, because no ICMP message was returned. So the nmap result cannot settle the state of the port, and other measures are needed. That, however, is not the focus of this scenario; the point is that capturing packets lets you see how an application actually behaves.

Summary: there are many ways to judge the state of a port, but whether you picked the right one is something a packet capture can tell you, because it shows you what an application really does and helps you find out why.
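The three verdicts described above (a reply, an ICMP port unreachable, or silence) can be reproduced locally. The following is an added example, not code from the original article: it probes three constructed loopback cases with a connected UDP socket, which makes the kernel surface an ICMP port unreachable as a connection-refused error, and classifies each the way a scanner has to, purely from what comes back. The echo listener, the silent listener and the helper names are assumptions made for the demonstration; a real SNMP agent would need a well-formed SNMP request before it replied.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"


def probe_udp(host, port, payload=b"probe", timeout=1.0):
    """Classify a UDP port from the response alone.

    "open"           a datagram came back, so something is listening and replied
    "closed"         the peer answered ICMP port unreachable; on a connected UDP
                     socket the kernel reports it as ConnectionRefusedError
    "open|filtered"  nothing came back: a listener that stays silent, a firewall
                     dropping the probe or the reply, or rate-limited ICMP all look
                     identical from here, which is exactly nmap's dilemma
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # connect() on a UDP socket sends nothing; it tells the kernel to deliver
        # ICMP errors for this destination back to this socket.
        sock.connect((host, port))
        sock.send(payload)
        sock.recv(1024)
        return "open"
    except (ConnectionRefusedError, ConnectionResetError):
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        sock.close()


def start_udp_echo(host=LOOPBACK):
    """Constructed stand-in for a service that answers requests.
    Returns (stop_event, port); the listener runs in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(1024)
            except socket.timeout:
                continue
            except OSError:
                break
            srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, srv.getsockname()[1]


def bind_silent_udp(host=LOOPBACK):
    """Constructed stand-in for a listener that never answers (for SNMP, think of an
    agent that silently discards a probe with the wrong community). Returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    return srv, srv.getsockname()[1]


def unused_udp_port(host=LOOPBACK):
    """Pick a port nobody is bound to, so the kernel answers ICMP port unreachable."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe the three local cases and return the verdict for each."""
    stop, echo_port = start_udp_echo()
    silent_sock, silent_port = bind_silent_udp()
    closed_port = unused_udp_port()
    try:
        return {
            "replying listener": probe_udp(LOOPBACK, echo_port),
            "silent listener": probe_udp(LOOPBACK, silent_port, timeout=0.5),
            "no listener": probe_udp(LOOPBACK, closed_port),
        }
    finally:
        stop.set()
        silent_sock.close()


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Run it with a capture filter such as `udp or icmp` on the loopback interface and the three cases show up as a reply, an ICMP port unreachable, and nothing at all; the silent listener is the one a scanner cannot tell apart from a firewall, which is why open|filtered is the honest answer.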

Scenario 2. Communication between an application and its server is found to be very slow.

Details: this scenario makes a good example because packet capture and TCP analysis lead almost directly to the cause of the problem. By analyzing the TCP segments we found a change in the traffic pattern: the delay grew from a normal few ms to more than a dozen ms, and later in the traffic we saw Window Full and finally ZeroWindow messages. Anyone familiar with TCP will recognize at once that the receiver's processing capacity is the problem: it cannot drain its TCP receive buffer in time, so the queue keeps getting longer, and according to Little's Law and the Utilization Law the response time increases exponentially, which is exactly the change in response time we observed. Some people asked whether the switch or router in the middle could be overloaded in the same way. Of course it could, but that was not the problem in our case. Why? Because the capture showed no retransmissions at all.

Summary: in this case the capture helps you rule out what looks most like a network problem, and TCP's own behavior points clearly at the real one.
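The reasoning in this scenario (ACK delay creeping up, Window Full, then ZeroWindow, and no retransmissions to implicate the path) can be turned into a small checker. The block below is an added example, not code from the original article: it runs a simplified version of the expert checks an analyzer like Wireshark applies over a constructed capture with relative sequence numbers, measures how long each data segment waits for its ACK, flags Window Full, ZeroWindow and retransmissions, and draws the same conclusion the article draws. The capture, field layout and function names are all assumptions made for the demonstration.

```python
# Constructed capture, relative sequence numbers as an analyzer would display them.
# Fields: (time_s, direction, seq, payload_len, ack, advertised_window)
# "C>S" is the client pushing data, "S>C" is the server acknowledging it.
CAPTURE = [
    (0.000, "C>S", 1,    1000, 1,    65535),
    (0.002, "S>C", 1,    0,    1001, 4000),   # fast ACK, healthy receiver
    (0.003, "C>S", 1001, 1000, 1,    65535),
    (0.004, "C>S", 2001, 1000, 1,    65535),
    (0.005, "C>S", 3001, 1000, 1,    65535),
    (0.006, "C>S", 4001, 1000, 1,    65535),  # 4000 bytes unacked == window
    (0.020, "S>C", 1,    0,    3001, 2000),   # ACKs slowing down, window shrinking
    (0.045, "S>C", 1,    0,    5001, 0),      # receive buffer full
    (0.300, "S>C", 1,    0,    5001, 4000),   # window update, 255 ms later
    (0.301, "C>S", 5001, 1000, 1,    65535),
    (0.340, "S>C", 1,    0,    6001, 4000),
]


def analyze(segments, initial_seq=1):
    """Return (events, ack_delays_ms) for a client-to-server data flow.

    events         list of (time, label) with label in
                   {"Window Full", "ZeroWindow", "Retransmission"}
    ack_delays_ms  one sample per data segment: time until an ACK covered it
    """
    events, ack_delays_ms = [], []
    last_ack, last_win = initial_seq, None   # receiver's latest ACK and window
    next_seq = initial_seq                   # first byte the client has not sent yet
    in_flight = []                           # (end_seq, send_time) awaiting an ACK
    for t, direction, seq, length, ack, win in segments:
        if direction == "C>S" and length:
            if seq < next_seq:
                # Bytes below next_seq were already sent once: a retransmission.
                events.append((t, "Retransmission"))
            else:
                next_seq = seq + length
                in_flight.append((next_seq, t))
            # Unacked bytes reaching the advertised window: the sender must stop.
            if last_win is not None and next_seq - last_ack >= last_win:
                events.append((t, "Window Full"))
        elif direction == "S>C":
            last_ack, last_win = ack, win
            if win == 0:
                events.append((t, "ZeroWindow"))
            remaining = []
            for end_seq, sent_at in in_flight:
                if end_seq <= ack:
                    ack_delays_ms.append(round((t - sent_at) * 1000, 1))
                else:
                    remaining.append((end_seq, sent_at))
            in_flight = remaining
    return events, ack_delays_ms


def diagnose(events):
    """Map the flagged events to where to look next, as the article argues."""
    kinds = {label for _, label in events}
    if "Retransmission" in kinds:
        return "segments lost in transit: look at the network path"
    if "ZeroWindow" in kinds or "Window Full" in kinds:
        return "receiver cannot drain its buffer: look at the receiving host"
    return "no TCP-level symptoms"


if __name__ == "__main__":
    events, delays = analyze(CAPTURE)
    print("ACK delays (ms):", delays)
    for t, label in events:
        print(f"{t:7.3f}s  {label}")
    print(diagnose(events))
```

The delay samples climb from 2 ms to around 40 ms while no retransmission appears, and the Window Full and ZeroWindow flags land on the receiver side; the same logic applied to a capture with duplicated sequence numbers would instead point at the path.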

Finally, a few suggestions:

Network packets tell you the truth most of the time, so learning to use them well is worth the effort.

The packets tell you what happened, not why it happened. Understanding protocol behavior and doing the analysis is your job.

Don't rely on the documentation alone; capture the packets, because the truth may differ from what the document says.

Faced with a huge volume of packets, you need to train your eyes and your brain to filter out the messages that matter.

TCP is actually a good guy. Don't blame it all the time. Understand it and analyze it, and you will find that most of the time the fault lies somewhere else.

The new generation of data center network is very complex, and good tools will help you solve many problems.
