root@ury:~# IP=192.168.1.193
root@ury:~# LOG=/tmp/wa.log
root@ury:~# > $LOG
root@ury:~#
root@ury:~# echo "=== START TCPDUMP — БАБУШКА СЕЙЧАС ОТКРОЕТ WHATSAPP И ПОПЫТАЕТСЯ НАПИСАТЬ СООБЩЕНИЕ ==="
=== START TCPDUMP — БАБУШКА СЕЙЧАС ОТКРОЕТ WHATSAPP И ПОПЫТАЕТСЯ НАПИСАТЬ СООБЩЕНИЕ ===
root@ury:~# tcpdump -i br-lan -nn -tt -l "host $IP" > $LOG 2>&1 &
ID=$root@ury:~# TCPID=$!
root@ury:~# echo "tcpdump pid=$TCPID, жду 40 секунд..."
tcpdump pid=8222, жду 40 секунд...
root@ury:~# sleep 40
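# Post-capture summary of the tcpdump log.
# Expects IP (the monitored host) and LOG (path of the tcpdump -nn -tt
# output) to be set by the caller. Both expansions are quoted so a path
# with spaces or glob characters is passed as one argument.
# The lone "head -15" fragment left over from the wrapped paste is dropped:
# with no file argument it would block reading the terminal.
echo "=== TOP DEST IPs ==="
# $3 is the source endpoint (addr.port), $5 the destination endpoint, which
# tcpdump prints with a trailing ':'. The ':' must be stripped first, otherwise
# the port-stripping regex never matches and the port stays in the key.
# index(...) == 1 requires $3 to start with "<IP>." exactly, instead of the
# regex match in which the dots of ip are wildcards.
awk -v ip="$IP" 'index($3, ip ".") == 1 { sub(/:$/, "", $5); sub(/\.[0-9]+$/, "", $5); print $5 }' "$LOG" \
  | sort | uniq -c | sort -rn | head -15
echo "=== UNIQUE PORTS HER PHONE TRIES ==="
# Same source filter; last dot-separated field of the destination is the port.
awk -v ip="$IP" 'index($3, ip ".") == 1 { sub(/:$/, "", $5); n = split($5, a, "."); print a[n] }' "$LOG" \
  | sort -u | head -20
echo "=== FIRST 40 LINES ==="
head -40 "$LOG"
echo "=== COUNTERS NOW ==="
# stderr is dropped deliberately: nft may be unavailable or the table absent,
# in which case this section simply prints nothing.
nft list table inet PodkopTable 2>/dev/null | grep -E 'mark set 0x00100000 counter' | head -8
echo "=== DONE ==="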
root@ury:~# kill $TCPID 2>/dev/null
root@ury:~# sleep 1
[1]+ Done tcpdump -i br-lan -nn -tt -l "host ${IP}" 1>${LOG} 2>&1
root@ury:~#
root@ury:~# echo "=== captured lines ==="
=== captured lines ===
root@ury:~# wc -l < $LOG
589
root@ury:~#
root@ury:~# echo "=== DNS REQUESTS (port 53) ==="
=== DNS REQUESTS (port 53) ===
root@ury:~# grep '\.53 ' $LOG | head -15
1777653398.325538 IP 1.0.0.1.53 > 192.168.1.193.35264: 18443 3/1/0 CNAME stun.voip.dyn.blackberry.net., CNAME eu-default-stun-voip-azure.dyn.blackberry.net., CNAME eu-stun-voip-azure.dyn.blackberry.net. (236)
1777653398.367743 IP 1.0.0.1.53 > 192.168.1.193.58051: 23189 4/0/0 CNAME stun.voip.dyn.blackberry.net., CNAME eu-default-stun-voip-azure.dyn.blackberry.net., CNAME eu-stun-voip-azure.dyn.blackberry.net., A 20.93.239.171 (174)
1777653398.367819 IP 1.0.0.1.53 > 192.168.1.193.36894: 4039 4/0/0 CNAME stun.voip.dyn.blackberry.net., CNAME eu-default-stun-voip-azure.dyn.blackberry.net., CNAME eu-stun-voip-azure.dyn.blackberry.net., A 20.93.239.174 (174)
1777653398.379015 IP 1.0.0.1.53 > 192.168.1.193.46827: 49544 3/1/0 CNAME stun.voip.dyn.blackberry.net., CNAME eu-default-stun-voip-azure.dyn.blackberry.net., CNAME eu-stun-voip-azure.dyn.blackberry.net. (236)
1777653398.677264 IP 1.1.1.1.53 > 192.168.1.193.60930: 23077 0/1/0 (98)
1777653398.692076 IP 1.1.1.1.53 > 192.168.1.193.54422: 16146 2/0/0 A 184.51.252.145, A 184.51.252.165 (68)
root@ury:~#
root@ury:~# echo "=== TOP DEST IPs ==="
=== TOP DEST IPs ===
root@ury:~# awk -v ip="$IP" '$3 ~ ip {sub(/\.[0-9]+$/, "", $5); print $5}' $LOG | sort | uniq -c | sort -rn | head -15
77 172.236.187.62.22:
16 198.18.0.8.443:
15 213.180.193.234.443:
14 8.211.3.52.443:
13 172.236.187.62:
12 149.154.167.50.443:
11 8.211.20.103.443:
11 184.51.252.165.443:
10 213.180.204.145.443:
10 213.180.193.226.443:
10 108.165.21.88.443:
9 156.251.67.241.443:
7 51.170.57.76.443:
7 146.190.207.227.53:
6 185.16.148.89.443:
root@ury:~#
root@ury:~# echo "=== UNIQUE PORTS HER PHONE TRIES ==="
=== UNIQUE PORTS HER PHONE TRIES ===
root@ury:~# awk -v ip="$IP" '$3 ~ ip {n=split($5,a,"."); print a[n]}' $LOG | sort -u | head -20
123:
19302:
22:
23:
3478:
350:
443:
509:
53:
553:
554:
62:
80:
82:
880:
8:
root@ury:~#
root@ury:~# echo "=== FIRST 40 LINES ==="
=== FIRST 40 LINES ===
root@ury:~# head -40 $LOG
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
1777653385.079681 IP 87.250.250.119.443 > 192.168.1.193.45660: Flags [.], ack 1845577705, win 166, options [nop,nop,TS val 2961725684 ecr 2304818360], length 0
1777653385.125069 IP 192.168.1.193.45660 > 87.250.250.119.443: Flags [.], ack 1, win 323, options [nop,nop,TS val 2304879801 ecr 2960806859], length 0
1777653388.778454 IP 87.250.250.119.443 > 192.168.1.193.45656: Flags [.], ack 4052103757, win 166, options [nop,nop,TS val 284856259 ecr 2304822048], length 0
1777653388.808215 IP 192.168.1.193.45656 > 87.250.250.119.443: Flags [.], ack 1, win 1644, options [nop,nop,TS val 2304883485 ecr 283937834], length 0
1777653388.839549 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [S], seq 3449456105, win 65535, options [mss 1460,sackOK,TS val 26607753 ecr 0,nop,wscale 8], length 0
1777653388.894087 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [S.], seq 3941602240, ack 3449456106, win 42340, options [mss 1452,nop,nop,sackOK,nop,wscale 9], length 0
1777653388.896612 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [.], ack 1, win 256, length 0
1777653388.903494 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [P.], seq 1:518, ack 1, win 256, length 517
1777653388.958142 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [.], ack 518, win 83, length 0
1777653388.959015 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [.], seq 1:1453, ack 518, win 83, length 1452
1777653388.960582 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [.], ack 1453, win 268, length 0
1777653388.960856 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [.], seq 1453:2905, ack 518, win 83, length 1452
1777653388.961767 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [.], ack 2905, win 279, length 0
1777653388.962692 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [P.], seq 2905:4097, ack 518, win 83, length 1192
1777653388.963393 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [.], ack 4097, win 291, length 0
1777653388.968851 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [P.], seq 4097:4611, ack 518, win 83, length 514
1777653388.971198 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [.], ack 4611, win 302, length 0
1777653388.976870 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [P.], seq 518:611, ack 4611, win 302, length 93
1777653389.031072 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [P.], seq 4611:4901, ack 611, win 83, length 290
1777653389.044256 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [P.], seq 611:1272, ack 4901, win 313, length 661
1777653389.100083 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [P.], seq 4901:5165, ack 1272, win 83, length 264
1777653389.100800 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [P.], seq 5165:5209, ack 1272, win 83, length 44
1777653389.100844 IP 8.211.20.103.443 > 192.168.1.193.43522: Flags [P.], seq 5209:5243, ack 1272, win 83, length 34
1777653389.103691 IP 192.168.1.193.43522 > 8.211.20.103.443: Flags [.], ack 5243, win 325, length 0
1777653389.975183 IP 192.168.1.193.38408 > 8.211.3.52.443: Flags [S], seq 737851719, win 65535, options [mss 1460,sackOK,TS val 2195949219 ecr 0,nop,wscale 8], length 0
1777653390.032275 IP 8.211.3.52.443 > 192.168.1.193.38408: Flags [S.], seq 3705274540, ack 737851720, win 42480, options [mss 1416,nop,nop,sackOK,nop,wscale 9], length 0
1777653390.033548 IP 192.168.1.193.38408 > 8.211.3.52.443: Flags [.], ack 1, win 256, length 0
1777653390.038109 IP 192.168.1.193.38408 > 8.211.3.52.443: Flags [P.], seq 1:518, ack 1, win 256, length 517
1777653390.086936 ARP, Request who-has 192.168.1.193 tell 192.168.1.1, length 28
1777653390.090378 ARP, Reply 192.168.1.193 is-at 62:39:99:d5:0b:4d, length 28
1777653390.096077 IP 8.211.3.52.443 > 192.168.1.193.38408: Flags [.], ack 518, win 83, length 0
1777653390.109417 IP 8.211.3.52.443 > 192.168.1.193.38408: Flags [.], seq 1:1417, ack 518, win 83, length 1416
1777653390.110858 IP 192.168.1.193.38408 > 8.211.3.52.443: Flags [.], ack 1417, win 268, length 0
1777653390.111325 IP 8.211.3.52.443 > 192.168.1.193.38408: Flags [.], seq 1417:2833, ack 518, win 83, length 1416
1777653390.112546 IP 192.168.1.193.38408 > 8.211.3.52.443: Flags [.], ack 2833, win 279, length 0
1777653390.113680 IP 8.211.3.52.443 > 192.168.1.193.38408: Flags [.], seq 2833:4249, ack 518, win 83, length 1416
1777653390.115005 IP 192.168.1.193.38408 > 8.211.3.52.443: Flags [.], ack 4249, win 290, length 0
1777653390.115242 IP 8.211.3.52.443 > 192.168.1.193.38408: Flags [P.], seq 4249:4318, ack 518, win 83, length 69
root@ury:~#
root@ury:~# echo "=== COUNTERS NOW ==="
=== COUNTERS NOW ===
root@ury:~# nft list table inet PodkopTable 2>/dev/null | grep -E 'mark set 0x00100000 counter' | head -8
iifname @interfaces ip daddr @podkop_subnets meta l4proto tcp meta mark set 0x00100000 counter packets 42102 bytes 24356384
iifname @interfaces ip daddr @podkop_subnets meta l4proto udp meta mark set 0x00100000 counter packets 27 bytes 11514
iifname @interfaces ip daddr 198.18.0.0/15 meta l4proto tcp meta mark set 0x00100000 counter packets 2545 bytes 438379
iifname @interfaces ip daddr 198.18.0.0/15 meta l4proto udp meta mark set 0x00100000 counter packets 5591 bytes 1954522
ip daddr @podkop_subnets meta l4proto tcp meta mark set 0x00100000 counter packets 0 bytes 0
ip daddr @podkop_subnets meta l4proto udp meta mark set 0x00100000 counter packets 0 bytes 0
ip daddr 198.18.0.0/15 meta l4proto tcp meta mark set 0x00100000 counter packets 37 bytes 3278
ip daddr 198.18.0.0/15 meta l4proto udp meta mark set 0x00100000 counter packets 0 bytes 0
root@ury:~#
root@ury:~# echo "=== DONE ==="
=== DONE ===
root@ury:~#