Contents
  1. Specifying the bridge IP: --bip
  2. Adding routing rules
  3. Inspecting the result with packet capture
  4. Testing with a MySQL connection

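By default, a Docker container communicates with other network nodes through docker0, the virtual interface that Docker creates. Communication with other containers or processes on the same host is relatively simple: traffic only needs to be forwarded through docker0. Communication with containers on another host has to be forwarded through the local host's eth0 interface. This article demonstrates network communication between containers on different hosts with a worked example; the two test machines run Ubuntu 14.04 and Centos 7.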

Specifying the bridge IP: --bip

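By default, when the Docker daemon starts it automatically assigns a subnet to docker0, something like 172.17.0.1/16, so that a container automatically obtains an IP in that subnet when it starts, for example 172.17.0.2. For containers on different hosts, however, the subnet cannot be left to automatic assignment, because that leads to IP conflicts. The docker0 address therefore has to be configured first, using the following parameter to set the docker0 subnet: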

--bip 172.17.0.1/16

This parameter can be set in /etc/default/docker (Ubuntu) or /etc/sysconfig/docker (Centos), or passed directly when starting the Docker daemon, e.g. docker daemon --bip 172.17.0.1/16

After setting it, restart the Docker daemon; the docker0 address has now changed.

// Ubuntu 192.168.2.201
# root@Ubuntu-Asus [192.168.2.201] in ~ [13:57:25]
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 6c:71:d9:7d:ad:1d brd ff:ff:ff:ff:ff:ff
inet 192.168.2.201/24 brd 192.168.2.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 fe80::6e71:d9ff:fe7d:ad1d/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:08:03:7a:e6 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:8ff:fe03:7ae6/64 scope link
valid_lft forever preferred_lft forever
98: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 74:d0:2b:71:3a:73 brd ff:ff:ff:ff:ff:ff
// Centos 192.168.2.202
[root@Centos-L410 system]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether c8:0a:a9:c0:34:dc brd ff:ff:ff:ff:ff:ff
3: wlp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:24:d6:57:d7:a0 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.202/24 brd 192.168.2.255 scope global wlp5s0
valid_lft forever preferred_lft forever
inet6 fe80::224:d6ff:fe57:d7a0/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:38:14:f7:88 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:38ff:fe14:f788/64 scope link
valid_lft forever preferred_lft forever

At this point, however, containers on different hosts still cannot reach each other; routing rules have to be added.

Adding routing rules

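Containers on different hosts cannot reach each other because the hosts do not know how to route to the other side's container subnet, so routing rules have to be added. Add the following routes on 192.168.2.201 (Ubuntu, hereafter 201) and 192.168.2.202 (Centos, hereafter 202) respectively: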

// Ubuntu 192.168.2.201
# root@Ubuntu-Asus [192.168.2.201] in ~ [13:57:25]
$ route add -net 172.18.0.0/16 gw 192.168.2.202
// Centos 192.168.2.202
[root@Centos-L410 arnes]# route add -net 172.17.0.0/16 gw 192.168.2.201

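After adding the routes, containers on 202 can ping containers on 201, but the reverse direction still fails. The cause is that firewall rules block the traffic; the firewall rules on 202 need to be flushed, as follows: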

// Centos 192.168.2.202
[root@Centos-L410 arnes]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
[root@Centos-L410 arnes]# iptables -F
[root@Centos-L410 arnes]# iptables -t nat -F
[root@Centos-L410 arnes]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (0 references)
target prot opt source destination

Once this is done, the containers on both sides can ping each other in both directions.
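
Flushing with iptables -F and iptables -t nat -F, as in the listing above, leaves 202 with empty chains and ACCEPT policies, so the host's own INPUT filtering and Docker's NAT rules are gone as well. A narrower alternative, as an added example (not from the original post): insert only FORWARD rules that admit the peer's traffic to the local bridge. It assumes the REJECT rule in 202's FORWARD chain is what blocked new inbound connections; the interface names and addresses are the page's values for host 202, while the function names and the APPLY variable are made up for this example.

```shell
#!/bin/sh
# Added example: scoped FORWARD rules for host 202 instead of a full flush.
# Values are the page's; adjust them per host.
LAN_IF=wlp5s0              # NIC facing the peer host
BRIDGE_IF=docker0          # local Docker bridge
LOCAL_NET=172.18.0.0/16    # this host's --bip network
PEER_HOST=192.168.2.201    # peer host: its containers arrive masqueraded as this
PEER_NET=172.17.0.0/16     # peer's --bip network, seen if the peer does not NAT

# rule_spec SRC
# The rule body shared by check, insert and delete.
rule_spec() {
    echo "FORWARD -i $LAN_IF -o $BRIDGE_IF -s $1 -d $LOCAL_NET -j ACCEPT"
}

# peer_forward_rules ACTION   (ACTION is -C check, -I insert or -D delete)
# Prints one iptables command per permitted source; executes nothing.
peer_forward_rules() {
    case $1 in
        -C|-I|-D) ;;
        *) echo "unsupported action: $1" >&2; return 2 ;;
    esac
    for src in "$PEER_HOST" "$PEER_NET"; do
        echo "iptables $1 $(rule_spec "$src")"
    done
}

# apply_rules
# Inserts each rule at the top of FORWARD (ahead of the REJECT rule) unless an
# identical rule already exists. Runs iptables for real and needs root.
apply_rules() {
    for src in "$PEER_HOST" "$PEER_NET"; do
        # Word splitting of the rule spec is intended here.
        iptables -C $(rule_spec "$src") 2>/dev/null ||
            iptables -I $(rule_spec "$src")
    done
}

# Dry run by default: print the commands. Set APPLY=1 to change the firewall.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    peer_forward_rules -I
fi
```

Both 192.168.2.201 and 172.17.0.0/16 are listed as sources because the captures taken on 202 later in this article show 201's container traffic arriving with the host address 192.168.2.201.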

Inspecting the result with packet capture

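The capture tools are tshark and tcpdump. tcpdump is usually installed by default; tshark has to be installed manually: apt-get install tshark on Ubuntu, yum install wireshark on Centos. From the container on 201 (IP 172.17.0.2), ping the container on 202 (172.18.0.2). To avoid noise, send only a single packet. The result is as follows: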

// Container on Ubuntu, 172.17.0.2
root@8cd7c7950943:/# ping 172.18.0.2 -c 1
PING 172.18.0.2 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: icmp_seq=0 ttl=62 time=8.500 ms
--- 172.18.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.500/8.500/8.500/0.000 ms
// Ubuntu 192.168.2.201
# root@Ubuntu-Asus [192.168.2.201] in ~ [14:43:23]
$ tshark -i docker0
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
1 0.000000 172.17.0.2 -> 172.18.0.2 ICMP 98 Echo (ping) request id=0x000f, seq=0/0, ttl=64
2 0.005157 172.18.0.2 -> 172.17.0.2 ICMP 98 Echo (ping) reply id=0x000f, seq=0/0, ttl=62 (request in 1)
2 3 5.014861 02:42:08:03:7a:e6 -> 02:42:ac:11:00:02 ARP 42 Who has 172.17.0.2? Tell 172.17.0.1
4 5.014857 02:42:ac:11:00:02 -> 02:42:08:03:7a:e6 ARP 42 Who has 172.17.0.1? Tell 172.17.0.2
5 5.014891 02:42:08:03:7a:e6 -> 02:42:ac:11:00:02 ARP 42 172.17.0.1 is at 02:42:08:03:7a:e6
6 5.014897 02:42:ac:11:00:02 -> 02:42:08:03:7a:e6 ARP 42 172.17.0.2 is at 02:42:ac:11:00:02
6
# root@Ubuntu-Asus [192.168.2.201] in ~ [14:41:57]
$ tshark -i wlan0 -f icmp
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlan0'
1 0.000000 192.168.2.201 -> 172.18.0.2 ICMP 98 Echo (ping) request id=0x000f, seq=0/0, ttl=63
2 0.005101 172.18.0.2 -> 192.168.2.201 ICMP 98 Echo (ping) reply id=0x000f, seq=0/0, ttl=63 (request in 1)
2
// Centos 192.168.2.202
[root@Centos-L410 arnes]# tshark -i docker0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
1 0.000000000 192.168.2.201 -> 172.18.0.2 ICMP 98 Echo (ping) request id=0x000f, seq=0/0, ttl=62
2 0.000082760 172.18.0.2 -> 192.168.2.201 ICMP 98 Echo (ping) reply id=0x000f, seq=0/0, ttl=64 (request in 1)
3 5.011219748 02:42:38:14:f7:88 -> 02:42:ac:12:00:02 ARP 42 Who has 172.18.0.2? Tell 172.18.0.1
4 5.011242376 02:42:ac:12:00:02 -> 02:42:38:14:f7:88 ARP 42 Who has 172.18.0.1? Tell 172.18.0.2
5 5.011382404 02:42:38:14:f7:88 -> 02:42:ac:12:00:02 ARP 42 172.18.0.1 is at 02:42:38:14:f7:88
6 5.011285676 02:42:ac:12:00:02 -> 02:42:38:14:f7:88 ARP 42 172.18.0.2 is at 02:42:ac:12:00:02
[root@Centos-L410 arnes]# tshark -i wlp5s0 -f icmp
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp5s0'
1 0.000000000 192.168.2.201 -> 172.18.0.2 ICMP 98 Echo (ping) request id=0x000f, seq=0/0, ttl=63
2 0.000186751 172.18.0.2 -> 192.168.2.201 ICMP 98 Echo (ping) reply id=0x000f, seq=0/0, ttl=63 (request in 1)

As shown, the ping found the correct route. On 201's wlan0 and 202's wlp5s0 in particular, the route 192.168.2.201 -> 172.18.0.2 is clearly visible. The result of the reverse ping is slightly different:

// Container on Centos, 172.18.0.2
root@52e810043448:/# ping 172.17.0.2 -c 1
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=62 time=7.790 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 7.790/7.790/7.790/0.000 ms
// Ubuntu 192.168.2.201
# root@Ubuntu-Asus [192.168.2.201] in ~ [14:51:07]
$ tshark -i docker0
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
1 0.000000 172.18.0.2 -> 172.17.0.2 ICMP 98 Echo (ping) request id=0x000d, seq=0/0, ttl=62
2 0.000102 172.17.0.2 -> 172.18.0.2 ICMP 98 Echo (ping) reply id=0x000d, seq=0/0, ttl=64 (request in 1)
2 3 5.014688 02:42:08:03:7a:e6 -> 02:42:ac:11:00:02 ARP 42 Who has 172.17.0.2? Tell 172.17.0.1
4 5.014700 02:42:ac:11:00:02 -> 02:42:08:03:7a:e6 ARP 42 Who has 172.17.0.1? Tell 172.17.0.2
5 5.014725 02:42:08:03:7a:e6 -> 02:42:ac:11:00:02 ARP 42 172.17.0.1 is at 02:42:08:03:7a:e6
6 5.014716 02:42:ac:11:00:02 -> 02:42:08:03:7a:e6 ARP 42 172.17.0.2 is at 02:42:ac:11:00:02
6
# root@Ubuntu-Asus [192.168.2.201] in ~ [14:51:11]
$ tshark -i wlan0 -f icmp
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlan0'
1 0.000000 172.18.0.2 -> 172.17.0.2 ICMP 98 Echo (ping) request id=0x000d, seq=0/0, ttl=63
2 0.000159 172.17.0.2 -> 172.18.0.2 ICMP 98 Echo (ping) reply id=0x000d, seq=0/0, ttl=63 (request in 1)
2
// Centos 192.168.2.202
[root@Centos-L410 arnes]# tshark -i docker0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
1 0.000000000 172.18.0.2 -> 172.17.0.2 ICMP 98 Echo (ping) request id=0x000d, seq=0/0, ttl=64
2 0.007591503 172.17.0.2 -> 172.18.0.2 ICMP 98 Echo (ping) reply id=0x000d, seq=0/0, ttl=62 (request in 1)
3 5.012667429 02:42:38:14:f7:88 -> 02:42:ac:12:00:02 ARP 42 Who has 172.18.0.2? Tell 172.18.0.1
4 5.012658629 02:42:ac:12:00:02 -> 02:42:38:14:f7:88 ARP 42 Who has 172.18.0.1? Tell 172.18.0.2
5 5.012732729 02:42:38:14:f7:88 -> 02:42:ac:12:00:02 ARP 42 172.18.0.1 is at 02:42:38:14:f7:88
6 5.012751586 02:42:ac:12:00:02 -> 02:42:38:14:f7:88 ARP 42 172.18.0.2 is at 02:42:ac:12:00:02
[root@Centos-L410 arnes]# tshark -i wlp5s0 -f icmp
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp5s0'
1 0.000000000 172.18.0.2 -> 172.17.0.2 ICMP 98 Echo (ping) request id=0x000d, seq=0/0, ttl=63
2 0.007501200 172.17.0.2 -> 172.18.0.2 ICMP 98 Echo (ping) reply id=0x000d, seq=0/0, ttl=63 (request in 1)

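The difference from the previous case is that no route of the form 192.168.2.202 -> 172.17.0.2 appears; instead the capture shows 172.18.0.2 -> 172.17.0.2 directly. This needs further investigation. Using tcpdump gives the same results as above.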

In summary, during the ping the packets flow as follows: container on Ubuntu -> 201 docker0 -> 201 wlan0 -> 202 wlp5s0 -> 202 docker0 -> container on Centos.
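
The difference between the two directions can be read directly from the captures. The following added example (not from the original post) pairs each echo request seen on the sender's bridge with the same request on the sender's LAN interface and reports whether the source address was rewritten in between. The result is consistent with Docker's MASQUERADE rule still being present on 201 and having been removed on 202 by iptables -t nat -F; the page shows neither nat table, so that is an inference. The capture lines are copied from the tshark output in this article, and the function name nat_verdict is made up here.

```shell
#!/bin/sh
# Added example: compare the source address of one echo request before and
# after it leaves the sending host. Capture lines are copied from this page.

# 201 -> 202: request on 201's docker0, then on 201's wlan0
FWD_BRIDGE='1 0.000000 172.17.0.2 -> 172.18.0.2 ICMP 98 Echo (ping) request id=0x000f, seq=0/0, ttl=64'
FWD_LAN='1 0.000000 192.168.2.201 -> 172.18.0.2 ICMP 98 Echo (ping) request id=0x000f, seq=0/0, ttl=63'
# 202 -> 201: request on 202's docker0, then on 202's wlp5s0
REV_BRIDGE='1 0.000000000 172.18.0.2 -> 172.17.0.2 ICMP 98 Echo (ping) request id=0x000d, seq=0/0, ttl=64'
REV_LAN='1 0.000000000 172.18.0.2 -> 172.17.0.2 ICMP 98 Echo (ping) request id=0x000d, seq=0/0, ttl=63'

# nat_verdict BRIDGE_LINES LAN_LINES
# Matches echo requests by ICMP id and seq across the two captures. For each
# match it prints: key, source on the bridge, source on the LAN NIC, the TTL
# decrement between them, and "masqueraded" or "preserved".
nat_verdict() {
    { printf '%s\n' "$1"; echo '--LAN--'; printf '%s\n' "$2"; } | awk '
        $0 == "--LAN--" { lan = 1; next }
        $6 == "ICMP" && /Echo \(ping\) request/ {
            key = ""; ttl = ""
            for (i = 7; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)                  # drop trailing comma
                if (f ~ /^id=/ || f ~ /^seq=/) key = key f " "
                if (f ~ /^ttl=/) ttl = substr(f, 5)
            }
            if (!lan) {                           # first capture: remember it
                src[key] = $3; bttl[key] = ttl
                next
            }
            if (key in src) {                     # second capture: compare
                verdict = (src[key] == $3) ? "preserved" : "masqueraded"
                printf "%s%s -> %s hops=%d %s\n",
                       key, src[key], $3, bttl[key] - ttl, verdict
            }
        }'
}

echo "201 -> 202: $(nat_verdict "$FWD_BRIDGE" "$FWD_LAN")"
echo "202 -> 201: $(nat_verdict "$REV_BRIDGE" "$REV_LAN")"
```

For firewalling and logging on the receiving host this matters: 202 sees 201's containers as 192.168.2.201, while 201 sees 202's containers under their own 172.18.0.0/16 addresses.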

Testing with a MySQL connection

Next, test the network with a real MySQL connection. First start a mysql container on 202:

[root@Centos-L410 arnes]# docker run -p 3306:3306 -e MYSQL_ROOT_PASSWORD=111111 -d mysql mysqld
a6b839dfd602ba0880b495bae78e8c49d3f57a4a1708021209431441bf6bbd40
[root@Centos-L410 arnes]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a6b839dfd602 mysql "/entrypoint.sh mysql" 7 seconds ago Up 4 seconds 0.0.0.0:3306->3306/tcp romantic_brahmagupta

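After it starts, run tshark to capture packets on the interfaces. Then, on 201, start a mysql container running bash and use the mysql client to connect to the container on 202. Because MySQL sends periodic heartbeats once connected, run exit immediately after connecting to leave the client and avoid that noise, as follows: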

# root@Ubuntu-Asus [192.168.2.201] in /var/lib/docker [15:20:52]
$ docker run -it --rm mysql /bin/bash
root@7b598cc5e8c7:/# mysql -h172.18.0.2 -P3306 -uroot -p111111
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit
Bye
root@7b598cc5e8c7:/#

The capture results on 201 and 202 are as follows:

// Ubuntu 192.168.2.201
root@Ubuntu-Asus 192.168.2.201 15:17:27 ~
# tshark -i docker0
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
1 0.000000 02:42:ac:11:00:02 -> Broadcast ARP 42 Who has 172.17.0.1? Tell 172.17.0.2
2 0.000033 02:42:08:03:7a:e6 -> 02:42:ac:11:00:02 ARP 42 172.17.0.1 is at 02:42:08:03:7a:e6
3 0.000046 172.17.0.2 -> 172.18.0.2 TCP 74 59523 > mysql [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=39321424 TSecr=0 WS=128
4 0.032752 172.18.0.2 -> 172.17.0.2 TCP 74 mysql > 59523 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=182278505 TSecr=39321424 WS=128
5 0.032982 172.17.0.2 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=39321432 TSecr=182278505
6 0.057003 172.18.0.2 -> 172.17.0.2 MySQL 144 Server Greeting proto=10 version=5.7.10
7 0.057052 172.17.0.2 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=79 Win=29312 Len=0 TSval=39321438 TSecr=182278536
8 0.057149 172.17.0.2 -> 172.18.0.2 MySQL 249 Login Request user=root
9 0.091636 172.18.0.2 -> 172.17.0.2 TCP 66 mysql > 59523 [ACK] Seq=79 Ack=184 Win=30080 Len=0 TSval=182278571 TSecr=39321438
10 0.097889 172.18.0.2 -> 172.17.0.2 MySQL 77 Response OK
11 0.098129 172.17.0.2 -> 172.18.0.2 MySQL 103 Request Query
12 0.125942 172.18.0.2 -> 172.17.0.2 MySQL 158 Response
13 0.162720 172.17.0.2 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=221 Ack=182 Win=29312 Len=0 TSval=39321465 TSecr=182278599
13 14 4.602119 172.17.0.2 -> 172.18.0.2 MySQL 71 Request Quit
15 4.602301 172.17.0.2 -> 172.18.0.2 TCP 66 59523 > mysql [FIN, ACK] Seq=226 Ack=182 Win=29312 Len=0 TSval=39322574 TSecr=182278599
16 4.670611 172.17.0.2 -> 172.18.0.2 TCP 66 [TCP Retransmission] 59523 > mysql [FIN, ACK] Seq=226 Ack=182 Win=29312 Len=0 TSval=39322592 TSecr=182278599
17 4.675746 172.18.0.2 -> 172.17.0.2 TCP 66 [TCP Previous segment not captured] mysql > 59523 [ACK] Seq=183 Ack=227 Win=30080 Len=0 TSval=182283170 TSecr=39322592
18 4.843638 172.18.0.2 -> 172.17.0.2 TCP 66 [TCP Retransmission] mysql > 59523 [FIN, ACK] Seq=182 Ack=227 Win=30080 Len=0 TSval=182283338 TSecr=39322592
19 4.843713 172.17.0.2 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=227 Ack=183 Win=29312 Len=0 TSval=39322635 TSecr=182283338
19 20 5.038625 02:42:08:03:7a:e6 -> 02:42:ac:11:00:02 ARP 42 Who has 172.17.0.2? Tell 172.17.0.1
21 5.038670 02:42:ac:11:00:02 -> 02:42:08:03:7a:e6 ARP 42 172.17.0.2 is at 02:42:ac:11:00:02
21 ^C
# root@Ubuntu-Asus [192.168.2.201] in ~ [15:21:59]
$ tshark -i wlan0 | grep mysql
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlan0'
405 396 64.586967 192.168.2.201 -> 172.18.0.2 TCP 74 59523 > mysql [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=39321424 TSecr=0 WS=128
397 64.619458 172.18.0.2 -> 192.168.2.201 TCP 74 mysql > 59523 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=182278505 TSecr=39321424 WS=128
418 398 64.619905 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=39321432 TSecr=182278505
400 64.643935 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=79 Win=29312 Len=0 TSval=39321438 TSecr=182278536
402 64.678468 172.18.0.2 -> 192.168.2.201 TCP 66 mysql > 59523 [ACK] Seq=79 Ack=184 Win=30080 Len=0 TSval=182278571 TSecr=39321438
406 64.749772 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=221 Ack=182 Win=29312 Len=0 TSval=39321465 TSecr=182278599
466 444 69.189204 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [FIN, ACK] Seq=226 Ack=182 Win=29312 Len=0 TSval=39322574 TSecr=182278599
446 69.257519 192.168.2.201 -> 172.18.0.2 TCP 66 [TCP Retransmission] 59523 > mysql [FIN, ACK] Seq=226 Ack=182 Win=29312 Len=0 TSval=39322592 TSecr=182278599
471 447 69.262593 172.18.0.2 -> 192.168.2.201 TCP 66 [TCP Previous segment not captured] mysql > 59523 [ACK] Seq=183 Ack=227 Win=30080 Len=0 TSval=182283170 TSecr=39322592
448 69.430439 172.18.0.2 -> 192.168.2.201 TCP 66 [TCP Retransmission] mysql > 59523 [FIN, ACK] Seq=182 Ack=227 Win=30080 Len=0 TSval=182283338 TSecr=39322592
449 69.430616 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=227 Ack=183 Win=29312 Len=0 TSval=39322635 TSecr=182283338
613 ^C
// Centos 192.168.2.202
[root@Centos-L410 docker]# tshark -i docker0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
1 0.000000000 192.168.2.201 -> 172.18.0.2 TCP 74 59523 > mysql [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=39321424 TSecr=0 WS=128
2 0.000094913 172.18.0.2 -> 192.168.2.201 TCP 74 mysql > 59523 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=182278505 TSecr=39321424 WS=128
3 0.030116575 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=39321432 TSecr=182278505
4 0.030976025 172.18.0.2 -> 192.168.2.201 MySQL 144 Server Greeting proto=10 version=5.7.10
5 0.056176778 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=79 Win=29312 Len=0 TSval=39321438 TSecr=182278536
6 0.066130572 192.168.2.201 -> 172.18.0.2 MySQL 249 Login Request user=root
7 0.066173733 172.18.0.2 -> 192.168.2.201 TCP 66 mysql > 59523 [ACK] Seq=79 Ack=184 Win=30080 Len=0 TSval=182278571 TSecr=39321438
8 0.066262220 172.18.0.2 -> 192.168.2.201 MySQL 77 Response OK
9 0.093104979 192.168.2.201 -> 172.18.0.2 MySQL 103 Request Query
10 0.093395793 172.18.0.2 -> 192.168.2.201 MySQL 158 Response
11 0.159316774 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=221 Ack=182 Win=29312 Len=0 TSval=39321465 TSecr=182278599
12 4.599128670 192.168.2.201 -> 172.18.0.2 MySQL 71 Request Quit
13 4.599292166 172.18.0.2 -> 192.168.2.201 TCP 66 mysql > 59523 [FIN, ACK] Seq=182 Ack=226 Win=30080 Len=0 TSval=182283104 TSecr=39322574
14 4.665013615 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [FIN, ACK] Seq=226 Ack=182 Win=29312 Len=0 TSval=39322592 TSecr=182278599
15 4.665053144 172.18.0.2 -> 192.168.2.201 TCP 66 mysql > 59523 [ACK] Seq=183 Ack=227 Win=30080 Len=0 TSval=182283170 TSecr=39322592
16 4.832475608 172.18.0.2 -> 192.168.2.201 TCP 66 [TCP Retransmission] mysql > 59523 [FIN, ACK] Seq=182 Ack=227 Win=30080 Len=0 TSval=182283338 TSecr=39322592
17 4.849718662 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=227 Ack=183 Win=29312 Len=0 TSval=39322635 TSecr=182283338
18 5.014473661 02:42:38:14:f7:88 -> 02:42:ac:12:00:02 ARP 42 Who has 172.18.0.2? Tell 172.18.0.1
19 5.014525272 02:42:ac:12:00:02 -> 02:42:38:14:f7:88 ARP 42 172.18.0.2 is at 02:42:ac:12:00:02
^C19 packets captured
[root@Centos-L410 arnes]# tshark -i wlp5s0 | grep mysql
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp5s0'
354 318 39.616348312 192.168.2.201 -> 172.18.0.2 TCP 74 59523 > mysql [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=39321424 TSecr=0 WS=128
319 39.616526473 172.18.0.2 -> 192.168.2.201 TCP 74 mysql > 59523 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=182278505 TSecr=39321424 WS=128
321 39.646494918 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=39321432 TSecr=182278505
324 39.672552747 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=1 Ack=79 Win=29312 Len=0 TSval=39321438 TSecr=182278536
326 39.682593002 172.18.0.2 -> 192.168.2.201 TCP 66 mysql > 59523 [ACK] Seq=79 Ack=184 Win=30080 Len=0 TSval=182278571 TSecr=39321438
333 39.775693441 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=221 Ack=182 Win=29312 Len=0 TSval=39321465 TSecr=182278599
379 384 44.215727358 172.18.0.2 -> 192.168.2.201 TCP 66 mysql > 59523 [FIN, ACK] Seq=182 Ack=226 Win=30080 Len=0 TSval=182283104 TSecr=39322574
386 44.281387627 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [FIN, ACK] Seq=226 Ack=182 Win=29312 Len=0 TSval=39322592 TSecr=182278599
387 44.281474299 172.18.0.2 -> 192.168.2.201 TCP 66 mysql > 59523 [ACK] Seq=183 Ack=227 Win=30080 Len=0 TSval=182283170 TSecr=39322592
421 389 44.448924489 172.18.0.2 -> 192.168.2.201 TCP 66 [TCP Retransmission] mysql > 59523 [FIN, ACK] Seq=182 Ack=227 Win=30080 Len=0 TSval=182283338 TSecr=39322592
391 44.466095818 192.168.2.201 -> 172.18.0.2 TCP 66 59523 > mysql [ACK] Seq=227 Ack=183 Win=29312 Len=0 TSval=39322635 TSecr=182283338
596 ^C
1 packet dropped

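Because there are many TCP packets on wlan0 and wlp5s0, grep mysql is used to keep only the MySQL-related packets. Judging from the capture, the login flow is: first the TCP connection is established, then the username and password are verified (Login Request user=root); after successful verification the connection is established and heartbeats start being sent. To quit, the client sends a close request (Request Quit) and then closes the connection. TCP retransmissions (TCP Retransmission) may occur during the close, because the connection is unstable at that point.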


Welcome to Valleylord's blog!

The articles on this blog are original as far as possible.