hbugs001 posted on 2026-1-5 11:04:06

[EVE-NG Traffic Insight] Commonly Used Filter Expressions

<table>
<thead>
<tr>
<th>Protocol / type</th>
<th>tcpdump filter expression (EVE-NG/tcpdump)</th>
<th>Notes / EVE-NG use case</th>
</tr>
</thead>
<tbody>
<tr>
<td>ARP</td>
<td>arp</td>
<td>Watch ARP requests/replies in real time</td>
</tr>
<tr>
<td>IPv6 Neighbor Discovery</td>
<td>icmp6 and (ip6[40] == 135 or ip6[40] == 136)</td>
<td>Track ND solicitation and advertisement messages (the ICMPv6 type is read at ip6[40], so this assumes no IPv6 extension headers)</td>
</tr>
<tr>
<td>LLDP</td>
<td>ether proto 0x88cc</td>
<td>Visualize the neighbor discovery process</td>
</tr>
<tr>
<td>STP (802.1D)</td>
<td>stp</td>
<td>Observe topology changes / blocking state (STP BPDUs are LLC frames, not an EtherType, so the stp keyword is used)</td>
</tr>
<tr>
<td>OSPF</td>
<td>proto 89</td>
<td>Monitor Hello packets, LSAs and adjacency formation</td>
</tr>
<tr>
<td>BGP</td>
<td>tcp port 179</td>
<td>Track session establishment and UPDATE messages</td>
</tr>
<tr>
<td>ICMP</td>
<td>icmp</td>
<td>Ping, traceroute or generic ICMP traffic</td>
</tr>
<tr>
<td>TCP</td>
<td>tcp</td>
<td>Generic TCP traffic</td>
</tr>
<tr>
<td>UDP</td>
<td>udp</td>
<td>Generic UDP traffic</td>
</tr>
<tr>
<td>VLAN (802.1Q)</td>
<td>vlan</td>
<td>Filter frames carrying a VLAN tag</td>
</tr>
<tr>
<td>VXLAN (UDP 4789)</td>
<td>udp port 4789</td>
<td>View VXLAN-encapsulated traffic</td>
</tr>
<tr>
<td>VXLAN example (172.16.10.1 → 8.8.8.8)</td>
<td>udp port 4789 and src 172.16.10.1 and dst 8.8.8.8</td>
<td>Track VXLAN traffic between a specific outer source/destination (the outer VTEP addresses, not the inner packet)</td>
</tr>
<tr>
<td>ARP requests only</td>
<td>arp and arp[6:2] = 1</td>
<td>Detect unresolved IP-to-MAC address queries</td>
</tr>
<tr>
<td>ARP replies only</td>
<td>arp and arp[6:2] = 2</td>
<td>Verify that ARP resolution succeeds</td>
</tr>
<tr>
<td>Gratuitous ARP</td>
<td>arp and arp[14:4] = arp[24:4]</td>
<td>High-availability failover or IP takeover tests (sender IP equals target IP; a sender IP of 0.0.0.0, i.e. arp and src host 0.0.0.0, is an ARP probe instead)</td>
</tr>
<tr>
<td>ICMP destination unreachable</td>
<td>icmp[0] = 3</td>
<td>Diagnose drops caused by routing or firewalls</td>
</tr>
<tr>
<td>ICMP fragmentation needed</td>
<td>icmp[0] = 3 and icmp[1] = 4</td>
<td>MTU and PMTUD troubleshooting</td>
</tr>
<tr>
<td>Traceroute (ICMP TTL exceeded)</td>
<td>icmp[0] = 11</td>
<td>Path discovery in the lab environment</td>
</tr>
<tr>
<td>TCP three-way handshake only</td>
<td>tcp[tcpflags] &amp; tcp-syn != 0</td>
<td>SYN and SYN-ACK segments; the final ACK cannot be told apart from ordinary ACKs by flags alone</td>
</tr>
<tr>
<td>TCP retransmissions (heuristic)</td>
<td>tcp[tcpflags] &amp; tcp-ack != 0</td>
<td>Symptom of packet loss or congestion (heuristic only: a BPF filter sees one packet at a time and cannot identify retransmissions; this matches every segment with ACK set)</td>
</tr>
<tr>
<td>TCP FIN / session close</td>
<td>tcp[tcpflags] &amp; tcp-fin != 0</td>
<td>Graceful session termination</td>
</tr>
<tr>
<td>Asymmetric routing check</td>
<td>tcp[tcpflags] &amp; tcp-syn != 0 and tcp[tcpflags] &amp; tcp-ack == 0</td>
<td>SYN seen but no response (SYN without ACK)</td>
</tr>
<tr>
<td>DNS queries only</td>
<td>udp port 53 and udp[10] &amp; 0x80 = 0</td>
<td>Client name-resolution problems</td>
</tr>
<tr>
<td>DNS responses only</td>
<td>udp port 53 and udp[10] &amp; 0x80 != 0</td>
<td>Verify DNS server behaviour</td>
</tr>
<tr>
<td>DHCP Discover</td>
<td>udp port 67 and udp[250] = 1</td>
<td>Client requesting an IP address (assumes option 53 is the first DHCP option, which is the usual case)</td>
</tr>
<tr>
<td>DHCP Offer</td>
<td>udp port 67 and udp[250] = 2</td>
<td>Verify DHCP server availability</td>
</tr>
<tr>
<td>HTTP GET request</td>
<td>tcp port 80 and tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2):4] = 0x47455420</td>
<td>Application-layer troubleshooting</td>
</tr>
<tr>
<td>HTTP POST request</td>
<td>tcp port 80 and tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2):4] = 0x504f5354</td>
<td>API or form submission tracking</td>
</tr>
<tr>
<td>BGP KEEPALIVE messages</td>
<td>tcp port 179 and tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2) + 18] = 4</td>
<td>Verify BGP session stability (the BGP type byte follows the 16-byte marker and 2-byte length; assumes one message at the start of the segment)</td>
</tr>
<tr>
<td>OSPF Hello packets</td>
<td>ip proto 89 and ip[21] = 1</td>
<td>Adjacency formation troubleshooting (OSPF type byte, assuming a 20-byte IP header)</td>
</tr>
<tr>
<td>OSPF LSA packets</td>
<td>ip proto 89 and ip[21] != 1</td>
<td>Topology propagation analysis (all non-Hello OSPF packets: DBD, LSR, LSU, LSAck)</td>
</tr>
<tr>
<td>VRRP advertisements</td>
<td>ip proto 112</td>
<td>Gateway redundancy testing</td>
</tr>
<tr>
<td>RTP media streams</td>
<td>udp portrange 10000-20000</td>
<td>Voice quality troubleshooting</td>
</tr>
<tr>
<td>IPsec ESP traffic</td>
<td>ip proto 50</td>
<td>Verify forwarding of encrypted VPN traffic</td>
</tr>
<tr>
<td>IPsec AH traffic</td>
<td>ip proto 51</td>
<td>Verify the authentication header</td>
</tr>
<tr>
<td>IKE/ISAKMP</td>
<td>udp port 500 or udp port 4500</td>
<td>VPN negotiation / tunnel establishment troubleshooting</td>
</tr>
<tr>
<td>MPLS LDP discovery</td>
<td>udp port 646</td>
<td>LDP hello discovery (LDP sessions themselves use tcp port 646)</td>
</tr>
<tr>
<td>MPLS ping / labeled traffic</td>
<td>mpls</td>
<td>MPLS encapsulation / forwarding troubleshooting</td>
</tr>
<tr>
<td>EVPN BGP Type-2 (MAC-IP) updates</td>
<td>tcp port 179 and tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2) + 18] = 2</td>
<td>EVPN MAC/IP learning verification (matches BGP UPDATE messages; the EVPN route type sits inside the NLRI and has to be decoded in Wireshark)</td>
</tr>
<tr>
<td>EVPN Type-5 (IP prefix) updates</td>
<td>tcp port 179 and tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2) + 18] = 2</td>
<td>EVPN route coverage verification (UPDATE messages only, as above; select route type 5 when decoding)</td>
</tr>
<tr>
<td>Kubernetes API requests</td>
<td>tcp port 6443</td>
<td>Control-plane access troubleshooting</td>
</tr>
<tr>
<td>VXLAN flooding / BUM traffic</td>
<td>udp port 4789 and (dst net 239.0.0.0/8 or ether dst ff:ff:ff:ff:ff:ff)</td>
<td>Troubleshoot broadcast, unknown-unicast and multicast replication in the overlay (outer headers only)</td>
</tr>
<tr>
<td>MPLS OAM / LSP ping ICMP</td>
<td>mpls and icmp</td>
<td>Verify LSP continuity during MPLS troubleshooting</td>
</tr>
<tr>
<td>VXLAN ARP suppression</td>
<td>udp port 4789 and udp[28:2] = 0x0806</td>
<td>Check whether ARP suppression / VTEP learning is working (the arp keyword only matches the outer frame, so the inner EtherType is matched by offset: 8-byte UDP header + 8-byte VXLAN header + 12 bytes of inner MAC addresses)</td>
</tr>
<tr>
<td>Ping/ICMP over MPLS</td>
<td>mpls and ip proto 1</td>
<td>Verify end-to-end MPLS reachability (the mpls keyword must come first: it shifts the decoding offsets for the rest of the expression)</td>
</tr>
<tr>
<td>BGP route refresh</td>
<td>tcp port 179 and tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2) + 18] = 5</td>
<td>Force and debug dynamic route updates (BGP message type 5 = ROUTE-REFRESH)</td>
</tr>
<tr>
<td>VXLAN multicast join/leave</td>
<td>udp port 4789 and ip multicast</td>
<td>Debug VTEP multicast replication</td>
</tr>
<tr>
<td>Overlay control plane (EVPN/BGP)</td>
<td>tcp port 179 and (src net 10.0.0.0/24 or dst net 10.0.0.0/24)</td>
<td>Focus on overlay control-plane messages</td>
</tr>
<tr>
<td>Kubernetes kubelet node traffic</td>
<td>tcp port 10250 or 10255</td>
<td>Node agent communication check</td>
</tr>
<tr>
<td>Pod-to-pod container traffic</td>
<td>tcp and src net 10.244.0.0/16</td>
<td>Verify pod network connectivity</td>
</tr>
<tr>
<td>Firewall NAT translation check</td>
<td>tcp and dst host &lt;ip&gt;</td>
<td>Ensure NAT translation is applied correctly</td>
</tr>
<tr>
<td>Firewall policy hit</td>
<td>(tcp or udp) and src host &lt;ip&gt;</td>
<td>Check which rule the traffic matches (without the parentheses, and binds tighter than or and the tcp branch would match everything)</td>
</tr>
<tr>
<td>High-availability cluster heartbeat</td>
<td>udp port 702</td>
<td>Appliance HA cluster heartbeat detection (the port depends on the vendor)</td>
</tr>
<tr>
<td>VXLAN BFD on VTEPs</td>
<td>udp port 3784</td>
<td>Check fast failure detection in the overlay</td>
</tr>
<tr>
<td>Kubernetes NodePort traffic</td>
<td>tcp dst portrange 30000-32767</td>
<td>External access to NodePort services</td>
</tr>
<tr>
<td>Kubernetes ingress controller</td>
<td>(tcp port 80 or tcp port 443) and dst host &lt;ingress-ip&gt;</td>
<td>Track ingress traffic forwarding</td>
</tr>
<tr>
<td>VXLAN ARP/MAC learning verification</td>
<td>udp port 4789 and udp[28:2] = 0x0806</td>
<td>Check whether the VTEP learns MAC addresses correctly (inner ARP matched by offset, as in the ARP suppression row)</td>
</tr>
<tr>
<td>BGP route flapping / withdrawal</td>
<td>tcp port 179 and tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2) + 18] = 2</td>
<td>Monitor BGP route withdrawals (withdrawn routes travel in UPDATE messages; type 3, NOTIFICATION, signals session teardown instead)</td>
</tr>
</tbody>
</table>
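As an added example (constructed here, not part of the original post), the byte-offset filters from the table are re-implemented in Python against hand-built frames, so you can see exactly which bytes <code>tcp[tcpflags]</code>, <code>tcp[((tcp[12] &amp; 0xf0) &gt;&gt; 2):4]</code>, <code>udp[10] &amp; 0x80</code> and <code>icmp[0]</code>/<code>icmp[1]</code> read, and why a fixed <code>tcp[20:4]</code> misses a GET once TCP options are present. The frame builders and addresses are assumptions made for the example.

```python
import struct

def eth(ethertype, payload):
    # Constructed Ethernet II header: broadcast dst, locally administered src MAC
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    # Minimal 20-byte IPv4 header (IHL=5, checksum left 0: none of the filters read it)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def tcp(sport, dport, flags, payload=b"", data_off=5):
    # data_off is in 32-bit words; TCP options, if any, are passed as the head of payload
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4, flags, 65535, 0, 0) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def l4(frame):
    """Bytes starting at the L4 header: what tcp[...], udp[...] and icmp[...] index from."""
    if frame[12:14] != b"\x08\x00":            # IPv4 only, as the table's offset filters assume
        return b""
    ip = frame[14:]
    return ip[(ip[0] & 0x0F) * 4:]             # skip IHL*4 bytes, so IP options are handled too

def tcp_flags(frame):
    return l4(frame)[13]                       # tcp[tcpflags] is an alias for tcp[13]

def syn_without_ack(frame):
    # tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0  (tcp-syn=0x02, tcp-ack=0x10)
    f = tcp_flags(frame)
    return f & 0x02 != 0 and f & 0x10 == 0

def http_method(frame):
    # tcp[((tcp[12] & 0xf0) >> 2):4]: data offset (words) * 4 = first payload byte
    t = l4(frame)
    start = (t[12] & 0xF0) >> 2
    return t[start:start + 4]

def dns_is_response(frame):
    return bool(l4(frame)[10] & 0x80)          # udp[10] & 0x80: QR bit of the DNS flags word

def icmp_type_code(frame):
    return l4(frame)[0], l4(frame)[1]          # icmp[0] = type, icmp[1] = code

# Constructed sample frames (not captured traffic)
SYN = eth(0x0800, ipv4(6, tcp(40000, 80, 0x02)))
SYN_ACK = eth(0x0800, ipv4(6, tcp(80, 40000, 0x12)))
# 12 bytes of NOP options push the payload to tcp[32]; a fixed tcp[20:4] would read the options
GET = eth(0x0800, ipv4(6, tcp(40000, 80, 0x18, b"\x01" * 12 + b"GET / HTTP/1.1\r\n", data_off=8)))
DNS_QUERY = eth(0x0800, ipv4(17, udp(53000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)))
DNS_RESPONSE = eth(0x0800, ipv4(17, udp(53, 53000, b"\x12\x34\x81\x80" + b"\x00" * 8)))
FRAG_NEEDED = eth(0x0800, ipv4(1, b"\x03\x04" + b"\x00" * 6))   # type 3, code 4
```

The same offsets are what tcpdump evaluates, so if a table filter does not match in EVE-NG, checking the frame bytes this way usually shows which assumption (no IP options, payload at the data offset, option 53 first) was broken.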
<h3>1 Key notes</h3>
<ol>
<li>All filter expressions are given in tcpdump/BPF syntax and can be reused directly in EVE-NG, tcpdump and Wireshark (as capture filters, not display filters)</li>
<li>Technical terms use the translations common in mainland China (for example &quot;Gratuitous ARP&quot; is rendered as &quot;免费ARP&quot; and &quot;BUM Traffic&quot; as &quot;BUM流量&quot;)</li>
<li>The notes reflect real use cases in the EVE-NG simulation environment, with the emphasis on troubleshooting and verification</li>
<li>Port numbers, protocol numbers, hexadecimal values and other key technical details are preserved so that the filter logic stays accurate</li>
</ol>