文章目錄

• • • • • 1.tcpdump簡介
        • 2.tcpdump參數(shù)
        • 3.tcpdump過濾器
        • 4.tcpdump常用操作

1.tcpdump簡介

tcpdump是linux平臺的抓包工具，可以抓取TCP/IP協(xié)議的數(shù)據(jù)包，網(wǎng)絡(luò)協(xié)議，主機(jī)，端口，還提供and，or，not等邏輯語句過濾信息。

2.tcpdump參數(shù)

tcpdump幫助查看 tcpdump -h， man tcpdump

[root@master ~]# tcpdump -h tcpdump version 4.9.2 libpcap version 1.5.3 OpenSSL 1.0.2k-fips 26 Jan 2017 Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ][ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ][ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ][ -Q|-P in|out|inout ][ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ][ --immediate-mode ] [ -T type ] [ --version ] [ -V file ][ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ][ -Z user ] [ expression ]

• -A:只使用ASCII 打印報文的全部數(shù)據(jù)
• -b：數(shù)據(jù)鏈路層選擇協(xié)議（ip，arp，rarp，ipx等）
• -c：指定抓取包的數(shù)量
• -D列出當(dāng)前系統(tǒng)所有可以用于抓包的接口
• -e：輸出鏈路層報文
• -i 指定監(jiān)聽的網(wǎng)卡，-i any 顯示所有網(wǎng)卡
• –n 表示不解析主機(jī)名，直接用 IP 顯示，默認(rèn)是用 hostname 顯示
• -nn 表示不解析主機(jī)名和端口，直接用端口號顯示，默認(rèn)顯示是端口號對應(yīng)的服務(wù)名
• -q 快速打印輸出，即只輸出少量的協(xié)議相關(guān)信息
• -s len 設(shè)置要抓取數(shù)據(jù)包長度為 len，默認(rèn)只會截取前 96bytes 的內(nèi)容，-s 0 的話，會截取全部內(nèi)容。
• -XX 同 -X，但同時顯示以太網(wǎng)頭部
• -t 不要打印時間戳
• -X 同時用 hex 和 ascii 顯示報文內(nèi)容

3.tcpdump過濾器

過濾器：通俗講就是我們抓取的數(shù)據(jù)包信息有許多是我們用不到的，通過過濾得到我們需要的信息，
這里過濾器有三類：
1.協(xié)議（protocol）:tcp,udp,icmp,ip,arp等
2.傳輸方向（dir）：src，dst，src and dst，src or dst(默認(rèn))
3.類型（type）：host，net，prot

tcpdump語法格式：tcpdump [options] [not] proto dir type

tcpdump的輸出格式

系統(tǒng)時間 源主機(jī).端口 目標(biāo)主機(jī).端口 數(shù)據(jù)包參數(shù) 20:11:12.854851 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1838515159:1838515347, ack 1981438263, win 83, length 188 20:11:12.854946 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8207, length 0

數(shù)據(jù)包類型

• [S] SYN(開始連接)
• [.] 沒有標(biāo)志
• [P] PSH(推送數(shù)據(jù))
• [F] FIN(完成連接)
• [R] RST(重置連接)

---

4.tcpdump常用操作

查看ens33網(wǎng)卡設(shè)備，對應(yīng)22端口服務(wù)的傳輸信息（-t不顯示時間信息）

[root@master ~]# tcpdump -ti ens33 port 22 IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22308, win 8208, length 0 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22308:22512, ack 1, win 83, length 204 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22512:22716, ack 1, win 83, length 204 IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22716, win 8206, length 0 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22716:22848, ack 1, win 83, length 132 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22848:22980, ack 1, win 83, length 132

查看指定網(wǎng)卡的設(shè)備，顯示端口號對應(yīng)服務(wù)

[root@master ~]# tcpdump -nnt -i ens33|head -10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1817580335:1817580523, ack 1981371343, win 83, length 188 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8209, length 0 IP 220.191.97.17.43687 > 192.168.2.29.37561: UDP, length 219 IP 192.168.2.29.37561 > 117.61.19.156.35855: UDP, length 1089 IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 24 IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 1432 IP 192.168.2.29.37561 > 183.157.124.157.31285: UDP, length 1432 IP 192.168.2.29.37561 > 101.229.237.49.34270: UDP, length 1432 IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432 IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432 tcpdump: Unable to write output: Broken pipe

查看src源方向傳輸?shù)男畔?/p> [root@master ~]# tcpdump -ti ens33 src port 22 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757140:757272, ack 73, win 83, length 132 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757272:757404, ack 73, win 83, length 132 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757404:757536, ack 73, win 83, length 132 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757536:757668, ack 73, win 83, length 132

查看dst源方向傳輸?shù)男畔?/p> [root@master ~]# tcpdump -ti ens33 dst port 22 IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6157, win 8207, length 0 IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6273, win 8207, length 0 IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6389, win 8207, length 0 IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6505, win 8212, length 0 IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6621, win 8212, length 0

查看已經(jīng)到192.168.2.29主機(jī)的的網(wǎng)卡設(shè)備ens33的22 號端口的數(shù)據(jù)包（-c抓包的數(shù)量，-v更詳細(xì)信息）

[root@master ~]# tcpdump -nnt -i ens33 dst host 192.168.2.29 and port 22 -c2 -vv tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes IP (tos 0x10, ttl 64, id 40345, offset 0, flags [DF], proto TCP (6), length 164)192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x862f (incorrect -> 0xd42e), seq 1836124383:1836124507, ack 1981412895, win 83, length 124 IP (tos 0x10, ttl 64, id 40346, offset 0, flags [DF], proto TCP (6), length 316)192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x86c7 (incorrect -> 0x21f6), seq 124:400, ack 1, win 83, length 276 2 packets captured 10 packets received by filter 0 packets dropped by kernel

查看22端口或者8443端口的數(shù)據(jù)包（-c20顯示最新20條數(shù)據(jù)信息）

[root@master ~]# tcpdump -nnt -i ens33 -c 20 'port 22 or port 8443' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1843624239:1843624427, ack 1981514743, win 83, length 188 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8211, length 0 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 188:424, ack 1, win 83, length 236 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 424:556, ack 1, win 83, length 132 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 556, win 8210, length 0 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 556:688, ack 1, win 83, length 132 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 688:936, ack 1, win 83, length 248

查看某個網(wǎng)段的數(shù)據(jù)包

[root@master ~]# tcpdump -i ens33 dst net 192.168.2 -c2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 20:04:05.239508 IP 18.236.79.218.broad.xw.sh.dynamic.163data.com.cn.58123 > 192.168.2.29.37561: UDP, length 35 20:04:05.240617 IP 183.161.235.205.30834 > 192.168.2.29.37561: UDP, length 35 2 packets captured

查詢某協(xié)議的數(shù)據(jù)包

[root@master ~]# tcpdump -i ens33 udp [root@master ~]# tcpdump -i ens33 tcp [root@master ~]# tcpdump -i ens33 icmp [root@master ~]# tcpdump -i ens33 ip

倆種方式將數(shù)據(jù)包信息保存到文本

#第一種：直接輸出到文件中 [root@master ~]# tcpdump -nnt dst host 192.168.2.29 -i ens33 -c5 > tcpdump.txt tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 5 packets captured 310 packets received by filter 0 packets dropped by kernel [root@master ~]# cat tcpdump.txt IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1841703659:1841703847, ack 1981496079, win 83, length 188 IP 112.98.40.64.4909 > 192.168.2.29.37561: UDP, length 34 IP 27.186.136.251.29396 > 192.168.2.29.37561: UDP, length 342 IP 113.129.233.43.49542 > 192.168.2.29.37561: UDP, length 24 IP 60.186.179.149.1027 > 192.168.2.29.37561: UDP, length 37#第二種-w保存到文件內(nèi)，通過-r查看（不能通過cat查看） [root@master ~]# tcpdump -nnt dst host 192.168.2.29 -i ens33 -c5 -w tcpdump.txt tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 5 packets captured 482 packets received by filter 0 packets dropped by kernel [root@master ~]# tcpdump -r tcpdump.txt reading from file tcpdump.txt, link-type EN10MB (Ethernet) 20:25:13.839506 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 1841706771:1841706895, ack 1981497695, win 83, length 124 20:25:13.840656 IP 36.19.167.55.14975 > 192.168.2.29.37561: UDP, length 81 20:25:13.840657 IP 123.183.132.111.4176 > 192.168.2.29.37561: UDP, length 32 20:25:13.840806 IP 106.114.153.64.aes-discovery > 192.168.2.29.37561: UDP, length 264 20:25:13.841019 IP 43.146.142.219.broad.bj.bj.dynamic.163data.com.cn.24193 > 192.168.2.29.37561: UDP, length 24

總結(jié)

以上是生活随笔為你收集整理的linux抓包-tcpdump的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。