
Packet capture on Linux: tcpdump

Published: 2023/12/31 | linux | 25 | 豆豆

Contents

  • 1. tcpdump overview
  • 2. tcpdump options
  • 3. tcpdump filters
  • 4. Common tcpdump operations

1. tcpdump overview

tcpdump is the packet capture tool of the Linux platform. It captures TCP/IP packets, can filter by network protocol, host and port, and supports the logical operators and, or and not for combining filter conditions.

2. tcpdump options

To view tcpdump's help: tcpdump -h, or man tcpdump

[root@master ~]# tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q|-P in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
                [ -Z user ] [ expression ]

  • -A: print the full packet payload in ASCII only
  • -b: select the data-link-layer protocol (ip, arp, rarp, ipx, etc.)
  • -c: number of packets to capture
  • -D: list all interfaces on the system that can be used for capture
  • -e: print the link-layer header
  • -i: interface to listen on; -i any captures on all interfaces
  • -n: do not resolve hostnames, show IP addresses directly (by default hostnames are shown)
  • -nn: do not resolve hostnames or ports, show port numbers directly (by default the service name for the port is shown)
  • -q: quick output, printing only a small amount of protocol information
  • -s len: set the capture length to len bytes; by default only the first 96 bytes of each packet are captured, and -s 0 captures the whole packet
  • -XX: same as -X, but also shows the Ethernet header
  • -t: do not print timestamps
  • -X: print the packet contents in both hex and ASCII
3. tcpdump filters

Filters: put simply, much of what a capture collects is information we have no use for, so a filter is used to keep only the information we need.
There are three kinds of filter:
1. Protocol (protocol): tcp, udp, icmp, ip, arp, etc.
2. Direction (dir): src, dst, src and dst, src or dst (the default)
3. Type (type): host, net, port

tcpdump syntax: tcpdump [options] [not] proto dir type

tcpdump output format

System time    source host.port > destination host.port    packet parameters
20:11:12.854851 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1838515159:1838515347, ack 1981438263, win 83, length 188
20:11:12.854946 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8207, length 0

Packet types

  • [S] SYN (connection start)
  • [.] no flags
  • [P] PSH (push data)
  • [F] FIN (connection finished)
  • [R] RST (connection reset)
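As an added example (not code from the original article), here is a small Python parser for the one-line output format just described: it reads lines like those above, with or without the -t timestamp and with either numeric addresses or resolved names such as master.ssh, skips tcpdump's banner lines, and groups packets per flow together with the flag letters seen, which is a useful first step when reviewing a capture for unexpected connections. The sample lines are constructed in the article's format; the -v/-vv multi-line form is deliberately left unhandled.

```python
import re
from collections import defaultdict

# Matches tcpdump's default one-line output as shown in this article: an optional
# timestamp (absent with -t), "IP src.port > dst.port:", then "Flags [..]" for TCP
# or "UDP", and a trailing "length N".  The -v/-vv form ("(tos ..., ttl ...)") is not handled.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?IP\s+"
    r"(?P<src>\S+?)\.(?P<sport>[^.\s:]+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+):\s+"
    r"(?:Flags\s+\[(?P<flags>[^\]]*)\]|(?P<udp>UDP))"
    r".*?\blength\s+(?P<length>\d+)\s*$"
)

def parse_line(line):
    """Parse one tcpdump line into a dict; return None for banners and other formats."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "src": m["src"], "sport": m["sport"],
        "dst": m["dst"], "dport": m["dport"],
        "proto": "UDP" if m["udp"] else "TCP",
        "flags": m["flags"] or "",       # e.g. "S", "P.", "."; empty for UDP
        "length": int(m["length"]),      # payload length as tcpdump prints it
    }

def summarize_flows(text):
    """Group packets by (src, sport, dst, dport): packet count, bytes and TCP flags seen."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue   # "listening on ...", "N packets captured", -vv lines, etc.
        f = flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
        f["packets"] += 1
        f["bytes"] += pkt["length"]
        if pkt["flags"]:
            f["flags"].add(pkt["flags"])
    return dict(flows)

# Constructed sample in the format the article shows (not a real capture).
SAMPLE = """\
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:11:12.854851 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1838515159:1838515347, ack 1981438263, win 83, length 188
20:11:12.854946 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8207, length 0
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 188:392, ack 1, win 83, length 204
IP master.ssh > 192.168.2.29.59546: Flags [F.], seq 392, ack 1, win 83, length 0
IP 220.191.97.17.43687 > 192.168.2.29.37561: UDP, length 219
"""
```

Feed it the text saved by the first method in section 4 (plain output redirected to a file); a -w file is binary and must be read back with tcpdump -r first.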

4. Common tcpdump operations

Show the traffic of the service on port 22 on the ens33 interface (-t suppresses timestamps)

[root@master ~]# tcpdump -ti ens33 port 22
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22308, win 8208, length 0
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22308:22512, ack 1, win 83, length 204
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22512:22716, ack 1, win 83, length 204
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22716, win 8206, length 0
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22716:22848, ack 1, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22848:22980, ack 1, win 83, length 132

Capture on the specified interface, showing port numbers rather than service names (-nn)

[root@master ~]# tcpdump -nnt -i ens33|head -10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1817580335:1817580523, ack 1981371343, win 83, length 188
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8209, length 0
IP 220.191.97.17.43687 > 192.168.2.29.37561: UDP, length 219
IP 192.168.2.29.37561 > 117.61.19.156.35855: UDP, length 1089
IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 24
IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 1432
IP 192.168.2.29.37561 > 183.157.124.157.31285: UDP, length 1432
IP 192.168.2.29.37561 > 101.229.237.49.34270: UDP, length 1432
IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432
IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432
tcpdump: Unable to write output: Broken pipe

Show packets in the src (source) direction

[root@master ~]# tcpdump -ti ens33 src port 22
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757140:757272, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757272:757404, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757404:757536, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757536:757668, ack 73, win 83, length 132

Show packets in the dst (destination) direction

[root@master ~]# tcpdump -ti ens33 dst port 22
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6157, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6273, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6389, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6505, win 8212, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6621, win 8212, length 0

Show packets arriving at host 192.168.2.29 on interface ens33, port 22 (-c sets the number of packets to capture, -v gives more detail)

[root@master ~]# tcpdump -nnt -i ens33 dst host 192.168.2.29 and port 22 -c2 -vv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP (tos 0x10, ttl 64, id 40345, offset 0, flags [DF], proto TCP (6), length 164)
    192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x862f (incorrect -> 0xd42e), seq 1836124383:1836124507, ack 1981412895, win 83, length 124
IP (tos 0x10, ttl 64, id 40346, offset 0, flags [DF], proto TCP (6), length 316)
    192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x86c7 (incorrect -> 0x21f6), seq 124:400, ack 1, win 83, length 276
2 packets captured
10 packets received by filter
0 packets dropped by kernel

Show packets on port 22 or port 8443 (-c 20 shows 20 packets)

[root@master ~]# tcpdump -nnt -i ens33 -c 20 'port 22 or port 8443'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1843624239:1843624427, ack 1981514743, win 83, length 188
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8211, length 0
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 188:424, ack 1, win 83, length 236
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 424:556, ack 1, win 83, length 132
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 556, win 8210, length 0
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 556:688, ack 1, win 83, length 132
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 688:936, ack 1, win 83, length 248

Show packets for a given network segment

[root@master ~]# tcpdump -i ens33 dst net 192.168.2 -c2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:04:05.239508 IP 18.236.79.218.broad.xw.sh.dynamic.163data.com.cn.58123 > 192.168.2.29.37561: UDP, length 35
20:04:05.240617 IP 183.161.235.205.30834 > 192.168.2.29.37561: UDP, length 35
2 packets captured

Show packets of a given protocol

[root@master ~]# tcpdump -i ens33 udp
[root@master ~]# tcpdump -i ens33 tcp
[root@master ~]# tcpdump -i ens33 icmp
[root@master ~]# tcpdump -i ens33 ip

Two ways to save the captured packet information to a file

# Method 1: redirect the output straight to a file
[root@master ~]# tcpdump -nnt dst host 192.168.2.29 -i ens33 -c5 > tcpdump.txt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
310 packets received by filter
0 packets dropped by kernel
[root@master ~]# cat tcpdump.txt
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1841703659:1841703847, ack 1981496079, win 83, length 188
IP 112.98.40.64.4909 > 192.168.2.29.37561: UDP, length 34
IP 27.186.136.251.29396 > 192.168.2.29.37561: UDP, length 342
IP 113.129.233.43.49542 > 192.168.2.29.37561: UDP, length 24
IP 60.186.179.149.1027 > 192.168.2.29.37561: UDP, length 37

# Method 2: save with -w and read back with -r (the file cannot be viewed with cat)
[root@master ~]# tcpdump -nnt dst host 192.168.2.29 -i ens33 -c5 -w tcpdump.txt
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
482 packets received by filter
0 packets dropped by kernel
[root@master ~]# tcpdump -r tcpdump.txt
reading from file tcpdump.txt, link-type EN10MB (Ethernet)
20:25:13.839506 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 1841706771:1841706895, ack 1981497695, win 83, length 124
20:25:13.840656 IP 36.19.167.55.14975 > 192.168.2.29.37561: UDP, length 81
20:25:13.840657 IP 123.183.132.111.4176 > 192.168.2.29.37561: UDP, length 32
20:25:13.840806 IP 106.114.153.64.aes-discovery > 192.168.2.29.37561: UDP, length 264
20:25:13.841019 IP 43.146.142.219.broad.bj.bj.dynamic.163data.com.cn.24193 > 192.168.2.29.37561: UDP, length 24
