1.概述

今天我們要介紹的是一款網(wǎng)絡(luò)抓包工具tcpdump，重點(diǎn)討論并介紹一些有用的命令及最佳實(shí)踐。

tcpdump是一個(gè)功能最強(qiáng)大，應(yīng)用最廣泛的命令行數(shù)據(jù)包嗅探器或包分析工具，用于抓取或過濾制定接口接受或發(fā)送的TCP/IP數(shù)據(jù)包。

tcmpdump可以在大多數(shù)基于Linux/ unix的操作系統(tǒng)下使用。Tcpdump還為我們提供了一個(gè)選項(xiàng)，將捕獲的數(shù)據(jù)包保存在一個(gè)文件中，以便將來進(jìn)行分析。它以pcap格式保存文件，可以通過tcpdump命令或基于開源圖形界面的工具Wireshark(網(wǎng)絡(luò)協(xié)議分析器)查看tcpdump pcap格式文件。

2. 捕獲數(shù)據(jù)包從制定的接口

命令執(zhí)行的屏幕將持續(xù)滾動(dòng)，直到手動(dòng)中斷，當(dāng)我們執(zhí)行tcpdump命令時(shí)，默認(rèn)將從所有接口捕獲，使用-i 選項(xiàng)時(shí)只從所需的接口捕獲。

[root@ansible ~]# tcpdump -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 16:40:53.738612 IP ansible.ssh > 10.142.80.33.55482: Flags [P.], seq 1673204766:1673204958, ack 3546537066, win 306, length 192 16:40:53.738927 IP 10.142.80.33.55482 > ansible.ssh: Flags [.], ack 192, win 254, length 0 16:40:53.739498 IP ansible.53165 > 222.74.1.200.domain: 61628+ PTR? 33.80.142.10.in-addr.arpa. (43)

3. 捕獲N個(gè)數(shù)據(jù)包

當(dāng)運(yùn)行tcpdump命令時(shí)，它將捕獲指定接口的所有數(shù)據(jù)包，直到點(diǎn)擊取消按鈕。但是使用-c選項(xiàng)，可以捕獲指定數(shù)量的數(shù)據(jù)包。下面的示例將只捕獲6個(gè)包。

[root@ansible ~]# tcpdump -c 6 -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 16:44:02.963870 IP ansible.ssh > 10.142.80.33.55482: Flags [P.], seq 1673206942:1673206990, ack 3546538506, win 306, length 48 16:44:02.964230 IP 10.142.80.33.55482 > ansible.ssh: Flags [.], ack 48, win 251, length 0 16:44:02.964636 IP ansible.38452 > 222.74.1.200.domain: 60237+ PTR? 33.80.142.10.in-addr.arpa. (43) 16:44:03.197365 IP 10.142.80.145 > 224.0.0.18: VRRPv2, Advertisement, vrid 145, prio 100, authtype simple, intvl 1s, length 20 16:44:03.198255 IP 10.142.80.73 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20 16:44:03.251366 ARP, Request who-has 10.142.80.18 tell 10.142.80.52, length 46 6 packets captured 1331 packets received by filter 1262 packets dropped by kernel

4. 用ASCII碼打印抓包信息(不常用)

下面帶有選項(xiàng)-A的tcpdump命令以ASCII格式顯示包，它是一種字符編碼方案格式。

[root@ansible ~]# tcpdump -A -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 16:47:31.697347 IP ansible.ssh > 10.142.80.33.55482: Flags [P.], seq 1673208254:1673208302, ack 3546539194, win 306, length 48 EH.X..@.@.g. .P. .P!....c.!..c..P..2.........U..Z..4EK..q.o..3.<.i;.^8v......."m.c.....I 16:47:31.697798 IP 10.142.80.33.55482 > ansible.ssh: Flags [.], ack 48, win 252, length 0 E..(g @....c .P!

5. 展示可用的接口

使用-D option命令列出系統(tǒng)中可用的接口數(shù)量。

[root@ansible ~]# tcpdump -D 1.eth0 2.nflog (Linux netfilter log (NFLOG) interface) 3.nfqueue (Linux netfilter queue (NFQUEUE) interface) 4.any (Pseudo-device that captures on all interfaces) 5.lo [Loopback]

6. 抓包保存在文件中

正如我們所說，tcpdump具有以.pcap格式捕獲并保存文件的功能，為此只需執(zhí)行帶有-w選項(xiàng)的命令。

[root@ansible ~]# tcpdump -w 1.pcap -i eth0 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 438 packets captured 445 packets received by filter 0 packets dropped by kernel [root@ansible ~]#

7. 讀取抓包文件

讀取并分析抓包1.cap文件使用帶有-r選項(xiàng)的命令，如下所示。

[root@ansible ~]# tcpdump -r 1.pcap reading from file 1.pcap, link-type EN10MB (Ethernet) 16:55:00.870380 IP ansible.ssh > 10.142.80.33.55482: Flags [P.], seq 1673211774:1673211838, ack 3546541738, win 306, length 64 16:55:00.871112 IP 10.142.80.33.55482 > ansible.ssh: Flags [.], ack 64, win 256, length 0 16:55:00.881736 IP ansible.35590 > 10.142.81.138.7788: Flags [P.], seq 64349127:64349318, ack 3649573574, win 4698, length 191 16:55:00.881887 IP 10.142.81.138.7788 > ansible.35590: Flags [.], ack 191, win 64, length 0

8. 抓取IP地址報(bào)文

當(dāng)需要捕獲指定接口IP地址的報(bào)文時(shí)，使用帶選項(xiàng)-n的命令

[root@ansible ~]# tcpdump -n -i eth0 17:11:25.169323 IP 10.142.80.15.ssh > 10.142.80.33.55482: Flags [P.], seq 79168:79232, ack 97, win 379, length 64 17:11:25.169438 IP 10.142.80.15.ssh > 10.142.80.33.55482: Flags [P.], seq 79232:79312, ack 97, win 379, length 80 17:11:25.169554 IP 10.142.80.33.55482 > 10.142.80.15.ssh: Flags [.], ack 79232, win 252, length 0 17:11:25.169570 IP 10.142.80.15.ssh >

9. 僅抓取TCP報(bào)文

使用實(shí)例根據(jù)TCP端口抓包，選項(xiàng)為TCP。

[root@ansible ~]# tcpdump -i eth0 tcp 20:45:12.776594 IP 10.142.80.33.56850 > 10.142.80.15.ssh: Flags [.], ack 107904, win 100, length 0 20:45:12.776708 IP 10.142.80.15.ssh > 10.142.80.33.56850: Flags [P.], seq 108048:108112, ack 193, win 361, length 64 20:45:12.776879 IP 10.142.80.33.56850 > 10.142.80.15.ssh: Flags [.], ack 108048, win 100, length 0 20:45:12.790118 IP 10.142.80.33.56850 > 10.142.80.15.ssh: Flags [.], ack 108112, win 256, length 0 20:45:12.794053 IP 10.142.80.33.56850 > 10.142.80.15.ssh: Flags [P.], seq 193:241, ack 108112, win 256, length 48

10. 指定端口抓包

假設(shè)想要捕獲特定端口22的數(shù)據(jù)包，通過指定端口22執(zhí)行以下命令，如下所示。

[root@ansible ~]# tcpdump -i eth0 port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 20:47:26.026449 IP 10.142.80.15.ssh > 10.142.80.33.56850: Flags [P.], seq 4291355070:4291355246, ack 1452178660, win 361, length 176 20:47:26.026831 IP 10.142.80.33.56850 > 10.142.80.15.ssh: Flags [.], ack 176, win 256, length 0 20:47:26.026857 IP 10.142.80.15.ssh > 10.142.80.33.56850: Flags [P.], seq 176:272, ack 1, win 361, length 96 20:47:26.027112 IP 10.142.80.15.ssh > 10.142.80.33.56850: Flags [P.], seq 272:352, ack 1, win 361, length 80 20:47:26.027243 IP 10.142.80.15.ssh > 10.142.80.33.56850: Flags [P.], seq 352:416, ack 1, win 361, length 64 20:47:26.027422 IP 10.142.80.33.56850 > 10.142.80.15.ssh: Flags [.], ack 352, win 255, length 0

11. 獲取報(bào)文從指定源地址

為了捕獲來自源IP的數(shù)據(jù)包，假設(shè)您想捕獲10.142.80.33的數(shù)據(jù)包，使用如下命令。

[root@ansible ~]# tcpdump -i eth0 src 10.142.80.33 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 20:50:47.774107 IP 10.142.80.33.56850 > ansible.ssh: Flags [.], ack 4291635694, win 251, length 0

12. 獲取報(bào)文從指定目的地址

為了捕獲來自目的IP的數(shù)據(jù)包，假設(shè)要捕獲10.142.80.33的數(shù)據(jù)包，使用如下命令。

[root@ansible ~]# tcpdump -i eth0 dst 10.142.80.33 20:52:41.435801 IP ansible.ssh > 10.142.80.33.56850: Flags [P.], seq 653872:653936, ack 577, win 397, length 64 20:52:41.435935 IP ansible.ssh > 10.142.80.33.56850: Flags [P.], seq 653936:654000, ack 577, win 397, length 64 20:52:41.436053 IP ansible.ssh > 10.142.80.33.56850: Flags [P.], seq 654000:654064, ack 577, win 397, length 64

總結(jié)

以上是生活随笔為你收集整理的02Tcpdump命令详解-网络抓包工具的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。