10.22 tcpdump: monitoring network traffic
Published: 2024/9/3
豆豆
【Description】
The tcpdump command is a packet-capture and analysis tool. It captures the complete headers of the packets passing over the network so that they can be analysed, supports filtering by network layer, protocol, host, port and so on, and supports and, or and not logic for combining filters so that only the relevant traffic is shown. When tcpdump runs it first switches the network card into promiscuous mode; because this changes the working mode of the network interface, tcpdump must be run as root.

【Syntax】
tcpdump [option] [expression]
tcpdump [options] [expression]

Table 10-23 tcpdump options and their meaning

Option            Description
-A                Print each packet in ASCII (the link-layer header is not shown). Convenient for reading the data when capturing packets that carry web page content.
-c <count>        Exit after the specified number of packets has been received.
-e                Include the data-link-layer header of the packet on each printed line.
-i <interface>    The network interface on which to listen for packets.
-n                Do not resolve names with DNS, which speeds up the display.
-nn               Do not convert protocol and port numbers into names either.
-q                Quick output: only the protocol summary of each packet is shown, so the output is shorter.
-s <snaplen>      Number of bytes to capture from each packet. If not set the default is 68 bytes; 0 makes tcpdump choose a suitable length automatically.
-t                Do not print a timestamp on each output line.
-tt               Print an unformatted timestamp on each output line.
-ttt              Print the delay between the current line and the previous line.
-tttt             Print the date in front of the timestamp on each line.
-ttttt            Print the delay between the current line and the first line.
-v                Print detailed information about what the command is doing.
-vv               More detailed output than -v.
-vvv              More detailed output than -vv.

【Usage examples】
Run tcpdump with no arguments to listen to the network.
[root@lewen ~]# tcpdump    # By default tcpdump watches every packet passing through the first network interface.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
...
Without a filter expression, the amount of data tcpdump prints is very large.

Condense the output:
[root@lewen ~]# tcpdump -q
04:08:32.963134 IP lewen.ssh > 10.0.0.1.10662: tcp 180
04:08:32.963256 IP lewen.ssh > 10.0.0.1.10662: tcp 116
04:08:32.963325 IP 10.0.0.1.10662 > lewen.ssh: tcp 0
04:08:32.963390 IP lewen.ssh > 10.0.0.1.10662: tcp 180
04:08:32.963492 IP lewen.ssh > 10.0.0.1.10662: tcp 116
04:08:32.964604 IP lewen.ssh > 10.0.0.1.10662: tcp 116

[root@lewen ~]# tcpdump -c 5    # -c sets the number of packets to capture, so there is no need to press Ctrl+C.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:09:50.191752 IP lewen.ssh > 10.0.0.1.10662: Flags [P.], seq 3827665832:3827666044, ack 1911166938, win 274, length 212
04:09:50.192434 IP lewen.44182 > public1.alidns.com.domain: 5716+ PTR? 1.0.0.10.in-addr.arpa. (39)
04:09:50.245211 IP 10.0.0.1.10662 > lewen.ssh: Flags [.], ack 212, win 8212, length 0
04:09:50.257155 IP public1.alidns.com.domain > lewen.44182: 5716 NXDomain 0/1/0 (116)
04:09:50.258230 IP lewen.36787 > public1.alidns.com.domain: 45732+ PTR? 81.0.0.10.in-addr.arpa. (40)
5 packets captured
21 packets received by filter
0 packets dropped by kernel

Listen for packets on a specified network interface
[root@lewen ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:11:33.924611 IP 10.0.0.1.10662 > lewen.ssh: Flags [.], ack 651624, win 8209, length 0
04:11:33.924679 IP lewen.ssh > 10.0.0.1.10662: Flags [P.], seq 651624:651884, ack 105, win 274, length 260
04:11:33.924776 IP lewen.ssh > 10.0.0.1.10662: Flags [P.], seq 651884:652048, ack 105, win 274, length 164
04:11:33.924834 IP 10.0.0.1.10662 > lewen.ssh: Flags [.], ack 652048, win 8207, length 0
04:11:33.924901 IP lewen.ssh > 10.0.0.1.10662: Flags [P.], seq 652048:652308, ack 105, win 274, length 260
04:11:33.929182 IP lewen.ssh > 10.0.0.1.10662: Flags [P.], seq 652308:652472, ack 105, win 274, length 164
04:11:33.931108 IP 10.0.0.1.10662 > lewen.ssh: Flags [.], ack 652472, win 8212, length 0
04:11:33.931140 IP lewen.ssh > 10.0.0.1.10662: Flags [P.], seq 652472:652636, ack 105, win 274, length 164

Taking the last line as an example:
04:11:33.931140: the current time, to microsecond precision.
IP lewen.ssh > 10.0.0.1.10662: data sent from the SSH port of host lewen to port 10662 of 10.0.0.1; ">" shows the direction of the data flow.
Flags [P.]: the flag bits of the TCP segment. S is short for SYN; the others are F (FIN), P (PUSH), R (RST) and "." (no flag).
seq: the sequence number of the data in the packet.
ack: the sequence number expected next.
win: the size of the receive buffer window.
length: the packet length.

Listen for packets of a specified host
[root@lewen ~]# tcpdump -n host 10.0.0.1    #<== -n disables DNS resolution, which speeds up the display. The keyword for a host is host, followed directly by a hostname or IP address; this command captures every packet sent or received by 10.0.0.1.
[root@lewen ~]# tcpdump -n src host 10.0.0.1    #<== capture only packets sent by 10.0.0.1, i.e. with source address 10.0.0.1; the keyword is src (source).
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:20:55.821984 IP 10.0.0.1.14389 > 10.0.0.7.ssh: Flags [.], ack 3862927143, win 4106, length 0
20:20:55.866408 IP 10.0.0.1.14389 > 10.0.0.7.ssh: Flags [.], ack 149, win 4105, length 0
20:20:55.907580 IP 10.0.0.1.14389 > 10.0.0.7.ssh: Flags [.], ack 297, win 4105, length 0
20:20:55.950705 IP 10.0.0.1.14389 > 10.0.0.7.ssh: Flags [.], ack 445, win 4104, length 0
20:20:55.991940 IP 10.0.0.1.14389 > 10.0.0.7.ssh: Flags [.], ack 593, win 4103, length 0
20:20:56.032129 IP 10.0.0.1.14389 > 10.0.0.7.ssh: Flags [.], ack 741, win 4103, length 0
[root@lewen ~]# tcpdump -n dst host 10.0.0.1    #<== capture only packets received by 10.0.0.1, i.e. with destination address 10.0.0.1; the keyword is dst (destination).
20:22:13.074240 IP 10.0.0.7.ssh > 10.0.0.1.14389: Flags [P.], seq 506496:506660, ack 53, win 252, length 164
20:22:13.074331 IP 10.0.0.7.ssh > 10.0.0.1.14389: Flags [P.], seq 506660:506824, ack 53, win 252, length 164

Listen for packets on a specified port
[root@lewen ~]# tcpdump -nn port 22    # -n disables DNS resolution but still converts some protocols and ports into names, for example port 22 becomes ssh, so this example uses -nn. The keyword for a port is port, followed by the port number.
20:24:26.193100 IP 10.0.0.1.14389 > 10.0.0.7.22: Flags [.], ack 556296, win 4101, length 0
20:24:26.193225 IP 10.0.0.7.22 > 10.0.0.1.14389: Flags [P.], seq 556296:556556, ack 105, win 252, length 260
20:24:26.193535 IP 10.0.0.7.22 > 10.0.0.1.14389: Flags [P.], seq 556556:556720, ack 105, win 252, length 164

Listen for packets of a specified protocol
[root@lewen ~]# tcpdump -n arp    #<== capture ARP packets; the expression is simply arp.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:26:43.219758 ARP, Request who-has 10.0.0.96 tell 10.0.0.210, length 46
20:26:43.511133 ARP, Request who-has 10.0.0.95 tell 10.0.0.210, length 46
20:26:44.224050 ARP, Request who-has 10.0.0.96 tell 10.0.0.210, length 46
20:26:44.512986 ARP, Request who-has 10.0.0.95 tell 10.0.0.210, length 46
20:26:45.230012 ARP, Request who-has 10.0.0.96 tell 10.0.0.210, length 46
[root@lewen ~]# tcpdump -n icmp    #<== capture ICMP packets (to see output like the lines below, ping this host from another machine).
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:27:31.377258 IP 10.0.0.210 > 10.0.0.2: ICMP 10.0.0.210 udp port 49207 unreachable, length 127
20:27:31.479590 IP 10.0.0.210 > 10.0.0.2: ICMP 10.0.0.210 udp port 48776 unreachable, length 135
Common protocol keywords are ip, arp, icmp, tcp and udp.

Combining multiple filter conditions
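The host, src/dst, port and protocol keywords shown above, and the and / or / ! operators this section combines them with, can be tried offline against captured text with the following Python model. This is an added example, not code from the original article and not part of tcpdump: it reduces lines in the -n output format to protocol and endpoints (the sample lines are copied from the page's own captures, with the long TCP option lists trimmed) and evaluates a subset of tcpdump's filter expression syntax over them. The one rule worth noticing is qualifier inheritance: as in tcpdump, a bare value such as the `! 10.0.0.1` in the next example reuses the `ip host` qualifiers of the primitive before it.

```python
import re

# Constructed sample in the -n output format (numeric hosts, well-known ports still
# named), copied from the page's captures above with the long TCP option lists trimmed.
SAMPLE = [
    "20:29:42.366445 IP 10.0.0.210.51642 > 10.0.0.7.zabbix-agent: Flags [S], seq 1999440710, win 29200, length 0",
    "20:22:13.074240 IP 10.0.0.7.ssh > 10.0.0.1.14389: Flags [P.], seq 506496:506660, ack 53, win 252, length 164",
    "20:24:26.193100 IP 10.0.0.1.14389 > 10.0.0.7.22: Flags [.], ack 556296, win 4101, length 0",
    "20:26:43.219758 ARP, Request who-has 10.0.0.96 tell 10.0.0.210, length 46",
    "20:27:31.377258 IP 10.0.0.210 > 10.0.0.2: ICMP 10.0.0.210 udp port 49207 unreachable, length 127",
]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PROTOS = {"ip", "tcp", "udp", "icmp", "arp"}
STOP = (None, "and", "or")               # tokens that cannot be a primitive's value

def split_endpoint(ep):
    m = re.match(rf"^({IPV4})(?:\.([^\s:]+))?$", ep)   # '10.0.0.7.ssh' -> ('10.0.0.7', 'ssh')
    if m:
        return m.group(1), m.group(2)                   # a bare address has no port
    host, _, port = ep.rpartition(".")                  # hostname.port, e.g. lewen.ssh
    return (host, port) if host else (ep, None)

def parse_line(line):
    # Reduce one tcpdump line to protocol and endpoints; None if unrecognised
    m = re.match(r"^\S+ (IP|ARP),? (.*)$", line)
    if m is None:
        return None
    if m.group(1) == "ARP":
        mm = re.search(rf"who-has ({IPV4}) tell ({IPV4})", m.group(2))
        return mm and {"proto": "arp", "src": mm.group(2), "sport": None,
                       "dst": mm.group(1), "dport": None}
    mm = re.match(r"(\S+) > ([^\s:]+):\s*(.*)$", m.group(2))
    if mm is None:
        return None
    (src, sport), (dst, dport) = split_endpoint(mm.group(1)), split_endpoint(mm.group(2))
    rest = mm.group(3)
    proto = ("tcp" if rest.startswith("Flags [") else "icmp" if rest.startswith("ICMP")
             else "udp" if rest.startswith("UDP") else "ip")   # "ip": other decoded payloads
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def proto_pred(name):                    # "ip" is every IP packet, i.e. everything except arp
    return lambda p: p["proto"] != "arp" if name == "ip" else p["proto"] == name

def field_pred(kind, direction, value):
    s, d = ("src", "dst") if kind == "host" else ("sport", "dport")
    sides = {"src": (s,), "dst": (d,), None: (s, d)}[direction]
    return lambda p: any(p[k] == value for k in sides)

class Filter:
    """Compile a subset of tcpdump filter syntax ([proto] [src|dst] [host|port] value,
    joined by and / or / !) into a predicate; a bare value reuses the last qualifiers."""
    def __init__(self, expr):
        self.toks = re.findall(r"!|[^\s!]+", expr)
        self.pos = 0
        self.last = (None, "host", None)  # inherited (proto, kind, direction)
        self.pred = self.expr()
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1] if self.pos <= len(self.toks) else None
    def expr(self):                       # expr := term ('or' term)*
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left
    def term(self):                       # term := factor ('and' factor)*
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left
    def factor(self):                     # factor := '!' factor | primitive
        if self.peek() == "!":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        return self.primitive()
    def primitive(self):
        proto, kind, direction = self.last
        tok = self.take()
        if tok in PROTOS:
            if self.peek() in STOP:
                return proto_pred(tok)    # standalone "arp", "icmp", ...
            proto, kind, direction, tok = tok, "host", None, self.take()
        if tok in ("src", "dst", "host", "port"):   # explicit qualifiers: no inheritance
            kind, direction = "host", None
            if tok in ("src", "dst"):
                direction, tok = tok, self.take()
            if tok in ("host", "port"):
                kind, tok = tok, self.take()
        if tok in STOP:
            raise ValueError("qualifier without a value")
        self.last = (proto, kind, direction)
        pred = field_pred(kind, direction, tok)
        return pred if proto is None else (lambda pp: lambda p: pp(p) and pred(p))(proto_pred(proto))

def apply_filter(expr, lines):
    pred = Filter(expr).pred              # unrecognised lines are dropped
    return [ln for ln in lines if (rec := parse_line(ln)) is not None and pred(rec)]
```

Two things the model makes visible. First, it compares ports as the strings tcpdump printed, so `apply_filter("port 22", SAMPLE)` matches the `10.0.0.7.22` line from the -nn capture but not the `10.0.0.7.ssh` line from the -n capture; that is exactly the reason the page switches to -nn when filtering by port number. Second, real tcpdump compiles the expression to a BPF program that runs on the raw packets in the kernel, so this text-level model only illustrates the semantics of the expression, not how the filtering is performed.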
The previous examples each used a single filter condition, but conditions can be combined, because tcpdump supports the logical operators and, or and ! (not).
[root@lewen ~]# tcpdump -n ip host 10.0.0.7 and ! 10.0.0.1    #<== capture the IP packets exchanged between host 10.0.0.7 and every host except 10.0.0.1.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:29:42.366445 IP 10.0.0.210.51642 > 10.0.0.7.zabbix-agent: Flags [S], seq 1999440710, win 29200, options [mss 1460,sackOK,TS val 75899232 ecr 0,nop,wscale 7], length 0
20:29:42.366483 IP 10.0.0.7.zabbix-agent > 10.0.0.210.51642: Flags [S.], seq 920922656, ack 1999440711, win 28960, options [mss 1460,sackOK,TS val 80531477 ecr 75899232,nop,wscale 7], length 0
20:29:42.366628 IP 10.0.0.210.51642 > 10.0.0.7.zabbix-agent: Flags [.], ack 1, win 229, options [nop,nop,TS val 75899232 ecr 80531477], length 0
20:29:42.366674 IP 10.0.0.210.51642 > 10.0.0.7.zabbix-agent: Flags [P.], seq 1:15, ack 1, win 229, options [nop,nop,TS val 75899232 ecr 80531477], length 14
20:29:42.366681 IP 10.0.0.7.zabbix-agent > 10.0.0.210.51642: Flags [.], ack 15, win 227, options [nop,nop,TS val 80531477 ecr 75899232], length 0
20:29:42.371129 IP 10.0.0.210.51644 > 10.0.0.7.zabbix-agent: Flags [S], seq 2767440940, win 29200, options [mss 1460,sackOK,TS val 75899236 ecr 0,nop,wscale 7], length 0
20:29:42.371153 IP 10.0.0.7.zabbix-agent > 10.0.0.210.51644: Flags [S.], seq 3632462468, ack 2767440941, win 28960, options [mss 1460,sackOK,TS val 80531482 ecr 75899236,nop,wscale 7], length 0
20:29:42.371313 IP 10.0.0.210.51644 > 10.0.0.7.zabbix-agent: Flags [.], ack 1, win 229, options [nop,nop,TS val 75899237 ecr 80531482], length 0
20:29:42.371397 IP 10.0.0.210.51644 > 10.0.0.7.zabbix-agent: Flags [P.], seq 1:25, ack 1, win 229, options [nop,nop,TS val 75899237 ecr 8

Case study: using tcpdump captures to explain TCP/IP connection setup and teardown in detail
1) The three phases of a normal TCP connection.
- SYN (Synchronize Sequence Numbers): this flag is only valid during the three-way handshake that establishes a TCP connection; it indicates a new TCP connection request.
- ACK (Acknowledgement Number): the flag that acknowledges a TCP request; it also tells the peer that the system has successfully received all the data.
- FIN (FINish): used to end a TCP session. The corresponding port remains open, ready to receive subsequent data.
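To tie the field explanation above (timestamp, direction, Flags, seq, ack, win, length) to the SYN / ACK / FIN phases, here is an added Python example, not from the original article and not part of tcpdump, that parses TCP lines in the format shown above and replays them to follow each connection through the three-way handshake. The first four sample lines are the page's own zabbix-agent capture (SYN, SYN-ACK, ACK, then the first data segment); the fifth, a SYN to port 8080 that never gets a reply, is constructed to show what a half-open flow looks like.

```python
import re

# Sample lines. The first four are the page's own capture of a connection from
# 10.0.0.210 to the zabbix-agent port on 10.0.0.7 (SYN, SYN-ACK, ACK, then the
# first data segment). The fifth is a constructed SYN that is never answered.
SAMPLE = [
    "20:29:42.366445 IP 10.0.0.210.51642 > 10.0.0.7.zabbix-agent: Flags [S], seq 1999440710, win 29200, options [mss 1460,sackOK,TS val 75899232 ecr 0,nop,wscale 7], length 0",
    "20:29:42.366483 IP 10.0.0.7.zabbix-agent > 10.0.0.210.51642: Flags [S.], seq 920922656, ack 1999440711, win 28960, options [mss 1460,sackOK,TS val 80531477 ecr 75899232,nop,wscale 7], length 0",
    "20:29:42.366628 IP 10.0.0.210.51642 > 10.0.0.7.zabbix-agent: Flags [.], ack 1, win 229, options [nop,nop,TS val 75899232 ecr 80531477], length 0",
    "20:29:42.366674 IP 10.0.0.210.51642 > 10.0.0.7.zabbix-agent: Flags [P.], seq 1:15, ack 1, win 229, options [nop,nop,TS val 75899232 ecr 80531477], length 14",
    "20:29:43.000000 IP 10.0.0.210.51700 > 10.0.0.7.8080: Flags [S], seq 1, win 29200, length 0",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")

def split_endpoint(ep):
    """'lewen.ssh' -> ('lewen', 'ssh'); '10.0.0.1.10662' -> ('10.0.0.1', '10662')."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse_tcp_line(line):
    """Split one TCP line into the fields the text explains; None for non-TCP lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    def number(name):                    # first integer after "seq", "ack", "win" or "length"
        mm = re.search(rf"\b{name} (\d+)", m["rest"])
        return int(mm.group(1)) if mm else None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": m["flags"], "seq": number("seq"), "ack": number("ack"),
            "win": number("win"), "length": number("length")}

def track_flows(lines):
    """Replay the lines and return the state of each flow, keyed by
    (client, client port, server, server port); the client is whoever sent the SYN."""
    flows = {}
    for line in lines:
        p = parse_tcp_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # this packet's sender -> receiver
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        key = fwd if fwd in flows else rev if rev in flows else None
        f = p["flags"]
        if f == "S":                      # step 1: SYN without ACK opens a new flow
            flows[fwd] = "SYN_SENT"
        elif key is None:
            continue                      # mid-stream traffic whose SYN was never captured
        elif "R" in f:
            flows[key] = "RESET"
        elif "F" in f:
            flows[key] = "CLOSING"        # FIN: one side has finished sending
        elif f == "S." and key == rev and flows[key] == "SYN_SENT":
            flows[key] = "SYN_RECEIVED"   # step 2: the server's SYN-ACK
        elif "." in f and key == fwd and flows[key] == "SYN_RECEIVED":
            flows[key] = "ESTABLISHED"    # step 3: the client's ACK completes the handshake
    return flows

def half_open(flows):
    """Flows whose handshake never completed. Many of these from one source within a
    short time is the signature of a SYN scan or SYN flood and is worth alerting on."""
    return sorted(k for k, s in flows.items() if s in ("SYN_SENT", "SYN_RECEIVED"))

if __name__ == "__main__":
    for key, state in track_flows(SAMPLE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {state}")
```

One detail of tcpdump's notation that the tracker relies on: the letters inside the brackets are S, F, P, R and so on, but the ACK bit is never listed there; a segment whose only flag is ACK is printed as `[.]`, and the acknowledgement number itself appears in the separate `ack` field. That is why a bare `[.]` from the client while the flow is in SYN_RECEIVED is taken as the third step of the handshake, and why `[S.]` is a SYN-ACK rather than a SYN.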