The tcpdump command
Published: 2019-05-10


1 Overview

tcpdump is a sniffer: it captures every packet that passes through a network interface and decodes it for analysis. Common Linux distributions ship with tcpdump. Its general invocation is:
tcpdump [options] [expression]

2 Command options

-i option: specifies the interface to capture on. If it is omitted, tcpdump walks the system's interface list and uses the first one that matches.

~]# tcpdump -i eth0        # capture on eth0
~]# tcpdump -i any         # Linux kernel 2.2 and later support capturing on all interfaces

-w option: write the raw capture to a file; a file name of - means standard output.

~]# tcpdump -i eth0 -w - | strings     # show the printable strings in the captured packets
~]# tcpdump -i eth0 -w test.pcap       # write the capture to test.pcap

-nn option: the first n prints IP addresses instead of resolving host names; the second n prints port numbers instead of service (protocol) names.

~]# tcpdump -i eth1 -nn
08:32:08.828632 IP 192.168.0.100.54273 > 192.168.0.101.22: Flags [.], ack 95792, win 2053, length 0
08:32:08.828679 IP 192.168.0.101.22 > 192.168.0.100.54273: Flags [P.], seq 95792:96064, ack 129, win 159, length 272

-c option: the number of packets to capture; tcpdump exits once that many have been captured.

~]# tcpdump -i eth1 -c 1000

-C option: the maximum size of the output file; once it is exceeded, tcpdump continues writing into a new file. Normally used together with -w. The size is given in MB.

~]# tcpdump -i eth1 -w test.pcap -C 10  # limit each output file to 10 MB

-X option: print the packet contents in hex and ASCII.

~]# tcpdump -i eth1 -X
08:40:57.955505 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [.], seq 6011568:6013028, ack 1473, win 159, length 1460
    0x0000:  4510 05dc bdf9 4000 4006 f4f8 c0a8 0065  E.....@.@......e
    0x0010:  c0a8 0064 0016 d401 eff8 7227 0aa1 3f84  ...d......r'..?.
    0x0020:  5010 009f 87e8 0000 05da 443d ac31 b06b  P.........D=.1.k
    0x0030:  7c5a 366e c0df af68 cb7c 0319 69ae afcb  |Z6n...h.|..i...
    0x0040:  05b4 4416 9270 8be6 f03e fef2 05d1 18fd  ..D..p...>......
    0x0050:  bdbc e661 3fe3 0b3d 7ac2 ca33 bd8e 462c  ...a?..=z..3..F,

-XX option: print the packet contents in hex and ASCII including the link-layer header (-X omits the link layer).

~]# tcpdump -i eth1 -XX
08:42:44.475363 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [.], seq 2845745:2848665, ack 704, win 159, length 2920
    0x0000:  5800 e35b 5ed5 000c 29a3 d63e 0800 4510  X..[^...)..>..E.
    0x0010:  0b90 c788 4000 4006 e5b5 c0a8 0065 c0a8  ....@.@......e..
    0x0020:  0064 0016 d401 f026 6797 0aa1 4564 5010  .d.....&g...EdP.
    0x0030:  009f 8d9c 0000 97fc 8d09 ab92 41d4 dc15  ............A...
    0x0040:  ed01 6875 1250 ecca 42d2 9476 6b23 cd5f  ..hu.P..B..vk#._
    0x0050:  9f15 411f dfb2 d310 0b29 8b4f 4ff4 2b68  ..A......).OO.+h

-A option: print the packet contents in ASCII.

~]# tcpdump -i eth1 -A
08:44:21.673333 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [.], seq 3121105:3124025, ack 704, win 159, length 2920
E....'@.@......e...d.....X...J.P.......4.nA.W.6(.F.\.A.....   |.x=.!..aE.}..........=..."...)T,6..`...?3..T...Pd....RN

-D option: list the network interfaces available on this machine.

~]# tcpdump -D
1.eth1
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo

-S option: print absolute TCP sequence numbers instead of relative ones.

~]# tcpdump -i eth1 -S
08:51:22.930725 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 4033163239:4033163431, ack 178352484, win 159, length 192
08:51:22.930764 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 4033163431:4033163735, ack 178352484, win 159, length 304
08:51:22.930859 IP 192.168.0.100.54273 > 192.168.0.101.ssh: Flags [.], ack 4033163735, win 2053, length 0
08:51:22.930865 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 4033163735:4033163927, ack 178352484, win 159, length 192
08:51:22.930909 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 4033163927:4033164231, ack 178352484, win 159, length 304

-s option: the number of bytes to capture from each packet (the snapshot length); the default is 65535.

~]# tcpdump -i eth1 -s 1024

-t option: do not print timestamps.

~]# tcpdump -i eth1 -t
IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 90880:91040, ack 1, win 159, length 160
IP 192.168.0.100.54273 > 192.168.0.101.ssh: Flags [.], ack 91040, win 2048, length 0
IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 91040:91280, ack 1, win 159, length 240
IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 91280:91440, ack 1, win 159, length 160

-tt option: print the timestamp as seconds since 1970-01-01, with microseconds.

~]# tcpdump -i eth1 -tt
1522770881.814290 IP 192.168.0.100.54273 > 192.168.0.101.ssh: Flags [.], ack 365345, win 2053, length 0
1522770881.814301 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 365345:365521, ack 128, win 159, length 176
1522770881.814369 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 365521:365809, ack 128, win 159, length 288
1522770881.814460 IP 192.168.0.100.54273 > 192.168.0.101.ssh: Flags [.], ack 365809, win 2051, length 0
1522770881.814468 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 365809:365985, ack 128, win 159, length 17

-v option: verbose output (IP header fields such as TTL, ID, flags and checksum).

~]# tcpdump -i eth1 -v
08:58:35.950388 IP (tos 0x10, ttl 64, id 63475, offset 0, flags [DF], proto TCP (6), length 552)
    192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], cksum 0x8434 (incorrect -> 0x0c6f), seq 369712:370224, ack 65, win 159, length 512
08:58:35.950495 IP (tos 0x0, ttl 128, id 17636, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.100.54273 > 192.168.0.101.ssh: Flags [.], cksum 0x50d3 (correct), ack 370224, win 2053, length 0
08:58:35.950507 IP (tos 0x10, ttl 64, id 63476, offset 0, flags [DF], proto TCP (6), length 344)

-vv option: even more verbose output.

~]# tcpdump -i eth1 -vv
08:59:40.972415 IP (tos 0x10, ttl 64, id 5377, offset 0, flags [DF], proto TCP (6), length 552)
    192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], cksum 0x8434 (incorrect -> 0x5ba8), seq 2963297:2963809, ack 704, win 159, length 512
08:59:40.972461 IP (tos 0x10, ttl 64, id 5378, offset 0, flags [DF], proto TCP (6), length 344)
    192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], cksum 0x8364 (incorrect -> 0x0740), seq 2963809:2964113, ack 704, win 159, length 304
08:59:40.972461 IP (tos 0x0, ttl 128, id 21379, offset 0, flags [DF], proto TCP (6), length 40)

-r option: read packets from a capture file instead of a live interface.

~]# tcpdump -r test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
09:00:49.171533 IP 192.168.0.101.ssh > 192.168.0.100.54273: Flags [P.], seq 4037798087:4037798231, ack 178364420, win 159, length 144
09:00:49.172084 IP 192.168.0.100.54273 > 192.168.0.101.ssh: Flags [.], ack 144, win 2047, length 0
09:00:59.295931 IP 192.168.0.100.54586 > 192.168.0.101.ssh: Flags [P.], seq 4153344934:4153344998, ack 1802289491, win 2049, length 64
09:00:59.295996 IP 192.168.0.101.ssh > 192.168.0.100.54586: Flags [.], ack 64, win 159, length 0
09:00:59.298608 IP 192.168.0.101.ssh > 192.168.0.100.54586: Flags [P.], seq 1:65, ack 64, win 159, length 64

3 Expressions

The expression describes the filter condition: only packets that satisfy it are captured, and packets that do not are discarded. The expression keywords fall into the following categories:
Type keywords: host, port, net, portrange
Direction keywords: src, dst
Protocol keywords: ether, arp, ip, tcp, udp
Logical keywords: and, or, not
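As an added example (not part of the original post), a small Python parser for the one-line format that tcpdump -nn prints, with a post-capture filter that mirrors the host/port/src/dst keywords above; the sample lines are constructed for this example (the first two copy the -nn output shown earlier), and the parser only handles the IPv4 TCP lines of that shape.

```python
import re
from collections import Counter

# Shape of a "tcpdump -nn" TCP line: HH:MM:SS.us IP src.sport > dst.dport: Flags [F], ..., length n
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)

def parse_line(line):
    """Parse one tcpdump -nn line into a dict; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])  # ports and payload length as integers
    return rec

def matches(rec, host=None, port=None, src=None, dst=None):
    """Post-capture filter: host/port match either end, src/dst only the named end."""
    return ((host is None or host in (rec["src"], rec["dst"]))
            and (port is None or port in (rec["sport"], rec["dport"]))
            and (src is None or rec["src"] == src)
            and (dst is None or rec["dst"] == dst))

def summarize(lines, **filt):
    """Return (matching line count, TCP payload bytes per (src, sport, dst, dport) flow)."""
    flows = Counter()
    kept = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches(rec, **filt):
            continue  # unparsable line (e.g. "reading from file ...") or filtered out
        kept += 1
        flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += rec["length"]
    return kept, flows

# Constructed sample: the first two lines copy the -nn output above, the third is made up.
SAMPLE = [
    "08:32:08.828632 IP 192.168.0.100.54273 > 192.168.0.101.22: Flags [.], ack 95792, win 2053, length 0",
    "08:32:08.828679 IP 192.168.0.101.22 > 192.168.0.100.54273: Flags [P.], seq 95792:96064, ack 129, win 159, length 272",
    "08:32:09.100001 IP 192.168.0.100.54273 > 192.168.0.101.22: Flags [P.], seq 129:193, ack 96064, win 2053, length 64",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, host="192.168.0.101", port=22))
```

Feed it the saved text output of tcpdump -nn (for example from a file written with -w - piped through tcpdump -r - -nn) to get per-flow byte counts for a host or port without re-running the capture.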

4 Common usage

Reprinted from: http://ygcmb.baihongyu.com/
