Linux抓包工具–Tcpdump
描述
Tcpdump – dump traffic on a network;
tcpdump是类Unix系统下用于网络分析的问题排查的工具;
tcpdump支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语句进行详细匹配;
命令解释
- 命令格式
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q|-P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
-
简易理解命令格式
tcpdump [option] [proto] [dir] [type]
- option 指 -csivw 等可选参数
- proto 指 tcp/udp/icmp/arp/ip/ip6 等网络协议过滤规则
- dir 指 src/dst 报文方向过滤规则
- type 指 host/net/port/portrange 等报文详细信息过滤规则
-
报文输出结构
16:12:59.147595 IP 172.16.36.216.8190 > 120.2.2.100.35688: Flags [P.], seq 306:324, ack 239, win 1143, options [nop,nop,TS val 114256936 ecr 4089685146], length 18
- 第一列:报文抓取时间信息(16:12:59.147595)
- 第二列:报文网络协议(IP)
- 第三列:报文源ip和端口号(172.16.36.216.8190)
- 第四列:数据流向(>)
- 第五列:报文目的ip和端口号(120.2.2.100.35688)
- 第六列:报文详细内容
使用方式
-
tcpdump常用选项
选项 描述 -D 列出可监听的接口 -i 指定监听接口,默认监听第一个网络接口 -P/Q 设置抓取的包是进(in)还是出(out),默认抓取双向(inout) -s 设置截取数据包文的长度,默认截取96字节,0表示报文全部内容 -c 设置抓取的报文数,达到数量后自动退出 -q 简洁打印 -n 打印报文信息中ip地址显示为数字,即不将ip转为域名 -nn 打印报文信息中ip地址和端口号均显示为数字,否则显示为主机名和端口服务名 -e 打印报文信息中显示源、目的mac -XX 打印报文信息同时输出16进制和ASCII的头部信息 -vv 更加详细的打印报文信息 -w 将抓取的报文写入到文件 -r 从文件中读取报文并显示 -C 限制写入文件的大小,单位1000000byte,达到限制后生成新文件 -G 限制写入文件的时间,单位s(秒),达到限制后生成新文件 -
选项示例
- 指定监听接口
[root@centos-36_2 tmp]# tcpdump -i em2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:28:31.595244 IP 120.0.11.222.snmp > centos-36_2.44722: GetResponse(196) interfaces.ifTable.ifEntry.ifAdminStatus.1=1 16:28:31.602364 IP centos-36_2.ssh > 172.16.36.25.evb-elm: Flags [P.], seq 447760258:447760498, ack 2828329192, win 160, length 240 16:28:31.602617 IP 172.16.36.25.evb-elm > centos-36_2.ssh: Flags [.], ack 240, win 8209, length 0 [root@centos-36_2 tmp]#
- 监听接口时不做主机名解析
[root@centos-36_2 tmp]# tcpdump -i em2 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:33:53.219281 IP 172.16.36.2.ssh > 172.16.36.25.evb-elm: Flags [P.], seq 448755026:448755266, ack 2828334664, win 160, length 240 16:33:53.219503 IP 172.16.36.2.ssh > 172.16.36.25.evb-elm: Flags [P.], seq 240:464, ack 1, win 160, length 224 [root@centos-36_2 tmp]#
- 监听接口时不做主机名和端口服务名解析
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 3 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:37:20.941472 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 449317922:449318162, ack 2828340520, win 160, length 240 16:37:20.941693 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 240, win 8208, length 0 16:37:20.941763 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 240:464, ack 1, win 160, length 224 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 监听接口时仅捕获入方向报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c3 -P in Warning: -P switch is not compatible with the upstream version. You should use -Q instead. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:43:55.240671 IP 120.0.11.136.161 > 172.16.36.2.44722: GetResponse(51) .1.3.6.1.6.3.1.1.6.1.0=1461109654 .1.3.6.1.6.3.1.1.6.1.0=1461109654 16:43:55.241257 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 449356178, win 8209, length 0 16:43:55.281595 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 193, win 8208, length 0 3 packets captured 8 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 监听接口时截取报文部分信息
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c3 -s 40 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 40 bytes 17:05:45.292772 IP 172.16.36.2.22 > 172.16.36.25.1504: [|tcp] 17:05:45.292970 IP 172.16.36.2.22 > 172.16.36.25.1504: [|tcp] 17:05:45.293025 IP 172.16.36.25.1504 > 172.16.36.2.22: [|tcp] 3 packets captured 5 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 监听接口时简洁打印报文信息
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c3 -q tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 17:03:37.927450 IP 172.16.36.2.22 > 172.16.36.25.1504: tcp 240 17:03:37.927631 IP 172.16.36.25.1504 > 172.16.36.2.22: tcp 0 17:03:37.927697 IP 172.16.36.2.22 > 172.16.36.25.1504: tcp 160 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 监听接口时打印报文mac信息
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -e tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 17:34:52.798600 04:f9:38:d8:1c:30 > 01:80:c2:00:00:00, 802.3, length 105: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102 17:34:53.156985 14:18:77:33:97:d6 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 70: 192.166.160.22.62553 > 255.255.255.255.1092: UDP, length 28 2 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 监听接口时打印报文16进制和ASCII的头部信息
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -XX tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 17:36:29.365933 ARP, Request who-has 192.166.160.2 tell 192.166.160.12, length 46 0x0000: ffff ffff ffff 80f6 2e11 3b13 0806 0001 ..........;..... 0x0010: 0800 0604 0001 80f6 2e11 3b13 c0a6 a00c ..........;..... 0x0020: 0000 0000 0000 c0a6 a002 0000 0000 0000 ................ 0x0030: 0000 0000 0000 0000 0000 0000 ............ 17:36:29.823062 ARP, Request who-has 192.166.160.2 tell 192.166.160.22, length 46 0x0000: ffff ffff ffff 1418 7733 97d6 0806 0001 ........w3...... 0x0010: 0800 0604 0001 1418 7733 97d6 c0a6 a016 ........w3...... 0x0020: 0000 0000 0000 c0a6 a002 0000 0000 0000 ................ 0x0030: 0000 0000 0000 0000 0000 0000 ............ 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 监听接口时打印报文详细信息
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -vv tcpdump: listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 17:37:05.966828 IP (tos 0x0, ttl 128, id 32746, offset 0, flags [none], proto UDP (17), length 78) 192.166.160.68.137 > 192.166.160.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0xD1EC OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=TSS.UPDRV.COM NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 1 packets captured 1 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 监听接口时将抓取的报文写入文件
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -w mypacket.pcap tcpdump: listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# ll mypacket.pcap \-rw-r--r-- 1 tcpdump tcpdump 208 8月 9 17:39 mypacket.pcap [root@centos-36_2 tmp]#
- 读取文件中的报文信息
[root@centos-36_2 tmp]# tcpdump -nn -r mypacket.pcap reading from file mypacket.pcap, link-type EN10MB (Ethernet) 17:39:10.643065 IP 192.166.160.22.137 > 192.166.160.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST 17:39:10.911644 ARP, Request who-has 192.166.160.26 tell 192.166.160.29, length 46 [root@centos-36_2 tmp]#
- 监听接口将报文写入文件,达到2min或文件大小超过1M时生成新文件
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -w /tmp/capture-%H%M.pcap -G 120 -C 1& [1] 86939 [root@centos-36_2 tmp]# tcpdump: listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# ll -h | grep capture \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:13 capture-1511.pcap \-rw-r--r-- 1 tcpdump tcpdump 528K 8月 10 15:13 capture-1511.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 982K 8月 10 15:15 capture-1513.pcap \-rw-r--r-- 1 tcpdump tcpdump 245K 8月 10 15:15 capture-1513.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:16 capture-1515.pcap \-rw-r--r-- 1 tcpdump tcpdump 738K 8月 10 15:17 capture-1515.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:19 capture-1517.pcap \-rw-r--r-- 1 tcpdump tcpdump 527K 8月 10 15:19 capture-1517.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:20 capture-1519.pcap \-rw-r--r-- 1 tcpdump tcpdump 364K 8月 10 15:21 capture-1519.pcap1 [root@centos-36_2 tmp]#
-
tcpdump常用过滤条件
过滤条件 描述 ether 过滤指定二层协议的报文 host 过滤指定ip的报文 net 过滤指定ip网段的报文 port 过滤指定端口的报文 portrange 过滤指定端口范围的报文 tcp 过滤tcp报文 udp 过滤udp报文 icmp 过滤icmp报文 arp 过滤arp报文 src 指定过滤规则为源(ip/prot) dst 指定过滤规则为目的(ip/prot) 过滤条件之间可以使用
and/or/not
(&&/||/!
)进行组合; -
过滤条件示例
- 过滤指定目的mac的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c2 -e ether dst 28:a6:db:b6:46:7e tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:53:49.879219 44:a8:42:44:64:8d > 28:a6:db:b6:46:7e, ethertype IPv4 (0x0800), length 179: 172.16.36.2.44722 > 120.0.11.139.161: GetBulk(121) N=0 M=2 .1.3.6.1.2.1.10.127.1.1.1.1.1 .1.3.6.1.2.1.10.127.1.1.1.1.2 .1.3.6.1.2.1.10.127.1.1.1.1.6 .1.3.6.1.2.1.10.127.1.1.4.1.5 .1.3.6.1.2.1.10.127.1.1.4.1.6 .1.3.6.1.4.1.4491.2.1.20.1.24.1.1 18:53:49.891230 44:a8:42:44:64:8d > 28:a6:db:b6:46:7e, ethertype IPv4 (0x0800), length 66: 172.16.36.2.7799 > 120.0.61.253.12268: Flags [.], ack 651313966, win 716, options [nop,nop,TS val 3950308240 ecr 214005535], length 0 2 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤指定源ip的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 src host 172.16.36.25 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:26:43.685737 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 451414338, win 8208, length 0 18:26:43.727125 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 193, win 8207, length 0 18:26:43.770972 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 385, win 8207, length 0 3 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤ICMP报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:27:52.131020 IP 172.16.36.20 > 172.16.36.2: ICMP echo request, id 6994, seq 1, length 64 18:27:52.131062 IP 172.16.36.2 > 172.16.36.20: ICMP echo reply, id 6994, seq 1, length 64 18:27:53.143968 IP 172.16.36.20 > 172.16.36.2: ICMP echo request, id 6994, seq 2, length 64 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤目的端口号是22的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 dst port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:29:03.971793 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 451421250, win 8207, length 0 18:29:04.015298 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 193, win 8212, length 0 18:29:04.057272 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 385, win 8211, length 0 3 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤指定目的ip且指定源端口号的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 src port 22 and dst host 172.16.36.25 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:31:22.495543 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 451438898:451439138, ack 2828520008, win 160, length 240 18:31:22.495814 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 240:464, ack 1, win 160, length 224 18:31:22.495953 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 464:656, ack 1, win 160, length 192 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤指定目的ip1或ip2的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c2 "dst host 172.16.36.12 or 172.16.36.15" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:34:11.642070 IP 172.16.36.2 > 172.16.36.15: ICMP echo request, id 12190, seq 1, length 64 18:34:13.562678 IP 172.16.36.2 > 172.16.36.12: ICMP echo request, id 12193, seq 1, length 64 2 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 dst host "172.16.36.12 || 172.16.36.15" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:37:50.894034 IP 172.16.36.2 > 172.16.36.15: ICMP echo request, id 12421, seq 1, length 64 18:37:52.073669 IP 172.16.36.2 > 172.16.36.12: ICMP echo request, id 12423, seq 1, length 64 18:37:56.590839 ARP, Request who-has 172.16.36.12 tell 172.16.36.3, length 46 3 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
-
tcpdump特殊过滤条件
proto [expr:size]
- proto:指定协议(ether/ip/arp/tcp/udp/icmp/ipv6);
- expr:为数值时表示与指定的协议头开始处的字节偏移量;也可以是一个表达式;
- size:是可选的,expr为数值时,size表示从字节偏移量开始取的字节数量;
length
- greater: 过滤长度大于n的报文
- less: 过滤长度小于n的报文
-
特殊过滤条件示例
- 过滤广播或组播mac报文
[root@centos-36_2 tmp]# tcpdump -i em1 -nn -c 2 -e ether broadcast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes 11:37:59.654385 14:18:77:33:97:d6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.166.160.1 tell 192.166.160.22, length 46 11:37:59.667181 80:f6:2e:11:3b:13 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.166.160.2 tell 192.166.160.12, length 46 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# tcpdump -i em1 -nn -c 2 -e ether multicast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes 11:38:18.565275 14:18:77:33:97:d6 > 33:33:00:01:00:03, ethertype IPv6 (0x86dd), length 84: fe80::ac98:797:791a:ae9b.64558 > ff02::1:3.5355: UDP, length 22 11:38:18.565292 14:18:77:33:97:d6 > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 64: 192.166.160.22.65051 > 224.0.0.252.5355: UDP, length 22 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤广播或组播ip报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ip broadcast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 11:39:50.102639 IP 172.16.36.34.481 > 255.255.255.255.748: UDP, length 86 11:39:50.102735 IP 172.16.36.34.481 > 255.255.255.255.748: UDP, length 80 2 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ip multicast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 11:39:59.399929 IP 172.16.36.62 > 224.0.0.18: VRRPv2, Advertisement, vrid 234, prio 200, authtype simple, intvl 1s, length 20 11:40:00.143633 IP 172.16.36.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 123, prio 200, authtype simple, intvl 1s, length 20 2 packets captured 12 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤IP头中total-length大于200的报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 "ip[2:2]>200" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 11:47:02.455478 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 451771858:451772098, ack 2828654792, win 165, length 240 11:47:02.455758 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 240:464, ack 1, win 165, length 224 2 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 过滤TCP且规定长度的报文
[root@OpenWrtEXT:my_script]#tcpdump -i eth0 -s 0 tcp and greater 83 -c 2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:33:32.987707 IP 172.16.36.217.8190 > 120.2.2.100.42828: Flags [P.], seq 1601883578:1601883596, ack 1366637051, win 1142, options [nop,nop,TS val 115460908 ecr 1430406092], length 18 19:33:34.333856 IP 172.16.36.215.8190 > 120.2.2.100.41168: Flags [P.], seq 18:36, ack 15, win 1143, options [nop,nop,TS val 115460969 ecr 4124341605], length 18 2 packets captured 8 packets received by filter 0 packets dropped by kernel [root@OpenWrtEXT:my_script]# [root@OpenWrtEXT:my_script]#tcpdump -i eth0 -s 0 tcp and less 83 -c 5 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:33:45.686332 IP 172.16.36.20.59870 > 172.16.36.25.6069: Flags [S], seq 2418787523, win 64240, options [mss 1460,sackOK,TS val 1145549881 ecr 0,nop,wscale 8], length 0 19:33:45.686339 IP 172.16.36.25.6069 > 172.16.36.20.59870: Flags [R.], seq 0, ack 2418787524, win 0, length 0 2 packets captured 11 packets received by filter 0 packets dropped by kernel [root@OpenWrtEXT:my_script]#
- 根据ip protocol字段过滤IGMP报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ip[9:1]=2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 13:58:35.993945 IP 172.16.36.24 > 224.0.0.1: igmp query v3 13:58:36.152321 IP 172.16.36.63 > 239.255.255.250: igmp v2 report 239.255.255.250 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 根据ether type字段过滤ARP报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ether[12:2]=2054 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 14:01:40.746018 ARP, Request who-has 172.16.36.156 tell 172.16.36.1, length 46 14:01:40.746484 ARP, Request who-has 172.16.36.157 tell 172.16.36.1, length 46 2 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
- 根据IGMP type字段过滤report报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 igmp[0:1]=22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 14:03:45.951527 IP 172.16.36.62 > 224.0.0.251: igmp v2 report 224.0.0.251 14:03:50.144141 IP 172.16.36.25 > 239.255.255.250: igmp v2 report 239.255.255.250 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#