tcpdump

Function: dumps traffic passing over the network; supports filtering by network layer, protocol, host and network port.

Syntax:

tcpdump [-adeflnNOpqStvx][-c<count>][-dd][-ddd][-F<expression file>][-i<interface>][-r<packet file>][-s<packet size>][-tt][-T<packet type>][-vv][-w<packet file>][output data fields]

Options:

  • -a Attempt to convert network and broadcast addresses to names.
  • -c<count> Stop dumping after the specified number of packets has been received.
  • -dd Dump the compiled packet-matching code in a human-readable form to standard output.
  • -dd Dump the compiled packet-matching code as a C program fragment to standard output.
  • -ddd Dump the compiled packet-matching code as decimal numbers to standard output.
  • -e Print the link-level header on each dump line.
  • -f Print internet addresses numerically.
  • -F<expression file> Read the filter expression from the specified file.
  • -i<interface> Capture packets on the specified network interface.
  • -l Line-buffer standard output.
  • -n Do not convert host addresses to names.
  • -N Do not print domain names.
  • -O Do not optimise the packet-matching code.
  • -p Do not put the interface into promiscuous mode.
  • -q Quick output: print only a minimum of protocol information.
  • -r<packet file> Read packet data from the specified file.
  • -s<packet size> Set the number of bytes captured from each packet.
  • -S Print absolute rather than relative TCP sequence numbers.
  • -t Do not print a timestamp on each dump line.
  • -tt Print an unformatted timestamp on each dump line.
  • -T<packet type> Force packets selected by the expression to be interpreted as the specified packet type.
  • -v Verbose output of the command's execution.
  • -vv Even more verbose output.
  • -x Print the packet data in hexadecimal.
  • -w<packet file> Write the packet data to the specified file.
  • Filter primitives can be combined with the logical operators and, or (with parentheses for grouping) and ! (not).

Examples:

tcpdump with no arguments: contents of TCP packets

[root@localhost ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:55:34.290764 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3376045293:3376045505, ack 1281327862, win 543, length 212
10:55:34.291183 IP localhost.58612 > 100.100.2.138.domain: 29854+ PTR? 115.57.125.106.in-addr.arpa. (45)
10:55:34.291469 IP 100.100.2.138.domain > localhost.58612: 29854 NXDomain 0/1/0 (133)
10:55:34.292536 IP localhost.48579 > 100.100.2.136.domain: 27411+ PTR? 138.2.100.100.in-addr.arpa. (44)
10:55:34.292633 IP 100.100.2.136.domain > localhost.48579: 27411 NXDomain* 0/1/0 (99)
10:55:34.292661 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 543, length 196
10:55:34.292851 IP localhost.35956 > 100.100.2.138.domain: 48688+ PTR? 136.2.100.100.in-addr.arpa. (44)
10:55:34.292888 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 543, length 244
10:55:34.293016 IP 100.100.2.138.domain > localhost.35956: 48688 NXDomain* 0/1/0 (99)

-c  Stop after the specified number of packets has been received

[root@localhost ~]# tcpdump -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:57:27.302769 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3376052129:3376052341, ack 1281328850, win 543, length 212
10:57:27.303301 IP localhost.54133 > 100.100.2.138.domain: 14853+ PTR? 115.57.125.106.in-addr.arpa. (45)
10:57:27.303525 IP 100.100.2.138.domain > localhost.54133: 14853 NXDomain 0/1/0 (133)
10:57:27.308711 IP localhost.59943 > 100.100.2.136.domain: 18986+ PTR? 138.2.100.100.in-addr.arpa. (44)
10:57:27.308793 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 543, length 196
10:57:27.308825 IP 100.100.2.136.domain > localhost.59943: 18986 NXDomain* 0/1/0 (99)
10:57:27.309048 IP localhost.58997 > 100.100.2.138.domain: 30470+ PTR? 136.2.100.100.in-addr.arpa. (44)
10:57:27.309222 IP 100.100.2.138.domain > localhost.58997: 30470 NXDomain* 0/1/0 (99)
10:57:27.309582 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 543, length 244
10:57:27.309830 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 652:1312, ack 1, win 543, length 660
10 packets captured
10 packets received by filter
0 packets dropped by kernel

-q  Concise output

[root@localhost ~]# tcpdump -qc 10 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:02:03.466815 IP localhost.ssh > 106.125.57.115.25483: tcp 212
11:02:03.467307 IP localhost.39442 > 100.100.2.138.domain: UDP, length 45
11:02:03.467590 IP 100.100.2.138.domain > localhost.39442: UDP, length 133
11:02:03.468566 IP localhost.55467 > 100.100.2.136.domain: UDP, length 44
11:02:03.468608 IP localhost.ssh > 106.125.57.115.25483: tcp 116
11:02:03.468806 IP 100.100.2.136.domain > localhost.55467: UDP, length 99
11:02:03.468948 IP localhost.42535 > 100.100.2.138.domain: UDP, length 44
11:02:03.468983 IP localhost.ssh > 106.125.57.115.25483: tcp 212
11:02:03.469058 IP 100.100.2.138.domain > localhost.42535: UDP, length 99
11:02:03.469299 IP localhost.ssh > 106.125.57.115.25483: tcp 484
10 packets captured
10 packets received by filter
0 packets dropped by kernel

-i  Capture every packet passing through the specified interface

[root@localhost ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:06:22.957358 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3376747721:3376747933, ack 1281350306, win 543, length 212
11:06:22.962253 IP localhost.41012 > 100.100.2.138.domain: 44494+ PTR? 115.57.125.106.in-addr.arpa. (45)
11:06:22.962471 IP 100.100.2.138.domain > localhost.41012: 44494 NXDomain 0/1/0 (133)
11:06:22.963652 IP localhost.53828 > 100.100.2.136.domain: 35310+ PTR? 138.2.100.100.in-addr.arpa. (44)
11:06:22.963731 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 543, length 196
11:06:22.963871 IP 100.100.2.136.domain > localhost.53828: 35310 NXDomain* 0/1/0 (99)
11:06:22.964053 IP localhost.36199 > 100.100.2.138.domain: 32069+ PTR? 136.2.100.100.in-addr.arpa. (44)
11:06:22.964088 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 543, length 244

host  Match the destination or source address (localhost in this example)

[root@localhost ~]# tcpdump -i eth0 host localhost -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:14:07.929107 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3397743149:3397743361, ack 1281356322, win 756, length 212
11:14:07.929461 IP localhost.34036 > 100.100.2.138.domain: 37099+ PTR? 115.57.125.106.in-addr.arpa. (45)
11:14:07.929672 IP 100.100.2.138.domain > localhost.34036: 37099 NXDomain 0/1/0 (133)
11:14:07.930558 IP localhost.35114 > 100.100.2.136.domain: 57200+ PTR? 138.2.100.100.in-addr.arpa. (44)
11:14:07.930608 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 756, length 196
11:14:07.930664 IP 100.100.2.136.domain > localhost.35114: 57200 NXDomain* 0/1/0 (99)
11:14:07.930877 IP localhost.40428 > 100.100.2.138.domain: 27290+ PTR? 136.2.100.100.in-addr.arpa. (44)
11:14:07.930913 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 756, length 244
11:14:07.931004 IP 100.100.2.138.domain > localhost.40428: 27290 NXDomain* 0/1/0 (99)
11:14:07.931215 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 652:1312, ack 1, win 756, length 660
10 packets captured
10 packets received by filter
0 packets dropped by kernel

Filter by port: -tnn dst port 80
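The one-line-per-packet output shown in the examples above is easy to post-process. The script below is an added example (not part of the original page) that reads tcpdump's default text output on stdin and summarises it into per-flow packet and byte counts, so a large or unexpected flow stands out; the sample lines are constructed in the format of the "tcpdump -c 10" output above, and the `summarize_flows` function name is this example's own.

```shell
#!/bin/sh
# Added example: summarise tcpdump text output into per-flow packet/byte totals.
# SAMPLE is constructed to match the default "tcpdump -c" output format on this page.
SAMPLE='10:57:27.302769 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3376052129:3376052341, ack 1281328850, win 543, length 212
10:57:27.303301 IP localhost.54133 > 100.100.2.138.domain: 14853+ PTR? 115.57.125.106.in-addr.arpa. (45)
10:57:27.303525 IP 100.100.2.138.domain > localhost.54133: 14853 NXDomain 0/1/0 (133)
10:57:27.308793 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 543, length 196
10:57:27.309830 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 652:1312, ack 1, win 543, length 660'

# Reads tcpdump output on stdin; prints "src > dst packets bytes", one flow
# per line, largest byte total first.
summarize_flows() {
    awk '
    # Only packet lines: field 2 is "IP", field 4 is the ">" direction marker.
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)          # strip the trailing colon from dst
        flow = $3 " > " dst
        len = 0
        if (match($0, / length [0-9]+$/)) {   # TCP lines end in "length N"
            len = substr($0, RSTART + 8)
        } else if (match($0, /\([0-9]+\)$/)) { # DNS/UDP lines end in "(N)"
            len = substr($0, RSTART + 1, RLENGTH - 2)
        }
        pkts[flow]++; bytes[flow] += len
    }
    END {
        for (f in pkts) printf "%s %d %d\n", f, pkts[f], bytes[f]
    }' | sort -k5,5nr
}

# Run on the constructed sample when executed directly:
printf '%s\n' "$SAMPLE" | summarize_flows
```

On a live host the same function works as `tcpdump -nn -c 100 | summarize_flows`; the -n/-nn options also suppress the PTR lookups that appear as the `.domain` lines in the captures above, which are tcpdump resolving addresses for its own display.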
