一文搞定tcpdump基本用法
一、一些简单的介绍
- 使用了独立于系统的libpcap的接口。libpcap是linux平台下的网络数据包捕获函数包,大多数网络监控软件都以它为基础。
- tcpdump将打印网络接口上与自己定义的布尔表达式相匹配的信息包的包头部分。
- -w选项可以将抓包数据保存下来,利用wireshark等工具进一步分析。解码分析时,分析的大部分对象都是16进制,所以一般都会用该参数配合wireshark使用
- -r选线可以指定从文件中读取抓包数据,而不是从网络接口(网卡)中读取数据包。
- -c选项可以指定tcpdump捕获一定数量的数据包,但是SIGINT(终止进程、ctrl+c)或SIGTERM(软件终止信号、kill(1))可以让tcpdump提前中断。
- 可以通过原语来进行针对某一协议、地址、主机或者端口的过滤。
- 使用tcpdump需要有root权限。
- 网卡的混杂模式:是网卡的一种工作模式,一般在抓取网卡数据包时使用。
- device eth0 entered promiscuous mode 是指网卡 eth0 进入了混杂模式。
- device eth0 left promiscuous mode 网卡 eth0 离开了混杂模式。
- ifconfig eth0 promisc 设置网卡eth0为混杂模式
- ifconfig eth0 -promisc 取消网卡eth0的混杂模式
二、原理的简单介绍
- 内核态的抓包原理
- BPF:是伯克利包过滤器。
- BufferQ:缓冲队列,供应程序读取的包。
- tcpdump调用libpcap的接口在linux系统链路层抓包。而linux本身指定的许多访问控制规则都是基于三层或三层以上的过滤规则,所以tcpdump可以抓取过滤规则之前的数据包。
- 网络中数据包的分类
- 广播包:指IP子网内广播的数据包。适用范围较小只在本地子网有效。通过路由器和网络设备控制传输。
- 单播包:发送者和每一接受者中点对点的网络连接。
- 组播包:借助组播路由协议建立树形路由,在尽可能远的分岔路口才开始复制和奋发。(224.0.0.0~224.0.0.255是预留的组播地址)
- 网卡的不同接受模式
- 广播模式:该模式下网卡能接收网络中的广播信息。
- 组播模式:该模式下网卡能接收网络中的组播信息。
- 直接模式:该模式下网卡能接收网络中目的地址为自己的数据包。
- 混杂模式:该模式下网卡能接收网络中一切通过该网卡的数据包。
- 数据包接收流程
- 网卡收到数据包,获取数据包中的目的MAC地址。
- 根据网卡驱动设置的网卡接受模式去判断是否接受该数据。
- 若接受该数据:发出中断信号通知CPU;CPU收到中断信号后根据发出该中断信号的网卡驱动程序的网卡驱动程序地址调用网卡驱动程序;网卡驱动程序处理数据;驱动程序将数据放入信号堆栈;系统接触到数据。
- 若不接受该数据:网卡直接丢弃该数据;系统不会接触到数据。
三、tcpdump的可用原语
3.1 ip协议相关
- dst host host-ipaddr:信息包的ip包头目标地址为host-ipaddr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 dst host 192.168.0.106
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:10:03.673075 IP (tos 0x0, ttl 64, id 16278, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.105.61237 > 192.168.0.106.22: Flags [.], cksum 0x5346 (correct), ack 1305983704, win 2052, length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- src host host-ipaddr:信息包的ip包头源地址为host-ipaddr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 src host 192.168.0.106
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:10:41.765360 IP (tos 0x10, ttl 64, id 6206, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.61237: Flags [P.], cksum 0x82c2 (incorrect -> 0xa560), seq 1305986852:1305986984, ack 4200326642, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- host host-ipaddr
- 信息包的ip包头目标地址或源地址为host-ipaddr时,布尔表达式为True
- 可前置关键字ip、ip6、arp、rarp
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ip host 192.168.0.106
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:12:59.059575 IP (tos 0x10, ttl 64, id 6388, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.61237: Flags [P.], cksum 0x82c2 (incorrect -> 0x952b), seq 1306004764:1306004896, ack 4200335222, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
3.2 以太网协议相关
- ether dst ehost-addr:信息包的以太网目标地址为host-ipaddr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ether dst 00-0c-29-d2-ca-67
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:16:42.894832 IP (tos 0x0, ttl 64, id 16841, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.105.61237 > 192.168.0.106.22: Flags [.], cksum 0x793b (correct), ack 1306020008, win 2050, length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- ether src ehost-addr:信息包的以太网源地址为host-ipaddr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ether src 00-0c-29-d2-ca-67
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:17:37.039629 IP (tos 0x10, ttl 64, id 6633, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.61237: Flags [P.], cksum 0x82c2 (incorrect -> 0x0542), seq 1306024544:1306024676, ack 4200347146, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- ether host ehost-addr:信息包的以太网目标地址或源地址为host-ipaddr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ether host 00-0c-29-d2-ca-67
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
11:46:19.555566 IP (tos 0x10, ttl 64, id 61184, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0xde1e), seq 2182248108:2182248240, ack 2364553553, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
3.3 网关相关
- gateway host:信息包使用host作为网关时,布尔表达式为True。
- 这个用法很少了,大部分是使用ether host ehost-addr 代替。
[root@Tyson'sComputer ~]# tcpdump 'gateway snup' tcpdump: 'gateway' not supported in this configuration
3.4 网络号相关
- dst net addr:信息包的IP包头目标地址的网络号为addr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 dst net 192.168.0.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:06:19.030478 IP (tos 0x10, ttl 64, id 61901, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0x2add), seq 2182311952:2182312084, ack 2364588497, win 255, length 132
1 packet captured
2 packets received by filter
0 packets dropped by kernel
- src net addr:信息包的IP包头源地址的网络号为addr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 src net 192.168.0.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:06:48.825334 IP (tos 0x10, ttl 64, id 61933, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0xe4d7), seq 2182315264:2182315396, ack 2364590005, win 255, length 132
1 packet captured
2 packets received by filter
0 packets dropped by kernel
- net addr:信息包的IP包头目标地址或源地址的网络号为addr时,布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 net 192.168.0.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:07:08.922141 IP (tos 0x10, ttl 64, id 61962, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0xef18), seq 2182318420:2182318552, ack 2364591357, win 255, length 132
1 packet captured
2 packets received by filter
0 packets dropped by kernel
- net addr mask netmask:信息包的IP包头目标地址或源地址的网络号为addr且掩码匹配的时,布尔表达式为True
- 该语法对IPv6网络无效
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 net 192.168.0.0 mask 255.255.255.0
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:07:46.647637 IP (tos 0x10, ttl 64, id 61991, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0xdaa9), seq 2182320424:2182320556, ack 2364592709, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- net addr/len:信息包的IP包头带有长度为len的网络掩码时布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 net 192.168.0.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:08:28.222361 IP (tos 0x10, ttl 64, id 62018, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0x50a1), seq 2182322340:2182322472, ack 2364593957, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
3.5 端口相关
- dst port portnum:当信息包的使用IP(v6)/TCP或IP(v6)/UDP协议栈且目标端口值为portnum时布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 dst port 22
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:11:27.522941 IP (tos 0x0, ttl 64, id 21657, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.105.54999 > 192.168.0.106.22: Flags [.], cksum 0xb18d (correct), ack 2182327416, win 2051, length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- 支持的端口是在
/etc/services中定义的。 - 也可以使用端口名称
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 dst port ssh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:14:04.677979 IP (tos 0x0, ttl 64, id 21982, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.105.54999 > 192.168.0.106.22: Flags [.], cksum 0x2da6 (correct), ack 2182748884, win 2048, length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- 不同的协议可能使用相同的端口,那么在这种情况下,不同协议的流量都会显示。
- 所以可以通过前置关键字tcp或udp来筛选
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 tcp src port ssh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:17:38.405954 IP (tos 0x10, ttl 64, id 62633, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0x5f85), seq 2182764324:2182764456, ack 2364608829, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- src port portnum:当信息包的使用IP/TCP或IP/UDP协议栈且源端口值为portnum时布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 src port ssh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:16:35.726544 IP (tos 0x10, ttl 64, id 62576, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0xc094), seq 2182757760:2182757892, ack 2364606489, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- port portnum:当信息包的使用IP/TCP或IP/UDP协议栈且目标端口或源端口值为portnum时布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 tcp port ssh tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:18:03.275948 IP (tos 0x10, ttl 64, id 62654, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0xb8d0), seq 2182766648:2182766780, ack 2364609765, win 255, length 132
1 packet captured
2 packets received by filter
0 packets dropped by kernel
3.6 信息包长度相关
- less length:当信息包的长度小于length时布尔表达式为True
- greater length:当信息包的长度大于length时布尔表达式为True
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 less 500 and greater 100
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:18:56.467847 IP (tos 0x10, ttl 64, id 62711, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0xafe7), seq 2182771020:2182771152, ack 2364612261, win 255, length 132
1 packet captured
2 packets received by filter
0 packets dropped by kernel
3.7 协议相关
首选需要知道的基础概念,协议标题链:在IP标题和TCP标题之间,信息包还可能包含多个标题如:认证标题、路由标题或逐跳点选项标题。
- ip proto protocol-name
- 当信息包为protocol-name类型的IP信息包时,布尔表达式为True。protocol-name可以是协议序号或协议名称(icmp、icmp6、igmp、igrp、pim、ah、esp、vrrp、udp、tcp)。
- 需要过滤tcp、udp和icmp时需要用反斜杠转义。
- 不追踪协议标题链
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ip proto 1 tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 12:23:29.608377 IP (tos 0x0, ttl 64, id 22435, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.105 > 192.168.0.106: ICMP echo request, id 1, seq 3, length 40 1 packet captured 2 packets received by filter 0 packets dropped by kernel [root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ip proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:57:41.167112 IP (tos 0x0, ttl 64, id 25398, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.105.54999 > 192.168.0.106.22: Flags [.], cksum 0xe89d (correct), ack 2182804312, win 2047, length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- ip6 proto
- protocol-name:当信息包为protocol-name类型的IPV6信息包,布尔表达式为True。
- 不追踪协议标题链
- ip protochain protocol-name
- 信息包为IP信息包且协议标题链包含protocol-name类型的协议标题,则布尔表达式为True。
- ip6 protochain protocol-name
- 信息包为IPv6信息包且协议标题链包含protocol-name类型的协议标题,则布尔表达式为True。
- ether proto protocol-name
- 信息包为ether类型协议时,布尔表达式为True。protocol-name可以是数字或名称:ip、ip6、arp、rarp、atalk、aarp、decnet、sca、lat、mopdl、moprc、iso、stp、ipx或netbeui(需要通过反斜杠转义)
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ether proto '\ip'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:56:56.635569 IP (tos 0x10, ttl 64, id 63076, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.54999: Flags [P.], cksum 0x82c2 (incorrect -> 0x9cb0), seq 2182799952:2182800084, ack 2364628289, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
3.8 广播和组播相关
- ether broadcast:当信息包为以太网广播包时,布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ether broadcast
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:27:09.277758 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 150)
192.168.0.1.54215 > 255.255.255.255.5001: UDP, length 122
1 packet captured
2 packets received by filter
0 packets dropped by kernel
- ip broadcast:当信息包为IPv4广播包时,布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ip broadcast tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:26:49.117544 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 150)
192.168.0.1.54215 > 255.255.255.255.5001: UDP, length 122
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- ether multicast:当信息包为以太网多点广播包时,布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ether multicast
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:47:46.844738 IP (tos 0x0, ttl 4, id 8781, offset 0, flags [none], proto UDP (17), length 165)
192.168.0.105.50199 > 239.255.255.250.1900: UDP, length 137
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- ip multicast:当信息包是IP多点广播包时,布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ip multicast tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:48:54.939269 IP (tos 0x0, ttl 4, id 8787, offset 0, flags [none], proto UDP (17), length 165)
192.168.0.105.50199 > 239.255.255.250.1900: UDP, length 137
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- ip6 multicast:当信息包是IPv6多点广播信息包时,布尔表达式为True。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ip6 multicast
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:51:09.986178 IP6 (flowlabel 0xdba91, hlim 1, next-header UDP (17) payload length: 31) fe80::1cd5:52f7:7452:3394.59253 > ff02::1:3.5355: [udp sum ok] UDP, length 23
1 packet captured
2 packets received by filter
0 packets dropped by kernel
3.9 其他较不常用的原语
- decent src host
- decent dst host
- decent host host
- ifname interface
- on interface
- relenum num
- action act
- netbeui
- vlan [vlan_id]
- tcp、udp和icmp
- expr relop expr
3.10 原语总结
- 类型:host、net、port、ip proto、protochain等
- 传输方向:src、dst、dst or src、dst and src等
- 协议:ip、arp、rarp、tcp、udp、icmp、http等
- 单位原语格式
- 协议 + [传输方向] + 类型 + 具体数值
- eg:
ip src host 192.168.0.106 - eg:
src ip proto '\tcp'
四、tcpdump原语组合方式
- !或not
- && 或 and
- || 或 or
- 必要时用括号提高某一部分表达式的优先级
五、tcpdump 参数
5.1 重要参数
- -a
- 将网络地址和广播地址转换成名字
- -A
- 以ASCII格式打印出所有分组,并将链路层头最小化,方便去捕获web页面内容。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -A host www.baidu.com tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 14:37:40.529809 IP (tos 0x0, ttl 64, id 22417, offset 0, flags [DF], proto TCP (6), length 60) 172.16.230.77.50264 > 14.215.177.39.80: Flags [S], cksum 0x528b (incorrect -> 0x4599), seq 273784045, win 29200, options [mss 1460,sackOK,TS val 9882492 ecr 0,nop,wscale 7], length 0 E...X.P.Q........r.R..........
...|........
14:37:40.583775 IP (tos 0x0, ttl 55, id 22417, offset 0, flags [DF], proto TCP (6), length 60)
14.215.177.39.80 > 172.16.230.77.50264: Flags [S.], cksum 0xc516 (correct), seq 3549089316, ack 273784046, win 8192, options [mss 1440,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E..<[email protected]......'...M.P.X...$.Q.... ......................... 14:37:40.583831 IP (tos 0x0, ttl 64, id 22418, offset 0, flags [DF], proto TCP (6), length 40) 172.16.230.77.50264 > 14.215.177.39.80: Flags [.], cksum 0x5277 (incorrect -> 0x48fa), ack 1, win 229, length 0 E..(W.@[email protected]...'.X.P.Q.....%P...Rw..
14:37:40.583980 IP (tos 0x0, ttl 64, id 22419, offset 0, flags [DF], proto TCP (6), length 184)
172.16.230.77.50264 > 14.215.177.39.80: Flags [P.], cksum 0x5307 (incorrect -> 0x206e), seq 1:145, ack 1, win 229, length 144: HTTP, length: 144
GET / HTTP/1.1
Host: www.baidu.com
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
- -c numbers
- 收到指定数量的分组后,tcpdmp就会停止。
- -D
- 列出系统中所有可以用以tcpdump截包的网络接口。显示的接口序号或接口名称可以通过-i指定。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -D
1.bluetooth0 (Bluetooth adapter number 0)
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.ens33
7.ens37
8.any (Pseudo-device that captures on all interfaces)
9.lo [Loopback]
- -q
- 快速输出,只输出较少的信息
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 10 -q
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:45:28.741311 IP (tos 0x10, ttl 64, id 49128, offset 0, flags [DF], proto TCP (6), length 172)
- -w
- 将结果输出到文件中,输出的文件以.pcap作为后缀,可以在其他平台上用wireshark打开。
- -r
- 从指定文件读取数据包,这个数据包一般是通过-w生成的
[root@Tyson'sComputer learntcpdump]# tcpdump -i ens33 -vnn -c 5 -q -w test_01.pcap tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 5 packets captured 5 packets received by filter 0 packets dropped by kernel [root@Tyson'sComputer learntcpdump]# tcpdump -i ens33 -vnn -c 5 -q -r test_01.pcap
reading from file test_01.pcap, link-type EN10MB (Ethernet)
14:47:14.927658 IP (tos 0x10, ttl 64, id 49303, offset 0, flags [DF], proto TCP (6), length 172)
172.16.230.77.22 > 172.16.230.33.61528: tcp 132
14:47:14.927881 IP (tos 0x0, ttl 64, id 18549, offset 0, flags [DF], proto TCP (6), length 40)
172.16.230.33.61528 > 172.16.230.77.22: tcp 0
14:47:15.223367 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.230.1 tell 172.16.230.77, length 28
14:47:15.224989 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.16.230.1 is-at 00:12:7f:04:33:46, length 46
14:47:15.930304 IP (tos 0x10, ttl 64, id 49304, offset 0, flags [DF], proto TCP (6), length 92)
172.16.230.77.22 > 172.16.230.33.61528: tcp 52
- -S
[root@Tyson'sComputer learntcpdump]# tcpdump -i ens33 -vnn -c 1 ip proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:52:03.246984 IP (tos 0x10, ttl 64, id 49572, offset 0, flags [DF], proto TCP (6), length 172)
172.16.230.77.22 > 172.16.230.33.61528: Flags [P.], cksum 0x252f (incorrect -> 0x2f51), seq 1610077566:1610077698, ack 4005464801, win 281, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- -s snaplen
- 从每个分组中读取最开始的snap len个字节
- 默认情况下是读取68个字节,对IP、ICMP、TCP和UDP而言已经足够,但是可能阶段名称服务器和NFS信息包的协议信息。
- -s 0表示不限制长度,输出整个包。
- 应该将snaplen设置成到感兴趣的信息的最小长度。否则会增加获得快照的时间和减少缓存的数量。
[root@Tyson'sComputer learntcpdump]# tcpdump -i ens33 -vnn -c 5 -s 8 proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 8 bytes
14:55:35.111005 [|ether]
14:55:35.111355 [|ether]
14:55:35.111542 [|ether]
14:55:35.111693 [|ether]
14:55:35.111733 [|ether]
5 packets captured
8 packets received by filter
0 packets dropped by kernel
- -t
- 在每一行转储行上省略时间戳显示
[root@Tyson'sComputer ~]# tcpdump -i ens33 -t -vnn -c 1 ip proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP (tos 0x10, ttl 64, id 38602, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.52440: Flags [P.], cksum 0x82c2 (incorrect -> 0xe571), seq 1860148461:1860148593, ack 3132104578, win 255, length 132
1 packet captured
2 packets received by filter
0 packets dropped by kernel
- -tt
- 在每一行中输出非格式化的时间戳
[root@Tyson'sComputer ~]# tcpdump -i ens33 -tt -vnn -c 1 ip proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
1550314546.539873 IP (tos 0x10, ttl 64, id 38636, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.52440: Flags [P.], cksum 0x82c2 (incorrect -> 0x57d7), seq 1860150693:1860150825, ack 3132106190, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- -ttt
- 在每一行输出date处理过后的时间戳
[root@Tyson'sComputer ~]# tcpdump -i ens33 -ttt -vnn -c 1 ip proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 IP (tos 0x10, ttl 64, id 38668, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.52440: Flags [P.], cksum 0x82c2 (incorrect -> 0xb799), seq 1860152837:1860152969, ack 3132107698, win 255, length 132
1 packet captured
2 packets received by filter
0 packets dropped by kernel
- -v
- -vv
- -vvv
- 以上三点,输出的信息详细度递增
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vnn -c 1 ip proto '\tcp' tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 19:01:02.113400 IP (tos 0x10, ttl 64, id 38866, offset 0, flags [DF], proto TCP (6), length 172) 192.168.0.106.22 > 192.168.0.105.52440: Flags [P.], cksum 0x82c2 (incorrect -> 0x8ba4), seq 1860167677:1860167809, ack 3132116970, win 255, length 132 1 packet captured 2 packets received by filter 0 packets dropped by kernel [root@Tyson'sComputer ~]# tcpdump -i ens33 -vvnn -c 1 ip proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:01:05.694262 IP (tos 0x0, ttl 64, id 28280, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.105.52440 > 192.168.0.106.22: Flags [.], cksum 0xe8d9 (correct), seq 3132118322, ack 1860170017, win 2052, length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel
[root@Tyson'sComputer ~]# tcpdump -i ens33 -vvvnn -c 1 ip proto '\tcp'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:01:08.591836 IP (tos 0x10, ttl 64, id 38925, offset 0, flags [DF], proto TCP (6), length 172)
192.168.0.106.22 > 192.168.0.105.52440: Flags [P.], cksum 0x82c2 (incorrect -> 0xa920), seq 1860172393:1860172525, ack 3132119778, win 255, length 132
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- -i
- 指定抓取数据包的接口
- 若未指定则会去抓取-D参数列出的网络接口所所截获的包(本地回环口除外)
5.2 非常用参数
- -C file_size:指定用-w参数写入文件的文件大小。
- -d:将匹配信息包的代码用汇编格式显示
- -dd:将匹配信息包的代码用C语言程序段格式显示
- -ddd:将匹配信息包的代码用十进制格式显示
- -E:
Use spi@ipaddr algo:secret for decrypting IPsec ESP
packets that are addressed to addr and contain
Security Parameter Index value spi. This combina‐
tion may be repeated with comma or newline separa‐
tion.
- -e:在输出行打印数据链路层的头部信息
- -f:将外部internet地址以数字形式打印显示
- -F:从指定文件中读取表达式,忽略命令行中给出的表达式
- -l:使标准输出变成缓冲行形式,可以把数据导出到文件
- -L:列出网络接口的已知数据链路
- -m:从文件module导入SMI MIB模块定义
- -M:指定TCP-MD5选项的验证码
- -b:在数据链路层上选择协议,包括ip、arp、rarp、ipx等协议
- -n:不把网络地址换成名字(不进行域名解析,速度更快)
- -nn:直接以ip和端口显示
- -N:输出主机名中的域名部分
- -O:不允许分组匹配代码优化程序
- -p:不将网络接口设置为混杂模式
- -T:将监听到的包直接解析为指定的类型的报文,常见的类型有rpc、cnfp、snmp
- -u:输出未解码的NFS句柄
- -X:以十六进制与ASCII方式输出,用于抓取http等明文传输协议
- -XX:同上
- -B:buffer_size:设置系统捕获缓冲区大小
- -K:跳过TCP校验和验证
六、常用场景案例
原语总结
- 类型:host、net、port、ip >proto、protochain等
- 传输方向:src、dst、dst or >src、dst and src等
- 协议:ip、arp、rarp、tcp、udp>、icmp、http等
- 单位原语格式
- 协议 + [传输方向] + 类型 + >具体数值
- eg:
ip src host 192.168.0.106- eg:
src ip proto '\tcp'
- 抓取包含10.10.10.122的数据包
tcpdump -i ens33 -vnn host 10.10.10.122
- 抓取包含10.10.10.0/24网段的数据包
tcpdump -i ens33 -vnn net 10.10.10.0/24tcpdump -i ens33 -vnn net 10.10.10.0 mask 255.255.255.0
- 抓取包含端口22的数据包
tcpdump -i ens33 -vnn port 22
- 抓取udp协议的数据包
tcpdump -i ens33 -vnn udp
- 抓取icmp协议的数据包
tcpdump -i ens33 -vnn icmp
- 抓取arp协议的数据包
tcpdump -i ens33 -vnn arp
- 抓取ip协议的数据包
tcpdump -i ens33 -vnn ip proto iptcpdump -i ens33 -vnn ip
- 抓取源ip是10.10.10.122的数据包
tcpdump -i ens33 -vnn src host 10.10.10.122
- 抓取目标ip是10.10.10.122的数据包
tcpdump -i ens33 -vnn dst host 10.10.10.122
- 抓取源端口是22的数据包
tcpdump -i ens33 -vnn src port 22
- 抓取源ip是10.10.10.253且目的端口是22的数据包
tcpdump -i ens33 -vnn src host 10.10.10.122 and dst port 22
- 抓取源ip是10.10.10.122或者端口是22的数据包
tcpdump -i ens33 -vnn src host 10.10.10.122 or port 22
- 抓取源ip是10.10.10.122且端口不是22的数据包
tcpdump -i ens33 -vnn src host 10.10.10.122 and not port 22
- 抓取源ip是10.10.10.2且端口是22,或源ip是10.10.10.65且目的端口是80的数据包。
tcpdump -i ens33 -vnn \(src host 10.10.10.2 and port 22 \) or \(src ip host 10.10.10.65 and prot 80\)
- 抓取源ip是10.10.10.59且目的端口是22,或者源ip是10.10.10.68且目的端口是80的数据包
tcpdump -i ens33 -vnn '\(src host 10.10.10.59 and dst port 22\) 'or '\(src host 10.10.10.68 and dst prot 80\)'
- 把抓取的数据包记录存到/tmp/fill文件中,当抓取100个数据包后就退出程序
tcpdump -i ens33 -c 100 -w /tmp/fill
- 从/tmp/fill记录中读取tcp协议的数据包。
tcpdump -i ens33 -r /tmp/fill tcp
- 从/tmp/fill记录中读取包含10.10.10.58的数据包。
tcpdump -i ens33 -r /tmp/fill host 10.10.10.58
- 过滤数据包类型是多播并且端口不是22、不是icmp协议的数据包。
tcpdump -i ens33 ether multicast and not port 22 and 'not icmp'
- 过滤协议类型是ip并且目标端口是22的数据包
tcpdump -i ens33 -n ip and dst prot 22- tcpdump可识别的关键字包括ip、igmp、tcp、udp、icmp、arp等
- 过滤抓取mac地址是某个具体的mac地址、协议类型是arp的数据包
tcpdump -i ens33 ether src host 00:0c:29:2f:a7:50 and arp
- 过滤抓取协议类型是ospf的数据包
tcpdump -i ens33 ip proto ospf- 直接在tcpdump中使用的协议关键字只有ip、igmp、tcp、udp、icmp、arp等,其他的传输层协议没有可直接识别的关键字
- 可以使用关键字
proto或者ip proto加上在/etc/protocols中能够找到的协议或者相应的协议编号进行过滤。 - 更加高层的协议,例如http协议需要用端口号来过滤
- 过滤长度大于200字节的报文
tcpdump -i ens33 greater 200
- 过滤协议类型为tcp的数据包
tcpdump tcp- 还可以查看TCP报文里面更详细的部分,
tcpdump proto[字节偏移:字节长度],tcpdump -i ens33 -c 1 -vnn ip[9]=6,这里指定的是ip包头第十个字节(协议值)为6(TCP协议)。
- 过滤出广播包和多播包
tcpdump -i ens33 -c 1 ip multicast and ip broadcasttcpdump -i ens33 -c 1 -vnn 'ether[0] & 1 != 0'- 保证目标地址最后一位不为0,只有目标地址最后一位为0,与运算之后才会为0,否则目标地址是低位为0高位不为0的情况,也就是广播包或者多播包。
[root@Tyson'sComputer ~]# tcpdump -i ens33 -c 1 -vnn 'ether[0] & 1 != 0'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:06:24.474565 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 150)
192.168.0.1.54215 > 255.255.255.255.5001: UDP, length 122
1 packet captured
1 packet received by filter
0 packets dropped by kernel
- 查找端口号大于23的所有tcp数据流
tcpdump -i ens33 -c 1 -vnn 'tcp[0:2] & 0xffff > 0x0017 '
[root@Tyson'sComputer ~]# tcpdump -i ens33 -c 1 -vnn 'tcp[0:2] & 0xffff > 0x0017 '
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:13:28.120060 IP (tos 0x0, ttl 64, id 29264, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.105.52440 > 192.168.0.106.22: Flags [.], cksum 0xd64f (correct), ack 1860219453, win 2049, length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel