Linux的各种抓包情况

tcpdump

抓包的主要目的是测试端口、网络协议通不通，以及对抓取的数据包进行分析、测试

1、抓取主机上所有来自四面八方的数据包

[root@AAA-caiji1 Log]# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:37:02.100344 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, 
Unknown Command (202), id: 0xa4 length: 345
11:37:02.100352 IP 133.38.7.145.11811 > 133.37.22.83.radius: RADIUS, 
Unknown Command (137), id: 0x9b length: 33

2、抓取本机指定网卡上的数据包，-i 指定的本机网卡eth0

[root@AAA-caiji1 Log]# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:03:12.238556 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, 
Unknown Command (177), id: 0x49 length: 480
10:03:12.238559 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, 
Unknown Command (93), id: 0x27 length: 524

3、监听本机端口数据包，指定网卡eth0，端口1812

[root@AAA-caiji1 Log]# tcpdump -i eth0 -s 0 port 1812

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:46:41.940333 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, 	
Unknown Command (130), id: 0x14 length: 606
11:46:41.940333 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, 
Unknown Command (160), id: 0xe4 length: 33
11:46:41.940894 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, 
Unknown Command (131), id: 0x14 length: 606

4、ICMP协议数据包（从一台主机对本机发起的ping）

[root@AAA-caiji1 Log]# tcpdump host 133.37.22.84
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:49:12.200801 IP 133.37.22.84 > 133.37.22.83: ICMP echo request, id 18010, 
seq 	1, length 64
11:49:12.200954 IP 133.37.22.83 > 133.37.22.84: ICMP echo reply, id 18010, 
seq 1, length 64

5、抓取来自于某个主机的数据包，src host x.x.x.x

[root@AAA-caiji1 Log]# tcpdump -i eth0 src host 133.38.7.144
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:06.768507 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, 
Unknown Command (134), id: 0x22 length: 602
12:00:06.769007 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS,
 Unknown Command (135), id: 0x22 length: 344
12:00:06.769400 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS,
Unknown Command (136), id: 0x22 length: 288

6、抓包生成文件保存，将端口1812上抓到的包保存为b.cap文件，-w xxx.cap

[root@AAA-caiji1 Log]# tcpdump -i eth0 -s 0 port 1812 -w b.cap 

抓包文件分析软件：Wireshark，对于各种抓包报文的解析规则，涉及更深层次的协议知识

摘自：https://www.cnblogs.com/leocorn/p/9797213.html