How do you tell whether a packet captured by tcpdump is UDP or TCP?




Sometimes you want to capture some packets, for example traffic on port 53:

tcpdump -i eth1  port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:19:01.545430 IP testsvr1_in.50145 > 12.12.12.12.domain: 12328+ PTR? 6.2.66.100.in-addr.arpa. (43)
14:19:01.545631 IP testsvr1_in.40356 > 12.12.12.12.domain: 42024+ PTR? 7.64.240.10.in-addr.arpa. (44)
14:19:01.547521 IP 12.12.12.12.domain > testsvr1_in.50145: 12328 NXDomain* 0/1/0 (97)
14:19:01.549520 IP 12.12.12.12.domain > testsvr1_in.40356: 42024 NXDomain* 0/1/0 (91)
14:19:01.553631 IP testsvr1_in.42410 > 12.12.12.12.domain: 39216+ PTR? 9.138.123.10.in-addr.arpa. (45)
14:19:01.553890 IP 12.12.12.12.domain > testsvr1_in.42410: 39216 NXDomain* 0/1/0 (92)
14:19:01.556864 IP testsvr1_in.50261 > 12.12.12.12.domain: 41101+ PTR? 10.34.110.100.in-addr.arpa. (45)
14:19:01.560803 IP 12.12.12.12.domain > testsvr1_in.50261: 41101 NXDomain* 0/1/0 (100)
14:19:01.566489 IP testsvr1_in.48541 > 12.12.12.12.domain: 55695+ PTR? 7.31.114.9.in-addr.arpa. (43)
14:19:01.568374 IP testsvr1_in.37978 > 12.12.12.12.domain: 46239+ PTR? 10.30.114.9.in-addr.arpa. (43)
14:19:01.568587 IP 12.12.12.12.domain > testsvr1_in.48541: 55695 NXDomain* 0/1/0 (90)
14:19:01.570414 IP 12.12.12.12.domain > testsvr1_in.37978: 46239 NXDomain* 0/1/0 (90)
14:19:01.585314 IP testsvr1_in.44524 > 12.12.12.12.domain: 39097+ PTR? 1.163.23.9.in-addr.arpa. (42)
14:19:01.586466 IP testsvr1_in.56737 > 12.12.12.12.domain: 60430+ PTR? 9.20.44.9.in-addr.arpa. (42)
14:19:01.587269 IP testsvr1_in.42586 > 12.12.12.12.domain: 33842+ PTR? 9.7.127.9.in-addr.arpa. (42)
14:19:01.587358 IP 12.12.12.12.domain > testsvr1_in.44524: 39097 NXDomain* 0/1/0 (89)
14:19:01.587511 IP 12.12.12.12.domain > testsvr1_in.42586: 33842 NXDomain* 0/1/0 (89)
14:19:01.589940 IP 12.12.12.12.domain > testsvr1_in.56737: 60430 NXDomain* 0/1/0 (89)

You will notice that from this packet output you cannot tell which transport protocol it is.

So how do you get the protocol information to show up?

Very simple: add -v and the proto field appears, like this:

tcpdump -i eth1 -v  port 53
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:44:47.529020 IP (tos 0x0, ttl 64, id 44377, offset 0, flags [DF], proto UDP (17), length 67)
    testsvr1_in.54668 > 10.20.64.17.domain: 25676+ A? ntp.cloud.com. (39)
13:44:47.529029 IP (tos 0x0, ttl 64, id 44378, offset 0, flags [DF], proto UDP (17), length 67)
    testsvr1_in.54668 > 10.20.64.17.domain: 52317+ AAAA? ntp.cloud.com. (39)
13:44:47.529307 IP (tos 0x0, ttl 64, id 44379, offset 0, flags [DF], proto UDP (17), length 72)
    testsvr1_in.43197 > 10.20.64.17.domain: 14414+ PTR? 177.64.240.10.in-addr.arpa. (44)
13:44:47.531106 IP (tos 0x60, ttl 59, id 12456, offset 0, flags [none], proto UDP (17), length 125)
    10.20.64.17.domain > testsvr1_in.54668: 52317 0/1/0 (97)

The -v flag means verbose output; it adds information the normal output lacks, such as the TTL and the type of service.




If you want to filter, for example to show only UDP traffic:

tcpdump -i eth1 -vnn udp port 53

The nn here is often combined with -v, so while I'm at it, here is an explanation for the record:

-n means do not convert IP addresses to host names.

Without this option, when the system knows a host name for a given host,
tcpdump displays the host name instead of the IP address,
for example:

tcpdump -i eth1  port 53
14:19:01.545430 IP testsvr1_in.50145 > 1.20.4.1.domain: 

After adding -n it becomes:

tcpdump -i eth1 -n  port 53
14:19:01.545430 IP 12.11.2.1_in.50145 > 1.20.4.1.domain: 

-nn means do not convert port numbers to service names either.

The line above, with -nn, becomes:

tcpdump -i eth1 -nn port 53
14:31:20.890512 IP 10.56.2.4.57210 > 10.20.64.17.53:
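As an added example (not from the original post), here is a small Python parser for the two tcpdump output shapes shown above: the default one-line form, which carries no transport protocol, and the two-line -v form, whose header line carries proto UDP (17) or proto TCP (6) together with the TTL. It also splits endpoints written either as resolved names (testsvr1_in.54668) or in the numeric -nn form (10.56.2.4.57210). The sample lines are constructed after the page's own output; the TCP packet is made up for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of "tcpdump -v port 53" output:
# two lines per packet, the IP header line first, then the indented
# transport/DNS line. The TCP packet is made up for illustration.
SAMPLE_VERBOSE = """\
13:44:47.529020 IP (tos 0x0, ttl 64, id 44377, offset 0, flags [DF], proto UDP (17), length 67)
    testsvr1_in.54668 > 10.20.64.17.domain: 25676+ A? ntp.cloud.com. (39)
13:44:47.531106 IP (tos 0x60, ttl 59, id 12456, offset 0, flags [none], proto UDP (17), length 125)
    10.20.64.17.domain > testsvr1_in.54668: 52317 0/1/0 (97)
13:44:48.100000 IP (tos 0x0, ttl 64, id 44380, offset 0, flags [DF], proto TCP (6), length 60)
    10.56.2.4.41002 > 10.20.64.17.53: Flags [S], seq 0, win 64240, length 0
"""

# Constructed sample lines in the shape of the default one-line output,
# which carries no transport protocol at all.
SAMPLE_PLAIN = """\
14:19:01.545430 IP testsvr1_in.50145 > 12.12.12.12.domain: 12328+ PTR? 6.2.66.100.in-addr.arpa. (43)
14:19:01.547521 IP 12.12.12.12.domain > testsvr1_in.50145: 12328 NXDomain* 0/1/0 (97)
"""

# Header line of a -v packet. The parenthesised block itself contains
# "proto UDP (17)", so the inner .* is greedy up to the final ")".
HEADER_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \((?P<hdr>.*)\)\s*$")
PROTO_RE = re.compile(r"\bproto (?P<name>[A-Za-z0-9]+) \((?P<num>\d+)\)")
TTL_RE = re.compile(r"\bttl (?P<ttl>\d+)")
# "src > dst:" as it appears on the indented second line of a -v packet.
FLOW_RE = re.compile(r"(?P<src>\S+) > (?P<dst>\S+):")
# Default one-line form: timestamp, "IP", then "src > dst:" on the same line.
ONELINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+):")


def split_endpoint(endpoint):
    """Split 'host.port' on the last dot; works for both the resolved form
    ('testsvr1_in.54668') and the numeric -nn form ('10.56.2.4.57210')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_tcpdump(text):
    """Return one dict per packet with ts, src, dst, proto, proto_num and ttl.
    proto is None when the line was captured without -v."""
    records = []
    pending = None  # header of a -v packet waiting for its transport line
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            hdr = m.group("hdr")
            pm = PROTO_RE.search(hdr)
            tm = TTL_RE.search(hdr)
            pending = {
                "ts": m.group("ts"),
                "proto": pm.group("name") if pm else None,
                "proto_num": int(pm.group("num")) if pm else None,
                "ttl": int(tm.group("ttl")) if tm else None,
            }
            continue
        if pending is not None and line[0] in " \t":
            fm = FLOW_RE.search(line)
            if fm:
                pending["src"], pending["dst"] = fm.group("src"), fm.group("dst")
                records.append(pending)
            pending = None
            continue
        om = ONELINE_RE.match(line)
        if om:
            records.append({
                "ts": om.group("ts"),
                "src": om.group("src"),
                "dst": om.group("dst"),
                "proto": None,
                "proto_num": None,
                "ttl": None,
            })
    return records


def proto_counts(records):
    """Packets per transport protocol; 'unknown' for lines with no proto field."""
    return dict(Counter(r["proto"] or "unknown" for r in records))


if __name__ == "__main__":
    for label, sample in (("-v output", SAMPLE_VERBOSE), ("default output", SAMPLE_PLAIN)):
        recs = parse_tcpdump(sample)
        print(label, proto_counts(recs))
        for r in recs:
            host, port = split_endpoint(r["src"])
            print("  ", r["ts"], r["proto"] or "?", host, port, "->", r["dst"])
```

Run it as a script to get a per-protocol count and one line per packet. The same functions can be pointed at a saved capture, for example the text of tcpdump -v -nn port 53 redirected to a file. For a live capture the page's own BPF filter (udp port 53 or tcp port 53) is the right tool; parsing text after the fact is useful when all you have is someone's saved tcpdump output. The UDP/TCP split on port 53 is worth watching from a defender's side: DNS normally rides on UDP, so a noticeable share of TCP in the proto count deserves a closer look (large responses, zone transfers, or some other service reusing the port).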


