根据使用者的定义对网络上的数据包进行截获的包分析工具。tcpdump将网络中传送的数据包的“头”完全截获下来提供分析。它支持针对网络层、协议、主机、网络或端口的过滤,并提供了and、 or、not等逻
辑语句来帮助过滤不必要的信息;
1 root@ubuntu:~# tcpdump 2 tcpdump: WARNING: eth0: no IPv4 address assigned 3 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 4 listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 5 15:49:27.651478 IP 222.132.16.50.ssh > 101.80.4.77.39226: Flags [P.], seq 521262791:521262891, ack 1468597115, win 261, options [nop,nop,TS val 626565253 ecr 2398027], length 100 6 15:49:27.652686 IP 222.132.16.50.ssh > 101.80.4.77.39226: Flags [P.], seq 100:296, ack 1, win 261, options [nop,nop,TS val 626565253 ecr 2398027], length 196 7 15:49:27.654052 IP 222.132.16.50.ssh > 101.80.4.77.39226: Flags [P.], seq 296:684, ack 1, win 261, options [nop,nop,TS val 626565253 ecr 2398027], length 388 8 15:49:27.654312 IP 222.132.16.50.ssh > 101.80.4.77.39226: Flags [P.], seq 684:896, ack 1, win 261, options [nop,nop,TS val 626565253 ecr 2398027], length 212 9 15:49:27.654514 IP 222.132.16.50.ssh > 101.80.4.77.39226: Flags [P.], seq 896:1108, ack 1, win 261, options [nop,nop,TS val 626565253 ecr 2398027], length 212 10 15:49:27.654722 IP 222.132.16.50.ssh > 101.80.4.77.39226: Flags [P.], seq 1108:1320, ack 1, win 261, options [nop,nop,TS val 626565253 ecr 2398027], length 212 11 15:49:27.654886 IP 222.132.16.50.ssh > 101.80.4.77.39226: Flags [P.], seq 1320:1532, ack 1, win 261, options [nop,nop,TS val 626565253 ecr 2398027], length 212
指定网卡:tcpdump -i eth1 #-i (interface)
指定抓取源主机:tcpdump host node2 #hostname node2, 该主机名必须在本地硬解析即在/etc/hosts文件存在解析
指定抓取源ip :tcpdump host 10.0.0.1 // tcpdump -i eth1 host 10.0.0.1
tcpdump -i eth1 host \(10.0.0.53 or 222.16.232.50\)
抓取回发给某ip的包:tcpdump -i eth1 dst host 10.0.0.53 //dst 即destination,目的地
抓取来源于某ip的包:tcpdump -i eth1 src host 10.0.0.53 //src 即source, 源头
指定端口: tcpdump -i eth1 port 23 host 10.0.0.53
参数说明:
-n : 不要使用通讯协定或主机名称,直接使用IP 或 port number
-ee:使用更详细的资讯来显示
增加(add)与删除(del)路由的相关参数:
-net :表示后面接的路由为一个网域;
-host:表示后面接的为连接到单步主机的路由;
netmask:与网域有关,netmask决定网域的大小;
gw: gateway的简写,后续接的是ip值;
dev :如果只是要指定那块网卡连接出去,则使用这个设定; 后面接eth0、eth1等;