tcpdump是linux平台的抓包工具,可以抓取TCP/IP协议的数据包,网络协议,主机,端口,还提供and,or,not等逻辑语句过滤信息。
tcpdump帮助查看 tcpdump -h, man tcpdump
[root@master ~]# tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
过滤器:通俗讲就是我们抓取的数据包信息有许多是我们用不到的,通过过滤得到我们需要的信息,
这里过滤器有三类:
1.协议(protocol):tcp,udp,icmp,ip,arp等
2.传输方向(dir):src,dst,src and dst,src or dst(默认)
3.类型(type):host,net,prot
tcpdump语法格式:tcpdump [options] [not] proto dir type
tcpdump的输出格式
系统时间 源主机.端口 目标主机.端口 数据包参数
20:11:12.854851 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1838515159:1838515347, ack 1981438263, win 83, length 188
20:11:12.854946 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8207, length 0
数据包类型
查看ens33网卡设备,对应22端口服务的传输信息(-t不显示时间信息)
[root@master ~]# tcpdump -ti ens33 port 22
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22308, win 8208, length 0
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22308:22512, ack 1, win 83, length 204
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22512:22716, ack 1, win 83, length 204
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22716, win 8206, length 0
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22716:22848, ack 1, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22848:22980, ack 1, win 83, length 132
查看指定网卡的设备,显示端口号对应服务
[root@master ~]# tcpdump -nnt -i ens33|head -10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1817580335:1817580523, ack 1981371343, win 83, length 188
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8209, length 0
IP 220.191.97.17.43687 > 192.168.2.29.37561: UDP, length 219
IP 192.168.2.29.37561 > 117.61.19.156.35855: UDP, length 1089
IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 24
IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 1432
IP 192.168.2.29.37561 > 183.157.124.157.31285: UDP, length 1432
IP 192.168.2.29.37561 > 101.229.237.49.34270: UDP, length 1432
IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432
IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432
tcpdump: Unable to write output: Broken pipe
查看src源方向传输的信息
[root@master ~]# tcpdump -ti ens33 src port 22
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757140:757272, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757272:757404, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757404:757536, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757536:757668, ack 73, win 83, length 132
查看dst源方向传输的信息
[root@master ~]# tcpdump -ti ens33 dst port 22
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6157, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6273, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6389, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6505, win 8212, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6621, win 8212, length 0
查看已经到192.168.2.29主机的的网卡设备ens33的22 号端口的数据包(-c抓包的数量,-v更详细信息)
[root@master ~]# tcpdump -nnt -i ens33 dst host 192.168.2.29 and port 22 -c2 -vv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP (tos 0x10, ttl 64, id 40345, offset 0, flags [DF], proto TCP (6), length 164)
192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x862f (incorrect -> 0xd42e), seq 1836124383:1836124507, ack 1981412895, win 83, length 124
IP (tos 0x10, ttl 64, id 40346, offset 0, flags [DF], proto TCP (6), length 316)
192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x86c7 (incorrect -> 0x21f6), seq 124:400, ack 1, win 83, length 276
2 packets captured
10 packets received by filter
0 packets dropped by kernel
查看22端口或者8443端口的数据包(-c20显示最新20条数据信息)
[root@master ~]# tcpdump -nnt -i ens33 -c 20 'port 22 or port 8443'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1843624239:1843624427, ack 1981514743, win 83, length 188
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8211, length 0
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 188:424, ack 1, win 83, length 236
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 424:556, ack 1, win 83, length 132
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 556, win 8210, length 0
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 556:688, ack 1, win 83, length 132
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 688:936, ack 1, win 83, length 248
查看某个网段的数据包
[root@master ~]# tcpdump -i ens33 dst net 192.168.2 -c2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:04:05.239508 IP 18.236.79.218.broad.xw.sh.dynamic.163data.com.cn.58123 > 192.168.2.29.37561: UDP, length 35
20:04:05.240617 IP 183.161.235.205.30834 > 192.168.2.29.37561: UDP, length 35
2 packets captured
查询某协议的数据包
[root@master ~]# tcpdump -i ens33 udp
[root@master ~]# tcpdump -i ens33 tcp
[root@master ~]# tcpdump -i ens33 icmp
[root@master ~]# tcpdump -i ens33 ip
俩种方式将数据包信息保存到文本
#第一种:直接输出到文件中
[root@master ~]# tcpdump -nnt dst host 192.168.2.29 -i ens33 -c5 > tcpdump.txt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
310 packets received by filter
0 packets dropped by kernel
[root@master ~]# cat tcpdump.txt
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1841703659:1841703847, ack 1981496079, win 83, length 188
IP 112.98.40.64.4909 > 192.168.2.29.37561: UDP, length 34
IP 27.186.136.251.29396 > 192.168.2.29.37561: UDP, length 342
IP 113.129.233.43.49542 > 192.168.2.29.37561: UDP, length 24
IP 60.186.179.149.1027 > 192.168.2.29.37561: UDP, length 37
#第二种-w保存到文件内,通过-r查看(不能通过cat查看)
[root@master ~]# tcpdump -nnt dst host 192.168.2.29 -i ens33 -c5 -w tcpdump.txt
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
482 packets received by filter
0 packets dropped by kernel
[root@master ~]# tcpdump -r tcpdump.txt
reading from file tcpdump.txt, link-type EN10MB (Ethernet)
20:25:13.839506 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 1841706771:1841706895, ack 1981497695, win 83, length 124
20:25:13.840656 IP 36.19.167.55.14975 > 192.168.2.29.37561: UDP, length 81
20:25:13.840657 IP 123.183.132.111.4176 > 192.168.2.29.37561: UDP, length 32
20:25:13.840806 IP 106.114.153.64.aes-discovery > 192.168.2.29.37561: UDP, length 264
20:25:13.841019 IP 43.146.142.219.broad.bj.bj.dynamic.163data.com.cn.24193 > 192.168.2.29.37561: UDP, length 24