作用:网络抓包.
常用选项
-c N: 在收到 N 个数据包后退出.
-n: 以数字形式显示地址(不进行反向域名解析).
-nn: 以数字形式显示端口号(不进行端口/协议名解析).
-i Interface: 侦听指定的网络接口.
-Q direction: 指定数据包的方向(进入、出去、或者两者皆可); direction 可取值为 in, out, inout.
-A: 以 ASCII 码的形式打印数据包的内容.
-x: 以十六进制的形式打印数据包的内容.
-e: 打印链路层头部信息.
-t: 不要打印时间戳.
1. 侦听指定的网络接口
从指定的接口进入或出去:
[root@localhost ~]# tcpdump -i eth0 -n -nn -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], seq 3166421438:3166421626, ack 545579750, win 295, options [nop,nop,TS val 17230918 ecr 2091022108], length 188
06:14:09.335332 IP 192.168.122.1.53800 > 192.168.122.132.22: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091022134 ecr 17230918], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
从指定的接口进入:
[root@localhost ~]# tcpdump -i eth0 -Q in -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:21:19.100727 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166430042, win 1424, options [nop,nop,TS val 2091418841 ecr 17660684], length 0
06:21:19.101696 IP 192.168.122.1.domain > 192.168.122.132.53181: 22222 NXDomain 0/0/0 (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
从指定的接口出去:
[root@localhost ~]# tcpdump -i eth0 -Q out -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:42:18.231062 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3169833758:3169833946, ack 545616298, win 295, options [nop,nop,TS val 18919814 ecr 2092581077], length 188
06:42:18.231775 IP 192.168.122.132.48232 > 192.168.122.1.domain: 39110+ PTR? 1.122.168.192.in-addr.arpa. (44)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
2. 侦听指定的主机
指定地址为源地址或目的地址:
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:20:25.095802 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166428670:3166428858, ack 545584350, win 295, options [nop,nop,TS val 17606679 ecr 2091368949], length 188
06:20:25.095965 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091368990 ecr 17606679], length 0
2 packets captured
6 packets received by filter
0 packets dropped by kernel
指定地址为源地址(在本例中等价于结合 -Q in, 因为 192.168.122.1 是对端主机):
[root@localhost ~]# tcpdump -i eth0 src host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:22:54.673517 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166431854, win 1424, options [nop,nop,TS val 2091507061 ecr 17756257], length 0
06:22:54.674494 IP 192.168.122.1.domain > 192.168.122.132.58001: 47541 NXDomain 0/0/0 (46)
2 packets captured
3 packets received by filter
0 packets dropped by kernel
指定地址为目的地址(在本例中等价于结合 -Q out, 因为 192.168.122.1 是对端主机; 输出中第二行的 PTR 查询是 tcpdump 自身在反向解析该地址, 因为未加 -n):
[root@localhost ~]# tcpdump -i eth0 dst host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:24:13.192880 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166433542:3166433730, ack 545587194, win 295, options [nop,nop,TS val 17834776 ecr 2091579506], length 188
06:24:13.194190 IP 192.168.122.132.49025 > 192.168.122.1.domain: 23295+ PTR? 1.122.168.192.in-addr.arpa. (44)
2 packets captured
3 packets received by filter
0 packets dropped by kernel
3. 侦听指定的协议
[root@localhost ~]# tcpdump -i eth0 arp
[root@localhost ~]# tcpdump -i eth0 icmp
[root@localhost ~]# tcpdump -i eth0 ip
[root@localhost ~]# tcpdump -i eth0 tcp
[root@localhost ~]# tcpdump -i eth0 udp
4. 侦听指定的端口
源端口或目的端口、源端口、目的端口:
[root@localhost ~]# tcpdump -i eth0 port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 src port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 dst port 22 -c 2
5. 监听指定的网络
源网络或目的网络、源网络、目的网络:
[root@localhost ~]# tcpdump -i eth0 net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 src net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 dst net 192.168.122.0/24 -c 2
6. 逻辑运算
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 and tcp and port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 or www.baidu.com -c 2
[root@localhost ~]# tcpdump -i eth0 not host 192.168.122.2
and: 逻辑与.
or: 逻辑或.
not: 逻辑非.
7. 打印数据包的内容
以 ASCII 码的形式:
[root@localhost ~]# tcpdump -i eth0 host www.baidu.com -A
...
06:45:55.722338 IP 182.61.200.7.http > 192.168.122.132.35802: Flags [.], seq 1:1453, ack 112, win 908, length 1452: HTTP: HTTP/1.1 200 OK
E.....@.$....=....z..P..........P....Q..HTTP/1.1 200 OK
Content-Length: 2381
Content-Type: text/html
Server: bfe
Date: Wed, 18 Aug 2021 12:07:56 GMT
........................... ...... hao123 ......
以十六进制的形式:
[root@localhost ~]# tcpdump -i eth0 host www.baidu.com -x
...
06:54:27.609068 IP 182.61.200.6.http > 192.168.122.132.37184: Flags [.], ack 113, win 2452, length 0
0x0000: 4500 0028 2919 4000 2406 7446 b63d c806
0x0010: c0a8 7a84 0050 9140 4465 0105 79ee 1aab
0x0020: 5010 0994 813b 0000
8. 打印链路层头部
[root@localhost ~]# tcpdump -i eth0 -e -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:50:34.476023 52:54:00:3a:b8:ec (oui Unknown) > 52:54:00:95:7c:07 (oui Unknown), ethertype IPv4 (0x0800), length 254: 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3169847186:3169847374, ack 545618982, win 295, options [nop,nop,TS val 19416059 ecr 2093039151], length 188
1 packet captured
6 packets received by filter
0 packets dropped by kernel