首先查看当前设备上有几个网卡
#ifconfig
em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.20.1.232 netmask 255.255.255.0 broadcast 172.20.1.255
inet6 fe80::569f:35ff:fe1d:90ce prefixlen 64 scopeid 0x20<link>
ether 54:9f:35:1d:90:ce txqueuelen 1000 (Ethernet)
RX packets 41967785 bytes 12381472598 (11.5 GiB)
RX errors 0 dropped 9565 overruns 0 frame 0
TX packets 10415926 bytes 5771086680 (5.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
em2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 54:9f:35:1d:90:d0 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 6733776 bytes 5017337440 (4.6 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6733776 bytes 5017337440 (4.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
使用tcpdump命令,如果我们想查看网卡em1上的通信包,就添加参数-i em1;tcp port 554指的是过滤条件,多个过滤条件之间用and连接。
#tcpdump -i em1 tcp port 554
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:32:21.535221 IP 172.20.1.177.49444 > 172.20.1.232.rtsp: Flags [S], seq 773779494, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:21.535286 IP 172.20.1.232.rtsp > 172.20.1.177.49444: Flags [R.], seq 0, ack 773779495, win 0, length 0
14:32:22.034397 IP 172.20.1.177.49444 > 172.20.1.232.rtsp: Flags [S], seq 773779494, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:22.034456 IP 172.20.1.232.rtsp > 172.20.1.177.49444: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:22.538449 IP 172.20.1.177.49444 > 172.20.1.232.rtsp: Flags [S], seq 773779494, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:32:22.538494 IP 172.20.1.232.rtsp > 172.20.1.177.49444: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:22.538924 IP 172.20.1.177.49447 > 172.20.1.232.rtsp: Flags [S], seq 1476281833, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:22.538964 IP 172.20.1.232.rtsp > 172.20.1.177.49447: Flags [R.], seq 0, ack 1476281834, win 0, length 0
14:32:23.048457 IP 172.20.1.177.49447 > 172.20.1.232.rtsp: Flags [S], seq 1476281833, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:23.048529 IP 172.20.1.232.rtsp > 172.20.1.177.49447: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:23.548504 IP 172.20.1.177.49447 > 172.20.1.232.rtsp: Flags [S], seq 1476281833, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:32:23.548560 IP 172.20.1.232.rtsp > 172.20.1.177.49447: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:23.558961 IP 172.20.1.177.49452 > 172.20.1.232.rtsp: Flags [S], seq 1537317808, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:23.559010 IP 172.20.1.232.rtsp > 172.20.1.177.49452: Flags [R.], seq 0, ack 1537317809, win 0, length 0
14:32:24.068521 IP 172.20.1.177.49452 > 172.20.1.232.rtsp: Flags [S], seq 1537317808, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:24.068578 IP 172.20.1.232.rtsp > 172.20.1.177.49452: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:24.568551 IP 172.20.1.177.49452 > 172.20.1.232.rtsp: Flags [S], seq 1537317808, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:32:24.568606 IP 172.20.1.232.rtsp > 172.20.1.177.49452: Flags [R.], seq 0, ack 1, win 0, length 0
tcpdump命令需要在root用户下执行。如果想要保存通信报文,可将输出结果重定向到一个snoop文件。snoop文件可以用wireshark等工具软件打开。