Check which yum repository provides the tcpdump command
[root@node1 ~]# yum provides tcpdump
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* epel: mirror.sjtu.edu.cn
* extras: mirrors.ustc.edu.cn
* updates: mirrors.ustc.edu.cn
14:tcpdump-4.9.2-4.el7_7.1.x86_64 : A network traffic monitoring tool
Repo : base
Install the tcpdump command
[root@node1 ~]# yum install tcpdump # install tcpdump
Capture a specified number of packets
-i specify the network interface to capture on
-nn Don't convert protocol and port numbers etc. to names either
-v verbose (more detailed) output
-c count: number of packets to capture before exiting
[root@nginx ~]# tcpdump -i ens33 -nnv -c 5
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:57:13.632712 IP (tos 0x10, ttl 64, id 33976, offset 0, flags [DF], proto TCP (6), length 164)
192.168.118.129.22 > 192.168.118.1.63949: Flags [P.], cksum 0x6e6a (incorrect -> 0xb0de), seq 3953381314:3953381438, ack 4231427335, win 501, length 124
00:57:13.632849 IP (tos 0x10, ttl 64, id 33977, offset 0, flags [DF], proto TCP (6), length 172)
192.168.118.129.22 > 192.168.118.1.63949: Flags [P.], cksum 0x6e72 (incorrect -> 0x16ba), seq 124:256, ack 1, win 501, length 132
00:57:13.632908 IP (tos 0x10, ttl 64, id 33978, offset 0, flags [DF], proto TCP (6), length 236)
192.168.118.129.22 > 192.168.118.1.63949: Flags [P.], cksum 0x6eb2 (incorrect -> 0x1285), seq 256:452, ack 1, win 501, length 196
00:57:13.632909 IP (tos 0x0, ttl 128, id 26096, offset 0, flags [DF], proto TCP (6), length 40)
192.168.118.1.63949 > 192.168.118.129.22: Flags [.], cksum 0x0af5 (correct), ack 124, win 4103, length 0
00:57:13.633054 IP (tos 0x0, ttl 128, id 26097, offset 0, flags [DF], proto TCP (6), length 40)
192.168.118.1.63949 > 192.168.118.129.22: Flags [.], cksum 0x09af (correct), ack 452, win 4101, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@nginx ~]#
Capture a specified number of packets and save them to a file
-i specify the network interface to capture on
-nn Don't convert protocol and port numbers etc. to names either
-v verbose (more detailed) output
-c count: number of packets to capture before exiting
-w write the raw packets to the specified file
[root@nginx ~]# tcpdump -i ens33 -nnv -c 100 -w ./file.tcpdump
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
100 packets captured
194 packets received by filter
0 packets dropped by kernel
[root@nginx ~]#
[root@nginx ~]# vim file.tcpdump # garbled: a tcpdump capture file is binary and cannot be viewed the ordinary way
Reading a capture file with tcpdump
Above we captured a specified number of packets and wrote them to file.tcpdump; the tcpdump command is needed to read it back:
[root@nginx ~]# tcpdump -r file.tcpdump
reading from file file.tcpdump, link-type EN10MB (Ethernet)
01:01:53.212876 IP 127.0.0.1.ssh > 192.168.118.1.63949: Flags [P.], seq 3953390274:3953390398, ack 4231429431, win 501, length 124
01:01:53.213025 IP 192.168.118.1.63949 > 127.0.0.1.ssh: Flags [.], ack 124, win 4102, length 0
01:01:53.232629 IP 192.168.118.132.44432 > 127.0.0.1.16363: Flags [S], seq 321335141, win 29200, options [mss 1460,sackOK,TS val 654969671 ecr 0,nop,wscale 7], length 0
01:01:53.232634 IP 192.168.118.132.39595 > 127.0.0.1.16363: Flags [S], seq 89052019, win 29200, options [mss 1460,sackOK,TS val 654969671 ecr 0,nop,wscale 7], length 0
01:01:53.232635 IP 192.168.118.132.39309 > 127.0.0.1.16364: Flags [S], seq 693878963, win 29200, options [mss 1460,sackOK,TS val 654969671 ecr 0,nop,wscale 7], length 0
01:01:53.232656 IP 127.0.0.1.16363 > 192.168.118.132.44432: Flags [R.], seq 0, ack 321335142, win 0, length 0
01:01:53.232675 IP 127.0.0.1.16363 > 192.168.118.132.39595: Flags [R.], seq 0, ack 89052020, win 0, length 0
01:01:53.232686 IP 127.0.0.1.16364 > 192.168.118.132.39309: Flags [R.], seq 0, ack 693878964, win 0, length 0
Note: export file.tcpdump and open it with Wireshark for a much better view of the capture.
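As an added example (not part of the original post): a small Python script that parses the text output of tcpdump -r file.tcpdump (the non-verbose format shown above, without -v) and pairs each SYN with the RST/ACK that answered it, which is how a defender would spot the refused connection attempts from 192.168.118.132 in the capture. The sample lines are copied from the output above; the regular expression and function names are my own.

```python
import re
from collections import defaultdict

# Shape of one non-verbose tcpdump line: "HH:MM:SS.us IP src.port > dst.port: Flags [X], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

# Sample lines copied from the `tcpdump -r file.tcpdump` output above
SAMPLE = """\
01:01:53.212876 IP 127.0.0.1.ssh > 192.168.118.1.63949: Flags [P.], seq 3953390274:3953390398, ack 4231429431, win 501, length 124
01:01:53.213025 IP 192.168.118.1.63949 > 127.0.0.1.ssh: Flags [.], ack 124, win 4102, length 0
01:01:53.232629 IP 192.168.118.132.44432 > 127.0.0.1.16363: Flags [S], seq 321335141, win 29200, options [mss 1460,sackOK,TS val 654969671 ecr 0,nop,wscale 7], length 0
01:01:53.232634 IP 192.168.118.132.39595 > 127.0.0.1.16363: Flags [S], seq 89052019, win 29200, options [mss 1460,sackOK,TS val 654969671 ecr 0,nop,wscale 7], length 0
01:01:53.232635 IP 192.168.118.132.39309 > 127.0.0.1.16364: Flags [S], seq 693878963, win 29200, options [mss 1460,sackOK,TS val 654969671 ecr 0,nop,wscale 7], length 0
01:01:53.232656 IP 127.0.0.1.16363 > 192.168.118.132.44432: Flags [R.], seq 0, ack 321335142, win 0, length 0
01:01:53.232675 IP 127.0.0.1.16363 > 192.168.118.132.39595: Flags [R.], seq 0, ack 89052020, win 0, length 0
01:01:53.232686 IP 127.0.0.1.16364 > 192.168.118.132.39309: Flags [R.], seq 0, ack 693878964, win 0, length 0
"""

def split_endpoint(ep):
    """'192.168.118.132.44432' -> ('192.168.118.132', '44432'); the port may be a name (e.g. 'ssh') without -nn."""
    host, port = ep.rsplit(".", 1)
    return host, port

def parse_line(line):
    """Return a dict for one IP packet line, or None for headers and other non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": split_endpoint(m["src"]),
            "dst": split_endpoint(m["dst"]), "flags": m["flags"]}

def refused_connections(text):
    """Pair each bare SYN with a later RST/ACK coming back on the same 4-tuple.
    Returns {syn_sender_host: [(target_host, target_port), ...]} for refused attempts."""
    pending = set()              # (src, dst) tuples whose SYN has not been answered yet
    refused = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":
            pending.add((pkt["src"], pkt["dst"]))
        elif pkt["flags"] == "R." and (pkt["dst"], pkt["src"]) in pending:
            # the RST travels in the reverse direction: its dst is the original SYN sender
            pending.discard((pkt["dst"], pkt["src"]))
            refused[pkt["dst"][0]].append(pkt["src"])
    return dict(refused)
```

Run it on the output of tcpdump -r file.tcpdump to list, per source host, which closed ports were probed.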
Capture packets on a specified port
[root@nginx ~]# tcpdump -i ens33 -nnv port 22
Capture packets from a specified network segment
[root@nginx ~]# tcpdump -i ens33 -nnv net 192.168.118.0/24
Capture packets to or from a specified host
[root@nginx ~]# tcpdump -i ens33 -nnv host 192.168.118.131
Capture packets of a specified protocol
[root@nginx ~]# tcpdump -i ens33 -nnv arp
[root@nginx ~]# tcpdump -i ens33 -nnv icmp
[root@nginx ~]# tcpdump -i ens33 -nnv udp
[root@nginx ~]# tcpdump -i ens33 -nnv tcp
[root@nginx ~]# tcpdump -i ens33 -nnv ip
[root@nginx ~]# tcpdump -i ens33 -nnv vrrp
Combining multiple conditions when capturing
and (both conditions must hold), or (either condition may hold), not (negation). and binds more tightly than or, so host 192.168.118.131 and port 22 or port 80 is read as (host 192.168.118.131 and port 22) or port 80; group with parentheses, escaped as \( and \) so the shell does not interpret them.
[root@nginx ~]# tcpdump -i ens33 -nnv host 192.168.118.130 and host 192.168.118.131
[root@nginx ~]# tcpdump -i ens33 -nnv host 192.168.118.131 and port 22
[root@nginx ~]# tcpdump -i ens33 -nnv host 192.168.118.130 and \(port 22 or port 80\)
[root@nginx ~]# tcpdump -i ens33 -nnv host 192.168.118.130 or host 192.168.118.131
[root@nginx ~]# tcpdump -i ens33 -nnv host 192.168.118.130 or \(host 192.168.118.131 and port 22\)
[root@nginx ~]# tcpdump -i ens33 -nnv host 192.168.118.131 and port 22 or port 80
[root@nginx ~]# tcpdump -i ens33 -nnv not port 80