安装:
[root@localhost ~]# yum -y install tcpdump
用法:
[root@localhost ~]# tcpdump -nn -i ens33
-nn:第一个 n 表示不把IP地址反向解析成主机名,第二个 n 表示不把端口号转换成服务名(如 22 显示为 ssh)。不加的话 tcpdump 会对每个包的源/目的地址做DNS查询,既拖慢抓包,也会向外发出DNS请求,因此抓包和读包时都建议带上 -nn
-i:指定网卡名称(可用 tcpdump -D 列出可抓包的网卡;抓包需要root,或具备 CAP_NET_RAW/CAP_NET_ADMIN 权限)
指定端口:
[root@localhost ~]# tcpdump -nn -i ens33 port 80
*只抓80端口的数据包
取反用 not:(只抓除了80端口的所有包。通过SSH登录服务器抓包时,通常加上 not port 22 把自己的SSH会话过滤掉,否则输出里几乎全是自己会话的ssh包,就像后面 -r 读文件的输出那样)
[root@localhost ~]# tcpdump -nn -i ens33 not port 80
多条件:
[root@localhost ~]# tcpdump -nn -i ens33 not port 80 and host 192.168.234.1
*只抓 ip为192.168.234.1(源或目的)且端口不是80的包。注意 not 的优先级高于 and,所以这里是"(not port 80) and host …",需要更复杂的组合时建议用括号并整体加引号,如 'host 192.168.234.1 and not (port 80 or port 22)'
-c参数:指定抓包数量
[root@localhost ~]# tcpdump -nn -i ens33 -c 10
-w参数:将数据包以原始 pcap 格式写入指定文件(不是文本,写文件时终端上不再显示包内容,用 -c 限制数量或 Ctrl+C 结束)。抓包文件里可能包含明文口令、Cookie、会话令牌等敏感数据,实际使用时应写到只有 root 可访问的目录而不是 /tmp 这类所有人可写的目录,并用 chmod 600 限制文件权限,用完及时删除
[root@localhost ~]# tcpdump -nn -i ens33 -c 5 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
5 packets received by filter
0 packets dropped by kernel
查看数据包文件:tcpdump -r(读文件时同样建议加 -nn,即 tcpdump -nn -r /tmp/1.cap;下面输出中的 localhost.localdomain.ssh 就是没加 -nn 时把地址和端口反向解析后的结果,分析离线文件时这会对文件里的每个地址发起DNS查询,既慢,也会把"正在分析哪些地址"泄露给DNS服务器)
[root@localhost ~]# tcpdump -r /tmp/1.cap
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
23:04:16.355507 IP localhost.localdomain.ssh > 192.168.234.1.52014: Flags [P.], seq 2733320790:2733320922, ack 2721249905, win 266, length 132
23:04:16.355793 IP 192.168.234.1.52014 > localhost.localdomain.ssh: Flags [.], ack 132, win 8211, length 0
23:04:22.622548 IP 192.168.234.1.52014 > localhost.localdomain.ssh: Flags [P.], seq 1:69, ack 132, win 8211, length 68
23:04:22.622708 IP localhost.localdomain.ssh > 192.168.234.1.52014: Flags [P.], seq 132:184, ack 69, win 266, length 52
23:04:22.667220 IP 192.168.234.1.52014 > localhost.localdomain.ssh: Flags [.], ack 184, win 8210, length 0
补充:
tshark工具: 查看指定网卡80端口的web访问情况
安装:
[root@localhost ~]# yum -y install wireshark
*CentOS 7 上 tshark 随 wireshark 包一起安装;较新的发行版(如 CentOS/RHEL 8 及以后)把命令行工具拆到了 wireshark-cli 包,装完可用 command -v tshark 确认
命令:
[root@localhost ~]# tshark -n -i ens33 -f "tcp port 80" -Y http.request -t a -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
*原命令没有指定网卡,也没有限制80端口,和标题"指定网卡80端口"不符;这里用 -i 指定网卡,-f 是BPF抓包过滤器(只抓 tcp 80 的包,减少负载),-Y 是显示过滤器(只输出HTTP请求)。-R 在新版 tshark 中是两遍分析的读取过滤器,必须配合 -2 使用,单遍实时抓包应改用 -Y
*可以查看访问时间、访问IP、访问的域名、访问的文件、HTTP请求类型(类似web访问日志)。注意只对明文HTTP有效:HTTPS 流量 tshark 只能看到TLS握手(最多拿到SNI里的域名),看不到 URI 和请求方法。另外 tshark 以 root 运行并解析大量协议,抓取不可信网络的流量时建议用 -f 尽量缩小抓包范围,或先用 tcpdump -w 存文件再离线分析