1. Install tcpdump
Install command (RHEL/CentOS): yum install tcpdump -y
On Debian/Ubuntu the equivalent is apt-get install tcpdump -y. Capturing needs root (or CAP_NET_RAW), so run the commands below as root or with sudo.
2. The tcpdump command (SYNOPSIS from the man page)
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q|-P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
3. Basic usage
All of the commands below need root. Adding -nn stops tcpdump from resolving IPs to hostnames and ports to service names; it is faster and does not send DNS queries about the hosts you are looking at.
- Filter by host IP: tcpdump -i eth0 host 104.238.132.163 Note: captures packets on interface eth0 whose source or destination IP is 104.238.132.163 (use src host or dst host for one direction only)
- Filter by port: tcpdump -i eth0 port 1234 Note: captures packets on eth0 whose source or destination port (TCP or UDP) is 1234
- Filter by protocol: tcpdump -i eth0 udp Note: captures the UDP packets on eth0
- Capture loopback traffic: tcpdump -i lo udp Note: the only difference is the interface; for loopback use lo, everything else stays the same
- Capture packets of a particular type:
- Capture all SYN packets on eth0: tcpdump -i eth0 'tcp[tcpflags] = tcp-syn' Note: this matches packets whose TCP flags are exactly SYN, i.e. new connection attempts only; a SYN-ACK has both bits set and is not matched. To match every packet with the SYN bit set, use 'tcp[tcpflags] & tcp-syn != 0'
- Logical filter expressions: tcpdump -i eth1 '((tcp) and ((dst net 172.16) and (not dst host 192.168.1.200)))' Note: captures all TCP packets on eth1 whose destination is in 172.16.0.0/16 (net 172.16 is shorthand for that /16) but is not host 192.168.1.200
- Save a capture to a file: tcpdump -i eth1 host 172.16.7.206 and port 80 -w /tmp/xxx.cap Note: captures all packets on eth1 to or from host 172.16.7.206 on port 80 and writes them, unparsed, to /tmp/xxx.cap. host matches both directions; use dst host 172.16.7.206 if you only want traffic going to it. The man page form puts the options before the filter expression (tcpdump -i eth1 -w /tmp/xxx.cap host 172.16.7.206 and port 80); on Linux both orders work. Read the file back later with tcpdump -nn -r /tmp/xxx.cap
4. Problems encountered
- tcpdump: packet printing is not supported for link type NFLOG: use -w
This happens when tcpdump is started without -i and the default interface it picks is the netfilter log pseudo-device (nflog) rather than a real NIC: tcpdump can write NFLOG packets to a file with -w but cannot print them. Check which interfaces exist with ifconfig (ip link or tcpdump -D, which lists exactly the devices tcpdump can open, also work):
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.6.128  netmask 255.255.255.0  broadcast 192.168.6.255
        inet6 fe80::ef0d:79fa:8ef6:3358  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6e:fe:db  txqueuelen 1000  (Ethernet)
        RX packets 1895  bytes 127294 (124.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3245  bytes 803811 (784.9 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 64  bytes 5568 (5.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64  bytes 5568 (5.4 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
The real interface here is ens33, so run tcpdump -i ens33 and the error goes away. Always name the interface with -i instead of relying on the default.
- Capture to a file: tcpdump -i ens33 -c 5000 -w one.cap Note: listens on ens33, stops after 5000 packets, and writes them to one.cap. Add -U if you want each packet flushed to disk as it arrives instead of buffered.
- Stopping a capture: Ctrl+C, or find the tcpdump process id and run kill [pid] (SIGTERM). Both make tcpdump flush and close the capture file and print its packet counters. Avoid kill -9 [pid]: SIGKILL gives tcpdump no chance to flush, so the buffered tail of a -w capture is lost and the file can end in a truncated packet.
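The points from sections 3 and 4 together as a small capture helper. This is an added example, not code from the original note: it assumes Linux with tcpdump 4.x, the tcpdump flags it uses are documented ones, and the function names, the sample `tcpdump -D` listing and the defaults (output under /tmp, dropping to nobody) are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not code from the original note. Assumes Linux with
# tcpdump 4.x: the tcpdump flags are documented ones; the function names,
# the sample device list and the defaults are this example's own.
set -eu

# Pseudo-devices that `tcpdump -D` lists but that should never be picked as
# a default: nflog/nfqueue are the ones behind "packet printing is not
# supported for link type NFLOG"; any and lo are only wanted when asked for.
is_pseudo_iface() {
    case "$1" in
        lo|any|nflog|nfqueue|usbmon*|bluetooth*|dbus-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `tcpdump -D` output on stdin and print the first usable interface.
# Lines look like "6.ens34 [Up, Running]" or
# "4.nflog (Linux netfilter log (NFLOG) interface) [none]"; releases
# before 4.9 print only "1.eth0", with no status block.
pick_capture_iface() {
    local line name
    while IFS= read -r line; do
        name=${line#*.}           # drop the "N." prefix
        name=${name%% *}          # keep only the device name
        [ -n "$name" ] || continue
        is_pseudo_iface "$name" && continue
        case "$line" in
            *"[Up"*) ;;           # status block says the interface is up
            *"["*)   continue ;;  # status block present but not up
            *)       ;;           # old format without status: accept
        esac
        printf '%s\n' "$name"
        return 0
    done
    return 1
}

# Constructed sample of `tcpdump -D` output: the first NIC is down, the
# netfilter pseudo-devices come next, and the usable NIC is listed last.
SAMPLE_DEVICE_LIST='1.ens33 [none]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface) [none]
5.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
6.ens34 [Up, Running]'

# Run a capture to a file with the flags a saved capture should have.
#   -nn  no DNS or service-name lookups: faster, and the addresses you are
#        investigating are not sent to a resolver
#   -s 0 whole packets
#   -U   write each packet as it arrives, so a kill loses nothing buffered
#   -Z   drop root once the interface is open. Caveat: the -w file is opened
#        after the drop, so the directory must be writable by that user
#        (/tmp is; /root usually is not).
# Usage: run_capture IFACE OUTFILE COUNT [FILTER...]  (COUNT 0 = until stopped)
run_capture() {
    local iface=$1 out=$2 count=$3
    shift 3
    [ "$(id -u)" -eq 0 ] || { echo "run_capture: needs root" >&2; return 1; }
    if [ "$count" -gt 0 ]; then
        tcpdump -i "$iface" -nn -s 0 -U -Z nobody -c "$count" -w "$out" "$@"
    else
        tcpdump -i "$iface" -nn -s 0 -U -Z nobody -w "$out" "$@"
    fi
}

# Stop a capture cleanly. SIGINT (Ctrl-C) and SIGTERM make tcpdump flush and
# close the pcap file and print its packet counters; SIGKILL (kill -9) does
# not, so buffered packets are lost. Sends INT, then TERM only if the process
# is still alive after TIMEOUT seconds (default 5). Never sends KILL.
stop_capture() {
    local pid=$1 timeout=${2:-5} i=0
    kill -INT "$pid" 2>/dev/null || return 1      # not running or not ours
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$i" -ge "$timeout" ]; then
            kill -TERM "$pid" 2>/dev/null || true
            break
        fi
        sleep 1
        i=$((i + 1))
    done
}

# Stand-alone demo: which interface the chooser picks from the sample and,
# if tcpdump is installed, from the live `tcpdump -D`. A real run would be:
#   run_capture "$iface" /tmp/web.pcap 0 host 172.16.7.206 and port 80 &
#   ...
#   stop_capture "$!"
printf 'sample list  -> %s\n' "$(printf '%s\n' "$SAMPLE_DEVICE_LIST" | pick_capture_iface)"
if command -v tcpdump >/dev/null 2>&1; then
    printf 'this machine -> %s\n' "$(tcpdump -D 2>/dev/null | pick_capture_iface || echo none)"
fi
```

Source the file and call `run_capture "$(tcpdump -D | pick_capture_iface)" /tmp/web.pcap 0 host 172.16.7.206 and port 80 &` to start, then `stop_capture "$!"` to end it; because the output goes to /tmp the -Z user can create the file, and because SIGINT is used the pcap is closed cleanly.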