Linux抓包

首先查看当前设备上有几个网卡

#ifconfig

em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.1.232  netmask 255.255.255.0  broadcast 172.20.1.255
        inet6 fe80::569f:35ff:fe1d:90ce  prefixlen 64  scopeid 0x20<link>
        ether 54:9f:35:1d:90:ce  txqueuelen 1000  (Ethernet)
        RX packets 41967785  bytes 12381472598 (11.5 GiB)
        RX errors 0  dropped 9565  overruns 0  frame 0
        TX packets 10415926  bytes 5771086680 (5.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  

em2: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 54:9f:35:1d:90:d0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 6733776  bytes 5017337440 (4.6 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6733776  bytes 5017337440 (4.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

使用tcpdump命令，如果我们想查看网卡em1上的通信包，就添加参数-i em1；tcp port 554指的是过滤条件，多个过滤条件之间用and连接。

#tcpdump -i em1 tcp port 554

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:32:21.535221 IP 172.20.1.177.49444 > 172.20.1.232.rtsp: Flags [S], seq 773779494, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:21.535286 IP 172.20.1.232.rtsp > 172.20.1.177.49444: Flags [R.], seq 0, ack 773779495, win 0, length 0
14:32:22.034397 IP 172.20.1.177.49444 > 172.20.1.232.rtsp: Flags [S], seq 773779494, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:22.034456 IP 172.20.1.232.rtsp > 172.20.1.177.49444: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:22.538449 IP 172.20.1.177.49444 > 172.20.1.232.rtsp: Flags [S], seq 773779494, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:32:22.538494 IP 172.20.1.232.rtsp > 172.20.1.177.49444: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:22.538924 IP 172.20.1.177.49447 > 172.20.1.232.rtsp: Flags [S], seq 1476281833, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:22.538964 IP 172.20.1.232.rtsp > 172.20.1.177.49447: Flags [R.], seq 0, ack 1476281834, win 0, length 0
14:32:23.048457 IP 172.20.1.177.49447 > 172.20.1.232.rtsp: Flags [S], seq 1476281833, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:23.048529 IP 172.20.1.232.rtsp > 172.20.1.177.49447: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:23.548504 IP 172.20.1.177.49447 > 172.20.1.232.rtsp: Flags [S], seq 1476281833, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:32:23.548560 IP 172.20.1.232.rtsp > 172.20.1.177.49447: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:23.558961 IP 172.20.1.177.49452 > 172.20.1.232.rtsp: Flags [S], seq 1537317808, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:23.559010 IP 172.20.1.232.rtsp > 172.20.1.177.49452: Flags [R.], seq 0, ack 1537317809, win 0, length 0
14:32:24.068521 IP 172.20.1.177.49452 > 172.20.1.232.rtsp: Flags [S], seq 1537317808, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:32:24.068578 IP 172.20.1.232.rtsp > 172.20.1.177.49452: Flags [R.], seq 0, ack 1, win 0, length 0
14:32:24.568551 IP 172.20.1.177.49452 > 172.20.1.232.rtsp: Flags [S], seq 1537317808, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:32:24.568606 IP 172.20.1.232.rtsp > 172.20.1.177.49452: Flags [R.], seq 0, ack 1, win 0, length 0

tcpdump命令需要在root用户下执行。如果想要保存通信报文，可将输出结果重定向到一个snoop文件。snoop文件可以用wireshark等工具软件打开。