Linux Network Administration: the tcpdump command

Purpose: capturing network packets.

1. Common options

  • -c N: exit after receiving N packets.
  • -n: show addresses numerically (no name resolution).
  • -nn: show port numbers numerically as well (no service-name lookup).
  • -i interface: listen on the specified network interface.
  • -Q direction: select the packet direction (inbound, outbound, or both); direction may be in, out or inout.
  • -A: print packet contents in ASCII.
  • -x: print packet contents in hexadecimal.
  • -e: print the link-layer header.
  • -t: do not print a timestamp.

2. Listening on a specified network interface

  • Packets entering or leaving the specified interface:

    [root@localhost ~]# tcpdump -i eth0 -n -nn -c 2
    ...
    06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], seq 3166421438:3166421626, ack 545579750, win 295, options [nop,nop,TS val 17230918 ecr 2091022108], length 188
    06:14:09.335332 IP 192.168.122.1.53800 > 192.168.122.132.22: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091022134 ecr 17230918], length 0
    ...
    
  • Packets entering through the specified interface:

    [root@localhost ~]# tcpdump -i eth0 -Q in -c 2
    ...
    06:21:19.100727 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166430042, win 1424, options [nop,nop,TS val 2091418841 ecr 17660684], length 0
    06:21:19.101696 IP 192.168.122.1.domain > 192.168.122.132.53181: 22222 NXDomain 0/0/0 (46)
    ...
    
  • Packets leaving through the specified interface:

    [root@localhost ~]# tcpdump -i eth0 -Q out -c 2
    ...
    06:42:18.231062 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3169833758:3169833946, ack 545616298, win 295, options [nop,nop,TS val 18919814 ecr 2092581077], length 188
    06:42:18.231775 IP 192.168.122.132.48232 > 192.168.122.1.domain: 39110+ PTR? 1.122.168.192.in-addr.arpa. (44)
    ...
    

3. Listening for a specified host

  • The given address as either source or destination:

    [root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 -c 2
    ...
    06:20:25.095802 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166428670:3166428858, ack 545584350, win 295, options [nop,nop,TS val 17606679 ecr 2091368949], length 188
    06:20:25.095965 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091368990 ecr 17606679], length 0
    ...
    
  • The given address as source (equivalent to combining with -Q in):

    [root@localhost ~]# tcpdump -i eth0 src host 192.168.122.1 -c 2
    ...
    06:22:54.673517 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166431854, win 1424, options [nop,nop,TS val 2091507061 ecr 17756257], length 0
    06:22:54.674494 IP 192.168.122.1.domain > 192.168.122.132.58001: 47541 NXDomain 0/0/0 (46)
    ...
    
  • The given address as destination (equivalent to combining with -Q out):

    [root@localhost ~]# tcpdump -i eth0 dst host 192.168.122.1 -c 2
    ...
    06:24:13.192880 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166433542:3166433730, ack 545587194, win 295, options [nop,nop,TS val 17834776 ecr 2091579506], length 188
    06:24:13.194190 IP 192.168.122.132.49025 > 192.168.122.1.domain: 23295+ PTR? 1.122.168.192.in-addr.arpa. (44)
    ...
    
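The host/src/dst filters and the -Q in/out direction selector above can be checked against each other on saved summary lines. The following Python is an added example, not part of the original post: it parses lines in the numeric (-n -nn) format shown in sections 2 and 3 and re-applies those filters, assuming the capturing host is 192.168.122.132 as in the sessions above; the log lines are constructed from this page's output.

```python
"""Replay tcpdump's host/src/dst and -Q in/out filters over saved summary lines (added example)."""
import re

# Constructed sample: summary lines in the form tcpdump -n -nn prints them, taken from
# this page's sessions (ssh traffic plus a DNS exchange between the two hosts).
LOG = """\
06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], seq 3166421438:3166421626, ack 545579750, win 295, length 188
06:14:09.335332 IP 192.168.122.1.53800 > 192.168.122.132.22: Flags [.], ack 188, win 1424, length 0
06:21:19.101696 IP 192.168.122.1.53 > 192.168.122.132.53181: 22222 NXDomain 0/0/0 (46)
06:42:18.231775 IP 192.168.122.132.48232 > 192.168.122.1.53: 39110+ PTR? 1.122.168.192.in-addr.arpa. (44)
"""

# Assumed capturing host; -Q in/out is judged relative to it, not to any filter address.
LOCAL_HOST = "192.168.122.132"

# Matches "<time> IP <src>.<sport> > <dst>.<dport>:" with numeric addresses and ports.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")


def parse(log):
    """Yield one dict per parseable summary line; lines in another format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def match(pkt, local, host=None, src=None, dst=None, direction=None, port=None):
    """Emulate the primitives used on this page: host / src host / dst host, -Q in|out, port."""
    if host and host not in (pkt["src"], pkt["dst"]):
        return False
    if src and pkt["src"] != src:
        return False
    if dst and pkt["dst"] != dst:
        return False
    if direction == "in" and pkt["dst"] != local:
        return False
    if direction == "out" and pkt["src"] != local:
        return False
    if port and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def select(log, local, **flt):
    """Return the timestamps of the lines the given filter would have kept."""
    return [p["ts"] for p in parse(log) if match(p, local, **flt)]


if __name__ == "__main__":
    print("-Q in               :", select(LOG, LOCAL_HOST, direction="in"))
    print("src host 192.168.122.1:", select(LOG, LOCAL_HOST, src="192.168.122.1"))
```

The two printed lists are identical only because 192.168.122.1 is the sole peer in this capture; on a busier interface `src host` keeps one peer's packets while `-Q in` keeps every inbound packet.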

4. Listening for a specified protocol

[root@localhost ~]# tcpdump -i eth0 arp
[root@localhost ~]# tcpdump -i eth0 icmp
[root@localhost ~]# tcpdump -i eth0 ip
[root@localhost ~]# tcpdump -i eth0 tcp
[root@localhost ~]# tcpdump -i eth0 udp

5. Listening for a specified port

Source or destination port, source port only, destination port only:

[root@localhost ~]# tcpdump -i eth0 port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 src port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 dst port 22 -c 2

6. Listening for a specified network

Source or destination network, source network only, destination network only:

[root@localhost ~]# tcpdump -i eth0 net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 src net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 dst net 192.168.122.0/24 -c 2

7. Logical operators

[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 and tcp and port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 or www.baidu.com -c 2
[root@localhost ~]# tcpdump -i eth0 not host 192.168.122.2
  • and: logical AND.
  • or: logical OR.
  • not: logical NOT.

8. Printing packet contents

  • In ASCII:

    [root@localhost ~]# tcpdump -i eth0 host www.baidu.com -A
    ...
    06:45:55.722338 IP 182.61.200.7.http > 192.168.122.132.35802: Flags [.], seq 1:1453, ack 112, win 908, length 1452: HTTP: HTTP/1.1 200 OK
    E.....@.$....=....z..P..........P....Q..HTTP/1.1 200 OK
    Content-Length: 2381
    Content-Type: text/html
    Server: bfe
    Date: Wed, 18 Aug 2021 12:07:56 GMT
    
    <!DOCTYPE html>
    <!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>...........................</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=............ class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>......</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>......</a> <a href=http://v.baidu.com name=tj_trvide
    
  • In hexadecimal:

    [root@localhost ~]# tcpdump -i eth0 host www.baidu.com -x
    ...
    06:54:27.609068 IP 182.61.200.6.http > 192.168.122.132.37184: Flags [.], ack 113, win 2452, length 0
            0x0000:  4500 0028 2919 4000 2406 7446 b63d c806
            0x0010:  c0a8 7a84 0050 9140 4465 0105 79ee 1aab
            0x0020:  5010 0994 813b 0000
    
  • Printing the link-layer header:

    [root@localhost ~]# tcpdump -i eth0 -e -c 1
    ...
    06:50:34.476023 52:54:00:3a:b8:ec (oui Unknown) > 52:54:00:95:7c:07 (oui Unknown), ethertype IPv4 (0x0800), length 254: 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3169847186:3169847374, ack 545618982, win 295, options [nop,nop,TS val 19416059 ecr 2093039151], length 188
    ...
    
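The -x dump in the hexadecimal item above is the raw IPv4 and TCP header that tcpdump summarised on the line before it. The following Python is an added example, not code from the original post: it decodes those three hex lines (embedded here as the sample input) and reproduces the addresses, ports, flag letters, window and payload length from tcpdump's own summary, using the same flag-letter order tcpdump prints (F S R P . U E W).

```python
"""Decode the IPv4/TCP headers from a tcpdump -x hex dump (added example)."""
import re
from ipaddress import IPv4Address

# Sample input: the three "0xNNNN:" lines printed by tcpdump -x on this page.
HEX_DUMP = """
        0x0000:  4500 0028 2919 4000 2406 7446 b63d c806
        0x0010:  c0a8 7a84 0050 9140 4465 0105 79ee 1aab
        0x0020:  5010 0994 813b 0000
"""

# tcpdump's flag letters in bit order (0x01 .. 0x80); a bare ACK prints as '.'.
TCP_FLAG_CHARS = "FSRP.UEW"


def hexdump_to_bytes(dump):
    """Turn '0xNNNN:  xxxx xxxx ...' lines into the raw packet bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]{4}:\s+(.*)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def decode_ipv4_tcp(pkt):
    """Parse IPv4 + TCP headers; returns the fields tcpdump puts in its summary line."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                    # IP header length in bytes
    total_len = int.from_bytes(pkt[2:4], "big")  # IP total length field
    if pkt[9] != 6:
        raise ValueError("not TCP (protocol %d)" % pkt[9])
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4                # TCP header length in bytes
    flags = "".join(c for i, c in enumerate(TCP_FLAG_CHARS) if tcp[13] & (1 << i))
    return {
        "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
        "sport": int.from_bytes(tcp[0:2], "big"), "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"), "ack": int.from_bytes(tcp[8:12], "big"),
        "flags": flags, "win": int.from_bytes(tcp[14:16], "big"),
        "length": total_len - ihl - data_off,    # TCP payload bytes, the "length N" value
    }


def summarize(dump):
    """Render a one-line summary in the style of tcpdump's own output."""
    f = decode_ipv4_tcp(hexdump_to_bytes(dump))
    return "IP %s.%d > %s.%d: Flags [%s], win %d, length %d" % (
        f["src"], f["sport"], f["dst"], f["dport"], f["flags"], f["win"], f["length"])


if __name__ == "__main__":
    print(summarize(HEX_DUMP))
```

The decoded seq and ack are the absolute 32-bit values from the wire; tcpdump prints relative numbers once it has seen the handshake, which is why the summary line shows "ack 113" (use -S to print absolute numbers).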