tcpdump is used to capture and analyze network traffic. System administrators can use it to view live traffic, or to save the output to a file and analyze it later. Six commonly used options are listed below.
The -D option
The -D option of tcpdump lists the available interface devices. Once you have seen this list, you can decide which interface to capture traffic on. It also tells you whether each interface is up and running, and whether it is a loopback interface, as shown below:
[root@localhost ~]# tcpdump -D
1.ens160 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (All USB buses) [none]
8.usbmon1 (USB bus number 1)
9.usbmon2 (USB bus number 2)
The -c [number] option
The -c option captures X packets and then stops. Without it, tcpdump keeps running indefinitely, so use -c when you only want a small sample of packets. Note that if there is no traffic on the interface, tcpdump will keep waiting until it has seen that many packets.
[root@localhost ~]# tcpdump -c 5 -i any
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:33:47.713379 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 714380127:714380371, ack 1854022435, win 388, length 244
17:33:47.713785 IP localhost.localdomain.36821 > _gateway.domain: 36365+ PTR? 1.43.168.192.in-addr.arpa. (43)
17:33:47.713939 IP 192.168.43.1.39970 > localhost.loc
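The two options above combine naturally in a script: parse the -D output to pick a real, running interface, then take a small -c sample that cannot hang forever on a quiet link. The following shell script is an added example, not code from the original article. It assumes a Linux host with tcpdump and the coreutils timeout command; the interface list embedded in it is a constructed sample shaped like the -D output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): select capture interfaces
# from `tcpdump -D` output and run a capture bounded by both packet count
# and wall-clock time.

# Constructed sample of `tcpdump -D` output, shaped like the listing above.
SAMPLE_D_OUTPUT='1.ens160 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (All USB buses) [none]'

# usable_interfaces: read `tcpdump -D` output on stdin and print the names of
# interfaces that are Up and Running, skipping loopback and the "any"
# pseudo-device (which would mix traffic from every interface into one file).
usable_interfaces() {
    # "N.name (description) [flags]" -> "name flags"
    sed -n 's/^[0-9][0-9]*\.\([^ ]*\).*\[\([^]]*\)\].*$/\1 \2/p' |
    while read -r name flags; do
        case "$flags" in
            *Up*Running*)
                case "$flags" in *Loopback*) continue ;; esac
                [ "$name" = any ] && continue
                printf '%s\n' "$name"
                ;;
        esac
    done
}

# bounded_capture IFACE COUNT SECONDS FILE
# Capture at most COUNT packets on IFACE, but give up after SECONDS even if
# the link is idle: -c alone blocks until COUNT packets have been seen.
# Packets are written raw to FILE for later analysis with `tcpdump -r FILE`.
# Needs root (or CAP_NET_RAW); this function is not exercised by the test.
bounded_capture() {
    iface=$1; count=$2; seconds=$3; file=$4
    timeout "$seconds" tcpdump -i "$iface" -c "$count" -w "$file"
    status=$?
    # timeout exits 124 when the deadline fires before tcpdump finishes;
    # tcpdump flushes on SIGTERM, so FILE still holds whatever was captured.
    if [ "$status" -eq 124 ]; then
        echo "capture on $iface timed out after ${seconds}s" >&2
    fi
    return "$status"
}

# Stand-alone usage: parse the live interface list when tcpdump is present,
# otherwise the constructed sample.
if command -v tcpdump >/dev/null 2>&1; then
    tcpdump -D 2>/dev/null | usable_interfaces
else
    printf '%s\n' "$SAMPLE_D_OUTPUT" | usable_interfaces
fi
# e.g. bounded_capture ens160 5 30 /tmp/sample.pcap
```

Wrapping -c in timeout is the practical answer to the waiting problem described above: a scheduled sampling job finishes either when the packet count is reached or when the deadline fires, and the exit status tells you which.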