tcpdump captures and analyzes network traffic. A system administrator can use it to watch live traffic or to write the packets to a file and analyze them later. Five commonly used options are listed below.
The -r option
If you have written out a .pcap file with -w, you will have noticed that it cannot be read with a text editor: it holds the raw packet bytes, not text. Use the -r file.pcap option instead. It reads an existing capture file and prints the packets it contains, applying the same decoding (and any filter expression you append) that it would apply to a live interface. Note that in the session below the capture was taken with -nn but the file was read without it, so tcpdump performed reverse lookups while reading (localhost.localdomain, _gateway.domain). When analyzing a capture, pass -nn to -r as well: it keeps the output stable and avoids sending DNS queries from the analysis host for every address in the file.
# Write the .pcap file
[root@localhost ~]# tcpdump -c 4 -i any port 53 -nn -w dns.pcap -v
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
4 packets captured
8 packets received by filter
0 packets dropped by kernel

# Read the .pcap file with -r
[root@localhost ~]# tcpdump -r dns.pcap
reading from file dns.pcap, link-type LINUX_SLL (Linux cooked)
dropped privs to tcpdump
19:33:54.533792 IP localhost.localdomain.48048 > _gateway.domain: 30912+ A? www.bai. (25)
19:33:54.533835 IP localhost.localdomain.48048 > _gateway.domain: 51681+ AAAA? www.bai. (25)
19:33:54.537733 IP _gateway.domain > localhost.localdomain.48048: 51681 NXDomain 0/1/0 (100)
19:33:54.539312 IP _gateway.domain > localhost.localdomain.48048: 30912 NXDomain 0/1/0 (100)
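Once a capture has been read back with -r, the usual next step is to analyze the printed lines rather than eyeball them. The following script is an added example, not code from the original article or from the tcpdump project: it parses tcpdump's DNS output format into query/response transactions, pairing each reply with its query by transaction ID and by the client host:port the reply is addressed to (a reply whose ID or destination does not match a pending query is ignored, which is also how a resolver defends against spoofed answers). The sample input is the four lines from the session above; the regular expressions cover the common tcpdump DNS line shapes (query flags, optional EDNS marker, optional rcode word) and are assumptions about that format rather than a complete grammar.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four lines that `tcpdump -r dns.pcap` printed
# in the session above (two queries for www.bai. and the two NXDomain replies).
SAMPLE_OUTPUT = """\
19:33:54.533792 IP localhost.localdomain.48048 > _gateway.domain: 30912+ A? www.bai. (25)
19:33:54.533835 IP localhost.localdomain.48048 > _gateway.domain: 51681+ AAAA? www.bai. (25)
19:33:54.537733 IP _gateway.domain > localhost.localdomain.48048: 51681 NXDomain 0/1/0 (100)
19:33:54.539312 IP _gateway.domain > localhost.localdomain.48048: 30912 NXDomain 0/1/0 (100)
"""

# A query line as tcpdump prints it: "<id>+[flags] [<edns>] <qtype>? <qname> (<len>)".
# The '+' means the client asked for recursion. (Assumed line shape, see lead-in.)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<txid>\d+)\+[%$|]* (?:\[[^\]]*\] )?(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)
# A reply line: "<id>[flags] [<rcode>] <ancount>/<nscount>/<arcount> [records] (<len>)".
# No rcode word means NOERROR. (Assumed line shape, see lead-in.)
RESPONSE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<txid>\d+)[*$|-]* ?(?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp)? ?"
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+).*\((?P<length>\d+)\)$"
)


@dataclass
class DnsTxn:
    txid: int
    client: str            # host:port the query came from, e.g. localhost.localdomain.48048
    qtype: str
    qname: str
    query_ts: str
    rcode: Optional[str] = None      # stays None until a matching reply is seen
    answers: Optional[int] = None    # answer-section count from the reply
    response_ts: Optional[str] = None


def parse_tcpdump_dns(text: str) -> List[DnsTxn]:
    """Parse tcpdump DNS lines into transactions, pairing replies with queries."""
    pending: Dict[Tuple[int, str], DnsTxn] = {}
    txns: List[DnsTxn] = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            txn = DnsTxn(int(m["txid"]), m["src"], m["qtype"], m["qname"], m["ts"])
            pending[(txn.txid, txn.client)] = txn
            txns.append(txn)
            continue
        m = RESPONSE_RE.match(line)
        if m:
            # A reply only counts if both the ID and the client host:port match a
            # query we saw; anything else is late, duplicated or forged and is dropped.
            txn = pending.pop((int(m["txid"]), m["dst"]), None)
            if txn is None:
                continue
            txn.rcode = m["rcode"] or "NoError"
            txn.answers = int(m["an"])
            txn.response_ts = m["ts"]
    return txns


def nxdomain_names(txns: List[DnsTxn]) -> List[str]:
    """Distinct names that received an NXDomain reply, sorted."""
    return sorted({t.qname for t in txns if t.rcode == "NXDomain"})


def unanswered(txns: List[DnsTxn]) -> List[str]:
    """Names queried in the capture that never got a matching reply."""
    return [t.qname for t in txns if t.rcode is None]


if __name__ == "__main__":
    for t in parse_tcpdump_dns(SAMPLE_OUTPUT):
        print(f"{t.query_ts} {t.client} {t.qtype} {t.qname} -> {t.rcode} ({t.answers} answers)")
    print("NXDomain:", nxdomain_names(parse_tcpdump_dns(SAMPLE_OUTPUT)))
```

Feed it the output of `tcpdump -nn -r dns.pcap` (with -nn the host fields are plain addresses and ports, which the same regexes accept); a long list from nxdomain_names or unanswered is a quick pointer to misconfigured resolvers, typo-squatting lookups or tunnelling attempts worth a closer look.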
The host filter
To restrict a capture to a single host, add the host primitive followed by an IP address or a hostname to the filter expression; tcpdump then captures only packets sent to or from that host. Strictly speaking host is not a command-line option but part of the BPF filter expression, so it combines with the others: src host or dst host limits the match to one direction, and host redhat.com and port 443 narrows it further. A hostname is resolved when the filter is compiled, and if it resolves to several addresses each of them is matched; the names that appear in the output (redirect.redhat.com below) come from reverse lookups at print time and need not equal the name you typed.
[root@localhost ~]# tcpdump host redhat.com -i any -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:27:19.762717 IP localhost.localdomain.59096 > redirect.redhat.com.https: Flags [S], seq 2565597156, win 29200, options [mss 1460,sackOK,TS val 178