tcpdump captures and analyses network traffic. A system administrator can use it to watch live traffic or to write the capture to a file and analyse it later. Six commonly used options are listed below.
Filtering on TCP flags
TCP traffic can be filtered on any combination of the TCP flags. In a filter expression, tcp[tcpflags] is byte 13 of the TCP header and tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack and tcp-urg are the corresponding bit masks, so "tcp[tcpflags] & tcp-ack != 0" matches every segment that has the ACK bit set, which is nearly all traffic of an established connection. Here is an example that filters on the tcp-ack flag; -c5 stops the capture after five packets. To see only new connection attempts instead, test for SYN without ACK: "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn". If you are unsure what an expression compiles to, tcpdump -d prints the BPF program without capturing anything.
[root@localhost ~]# tcpdump -i any "tcp[tcpflags] & tcp-ack !=0" -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:08.738925 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 725364803:725365047, ack 1854457395, win 1842, length 244
16:25:08.739562 IP 192.168.43.1.39970 > localhost.localdomain.ssh: Flags [.], ack 244, win 4106, length 0
16:25:08.742750 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 244:552, ack 1, win 1842, length 308
16:25:08.742822 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 552:732, ack 1, win 1842, length 180
16:25:08.742882 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 732:912, ack 1, win 1842, length 180
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Formatting the output
tcpdump can also change how packet contents are shown: -X prints each packet as hex with the ASCII decoding alongside, -x prints hex only, and -A prints the contents as ASCII, which is useful for cleartext protocols such as HTTP. The dump is printed without the link-layer header, so it starts at the IP header (0x45 for IPv4). Two things to keep in mind when reading the example below: the captured session is SSH, so everything after the TCP header is encrypted and the ASCII column is meaningless; and unless you pass -n, tcpdump resolves addresses itself, which is why the second packet captured is the PTR query for 192.168.43.1 that tcpdump generated. Use -n on a busy host or whenever the capture itself must not generate traffic.
[root@localhost ~]# tcpdump -i any -c3 -X
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:37:30.318137 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 725376559:725376803, ack 1854460843, win 1842, length 244
        0x0000:  4548 011c 0faf 4000 4006 5210 c0a8 2b83  EH....@.@.R...+.
        0x0010:  c0a8 2b01 0016 9c22 2b3c 5e2f 6e88 d3ab  ..+...."+<^/n...
        0x0020:  5018 0732 d8e3 0000 0000 00d0 d1ce 67d9  P..2..........g.
        0x0030:  b8e9 5171 dd56 bfbb 2d3e 7ce7 9a9b 60a5  ..Qq.V..->|...`.
        0x0040:  152d 4295 9f8f d6ba dec2 895e 3921 2d76  .-B........^9!-v
        0x0050:  c5c6 5b6b 7161 61eb 0b30 1eae b622 2f14  ..[kqaa..0..."/.
        0x0060:  dfe5 0afc b91a 8a16 e3f1 62ae df5a 6728  ..........b..Zg(
        0x0070:  4b9f 942d b762 a178 9d5e 5f70 96c2 fbad  K..-.b.x.^_p....
        0x0080:  53f3 1bc5 80da 0e14 394c e31b 6b6a 02fc  S.......9L..kj..
        0x0090:  203e 9a22 75c3 02ea c8d5 a2ec 5d30 60db  .>."u.......]0`.
        0x00a0:  64bf 4819 f2d4 ae88 c593 3b0c 90a2 273d  d.H.......;...'=
        0x00b0:  8f42 bf91 27bf b324 4f5f aec6 5d57 c27f  .B..'..$O_..]W..
        0x00c0:  3c72 77de 6da5 97b9 52e8 7695 a964 d2a2  b..
16:37:30.318540 IP localhost.localdomain.50573 > _gateway.domain: 47072+ PTR? 1.43.168.192.in-addr.arpa. (43)
        0x0000:  4500 0047 a7e5 4000 4011 baea c0a8 2b83  E..G..@.@.....+.
        0x0010:  c0a8 2b02 c58d 0035 0033 d81a b7e0 0100  ..+....5.3......
        0x0020:  0001 0000 0000 0000 0131 0234 3303 3136  .........1.43.16
        0x0030:  3803 3
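The -X dump above contains everything needed to see what a flag filter like the tcp-ack one from the previous section actually tests. The Python below is an added example, not part of the original article or of tcpdump: it parses the first three hex lines of the dump back into bytes, decodes the IPv4 and TCP headers (verifying the IP header checksum 0x5210 on the way), renders the flags the way tcpdump prints them, and evaluates a few tcpdump-style flag filters against the packet using the same semantics as BPF (tcp[tcpflags] is TCP header byte 13, tcp-* names are bit masks). The three dump lines are copied from the capture above; the filter list, function names and the Python 3.9+ requirement are my own choices, and the evaluator is a deliberately restricted AST walker that covers only the flag-filter subset, not a libpcap replacement.

```python
"""Rebuild the first packet of the 'tcpdump -X' dump above, decode its IPv4/TCP
headers and evaluate tcp[tcpflags] filters against it as BPF would (Python 3.9+)."""
import ast
import re
import struct

# Constructed input: the first three hex lines of the -X dump above (IPv4 header,
# TCP header, first payload bytes); the ASCII column is kept so the parser must skip it.
DUMP_TEXT = """\
0x0000:  4548 011c 0faf 4000 4006 5210 c0a8 2b83  EH....@.@.R...+.
0x0010:  c0a8 2b01 0016 9c22 2b3c 5e2f 6e88 d3ab  ..+...."+<^/n...
0x0020:  5018 0732 d8e3 0000 0000 00d0 d1ce 67d9  P..2..........g.
"""
# Flag names/bits as used in tcpdump filters; all live in TCP byte 13 (tcp[tcpflags]).
TCPFLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04, "tcp-push": 0x08,
            "tcp-ack": 0x10, "tcp-urg": 0x20, "tcp-ece": 0x40, "tcp-cwr": 0x80}
FLAG_LETTERS = "FSRP.UEW"          # tcpdump's letter per bit, LSB first; ACK is '.'
HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")


def parse_x_dump(text):
    """Bytes from -X hex lines. A line carries at most eight 4-digit groups, so
    stop after the eighth or at the first non-hex token (the ASCII column)."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s*(.*)", line)
        for tok in (m.group(1).split()[:8] if m else []):
            if not HEX_GROUP.fullmatch(tok):
                break
            data += bytes.fromhex(tok)
    return bytes(data)


def ip_checksum(header):
    """RFC 1071 one's-complement sum; 0 means the header's checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header[:len(header) & ~1]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flag_string(flags):
    """Render tcp[13] the way tcpdump prints it, e.g. 0x18 -> '[P.]'."""
    letters = "".join(ch for i, ch in enumerate(FLAG_LETTERS) if flags & (1 << i))
    return "[" + (letters or "none") + "]"


def decode_ipv4_tcp(pkt):
    """Parse IPv4 + TCP headers; -X omits the link-layer header, so pkt[0] is 0x45."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    ip = {"total_length": struct.unpack_from("!H", pkt, 2)[0], "ttl": pkt[8],
          "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
          "checksum_ok": ip_checksum(pkt[:ihl]) == 0}
    hdr = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", hdr)
    doff = (off_flags >> 12) * 4
    tcp = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
           "flags": hdr[13], "flag_str": flag_string(hdr[13]),
           "header": hdr[:doff], "payload": hdr[doff:]}
    return ip, tcp


def eval_tcpflags_filter(expr, tcp_hdr):
    """Evaluate a tcpdump flag filter ('tcp[tcpflags] & tcp-ack != 0') on a TCP header.
    Only tcp[tcpflags]/tcp[N], tcp-* names, integers, & | ( ) == != are accepted;
    anything else raises ValueError, so no general eval() is involved."""
    src = expr.replace("tcp[tcpflags]", "tcp[13]")
    for name in TCPFLAGS:                  # 'tcp-ack' is not a Python identifier
        src = src.replace(name, name.replace("-", "_"))

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.Name) and node.id.replace("_", "-") in TCPFLAGS:
            return TCPFLAGS[node.id.replace("_", "-")]
        if isinstance(node, ast.Subscript) and isinstance(node.value, ast.Name) \
                and node.value.id == "tcp":
            return tcp_hdr[ev(node.slice)]
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.BitAnd, ast.BitOr)):
            l, r = ev(node.left), ev(node.right)
            return l & r if isinstance(node.op, ast.BitAnd) else l | r
        if isinstance(node, ast.Compare) and len(node.ops) == 1 \
                and isinstance(node.ops[0], (ast.Eq, ast.NotEq)):
            l, r = ev(node.left), ev(node.comparators[0])
            return l == r if isinstance(node.ops[0], ast.Eq) else l != r
        raise ValueError("unsupported filter syntax: " + expr)

    return ev(ast.parse(src, mode="eval"))


FILTERS = [
    "tcp[tcpflags] & tcp-ack != 0",                    # the example above: any ACK
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn",    # SYN without ACK: new connections
    "tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0",  # set-up and tear-down only
    "tcp[13] & 0x08 != 0",                             # tcp-push via raw offset and mask
]


def analyse(dump_text=DUMP_TEXT):
    """Decode the dump and report which of FILTERS would have matched the packet."""
    ip, tcp = decode_ipv4_tcp(parse_x_dump(dump_text))
    return ip, tcp, {f: eval_tcpflags_filter(f, tcp["header"]) for f in FILTERS}


if __name__ == "__main__":
    ip, tcp, hits = analyse()
    print(f"{ip['src']}.{tcp['sport']} > {ip['dst']}.{tcp['dport']} Flags {tcp['flag_str']}", hits)
```

Running the file decodes the ssh segment as 192.168.43.131.22 > 192.168.43.1.39970 with flags 0x18 ([P.]), so the tcp-ack filter from the previous section matches it while the SYN-only filter does not, which is the difference between "watch an established session" and "watch connection attempts". The parser also copes with the truncated last line of the dump above (0x0030:  3803 3), reading the one complete group and stopping at the odd digit. For anything beyond flag filters, let tcpdump -d show you the compiled BPF rather than trusting a re-implementation.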