What is tcpdump?
TCPDump can capture the packets travelling across a network in full and present them for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you discard irrelevant traffic.
TcpDump is one of the most powerful network data capture and analysis tools on Linux. The name means "dump the traffic on a network": it is a packet analysis tool that captures packets on the network according to the filter the user defines.
tcpdump ships with its source code and exposes its interfaces, so it is highly extensible; it is an extremely useful tool for network maintainers and for intruders alike.
tcpdump is part of the base FreeBSD system. Because it has to put the network interface into promiscuous mode, an ordinary user cannot run it normally, but a user with root privileges can run it directly to capture information on the network.
Installing tcpdump
[root@master ~]# yum install tcpdump -y
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.cqu.edu.cn
* epel: ftp.yz.yamagata-u.ac.jp
* epel-debuginfo: mirror.cloudhosting.lv
* epel-source: ftp.yz.yamagata-u.ac.jp
* extras: mirrors.bfsu.edu.cn
* updates: mirrors.bfsu.edu.cn
epel/x86_64/primary_db | 7.0 MB 00:02:13
正在解决依赖关系
--> 正在检查事务
---> 软件包 tcpdump.x86_64.14.4.9.2-4.el7_7.1 将被 安装
--> 正在处理依赖关系 libpcap >= 14:1.5.3-10,它被软件包 14:tcpdump-4.9.2-4.el7_7.1.x86_64 需要
--> 正在处理依赖关系 libpcap.so.1()(64bit),它被软件包 14:tcpdump-4.9.2-4.el7_7.1.x86_64 需要
--> 正在检查事务
---> 软件包 libpcap.x86_64.14.1.5.3-13.el7_9 将被 安装
--> 解决依赖关系完成
依赖关系解决
=================================================================================================================================================================================================================
Package 架构 版本 源 大小
=================================================================================================================================================================================================================
正在安装:
tcpdump x86_64 14:4.9.2-4.el7_7.1 base 422 k
为依赖而安装:
libpcap x86_64 14:1.5.3-13.el7_9 updates 139 k
事务概要
=================================================================================================================================================================================================================
安装 1 软件包 (+1 依赖软件包)
总下载量:560 k
安装大小:1.3 M
Downloading packages:
(1/2): libpcap-1.5.3-13.el7_9.x86_64.rpm | 139 kB 00:00:00
(2/2): tcpdump-4.9.2-4.el7_7.1.x86_64.rpm | 422 kB 00:00:01
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
总计 369 kB/s | 560 kB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : 14:libpcap-1.5.3-13.el7_9.x86_64 1/2
正在安装 : 14:tcpdump-4.9.2-4.el7_7.1.x86_64 2/2
验证中 : 14:libpcap-1.5.3-13.el7_9.x86_64 1/2
验证中 : 14:tcpdump-4.9.2-4.el7_7.1.x86_64 2/2
已安装:
tcpdump.x86_64 14:4.9.2-4.el7_7.1
作为依赖被安装:
libpcap.x86_64 14:1.5.3-13.el7_9
完毕!
Common tcpdump options
-a convert network and broadcast addresses to names
-d print the compiled packet-matching code in a human-readable, assembler-like form
-dd print the compiled packet-matching code as a C program fragment
-ddd print the compiled packet-matching code as decimal numbers
-e print the link-layer header on each output line
-f print "foreign" Internet addresses numerically
-l make standard output line-buffered
-n do not convert network addresses to names
-t do not print a timestamp on each output line
-v slightly more verbose output; for IP packets this includes the TTL and the type of service, for example
-vv even more detailed packet output
-c stop after the specified number of packets has been received
-F read the filter expression from the given file and ignore any expression given on the command line
-i specify the network interface to listen on
-r read packets from the given file (normally produced with -w)
-w write the raw packets straight to a file without parsing or printing them
-T interpret captured packets as the specified packet type; a common type is rpc
Check the tcpdump version
[root@master ~]# tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
Examples
1. Listen to all packets passing through the network card (by default tcpdump listens on the first interface it finds)
[root@master ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bluetooth0, link-type BLUETOOTH_HCI_H4_WITH_PHDR (Bluetooth HCI UART transport layer plus pseudo-header), capture size 262144 bytes
2. Capture all packets of host 192.168.1.103 passing through interface ens33 (a hostname may be used instead, as long as it resolves to an IP address)
# The system may have several network cards
[root@master ~]# tcpdump host 192.168.1.103
tcpdump: Bluetooth link-layer type filtering not implemented
# Use -i to specify the interface
[root@master ~]# tcpdump -i ens33 host 192.168.1.103
22:42:59.436682 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 207888, win 4102, length 0
22:42:59.436692 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 207888:208036, ack 37, win 261, length 148
22:42:59.436768 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208036:208280, ack 37, win 261, length 244
22:42:59.436856 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 208280, win 4100, length 0
22:42:59.436860 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208280:208428, ack 37, win 261, length 148
22:42:59.436935 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208428:208672, ack 37, win 261, length 244
22:42:59.437027 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 208672, win 4106, length 0
22:42:59.437029 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208672:208820, ack 37, win 261, length 148
22:42:59.437142 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208820:209064, ack 37, win 261, length 244
22:42:59.437261 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 209064, win 4104, length 0
22:42:59.437267 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209064:209212, ack 37, win 261, length 148
22:42:59.437381 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209212:209456, ack 37, win 261, length 244
22:42:59.437481 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 209456, win 4103, length 0
22:42:59.437482 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209456:209604, ack 37, win 261, length 148
22:42:59.437596 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209604:209848, ack 37, win 261, length 244
22:42:59.437730 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 209848, win 4101, length 0
22:42:59.437744 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209848:209996, ack 37, win 261, length 148
22:42:59.437817 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209996:210240, ack 37, win 261, length 244
22:42:59.437917 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 210240, win 4106, length 0
22:42:59.437920 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210240:210388, ack 37, win 261, length 148
22:42:59.438025 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210388:210632, ack 37, win 261, length 244
22:42:59.438136 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 210632, win 4104, length 0
22:42:59.438138 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210632:210780, ack 37, win 261, length 148
22:42:59.438243 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210780:211024, ack 37, win 261, length 244
22:42:59.438342 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 211024, win 4103, length 0
22:42:59.438348 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 211024:211172, ack 37, win 261, length 148
22:42:59.438459 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 211172:211416, ack 37, win 261, length 244
22:42:59.438571 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 211416, win 4101, length 0
22:42:59.438580 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 211416:211564, ack 37, win 261, length 148
22:42:59.438688 IP 192.168.1.103.63743 > master.ssh: Flags [P.], seq 37:73, ack 211564, win 4101, length 36
^C
3. Limit the number of packets (-c 2: capture 2 packets)
[root@master ~]# tcpdump -i ens33 -c 2 host 192.168.1.103
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:44:22.642773 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 2794978288:2794978476, ack 2129941800, win 261, length 188
22:44:22.684687 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 188, win 4105, length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
4. Write the captured packets to a file
[root@master tcp]# tcpdump -i ens33 -c 4 -w test.txt
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
4 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@master tcp]# ls
test.txt
5. Read a capture file with -r
[root@master tcp]# tcpdump -r test.txt
reading from file test.txt, link-type EN10MB (Ethernet)
22:50:14.974932 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 2794984412:2794984536, ack 2129946500, win 261, length 124
22:50:15.027185 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 124, win 4104, length 0
22:50:15.184387 ARP, Request who-has slave tell master, length 28
22:50:15.184756 IP master > gateway: ICMP echo request, id 51993, seq 4198, length 184
6. List all usable interfaces with -D
[root@master tcp]# tcpdump -D
1.bluetooth0 (Bluetooth adapter number 0)
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.ens33
7.any (Pseudo-device that captures on all interfaces)
8.lo [Loopback]
7. Show more detailed packet information with -v and -vv
[root@master tcp]# tcpdump -i ens33 host 192.168.1.103 -vv
22:54:10.581131 IP (tos 0x0, ttl 128, id 2352, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xee76 (correct), seq 217, ack 1795136, win 4103, length 0
22:54:10.581167 IP (tos 0x10, ttl 64, id 33136, offset 0, flags [DF], proto TCP (6), length 524)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x4830), seq 1795136:1795620, ack 217, win 261, length 484
22:54:10.581235 IP (tos 0x10, ttl 64, id 33137, offset 0, flags [DF], proto TCP (6), length 316)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0xbb45), seq 1795620:1795896, ack 217, win 261, length 276
22:54:10.581318 IP (tos 0x0, ttl 128, id 2353, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xeb7b (correct), seq 217, ack 1795896, win 4106, length 0
22:54:10.581352 IP (tos 0x10, ttl 64, id 33138, offset 0, flags [DF], proto TCP (6), length 524)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x787c), seq 1795896:1796380, ack 217, win 261, length 484
22:54:10.581413 IP (tos 0x10, ttl 64, id 33139, offset 0, flags [DF], proto TCP (6), length 316)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0x77af), seq 1796380:1796656, ack 217, win 261, length 276
22:54:10.587370 IP (tos 0x0, ttl 128, id 2354, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xe886 (correct), seq 217, ack 1796656, win 4103, length 0
22:54:10.587405 IP (tos 0x10, ttl 64, id 33140, offset 0, flags [DF], proto TCP (6), length 800)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8742 (incorrect -> 0x8dd0), seq 1796656:1797416, ack 217, win 261, length 760
22:54:10.587542 IP (tos 0x10, ttl 64, id 33141, offset 0, flags [DF], proto TCP (6), length 524)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0xcc25), seq 1797416:1797900, ack 217, win 261, length 484
22:54:10.587659 IP (tos 0x0, ttl 128, id 2355, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xe3a7 (correct), seq 217, ack 1797900, win 4106, length 0
22:54:10.587660 IP (tos 0x10, ttl 64, id 33142, offset 0, flags [DF], proto TCP (6), length 316)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0xa748), seq 1797900:1798176, ack 217, win 261, length 276
22:54:10.595313 IP (tos 0x10, ttl 64, id 33143, offset 0, flags [DF], proto TCP (6), length 524)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x2d7d), seq 1798176:1798660, ack 217, win 261, length 484
22:54:10.599356 IP (tos 0x0, ttl 128, id 2356, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xe0b2 (correct), seq 217, ack 1798660, win 4103, length 0
22:54:10.599377 IP (tos 0x10, ttl 64, id 33144, offset 0, flags [DF], proto TCP (6), length 316)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0x232f), seq 1798660:1798936, ack 217, win 261, length 276
22:54:10.607374 IP (tos 0x10, ttl 64, id 33145, offset 0, flags [DF], proto TCP (6), length 524)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x4015), seq 1798936:1799420, ack 217, win 261, length 484
22:54:10.611237 IP (tos 0x0, ttl 128, id 2357, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xddb7 (correct), seq 217, ack 1799420, win 4106, length 0
22:54:10.611251 IP (tos 0x10, ttl 64, id 33146, offset 0, flags [DF], proto TCP (6), length 316)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0xfefb), seq 1799420:1799696, ack 217, win 261, length 276
[root@master tcp]# tcpdump -i ens33 host 192.168.1.103 -v
22:54:43.569727 IP (tos 0x0, ttl 128, id 3671, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x37fe (correct), ack 958212, win 4101, length 0
22:54:43.569793 IP (tos 0x10, ttl 64, id 35758, offset 0, flags [DF], proto TCP (6), length 308)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0xe982), seq 958212:958480, ack 145, win 261, length 268
22:54:43.577699 IP (tos 0x10, ttl 64, id 35759, offset 0, flags [DF], proto TCP (6), length 544)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8642 (incorrect -> 0x65c7), seq 958480:958984, ack 145, win 261, length 504
22:54:43.581781 IP (tos 0x0, ttl 128, id 3672, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x34f5 (correct), ack 958984, win 4106, length 0
22:54:43.581841 IP (tos 0x10, ttl 64, id 35760, offset 0, flags [DF], proto TCP (6), length 308)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0x8af0), seq 958984:959252, ack 145, win 261, length 268
22:54:43.585638 IP (tos 0x10, ttl 64, id 35761, offset 0, flags [DF], proto TCP (6), length 508)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x861e (incorrect -> 0xe0da), seq 959252:959720, ack 145, win 261, length 468
22:54:43.589868 IP (tos 0x0, ttl 128, id 3673, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x3218 (correct), ack 959720, win 4103, length 0
22:54:43.589927 IP (tos 0x10, ttl 64, id 35762, offset 0, flags [DF], proto TCP (6), length 308)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0x8c00), seq 959720:959988, ack 145, win 261, length 268
22:54:43.593747 IP (tos 0x10, ttl 64, id 35763, offset 0, flags [DF], proto TCP (6), length 508)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x861e (incorrect -> 0x0b51), seq 959988:960456, ack 145, win 261, length 468
22:54:43.597789 IP (tos 0x0, ttl 128, id 3674, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x2f35 (correct), ack 960456, win 4106, length 0
22:54:43.597833 IP (tos 0x10, ttl 64, id 35764, offset 0, flags [DF], proto TCP (6), length 308)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0x43b7), seq 960456:960724, ack 145, win 261, length 268
22:54:43.605692 IP (tos 0x10, ttl 64, id 35765, offset 0, flags [DF], proto TCP (6), length 508)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x861e (incorrect -> 0x19c5), seq 960724:961192, ack 145, win 261, length 468
22:54:43.609677 IP (tos 0x0, ttl 128, id 3675, offset 0, flags [DF], proto TCP (6), length 40)
192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x2c58 (correct), ack 961192, win 4103, length 0
22:54:43.609724 IP (tos 0x10, ttl 64, id 35766, offset 0, flags [DF], proto TCP (6), length 308)
master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0xda5e), seq 961192:961460, ack 145, win 261, length 268
22:54:43.612481 IP (tos 0x0, ttl 128, id 3676, offset 0, flags [DF], proto TCP (6), length 76)
192.168.1.103.63743 > master.ssh: Flags [P.], cksum 0x6f0d (correct), seq 145:181, ack 961192, win 4103, length 36
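As an added example (not part of the original post), a small Python parser for the text output shown in examples 2, 3 and 7: it folds the two-line -vv records back together, extracts TTL, TOS, endpoints, flags, payload length and the checksum verdict, and totals payload bytes per direction. The sample lines are copied from the captures above; the function names are my own.

```python
import re
from collections import defaultdict
# Constructed sample: records copied from the captures above (two -vv records, one default-format record).
SAMPLE = """\
22:54:10.581131 IP (tos 0x0, ttl 128, id 2352, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xee76 (correct), seq 217, ack 1795136, win 4103, length 0
22:54:10.581167 IP (tos 0x10, ttl 64, id 33136, offset 0, flags [DF], proto TCP (6), length 524)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x4830), seq 1795136:1795620, ack 217, win 261, length 484
22:44:22.684687 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 188, win 4105, length 0
"""

RECORD = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    # IP header block that -v/-vv add: "(tos 0x10, ttl 64, id 33136, ..., length 524)"
    r"(?:\(tos (?P<tos>0x[0-9a-f]+), ttl (?P<ttl>\d+), id (?P<id>\d+), .*?length \d+\)\s*)?"
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    # checksum verdict that -v/-vv add: "(correct)" or "(incorrect -> 0x4830)"
    r"(?:, cksum 0x[0-9a-f]+ \((?P<ck>correct|incorrect[^)]*)\))?"
    r".*?, length (?P<plen>\d+)$"
)

def join_records(text):
    """Fold the indented -vv continuation line back onto its timestamped line."""
    recs = []
    for line in text.splitlines():
        if re.match(r"^\d{2}:\d{2}:\d{2}\.\d+ ", line):
            recs.append(line.rstrip())
        elif recs and line.strip():
            recs[-1] += " " + line.strip()
    return recs

def parse_tcpdump(text):
    """Parse TCP lines (default or -v/-vv format); ARP/ICMP lines are skipped."""
    out = []
    for rec in join_records(text):
        m = RECORD.match(rec)
        if not m:
            continue
        src_host, src_port = m["src"].rsplit(".", 1)  # "master.ssh" -> ("master", "ssh")
        dst_host, dst_port = m["dst"].rsplit(".", 1)
        out.append({"ts": m["ts"], "tos": m["tos"], "flags": m["flags"],
                    "ttl": int(m["ttl"]) if m["ttl"] else None,  # None without -v
                    "src_host": src_host, "src_port": src_port,
                    "dst_host": dst_host, "dst_port": dst_port,
                    "payload_len": int(m["plen"]),
                    # None without -v; False means tcpdump printed "incorrect"
                    "cksum_ok": None if m["ck"] is None else m["ck"] == "correct"})
    return out

def summarize(records):
    """Payload bytes per (src, dst) host pair and count of 'incorrect' checksums per sender."""
    by_dir, bad = defaultdict(int), defaultdict(int)
    for r in records:
        by_dir[(r["src_host"], r["dst_host"])] += r["payload_len"]
        # Frames the capturing host itself sends usually show "incorrect": the NIC fills in the
        # TCP checksum after tcpdump sees the frame (offload). Inbound "incorrect" is the odd case.
        if r["cksum_ok"] is False:
            bad[r["src_host"]] += 1
    return {"bytes": dict(by_dir), "bad_cksum": dict(bad)}
```

In the capture above every "incorrect" checksum is on a frame sent by master, the host running tcpdump, which is the checksum-offload pattern rather than corruption on the wire.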
8. Show packets together with their MAC addresses
[root@aliyun ~]# tcpdump -e
22:59:18.536419 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20156}{14856:15124}], length 0
22:59:18.536423 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 138: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 31096:31180, ack 1, win 292, length 84
22:59:18.536425 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20424}{14856:15124}], length 0
22:59:18.536428 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20692}{14856:15124}], length 0
22:59:18.536430 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20960}{14856:15124}], length 0
22:59:18.536517 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 1874: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 31180:33000, ack 1, win 292, length 1820
22:59:18.536547 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 33000:33268, ack 1, win 292, length 268
22:59:18.537386 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:21228}{14856:15124}], length 0
22:59:18.537392 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 33268:33536, ack 1, win 292, length 268
22:59:18.537395 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:21496}{14856:15124}], length 0
22:59:18.537398 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:21764}{14856:15124}], length 0
22:59:18.537400 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:22032}{14856:15124}], length 0
22:59:18.537452 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 1378: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 33536:34860, ack 1, win 292, length 1324
22:59:18.537481 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 34860:35128, ack 1, win 292, length 268
22:59:18.537509 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 35128:35396, ack 1, win 292, length 268
Exercises
# Capture ICMP or ARP packets on interface ens33
tcpdump -i ens33 icmp or arp -vv
# Capture TCP from source IP 192.168.1.120 with source port 80
tcpdump -i ens33 src host 192.168.1.120 and tcp and src port 80 -vv
# Capture UDP from source IP 192.168.1.120 to destination IP 114.114.114.114, destination port 53
tcpdump -i ens33 src host 192.168.1.120 and udp and dst host 114.114.114.114 and dst port 53 -vv
# Capture TCP with destination port 22
tcpdump -i ens33 tcp dst port 22 -vv
# Capture from source network 192.168.102.0/24 with TCP destination port 22
tcpdump -i ens33 src net 192.168.102.0/24 and tcp dst port 22 -vv
# Source network 192.168.2.0/24 with TCP destination port 22, or destination port 80 from anywhere: and/or have equal precedence and associate left to right, so this reads as (src net 192.168.2.0/24 and tcp dst port 22) or (dst port 80)
tcpdump -i ens33 src net 192.168.2.0/24 and tcp dst port 22 or dst port 80
# The same filter with -vv; note that the "dst port 80" branch still matches traffic from any source, not only 192.168.2.0/24
tcpdump -i ens33 src net 192.168.2.0/24 and tcp dst port 22 or dst port 80 -vv
# Source network 192.168.2.0/24 and (destination port 22 or destination port 80): the parentheses, escaped so the shell passes them through, make the source-network condition apply to both ports
tcpdump -i ens33 src net 192.168.2.0/24 and \( dst port 22 or dst port 80 \)