tcpdump

What is tcpdump?

tcpdump captures the packets travelling on a network in full so that they can be analysed. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you strip out unwanted information.

tcpdump is one of the most powerful network capture and analysis tools on Linux. The name means "dump the traffic on a network": it is a packet analyser that captures the packets on the network according to rules defined by the user.

tcpdump ships with its source code and has public interfaces, so it is highly extensible, and it is a very useful tool both for network maintainers and for intruders.

tcpdump is part of the base FreeBSD system. Because it needs to put the network interface into promiscuous mode, ordinary users cannot run it normally, but a user with root privileges can run it directly to obtain information from the network.

Installing tcpdump

[root@master ~]# yum install tcpdump -y
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.cqu.edu.cn
 * epel: ftp.yz.yamagata-u.ac.jp
 * epel-debuginfo: mirror.cloudhosting.lv
 * epel-source: ftp.yz.yamagata-u.ac.jp
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.bfsu.edu.cn
epel/x86_64/primary_db                                                                                                                                                                    | 7.0 MB  00:02:13     
正在解决依赖关系
--> 正在检查事务
---> 软件包 tcpdump.x86_64.14.4.9.2-4.el7_7.1 将被 安装
--> 正在处理依赖关系 libpcap >= 14:1.5.3-10,它被软件包 14:tcpdump-4.9.2-4.el7_7.1.x86_64 需要
--> 正在处理依赖关系 libpcap.so.1()(64bit),它被软件包 14:tcpdump-4.9.2-4.el7_7.1.x86_64 需要
--> 正在检查事务
---> 软件包 libpcap.x86_64.14.1.5.3-13.el7_9 将被 安装
--> 解决依赖关系完成

依赖关系解决

=================================================================================================================================================================================================================
 Package                                         架构                                           版本                                                       源                                               大小
=================================================================================================================================================================================================================
正在安装:
 tcpdump                                         x86_64                                         14:4.9.2-4.el7_7.1                                         base                                            422 k
为依赖而安装:
 libpcap                                         x86_64                                         14:1.5.3-13.el7_9                                          updates                                         139 k

事务概要
=================================================================================================================================================================================================================
安装  1 软件包 (+1 依赖软件包)

总下载量:560 k
安装大小:1.3 M
Downloading packages:
(1/2): libpcap-1.5.3-13.el7_9.x86_64.rpm                                                                                                                                                  | 139 kB  00:00:00     
(2/2): tcpdump-4.9.2-4.el7_7.1.x86_64.rpm                                                                                                                                                 | 422 kB  00:00:01     
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
总计                                                                                                                                                                             369 kB/s | 560 kB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : 14:libpcap-1.5.3-13.el7_9.x86_64                                                                                                                                                             1/2 
  正在安装    : 14:tcpdump-4.9.2-4.el7_7.1.x86_64                                                                                                                                                            2/2 
  验证中      : 14:libpcap-1.5.3-13.el7_9.x86_64                                                                                                                                                             1/2 
  验证中      : 14:tcpdump-4.9.2-4.el7_7.1.x86_64                                                                                                                                                            2/2 

已安装:
  tcpdump.x86_64 14:4.9.2-4.el7_7.1                                                                                                                                                                              

作为依赖被安装:
  libpcap.x86_64 14:1.5.3-13.el7_9                                                                                                                                                                               

完毕!

Common tcpdump options

-a  Convert network and broadcast addresses to names

-d  Dump the compiled packet-matching code in a human-readable, assembler-like form

-dd  Dump the packet-matching code as a C program fragment

-ddd  Dump the packet-matching code as decimal numbers

-e  Print the link-layer header on each output line

-f  Print foreign Internet addresses numerically

-l  Make standard output line-buffered

-n  Do not convert network addresses to names

-t  Do not print a timestamp on each output line

-v  Slightly more verbose output; for IP packets this includes, for example, the TTL and type of service

-vv  Even more detailed packet output

-c  Stop after the specified number of packets has been received

-F  Read the filter expression from the specified file and ignore any expression given on the command line

-i  Specify the network interface to listen on

-r  Read packets from the specified file (normally one produced with -w)

-w  Write the raw packets to a file instead of parsing and printing them

-T  Interpret the captured packets as the specified type; a common type is rpc

Checking the tcpdump version

[root@master ~]# tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q|-P in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
		[ -Z user ] [ expression ]

Examples

1. Capture every packet passing through the interface (by default tcpdump listens on the first interface it finds)

[root@master ~]# tcpdump 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bluetooth0, link-type BLUETOOTH_HCI_H4_WITH_PHDR (Bluetooth HCI UART transport layer plus pseudo-header), capture size 262144 bytes

2. Capture all packets of host 192.168.1.103 passing through interface ens33 (a hostname can be used instead, as long as it resolves to an IP address)

# The system may have several interfaces; without -i, the first one found is used
[root@master ~]# tcpdump host 192.168.1.103
tcpdump: Bluetooth link-layer type filtering not implemented

# Use -i to specify the interface
[root@master ~]# tcpdump -i ens33 host 192.168.1.103
22:42:59.436682 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 207888, win 4102, length 0
22:42:59.436692 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 207888:208036, ack 37, win 261, length 148
22:42:59.436768 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208036:208280, ack 37, win 261, length 244
22:42:59.436856 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 208280, win 4100, length 0
22:42:59.436860 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208280:208428, ack 37, win 261, length 148
22:42:59.436935 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208428:208672, ack 37, win 261, length 244
22:42:59.437027 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 208672, win 4106, length 0
22:42:59.437029 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208672:208820, ack 37, win 261, length 148
22:42:59.437142 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 208820:209064, ack 37, win 261, length 244
22:42:59.437261 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 209064, win 4104, length 0
22:42:59.437267 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209064:209212, ack 37, win 261, length 148
22:42:59.437381 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209212:209456, ack 37, win 261, length 244
22:42:59.437481 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 209456, win 4103, length 0
22:42:59.437482 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209456:209604, ack 37, win 261, length 148
22:42:59.437596 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209604:209848, ack 37, win 261, length 244
22:42:59.437730 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 209848, win 4101, length 0
22:42:59.437744 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209848:209996, ack 37, win 261, length 148
22:42:59.437817 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 209996:210240, ack 37, win 261, length 244
22:42:59.437917 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 210240, win 4106, length 0
22:42:59.437920 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210240:210388, ack 37, win 261, length 148
22:42:59.438025 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210388:210632, ack 37, win 261, length 244
22:42:59.438136 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 210632, win 4104, length 0
22:42:59.438138 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210632:210780, ack 37, win 261, length 148
22:42:59.438243 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 210780:211024, ack 37, win 261, length 244
22:42:59.438342 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 211024, win 4103, length 0
22:42:59.438348 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 211024:211172, ack 37, win 261, length 148
22:42:59.438459 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 211172:211416, ack 37, win 261, length 244
22:42:59.438571 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 211416, win 4101, length 0
22:42:59.438580 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 211416:211564, ack 37, win 261, length 148
22:42:59.438688 IP 192.168.1.103.63743 > master.ssh: Flags [P.], seq 37:73, ack 211564, win 4101, length 36
^C

3. Limit the number of packets captured (-c 2: capture 2 packets)

[root@master ~]# tcpdump -i ens33 -c 2 host 192.168.1.103
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:44:22.642773 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 2794978288:2794978476, ack 2129941800, win 261, length 188
22:44:22.684687 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 188, win 4105, length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel

4. Write the captured packets to a file

[root@master tcp]# tcpdump -i ens33 -c 4 -w test.txt
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
4 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@master tcp]# ls
test.txt

5. Read a capture file with -r

[root@master tcp]# tcpdump -r test.txt 
reading from file test.txt, link-type EN10MB (Ethernet)
22:50:14.974932 IP master.ssh > 192.168.1.103.63743: Flags [P.], seq 2794984412:2794984536, ack 2129946500, win 261, length 124
22:50:15.027185 IP 192.168.1.103.63743 > master.ssh: Flags [.], ack 124, win 4104, length 0
22:50:15.184387 ARP, Request who-has slave tell master, length 28
22:50:15.184756 IP master > gateway: ICMP echo request, id 51993, seq 4198, length 184
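
The file written by -w is not text (the .txt name above is only a name) but binary libpcap data, which is why it has to be read back with -r. The following example, added here and not part of the original post, writes one constructed Ethernet/IPv4/TCP frame in that format with Python's standard library and decodes it again the way tcpdump -r summarises it; the MAC addresses, IP addresses, ports and timestamp are made up.

```python
"""Added example (not from the original post): write a minimal libpcap file, the
binary format tcpdump -w produces, then read it back the way tcpdump -r does,
decoding Ethernet/IPv4/TCP. Packet contents, MACs and addresses are constructed."""
import socket
import struct
import tempfile

LINKTYPE_ETHERNET = 1  # EN10MB, as in "link-type EN10MB (Ethernet)" above

def ip_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a valid IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet + IPv4 (DF, TTL 64) + TCP [P.] frame. The TCP checksum is left 0: that
    is what tcpdump -vv flags as 'incorrect' on locally sent packets when the NIC
    fills it in after the capture point (checksum offload)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 261, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + len(tcp), 33136, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp

def write_pcap(path, frames, snaplen=262144):
    """24-byte global header, then a 16-byte record header before every frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in frames:
            sec = int(ts)
            f.write(struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)))
            f.write(frame)

def read_pcap(path):
    """Return (timestamp, src, sport, dst, dport, tcp_flags, payload_len, ip_cksum_ok)
    for each IPv4/TCP record; other records (ARP, ICMP, ...) are skipped."""
    out = []
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet pcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            sec, usec, incl_len, _ = struct.unpack("<IIII", rec)
            frame = f.read(incl_len)
            if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4 carrying TCP
                continue
            ihl = (frame[14] & 0x0F) * 4
            src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            cksum_ok = ip_checksum(frame[14:14 + ihl]) == 0
            tcp = frame[14 + ihl:]
            sport, dport = struct.unpack("!HH", tcp[:4])
            doff = (tcp[12] >> 4) * 4
            out.append((sec + usec / 1e6, src, sport, dst, dport, tcp[13], len(tcp) - doff, cksum_ok))
    return out

def roundtrip(path=None):
    """Write one constructed SSH-bound segment and decode it again."""
    path = path or tempfile.gettempdir() + "/tcpdump_example.pcap"
    frame = build_tcp_frame("192.168.1.103", "192.168.1.10", 63743, 22, b"hello")
    write_pcap(path, [(1700000000.5, frame)])
    return read_pcap(path)
```

The file roundtrip() writes can also be opened with tcpdump -r to confirm that the decoded fields match.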

6. List all available capture interfaces with -D

[root@master tcp]# tcpdump -D
1.bluetooth0 (Bluetooth adapter number 0)
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.ens33
7.any (Pseudo-device that captures on all interfaces)
8.lo [Loopback]

7. Show more detailed packet information with -v and -vv

[root@master tcp]# tcpdump -i ens33  host 192.168.1.103 -vv

22:54:10.581131 IP (tos 0x0, ttl 128, id 2352, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xee76 (correct), seq 217, ack 1795136, win 4103, length 0
22:54:10.581167 IP (tos 0x10, ttl 64, id 33136, offset 0, flags [DF], proto TCP (6), length 524)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x4830), seq 1795136:1795620, ack 217, win 261, length 484
22:54:10.581235 IP (tos 0x10, ttl 64, id 33137, offset 0, flags [DF], proto TCP (6), length 316)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0xbb45), seq 1795620:1795896, ack 217, win 261, length 276
22:54:10.581318 IP (tos 0x0, ttl 128, id 2353, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xeb7b (correct), seq 217, ack 1795896, win 4106, length 0
22:54:10.581352 IP (tos 0x10, ttl 64, id 33138, offset 0, flags [DF], proto TCP (6), length 524)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x787c), seq 1795896:1796380, ack 217, win 261, length 484
22:54:10.581413 IP (tos 0x10, ttl 64, id 33139, offset 0, flags [DF], proto TCP (6), length 316)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0x77af), seq 1796380:1796656, ack 217, win 261, length 276
22:54:10.587370 IP (tos 0x0, ttl 128, id 2354, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xe886 (correct), seq 217, ack 1796656, win 4103, length 0
22:54:10.587405 IP (tos 0x10, ttl 64, id 33140, offset 0, flags [DF], proto TCP (6), length 800)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8742 (incorrect -> 0x8dd0), seq 1796656:1797416, ack 217, win 261, length 760
22:54:10.587542 IP (tos 0x10, ttl 64, id 33141, offset 0, flags [DF], proto TCP (6), length 524)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0xcc25), seq 1797416:1797900, ack 217, win 261, length 484
22:54:10.587659 IP (tos 0x0, ttl 128, id 2355, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xe3a7 (correct), seq 217, ack 1797900, win 4106, length 0
22:54:10.587660 IP (tos 0x10, ttl 64, id 33142, offset 0, flags [DF], proto TCP (6), length 316)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0xa748), seq 1797900:1798176, ack 217, win 261, length 276
22:54:10.595313 IP (tos 0x10, ttl 64, id 33143, offset 0, flags [DF], proto TCP (6), length 524)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x2d7d), seq 1798176:1798660, ack 217, win 261, length 484
22:54:10.599356 IP (tos 0x0, ttl 128, id 2356, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xe0b2 (correct), seq 217, ack 1798660, win 4103, length 0
22:54:10.599377 IP (tos 0x10, ttl 64, id 33144, offset 0, flags [DF], proto TCP (6), length 316)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0x232f), seq 1798660:1798936, ack 217, win 261, length 276
22:54:10.607374 IP (tos 0x10, ttl 64, id 33145, offset 0, flags [DF], proto TCP (6), length 524)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x862e (incorrect -> 0x4015), seq 1798936:1799420, ack 217, win 261, length 484
22:54:10.611237 IP (tos 0x0, ttl 128, id 2357, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0xddb7 (correct), seq 217, ack 1799420, win 4106, length 0
22:54:10.611251 IP (tos 0x10, ttl 64, id 33146, offset 0, flags [DF], proto TCP (6), length 316)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x855e (incorrect -> 0xfefb), seq 1799420:1799696, ack 217, win 261, length 276


[root@master tcp]# tcpdump -i ens33  host 192.168.1.103 -v

22:54:43.569727 IP (tos 0x0, ttl 128, id 3671, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x37fe (correct), ack 958212, win 4101, length 0
22:54:43.569793 IP (tos 0x10, ttl 64, id 35758, offset 0, flags [DF], proto TCP (6), length 308)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0xe982), seq 958212:958480, ack 145, win 261, length 268
22:54:43.577699 IP (tos 0x10, ttl 64, id 35759, offset 0, flags [DF], proto TCP (6), length 544)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8642 (incorrect -> 0x65c7), seq 958480:958984, ack 145, win 261, length 504
22:54:43.581781 IP (tos 0x0, ttl 128, id 3672, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x34f5 (correct), ack 958984, win 4106, length 0
22:54:43.581841 IP (tos 0x10, ttl 64, id 35760, offset 0, flags [DF], proto TCP (6), length 308)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0x8af0), seq 958984:959252, ack 145, win 261, length 268
22:54:43.585638 IP (tos 0x10, ttl 64, id 35761, offset 0, flags [DF], proto TCP (6), length 508)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x861e (incorrect -> 0xe0da), seq 959252:959720, ack 145, win 261, length 468
22:54:43.589868 IP (tos 0x0, ttl 128, id 3673, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x3218 (correct), ack 959720, win 4103, length 0
22:54:43.589927 IP (tos 0x10, ttl 64, id 35762, offset 0, flags [DF], proto TCP (6), length 308)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0x8c00), seq 959720:959988, ack 145, win 261, length 268
22:54:43.593747 IP (tos 0x10, ttl 64, id 35763, offset 0, flags [DF], proto TCP (6), length 508)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x861e (incorrect -> 0x0b51), seq 959988:960456, ack 145, win 261, length 468
22:54:43.597789 IP (tos 0x0, ttl 128, id 3674, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x2f35 (correct), ack 960456, win 4106, length 0
22:54:43.597833 IP (tos 0x10, ttl 64, id 35764, offset 0, flags [DF], proto TCP (6), length 308)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0x43b7), seq 960456:960724, ack 145, win 261, length 268
22:54:43.605692 IP (tos 0x10, ttl 64, id 35765, offset 0, flags [DF], proto TCP (6), length 508)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x861e (incorrect -> 0x19c5), seq 960724:961192, ack 145, win 261, length 468
22:54:43.609677 IP (tos 0x0, ttl 128, id 3675, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.103.63743 > master.ssh: Flags [.], cksum 0x2c58 (correct), ack 961192, win 4103, length 0
22:54:43.609724 IP (tos 0x10, ttl 64, id 35766, offset 0, flags [DF], proto TCP (6), length 308)
    master.ssh > 192.168.1.103.63743: Flags [P.], cksum 0x8556 (incorrect -> 0xda5e), seq 961192:961460, ack 145, win 261, length 268
22:54:43.612481 IP (tos 0x0, ttl 128, id 3676, offset 0, flags [DF], proto TCP (6), length 76)
    192.168.1.103.63743 > master.ssh: Flags [P.], cksum 0x6f0d (correct), seq 145:181, ack 961192, win 4103, length 36

8. Show packets including MAC addresses

[root@aliyun ~]# tcpdump -e

22:59:18.536419 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20156}{14856:15124}], length 0
22:59:18.536423 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 138: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 31096:31180, ack 1, win 292, length 84
22:59:18.536425 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20424}{14856:15124}], length 0
22:59:18.536428 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20692}{14856:15124}], length 0
22:59:18.536430 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:20960}{14856:15124}], length 0
22:59:18.536517 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 1874: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 31180:33000, ack 1, win 292, length 1820
22:59:18.536547 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 33000:33268, ack 1, win 292, length 268
22:59:18.537386 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:21228}{14856:15124}], length 0
22:59:18.537392 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 33268:33536, ack 1, win 292, length 268
22:59:18.537395 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:21496}{14856:15124}], length 0
22:59:18.537398 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:21764}{14856:15124}], length 0
22:59:18.537400 ee:ff:ff:ff:ff:ff (oui Unknown) > 00:16:3e:24:c7:4b (oui Unknown), ethertype IPv4 (0x0800), length 74: 110.52.211.134.22954 > iZbp1i0ub0xc19m2oo581kZ.ssh: Flags [.], ack 13784, win 514, options [nop,nop,sack 2 {16732:22032}{14856:15124}], length 0
22:59:18.537452 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 1378: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 33536:34860, ack 1, win 292, length 1324
22:59:18.537481 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 34860:35128, ack 1, win 292, length 268
22:59:18.537509 00:16:3e:24:c7:4b (oui Unknown) > ee:ff:ff:ff:ff:ff (oui Unknown), ethertype IPv4 (0x0800), length 322: iZbp1i0ub0xc19m2oo581kZ.ssh > 110.52.211.134.22954: Flags [P.], seq 35128:35396, ack 1, win 292, length 268

Exercises

# Capture ICMP or ARP packets on interface ens33
tcpdump -i ens33 icmp or arp -vv

# Capture TCP from source IP 192.168.1.120 with source port 80
tcpdump -i ens33 src host 192.168.1.120 and tcp and src port 80 -vv

# Capture UDP from source IP 192.168.1.120 to destination IP 114.114.114.114, destination port 53
tcpdump -i ens33 src host 192.168.1.120 and udp and dst host 114.114.114.114 and dst port 53 -vv

# Capture TCP with destination port 22
tcpdump -i ens33  tcp dst port 22 -vv

# Capture source network 192.168.102.0/24 and TCP destination port 22
tcpdump -i ens33 src net 192.168.102.0/24 and tcp dst port 22 -vv

# Capture source network 192.168.2.0/24 and TCP destination port 22, or destination port 80
tcpdump -i ens33 src net 192.168.2.0/24 and tcp dst port 22 or dst port 80

# Same filter with verbose output: source network 192.168.2.0/24 and TCP destination port 22, or destination port 80
tcpdump -i ens33 src net 192.168.2.0/24 and tcp dst port 22 or dst port 80 -vv

# Capture source network 192.168.2.0/24 and (destination port 22 or destination port 80).
# The parentheses matter: and binds tighter than or, so without them the two filters above
# also match any packet to port 80 regardless of its source network. They are escaped for the shell.
tcpdump -i ens33 src net 192.168.2.0/24 and  \( dst port  22 or dst port 80 \)
