10.10 Linux下抓包
tcpdump
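# Install tcpdump (CentOS/RHEL). Capturing later requires root or
# CAP_NET_RAW; installation itself is a normal package operation.
yum install -y tcpdump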
[root@centos-01 ~]# tcpdump -nn -i ens33 //-nn：不做主机名和服务名解析，第3-4列直接显示 IP 地址+端口号（否则会显示主机名+服务名，而且每个包都会触发一次 DNS 反向查询，既慢又会向外发出额外流量）。-i 指定网卡（interface）。抓包需要 root 或 CAP_NET_RAW 权限。注意下面的输出抓到的正是当前 SSH 会话（22 端口）自身的流量，所以后面的例子会用 not port 22 把它排除掉。
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:45:18.532009 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 2684718525:2684718737, ack 311414141, win 296, length 212
16:45:18.540380 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 212:408, ack 1, win 296, length 196
16:45:18.542187 IP 192.168.27.1.1891 > 192.168.27.128.22: Flags [.], ack 408, win 253, length 0
16:45:18.542263 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 408:572, ack 1, win 296, length 164
16:45:18.550287 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 572:832, ack 1, win 296, length 260
16:45:18.554025 IP 192.168.27.1.1891 > 192.168.27.128.22: Flags [.], ack 832, win 252, length 0
16:45:18.554068 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 832:996, ack 1, win 296, length 164
16:45:18.562529 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 996:1256, ack 1, win 296, length 260
16:45:18.564910 IP 192.168.27.1.1891 > 192.168.27.128.22: Flags [.], ack 1256, win 256, length 0
16:45:18.564979 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 1256:1420, ack 1, win 296, length 164
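# Stop after 100 packets (-c) instead of running until Ctrl-C.
tcpdump -nn -i ens33 -c 100
# Only SSH traffic (either direction).
tcpdump -nn -i ens33 port 22
# TCP traffic excluding the SSH session you are working from; otherwise the
# capture is flooded by tcpdump's own output being sent back over SSH.
tcpdump -nn -i ens33 tcp and not port 22
# SSH *or* DNS traffic. "port 22 and port 53" would require a single packet
# to involve both ports and matches practically nothing -- use "or".
tcpdump -nn -i ens33 port 22 or port 53
# Write raw packets to a file (-w) instead of printing them. The file holds
# full payloads (possibly passwords, tokens, personal data), so restrict it
# to the capturing user; /tmp is world-readable by default.
tcpdump -nn -i ens33 -c 100 -w /tmp/12.cap
chmod 600 /tmp/12.cap
# Read the capture back. It is binary pcap data, not text, so use -r rather
# than cat. Keep -nn here too: without it tcpdump resolves every address in
# the file, which is slow and sends DNS queries for hosts in the capture.
tcpdump -nn -r /tmp/12.cap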
wireshark
# Install Wireshark. On CentOS 7 this package ships the command-line tools
# (tshark, dumpcap); the GUI lives in the separate wireshark-gnome package.
yum -y install wireshark
安装 wireshark（CentOS 7 上该包提供的是命令行工具 tshark、dumpcap；图形界面需要另外安装 wireshark-gnome）。
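# Print the source IP and SQL text of every MySQL query seen on eth1.
# -Y is the single-pass display filter; older write-ups use -R, which recent
# tshark (1.10+) rejects unless combined with -2 (two-pass mode).
# The MySQL dissector is bound to TCP port 3306 by default; for a server on
# another port add e.g. `-d tcp.port==3307,mysql`.
# Queries are only visible when the connection is unencrypted -- a
# TLS-protected MySQL session prints nothing here. The output is raw SQL and
# may contain credentials and personal data: protect it like the database.
# Avoid running the dissector as root: grant the capture privilege to dumpcap
# (wireshark group / setcap) and run tshark as an unprivileged user, since
# dissector bugs are a recurring source of Wireshark CVEs.
tshark -n -i eth1 -Y 'mysql.query' -T fields -e "ip.src" -e "mysql.query"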
但日常工作中，tcpdump 就已经够用了：抓包、按端口/协议过滤、保存为 pcap 都能完成；只有需要按应用层协议字段（如 mysql.query、http.request）解析时才需要 tshark/wireshark。