一.概述
一般情况下,在lLinux系统的使用和运维过程中,连接网络是必不可少的一个环节。在某些场景中,网络数据的收集与分析显得格外重要。tcpdump作为一款流行的网络数据抓取和收集工具,我们很有必要去了解一下。
本次验证tcpdump的操作系统为:CentOS Linux release 7.5.1804 (Core)
安装tcpdump:
[root@ChatDevOps ~]# yum -y install tcpdump
二.获取帮助资料
2.1 tcpdump --help
在使用Linux命令之前,如果遇到不熟悉的命令选项,就通过--help或者-h选项来对命令及选项做一个初步的了解。在tcpdump的--help中,使用方法及步骤太过于简略,此处不再赘述。
2.2 man tcpdump
部分内容如下:
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q|-P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
三.实践
1.显示所有可以被tcpdump的接口,使用选项-D。
[root@ChatDevOps ~]# tcpdump -D
1.nflog (Linux netfilter log (NFLOG) interface)
2.nfqueue (Linux netfilter queue (NFQUEUE) interface)
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.ens33
6.any (Pseudo-device that captures on all interfaces)
7.lo [Loopback]
2.获取指定接口的数据的信息,使用选项-i。
[root@ChatDevOps ~]# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:43:37.837417 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765734802:2765735014, ack 3454639695, win 251, length 212
23:43:37.838749 IP ChatDevOps.59877 > public1.alidns.com.domain: 23489+ PTR? 1.1.1.10.in-addr.arpa. (39)
2 packets captured
14 packets received by filter
0 packets dropped by kernel
输出内容挺多的,刷得很快。可以根据标准输出的内容快速获取网络连接信息,按Ctrl+c退出。
3.抓取指定接口(设备)的数据包数量。使用的选项是-c。
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:47:33.754369 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765810766:2765810978, ack 3454668519, win 251, length 212
00:47:33.757822 IP ChatDevOps.40048 > public1.alidns.com.domain: 25834+ PTR? 1.1.1.10.in-addr.arpa. (39)
00:47:33.797033 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 212, win 2053, length 0
00:47:34.053798 IP public1.alidns.com.domain > ChatDevOps.40048: 25834 NXDomain 0/1/0 (116)
00:47:34.056344 IP ChatDevOps.41574 > public1.alidns.com.domain: 1158+ PTR? 21.1.1.10.in-addr.arpa. (40)
00:47:34.702924 IP public1.alidns.com.domain > ChatDevOps.41574: 1158 NXDomain 0/1/0 (117)
00:47:34.703374 IP ChatDevOps.59986 > public1.alidns.com.domain: 12257+ PTR? 5.5.5.223.in-addr.arpa. (40)
00:47:34.703561 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 212:392, ack 1, win 251, length 180
00:47:34.745614 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 392, win 2052, length 0
00:47:34.856428 IP public1.alidns.com.domain > ChatDevOps.59986: 12257 1/0/0 PTR public1.alidns.com. (72)
10 packets captured
10 packets received by filter
0 packets dropped by kernel
4.指定抓取包的时间戳,使用选项-tttt。
[root@ChatDevOps ~]# tcpdump -c 10 -tttt -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-08-29 00:52:46.759937 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 2765814682, win 2050, length 0
2018-08-29 00:52:46.766774 IP ChatDevOps.40898 > public1.alidns.com.domain: 57359+ PTR? 21.1.1.10.in-addr.arpa. (40)
2018-08-29 00:52:46.767024 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1:213, ack 0, win 251, length 212
2018-08-29 00:52:46.809552 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 213, win 2049, length 0
2018-08-29 00:52:49.829346 ARP, Request who-has ChatDevOps (00:0c:29:ce:40:b0 (oui Unknown)) tell 10.1.1.1, length 46
2018-08-29 00:52:49.829370 ARP, Reply ChatDevOps is-at 00:0c:29:ce:40:b0 (oui Unknown), length 28
2018-08-29 00:52:51.771436 IP ChatDevOps.40898 > public1.alidns.com.domain: 57359+ PTR? 21.1.1.10.in-addr.arpa. (40)
2018-08-29 00:52:51.783425 ARP, Request who-has gateway tell ChatDevOps, length 28
2018-08-29 00:52:51.783707 ARP, Reply gateway is-at 00:50:56:f5:98:bc (oui Unknown), length 46
2018-08-29 00:52:52.497640 IP public1.alidns.com.domain > ChatDevOps.40898: 57359 NXDomain 0/1/0 (117)
10 packets captured
22 packets received by filter
0 packets dropped by kernel
5.仅仅抓取ip数据包,使用选项-n。
[root@ChatDevOps ~]# tcpdump -c 10 -tttt -n -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-08-29 00:55:27.770507 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 2765822722:2765822934, ack 3454673575, win 251, length 212
2018-08-29 00:55:27.770973 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 212:408, ack 1, win 251, length 196
2018-08-29 00:55:27.771107 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 408:588, ack 1, win 251, length 180
2018-08-29 00:55:27.771237 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 588:768, ack 1, win 251, length 180
2018-08-29 00:55:27.771387 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 768:948, ack 1, win 251, length 180
2018-08-29 00:55:27.771570 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 948:1128, ack 1, win 251, length 180
2018-08-29 00:55:27.771690 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 1128:1308, ack 1, win 251, length 180
2018-08-29 00:55:27.771804 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 1308:1488, ack 1, win 251, length 180
2018-08-29 00:55:27.771944 IP 10.1.1.1.55011 > 10.1.1.21.ssh: Flags [.], ack 1488, win 2053, length 0
2018-08-29 00:55:27.772102 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 1488:1764, ack 1, win 251, length 276
10 packets captured
10 packets received by filter
0 packets dropped by kernel
6.把抓取的数据包存取到文件,使用-w选项。
[root@ChatDevOps ~]# tcpdump -c 10 -tttt -n -i ens33 -w tcpdump.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
该文件如果不指定路径的话,默认在当前操作目录下。不能直接被读取,需要使用tcpdump进行读取。这个命令也可以如下:
[root@ChatDevOps ~]# tcpdump -c 100 -tttt -n -i ens33 -w tcpdump.pcap greater 1024
[root@ChatDevOps ~]# tcpdump -c 100 -tttt -n -i ens33 -w tcpdump.pcap less 1024
7.从tcpdump文件中读取抓取的数据包。
[root@ChatDevOps ~]# tcpdump -r tcpdump.pcap
reading from file tcpdump.pcap, link-type EN10MB (Ethernet)
00:57:57.825513 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765825694:2765825842, ack 3454674579, win 251, length 148
00:57:57.825818 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 148, win 2053, length 0
00:57:58.203184 IP 10.1.1.1.58879 > 239.255.255.250.ssdp: UDP, length 174
00:57:59.203638 IP 10.1.1.1.58879 > 239.255.255.250.ssdp: UDP, length 174
00:58:05.116911 IP 10.1.1.1.56434 > ChatDevOps.ssh: Flags [P.], seq 4162589724:4162589776, ack 2392121475, win 2048, length 52
00:58:05.117228 IP ChatDevOps.ssh > 10.1.1.1.56434: Flags [.], ack 52, win 251, length 0
00:58:07.235581 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [P.], seq 1:53, ack 148, win 2053, length 52
00:58:07.235886 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 148:200, ack 53, win 251, length 52
00:58:07.277502 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 200, win 2052, length 0
00:58:09.821038 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [P.], seq 53:105, ack 200, win 2052, length 52
8.抓取指定接口的指定一些TCP/IP四层模型中网络层和传输层协议(如:TCP/UDP/ICMP/IAGMP/ARP/IP/RARP)的数据包。
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:14:15.388381 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765855386:2765855598, ack 3454691347, win 340, length 212
01:14:15.389466 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 212, win 2049, length 0
01:14:15.959479 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 212:488, ack 1, win 340, length 276
01:14:15.959737 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 488:652, ack 1, win 340, length 164
01:14:15.959908 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 652:816, ack 1, win 340, length 164
01:14:15.960083 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 816:980, ack 1, win 340, length 164
01:14:15.960238 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 980:1144, ack 1, win 340, length 164
01:14:15.960388 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1144:1308, ack 1, win 340, length 164
01:14:15.960557 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1308:1472, ack 1, win 340, length 164
01:14:15.960721 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1472:1636, ack 1, win 340, length 164
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:17:56.217920 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:17:56.219257 IP ChatDevOps.48491 > public1.alidns.com.domain: 53308+ PTR? 250.255.255.239.in-addr.arpa. (46)
01:17:57.218813 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:17:58.220117 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:17:59.221545 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:18:01.222170 IP ChatDevOps.48491 > public1.alidns.com.domain: 53308+ PTR? 250.255.255.239.in-addr.arpa. (46)
01:18:01.460643 IP public1.alidns.com.domain > ChatDevOps.48491: 53308 NXDomain 0/1/0 (103)
01:18:01.462527 IP ChatDevOps.46097 > public1.alidns.com.domain: 63425+ PTR? 1.1.1.10.in-addr.arpa. (39)
01:18:02.742698 IP public1.alidns.com.domain > ChatDevOps.46097: 63425 NXDomain 0/1/0 (116)
01:18:02.743371 IP ChatDevOps.60483 > public1.alidns.com.domain: 54493+ PTR? 5.5.5.223.in-addr.arpa. (40)
10 packets captured
13 packets received by filter
0 packets dropped by kernel
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:20:40.492456 IP ChatDevOps > 61.135.169.121: ICMP echo request, id 9516, seq 1, length 64
01:20:40.834752 IP 61.135.169.121 > ChatDevOps: ICMP echo reply, id 9516, seq 1, length 64
01:20:41.492751 IP ChatDevOps > 61.135.169.121: ICMP echo request, id 9516, seq 2, length 64
01:20:42.131624 IP 61.135.169.121 > ChatDevOps: ICMP echo reply, id 9516, seq 2, length 64
01:20:42.493242 IP ChatDevOps > 61.135.169.121: ICMP echo request, id 9516, seq 3, length 64
01:20:42.800717 IP 61.135.169.121 > ChatDevOps: ICMP echo reply, id 9516, seq 3, length 64
01:20:43.495523 IP ChatDevOps > 61.135.169.121: ICMP echo request, id 9516, seq 4, length 64
01:20:44.495944 IP ChatDevOps > 61.135.169.121: ICMP echo request, id 9516, seq 5, length 64
01:20:44.501359 IP 61.135.169.121 > ChatDevOps: ICMP echo reply, id 9516, seq 5, length 64
01:20:45.498312 IP ChatDevOps > 61.135.169.121: ICMP echo request, id 9516, seq 6, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel
9.抓取指定端口上的数据包。
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:42:31.847590 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765881522:2765881734, ack 3454706475, win 340, length 212
01:42:31.847902 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 212, win 2049, length 0
01:42:32.302931 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 212:488, ack 1, win 340, length 276
01:42:32.303095 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 488:652, ack 1, win 340, length 164
01:42:32.303185 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 652, win 2053, length 0
01:42:32.303329 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 652:912, ack 1, win 340, length 260
01:42:32.303569 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 912:1076, ack 1, win 340, length 164
01:42:32.303646 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 1076, win 2051, length 0
01:42:32.303747 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1076:1336, ack 1, win 340, length 260
01:42:32.303876 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1336:1500, ack 1, win 340, length 164
10 packets captured
11 packets received by filter
0 packets dropped by kernel
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:43:34.120931 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 2765885010, win 2048, length 0
01:43:34.123537 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1:213, ack 0, win 340, length 212
01:43:34.164702 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 213, win 2047, length 0
01:43:34.645137 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 213:569, ack 0, win 340, length 356
01:43:34.645386 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 569:733, ack 0, win 340, length 164
01:43:34.645551 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 733, win 2053, length 0
01:43:34.645737 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 733:993, ack 0, win 340, length 260
01:43:34.645922 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 993:1157, ack 0, win 340, length 164
01:43:34.646021 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 1157, win 2051, length 0
01:43:34.646194 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1157:1417, ack 0, win 340, length 260
10 packets captured
10 packets received by filter
0 packets dropped by kernel
10.抓取指定源、目的IP上的数据包。
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 src 223.5.5.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:48:17.072240 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 35, length 64
01:48:17.372803 IP public1.alidns.com.domain > ChatDevOps.38253: 55537 NXDomain 0/1/0 (117)
01:48:17.414638 IP public1.alidns.com.domain > ChatDevOps.51867: 7178 1/0/0 PTR public1.alidns.com. (72)
01:48:18.070799 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 36, length 64
01:48:19.082138 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 37, length 64
01:48:20.099136 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 38, length 64
01:48:21.081299 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 39, length 64
01:48:22.079008 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 40, length 64
01:48:23.090255 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 41, length 64
01:48:24.230821 IP public1.alidns.com > ChatDevOps: ICMP echo reply, id 9555, seq 42, length 64
10 packets captured
11 packets received by filter
0 packets dropped by kernel
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 dst 223.5.5.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:48:38.069626 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 56, length 64
01:48:38.073248 IP ChatDevOps.48285 > public1.alidns.com.domain: 46129+ PTR? 5.5.5.223.in-addr.arpa. (40)
01:48:38.135949 IP ChatDevOps.44970 > public1.alidns.com.domain: 27616+ PTR? 21.1.1.10.in-addr.arpa. (40)
01:48:39.072184 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 57, length 64
01:48:40.076144 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 58, length 64
01:48:41.077810 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 59, length 64
01:48:42.079204 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 60, length 64
01:48:43.080601 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 61, length 64
01:48:44.082011 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 62, length 64
01:48:45.083420 IP ChatDevOps > public1.alidns.com: ICMP echo request, id 9555, seq 63, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel
11.抓取两台主机之间的数据包。
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 tcp and \( host 223.5.5.5 or host 10.1.1.21 \)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:54:54.268935 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765927618:2765927830, ack 3454734639, win 340, length 212
01:54:54.269117 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 212, win 2051, length 0
01:54:54.561897 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 212:488, ack 1, win 340, length 276
01:54:54.562176 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 488:652, ack 1, win 340, length 164
01:54:54.562286 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 652, win 2050, length 0
01:54:54.562493 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 652:912, ack 1, win 340, length 260
01:54:54.562660 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 912:1076, ack 1, win 340, length 164
01:54:54.562808 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 1076, win 2048, length 0
01:54:54.563029 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1076:1336, ack 1, win 340, length 260
01:54:54.563212 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1336:1500, ack 1, win 340, length 164
10 packets captured
11 packets received by filter
0 packets dropped by kernel
[root@ChatDevOps ~]# tcpdump -c 10 -i ens33 src 10.1.1.21 and port 22 and dst 10.1.1.1 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:57:36.392318 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765943782:2765943994, ack 3454748435, win 362, length 212
01:57:36.904661 IP ChatDevOps.ssh > 10.1.1.1.56434: Flags [P.], seq 2392278579:2392278711, ack 4162603348, win 251, length 132
01:57:37.010706 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 212:520, ack 1, win 362, length 308
01:57:37.046307 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 520:684, ack 1, win 362, length 164
01:57:37.046546 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 684:848, ack 1, win 362, length 164
01:57:37.046669 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 848:1012, ack 1, win 362, length 164
01:57:37.046842 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1012:1176, ack 1, win 362, length 164
01:57:37.046999 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1176:1340, ack 1, win 362, length 164
01:57:37.047214 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1340:1504, ack 1, win 362, length 164
01:57:37.047399 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1504:1668, ack 1, win 362, length 164
10 packets captured
10 packets received by filter
0 packets dropped by kernel
12.以HEX或ASCII格式抓取数据包,分别使用选项-XX和-A即可。
[root@ChatDevOps ~]# tcpdump -c 3 -i ens33 -XX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
02:03:21.704787 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 2765959902:2765960114, ack 3454752171, win 362, length 212
0x0000: 0050 56c0 0008 000c 29ce 40b0 0800 4510 .PV.....).@...E.
0x0010: 00fc 3612 4000 4006 edc2 0a01 0115 0a01 ..6.@.@.........
0x0020: 0101 0016 d6e3 a4dd 32de cdeb 55ab 5018 ........2...U.P.
0x0030: 016a 1706 0000 0000 00b0 bcc9 c244 c5bc .j...........D..
0x0040: fb53 12de b143 b265 a9cb 7a34 670b f634 .S...C.e..z4g..4
0x0050: d2a5 d977 8de5 1bb0 6166 5394 e0dc 8311 ...w....afS.....
0x0060: 1e63 1c33 0cae e945 d639 f505 583f dd45 .c.3...E.9..X?.E
0x0070: abd7 3822 4d63 2649 0e8d 19ac 2713 4732 ..8"Mc&I....'.G2
0x0080: 7d7f eb9b df16 295a 94c9 1c68 e456 8319 }.....)Z...h.V..
0x0090: dc94 469a 8fbf a84b 7203 b010 0869 3193 ..F....Kr....i1.
0x00a0: 7957 afad 19d3 3610 b0aa 4488 df5f 3f4b yW....6...D.._?K
0x00b0: 1f03 83f9 a480 0d08 cc6b 234c 5804 0787 .........k#LX...
0x00c0: 180e 5cd0 e681 5c2a cd2f 216e 1f32 53dd ..\...\*./!n.2S.
0x00d0: aa8e 1b22 c6d4 f8c0 896d 2b04 c00d 52f9 ...".....m+...R.
0x00e0: 56b3 0189 1672 3e1f 35ce 72bc f8f1 3aaf V....r>.5.r...:.
0x00f0: 82e7 b2f6 c8af c3a5 36af 0616 c21d 6808 ........6.....h.
0x0100: 246c bb48 2609 5583 d667 $l.H&.U..g
02:03:21.704989 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 212, win 2049, length 0
0x0000: 000c 29ce 40b0 0050 56c0 0008 0800 4500 ..).@..PV.....E.
0x0010: 0028 7afc 4000 8006 69bc 0a01 0101 0a01 .(z.@...i.......
0x0020: 0115 d6e3 0016 cdeb 55ab a4dd 33b2 5010 ........U...3.P.
0x0030: 0801 be9b 0000 0000 0000 0000 ............
02:03:21.705899 IP ChatDevOps.58309 > public1.alidns.com.domain: 46252+ PTR? 1.1.1.10.in-addr.arpa. (39)
0x0000: 0050 56f5 98bc 000c 29ce 40b0 0800 4500 .PV.....).@...E.
0x0010: 0043 e88b 4000 4011 62fe 0a01 0115 df05 .C..@.@.b.......
0x0020: 0505 e3c5 0035 002f ef60 b4ac 0100 0001 .....5./.`......
0x0030: 0000 0000 0000 0131 0131 0131 0231 3007 .......1.1.1.10.
0x0040: 696e 2d61 6464 7204 6172 7061 0000 0c00 in-addr.arpa....
0x0050: 01 .
3 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@ChatDevOps ~]# tcpdump -c 3 -i ens33 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
02:03:53.931462 IP 10.1.1.1.55011 > ChatDevOps.ssh: Flags [.], ack 2765963078, win 2048, length 0
E..({,@...i.
...
.........WG..?FP....l........
02:03:53.933710 IP ChatDevOps.40263 > public1.alidns.com.domain: 12427+ PTR? 21.1.1.10.in-addr.arpa. (40)
E..D..@.@.:.
........G.5.0.a0............21.1.1.10.in-addr.arpa.....
02:03:53.934052 IP ChatDevOps.ssh > 10.1.1.1.55011: Flags [P.], seq 1:213, ack 0, win 362, length 212
E...6.@.@...
...
.........?F..WGP..j..........T.IP.9~<..>....5...{..>> ..N.8.j.>...%.$.X;JE......}../z..Z...L..!.N6<.!'..^F...&..:+-}9.2.c.Bd.."...6Y...(W......!..QY.CWG.....s.[. L.>ED.......>.,1u..........-..> L.."... .......|.;.z|.0AB.R)z...q...N$...
3 packets captured
12 packets received by filter
0 packets dropped by kernel
四.总结
1.tcpdump的使用比较简单,上文已经列举了该工具的常用用法。
2.需要加强对TCP/IP四层参考模型的理解,文中涉及到的协议包括网络层和传输层的常见协议。