Basic use of tcpdump

tcpdump

  tcpdump is a very popular packet capture tool used to grab packets travelling across the network; you could also call it a sniffer, one that stands comparison with Wireshark on Windows.
 Let's start by capturing a single packet as a quick warm-up:

[root@localhost ~]# tcpdump -i eth0 -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:27:33.458653 IP bogon.ssh > bogon.52027: Flags [P.], seq 4269539797:4269540005, ack 4135839282, w
1 packets captured
6 packets received by filter
0 packets dropped by kernel

Options

  1. The -i option selects the network interface to capture on (interface).
  2. The -c option sets the number of packets to capture (count).
  3. -nn: "Don't convert protocol and port numbers etc. to names either." That is, do not resolve port or protocol numbers to names, and do not perform DNS resolution.
  4. port 80 filters for web browsing traffic.
  5. The -e option adds the Ethernet (link-layer) header to the output.
  6. The -l option makes the output line-buffered.
  7. The -t option suppresses the timestamp.
  8. The -v option prints more detailed output.

Let's compare the two:

[root@localhost ~]# tcpdump -i eth0 -c 1 -nn -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:38:30.318434 00:50:56:94:7d:88 > c4:ca:d9:38:19:e5, ethertype IPv4 (0x0800), length 262: 10.10.9.110.22 > 10.10.29.110.52027: Flags [P.], seq 4269624821:4269625029, ack 4135864306, win 159, length 208
1 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# 
[root@localhost ~]# tcpdump -i eth0 -c 2 -nn -e -v  -l -t
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:50:56:94:7d:88 > c4:ca:d9:38:19:e5, ethertype IPv4 (0x0800), length 198: (tos 0x10, ttl 64, id 26367, offset 0, flags [DF], proto TCP (6), length 184)
    10.10.9.110.22 > 10.10.29.110.52027: Flags [P.], cksum 0x3b9a (incorrect -> 0x5866), seq 4269628629:4269628773, ack 4135866562, win 159, length 144
c4:ca:d9:38:19:e5 > 00:50:56:94:7d:88, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 123, id 3152, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.29.110.52027 > 10.10.9.110.22: Flags [.], cksum 0xc6bb (correct), ack 144, win 16301, length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Sometimes we need to keep the filter expression in a file; that is what -F is for. Sometimes we don't want the captured packets printed to the screen but saved to a file instead; for that we use the -w option. To replay the saved packets, use -r. The three examples below show these in use:

[root@localhost ~]# tcpdump -F port.txt -v -c 2 -e
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:44:33.226078 00:50:56:94:7d:88 (oui Unknown) > c4:ca:d9:38:19:e5 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 64, id 53073, offset 0, flags [DF], proto UDP (17), length 61)
    bogon.34741 > dns.bjtuhbxy.cn.domain: 53931+ A? mirrors.163.com. (33)
12:44:33.226152 00:50:56:94:7d:88 (oui Unknown) > c4:ca:d9:38:19:e5 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 64, id 53074, offset 0, flags [DF], proto UDP (17), length 61)
    bogon.34741 > dns.bjtuhbxy.cn.domain: 18297+ AAAA? mirrors.163.com. (33)
2 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -F port.txt -v -c 2 -e -w test.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -r test.pcap 
reading from file test.pcap, link-type EN10MB (Ethernet)
12:46:10.354929 IP bogon.52144 > 123.58.190.209.http: Flags [F.], seq 1450397317, ack 1746331904, win 267, options [nop,nop,TS val 163072698 ecr 3886187693], length 0
12:46:10.355238 IP bogon.34804 > dns.bjtuhbxy.cn.domain: 10269+ A? mirrors.163.com. (33)
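As an added example that is not part of the original post, here is a small POSIX sh/awk helper that post-processes the plain `tcpdump -nn` output format shown above (without -e, so the line starts with the timestamp and "IP") into endpoint tuples and per-destination-port counts, a quick way to see what a `port` filter would have matched; the sample lines are constructed to mimic the captures above.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn` output (not a real capture).
SAMPLE='12:38:30.318434 IP 10.10.9.110.22 > 10.10.29.110.52027: Flags [P.], seq 1:209, ack 1, win 159, length 208
12:38:30.318500 IP 10.10.29.110.52027 > 10.10.9.110.22: Flags [.], ack 209, win 16301, length 0
12:44:33.226078 IP 10.10.9.110.34741 > 10.10.9.1.53: 53931+ A? mirrors.163.com. (33)
12:44:33.226152 IP 10.10.9.110.34741 > 10.10.9.1.53: 18297+ AAAA? mirrors.163.com. (33)'

# Read tcpdump -nn lines on stdin; print "srcip srcport dstip dstport" per IPv4 line.
# With -nn the last dotted component is the port, so split on "." and take the tail.
tcpdump_endpoints() {
  awk '$2 == "IP" && $4 == ">" {
    src = $3; dst = $5; sub(/:$/, "", dst)
    n = split(src, s, "."); m = split(dst, d, ".")
    printf "%s %s %s %s\n", s[1]"."s[2]"."s[3]"."s[4], s[n], d[1]"."d[2]"."d[3]"."d[4], d[m]
  }'
}

# Count packets per destination port, most frequent first.
count_by_dst_port() {
  tcpdump_endpoints | awk '{ c[$4]++ } END { for (p in c) printf "%s %d\n", p, c[p] }' \
    | sort -k2,2nr -k1,1n
}

# Helper: the count for one destination port within SAMPLE (empty if none).
count_sample_dport() {
  printf '%s\n' "$SAMPLE" | count_by_dst_port | awk -v p="$1" '$1 == p { print $2 }'
}

printf '%s\n' "$SAMPLE" | count_by_dst_port
```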

tcpdump's traffic filtering is a larger topic, which I will cover separately.

Reposted from: https://blog.51cto.com/652465/2056053
