Original title: Using tcpdump on the Linux command line (a detailed guide)
A flexible, powerful command-line tool helps take the pain out of network troubleshooting.
In my experience as a sysadmin, I have often found network connectivity issues hard to troubleshoot. In those situations, tcpdump is a great friend.
Tcpdump is a command-line utility that lets you capture and analyze the network traffic passing through your system. It is commonly used to help troubleshoot network problems, and also as a security tool.
Tcpdump is a powerful and versatile tool with many options and filters that make it useful in a wide range of situations. Because it is a command-line tool, it is well suited to running on remote servers or on devices without a GUI, to collect data that can be analyzed later. It can also be started in the background, or as a scheduled job with a tool such as cron.
In this article, we'll look at some of tcpdump's most common features.
1. Installing on Linux
Tcpdump is included with several Linux distributions, so it is quite likely that you already have it installed. Check whether tcpdump is installed on your system with the following command:
$ which tcpdump
/usr/sbin/tcpdump
If tcpdump is not installed, you can install it with your distribution's package manager. For example, on CentOS or Red Hat Enterprise Linux:
$ sudo yum install -y tcpdump
Tcpdump requires libpcap, a library for network packet capture. If it is not installed, it will be added automatically as a dependency.
Now you are ready to start capturing packets.
2. Capturing packets with tcpdump
To capture packets for troubleshooting or analysis, tcpdump requires elevated permissions, so in the following examples most commands are prefixed with sudo.
To begin, use the command tcpdump -D to see which interfaces are available for capture:
$ sudo tcpdump -D
1.eth0
2.virbr0
3.eth1
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]
In the example above, you can see all the interfaces available on the machine. The special interface any allows capturing on any active interface.
Let's start capturing some packets. Capture all packets on any interface by running this command:
$ sudo tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196
09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0
09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)
09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)
09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)
09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)
09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)
09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388
09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0
09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)
09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)
09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)
09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060
---- SKIPPING LONG OUTPUT -----
09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0
^C
9003 packets captured
9010 packets received by filter
7 packets dropped by kernel
$
Tcpdump keeps capturing packets until it receives an interrupt signal; press Ctrl+C to interrupt the capture. As you can see in this example, tcpdump captured more than 9,000 packets. In this case, because I am connected to this server over ssh, tcpdump captured all of those packets as well. To limit the number of packets captured and stop tcpdump, use the -c option:
$ sudo tcpdump -i any -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196
11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0
11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)
11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)
11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)
5 packets captured
12 packets received by filter
0 packets dropped by kernel
$
In this case, tcpdump stopped capturing automatically after five packets. This is useful in different scenarios, for instance when you are troubleshooting connectivity and capturing a few initial packets is enough. It is even more useful when we apply filters to capture specific packets (shown below).
By default, tcpdump resolves IP addresses and ports into names, as shown in the previous example. When troubleshooting network issues, it is often easier to work with IP addresses and port numbers; disable name resolution with the option -n, and port resolution as well with -nn:
$ sudo tcpdump -i any -c 5 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196
23:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372
23:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340
5 packets captured
6 packets received by filter
0 packets dropped by kernel
As shown above, the capture output now shows IP addresses and port numbers. This also keeps tcpdump from issuing DNS lookups, which helps reduce network traffic while troubleshooting.
Now that you can capture network packets, let's explore what this output means.
3. Understanding the output format
Tcpdump can capture and decode many different protocols, such as TCP, UDP, ICMP, and many more. While we can't cover all of them here, to help you get started, let's explore a TCP packet. You can find more details about the different protocol formats in tcpdump's manual page. A typical TCP packet captured by tcpdump looks like this:
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
The fields may vary depending on the type of packet being sent, but this is the general format.
The first field, 08:41:13.729687, is the timestamp of the received packet according to the local clock.
Next, IP is the network-layer protocol, in this case IPv4. For IPv6 packets, the value is IP6.
The next field, 192.168.64.28.22, is the source IP address and port. This is followed by the destination IP address and port, represented by 192.168.64.1.41916.
After the source and destination, you find the TCP flags [P.]. Typical values for this field include:
Value   Flag type   Description
S       SYN         Connection start
F       FIN         Connection finish
P       PUSH        Data push
R       RST         Connection reset
.       ACK         Acknowledgment
This field can also be a combination of these values, such as [S.] for a SYN-ACK packet.
Next is the sequence number of the data contained in the packet. For the first packet captured, this is an absolute number. Subsequent packets use a relative number to make it easier to follow. In this example, the sequence is seq 196:568, which means this packet contains bytes 196 to 568 of this flow.
This is followed by the Ack number: ack 1. In this case, it is 1 because this is the side sending data. For the side receiving data, this field represents the next expected byte (data) on this flow. For example, the Ack number for the next packet in this flow would be 568.
The next field is the window size, win 309, which represents the number of bytes available in the receive buffer, followed by TCP options such as MSS (Maximum Segment Size) or window scale. For details about TCP protocol options, see Transmission Control Protocol (TCP) Parameters.
Finally, we have the packet length, length 372, which represents the length, in bytes, of the payload data. The length is the difference between the last and first bytes in the sequence number.
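As an added illustration of the format just described (this is not code from the original article or from tcpdump), here is a small Python parser that takes tcpdump's TCP summary lines apart into the fields discussed above and checks the relation between the sequence range and the length. The sample lines are copied from the captures shown in this article; the regular expression, the field names and the function names are my own.

```python
import re

# Meaning of each TCP flag letter, as listed in the article's table; tcpdump
# can print other letters (for example W, E, U) which are passed through as-is.
TCP_FLAGS = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK"}

# One regex for the TCP summary line. Everything after Flags is optional
# because a pure ACK carries no seq and a SYN carries no ack.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)"
    r"(?:: (?P<app>.*))?$"
)

# Sample input: lines copied from this article's captures.
SAMPLE_LINES = [
    "08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372",
    "09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0",
    "09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1",
    # Without -nn the port is printed as a service name ("ssh").
    "09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196",
]


def split_endpoint(endpoint):
    """'192.168.64.28.22' -> ('192.168.64.28', 22). The port, or the service
    name when tcpdump resolves names, is always the last dot-separated field."""
    host, port = endpoint.rsplit(".", 1)
    return host, (int(port) if port.isdigit() else port)


def parse_tcp_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or raise ValueError."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP summary line: %r" % line)
    g = m.groupdict()
    src_ip, src_port = split_endpoint(g["src"])
    dst_ip, dst_port = split_endpoint(g["dst"])
    seq_start = int(g["seq"]) if g["seq"] else None
    seq_end = int(g["seq_end"]) if g["seq_end"] else seq_start
    length = int(g["length"])
    rec = {
        "timestamp": g["ts"], "proto": g["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "flags": [TCP_FLAGS.get(c, c) for c in g["flags"]],
        "seq_start": seq_start, "seq_end": seq_end,
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]) if g["win"] else None,
        "options": g["options"].split(",") if g["options"] else [],
        "length": length,
        "app": g["app"],  # trailing application-layer summary, e.g. "HTTP: GET / HTTP/1.1"
    }
    # The article states that length equals the difference between the last and
    # first sequence number; a segment printed with a single seq carries no data.
    expected = (seq_end - seq_start) if g["seq_end"] else 0
    rec["length_matches_seq"] = (expected == length)
    return rec


def parse_capture(lines):
    """Parse every TCP line, skipping lines for other protocols (DNS, ICMP, ...)."""
    records = []
    for line in lines:
        try:
            records.append(parse_tcp_line(line))
        except ValueError:
            continue
    return records


if __name__ == "__main__":
    for rec in parse_capture(SAMPLE_LINES):
        print(rec["src_ip"], rec["src_port"], "->", rec["dst_ip"], rec["dst_port"],
              rec["flags"], "len", rec["length"], "seq ok:", rec["length_matches_seq"])
```

Feeding the lines of a longer capture (for example the output of tcpdump -nn -r webserver.pcap) into parse_capture gives you structured records that are much easier to sort, count, or compare across both sides of a flow than the raw text.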
Now let's learn how to filter packets to narrow down the results and make it easier to troubleshoot specific issues.
4. Filtering packets
As mentioned above, tcpdump can capture too many packets, some of which are not even related to the issue you're troubleshooting. For example, if you're troubleshooting a connectivity issue with a web server, you're not interested in SSH traffic, so removing the SSH packets from the output makes it easier to work on the real issue.
One of tcpdump's most powerful features is its ability to filter the captured packets using a variety of parameters, such as source and destination IP addresses, ports, protocol, and so on. Let's look at some of the most common ones.
Protocol
To filter packets by protocol, specify the protocol on the command line. For example, capture ICMP packets only with this command:
$ sudo tcpdump -i any -c 5 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
In another terminal, try to ping another machine:
$ ping opensource.com
PING opensource.com (54.204.39.132) 56(84) bytes of data.
64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms
Back in the tcpdump capture, notice that tcpdump captures and displays only the ICMP-related packets. In this case, tcpdump does not display the name-resolution packets that were generated when resolving the name opensource.com:
09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64
09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64
09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64
09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64
09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Host
Use the host filter to limit the capture to packets related to a specific host only:
$ sudo tcpdump -i any -c 5 -nn host 54.204.39.132
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0
09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0
09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0
09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1
09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
In this example, tcpdump captures and displays only packets to and from host 54.204.39.132.
Port
To filter packets by the desired service or port, use the port filter. For example, capture packets related to a web (HTTP) service with this command:
$ sudo tcpdump -i any -c 5 -nn port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0
09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0
09:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0
09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1
09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Source IP/hostname
You can also filter packets by source or destination IP address or hostname. For example, to capture packets from host 192.168.122.98:
$ sudo tcpdump -i any -c 5 -nn src 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)
10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)
10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0
10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0
10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Notice that tcpdump captured packets with source IP address 192.168.122.98 for multiple services, such as name resolution (port 53) and HTTP (port 80). The response packets are not displayed because their source IP is different.
Conversely, use the dst filter to filter by destination IP/hostname:
$ sudo tcpdump -i any -c 5 -nn dst 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 22481 1/0/0 A 54.204.39.132 (48)
10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)
10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0
10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0
10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Complex filters
You can also combine filters using the logical operators and and or to create more complex expressions. For example, to filter packets from source IP address 192.168.122.98 and the HTTP service only, use this command:
$ sudo tcpdump -i any -c 5 -nn src 192.168.122.98 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0
10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0
10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1
10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0
10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
You can create more complex expressions by grouping filters with parentheses. In this case, enclose the entire filter expression in quotation marks to prevent the shell from interpreting the parentheses as shell syntax:
$ sudo tcpdump -i any -c 5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0
10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0
10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0
10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1
10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
In this example, we're filtering packets only for the HTTP service (port 80) and source IP addresses 192.168.122.98 or 54.204.39.132. This is a quick way to examine both sides of the same flow.
5. Checking packet content
In the previous examples, we checked only the packet headers for information such as source, destination, ports, and so on. Sometimes that is all we need to troubleshoot network connectivity issues. Sometimes, however, we need to inspect the content of the packets to ensure that the message we're sending contains what we need, or that we received the expected response. To see the packet content, tcpdump provides two additional flags: -X to print the content in hex and ASCII, or -A to print the content in ASCII.
For example, inspect the HTTP content of a web request like this:
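To make the filter semantics of this section concrete, here is an added example, not from the article and not tcpdump's own code: a small evaluator for the subset of pcap-filter syntax used above (host, src, dst, port, the protocol names tcp/udp/icmp, and, or, not, and parentheses), applied to constructed packet records rather than to a live interface. Real tcpdump compiles the expression into a BPF program that the kernel runs against packet headers; this Python is only a model of the matching rules, but it reproduces the precedence tcpdump uses, where and binds more tightly than or, so the parentheses in the last command above really are needed.

```python
import re

# Constructed packet records (not a real capture); the addresses and ports
# mirror the article's examples. ICMP has no ports, so those fields are None.
PACKETS = [
    {"id": 1, "proto": "udp", "src_ip": "192.168.122.98", "src_port": 39436, "dst_ip": "192.168.122.1", "dst_port": 53},
    {"id": 2, "proto": "udp", "src_ip": "192.168.122.1", "src_port": 53, "dst_ip": "192.168.122.98", "dst_port": 39436},
    {"id": 3, "proto": "tcp", "src_ip": "192.168.122.98", "src_port": 39334, "dst_ip": "54.204.39.132", "dst_port": 80},
    {"id": 4, "proto": "tcp", "src_ip": "54.204.39.132", "src_port": 80, "dst_ip": "192.168.122.98", "dst_port": 39334},
    {"id": 5, "proto": "tcp", "src_ip": "192.168.64.1", "src_port": 56322, "dst_ip": "192.168.64.28", "dst_port": 22},
    {"id": 6, "proto": "icmp", "src_ip": "192.168.122.98", "src_port": None, "dst_ip": "54.204.39.132", "dst_port": None},
]

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")  # parentheses are tokens of their own


def _and(left, right):
    return lambda p: left(p) and right(p)


def _or(left, right):
    return lambda p: left(p) or right(p)


class FilterParser:
    """Recursive-descent parser for a subset of pcap-filter syntax. Grammar:
    expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := 'not' factor | '(' expr ')' | primitive
    so 'and' binds more tightly than 'or', as in tcpdump."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return pred

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = _or(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = _and(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        if tok == "(":
            pred = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return pred
        if tok in ("tcp", "udp", "icmp"):
            return lambda p, proto=tok: p["proto"] == proto
        direction = None
        if tok in ("src", "dst"):
            direction = tok
            tok = self.take()
        if tok == "port":
            value = self.take()
            if value is None or not value.isdigit():
                raise ValueError("port needs a numeric argument")
            return self.endpoint_pred(direction, "port", int(value))
        if tok == "host":
            tok = self.take()
        # A bare address after src/dst ("src 192.168.122.98") means host.
        if tok is None or tok in ("and", "or", "not", "(", ")"):
            raise ValueError("expected an address or port after the qualifier")
        return self.endpoint_pred(direction, "ip", tok)

    @staticmethod
    def endpoint_pred(direction, field, value):
        # "host X" / "port N" match either end; "src"/"dst" restrict to one end.
        keys = [direction + "_" + field] if direction else ["src_" + field, "dst_" + field]
        return lambda p: any(p.get(k) == value for k in keys)


def compile_filter(expr):
    return FilterParser(expr).parse()


def matching_ids(expr, packets=PACKETS):
    """Ids of the constructed packets tcpdump would print for this filter."""
    pred = compile_filter(expr)
    return [p["id"] for p in packets if pred(p)]


def is_valid_filter(expr):
    try:
        compile_filter(expr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for expr in ("icmp", "host 54.204.39.132", "src 192.168.122.98 and port 80",
                 "port 80 and (src 192.168.122.98 or src 54.204.39.132)"):
        print("%-55s -> %s" % (expr, matching_ids(expr)))
```

Comparing matching_ids("src 192.168.122.1 or src 54.204.39.132 and port 80") with the parenthesized form shows the precedence rule: without parentheses the and groups with the second src only, which is exactly why the article quotes and parenthesizes the two-sided flow filter.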
$ sudo tcpdump -i any -c 10 -nn -A port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0
E..<..>
............................
13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0
E..<.. a..........>
.R.W....... ................
13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0
E..4..@.@.....zb6.'....P...Ao..'...........
.....R.W................
13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1
E.....@.@..1..zb6.'....P...Ao..'...........
.....R.WGET / HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: opensource.com
Connection: Keep-Alive
................
13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0
E..4.F@./.."6.'...zb.P..o..'.......9.2.....
.R.a....................
13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found
E....G@./...6.'...zb.P..o..'.......9.......
.R.b....HTTP/1.1 302 Found
Server: nginx
Date: Sun, 23 Sep 2018 17:02:14 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 207
X-Content-Type-Options: nosniff
Location: https://opensource.com/
Cache-Control: max-age=1209600
Expires: Sun, 07 Oct 2018 17:02:14 GMT
X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d
X-Varnish: 632951979
Age: 0
Via: 1.1 varnish (Varnish/5.2)
X-Cache: MISS
Connection: keep-alive
302 FoundFound
The document has moved here.
................
13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0
E..4..@.@.....zb6.'....P....o..............
.....R.b................
13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0
E..4..@.@.....zb6.'....P....o..............
.....R.b................
13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0
E..4.H@./.. 6.'...zb.P..o..........9.I.....
.R......................
13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0
E..4..@.@.....zb6.'....P....o..............
.....R..................
10 packets captured
10 packets received by filter
0 packets dropped by kernel
This is helpful for troubleshooting issues with API calls, assuming the calls use plain HTTP. For encrypted connections, this output is less useful.
6. Saving captures to a file
Another useful feature provided by tcpdump is the ability to save the capture to a file so you can analyze the results later. This lets you, for example, capture packets in batch mode overnight and verify the results in the morning. It also helps when there are too many packets to analyze, since real-time capture can happen too fast.
To save packets to a file instead of displaying them on screen, use the -w option:
$ sudo tcpdump -i any -c 10 -nn -w webserver.pcap port 80
[sudo] password for ricardo:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
This command saves the output in a file named webserver.pcap. The .pcap extension stands for "packet capture" and is the convention for this file format.
As shown in this example, nothing is displayed on screen, and the capture finishes after 10 packets have been captured, as requested by the option -c 10. If you want some feedback to ensure packets are being captured, use the option -v.
Tcpdump creates the file in a binary format, so you cannot simply open it with a text editor. To read the contents of the file, execute tcpdump with the -r option:
$ tcpdump -nn -r webserver.pcap
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0
13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0
13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0
$
Since you are no longer capturing packets directly from the network interface, sudo is not required to read the file.
You can also use any of the filters we've discussed to filter the content from the file, just as you would with real-time data. For example, inspect the packets in the capture file from source IP address 54.204.39.132 by executing this command:
$ tcpdump -nn -r webserver.pcap src 54.204.39.132
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
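As an added example covering sections 5 and 6 (this is not code from the article or from tcpdump), the following Python writes a minimal .pcap file the way -w does, reads it back the way -r does, and renders a packet in the offset/hex/ASCII layout that -X prints. It shows why the file is binary rather than text: a 24-byte global header with a magic number, then a 16-byte record header in front of every packet. The Ethernet/IPv4/TCP SYN frame is constructed, with made-up MAC addresses and zero checksums; the link type is Ethernet (1) rather than the LINUX_SLL type shown in the article's output, because it is the simpler header. File and function names are my own.

```python
import os
import struct
import tempfile
from socket import inet_aton

PCAP_MAGIC = 0xA1B2C3D4      # pcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1        # link-layer header type of the constructed frames


def build_syn_frame(src_ip, dst_ip, src_port, dst_port):
    """Constructed Ethernet + IPv4 + TCP SYN frame (54 bytes). MAC addresses are
    made up and the IP/TCP checksums are left at zero: sample data only."""
    eth = b"\x52\x54\x00\x12\x34\x56" + b"\x52\x54\x00\x65\x43\x21" + b"\x08\x00"
    # TCP: ports, seq, ack, data offset 5 (<<4), flags SYN=0x02, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1375157070, 0, 5 << 4, 0x02, 29200, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto 6, csum, addrs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C46, 0x4000, 64, 6, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(path, packets, linktype=LINKTYPE_ETHERNET, snaplen=262144):
    """Write a pcap file: 24-byte global header, then per packet a 16-byte record
    header (ts_sec, ts_usec, captured length, original length) and the bytes."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, data in packets:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
            f.write(data)


def read_pcap(path):
    """Parse a pcap file back into header fields and packet records, picking the
    byte order from the magic number; refuse anything that is not a capture."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            raise ValueError("truncated global header")
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:
            endian = ">"
        else:
            raise ValueError("not a pcap file (magic 0x%08x)" % magic)
        _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
        packets = []
        while True:
            rh = f.read(16)
            if not rh:
                break
            if len(rh) < 16:
                raise ValueError("truncated record header")
            ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", rh)
            data = f.read(caplen)
            if len(data) < caplen:
                raise ValueError("truncated packet record")
            packets.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen,
                            "len": origlen, "data": data})
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


def hexdump_x(data):
    """Render bytes in the style of tcpdump -X: offset, 16 bytes as 2-byte hex
    groups, then the printable ASCII with other bytes shown as '.'."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("0x%04x:  %-39s  %s" % (off, hexpart, ascii_part))
    return lines


def write_and_read_back(path=None):
    """Write two constructed SYN frames to a .pcap file and parse the file again."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "webserver.pcap")
    frame = build_syn_frame("192.168.122.98", "54.204.39.132", 39326, 80)
    # Constructed timestamps: epoch seconds plus microseconds, as pcap stores them.
    write_pcap(path, [(1537723200, 42023, frame), (1537723201, 88127, frame)])
    return read_pcap(path)


def rejects_text_file():
    """A text file carries no pcap magic number, so read_pcap refuses it; the
    same mismatch is why a text editor shows a capture as garbage."""
    path = os.path.join(tempfile.mkdtemp(), "notes.txt")
    with open(path, "w") as f:
        f.write("this is not a capture file\n")
    try:
        read_pcap(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cap = write_and_read_back()
    print("link-type", cap["linktype"], "packets", len(cap["packets"]))
    print("\n".join(hexdump_x(cap["packets"][0]["data"])))
```

The record header is what lets tcpdump -r (and Wireshark, as the article mentions later) walk a capture packet by packet without any delimiter in the data itself; a capture cut off mid-record is reported as truncated rather than silently misread.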
What's next?
These basic features of tcpdump will help you get started with this powerful and versatile tool. To learn more, consult the tcpdump website and manual page.
The tcpdump command-line interface provides great flexibility for capturing and analyzing network traffic. If you need a graphical tool to understand more complex flows, look at Wireshark.
One benefit of Wireshark is that it can read .pcap files captured by tcpdump. You can use tcpdump to capture packets on a remote machine that has no GUI and analyze the resulting file with Wireshark, but that is a topic for another day.
Original article:
https://opensource.com/article/18/10/introduction-tcpdump