Common tcpdump usage

tcpdump
The meaning of each value in the Flags field as printed by tcpdump:

| Flags | Meaning |
| --- | --- |
| [S] | SYN |
| [.] | ACK |
| [S.] | SYN, ACK |
| [P.] | PUSH |
| [R.] | RST |
| [F.] | FIN |
| [DF] | Don't Fragment (IP header flag); when DF=0, fragmentation is allowed |
| [FP.] | FIN, PUSH, ACK |

tcpdump -i eth0 -vvvnn port 3002                            # monitor port 3002 on eth0 without resolving host or port names, printing full details
tcpdump src host 20.50.193.170 and tcp src port 3002        # capture outbound packets: source host 20.50.193.170, source port 3002, protocol TCP
tcpdump dst host 20.50.193.170 and tcp dst port 3002        # capture inbound packets: destination host 20.50.193.170, destination port 3002, protocol TCP
tcpdump -i eth0 dst port 80 -vvnn                           # capture packets to destination port 80 on eth0

VPC network:
Source: 8.130.29.250 80/172.26.172.18
Destination: 8.130.106.94/172.26.172.19
1.
[root@iZ0jlj6khvl4gocccvez8yZ ~]# telnet 172.26.172.18 80
Trying 8.130.29.250...
Connected to 8.130.29.250.
Escape character is '^]'.
2.
[root@LINUX ~]# tcpdump  -i eth0 dst port 80 -vvvnn

The traffic looks like this:
 172.26.172.19.54852 > 172.26.172.18.80: Flags [.], cksum 0x9bde (correct), seq 5, ack 310, win 237, options [nop,nop,TS val 718353 ecr 5780396], length 0
17:13:46.434853 IP (tos 0x10, ttl 64, id 64125, offset 0, flags [DF], proto TCP (6), length 52)
    172.26.172.19.54852 > 172.26.172.18.80: Flags [F.], cksum 0x9bdc (correct), seq 5, ack 311, win 237, options [nop,nop,TS val 718353 ecr 5780396], length 0
 ----------
Public IP:
Source: 8.130.29.250 80/172.26.172.18
Destination: 8.130.106.94/172.26.172.19
1.
[root@iZ0jlj6khvl4gocccvez8yZ ~]# telnet 8.130.29.250 80
Trying 8.130.29.250...
Connected to 8.130.29.250.
Escape character is '^]'.

2.
[root@LINUX ~]# tcpdump  -i eth0 dst port 80 -vvvnn

Traffic:
8.130.106.94.51060 > 172.26.172.18.80: Flags [S], cksum 0xc60e (correct), seq 3405619494, win 29200, options [mss 1460,sackOK,TS val 2756801 ecr 0,nop,wscale 7], length 0
17:47:44.885250 IP (tos 0x14, ttl 63, id 45544, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51060 > 172.26.172.18.80: Flags [.], cksum 0x352f (correct), seq 3405619495, ack 2234997945, win 229, options [nop,nop,TS val 2756802 ecr 7818846], length 0

-----
Conclusion: by capturing port 80 on the local NIC with tcpdump you can inspect the traffic and tell whether it is taking the [VPC bandwidth] path or the [public bandwidth] path. In the VPC case the client shows up with its private address 172.26.172.19; over the public path it shows up as 8.130.106.94.
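As an added example that is not part of the original note, the Python below parses the two-line -vvvnn output shown above, decodes the Flags field with the table at the top of the note, and applies the conclusion: a peer inside the VPC range (assumed here to be 172.26.0.0/16, from the addresses in the captures) came over VPC bandwidth, anything else over the public path. The sample lines are constructed from the captures above.

```python
"""Classify tcpdump -vvvnn lines as VPC-path or public-path traffic.

Added example, not from the original note. Parses the indented
'src.port > dst.port: Flags [...]' line of each packet and groups
packets to the local port 80 by path and by handshake stage.
"""
import ipaddress
import re
from collections import Counter

# Flag letters as printed by tcpdump, following the table at the top of the note.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "R": "RST", "F": "FIN",
              "U": "URG", "E": "ECE", "W": "CWR"}

LINE_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample, in the shape of the captures above (two lines per packet).
SAMPLE = """\
17:13:46.434853 IP (tos 0x10, ttl 64, id 64125, offset 0, flags [DF], proto TCP (6), length 52)
    172.26.172.19.54852 > 172.26.172.18.80: Flags [F.], cksum 0x9bdc (correct), seq 5, ack 311, win 237, length 0
17:47:44.884151 IP (tos 0x14, ttl 63, id 45543, offset 0, flags [DF], proto TCP (6), length 60)
    8.130.106.94.51060 > 172.26.172.18.80: Flags [S], cksum 0xc60e (correct), seq 3405619494, win 29200, length 0
17:47:44.885250 IP (tos 0x14, ttl 63, id 45544, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51060 > 172.26.172.18.80: Flags [.], cksum 0x352f (correct), seq 3405619495, ack 2234997945, win 229, length 0
17:54:45.291697 IP (tos 0x10, ttl 64, id 28749, offset 0, flags [DF], proto TCP (6), length 60)
    172.26.172.19.54982 > 172.26.172.18.80: Flags [S], cksum 0x9115 (correct), seq 931859124, win 29200, length 0
"""


def decode_flags(flags: str) -> list:
    """Expand a tcpdump Flags string such as 'S.' into ['SYN', 'ACK']."""
    return [FLAG_NAMES.get(ch, ch) for ch in flags]


def parse_capture(text: str):
    """Yield (src, dst, dport, flags) for every packet line in -vvvnn output.

    The first line of each pair (timestamp, ttl, length) does not match the
    regex and is skipped; only the indented address line carries the fields.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), decode_flags(m["flags"])


def path_for(peer: str, vpc_net: str = "172.26.0.0/16") -> str:
    """Return 'vpc' if the peer address lies inside the VPC range, else 'public'.

    The VPC range is an assumption taken from the 172.26.172.x addresses in the note.
    """
    return "vpc" if ipaddress.ip_address(peer) in ipaddress.ip_network(vpc_net) else "public"


def summarize(text: str, local_port: int = 80) -> dict:
    """Count packets to local_port by (path, stage), stage being syn / fin / data/ack."""
    counts = Counter()
    for src, dst, dport, flags in parse_capture(text):
        if dport != local_port:
            continue
        stage = "syn" if flags == ["SYN"] else "fin" if "FIN" in flags else "data/ack"
        counts[(path_for(src), stage)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (path, stage), n in sorted(summarize(SAMPLE).items()):
        print(f"{path:7s} {stage:9s} {n}")
```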

tcpdump -i eth0  icmp -c 100                                # capture 100 ICMP packets


[root@LINUX ~]# tcpdump  -i eth0 dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

0 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@LINUX ~]# tcpdump  -i eth0 dst port 80 -vvvnn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:47:27.031035 IP (tos 0x0, ttl 64, id 20806, offset 0, flags [DF], proto TCP (6), length 806)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xddc3 (incorrect -> 0x8920), seq 4078467807:4078468573, ack 1557971244, win 468, length 766: HTTP
17:47:28.940747 IP (tos 0x0, ttl 64, id 20807, offset 0, flags [DF], proto TCP (6), length 610)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdcff (incorrect -> 0x0092), seq 766:1336, ack 1, win 468, length 570: HTTP
17:47:34.312611 IP (tos 0x14, ttl 63, id 28166, offset 0, flags [DF], proto TCP (6), length 57)
    8.130.106.94.51056 > 172.26.172.18.80: Flags [P.], cksum 0x2a06 (correct), seq 1813661346:1813661351, ack 2189176691, win 229, options [nop,nop,TS val 2746230 ecr 7759426], length 5: HTTP
17:47:34.313712 IP (tos 0x14, ttl 63, id 28167, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51056 > 172.26.172.18.80: Flags [.], cksum 0x6ff1 (correct), seq 5, ack 310, win 237, options [nop,nop,TS val 2746231 ecr 7808275], length 0
17:47:34.313788 IP (tos 0x14, ttl 63, id 28168, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51056 > 172.26.172.18.80: Flags [F.], cksum 0x6fef (correct), seq 5, ack 311, win 237, options [nop,nop,TS val 2746231 ecr 7808275], length 0
17:47:35.868136 IP (tos 0x0, ttl 64, id 20808, offset 0, flags [DF], proto TCP (6), length 46)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdacb (incorrect -> 0x60c2), seq 1336:1342, ack 11, win 468, length 6: HTTP
17:47:44.884151 IP (tos 0x14, ttl 63, id 45543, offset 0, flags [DF], proto TCP (6), length 60)
    8.130.106.94.51060 > 172.26.172.18.80: Flags [S], cksum 0xc60e (correct), seq 3405619494, win 29200, options [mss 1460,sackOK,TS val 2756801 ecr 0,nop,wscale 7], length 0
17:47:44.885250 IP (tos 0x14, ttl 63, id 45544, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51060 > 172.26.172.18.80: Flags [.], cksum 0x352f (correct), seq 3405619495, ack 2234997945, win 229, options [nop,nop,TS val 2756802 ecr 7818846], length 0
17:48:19.783291 IP (tos 0x0, ttl 64, id 20809, offset 0, flags [DF], proto TCP (6), length 1506)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xe07f (incorrect -> 0x825d), seq 1342:2808, ack 11, win 468, length 1466: HTTP
17:48:19.964427 IP (tos 0x0, ttl 64, id 20811, offset 0, flags [DF], proto TCP (6), length 46)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdacb (incorrect -> 0x5af8), seq 2808:2814, ack 21, win 468, length 6: HTTP
17:48:27.638192 IP (tos 0x0, ttl 64, id 20812, offset 0, flags [DF], proto TCP (6), length 806)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xddc3 (incorrect -> 0xad08), seq 2814:3580, ack 21, win 468, length 766: HTTP
17:48:29.245733 IP (tos 0x0, ttl 64, id 20813, offset 0, flags [DF], proto TCP (6), length 610)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdcff (incorrect -> 0xeb6e), seq 3580:4150, ack 21, win 468, length 570: HTTP
17:48:44.946284 IP (tos 0x14, ttl 63, id 45545, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51060 > 172.26.172.18.80: Flags [F.], cksum 0x5ff1 (correct), seq 0, ack 2, win 229, options [nop,nop,TS val 2816863 ecr 7878907], length 0
17:49:04.080238 IP (tos 0x0, ttl 64, id 20814, offset 0, flags [DF], proto TCP (6), length 46)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdacb (incorrect -> 0x55b0), seq 4150:4156, ack 31, win 468, length 6: HTTP
17:49:28.451032 IP (tos 0x0, ttl 64, id 20815, offset 0, flags [DF], proto TCP (6), length 806)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xddc3 (incorrect -> 0x6ff6), seq 4156:4922, ack 31, win 468, length 766: HTTP
17:49:28.451109 IP (tos 0x0, ttl 64, id 20816, offset 0, flags [DF], proto TCP (6), length 2888)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [.], cksum 0xe5e5 (incorrect -> 0xb348), seq 4922:7770, ack 31, win 468, length 2848: HTTP
17:49:28.482561 IP (tos 0x0, ttl 64, id 20818, offset 0, flags [DF], proto TCP (6), length 350)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdbfb (incorrect -> 0x19e2), seq 7770:8080, ack 31, win 468, length 310: HTTP
17:49:29.536449 IP (tos 0x0, ttl 64, id 20819, offset 0, flags [DF], proto TCP (6), length 610)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdcff (incorrect -> 0x8f80), seq 8080:8650, ack 31, win 468, length 570: HTTP
17:49:48.173481 IP (tos 0x0, ttl 64, id 20820, offset 0, flags [DF], proto TCP (6), length 46)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdacb (incorrect -> 0x4412), seq 8650:8656, ack 41, win 468, length 6: HTTP
17:50:01.450052 IP (tos 0x0, ttl 64, id 20821, offset 0, flags [DF], proto TCP (6), length 550)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdcc3 (incorrect -> 0x709b), seq 8656:9166, ack 41, win 468, length 510: HTTP
17:50:01.470261 IP (tos 0x0, ttl 64, id 20822, offset 0, flags [DF], proto TCP (6), length 1464)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [.], cksum 0xe055 (incorrect -> 0xe349), seq 9166:10590, ack 41, win 468, length 1424: HTTP
17:50:01.481692 IP (tos 0x0, ttl 64, id 20823, offset 0, flags [DF], proto TCP (6), length 82)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdaef (incorrect -> 0x045e), seq 10590:10632, ack 41, win 468, length 42: HTTP

22 packets captured
33 packets received by filter
0 packets dropped by kernel
[root@LINUX ~]# tcpdump  -i eth0 src port 80 -vvvnn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes






17:53:16.654042 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.26.172.18.80 > 8.130.106.94.51074: Flags [S.], cksum 0xcb3b (incorrect -> 0xf937), seq 562334937, ack 4083231034, win 28960, options [mss 1460,sackOK,TS val 8150616 ecr 3088571,nop,wscale 7], length 0
17:53:28.657024 IP (tos 0x0, ttl 52, id 46108, offset 0, flags [DF], proto TCP (6), length 50)
    100.100.30.26.80 > 172.26.172.18.57584: Flags [P.], cksum 0x1eed (correct), seq 1557971324:1557971334, ack 4078484193, win 2010, length 10: HTTP
17:53:28.697675 IP (tos 0x0, ttl 52, id 46109, offset 0, flags [DF], proto TCP (6), length 40)
    100.100.30.26.80 > 172.26.172.18.57584: Flags [.], cksum 0x1fab (correct), seq 10, ack 7, win 2010, length 0
17:53:30.779252 IP (tos 0x0, ttl 52, id 46110, offset 0, flags [DF], proto TCP (6), length 40)
    100.100.30.26.80 > 172.26.172.18.57584: Flags [.], cksum 0x1d73 (correct), seq 10, ack 577, win 2008, length 0
17:53:31.261657 IP (tos 0x0, ttl 52, id 46111, offset 0, flags [DF], proto TCP (6), length 40)
    100.100.30.26.80 > 172.26.172.18.57584: Flags [.], cksum 0x1a75 (correct), seq 10, ack 1343, win 2008, length 0

5 packets captured
14 packets received by filter
0 packets dropped by kernel
[root@LINUX ~]# tcpdump  -i eth0 dst port 80 -vvvnn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:54:07.112650 IP (tos 0x14, ttl 63, id 2436, offset 0, flags [DF], proto TCP (6), length 57)
    8.130.106.94.51074 > 172.26.172.18.80: Flags [P.], cksum 0xcd23 (correct), seq 4083231034:4083231039, ack 562334938, win 229, options [nop,nop,TS val 3139030 ecr 8150616], length 5: HTTP
17:54:07.113712 IP (tos 0x14, ttl 63, id 2437, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51074 > 172.26.172.18.80: Flags [.], cksum 0x0cc5 (correct), seq 5, ack 310, win 237, options [nop,nop,TS val 3139031 ecr 8201075], length 0
17:54:07.113799 IP (tos 0x14, ttl 63, id 2438, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51074 > 172.26.172.18.80: Flags [F.], cksum 0x0cc3 (correct), seq 5, ack 311, win 237, options [nop,nop,TS val 3139031 ecr 8201075], length 0
17:54:08.104133 IP (tos 0x14, ttl 63, id 8019, offset 0, flags [DF], proto TCP (6), length 60)
    8.130.106.94.51078 > 172.26.172.18.80: Flags [S], cksum 0x91d1 (correct), seq 3496933094, win 29200, options [mss 1460,sackOK,TS val 3140021 ecr 0,nop,wscale 7], length 0
17:54:08.105262 IP (tos 0x14, ttl 63, id 8020, offset 0, flags [DF], proto TCP (6), length 52)
    8.130.106.94.51078 > 172.26.172.18.80: Flags [.], cksum 0x21a4 (correct), seq 3496933095, ack 4113494804, win 229, options [nop,nop,TS val 3140023 ecr 8202066], length 0
17:54:12.771479 IP (tos 0x0, ttl 64, id 20845, offset 0, flags [DF], proto TCP (6), length 46)
    172.26.172.18.57584 > 100.100.30.26.80: Flags [P.], cksum 0xdacb (incorrect -> 0x19c2), seq 4078487229:4078487235, ack 1557971344, win 468, length 6: HTTP

6 packets captured
15 packets received by filter
0 packets dropped by kernel
[root@LINUX ~]# tcpdump  -i eth0 dst port 80 -vvvnn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


17:54:45.291697 IP (tos 0x10, ttl 64, id 28749, offset 0, flags [DF], proto TCP (6), length 60)
    172.26.172.19.54982 > 172.26.172.18.80: Flags [S], cksum 0x9115 (correct), seq 931859124, win 29200, options [mss 1460,sackOK,TS val 3177209 ecr 0,nop,wscale 7], length 0
17:54:45.291982 IP (tos 0x10, ttl 64, id 28750, offset 0, flags [DF], proto TCP (6), length 52)
    172.26.172.19.54982 > 172.26.172.18.80: Flags [.], cksum 0xedcf (correct), seq 931859125, ack 2569597167, win 229, options [nop,nop,TS val 3177210 ecr 8239254], length 0

2 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@LINUX ~]# tcpdump  -i eth0 src port 80 -vvvnn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


17:55:11.183893 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.26.172.18.80 > 172.26.172.19.54986: Flags [S.], cksum 0xb089 (incorrect -> 0x6efc), seq 3849604976, ack 3916284803, win 28960, options [mss 1460,sackOK,TS val 8265146 ecr 3203102,nop,wscale 7], length 0
17:55:31.397816 IP (tos 0x0, ttl 52, id 46123, offset 0, flags [DF], proto TCP (6), length 40)
    100.100.30.26.80 > 172.26.172.18.57584: Flags [.], cksum 0xff08 (correct), seq 1557971354, ack 4078492535, win 2008, length 0
17:55:32.724423 IP (tos 0x0, ttl 52, id 46124, offset 0, flags [DF], proto TCP (6), length 40)
    100.100.30.26.80 > 172.26.172.18.57584: Flags [.], cksum 0xfc0a (correct), seq 0, ack 767, win 2008, length 0
The previous post covered how to use tcpdump filter expressions to capture packets; for ordinary needs that is usually enough. This post shows how to make the filter conditions more specific during a capture.

The common tcpdump options were introduced in the previous post; they are listed here again for convenience. For more options see the tcpdump website.

Common options
-n   Do not resolve IP addresses to names.
-nn  Do not resolve IP addresses or port numbers to names.
-i   Interface to capture on.
-w   Write packets to the given file; it is created if it does not exist and overwritten if it does.
-f   Specify a filter expression, for example which port or protocol to capture.
-r   Read packets from the given file.
-F   Read the filter expression from the given file.
-D   List all interfaces tcpdump can capture on.
-c   Number of packets to capture or read; give the number directly after -c.
-l   View packet contents while they are being saved to a file at the same time.
-t   Do not print timestamps.
-tt  Print timestamps in seconds.
-ttt Print timestamps to microsecond or nanosecond precision, depending on the --time-stamp-precision option.
-s   Bytes to capture per packet; -s0 removes the limit, use it to capture complete packets.
-S   Print absolute TCP sequence numbers instead of relative ones.
-v/-vv/-vvv  Print verbose output; the more v's, the more detail.
Command overview
This post covers the following commands:

> #capture IPv6 packets
> tcpdump -i ens33 ip6 -c3

> #capture ICMP packets
> tcpdump -i ens33 icmp -c3

> #capture UDP packets
> tcpdump -nni ens33 udp -c4

> #refer to a protocol by its number
> tcpdump -nni ens33 proto 17 -c1 -v

> #destination port range 25-110
> tcpdump -nni ens33 dst portrange 25-110 -c3

> #capture on any interface
> tcpdump -nni any -c3

> #capture by packet size
> tcpdump -nni any less 32 -c3

> #specific source IP and destination port
> tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53

> #capture packets from network A to network B (parentheses needed: and/or group left to right)
> tcpdump -i ens33 -nvX 'src net 192.168.248.0/24 and (dst net 10.0.0.0/8 or 14.215.177.0/24)'

> #capture non-ICMP packets
> tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3

> #capture packets whose port is not 53
> tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3

> #extract User-Agent
> tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"

> #extract User-Agent and Host
> tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"

> #extract HTTP request URLs
> tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"

> #extract password fields from HTTP requests
> tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"

> #capture cookies
> tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"

> #capture ICMP packets not generated by ping
> tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Simple commands
1. Specifying the protocol type
1) Capturing IPv6 packets

Just append ip6 to the command; this captures 3 packets and prints them directly.

[sunft@localhost ~]$ sudo su
[sudo] sunft 的密码:
[root@localhost sunft]# tcpdump -i ens33 ip6 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:59:04.628607 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:05.629175 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:06.805183 IP6 fe80::24b1:28c6:e76:62f > ff02::1:ffc0:2222: ICMP6, neighbor solicitation, who has gateway, length 32
3 packets captured
3 packets received by filter
0 packets dropped by kernel

2) Capturing ICMP packets

Append icmp to the command; this captures 3 packets and displays them.

[root@localhost sunft]# tcpdump -i ens33 icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:17:16.066307 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 1, length 64
22:17:16.070765 IP 14.215.177.39 > localhost: ICMP echo reply, id 3354, seq 1, length 64
22:17:18.106814 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 2, length 64
3 packets captured
3 packets received by filter
0 packets dropped by kernel

3) Capturing UDP packets

Step 1: enter the following command in a terminal to listen on the interface.

[root@localhost sunft]# tcpdump -nni ens33 udp -c4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:03.108888 IP 192.168.248.134.39477 > 192.168.248.2.53: 25720+ A? www.baidu.com. (31)
22:23:03.111247 IP 192.168.248.2.53 > 192.168.248.134.39477: 25720 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
22:23:11.144382 IP 192.168.248.134.60917 > 192.168.248.2.53: 61648+ A? www.baidu.com. (31)
22:23:11.146571 IP 192.168.248.2.53 > 192.168.248.134.60917: 61648 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Step 2: in another terminal, look up Baidu's IP address.

[sunft@localhost ~]$ nslookup www.baidu.com
Server:		192.168.248.2
Address:	192.168.248.2#53

Non-authoritative answer:
Name:	www.baidu.com
Address: 14.215.177.39
Name:	www.baidu.com
Address: 14.215.177.38

4) Referring to a protocol by its number

Some protocols have a corresponding decimal number; see the references at the end of this post. Here proto 17 stands for UDP.

[root@localhost sunft]# tcpdump -nni ens33 proto 17 -c1 -v
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:45:13.789092 IP (tos 0x0, ttl 64, id 30301, offset 0, flags [none], proto UDP (17), length 59)
    192.168.248.134.62450 > 192.168.248.2.53: 65418+ A? www.baidu.com. (31)
1 packet captured
1 packet received by filter
0 packets dropped by kernel

2. Port ranges
The example below captures 3 packets whose destination port is in the range 25-110 and displays them.

[root@localhost sunft]# tcpdump -nni ens33 dst portrange 25-110 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:14:17.482566 IP 192.168.248.134.54275 > 117.18.237.29.80: Flags [.], ack 1058826142, win 30732, length 0
20:14:26.026503 IP 192.168.248.134.57943 > 104.86.182.64.80: Flags [.], ack 826562746, win 31088, length 0
20:14:26.218510 IP 192.168.248.134.54271 > 117.18.237.29.80: Flags [.], ack 214582950, win 30732, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel

3. Any interface
Use **-i any** to capture packets from all interfaces. The example below captures 3 arbitrary packets across all interfaces.

[root@localhost sunft]# tcpdump -nni any -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:10:36.401132 IP6 ::1.34187 > ::1.6150: Flags [S], seq 597567463, win 43690, options [mss 65476,sackOK,TS val 4294844481 ecr 0,nop,wscale 7], length 0
20:10:36.401142 IP6 ::1.6150 > ::1.34187: Flags [R.], seq 0, ack 597567464, win 0, length 0
20:10:36.401683 IP 192.168.248.134.54356 > 192.168.248.134.6150: Flags [S], seq 1007347807, win 43690, options [mss 65495,sackOK,TS val 4294844482 ecr 0,nop,wscale 7], length 0
3 packets captured
8 packets received by filter
0 packets dropped by kernel

4. Capturing by packet size
The example below captures packets of 32 bytes or less. Related forms are:

tcpdump 'len <= 12'
tcpdump less 32
tcpdump greater 64

[root@localhost sunft]# tcpdump -nni any less 32 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:24:46.272538 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:25:18.223937 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:26:22.687704 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Combined conditions
tcpdump conditions can be combined as follows, using either the English keyword or the programming-style operator:

and: and, &&
or: or, ||
not: not, !
1. Specific source IP and destination port
The example below specifies the source IP and destination port and prints the captured packets directly.

[root@localhost sunft]# tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:20:32.665037 IP (tos 0x0, ttl 64, id 18881, offset 0, flags [none], proto UDP (17), length 59)
    192.168.248.134.19811 > 192.168.248.2.53: [bad udp cksum 0x7213 -> 0xd53b!] 44784+ A? www.baidu.com. (31)
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

2. From one network to another
The example below captures packets from network 192.168.248.0/24 to 10.0.0.0/8 or 14.215.177.0/24 and displays them in hexadecimal. Note that and and or have equal precedence and group left to right, so the unquoted expression in the session below actually reads as (src net 192.168.248.0/24 and dst net 10.0.0.0/8) or dst net 14.215.177.0/24; to get the intended meaning, quote the expression and put parentheses around the two destination networks.

[root@localhost sunft]# tcpdump -i ens33 -nvX src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:40:12.015817 IP (tos 0x0, ttl 64, id 13253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.248.134 > 14.215.177.39: ICMP echo request, id 4237, seq 116, length 64
	0x0000:  4500 0054 33c5 4000 4001 8db6 c0a8 f886  E..T3.@.@.......
	0x0010:  0ed7 b127 0800 3780 108d 0074 ac10 c45d  ...'..7....t...]
	0x0020:  0000 0000 803d 0000 0000 0000 1011 1213  .....=..........
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637                                4567

3. Showing all non-ICMP packets to a specific destination
The example below captures all non-ICMP packets going to 14.215.177.39.

[root@localhost sunft]# tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:47:15.778919 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [P.], seq 1004614837:1004615422, ack 1412106833, win 64240, length 585
20:47:15.803720 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 1281, win 64240, length 0
20:47:15.805020 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 9012, win 64240, length 0
3 packets captured
4 packets received by filter
0 packets dropped by kernel


4. Capturing packets not on a specific port
The first example below captures packets whose source address is 192.168.248.134 and whose port is not 53. The second command does not restrict the port, and its second packet is on port 53. To reproduce this, run nslookup <domain> in a terminal to look up the domain's IP.

[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:44.752134 IP 192.168.248.134.44515 > 54.71.96.255.443: Flags [.], ack 481446081, win 46720, length 0
20:52:45.839762 IP 192.168.248.134.18390 > 117.18.237.29.80: Flags [.], ack 971127717, win 30693, length 0
20:52:46.351895 IP 192.168.248.134.18362 > 117.18.237.29.80: Flags [.], ack 643063100, win 35415, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:56:15.856140 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:56:17.661719 IP 192.168.248.134.32617 > 192.168.248.2.53: 59708+ A? www.baidu.com. (31)


5. Extracting HTTP User-Agents
The example below prints the lines containing User-Agent: from the captured packets.

[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C159 packets captured
159 packets received by filter
0 packets dropped by kernel

6. Extracting User-Agent and Host
The example below filters the lines containing User-Agent: and Host: out of the captured packets.

[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: ocsp2.globalsign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C440 packets captured
440 packets received by filter
0 packets dropped by kernel

7. Extracting HTTP request URLs
The example below prints the lines containing "POST /|GET /|Host:" from the captured packets.

[root@localhost sunft]# tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
	GET /success.txt HTTP/1.1
	Host: detectportal.firefox.com
	POST /gsorganizationvalsha2g2 HTTP/1.1
	Host: ocsp2.globalsign.com
^C141 packets captured
141 packets received by filter
0 packets dropped by kernel


8. Extracting password fields from HTTP requests
The example below prints the lines containing "POST /|pwd=|passwd=|password=|Host:" from the captured packets. Two sites were tried and no password-related information was captured, only the POST / and Host: lines.

[root@localhost sunft]# tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:21:15.665274 IP 192.168.248.134.43313 > 203.208.40.56.http: Flags [P.], seq 1:456, ack 1, win 29200, length 455: HTTP: POST /gts1o1 HTTP/1.1
E.....@.@.........(8.1.P.. x;M:.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
21:21:15.668271 IP 192.168.248.134.43315 > 203.208.40.56.http: Flags [P.], seq 1:455, ack 1, win 29200, length 454: HTTP: POST /gts1o1 HTTP/1.1
E...I.@.@.B.......(8.3.P....3.e.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
Host: www.lagou.com
^C1387 packets captured
1387 packets received by filter
0 packets dropped by kernel


9. Capturing cookies
The example below filters out the lines containing cookies from the captured packets; the Host field has been redacted.

[root@localhost sunft]# tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: www.xxxxxxx.com
Cookie: PHPSESSID=c3h8rr3p53840hes7jnokqpkm7; UM_distinctid=16e461159b850d-0158e82f770eed8-38694646-ae786-16e461159b93ed; CNZZDATA1274340067=1698433595-1573133535-%7C1573133535


10. Capturing ICMP packets not generated by ping
The example below captures ICMP packets that were not generated by ping; such packets can be produced with the traceroute command.

[root@localhost sunft]# tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:41:26.959040 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959049 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959050 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
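As an added example that is not part of the original post, the Python below reimplements two of the byte-offset filters used above over constructed packets: the section 10 filter 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' and the section 4 size filter 'less N' (equivalent to 'len <= N'). It shows why tcpdump's icmp[...] also implies proto ICMP: a UDP packet whose first payload byte happens to equal 11 must not match. The packets carry no link-layer header, so len here is the IP packet length.

```python
"""Byte-offset packet filters of the kind tcpdump compiles, in plain Python.

Added example, not from the original post. The packets are constructed
(addresses taken from the post's lab network, checksums left zero).
"""
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
# tcpdump names: icmp-echoreply, icmp-echo, icmp-timxceed
ICMP_ECHO_REPLY, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 8, 11


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (no options) followed by payload."""
    src, dst = bytes([192, 168, 248, 2]), bytes([192, 168, 248, 134])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst)
    return hdr + payload


def build_icmp(icmp_type: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP header: type, code, checksum(0), id, seq, then payload."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload


def ihl_bytes(pkt: bytes) -> int:
    """IP header length in bytes, from the low nibble of byte 0 (ip[0] & 0x0f)."""
    return (pkt[0] & 0x0F) * 4


def icmp_type(pkt: bytes) -> int:
    """icmp[icmptype]: byte 0 of the ICMP header, which starts right after the IP header."""
    return pkt[ihl_bytes(pkt)]


def is_non_ping_icmp(pkt: bytes) -> bool:
    """'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'.

    The protocol check (byte 9 of the IP header) comes first, as it does in
    the compiled filter; otherwise non-ICMP packets could match on a lookalike byte.
    """
    return pkt[9] == IPPROTO_ICMP and icmp_type(pkt) not in (ICMP_ECHO, ICMP_ECHO_REPLY)


def len_at_most(pkt: bytes, n: int) -> bool:
    """'less n', which tcpdump treats as 'len <= n'."""
    return len(pkt) <= n


def apply_filter(pkts, predicate):
    """Return the packets the filter passes, i.e. what tcpdump would print."""
    return [p for p in pkts if predicate(p)]


# Constructed sample packets.
PING_REQUEST = build_ipv4(IPPROTO_ICMP, build_icmp(ICMP_ECHO, bytes(range(56))))       # 84 bytes, like the -X dump above
PING_REPLY = build_ipv4(IPPROTO_ICMP, build_icmp(ICMP_ECHO_REPLY, bytes(range(56))))
TTL_EXCEEDED = build_ipv4(IPPROTO_ICMP, build_icmp(ICMP_TIME_EXCEEDED, b"\x00" * 28))  # what traceroute provokes
UDP_LOOKALIKE = build_ipv4(IPPROTO_UDP, bytes([ICMP_TIME_EXCEEDED]) + b"\x00" * 7)     # first payload byte is 11 but not ICMP
SAMPLE = [PING_REQUEST, PING_REPLY, TTL_EXCEEDED, UDP_LOOKALIKE]

if __name__ == "__main__":
    print("non-ping ICMP packets:", len(apply_filter(SAMPLE, is_non_ping_icmp)))
    print("packets with len <= 32:", len(apply_filter(SAMPLE, lambda p: len_at_most(p, 32))))
```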

References
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
https://www.thegeekdiary.com/18-practical-tcpdump-command-examples-a-network-sniffer-tool-primer/
https://hackertarget.com/tcpdump-examples/
