10流量监控工具TCPDUMP

流量监控工具TCPDUMP

在网络中，数据的采集和分析是不可少的，通过数据的采集后分析可以查看到网络中的流量通信情况，从而定位到网络中的故障及攻击

一、流量监控工具

1、Windows流量监控工具

• Wireshark

• 科莱网络分析系统

2、Linux 流量监控工具

• TCPDump

二、TCPDump

1、概述

• Linux作为网络服务器，特别是作为路由器和网关时，数据的采集和分析是不可少的。TcpDump是Linux中强大的网络数据采集分析工具之一。
• TCPDump（dump the traffic on a network），根据使用者的定义对网络上的数据包进行截获的包分析工具，支持针对网络层、协议、主机、网络或端口的过滤，并提供and、or、not等逻辑语句来帮助你去掉无用的信息。
• 基于数据包的五元组（源IP、目的IP、源端口、目的端口、协议）

2、安装并查看帮助信息

[root@CentOS7-4 ~]# yum -y install tcpdump

[root@CentOS7-4 ~]# tcpdump --help
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q|-P in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
		[ -Z user ] [ expression ]

三、常用语法

1、抓取ARP协议

-i    #指定网络接口
-b    #在网络层上选择协议
[root@CentOS7-4 ~]# tcpdump -b arp -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:02:59.069282 ARP, Request who-has CentOS7-4 (00:0c:29:b6:ef:bb (oui Unknown)) tell 192.168.88.1, length 46
15:02:59.069299 ARP, Reply CentOS7-4 is-at 00:0c:29:b6:ef:bb (oui Unknown), length 28
15:02:59.102235 ARP, Request who-has CentOS7-4 tell gateway, length 46
15:02:59.102250 ARP, Reply CentOS7-4 is-at 00:0c:29:b6:ef:bb (oui Unknown), length 28
15:03:04.114332 ARP, Request who-has gateway tell CentOS7-4, length 28
15:03:04.114488 ARP, Reply gateway is-at 00:50:56:e8:bb:df (oui Unknown), length 46

2、指定网卡和主机抓包

#host    后面跟主机
[root@CentOS7-4 ~]# tcpdump -i any host 192.168.88.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:17:02.032051 ARP, Request who-has gateway tell CentOS7-4, length 28
15:17:02.032205 ARP, Reply gateway is-at 00:50:56:e8:bb:df (oui Unknown), length 46
15:17:02.032623 IP CentOS7-4.54231 > gateway.domain: 6102+ PTR? 2.88.168.192.in-addr.arpa. (43)
15:17:02.100822 IP gateway.domain > CentOS7-4.54231: 6102 NXDomain 0/1/0 (98)
15:17:02.101743 IP CentOS7-4.35760 > gateway.domain: 39657+ PTR? 131.88.168.192.in-addr.arpa. (45)
15:17:02.170818 IP gateway.domain > CentOS7-4.35760: 39657 NXDomain 0/1/0 (80)

3、写入文件并查阅报文(-w、-r)

[root@CentOS7-4 ~]# tcpdump -i any host 192.168.88.1 -nn -v -w client.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C29 packets captured
32 packets received by filter
0 packets dropped by kernel
#-nn    禁止反向解析
#-v        显示详细抓包信息
#-w        写入到client.pcap
[root@CentOS7-4 ~]# ls
1.txt  anaconda-ks.cfg   client.pcap  mymkdir  zhangsan

4、指定来源IP或目的IP或网段(src、dst、net)

[root@CentOS7-4 ~]# tcpdump -i any src host 192.168.88.1 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:51:32.001476 IP 192.168.88.1.61800 > 192.168.88.131.22: Flags [.], ack 1379754916, win 4104, length 0
15:51:32.059966 IP 192.168.88.1.61800 > 192.168.88.131.22: Flags [.], ack 141, win 4103, length 0
15:51:32.119785 IP 192.168.88.1.61800 > 192.168.88.131.22: Flags [.], ack 281, win 4102, length 0
15:51:32.160232 IP 192.168.88.1.61800 > 192.168.88.131.22: Flags [.], ack 421, win 4102, length 0
15:51:32.219927 IP 192.168.88.1.61800 > 192.168.88.131.22: Flags [.], ack 561, win 4101, length 0
15:51:32.279714 IP 192.168.88.1.61800 > 192.168.88.131.22: Flags [.], ack 701, win 4101, length 0

5、指定每个报文抓包字节数(-s)

[root@CentOS7-4 ~]# tcpdump -nn -i any -s 84 host 192.168.1.1  
 #imcp协议默认为“56字节”数据字节+“28字节”的ICMP头，一共是84字节

6、抓传输层指定端口（tcp、udp）

[root@CentOS7-4 ~]# tcpdump -nn -i any tcp port 80

7、使用逻辑表达式(or、and、not)

[root@CentOS7-4 ~]# tcpdump -nn -i any host 192.168.1.1 and icmp

8、指定数据包大小过滤(greater、less)

[root@CentOS7-4 ~]# tcpdump -nn -s 0 -i any host 192.168.1.1 and greater 1000 and icmp        
#大于1000字节

9、抓取指定Flag位的报文

[root@CentOS7-4 ~]# tcpdump -nn -i any -s 0 -c 1 'tcp[tcpflags] & tcp-syn != 0'

10、捕获DHCP的请求和响应

[root@CentOS7-4 ~]# tcpdump -v -n port 67 or 68

11、配合shell获取最高的IP数

[root@CentOS7-4 ~]# tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d ``'.'` `| sort | uniq -c | sort -nr | head -n 20