1. netstat
netstat -su    // UDP protocol statistics (datagrams received/sent, receive errors); these are protocol counters, not per-interface counts
netstat -st    // TCP protocol statistics
netstat -anp | grep "^tcp"    // all TCP sockets with numeric addresses/ports and the owning PID/program (-p shows other users' processes only when run as root)
2. ping, traceroute, inetd, rlogin: omitted
3. tcpdump; for details see: http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html
tcpdump decodes many protocols and keeps monitoring continuously, like tail -f, until stopped with Ctrl-C.
Run it as root (or through sudo): opening a capture socket needs raw-socket privileges (CAP_NET_RAW on Linux), so an ordinary user typing tcpdump gets a permission error instead of packets.
Syntax:
1. Type qualifiers: host, port, net (a subnet, e.g. net 192.168.1.0/24)
2. Logical operators: and, or, not (also !), and parentheses, e.g. tcpdump 'port 80 and (host 192.168.1.10 or host 192.168.1.11)'. Parentheses are shell metacharacters, so quote the whole expression.
3. Direction qualifiers: src, dst
4. Protocol qualifiers: ether (Ethernet), ip, tcp, udp, icmp, arp, rarp (reverse ARP); all lowercase
5. Primitives: arithmetic and comparison operators (+, -, *, /, &, |, <<, >>, >, <, >=, <=, ==, !=), broadcast, gateway, greater N (packet length >= N), less N (packet length <= N)
Examples:
1. Watch every packet passing through one interface
tcpdump <==> tcpdump -i eth0    // with no -i, tcpdump picks the first configured non-loopback interface (eth0 here); -i any captures on all interfaces
tcpdump -i lo    // packets to/from localhost
2. Select a host by name or IP
tcpdump host www.baidu.com <==> tcpdump host 61.135.169.105    // the name is resolved once when the filter is compiled; if it maps to several addresses, each is matched
3. Select by source/destination IP or port (src/dst qualify host or port; tcp/udp is a separate protocol qualifier that is combined with them using and: tcp and host ...)
tcpdump src host 192.168.1.10
tcpdump udp dst port 514
4. Port and host together
tcpdump tcp port 23 and host 192.168.1.10
5. Select by TCP flags (connection open and close: SYN and FIN segments)
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and host www.baidu.com'
tcpdump '(tcp-syn|tcp-fin) != 0 and host www.baidu.com'
Only the first form is correct. tcp-syn and tcp-fin are constants (0x02 and 0x01), so in the second form the comparison never reads the packet and does not restrict the capture to SYN/FIN segments; the flags byte has to be read with tcp[tcpflags] (i.e. tcp[13]) and masked. The single quotes are required in either case: [, ], | and ( are shell metacharacters.
6. Select by data length (the application payload; the TCP/IP headers do not count: total IP datagram length minus IP header length minus TCP header length)
Pure SYN, FIN and ACK segments carry no data (length=0):
tcpdump 'ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) == 0'    works
tcpdump 'ip[2:2] - (ip[0]&0xf)<<2 - (tcp[12]&0xf0)>>2 == 0'        does not give the intended result: in the pcap filter grammar, as in C, << and >> bind less tightly than -, so this parses as ((ip[2:2] - (ip[0]&0xf)) << (2 - (tcp[12]&0xf0))) >> 2. Parenthesise each term.
ip[2:2]: bytes 2-3 of the IP header, the Total Length field, i.e. the length of the whole IP datagram in bytes.
((ip[0]&0xf)<<2): the IP header length. ip[0]&0xf is the 4-bit IHL field (values 0-15), which counts 32-bit words rather than bytes; multiplying by 4 (<<2) converts it to bytes (a header without options has IHL=5, i.e. 20 bytes).
((tcp[12]&0xf0)>>2): the TCP header length. The 4-bit Data Offset field is the high nibble of byte 12 and also counts 32-bit words; >>4 would give words and <<2 converts words to bytes, so the net shift is >>2 (no options: 0x50>>2 = 20 bytes).
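To check the arithmetic in examples 5 and 6 without a live interface, the following added example (my code, not part of the original page) builds minimal IPv4/TCP packets from constructed values and evaluates the same byte-offset expressions tcpdump compiles: tcp[13] masked with SYN|FIN, and the Total Length minus IHL*4 minus DataOffset*4 payload formula. The addresses, ports and option bytes are made up for the demonstration; the seq/ack numbers are the ones from the sample line later on the page.

```python
# Added example (not from the page): evaluate the tcpdump byte-offset filters
# 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' and
# 'ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) == 0'
# in plain Python against constructed IPv4/TCP packets.
import struct

# TCP flag bits as tcpdump names them (tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(flags, payload=b"", ip_options=b"", tcp_options=b""):
    """Construct IPv4 header + TCP header + payload (no Ethernet header).

    Checksums are left as zero: neither filter reads them. Options must be
    padded to a multiple of 4 bytes, as on the wire. Addresses are made up.
    """
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to 32-bit words")
    ihl_words = (20 + len(ip_options)) // 4       # IHL field, in 32-bit words
    doff_words = (20 + len(tcp_options)) // 4     # TCP Data Offset, in 32-bit words
    total_len = 4 * ihl_words + 4 * doff_words + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,          # version 4, IHL in the low nibble of byte 0
        0, total_len,                  # TOS, Total Length (this is ip[2:2])
        0x1234, 0, 64, 6, 0,           # id, flags/frag, TTL, proto=TCP, checksum
        bytes([192, 168, 1, 10]), bytes([61, 135, 169, 125]),
    ) + ip_options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        37599, 80,                     # source / destination port
        954321585, 1948466921,         # seq / ack (values from the page's sample line)
        doff_words << 4,               # Data Offset in the high nibble of tcp[12]
        flags, 14600, 0, 0,            # flags (tcp[13]), window, checksum, urgent ptr
    ) + tcp_options
    return ip_hdr + tcp_hdr + payload


def ip_index(pkt, off, size=1):
    """ip[off:size]: big-endian integer read from the IP header."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp_index(pkt, off, size=1):
    """tcp[off:size]: same, relative to the TCP header, which is found via IHL
    exactly as tcpdump does (so IP options shift it correctly)."""
    ihl_bytes = (pkt[0] & 0xF) << 2
    return int.from_bytes(pkt[ihl_bytes + off:ihl_bytes + off + size], "big")


def is_syn_or_fin(pkt):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0   (tcpflags is byte 13)."""
    return tcp_index(pkt, 13) & (TCP_SYN | TCP_FIN) != 0


def tcp_payload_len(pkt):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), fully parenthesised.

    IHL and Data Offset count 32-bit words: <<2 turns IHL into bytes; the
    Data Offset sits in the high nibble of tcp[12], so >>4 gives words and
    <<2 gives bytes, a net >>2.
    """
    total = ip_index(pkt, 2, 2)
    ip_hdr_len = (ip_index(pkt, 0) & 0xF) << 2
    tcp_hdr_len = (tcp_index(pkt, 12) & 0xF0) >> 2
    return total - ip_hdr_len - tcp_hdr_len


def has_no_payload(pkt):
    """Filter 6 from the page: pure SYN/FIN/ACK segments carry zero data."""
    return tcp_payload_len(pkt) == 0


if __name__ == "__main__":
    syn = build_ipv4_tcp(TCP_SYN, tcp_options=b"\x02\x04\x05\xb4")      # MSS option: Data Offset 6
    fin_ack = build_ipv4_tcp(TCP_FIN | TCP_ACK)
    data = build_ipv4_tcp(TCP_PSH | TCP_ACK, payload=b"GET / HTTP/1.1\r\n",
                          ip_options=b"\x01\x01\x01\x01")                # four NOPs: IHL 6
    for name, p in [("syn", syn), ("fin_ack", fin_ack), ("data", data)]:
        print(name, "syn_or_fin:", is_syn_or_fin(p), "payload_len:", tcp_payload_len(p))
```

The third packet carries both IP options and a payload, which is exactly the case where forgetting the IHL and Data Offset scaling (or mis-parenthesising the shifts) produces a wrong length; the function still returns the 16 payload bytes because the TCP header is located through IHL, as in the compiled filter.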
7. Save to a file instead of printing to the console
tcpdump -w test.pcap -i eth1 'tcp port 6881 or udp port (33210 or 33220)'
The port keyword is needed before the parenthesised list: a bare number only inherits the most recent host/port/net keyword, and udp on its own is not one. Quoting the whole filter avoids having to escape the parentheses for the shell. Read the file back with tcpdump -r test.pcap (optionally with a new filter).
8. Reading the output
root@river-virtual-machine:~# tcpdump udp port 516 and host 192.168.22.112
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
// "capture size" is the snapshot length: -s 64 keeps only the first 64 bytes of each packet; -s 0 keeps whole packets
16:35:43.550064 IP river-virtual-machine.local.37599 > 61.135.169.125.http: Flags [F.], seq 954321585, ack 1948466921, win 14600, length 0
timestamp  source host.port > destination host.port  packet fields (Flags [F.]: F = FIN, "." = ACK, S = SYN, P = PSH, R = RST; seq and ack numbers; win = advertised window; length = TCP payload bytes). Host and service names come from name resolution; -n prints raw addresses and ports and skips the lookups. (This sample line is a TCP segment to port http, so it was captured under a different filter than the udp port 516 one shown above.)
999980 packets captured
1000000 packets received by filter
20 packets dropped by kernel
// "received by filter" counts packets that matched the BPF filter; "dropped by kernel" (20 here) are matching packets the kernel discarded because its capture buffer was already full when tcpdump (via libpcap) had not yet read the earlier ones out. Remedies: a larger kernel buffer (-B <size in KiB>), no name resolution (-n), and writing raw packets with -w instead of decoding them on the fly.
Sending 8916 messages with loggen and stopping tcpdump immediately afterwards: only 31 were processed, so decoding to the console could not keep up with the burst and the capture is not a reliable record of it:
31 packets captured
8916 packets received by filter
8885 packets dropped by kernel
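A capture is only evidence if the "dropped by kernel" counter is acceptable, so the trailer should be checked mechanically rather than eyeballed. The following added example (my code, not from the page) parses tcpdump's default one-line IPv4/TCP summary and the three-line statistics trailer, decodes the flag letters, and computes the fraction of filter-matching packets the kernel dropped. The sample text is the output shown above; the regular expressions assume the default (non -v) tcpdump line layout.

```python
# Added example (not from the page): parse tcpdump summary lines and the
# "packets captured / received by filter / dropped by kernel" trailer.
import re

# e.g. 16:35:43.550064 IP host.37599 > 61.135.169.125.http: Flags [F.], seq 1, ack 2, win 14600, length 0
PACKET_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
STATS_RE = re.compile(
    r"^(?P<n>\d+) packets? (?P<what>captured|received by filter|dropped by kernel)$"
)

# tcpdump's flag letters; "." stands for ACK
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}


def parse_packet_line(line):
    """Return a dict of fields for one summary line, or None if it is not one."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("time", "src", "sport", "dst", "dport")}
    rec["flags"] = [FLAG_NAMES.get(c, c) for c in m.group("flags")]
    # ", seq 954321585, ack 1948466921, win 14600, length 0" -> integers
    for key, val in re.findall(r"\b(seq|ack|win|length) (\d+)", m.group("rest")):
        rec[key] = int(val)
    return rec


def parse_stats(text):
    """Collect the three counters tcpdump prints on exit."""
    stats = {}
    for ln in text.splitlines():
        m = STATS_RE.match(ln.strip())
        if m:
            stats[m.group("what")] = int(m.group("n"))
    return stats


def drop_ratio(stats):
    """Fraction of filter-matching packets the kernel dropped before tcpdump read them."""
    received = stats.get("received by filter", 0)
    dropped = stats.get("dropped by kernel", 0)
    return dropped / received if received else 0.0


def analyse(text):
    packets = [p for p in (parse_packet_line(ln) for ln in text.splitlines()) if p]
    stats = parse_stats(text)
    return {"packets": packets, "stats": stats, "drop_ratio": drop_ratio(stats)}


# Constructed input: the page's sample packet line and its first statistics trailer.
SAMPLE = """\
16:35:43.550064 IP river-virtual-machine.local.37599 > 61.135.169.125.http: Flags [F.], seq 954321585, ack 1948466921, win 14600, length 0
999980 packets captured
1000000 packets received by filter
20 packets dropped by kernel
"""

# The loggen run from the page: only 31 of 8916 datagrams reached tcpdump.
LOGGEN_TRAILER = """\
31 packets captured
8916 packets received by filter
8885 packets dropped by kernel
"""

if __name__ == "__main__":
    r = analyse(SAMPLE)
    print(r["packets"][0]["flags"], r["packets"][0]["length"])
    print("drop ratio: %.5f" % r["drop_ratio"])
    print("loggen drop ratio: %.3f" % drop_ratio(parse_stats(LOGGEN_TRAILER)))
```

A drop ratio of 2e-5 is usually tolerable; the loggen trailer comes out at more than 99%, which is the number to check before drawing any conclusion from a capture of a burst.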