Linux command: tcpdump
1. Introduction to tcpdump
The Linux tcpdump command captures the packets crossing a network interface in full, so that they can be inspected on the spot or analysed later; the usual tool for the offline analysis is Wireshark, which reads the files tcpdump writes with -w. Capturing needs root (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), which is why every example below runs as root.
2. tcpdump usage
tcpdump [options] [filter expression]
Option | Description |
-a | Accepted only for compatibility with old versions, which used it to convert network and broadcast addresses to names; current tcpdump ignores it |
-A | Print each packet (minus its link-level header) in ASCII; handy for HTTP and other text protocols |
-b | Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN |
-d | Dump the compiled packet-matching (BPF) code in a human-readable form and exit |
-dd | Dump the packet-matching code as a C program fragment |
-ddd | Dump the packet-matching code as decimal numbers, preceded by a count |
-D | List the network interfaces tcpdump can capture on |
-e | Print the link-level header (MAC addresses, EtherType) on each output line |
-f | Print "foreign" IPv4 addresses numerically rather than symbolically, i.e. no host names |
-F | Read the filter expression from the given file; any expression on the command line is ignored |
-l (lowercase L) | Make stdout line-buffered, so output can be watched while it is piped or redirected, e.g. tcpdump -l | tee dat |
-L | List the known data link types for the interface |
-N | Don't print the domain-name part of host names, e.g. www instead of www.xxx.com |
-n | Don't convert addresses (host addresses) to names; port numbers are still shown as service names |
-nn | Don't convert protocol and port numbers to names either |
-p | Don't put the interface into promiscuous mode (only traffic addressed to this host is seen) |
-q | Quick (quiet) output: print less protocol information, so lines are shorter |
-r | Read packets from a file (normally one written with -w) instead of an interface |
-i | Listen on the given interface; -i any captures on all interfaces at once (Linux "cooked" capture, not promiscuous) |
-T | Force packets selected by the expression to be interpreted as the given type, e.g. rpc (remote procedure call) or snmp (simple network management protocol) |
-t | Don't print a timestamp on each line |
-tt | Print an unformatted timestamp (seconds since the Unix epoch) on each line |
-ttt | Print the delta (microsecond resolution) between the current and the previous line |
-tttt | Print the timestamp in the default format preceded by the date |
-s | Capture only snaplen bytes of each packet; the default is 262144 bytes in current versions (the "capture size 262144 bytes" line in the outputs below), 68 bytes in versions before 4.0, which is why -s 0 (meaning the maximum) is still widely used |
-S | Print absolute rather than relative TCP sequence numbers |
-c | Exit after receiving the given number of packets |
-w | Write the raw packets to a file (pcap format) instead of printing them; any name works, but a .cap or .pcap suffix lets Wireshark open it directly |
-u | Print undecoded NFS handles |
-v | Slightly more verbose output, e.g. the TTL, identification, total length and options of IP packets; also enables extra integrity checks such as verifying IP and ICMP header checksums |
-vv | Even more verbose output, e.g. additional fields in NFS reply packets, and SMB packets are fully decoded |
-vvv | Even more verbose, e.g. telnet SB ... SE options are printed in full |
-C | Before writing a packet to the -w file, check whether the file exceeds this size (in millions of bytes); if so, close it and open a new one |
-W | Used with -C: limit the number of files created and rotate through them as a ring buffer |
-X | Print each packet (minus its link-level header) in hex and ASCII; useful for debugging or inspecting payloads |
Common tcpdump filter keywords
Keyword class | Keywords | Notes |
Type | host, net, port | host 192.168.10.110 matches one host; net 192.168.10.0 matches a network (the mask is implied by the trailing zero octets, /24 here; net 192.168.10.0/24 states it explicitly); port 22 matches port 22 of TCP or UDP. If no type keyword is given, host is assumed, so "tcpdump 192.168.10.110" means "tcpdump host 192.168.10.110" |
Direction | src, dst | src 192.168.10.110 matches packets whose source address is 192.168.10.110; dst net 192.168.0.0 matches packets whose destination is in 192.168.0.0/16. Without a direction keyword both src and dst are matched, i.e. all traffic to or from the address |
Protocol | tcp, udp, icmp, ip, arp, ... | restricts the match to that protocol; a bare "tcp" or "arp" is a complete primitive on its own |
Other | gateway, broadcast, less, greater, not, !, and, or, &&, || | combine primitives; "not" and "!" are the same token, as are and/&& and or/|| |
Examples:
tcpdump -i ens33 # every packet crossing interface ens33
tcpdump -i ens33 host 192.168.10.110 # every packet to or from 192.168.10.110 seen on ens33 (a host name works too, as long as it resolves to an address)
tcpdump host 192.168.10.110 and \(192.168.10.111 or 192.168.10.112\) # traffic between 192.168.10.110 and either 192.168.10.111 or 192.168.10.112; the parentheses must be escaped from the shell, and the bare addresses inherit the preceding "host" keyword
tcpdump ip host rsso and not www.xxx.com # IP packets between host rsso and any host other than www.xxx.com
tcpdump ip host rsso and ! www.xxx.com # same filter; ! and not are interchangeable
tcpdump -i ens33 src rsso # packets sent by rsso and seen on ens33
tcpdump -i ens33 dst host www.xxx.com # packets addressed to www.xxx.com
tcpdump ip dst 192.168.10.110 and src 192.168.10.111 and port 80 and host ! www.xxx.com # IP packets from 192.168.10.111 to 192.168.10.110 on port 80, excluding any involving www.xxx.com; "host ! X" is libpcap's spelling of "not host X", and "host not X" works the same way
tcpdump arp # ARP packets only
tcpdump tcp port 22 and host 192.168.10.110 # SSH (TCP port 22) traffic to and from 192.168.10.110
tcpdump udp port 53 # UDP port 53 traffic on the default interface, i.e. DNS
Summary: a tcpdump expression reads like a database query: individual conditions are combined with "and", "or" and "not" (spelled and/&&, or/||, not/!) to narrow the capture down to exactly the traffic of interest. The general shape is:
tcpdump [protocol] [src|dst] [host name or IP] [and/or/not combinator] [src|dst] [host name or IP] [and/or/not combinator] [port] [port number] ... [and/or/not combinator] [condition]
tcpdump ip dst 192.168.10.110 and src 192.168.10.111 and port 80 and host ! www.xxx.com
# IP packets from 192.168.10.111 to 192.168.10.110 on port 80, excluding any that involve www.xxx.com (the filter is directional because both dst and src are given)
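The keyword rules above are easiest to understand by executing them. The following is an added example, not code from the article or from tcpdump/libpcap: a small Python evaluator for a subset of the filter language (host/net/port, src/dst, ip/tcp/udp/icmp/arp, and/or/not with their symbolic spellings, parentheses, bare values inheriting the previous keyword, and the "host ! X" form). It compiles nothing to BPF and resolves no host names; packets are constructed five-tuples, and all addresses and ports in the demo are chosen to mirror the article's examples.

```python
"""Added example, not from the article: a Python evaluator for a subset of
tcpdump's filter language, written to show how keywords compose. It is not
libpcap and produces no BPF. Values must be dotted IPv4 addresses (optionally
with /prefix) or port numbers; host names are not resolved."""
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")   # decoded fields a primitive tests
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!]+")
PROTOS, DIRS, TYPES = {"ip", "tcp", "udp", "icmp", "arp"}, {"src", "dst"}, {"host", "net", "port"}
AND, OR, NOT = {"and", "&&"}, {"or", "||"}, {"not", "!"}

def implicit_net(value):
    """'net 192.168.10.0' means /24: the mask covers the leading non-zero octets."""
    if "/" in value:
        return ipaddress.ip_network(value, strict=False)
    octets = value.split(".")
    while octets and octets[-1] == "0":
        octets.pop()
    return ipaddress.ip_network("%s/%d" % (value, 8 * len(octets)), strict=False)

def match_proto(pkt, proto):
    if proto == "ip":                                   # "ip" covers everything carried in IPv4
        return pkt.proto in ("tcp", "udp", "icmp")
    return proto is None or pkt.proto == proto

def make_primitive(proto, direction, typ, value):
    """Predicate for one primitive such as ('tcp', 'dst', 'port', '22')."""
    if typ == "port":
        number = int(value)                             # ports exist only for tcp and udp
        ends = lambda p: (p.sport == number, p.dport == number) if p.proto in ("tcp", "udp") else None
    else:
        target = implicit_net(value) if typ == "net" else ipaddress.ip_network(value + "/32")
        ends = lambda p: (ipaddress.ip_address(p.src) in target, ipaddress.ip_address(p.dst) in target)
    def test(pkt):
        hit = ends(pkt) if match_proto(pkt, proto) else None
        if hit is None:
            return False
        return hit[0] if direction == "src" else hit[1] if direction == "dst" else hit[0] or hit[1]
    return test

class FilterParser:
    """expr := term (or term)*; term := factor (and factor)*; factor := not factor | (expr) | primitive"""
    def __init__(self, expression):
        self.toks, self.pos = TOKEN_RE.findall(expression), 0
        self.last = (None, None, "host")                # keywords a bare value inherits
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise SyntaxError("unexpected end of expression")
        self.pos += 1
        return self.toks[self.pos - 1]
    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise SyntaxError("unexpected token %r" % self.peek())
        return pred
    def expr(self):
        pred = self.term()
        while self.peek() in OR:
            self.take()
            pred = (lambda a, b: lambda p: a(p) or b(p))(pred, self.term())
        return pred
    def term(self):
        pred = self.factor()
        while self.peek() in AND:
            self.take()
            pred = (lambda a, b: lambda p: a(p) and b(p))(pred, self.factor())
        return pred
    def factor(self):
        if self.peek() in NOT:
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        return self.primitive()
    def primitive(self):
        proto = direction = typ = None
        while self.peek() in PROTOS | DIRS | TYPES:
            tok = self.take()
            if tok in PROTOS:
                proto = tok
            elif tok in DIRS:
                direction = tok
            else:
                typ = tok
        nxt = self.peek()
        if nxt is None or nxt in AND | OR or nxt == ")":   # "tcp", "arp", ... stand alone
            if proto is None or direction or typ:
                raise SyntaxError("keyword without a value")
            return lambda p: match_proto(p, proto)
        if (proto, direction, typ) == (None, None, None):
            proto, direction, typ = self.last               # bare value: reuse previous keywords
        self.last = (proto, direction, typ or "host")
        return self.value(*self.last)
    def value(self, proto, direction, typ):
        if self.peek() in NOT:                  # "host ! X" is libpcap's spelling of "not host X"
            self.take()
            inner = self.value(proto, direction, typ)
            return lambda p: not inner(p)
        return make_primitive(proto, direction, typ, self.take())

def demo():
    """Apply the article's example filters to constructed packets; returns matching indexes."""
    pkts = [Packet("tcp", "192.168.10.1", "192.168.10.110", 49819, 22),    # 0 ssh, inbound
            Packet("tcp", "192.168.10.110", "192.168.10.1", 22, 49819),    # 1 ssh, outbound
            Packet("udp", "192.168.10.110", "192.168.10.1", 40000, 53),    # 2 dns query
            Packet("tcp", "192.168.10.111", "192.168.10.110", 51000, 80),  # 3 http
            Packet("arp", "192.168.10.112", "192.168.10.110", None, None)] # 4 arp
    def run(expression):
        pred = FilterParser(expression).parse()
        return [i for i, p in enumerate(pkts) if pred(p)]
    return {e: run(e) for e in (
        "192.168.10.110",                                      # no keyword: host is assumed
        "tcp port 22 and host 192.168.10.110",
        "udp port 53",
        "host 192.168.10.110 and (192.168.10.111 or 192.168.10.112)",
        "ip dst 192.168.10.110 and src 192.168.10.111 and port 80",
        "ip host 192.168.10.110 and ! 192.168.10.1",
        "host 192.168.10.110 and host ! 192.168.10.1",
        "not host 192.168.10.1 and host 192.168.10.110",
        "src net 192.168.10.0 and not arp")}
```

Note that the shell escaping in the article's examples (\( and \)) is not needed here because the expression never passes through a shell; the two negated forms "host ! X" and "not host X" select the same packets, and a bare address inside the parentheses picks up the "host" keyword that precedes it, exactly as libpcap documents.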
3. Examples
3.1. Capture on interface ens33, stop after 100 packets and save the capture under /root
Command:
tcpdump -i ens33 -c 100 -w /root/ens33.cap
Note: printing packets to the shell is far too noisy to read, so save them to a file and copy it to a workstation (scp, xftp or similar) for inspection in Wireshark. The file is in pcap format whatever it is called; the .cap or .pcap suffix is a convention that lets Wireshark open it directly. In the listing below the file is owned by user tcpdump, not root: this build drops root privileges to that account once the capture is running (see -Z in the usage text in 3.2). Files created later by -C/-W rotation are opened after the privilege drop, so a rotating capture must write to a directory that user tcpdump can write to, or it stops at the first rotation with "Permission denied".
[root@rhel77 ~]# tcpdump -i ens33 -c 100 -w /root/ens33.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
100 packets captured
101 packets received by filter
0 packets dropped by kernel
[root@rhel77 ~]# ls -l ens33.cap
-rw-r--r-- 1 tcpdump tcpdump 65910 Nov 13 09:54 ens33.cap
[root@rhel77 ~]#
3.2. Viewing the tcpdump help
Command:
man tcpdump
......
TCPDUMP(8) System Manager's Manual TCPDUMP(8)
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q|-P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
Manual page tcpdump(8) line 1 (press h for help or q to quit)
......
or, for the short usage text:
tcpdump -h
[root@rsso ~]# tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
[root@rsso ~]#
3.3. Listen on a given interface, print each packet in hex and ASCII, and stop after 2 packets
Command:
tcpdump -i ens33 -X -c 2
Note: the hex dump starts at the IP header (0x45...) because -X omits the link-layer header. The second packet is a bare ACK whose IP total length is 40 bytes (0x0028), yet 46 bytes are printed: the six trailing zero bytes are padding added to reach the Ethernet minimum frame size, not TCP data, and must be ignored when the segment is decoded or checksummed.
[root@rsso ~]# tcpdump -i ens33 -X -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:13:27.797437 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58167224:58167436, ack 849658874, win 284, length 212
0x0000: 4510 00fc d433 4000 4006 cff8 c0a8 0a6e E....3@.@......n
0x0010: c0a8 0a01 0016 c29b 0377 8fb8 32a4 c3fa .........w..2...
0x0020: 5018 011c 96ae 0000 0000 00b0 94c9 df51 P..............Q
0x0030: 8f70 6c2c f1ef 3e84 e1b7 7afa 25a1 2e9b .pl,..>...z.%...
0x0040: 952c 61e5 f56f 3588 f1d5 f367 c333 a5c4 .,a..o5....g.3..
0x0050: 6e23 8bed 60c1 a3c7 9071 58d9 1565 6f7d n#..`....qX..eo}
0x0060: babe 8556 a49a 7d1a e852 f244 0bde d633 ...V..}..R.D...3
0x0070: f417 878d 0eee 96f1 a96d 2e7b eb5f cd0a .........m.{._..
0x0080: 55cc b0cb 765b 7cb0 b412 0819 fd75 f74c U...v[|......u.L
0x0090: 671d 5a69 2472 b923 d460 91cf 7bad 3050 g.Zi$r.#.`..{.0P
0x00a0: 5a67 eb0a af81 2f2f 2d1e 8889 1dc7 8223 Zg....//-......#
0x00b0: a655 8408 886b c7b0 0fae cd93 6d80 d6a8 .U...k......m...
0x00c0: 176e 847d 3401 2f74 1ae3 7443 18ad 07ea .n.}4./t..tC....
0x00d0: 07fd 4c76 9460 47e3 9adc 9d15 07b3 4d5f ..Lv.`G.......M_
0x00e0: 62fd ea2c 638f afe1 fe8a a0ff 855b 075e b..,c........[.^
0x00f0: f852 3dcb b3df 9ea6 86ce fdb6 .R=.........
14:13:27.797781 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4095, length 0
0x0000: 4500 0028 0b87 4000 8006 5989 c0a8 0a01 E..(..@...Y.....
0x0010: c0a8 0a6e c29b 0016 32a4 c3fa 0377 908c ...n....2....w..
0x0020: 5010 0fff bcc1 0000 0000 0000 0000 P.............
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.4. Listen on all interfaces
Command:
tcpdump -i any -X -c 2
Note: the pseudo-interface any uses the Linux "cooked" link type (LINUX_SLL) instead of Ethernet, so no Ethernet headers are available (-e shows the cooked header instead) and the capture cannot be promiscuous.
[root@rsso ~]# tcpdump -i any -X -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:20:00.376955 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58172988:58173200, ack 849662206, win 284, length 212
0x0000: 4510 00fc d476 4000 4006 cfb5 c0a8 0a6e E....v@.@......n
0x0010: c0a8 0a01 0016 c29b 0377 a63c 32a4 d0fe .........w.<2...
0x0020: 5018 011c 96ae 0000 0000 00b0 cabd 1f07 P...............
0x0030: 264c 1b42 a142 3039 b766 0c54 e20b b0d0 &L.B.B09.f.T....
0x0040: a6bb 8cb9 52b5 0ce0 a33d db86 8838 a81c ....R....=...8..
0x0050: ec6e f3cb a4dc f719 8664 690d afcc 5d12 .n.......di...].
0x0060: a47b 6b5a 344a 3492 16db 6f80 bc6a 468f .{kZ4J4...o..jF.
0x0070: 2494 44b4 07bc 8c8f 8d0a a595 b5c8 6c7c $.D...........l|
0x0080: a4db 1b96 5178 8366 bc6d 5e7b 131a 8220 ....Qx.f.m^{....
0x0090: 72f5 2c48 e23c 76ae b410 40c1 7f73 6f48 r.,H.<v...@..soH
0x00a0: 4b65 1aca e9aa 23af 0086 99f8 4252 9eb3 Ke....#.....BR..
0x00b0: 9c61 ae68 17a2 6ef4 37ba c036 4e70 2f56 .a.h..n.7..6Np/V
0x00c0: 4a11 4164 c2f4 4e2c 5009 d733 3791 4905 J.Ad..N,P..37.I.
0x00d0: 3273 36c4 bbcd 4d9b 9d3e 3710 6a00 d6ca 2s6...M..>7.j...
0x00e0: 9184 6d3e b681 916e e4aa 2154 0546 8feb ..m>...n..!T.F..
0x00f0: 6486 1904 9642 08b2 72b8 588f 0000 0000 d....B..r.X.....
0x0100: 0000 0000 0000 0000 0000 0000 ............
14:20:00.377180 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4096, length 0
0x0000: 4500 0028 0bec 4000 8006 5924 c0a8 0a01 E..(..@...Y$....
0x0010: c0a8 0a6e c29b 0016 32a4 d0fe 0377 a710 ...n....2....w..
0x0020: 5010 1000 9938 0000 0000 0000 0000 0000 P....8..........
0x0030: 0000 0000 0000 0000 0000 0000 0000 ..............
2 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.5. Do not resolve IP addresses to host names (-n); port numbers are still shown as service names, e.g. .ssh
Command:
tcpdump -i ens33 -X -c 2 -n
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:21:14.936181 IP 192.168.10.110.ssh > 192.168.10.1.49819: Flags [P.], seq 58178320:58178532, ack 849665306, win 284, length 212
0x0000: 4510 00fc d4ae 4000 4006 cf7d c0a8 0a6e E.....@.@..}...n
0x0010: c0a8 0a01 0016 c29b 0377 bb10 32a4 dd1a .........w..2...
0x0020: 5018 011c 96ae 0000 0000 00b0 7fec b29f P...............
0x0030: d80d 4814 9cb0 f6d7 f401 ed7c 0d9a ce2d ..H........|...-
0x0040: 7859 cdd2 9c3a 005e aa76 d736 1b0c 8173 xY...:.^.v.6...s
0x0050: 4ac8 9d9b 152f a294 2d09 439d 8505 ba02 J..../..-.C.....
0x0060: cf6d c5dd a444 d71c 564d e5f5 bcd8 b67e .m...D..VM.....~
0x0070: 5a32 6b61 84ef 6892 ef8c 4ad5 3fd7 1060 Z2ka..h...J.?..`
0x0080: 609e 8c33 7065 23f2 f2a5 e1f1 b627 05ac `..3pe#......'..
0x0090: 2364 0b82 e047 1ce7 f957 0231 5549 44b2 #d...G...W.1UID.
0x00a0: e798 0a40 3a16 67e4 4279 41c0 e764 1984 ...@:.g.ByA..d..
0x00b0: a4a6 eabf db73 a695 e954 ef86 2051 2e3f .....s...T...Q.?
0x00c0: bc61 9b33 6b3e cde3 f516 663d 0823 a649 .a.3k>....f=.#.I
0x00d0: 5dd7 07fd 8b7e c0ed c20c 3314 ca21 b4a0 ]....~....3..!..
0x00e0: 0aa0 6bd6 e582 9165 01fc 3ec1 1616 00bc ..k....e..>.....
0x00f0: dce6 dbb9 f68f 52fb 35b7 c54a ......R.5..J
14:21:14.936472 IP 192.168.10.1.49819 > 192.168.10.110.ssh: Flags [.], ack 212, win 4098, length 0
0x0000: 4500 0028 0c40 4000 8006 58d0 c0a8 0a01 E..(.@@...X.....
0x0010: c0a8 0a6e c29b 0016 32a4 dd1a 0377 bbe4 ...n....2....w..
0x0020: 5010 1002 7846 0000 0000 0000 0000 P...xF........
2 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.6. Do not convert protocol and port numbers to names either (-nn); compare .22 here with .ssh in 3.5
Command:
tcpdump -i ens33 -X -c 2 -nn
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:22:03.382325 IP 192.168.10.110.22 > 192.168.10.1.49819: Flags [P.], seq 58180692:58180904, ack 849665634, win 284, length 212
0x0000: 4510 00fc d4b9 4000 4006 cf72 c0a8 0a6e E.....@.@..r...n
0x0010: c0a8 0a01 0016 c29b 0377 c454 32a4 de62 .........w.T2..b
0x0020: 5018 011c 96ae 0000 0000 00b0 7a81 72e2 P...........z.r.
0x0030: b8fe a9e0 6928 33ef b142 9cbf 265a f54d ....i(3..B..&Z.M
0x0040: 57be d301 1ee0 c2ea 0e4f 1cf4 f282 05b1 W........O......
0x0050: 27b0 79c9 9dc1 2802 6cda f598 141c 6650 '.y...(.l.....fP
0x0060: af33 21e8 1502 7e31 b179 17f8 114e 455e .3!...~1.y...NE^
0x0070: c917 fff4 387c f5cb e19a 1be0 f739 e056 ....8|.......9.V
0x0080: 6ab5 87d2 2f99 1419 5257 4e61 b598 abc1 j.../...RWNa....
0x0090: cf1d cabc c9b6 50e0 c71c fa8a 344c b58c ......P.....4L..
0x00a0: 9a6a 0c33 7ee3 e24f 2e28 8f9f 623c 276a .j.3~..O.(..b<'j
0x00b0: 25cd eec5 4d1d e7b3 02d0 a546 01e5 d067 %...M......F...g
0x00c0: f719 56e0 2314 dc49 4fc0 e38b 7157 c272 ..V.#..IO...qW.r
0x00d0: fdc1 d00b 3fa6 f3d7 47e7 307c f498 c98c ....?...G.0|....
0x00e0: 1d10 b004 3e19 a768 9468 fd22 a7de 2203 ....>..h.h."..".
0x00f0: af53 0aec 2a59 5616 d220 a247 .S..*YV....G
14:22:03.382528 IP 192.168.10.1.49819 > 192.168.10.110.22: Flags [.], ack 212, win 4098, length 0
0x0000: 4500 0028 0c4d 4000 8006 58c3 c0a8 0a01 E..(.M@...X.....
0x0010: c0a8 0a6e c29b 0016 32a4 de62 0377 c528 ...n....2..b.w.(
0x0020: 5010 1002 6dba 0000 0000 0000 0000 P...m.........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.7. Do not print the domain part of host names (-N): rsso is printed instead of rsso.boc.com
Command:
tcpdump -i ens33 -X -c 2 -N
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -N
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:24:13.168758 IP rsso.ssh > gateway.49819: Flags [P.], seq 58183512:58183724, ack 849666394, win 284, length 212
0x0000: 4510 00fc d4ce 4000 4006 cf5d c0a8 0a6e E.....@.@..]...n
0x0010: c0a8 0a01 0016 c29b 0377 cf58 32a4 e15a .........w.X2..Z
0x0020: 5018 011c 96ae 0000 0000 00b0 0e69 f220 P............i..
0x0030: 57fc 92b9 1c95 8b44 7b14 4151 0921 778a W......D{.AQ.!w.
0x0040: 205e c545 0d46 5696 8e07 df5b 1e61 f450 .^.E.FV....[.a.P
0x0050: fc29 eeee 2005 9751 dc81 f508 22be 89e2 .).....Q...."...
0x0060: 8220 9511 a7e6 87ad 304e d814 3b14 2875 ........0N..;.(u
0x0070: 0880 f68e 9b47 6959 1c61 94a7 2593 5399 .....GiY.a..%.S.
0x0080: c6a4 6f8d acf6 900b 249c 4ffc e8cd 4f17 ..o.....$.O...O.
0x0090: 49f3 0ee8 1549 cb31 8136 7fbb beb2 e9e0 I....I.1.6......
0x00a0: 08de 0aaf b11e 27f9 3409 402a 8fdb 8eb4 ......'.4.@*....
0x00b0: f081 27ff ad69 6d0f 9709 7471 92ef 3802 ..'..im...tq..8.
0x00c0: 4928 786e b56f 5043 0b8c acd4 d183 f59e I(xn.oPC........
0x00d0: 10ab d341 b304 66b5 55ec 87d7 2a92 7ea0 ...A..f.U...*.~.
0x00e0: 8293 1f4b 04c1 de4f 951f 46ec 9d0d 5821 ...K...O..F...X!
0x00f0: 37ef 90ed 9c36 f528 4138 e1a9 7....6.(A8..
14:24:13.169221 IP gateway.49819 > rsso.ssh: Flags [.], ack 212, win 4096, length 0
0x0000: 4500 0028 0c6a 4000 8006 58a6 c0a8 0a01 E..(.j@...X.....
0x0010: c0a8 0a6e c29b 0016 32a4 e15a 0377 d02c ...n....2..Z.w.,
0x0020: 5010 1000 5fc0 0000 0000 0000 0000 P..._.........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.8. Print no timestamp on each line (-t)
Command:
tcpdump -i ens33 -X -c 2 -t
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -t
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58185952:58186164, ack 849666878, win 284, length 212
0x0000: 4510 00fc d4dc 4000 4006 cf4f c0a8 0a6e E.....@.@..O...n
0x0010: c0a8 0a01 0016 c29b 0377 d8e0 32a4 e33e .........w..2..>
0x0020: 5018 011c 96ae 0000 0000 00b0 3bf3 83d1 P...........;...
0x0030: 5b37 29e8 ab4f 56c3 58a9 9c03 9974 a7fb [7)..OV.X....t..
0x0040: 03ed 62c2 9366 e5a1 eaba d5d7 1fc9 2465 ..b..f........$e
0x0050: bb14 3986 e12f 9492 dfd8 aa67 7c22 f03a ..9../.....g|".:
0x0060: b3ad 8add 44d8 8ce0 1ef0 2107 a45a 80c9 ....D.....!..Z..
0x0070: 8df4 2577 0daf 89b0 f8dd 6fe2 f4f2 1329 ..%w......o....)
0x0080: e039 da09 0806 4996 f574 2956 6243 10ca .9....I..t)VbC..
0x0090: 71ec 9cb8 5398 03b5 72e9 0209 2e35 05a1 q...S...r....5..
0x00a0: 8e15 e672 3f2f 28d7 d3fe 6ac3 b958 ef4f ...r?/(...j..X.O
0x00b0: 9865 41b5 3c7d 6c2b f730 01b1 ebd3 d273 .eA.<}l+.0.....s
0x00c0: a053 f86e 8838 eaad 1d2d 0043 5d54 e7af .S.n.8...-.C]T..
0x00d0: 860c f9c2 eed5 c98d eb77 aa86 35e1 055d .........w..5..]
0x00e0: d736 1392 f87b f1d8 de5e 68bb c982 01f8 .6...{...^h.....
0x00f0: e518 78f1 dfb0 283c e851 252f ..x...(<.Q%/
IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4097, length 0
0x0000: 4500 0028 0c7c 4000 8006 5894 c0a8 0a01 E..(.|@...X.....
0x0010: c0a8 0a6e c29b 0016 32a4 e33e 0377 d9b4 ...n....2..>.w..
0x0020: 5010 1001 5453 0000 0000 0000 0000 P...TS........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.9. Print an unformatted timestamp on each line (-tt): seconds and microseconds since the Unix epoch
Command:
tcpdump -i ens33 -X -c 2 -tt
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -tt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
1743402453.296093 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58188588:58188800, ack 849667482, win 284, length 212
0x0000: 4510 00fc d4ee 4000 4006 cf3d c0a8 0a6e E.....@.@..=...n
0x0010: c0a8 0a01 0016 c29b 0377 e32c 32a4 e59a .........w.,2...
0x0020: 5018 011c 96ae 0000 0000 00b0 1e29 6c77 P............)lw
0x0030: 3c89 a1fc e8f2 1fa6 516c 5635 39d8 833d <.......QlV59..=
0x0040: 5015 5196 9ef9 ebd7 0923 bfc2 5f7a e887 P.Q......#.._z..
0x0050: e507 4cfb c01f d7fd 4735 3128 1d1b a8cc ..L.....G51(....
0x0060: e729 e8c6 4808 ed53 e539 2982 cef0 f922 .)..H..S.9)...."
0x0070: cbf7 d5dd 1c81 17e9 7e2f 7869 7543 b28d ........~/xiuC..
0x0080: d197 0376 430e 5b14 de53 b73c 629c debb ...vC.[..S.<b...
0x0090: 1764 5074 4954 eabe 9c7a 65cc 4ab8 f312 .dPtIT...ze.J...
0x00a0: d515 24ba 3c28 6db1 52b5 7a93 4ffe a1ef ..$.<(m.R.z.O...
0x00b0: 09de cc7b 4736 f654 b0c4 84ed 0e83 20f8 ...{G6.T........
0x00c0: 68b3 2db8 e870 e5ef 3204 aa82 c37c 4e44 h.-..p..2....|ND
0x00d0: 94e6 e978 f1cb 42b6 c14a e94c 6854 b0a0 ...x..B..J.LhT..
0x00e0: 55c7 d7a6 d69c b19c 66c7 00c5 850b ef95 U.......f.......
0x00f0: f531 82f5 8e91 5bed 37b7 16b5 .1....[.7...
1743402453.296289 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4096, length 0
0x0000: 4500 0028 0c94 4000 8006 587c c0a8 0a01 E..(..@...X|....
0x0010: c0a8 0a6e c29b 0016 32a4 e59a 0377 e400 ...n....2....w..
0x0020: 5010 1000 47ac 0000 0000 0000 0000 P...G.........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.10. Print the time elapsed since the previous line (-ttt), with microsecond resolution; the first line is always 00:00:00.000000
Command:
tcpdump -i ens33 -X -c 2 -ttt
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -ttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58190740:58190952, ack 849667706, win 284, length 212
0x0000: 4510 00fc d4f7 4000 4006 cf34 c0a8 0a6e E.....@.@..4...n
0x0010: c0a8 0a01 0016 c29b 0377 eb94 32a4 e67a .........w..2..z
0x0020: 5018 011c 96ae 0000 0000 00b0 d373 85de P............s..
0x0030: b8ad 39be 174f 5315 e943 c7ec 9b77 af9e ..9..OS..C...w..
0x0040: 50fc 25b8 db8d 5c4d 69ee bf58 f82d b424 P.%...\Mi..X.-.$
0x0050: 7f3e 92f6 b59f 82e2 463b d5dc 295c 9dfa .>......F;..)\..
0x0060: b87e 3b5e 8f71 e4b5 df1d 9f70 997c c4aa .~;^.q.....p.|..
0x0070: b186 1bdb 6b47 a8c8 1c33 04c5 a94b f4da ....kG...3...K..
0x0080: 73b5 d11c 7af1 80ce 1238 40a3 ec0b c283 s...z....8@.....
0x0090: 8604 95b2 8609 7a49 1bbf 1c17 36ec 4a83 ......zI....6.J.
0x00a0: 8af0 b57f 8867 3811 898d 3fb9 ae67 92d3 .....g8...?..g..
0x00b0: e68e e5f0 2c6f ed33 67cd f676 7c45 a859 ....,o.3g..v|E.Y
0x00c0: 1d1a 0dff 5c90 974d 5600 7682 aad1 d001 ....\..MV.v.....
0x00d0: e3f2 a17a 138f 132e a7b9 fdda f620 8cd9 ...z............
0x00e0: 4cf9 f548 9e5c 2d70 0684 9056 9244 890d L..H.\-p...V.D..
0x00f0: 4f8b 2a55 22e7 afd2 8227 78e5 O.*U"....'x.
00:00:00.000192 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4098, length 0
0x0000: 4500 0028 0c9d 4000 8006 5873 c0a8 0a01 E..(..@...Xs....
0x0010: c0a8 0a6e c29b 0016 32a4 e67a 0377 ec68 ...n....2..z.w.h
0x0020: 5010 1002 3e62 0000 0000 0000 0000 P...>b........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.11. Print the date in front of the timestamp on each line (-tttt), the most readable form
Command:
tcpdump -i ens33 -X -c 2 -tttt
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -tttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2025-03-31 14:28:20.815975 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58193424:58193636, ack 849668310, win 284, length 212
0x0000: 4510 00fc d507 4000 4006 cf24 c0a8 0a6e E.....@.@..$...n
0x0010: c0a8 0a01 0016 c29b 0377 f610 32a4 e8d6 .........w..2...
0x0020: 5018 011c 96ae 0000 0000 00b0 0098 9525 P..............%
0x0030: fd28 c9fa b4ed 6c31 cf83 36f4 7939 9e7b .(....l1..6.y9.{
0x0040: 693f e4f9 2e42 1434 d25a 3374 e381 f136 i?...B.4.Z3t...6
0x0050: bd01 fede 7f62 3d2d aad5 7c78 b175 c0ec .....b=-..|x.u..
0x0060: e488 3298 844e 6432 bd1c 7efe b8d0 c34c ..2..Nd2..~....L
0x0070: 189d f61d 54ec 5961 0c94 7454 ad86 067e ....T.Ya..tT...~
0x0080: db7d 0a2d b850 b29d e249 86b9 14fc 03d6 .}.-.P...I......
0x0090: 0218 10bd dcd7 1ccd 1cd7 5b6a d716 3cad ..........[j..<.
0x00a0: 44d8 f08c e005 6301 d67c a184 30d4 8f36 D.....c..|..0..6
0x00b0: 9ce0 6874 459a 4e8a 2155 ff1c 143a 9a30 ..htE.N.!U...:.0
0x00c0: 1f9a 4c58 eb9a 84a6 e0c6 91ec 6f46 97b1 ..LX........oF..
0x00d0: a41a 860c 8116 5e67 8e1d 700b 9153 90fe ......^g..p..S..
0x00e0: 658e e295 8cc2 f3cf 67e5 a07e f1c8 b9f9 e.......g..~....
0x00f0: e53a f5f2 2959 fb3d 73d0 26eb .:..)Y.=s.&.
2025-03-31 14:28:20.816199 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4096, length 0
0x0000: 4500 0028 0cb5 4000 8006 585b c0a8 0a01 E..(..@...X[....
0x0010: c0a8 0a6e c29b 0016 32a4 e8d6 0377 f6e4 ...n....2....w..
0x0020: 5010 1000 318c 0000 0000 0000 0000 P...1.........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
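The files written with -w in 3.1 can be read without Wireshark, and the timestamp options of 3.8 to 3.11 are nothing more than four renderings of the per-record timestamp stored in such a file. The following is an added example, not code from the article or from tcpdump: it parses the pcap global header and record headers, strips the link-layer header for the two link types seen above (EN10MB on ens33, LINUX_SLL for -i any) and renders timestamps the way -t, -tt, -ttt and -tttt do (in UTC rather than local time). The sample file is constructed in memory: its packet is the padded 46-byte ACK from 3.3, its timestamps are the -tt values from 3.9, and the MAC addresses are made up.

```python
"""Added example (not from the article): read a pcap file as written by tcpdump -w
without Wireshark or scapy, and render record timestamps like the -t options do."""
import struct
from datetime import datetime, timezone

ETHERNET, LINUX_SLL = 1, 113                       # pcap link-type codes (EN10MB, Linux cooked)
LINK_HDR_LEN = {ETHERNET: 14, LINUX_SLL: 16}
# magic number -> (byte order, divisor that turns the fraction field into microseconds)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1), b"\xa1\xb2\xc3\xd4": (">", 1),
          b"\x4d\x3c\xb2\xa1": ("<", 1000), b"\xa1\xb2\x3c\x4d": (">", 1000)}

def read_pcap(blob):
    """Return (linktype, snaplen, records); a record is (sec, usec, caplen, origlen, ip_bytes)."""
    if blob[:4] not in MAGICS:
        raise ValueError("not a pcap file (pcapng and other formats are not handled)")
    endian, frac_div = MAGICS[blob[:4]]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (major, minor))
    strip = LINK_HDR_LEN[linktype]                # KeyError for link types not handled here
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        frame = blob[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated record at offset %d" % off)
        off += caplen
        records.append((sec, frac // frac_div, caplen, origlen, frame[strip:]))
    return linktype, snaplen, records

def render_timestamp(option, rec, prev=None):
    """Mimic -t (nothing), -tt (epoch seconds), -ttt (delta from the previous record)
    and -tttt (date and time). tcpdump uses local time; UTC is used here for determinism."""
    sec, usec = rec[0], rec[1]
    if option == "-t":
        return ""
    if option == "-tt":
        return "%d.%06d" % (sec, usec)
    if option == "-ttt":
        delta = 0 if prev is None else (sec - prev[0]) * 1000000 + (usec - prev[1])
        h, rem = divmod(delta // 1000000, 3600)
        m, s = divmod(rem, 60)
        return "%02d:%02d:%02d.%06d" % (h, m, s, delta % 1000000)
    if option == "-tttt":
        return datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") + ".%06d" % usec
    raise ValueError("unknown timestamp option %r" % option)

def summarize(blob):
    """One row per record: timestamps in each style plus the padding the link layer added."""
    linktype, snaplen, records = read_pcap(blob)
    rows, prev = [], None
    for rec in records:
        ip_total_len = struct.unpack("!H", rec[4][2:4])[0]   # IPv4 total length field
        rows.append({"tt": render_timestamp("-tt", rec), "ttt": render_timestamp("-ttt", rec, prev),
                     "tttt": render_timestamp("-tttt", rec), "caplen": rec[2],
                     "ip_len": ip_total_len, "padding": len(rec[4]) - ip_total_len})
        prev = rec
    return linktype, snaplen, rows

# The 46 bytes -X printed for the inbound ACK in section 3.3 (IP total length 0x0028 = 40).
ACK = bytes.fromhex("4500 0028 0b87 4000 8006 5989 c0a8 0a01 c0a8 0a6e c29b 0016 32a4 c3fa "
                    "0377 908c 5010 0fff bcc1 0000 0000 0000 0000")

def build_pcap(linktype, frames, stamps):
    """Write a little-endian microsecond pcap the way tcpdump -w does (snaplen 262144)."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for frame, (sec, usec) in zip(frames, stamps):
        blob += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return blob

def demo():
    """Constructed captures: the same ACK as seen on ens33 and on the any device."""
    stamps = [(1743402453, 296093), (1743402453, 296289)]          # -tt values from section 3.9
    eth = bytes.fromhex("001122334455 66778899aabb 0800") + ACK     # made-up MACs, EtherType IPv4
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("66778899aabb0000"), 0x0800) + ACK
    return {"ens33": summarize(build_pcap(ETHERNET, [eth, eth], stamps)),
            "any": summarize(build_pcap(LINUX_SLL, [sll, sll], stamps))}
```

The delta between the two constructed records comes out as 00:00:00.000196, the same shape as the -ttt line in 3.10, and the epoch value 1743402453 renders as 2025-03-31 06:27:33 UTC, which is the 14:27 local time the other captures show. The reader checks the magic number before trusting anything else: a pcapng file (as newer Wireshark writes by default) starts with 0a 0d 0d 0a and is rejected rather than misparsed.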
3.12. Produce verbose output (-v)
Command:
tcpdump -i ens33 -X -c 2 -v
Note: -v adds fields such as the TTL, identification, total length and options of each IP packet, and turns on extra integrity checks such as verifying the IP and ICMP header checksums and the TCP checksum. Read the checksum verdicts with care: below, the outbound segment from rsso is reported as "cksum 0x966e (incorrect -> 0xff92)" while the inbound ACK from the gateway is "(correct)". That is TCP checksum offload, not corruption: for packets the local host sends, the kernel leaves only the pseudo-header partial sum in the field and the NIC computes the final value after the point where tcpdump copies the packet. An "incorrect" verdict on a packet received from the wire is the case that deserves investigation.
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -v
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:17.590360 IP (tos 0x10, ttl 64, id 54581, offset 0, flags [DF], proto TCP (6), length 188)
rsso.boc.com.ssh > gateway.49819: Flags [P.], cksum 0x966e (incorrect -> 0xff92), seq 58202340:58202488, ack 849669726, win 284, length 148
0x0000: 4510 00bc d535 4000 4006 cf36 c0a8 0a6e E....5@.@..6...n
0x0010: c0a8 0a01 0016 c29b 0378 18e4 32a4 ee5e .........x..2..^
0x0020: 5018 011c 966e 0000 0000 0070 9fbc 6fdb P....n.....p..o.
0x0030: eeae 97f8 22dd 9588 d812 7753 f962 3602 ....".....wS.b6.
0x0040: fded 3927 489e f74b 77e3 04c8 2b05 4dc6 ..9'H..Kw...+.M.
0x0050: 8914 c3e3 f013 9842 bf9d 4a5e 3d61 e767 .......B..J^=a.g
0x0060: 1140 8cb7 11fc 67a7 3c3a 6f9f 05a0 e35e .@....g.<:o....^
0x0070: f8e8 7c5e 8065 308d 14f8 39aa ac6b 14b5 ..|^.e0...9..k..
0x0080: a44b 66d8 baa3 d287 3df7 3def 9912 4233 .Kf.....=.=...B3
0x0090: 36bf fee5 6e0f 4be1 fad4 913a c52f 0696 6...n.K....:./..
0x00a0: 918f 8907 1e21 51e0 e126 fce5 2179 77ef .....!Q..&..!yw.
0x00b0: ed3f 1637 2620 f600 4f6e 4fe1 .?.7&...OnO.
14:33:17.590590 IP (tos 0x0, ttl 128, id 3308, offset 0, flags [DF], proto TCP (6), length 40)
gateway.49819 > rsso.boc.com.ssh: Flags [.], cksum 0x096f (correct), ack 148, win 4097, length 0
0x0000: 4500 0028 0cec 4000 8006 5824 c0a8 0a01 E..(..@...X$....
0x0010: c0a8 0a6e c29b 0016 32a4 ee5e 0378 1978 ...n....2..^.x.x
0x0020: 5010 1001 096f 0000 0000 0000 0000 P....o........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
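The two checksum verdicts above can be reproduced from the bytes -X printed. The following is an added example, not code from the article or from tcpdump: the packet bytes are copied from the hex dump of this section (they start at the IP header because -X omits the link-layer header), and the code recomputes the IP header checksum and the TCP checksum over the IPv4 pseudo-header the way RFC 1071 and RFC 793 describe. It also makes the offload signature visible: the stored 0x966e in the outbound segment is exactly the folded pseudo-header sum, and the inbound ACK is bounded by its IP total length so that the six Ethernet padding bytes never enter the sum.

```python
"""Added example (not from the article): re-check the IP and TCP checksums that
tcpdump -v reported in section 3.12. The packet bytes are copied from the -X
dump; they start at the IPv4 header because -X omits the link-layer header."""
import struct

# Outbound SSH segment, rsso -> gateway, reported "cksum 0x966e (incorrect -> ...)".
OUTBOUND = bytes.fromhex("""
4510 00bc d535 4000 4006 cf36 c0a8 0a6e
c0a8 0a01 0016 c29b 0378 18e4 32a4 ee5e
5018 011c 966e 0000 0000 0070 9fbc 6fdb
eeae 97f8 22dd 9588 d812 7753 f962 3602
fded 3927 489e f74b 77e3 04c8 2b05 4dc6
8914 c3e3 f013 9842 bf9d 4a5e 3d61 e767
1140 8cb7 11fc 67a7 3c3a 6f9f 05a0 e35e
f8e8 7c5e 8065 308d 14f8 39aa ac6b 14b5
a44b 66d8 baa3 d287 3df7 3def 9912 4233
36bf fee5 6e0f 4be1 fad4 913a c52f 0696
918f 8907 1e21 51e0 e126 fce5 2179 77ef
ed3f 1637 2620 f600 4f6e 4fe1""")
# Inbound ACK, gateway -> rsso, reported "cksum 0x096f (correct)". 46 bytes were printed
# although the IP total length is 40: the last 6 bytes are Ethernet padding.
INBOUND = bytes.fromhex("""
4500 0028 0cec 4000 8006 5824 c0a8 0a01
c0a8 0a6e c29b 0016 32a4 ee5e 0378 1978
5010 1001 096f 0000 0000 0000 0000""")

def ones_complement_sum(data):
    """RFC 1071: sum 16-bit big-endian words with end-around carry (odd byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data):
    """The value that goes on the wire: one's complement of the folded sum."""
    return ones_complement_sum(data) ^ 0xFFFF

def parse_ipv4(pkt):
    """Return (header_len, total_len, proto, src, dst) for a packet starting at the IP header."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (ver_ihl & 0x0F) * 4, total_len, proto, src, dst

def ip_header_ok(pkt):
    """What tcpdump -v checks: a valid header, checksum field included, sums to 0xFFFF."""
    return ones_complement_sum(pkt[:parse_ipv4(pkt)[0]]) == 0xFFFF

def pseudo_header(src, dst, proto, length):
    """The IPv4 pseudo-header that TCP and UDP prepend to the segment before summing."""
    return src + dst + struct.pack("!BBH", 0, proto, length)

def tcp_checksum(pkt):
    """Return (stored, expected, pseudo_sum). The segment is bounded by the IP total
    length so that link-layer padding never enters the sum."""
    ihl, total_len, proto, src, dst = parse_ipv4(pkt)
    if proto != 6:
        raise ValueError("not a TCP segment")
    segment = pkt[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    pseudo = pseudo_header(src, dst, proto, len(segment))
    expected = checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])
    return stored, expected, ones_complement_sum(pseudo)

def demo():
    """Verdicts for the two captured packets."""
    return {name: {"ip_ok": ip_header_ok(pkt), "tcp": tcp_checksum(pkt),
                   "padding": len(pkt) - parse_ipv4(pkt)[1]}
            for name, pkt in (("outbound", OUTBOUND), ("inbound", INBOUND))}

if __name__ == "__main__":
    for name, r in demo().items():
        stored, expected, pseudo = r["tcp"]
        verdict = "correct" if stored == expected else "incorrect -> 0x%04x" % expected
        print("%s: ip header %s, tcp cksum 0x%04x (%s), pseudo-header sum 0x%04x, padding %d bytes"
              % (name, "ok" if r["ip_ok"] else "BAD", stored, verdict, pseudo, r["padding"]))
```

Both IP headers verify, the inbound ACK's TCP checksum verifies as 0x096f, and the outbound segment's stored 0x966e differs from the value the segment would need while equalling the folded pseudo-header sum, which is what the kernel leaves behind for the NIC to finish. The same routine applied to a UDP datagram only needs proto 17 and the UDP length in the pseudo-header.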
3.13. Produce output more verbose than -v (-vv)
Command:
tcpdump -i ens33 -X -c 2 -vv
Note: for example, additional fields in NFS reply packets are printed and SMB packets are fully decoded. With the SSH traffic here the visible difference from -v is small: the pure-ACK line from the gateway now also carries its sequence number ("seq 1").
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -vv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:39.991693 IP (tos 0x10, ttl 64, id 54599, offset 0, flags [DF], proto TCP (6), length 188)
rsso.boc.com.ssh > gateway.49819: Flags [P.], cksum 0x966e (incorrect -> 0x3655), seq 58204896:58205044, ack 849670330, win 284, length 148
0x0000: 4510 00bc d547 4000 4006 cf24 c0a8 0a6e E....G@.@..$...n
0x0010: c0a8 0a01 0016 c29b 0378 22e0 32a4 f0ba .........x".2...
0x0020: 5018 011c 966e 0000 0000 0070 93ae 1984 P....n.....p....
0x0030: df83 22fa 998c b267 36d3 fe45 070e 7239 .."....g6..E..r9
0x0040: db41 cbbc 15ea 88d0 8aea c32a 1ec8 3e24 .A.........*..>$
0x0050: 2b13 479a 7a23 8e84 3af7 d5c6 303c 032a +.G.z#..:...0<.*
0x0060: cdb6 8a80 327d 008d d886 184a 0c03 2807 ....2}.....J..(.
0x0070: 8a57 9cf1 2ce2 0dbf 24cb 4da4 910a a47b .W..,...$.M....{
0x0080: 986b 505b 4dbb 1af6 b138 b678 31fe ce57 .kP[M....8.x1..W
0x0090: 0443 33bc 26a3 e4ba d2ae a974 b142 2221 .C3.&......t.B"!
0x00a0: 50a6 8e22 8474 c920 d96d 5c78 90fe 9f20 P..".t...m\x....
0x00b0: e5b9 5bac 43fd e119 9147 ea6a ..[.C....G.j
14:33:39.991963 IP (tos 0x0, ttl 128, id 3331, offset 0, flags [DF], proto TCP (6), length 40)
gateway.49819 > rsso.boc.com.ssh: Flags [.], cksum 0xfd17 (correct), seq 1, ack 148, win 4096, length 0
0x0000: 4500 0028 0d03 4000 8006 580d c0a8 0a01 E..(..@...X.....
0x0010: c0a8 0a6e c29b 0016 32a4 f0ba 0378 2374 ...n....2....x#t
0x0020: 5010 1000 fd17 0000 0000 0000 0000 P.............
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.14. Produce output more verbose than -vv (-vvv)
Note: for example, telnet SB ... SE option negotiations are printed in full; combined with -X, telnet options are also printed in hex. The encrypted SSH traffic captured here looks the same as with -vv.
Command:
tcpdump -i ens33 -X -c 2 -vvv
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -vvv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:53.899064 IP (tos 0x10, ttl 64, id 54607, offset 0, flags [DF], proto TCP (6), length 188)
rsso.boc.com.ssh > gateway.49819: Flags [P.], cksum 0x966e (incorrect -> 0x7fea), seq 58207020:58207168, ack 849670554, win 284, length 148
0x0000: 4510 00bc d54f 4000 4006 cf1c c0a8 0a6e E....O@.@......n
0x0010: c0a8 0a01 0016 c29b 0378 2b2c 32a4 f19a .........x+,2...
0x0020: 5018 011c 966e 0000 0000 0070 1460 99bf P....n.....p.`..
0x0030: 52ff 988d 999d c49c ccf3 5c83 404e b9ef R.........\.@N..
0x0040: e5d7 b4f6 1e5a 7e4d da99 af63 a500 8410 .....Z~M...c....
0x0050: fb5c 03c7 3cbc 82ac a27e 31e2 e532 2dde .\..<....~1..2-.
0x0060: f0db 45ae 826c a348 d164 b2bc dbf0 3218 ..E..l.H.d....2.
0x0070: 92db cbf8 1427 912e d026 d75e 92a8 1276 .....'...&.^...v
0x0080: 9f8b 6826 dbf7 c414 4247 80be 169b f68c ..h&....BG......
0x0090: 71d9 0123 c8fe b0a9 335b e85a 9993 21df q..#....3[.Z..!.
0x00a0: f8b5 d5ce 2b87 dc4e f34c dee1 a39e 72f7 ....+..N.L....r.
0x00b0: b0b9 37f8 8a71 f383 7a0a bb89 ..7..q..z...
14:33:53.899290 IP (tos 0x0, ttl 128, id 3341, offset 0, flags [DF], proto TCP (6), length 40)
gateway.49819 > rsso.boc.com.ssh: Flags [.], cksum 0xf3e9 (correct), seq 1, ack 148, win 4098, length 0
0x0000: 4500 0028 0d0d 4000 8006 5803 c0a8 0a01 E..(..@...X.....
0x0010: c0a8 0a6e c29b 0016 32a4 f19a 0378 2bc0 ...n....2....x+.
0x0020: 5010 1002 f3e9 0000 0000 0000 0000 P.............
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.15. Limit the size and number of capture files
Command:
tcpdump -i any -C 1 -W 4 -w /tmp/ztj
Description: with -C, before writing each packet tcpdump checks whether the current file is larger than file_size; if so it closes the file and opens a new one. The unit of file_size is millions of bytes (1,000,000 bytes, not 1,048,576). Without -W the extra files are named after the -w argument with a number appended, starting at 1 (ztj, ztj1, ztj2, ...). With -W the files are numbered from 0 with enough leading zeros to sort correctly, and the count limits how many files exist: once the limit is reached tcpdump starts overwriting from the first one again, so the files form a ring buffer.
Note: here a new file is opened every 1 MB and at most four files are kept, named /tmp/ztj0, /tmp/ztj1, /tmp/ztj2 and /tmp/ztj3, so the capture never uses more than about 4 MB of disk space. The rotated files are created after tcpdump has dropped privileges (see 3.1), so the directory must be writable by user tcpdump; /tmp is, /root is not.
3.16. Select incoming or outgoing packets only (-Q in|out|inout)
Command:
tcpdump -i ens33 -X -c 2 -vvv -Q inout
Note: -Q in keeps only packets received on the interface, -Q out only packets sent from it, and -Q inout (the default) both; -P is an alias for -Q in this build (see the usage text in 3.2). Below, -Q in shows only the gateway's ACKs and -Q out only rsso's SSH segments.
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -vvv -Q inout
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:51:01.558467 IP (tos 0x10, ttl 64, id 55357, offset 0, flags [DF], proto TCP (6), length 188)
rsso.boc.com.ssh > gateway.49819: Flags [P.], cksum 0x966e (incorrect -> 0x6ee6), seq 58306868:58307016, ack 849706658, win 284, length 148
0x0000: 4510 00bc d83d 4000 4006 cc2e c0a8 0a6e E....=@.@......n
0x0010: c0a8 0a01 0016 c29b 0379 b134 32a5 7ea2 .........y.42.~.
0x0020: 5018 011c 966e 0000 0000 0070 54f5 08be P....n.....pT...
0x0030: 3440 2979 c514 abcf e202 b9a1 c252 8383 4@)y.........R..
0x0040: d557 599f e1d4 3dbd 7345 e53f c7fa db3c .WY...=.sE.?...<
0x0050: b48f 96a8 1e3b 3943 1a31 d171 8f9d b0ec .....;9C.1.q....
0x0060: fcdd 2cd9 888a c366 a6c1 2c8f a56f e983 ..,....f..,..o..
0x0070: aa64 8cb0 c6e2 50d7 f332 1c94 396f 6e1c .d....P..2..9on.
0x0080: 33cb 7801 5804 1d0d 9d30 2d4d 48b5 89a0 3.x.X....0-MH...
0x0090: 3f04 aa13 b7af 3cff 280b d0b1 34a1 7f11 ?.....<.(...4...
0x00a0: 3e2e 1c88 8824 0d27 2dda 33bb bd4d 4712 >....$.'-.3..MG.
0x00b0: a889 d365 2a8b 4b95 2e4b bd1f ...e*.K..K..
14:51:01.558675 IP (tos 0x0, ttl 128, id 5076, offset 0, flags [DF], proto TCP (6), length 40)
gateway.49819 > rsso.boc.com.ssh: Flags [.], cksum 0xe0d7 (correct), seq 1, ack 148, win 4098, length 0
0x0000: 4500 0028 13d4 4000 8006 513c c0a8 0a01 E..(..@...Q<....
0x0010: c0a8 0a6e c29b 0016 32a5 7ea2 0379 b1c8 ...n....2.~..y..
0x0020: 5010 1002 e0d7 0000 0000 0000 0000 P.............
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -vvv -Q in
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:51:11.556282 IP (tos 0x0, ttl 128, id 5092, offset 0, flags [DF], proto TCP (6), length 40)
gateway.49819 > rsso.boc.com.ssh: Flags [.], cksum 0xd644 (correct), seq 849707038, ack 58309344, win 4097, length 0
0x0000: 4500 0028 13e4 4000 8006 512c c0a8 0a01 E..(..@...Q,....
0x0010: c0a8 0a6e c29b 0016 32a5 801e 0379 bae0 ...n....2....y..
0x0020: 5010 1001 d644 0000 0000 0000 0000 P....D........
14:51:11.606545 IP (tos 0x0, ttl 128, id 5093, offset 0, flags [DF], proto TCP (6), length 40)
gateway.49819 > rsso.boc.com.ssh: Flags [.], cksum 0xd462 (correct), seq 0, ack 485, win 4095, length 0
0x0000: 4500 0028 13e5 4000 8006 512b c0a8 0a01 E..(..@...Q+....
0x0010: c0a8 0a6e c29b 0016 32a5 801e 0379 bcc4 ...n....2....y..
0x0020: 5010 0fff d462 0000 0000 0000 0000 P....b........
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -vvv -Q out
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:51:13.528047 IP (tos 0x10, ttl 64, id 55379, offset 0, flags [DF], proto TCP (6), length 188)
rsso.boc.com.ssh > gateway.49819: Flags [P.], cksum 0x966e (incorrect -> 0xd417), seq 58310904:58311052, ack 849707418, win 284, length 148
0x0000: 4510 00bc d853 4000 4006 cc18 c0a8 0a6e E....S@.@......n
0x0010: c0a8 0a01 0016 c29b 0379 c0f8 32a5 819a .........y..2...
0x0020: 5018 011c 966e 0000 0000 0070 7e60 1a54 P....n.....p~`.T
0x0030: feee 0fc9 d7d8 d09c d463 23f9 75f1 c860 .........c#.u..`
0x0040: eda8 a804 480b 2ff8 1b91 a3ad cf13 02f5 ....H./.........
0x0050: bf6a 396c 52ee f79b 4dda 4566 917a c32a .j9lR...M.Ef.z.*
0x0060: cc73 a762 d7dd dd4c 4dad 9e19 b05f 5be6 .s.b...LM...._[.
0x0070: 6345 8c23 b558 1762 398d a7ba 2777 eec4 cE.#.X.b9...'w..
0x0080: d2b9 2036 9dc2 f7db f0fa 3f1d db12 8708 ...6......?.....
0x0090: 996a 38bc 85e8 012e 8e17 cddb 9be6 7b0b .j8...........{.
0x00a0: 5ba1 f570 7927 3e26 c2a7 8502 9299 94d6 [..py'>&........
0x00b0: f0e5 bb63 cb95 70c0 9897 0354 ...c..p....T
14:51:13.529748 IP (tos 0x10, ttl 64, id 55380, offset 0, flags [DF], proto TCP (6), length 1164)
rsso.boc.com.ssh > gateway.49819: Flags [P.], cksum 0x9a3e (incorrect -> 0x1479), seq 148:1272, ack 1, win 284, length 1124
0x0000: 4510 048c d854 4000 4006 c847 c0a8 0a6e E....T@.@..G...n
0x0010: c0a8 0a01 0016 c29b 0379 c18c 32a5 819a .........y..2...
0x0020: 5018 011c 9a3e 0000 0000 0440 27a2 d1f3 P....>.....@'...
0x0030: b06b 9151 4084 e3ab c0de e310 7b3e 4585 .k.Q@.......{>E.
0x0040: 4511 8ff3 1f84 76c4 87ab 3e94 a8f4 7cc9 E.....v...>...|.
0x0050: 05a5 ddef f010 cdbd 1775 3d6d fe36 e51b .........u=m.6..
0x0060: a189 846f 0662 31b8 8f2f daf3 0328 f3b0 ...o.b1../...(..
0x0070: a0bc d48c a357 ee61 1b10 06cb b13b 75d1 .....W.a.....;u.
0x0080: f0b8 94dd 027a 3bcf ab69 a9e5 6d96 0acb .....z;..i..m...
0x0090: f58c d2f3 14a6 598b a3ed 3e7d fca0 aaa9 ......Y...>}....
0x00a0: b356 7a17 4869 3319 2d74 c38c e3e9 3605 .Vz.Hi3.-t....6.
0x00b0: e83d 326e 6f25 b627 aa3c 282b a164 5ccf .=2no%.'.<(+.d\.
0x00c0: 7806 6cc2 0e00 1a95 d4d9 ae00 a9fc bb0d x.l.............
0x00d0: 30bf 505e 7282 a81f afbd 1f11 ec1c 9b9e 0.P^r...........
0x00e0: 2a3e 0fe0 ed61 95a6 4bce 6115 d33a 2806 *>...a..K.a..:(.
0x00f0: d736 097e e527 b129 910c a2a5 c49d 7ed0 .6.~.'.)......~.
0x0100: c3e5 59e5 98a4 cc5c 91e6 408d 22dc 9794 ..Y....\..@."...
0x0110: 5c78 1f48 81ed 9dee 208b 37e6 9a02 82a7 \x.H......7.....
0x0120: 6b33 d845 d47f 4d2a f143 e9c2 a5ce ccfa k3.E..M*.C......
0x0130: 117c 3d46 cc6f 7da6 8413 ef46 806a ffd5 .|=F.o}....F.j..
0x0140: f964 15e4 3ecc f8fa da51 d977 ddad 9f39 .d..>....Q.w...9
0x0150: 8abf b394 a060 fb17 3736 f5ab 85da f403 .....`..76......
0x0160: 6d8a 13d3 e19a 3a92 f10b 14ed e375 0643 m.....:......u.C
0x0170: fd7e 15c9 20d1 c8b7 70a0 0f26 9221 38db .~......p..&.!8.
0x0180: 274d 12b4 0bb8 8f9f 07cb e8bd ec69 5a2b 'M...........iZ+
0x0190: a3bb cac8 356d a40f 175e 4cae a7ee bcd8 ....5m...^L.....
0x01a0: b877 ca12 f2c5 45e3 3df0 3ac9 5b40 cfee .w....E.=.:.[@..
0x01b0: 33d9 2f42 c0dc df66 5cc1 1011 7b8d 22e3 3./B...f\...{.".
0x01c0: c782 46a1 f26b 887f 2ab9 7873 9540 72e9 ..F..k..*.xs.@r.
0x01d0: 12b3 2819 9928 7275 db09 c9bd f32f 4396 ..(..(ru...../C.
0x01e0: d488 e8a6 4748 2f4c 351c 7bf7 cdda 25df ....GH/L5.{...%.
0x01f0: ee95 f6af 6ec6 0bb4 eeb0 d1cd 7f2a 94fa ....n........*..
0x0200: a6d2 2951 5533 2bf4 c3d4 8154 e674 4dd2 ..)QU3+....T.tM.
0x0210: dc49 40b1 d95d 4a00 3174 2dae 0e7c 382e .I@..]J.1t-..|8.
0x0220: d982 1631 4943 8376 3960 354b 6869 8bac ...1IC.v9`5Khi..
0x0230: c590 11ea f0fc 736a a2bb 5fcf cbff 0fa2 ......sj.._.....
0x0240: b3a2 d0f7 c42d dbc5 f13f 5de7 3764 940f .....-...?].7d..
0x0250: 767f bb66 2db4 13a3 f126 0c7a 739f aff0 v..f-....&.zs...
0x0260: b066 9747 0430 27f9 413f 24ff 59a4 2047 .f.G.0'.A?$.Y..G
0x0270: b2f1 0247 9fd1 3bc1 eb51 5164 d416 7c45 ...G..;..QQd..|E
0x0280: 3967 9980 eb7f efc6 2f37 6695 f6f8 e5f4 9g....../7f.....
0x0290: d4e8 4e8e 2a4a e7c7 6f28 9b1f a53d 0d12 ..N.*J..o(...=..
0x02a0: 35a7 60a5 2c13 f677 a22b 055e 8c0d 6441 5.`.,..w.+.^..dA
0x02b0: f575 da54 650e c786 1cc8 e777 6155 c173 .u.Te......waU.s
0x02c0: bfa1 7d48 2fce 4806 29e4 aed1 212c 9987 ..}H/.H.)...!,..
0x02d0: 8de4 2e55 4ef9 d873 0192 d335 2273 db94 ...UN..s...5"s..
0x02e0: 8eb3 81ce 5577 d92d a767 6957 4035 c4d3 ....Uw.-.giW@5..
0x02f0: 8d35 2af3 c6ba b95d e0ca 991b 7e1b b735 .5*....]....~..5
0x0300: e3b4 2e11 fcc0 3697 3f3e 166a 7fa5 3fcb ......6.?>.j..?.
0x0310: 0f58 39a7 a3a2 78df 00a0 34f5 3041 703d .X9...x...4.0Ap=
0x0320: 0ded c1e7 bae8 4837 f69a b075 e751 91ba ......H7...u.Q..
0x0330: 0110 8c2c 9968 c048 f52f 8368 d111 efa2 ...,.h.H./.h....
0x0340: 81c6 4677 5e23 cbd2 ccda abf9 4c18 a0f8 ..Fw^#......L...
0x0350: fac2 1228 7533 4500 4df0 6c72 82d8 c820 ...(u3E.M.lr....
0x0360: 65b2 1ae9 3be5 744b aa01 18df 7ebd 1b84 e...;.tK....~...
0x0370: e43c b0d0 d881 51b2 fd48 6552 de59 8326 .<....Q..HeR.Y.&
0x0380: 952f 7275 49a7 2850 e24b 04fb 50a3 ee2f ./ruI.(P.K..P../
0x0390: a263 1119 4040 29a6 6974 b4f3 0fb8 2299 .c..@@).it....".
0x03a0: d32e c37f d9f6 2cc8 eb40 53c7 baf9 3148 ......,..@S...1H
0x03b0: c4f0 42b8 b958 adac 1de4 d779 11d8 fdee ..B..X.....y....
0x03c0: f5d4 4ad2 123b cf65 c642 a852 8720 d86b ..J..;.e.B.R...k
0x03d0: 1317 4fcb 03d2 6a90 0a10 f661 2090 aea1 ..O...j....a....
0x03e0: 86f2 c8ea 26a1 fb32 9872 14a8 6a9b 2efe ....&..2.r..j...
0x03f0: 128e f0bc f73c 13e0 1733 d10e b6ee 319e .....<...3....1.
0x0400: 9098 bfc8 64b7 fdae 5faa 119d 987f 837e ....d..._......~
0x0410: 4765 168f 0c1a a586 ddcc 7105 223f 744c Ge........q."?tL
0x0420: b40a f941 d3a2 dd7d fde9 cfed 2ba2 2c06 ...A...}....+.,.
0x0430: 3d9f 8244 0051 f2ca 5b18 0a19 65d6 4094 =..D.Q..[...e.@.
0x0440: 0d1e 44f3 7c24 a2dd ce9d d92c f417 5acf ..D.|$.....,..Z.
0x0450: 2f1e 9849 4f43 ecf9 f4fe 5cde 22c1 f233 /..IOC....\."..3
0x0460: 8b68 7166 a3cd 2dae 734e c899 0fd4 e0ec .hqf..-.sN......
0x0470: 8949 1c59 b468 4962 3f49 d808 1bf4 44bb .I.Y.hIb?I....D.
0x0480: bde4 97af 8881 ea77 8eac 539d .......w..S.
2 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.17. Concise output
Command:
tcpdump -i ens33 -X -c 2 -vvv -q
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -vvv -q
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:52:18.831613 IP (tos 0x10, ttl 64, id 55407, offset 0, flags [DF], proto TCP (6), length 188)
rsso.boc.com.ssh > gateway.49819: tcp 148
0x0000: 4510 00bc d86f 4000 4006 cbfc c0a8 0a6e E....o@.@......n
0x0010: c0a8 0a01 0016 c29b 0379 e068 32a5 8562 .........y.h2..b
0x0020: 5018 011c 966e 0000 0000 0070 235f db46 P....n.....p#_.F
0x0030: df2b c5a0 8f61 2743 257f 72b9 f366 b00f .+...a'C%.r..f..
0x0040: d7c4 57b0 be29 e4c0 b893 7a62 d66b 408c ..W..)....zb.k@.
0x0050: 4379 36a2 73ab a30a c32a 6072 a4eb 911b Cy6.s....*`r....
0x0060: 857e 2176 7a70 35b7 84b1 a905 a042 7422 .~!vzp5......Bt"
0x0070: 16b8 9c51 8999 8235 7da7 7d30 0847 dd54 ...Q...5}.}0.G.T
0x0080: 6871 31b7 381d b837 83e4 8fd5 7da7 7cbd hq1.8..7....}.|.
0x0090: be1d b418 4fd0 4d5a 4055 8487 81b5 bb17 ....O.MZ@U......
0x00a0: 2b59 78ad d900 7592 136d 709e 5d31 86d1 +Yx...u..mp.]1..
0x00b0: b492 0552 201f c5b7 6373 2961 ...R....cs)a
14:52:18.831874 IP (tos 0x0, ttl 128, id 5147, offset 0, flags [DF], proto TCP (6), length 40)
gateway.49819 > rsso.boc.com.ssh: tcp 0
0x0000: 4500 0028 141b 4000 8006 50f5 c0a8 0a01 E..(..@...P.....
0x0010: c0a8 0a6e c29b 0016 32a5 8562 0379 e0fc ...n....2..b.y..
0x0020: 5010 1004 aae1 0000 0000 0000 0000 P.............
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.18. Show the list of all available network interfaces
Command:
tcpdump -D
[root@rsso ~]# tcpdump -D
1.nflog (Linux netfilter log (NFLOG) interface)
2.nfqueue (Linux netfilter queue (NFQUEUE) interface)
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.ens33
6.any (Pseudo-device that captures on all interfaces)
7.lo [Loopback]
[root@rsso ~]#
3.19. List the known data link types of a network interface
Command:
tcpdump -L
[root@rsso ~]# tcpdump -L
Data link types for nflog (use option -y to set):
NFLOG (Linux netfilter log messages) (printing not supported)
IPV4 (Raw IPv4)
[root@rsso ~]#
3.20. Specify the capture length (snapshot length) of each packet
Command:
tcpdump -i ens33 -X -c 2 -vvv -s 30
Note: the unit is bytes, replacing the default of 262144 bytes; a packet that exceeds the configured limit is truncated, and the printed line carries a marker of the form [|proto], where proto is the protocol name of the truncated packet. However, the longer the capture length, the longer each packet takes to process and the fewer packets tcpdump can buffer, which can lead to dropped packets; so as long as the packets we want are still captured, the smaller the snapshot length the better (tcpdump -s 0 uses the default length of 262144). Also note that the default capture length differs between tcpdump versions.
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -vvv -s 30
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 30 bytes
14:54:39.164256 IP [|ip]
0x0000: 4510 00ac d8a7 4000 4006 cbd4 c0a8 0a6e E.....@.@......n
14:54:39.164643 IP [|ip]
0x0000: 4500 0028 1472 4000 8006 509e c0a8 0a01 E..(.r@...P.....
2 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.21. Print all packets in ASCII while reading from a capture file
Command:
tcpdump -A -r /tmp/aa.cap
[root@rsso ~]# tcpdump -A -r /tmp/aa.cap
reading from file /tmp/aa.cap, link-type EN10MB (Ethernet)
13:43:47.998048 IP rsso.boc.com.ssh > gateway.51842: Flags [P.], seq 598307050:598307198, ack 2762082058, win 284, length 148
E....n@.@.....
n..
.....#.p....
P....n.....pW..I.......<..AD5y...g....M`.].........#..:Z..n......>.....k...XI...uBY.M!..k{...^.M....7. {.s...VM.....g..............Sq...z]y3...Mn<_..$.."..\
13:43:48.054743 IP gateway.51842 > rsso.boc.com.ssh: Flags [.], ack 148, win 508, length 0
E..(4.@...0p..
...
n.......
#.q~P.............
[root@rsso ~]#
3.22. Print the full packet data in both hex and ASCII
Command:
tcpdump -X -r /tmp/aa.cap
Note: -X and -A cannot be used together
[root@rsso ~]# tcpdump -X -r /tmp/aa.cap
reading from file /tmp/aa.cap, link-type EN10MB (Ethernet)
13:43:47.998048 IP rsso.boc.com.ssh > gateway.51842: Flags [P.], seq 598307050:598307198, ack 2762082058, win 284, length 148
0x0000: 4510 00bc 986e 4000 4006 0bfe c0a8 0a6e E....n@.@......n
0x0010: c0a8 0a01 0016 ca82 23a9 70ea a4a2 070a ........#.p.....
0x0020: 5018 011c 966e 0000 0000 0070 57ce 9f49 P....n.....pW..I
0x0030: dcaf e813 8a03 dc3c db94 4144 3579 83f6 .......<..AD5y..
0x0040: 9967 d907 8cb4 4d60 b55d a89a 87d4 bd1f .g....M`.]......
0x0050: 86ab 8d23 aaef 3a5a cb86 6e02 e1cf bd17 ...#..:Z..n.....
0x0060: 9b3e b2f6 a39d 2e6b b719 8058 49dd dd0d .>.....k...XI...
0x0070: 7542 59af 4d21 daa6 6b7b 9cdd 195e d64d uBY.M!..k{...^.M
0x0080: a9ed 81a9 3799 097b 1b73 9192 c556 4da1 ....7..{.s...VM.
0x0090: 8fa1 849f 67e7 d499 c9a7 84e1 a711 e6c1 ....g...........
0x00a0: ac14 0853 7189 c69d 7a5d 7933 9290 904d ...Sq...z]y3...M
0x00b0: 6e3c 5fbd 1224 b39d 229d ec5c n<_..$.."..\
13:43:48.054743 IP gateway.51842 > rsso.boc.com.ssh: Flags [.], ack 148, win 508, length 0
0x0000: 4500 0028 34a0 4000 8006 3070 c0a8 0a01 E..(4.@...0p....
0x0010: c0a8 0a6e ca82 0016 a4a2 070a 23a9 717e ...n........#.q~
0x0020: 5010 01fc 0cac 0000 0000 0000 0000 P.............
[root@rsso ~]#
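As an added example (not code from the original page), the following Python script parses the hex column of the tcpdump -X output shown in 3.20 and 3.22 above, decodes the IPv4 header, verifies its checksum, and reports [|ip] when the snapshot length cut the header short. The two sample dumps are copied from the page's own output; the parser assumes the ASCII column never contains spaces, which holds because tcpdump prints '.' for every non-graphic byte.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Offset prefix of a `tcpdump -X` hex line, e.g. "0x0010: ".
OFFSET_RE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s*")
HEX_GROUP_RE = re.compile(r"[0-9a-fA-F]{2,4}")

# Constructed input, copied from the -s 30 run in 3.20: tcpdump prints "[|ip]"
# and only one hex line, because 30 - 14 (Ethernet) leaves 16 bytes of IP.
SNAPLEN30_DUMP = """14:54:39.164256 IP [|ip]
0x0000: 4510 00ac d8a7 4000 4006 cbd4 c0a8 0a6e E.....@.@......n
"""

# Constructed input, copied from the first packet of the -X run in 3.22.
FULL_DUMP = """13:43:47.998048 IP rsso.boc.com.ssh > gateway.51842: Flags [P.], seq 598307050:598307198, ack 2762082058, win 284, length 148
0x0000: 4510 00bc 986e 4000 4006 0bfe c0a8 0a6e E....n@.@......n
0x0010: c0a8 0a01 0016 ca82 23a9 70ea a4a2 070a ........#.p.....
0x0020: 5018 011c 966e 0000 0000 0070 57ce 9f49 P....n.....pW..I
"""


@dataclass
class IPv4Header:
    ihl_bytes: int
    tos: int
    total_length: int
    identification: int
    dont_fragment: bool
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str
    src_port: Optional[int]  # filled in for TCP/UDP when the bytes were captured
    dst_port: Optional[int]


def parse_hex_dump(text: str) -> bytes:
    """Reassemble packet bytes from the hex column of `tcpdump -X` output.

    Summary lines carry no "0x....:" offset and are skipped. On a hex line the
    last token is the ASCII column; its length (one character per byte) tells
    us how many 16-bit hex groups precede it, so a short trailing line is
    handled without relying on column positions.
    """
    out = bytearray()
    for line in text.splitlines():
        m = OFFSET_RE.match(line)
        if not m:
            continue
        tokens = line[m.end():].split()
        if not tokens:
            continue
        ascii_col, groups = tokens[-1], tokens[:-1]
        if len(groups) != (len(ascii_col) + 1) // 2 or not all(HEX_GROUP_RE.fullmatch(g) for g in groups):
            raise ValueError(f"not a tcpdump -X line: {line!r}")
        out.extend(bytes.fromhex("".join(groups)))
    return bytes(out)


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791 header checksum: the one's-complement sum of all 16-bit words,
    checksum field included, folds to 0xFFFF for an intact header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4(raw: bytes) -> Optional[IPv4Header]:
    """Decode the IPv4 header that `-X` prints first (the link-layer header is
    only shown with -e/-XX). Returns None when fewer bytes than the header
    length were captured, which is the condition tcpdump reports as "[|ip]"."""
    if len(raw) < 20:
        return None
    vihl, tos, tot_len, ident, frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl_bytes = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl_bytes < 20 or len(raw) < ihl_bytes:
        return None
    src_port = dst_port = None
    if proto in (6, 17) and len(raw) >= ihl_bytes + 4:  # TCP or UDP ports follow the IP header
        src_port, dst_port = struct.unpack("!HH", raw[ihl_bytes:ihl_bytes + 4])
    return IPv4Header(
        ihl_bytes=ihl_bytes, tos=tos, total_length=tot_len, identification=ident,
        dont_fragment=bool(frag & 0x4000), ttl=ttl, protocol=proto,
        checksum_ok=ip_checksum_ok(raw[:ihl_bytes]),
        src=".".join(map(str, raw[12:16])), dst=".".join(map(str, raw[16:20])),
        src_port=src_port, dst_port=dst_port)


def summarize(dump_text: str) -> str:
    """One-line description in the spirit of tcpdump's own -v summary line."""
    hdr = decode_ipv4(parse_hex_dump(dump_text))
    if hdr is None:
        return "IP [|ip]"
    return (f"IP {hdr.src}.{hdr.src_port} > {hdr.dst}.{hdr.dst_port}: "
            f"tos 0x{hdr.tos:x}, ttl {hdr.ttl}, id {hdr.identification}, "
            f"{'DF' if hdr.dont_fragment else 'no DF'}, proto {hdr.protocol}, "
            f"length {hdr.total_length}, checksum {'ok' if hdr.checksum_ok else 'BAD'}")


if __name__ == "__main__":
    print(summarize(SNAPLEN30_DUMP))
    print(summarize(FULL_DUMP))
```

The decoded values (tos 0x10, ttl 64, length 188, ports 22 and 51842) match what tcpdump itself printed for this packet on the page, and the -s 30 dump yields the same [|ip] verdict.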
3.23. Capture using a filter expression read from a file
Command:
vim filter_rule
tcp port 22
tcpdump -i ens33 -F filter_rule -c 2
Note: any filter expression given on the command line is then ignored and only the rules in the file apply; this suits keeping expressions in a file for long-term maintenance
[root@rsso ~]# tcpdump -i ens33 -F filter_rule -X -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:04:06.281745 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58378668:58378880, ack 849737254, win 284, length 212
0x0000: 4510 00fc dac9 4000 4006 c962 c0a8 0a6e E.....@.@..b...n
0x0010: c0a8 0a01 0016 c29b 037a c9ac 32a5 f626 .........z..2..&
0x0020: 5018 011c 96ae 0000 0000 00b0 9393 4da3 P.............M.
0x0030: a733 ae2a 9673 7a0b e95c 63a9 6e3c 9c3c .3.*.sz..\c.n<.<
0x0040: b341 3e67 73a7 7b6a e620 b365 19d1 eac7 .A>gs.{j...e....
0x0050: 4f71 d412 9eb5 f408 527a 493e 028e 416f Oq......RzI>..Ao
0x0060: 8a96 d79e dd60 7ee4 4019 39b8 2579 2200 .....`~.@.9.%y".
0x0070: fdcd e9c8 af91 cf82 6dfa 93c2 7d5c c5d5 ........m...}\..
0x0080: 3c87 d016 6f55 5f44 c177 a5c2 fefd 10d1 <...oU_D.w......
0x0090: d0fc a3a8 039f 6d68 03ac c9d1 9693 a2af ......mh........
0x00a0: a220 9022 3f4c 92ed 3b35 2f57 2684 d854 ..."?L..;5/W&..T
0x00b0: 9081 c5cf 8273 23f9 e24a deca 6622 a80b .....s#..J..f"..
0x00c0: 4c2f b02d 06cf 0208 0a63 0c00 4ab6 f7a3 L/.-.....c..J...
0x00d0: b6da e4d5 0085 aea6 e571 96ad 8c92 0901 .........q......
0x00e0: 47be 95ae b60e 0321 56e1 ba7f 2b8f ab68 G......!V...+..h
0x00f0: 8010 890e a733 af36 ef3f b540 .....3.6.?.@
15:04:06.282238 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4097, length 0
0x0000: 4500 0028 17da 4000 8006 4d36 c0a8 0a01 E..(..@...M6....
0x0010: c0a8 0a6e c29b 0016 32a5 f626 037a ca80 ...n....2..&.z..
0x0020: 5010 1001 509b 0000 0000 0000 0000 P...P.........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.24. Line-buffer standard output
Command:
tcpdump -i ens33 -X -c 2 -l |tee tt.cap
[root@rsso ~]# tcpdump -i ens33 -X -c 2 -l |tee tt.cap
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2 packets captured
2 packets received by filter
0 packets dropped by kernel
15:08:58.350124 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58404700:58404912, ack 849749934, win 284, length 212
0x0000: 4510 00fc dbce 4000 4006 c85d c0a8 0a6e E.....@.@..]...n
0x0010: c0a8 0a01 0016 c29b 037b 2f5c 32a6 27ae .........{/\2.'.
0x0020: 5018 011c 96ae 0000 0000 00b0 9ed4 6b2a P.............k*
0x0030: 5ead bbd3 4dfe 741f e849 1586 3d99 a7e4 ^...M.t..I..=...
0x0040: c5fc a10b 138e d6a3 d611 f6e4 ae7d 45f3 .............}E.
0x0050: 3e18 b61e 0828 1084 4feb 7c5b 1907 382b >....(..O.|[..8+
0x0060: 848c 310c 80a2 be15 b592 c14f 0914 96e5 ..1........O....
0x0070: 08b9 fbbd 0346 db67 fba0 983e 8bc6 dd83 .....F.g...>....
0x0080: 2fc2 fafe b105 5cb8 8f70 ed87 cfb9 1451 /.....\..p.....Q
0x0090: f017 d2e3 ca91 c757 0321 2ac0 8a6a 400c .......W.!*..j@.
0x00a0: e56c fb56 8272 61c6 5bde f1f9 8e61 682d .l.V.ra.[....ah-
0x00b0: e0f0 9ed4 6ac5 1ad0 1adc 132d 5497 3849 ....j......-T.8I
0x00c0: 9717 ecd3 7e49 b681 b351 60f4 9347 0997 ....~I...Q`..G..
0x00d0: 9b91 b5da fd14 207f 3752 7770 b7c4 b980 ........7Rwp....
0x00e0: 058b 933b 0fe7 fd0e a8ca a578 5ff7 5f7c ...;.......x_._|
0x00f0: d1d3 43c6 4e2c c87b f974 8329 ..C.N,.{.t.)
15:08:58.350379 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4097, length 0
0x0000: 4500 0028 1973 4000 8006 4b9d c0a8 0a01 E..(.s@...K.....
0x0010: c0a8 0a6e c29b 0016 32a6 27ae 037b 3030 ...n....2.'..{00
0x0020: 5010 1001 b962 0000 0000 0000 0000 P....b........
[root@rsso ~]# cat tt.cap
15:08:58.350124 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58404700:58404912, ack 849749934, win 284, length 212
0x0000: 4510 00fc dbce 4000 4006 c85d c0a8 0a6e E.....@.@..]...n
0x0010: c0a8 0a01 0016 c29b 037b 2f5c 32a6 27ae .........{/\2.'.
0x0020: 5018 011c 96ae 0000 0000 00b0 9ed4 6b2a P.............k*
0x0030: 5ead bbd3 4dfe 741f e849 1586 3d99 a7e4 ^...M.t..I..=...
0x0040: c5fc a10b 138e d6a3 d611 f6e4 ae7d 45f3 .............}E.
0x0050: 3e18 b61e 0828 1084 4feb 7c5b 1907 382b >....(..O.|[..8+
0x0060: 848c 310c 80a2 be15 b592 c14f 0914 96e5 ..1........O....
0x0070: 08b9 fbbd 0346 db67 fba0 983e 8bc6 dd83 .....F.g...>....
0x0080: 2fc2 fafe b105 5cb8 8f70 ed87 cfb9 1451 /.....\..p.....Q
0x0090: f017 d2e3 ca91 c757 0321 2ac0 8a6a 400c .......W.!*..j@.
0x00a0: e56c fb56 8272 61c6 5bde f1f9 8e61 682d .l.V.ra.[....ah-
0x00b0: e0f0 9ed4 6ac5 1ad0 1adc 132d 5497 3849 ....j......-T.8I
0x00c0: 9717 ecd3 7e49 b681 b351 60f4 9347 0997 ....~I...Q`..G..
0x00d0: 9b91 b5da fd14 207f 3752 7770 b7c4 b980 ........7Rwp....
0x00e0: 058b 933b 0fe7 fd0e a8ca a578 5ff7 5f7c ...;.......x_._|
0x00f0: d1d3 43c6 4e2c c87b f974 8329 ..C.N,.{.t.)
15:08:58.350379 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4097, length 0
0x0000: 4500 0028 1973 4000 8006 4b9d c0a8 0a01 E..(.s@...K.....
0x0010: c0a8 0a6e c29b 0016 32a6 27ae 037b 3030 ...n....2.'..{00
0x0020: 5010 1001 b962 0000 0000 0000 0000 P....b........
[root@rsso ~]#
3.25. Capture packets from a given IP host and port
Command:
tcpdump -i ens33 src 192.168.10.110 and port 22 -X -c 2
[root@rsso ~]# tcpdump -i ens33 src 192.168.10.110 and port 22 -X -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:13:02.581172 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58793448:58793660, ack 849760258, win 284, length 212
0x0000: 4510 00fc e56f 4000 4006 bebc c0a8 0a6e E....o@.@......n
0x0010: c0a8 0a01 0016 c29b 0381 1de8 32a6 5002 ............2.P.
0x0020: 5018 011c 96ae 0000 0000 00b0 4b88 fd3e P...........K..>
0x0030: befe 20cd ab0c f95b 3173 4a8d 4257 ad4a .......[1sJ.BW.J
0x0040: 7f36 7268 ccdf 0d47 051e cf91 af7d 3cd9 .6rh...G.....}<.
0x0050: e23c bd9d 48b5 da77 8848 4e86 2e44 0623 .<..H..w.HN..D.#
0x0060: cda3 3bb4 b15f 6a67 2a75 a6c6 331b 9f17 ..;.._jg*u..3...
0x0070: 7c96 0205 e841 a161 1559 8309 68e1 66d0 |....A.a.Y..h.f.
0x0080: 3b10 5dfb 91c9 970a 35d4 4ad1 654f 4dc6 ;.].....5.J.eOM.
0x0090: 639a 09fc 2893 ef3a 816d b4bc 104a c8d8 c...(..:.m...J..
0x00a0: 60f6 4775 2969 b769 ca05 0f59 dd64 cdef `.Gu)i.i...Y.d..
0x00b0: 0536 bfbd cb35 db8a 9581 de0f 4b17 3be6 .6...5......K.;.
0x00c0: 6289 8e86 895b 4ec5 860f 4586 22b0 84ec b....[N...E."...
0x00d0: 23db 020c 5fe3 bafe e5ed b21c 7785 c026 #..._.......w..&
0x00e0: 0a1d 5d05 ba25 8a51 a96c 8040 678e 985d ..]..%.Q.l.@g..]
0x00f0: d410 f8e3 d2da f89e e1b8 f4ea ............
15:13:02.582220 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 212:1496, ack 1, win 284, length 1284
0x0000: 4510 052c e570 4000 4006 ba8b c0a8 0a6e E..,.p@.@......n
0x0010: c0a8 0a01 0016 c29b 0381 1ebc 32a6 5002 ............2.P.
0x0020: 5018 011c 9ade 0000 0000 04e0 453b bf7a P...........E;.z
0x0030: 7e2e 2a18 bb88 303f 67c1 1009 9590 b537 ~.*...0?g......7
0x0040: 0db0 20f0 2b91 10cc d2b1 c2b0 8fa5 3fe0 ....+.........?.
0x0050: 0ef8 f5a1 9292 06af 7cab d587 f3a7 f82d ........|......-
0x0060: b42f 0819 ecff f3c0 05c1 0027 31a6 d8b6 ./.........'1...
0x0070: 8129 68d0 24cd 557e 9e43 9b39 a2f0 625a .)h.$.U~.C.9..bZ
0x0080: 99dd ed1d 6a4a 9ae4 b418 94ef d9b0 816b ....jJ.........k
0x0090: 007f 8991 c4c9 12fa 530b 1048 8ac8 b02d ........S..H...-
0x00a0: 1eaa 1403 cde4 01ff e2ba fecd 9742 4666 .............BFf
0x00b0: 5d95 2402 948b e032 13eb c6e4 b814 73a4 ].$....2......s.
0x00c0: bd14 e3e3 60f1 e54f 4dae 061b 7322 c11b ....`..OM...s"..
0x00d0: 92e8 f001 dfa1 ae08 94e5 de92 0950 2494 .............P$.
0x00e0: a57e 0159 7955 f43c 8cd1 f59e 70f3 373b .~.YyU.<....p.7;
0x00f0: e9eb d62f 3f1c feeb ca86 ed82 86ef 6154 .../?.........aT
0x0100: 3658 af3b 5550 3645 9ad5 a840 5667 0a2e 6X.;UP6E...@Vg..
0x0110: 32e7 acba e0ea 1c04 20d5 f06d d7f4 bbbb 2..........m....
0x0120: fa28 175d adaa dcd8 799c a952 fd6a 6fce .(.]....y..R.jo.
0x0130: 1897 a5bc 4aac a0c9 9a56 2700 8037 db92 ....J....V'..7..
0x0140: 88cc e84a e1c1 25da 6828 70c7 408f bfb7 ...J..%.h(p.@...
0x0150: df98 9e92 2705 6947 6e3b b37c 184f 693e ....'.iGn;.|.Oi>
0x0160: 0b9e 5015 0ac0 cf86 07ef 5035 8630 8d60 ..P.......P5.0.`
0x0170: 6756 eb5c 2936 c4fd bd59 4082 85b1 6729 gV.\)6...Y@...g)
0x0180: db7b ff82 5787 a78f 4d36 f7bc 4876 e418 .{..W...M6..Hv..
0x0190: e279 9801 a278 d326 2411 bedd 6f84 8202 .y...x.&$...o...
0x01a0: 0d08 b34e 2b26 a158 77b3 498a aaea f5ee ...N+&.Xw.I.....
0x01b0: 4308 2513 4f49 7541 29f5 78a5 0d52 2a93 C.%.OIuA).x..R*.
0x01c0: 1d50 40c1 a088 362d 9ec5 4e49 c69a 3d70 .P@...6-..NI..=p
0x01d0: d698 a488 ec55 1cf2 77d5 b47c 6333 9fa7 .....U..w..|c3..
0x01e0: 5345 4fc6 8723 3148 9e08 9f3b 07c8 1433 SEO..#1H...;...3
0x01f0: 9012 bfbf 31d5 f5ad a488 b15d c437 2e4a ....1......].7.J
0x0200: a442 c13d 7f7a 281e edc2 3cad 73d2 0fe4 .B.=.z(...<.s...
0x0210: 9a80 1e63 476b 3ca8 d02f 886a 67d4 5ef8 ...cGk<../.jg.^.
0x0220: 1795 e7d4 6fb3 99f1 3530 ce90 8ec3 b515 ....o...50......
0x0230: 2b6c 2f24 1b6e 41ec f8db 1e0f 2fd1 e520 +l/$.nA...../...
0x0240: b7b0 dd32 a5b0 7d26 fc90 3f4f 43c7 bd54 ...2..}&..?OC..T
0x0250: 125d 0bdb 5e3e 72c0 30e4 1669 a033 bde7 .]..^>r.0..i.3..
0x0260: 16b9 3994 d481 fff4 f183 8483 a013 a68f ..9.............
0x0270: 138f 74e1 a45b f55b 2831 8d5d f59d 6b15 ..t..[.[(1.]..k.
0x0280: aa30 9f6a 6e17 7088 760d 66c7 032b dec0 .0.jn.p.v.f..+..
0x0290: e44b da92 579e 6c04 9e09 506a bb8e c70a .K..W.l...Pj....
0x02a0: b636 f3fa a30c 0642 20e4 72b6 4c5f 28f3 .6.....B..r.L_(.
0x02b0: f5ef 0406 7101 a7d0 c163 7bb1 fd6f 1cc4 ....q....c{..o..
0x02c0: c9a7 493e 7e92 b49c 6f62 0290 66c3 eea4 ..I>~...ob..f...
0x02d0: 92e8 2abe 2d4b 7696 1e3f 9059 bb67 70d7 ..*.-Kv..?.Y.gp.
0x02e0: f9b7 20c4 ed8f cab6 e891 9547 543a 60fb ...........GT:`.
0x02f0: e92e 1c69 f94b 0a14 8a17 31fc 35d4 4cac ...i.K....1.5.L.
0x0300: de37 d760 ea69 a33c 711e 8d87 7cd6 a7a6 .7.`.i.<q...|...
0x0310: 163e 0d59 3d5b 5b0b 51d6 d311 b654 e550 .>.Y=[[.Q....T.P
0x0320: a899 97a7 4455 cc88 5279 3571 48c7 dbb9 ....DU..Ry5qH...
0x0330: eaf6 6a38 f4b0 521f f69b 1917 4f87 612c ..j8..R.....O.a,
0x0340: dd7d 4387 0b95 66c7 3e87 36ef 332c 91db .}C...f.>.6.3,..
0x0350: aafd d0fe bc4e 26c5 7b24 3702 f07d 7ea6 .....N&.{$7..}~.
0x0360: b8f9 f4be a668 481d 5dca aa19 ea72 7f1b .....hH.]....r..
0x0370: 9dcc 6a05 c8d2 b61b 3a0c 19d6 e4eb b605 ..j.....:.......
0x0380: d744 c191 bf76 15f1 553f 075d 7e0a e0f5 .D...v..U?.]~...
0x0390: 751b 9eb8 a141 463d ee8a 65f4 8322 02c4 u....AF=..e.."..
0x03a0: bc3d 0451 616d 34d4 0d06 b20c 872f 5399 .=.Qam4....../S.
0x03b0: 22df 1df3 5974 051f 090b 3d50 8327 f2b9 "...Yt....=P.'..
0x03c0: b6c2 593a 91e2 5ca2 d4a3 e02c 3283 fa6c ..Y:..\....,2..l
0x03d0: 5800 d28c 3ab7 48c8 472e 38b4 a47a 2f66 X...:.H.G.8..z/f
0x03e0: d345 7a16 91f8 e454 2a3c 0928 f5df 3765 .Ez....T*<.(..7e
0x03f0: 5938 5171 91d2 9e48 fca3 c884 b347 7658 Y8Qq...H.....GvX
0x0400: 04a3 8f20 6861 81ae f1e5 158b 8391 815b ....ha.........[
0x0410: 965e 0682 1694 af09 944d 0023 1d88 a7fd .^.......M.#....
0x0420: 3651 5f6b d66b c71f e0b8 ea31 bae5 3f72 6Q_k.k.....1..?r
0x0430: 7224 c04f 8141 e6c3 2549 4aa1 769f ab39 r$.O.A..%IJ.v..9
0x0440: fb84 4418 0e6a 8231 ae26 8498 fbe4 b505 ..D..j.1.&......
0x0450: 7939 01c5 867c fe74 1f07 832b bfd3 fcb2 y9...|.t...+....
0x0460: aa1c c7c6 a546 461d 47b0 a9fa e167 e712 .....FF.G....g..
0x0470: 086e f77b d886 c0e3 46fd 4444 75bf 75a9 .n.{....F.DDu.u.
0x0480: f0d4 19ed 1582 dbe6 a6e1 0cb0 d183 16b9 ................
0x0490: 0fbd aba4 ab80 ba92 1fa4 c43d 4ba4 77d6 ...........=K.w.
0x04a0: 82fc 8887 9384 8637 8630 c6b8 5de5 230b .......7.0..].#.
0x04b0: a406 f3b2 8ed1 583e 9924 c66f 52f7 0eb2 ......X>.$.oR...
0x04c0: 1997 76a0 b057 944e 9ef8 0c22 9e4c 6340 ..v..W.N...".Lc@
0x04d0: 6327 f476 adad 03a5 0777 ba1f 180e 0206 c'.v.....w......
0x04e0: eba3 2d29 7241 80c1 bee6 bd53 b0d1 2ede ..-)rA.....S....
0x04f0: 4d3c b4c1 4c60 83a7 93ef 6dfa 0982 14c7 M<..L`....m.....
0x0500: 5465 b854 7e9a 1a1c befd fdbb 4a0b b16f Te.T~.......J..o
0x0510: 1aca 3847 d4d9 83ef ca68 af86 cf56 ef9d ..8G.....h...V..
0x0520: 6138 e64b 5a09 a585 1069 d94a a8.KZ....i.J
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.26. Capture packets on UDP port 22 or TCP port 22
Command:
tcpdump -i ens33 -X -c 2 tcp port 22 or udp port 22
[root@rsso ~]# tcpdump -i ens33 -X -c 2 tcp port 22 or udp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:14:10.372787 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58807596:58807808, ack 849765834, win 284, length 212
0x0000: 4510 00fc e5e1 4000 4006 be4a c0a8 0a6e E.....@.@..J...n
0x0010: c0a8 0a01 0016 c29b 0381 552c 32a6 65ca ..........U,2.e.
0x0020: 5018 011c 96ae 0000 0000 00b0 c2d6 ff0f P...............
0x0030: 844c 9c11 8ca0 154c cf33 7a73 cd26 60ac .L.....L.3zs.&`.
0x0040: 6294 eacc a592 4899 2ac2 ea3f 5cf3 795e b.....H.*..?\.y^
0x0050: f02d 2957 96f5 da4b 13be 79c0 a7be 961f .-)W...K..y.....
0x0060: bb1c 6a77 72af 9c1d d380 b7e6 55a8 551d ..jwr.......U.U.
0x0070: f6df 9bc7 1bbf d69d 1530 61cb 01c1 613c .........0a...a<
0x0080: eba3 9f60 1233 ffeb f1cd ae8b d960 2ed5 ...`.3.......`..
0x0090: e0c7 92cc 9924 3c27 b82e 4ed4 f5dd 7a98 .....$<'..N...z.
0x00a0: a160 7a95 5b8b 7624 c5a8 aac6 c9bb 24a3 .`z.[.v$......$.
0x00b0: 2893 7c32 79d5 638d 42bf 1228 1fd6 3ba8 (.|2y.c.B..(..;.
0x00c0: a852 f8e1 390b 4c30 f590 f524 55b3 21d8 .R..9.L0...$U.!.
0x00d0: 195e 3c2e 87c5 6257 12da 0de0 add5 f5fb .^<...bW........
0x00e0: 8e95 961d 4c20 2c59 9ee6 c00e 1a94 d5c9 ....L.,Y........
0x00f0: f6a3 f3c6 6d87 ae3a 9580 b181 ....m..:....
15:14:10.373012 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4097, length 0
0x0000: 4500 0028 1f8c 4000 8006 4584 c0a8 0a01 E..(..@...E.....
0x0010: c0a8 0a6e c29b 0016 32a6 65ca 0381 5600 ...n....2.e...V.
0x0020: 5010 1001 5570 0000 0000 0000 0000 P...Up........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.27. Capture packets that are not on port 53
Command:
tcpdump -i ens33 -X -c 2 not tcp port 53
[root@rsso ~]# tcpdump -i ens33 -X -c 2 not tcp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:17:06.550364 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 58816256:58816468, ack 849770226, win 284, length 212
0x0000: 4510 00fc e639 4000 4006 bdf2 c0a8 0a6e E....9@.@......n
0x0010: c0a8 0a01 0016 c29b 0381 7700 32a6 76f2 ..........w.2.v.
0x0020: 5018 011c 96ae 0000 0000 00b0 8637 88b4 P............7..
0x0030: 54a8 fa2f 4670 3d39 b997 b24d 885c 8a70 T../Fp=9...M.\.p
0x0040: 906b 392a f340 d344 73da f9de 37e7 c75d .k9*.@.Ds...7..]
0x0050: 6029 e424 2e03 d206 e577 c558 70d4 5d91 `).$.....w.Xp.].
0x0060: ecb0 45a3 e7ef c1f6 2982 0ba7 d618 eedb ..E.....).......
0x0070: 9f57 fa15 d6ca 34b3 81bb 09be 163d 0abc .W....4......=..
0x0080: 0206 9b29 3325 2ee4 a49e e390 b0fa 7e54 ...)3%........~T
0x0090: 3770 bb3d 0cb1 d9a9 cc9e f4b9 65aa d65b 7p.=........e..[
0x00a0: cc8e 53b7 946a f893 9fdb 395d 4a29 162b ..S..j....9]J).+
0x00b0: 6020 b550 f9af 16cc 1579 6100 1723 fcf8 `..P.....ya..#..
0x00c0: 3ade 98a3 6a8b c25f 32ba 6a58 c82d 964b :...j.._2.jX.-.K
0x00d0: 9218 a10e a84f 59dd 1466 c8f2 39d4 7910 .....OY..f..9.y.
0x00e0: d442 34e1 7bc6 e6ce ca66 46ee 2b5d e563 .B4.{....fF.+].c
0x00f0: a91c 767e 914e c4eb 4bb6 6f37 ..v~.N..K.o7
15:17:06.550578 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4098, length 0
0x0000: 4500 0028 2018 4000 8006 44f8 c0a8 0a01 E..(..@...D.....
0x0010: c0a8 0a6e c29b 0016 32a6 76f2 0381 77d4 ...n....2.v...w.
0x0020: 5010 1002 2273 0000 0000 0000 0000 P..."s........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.28. Combine multiple filters
Command:
tcpdump -i ens33 -X -c 2 dst 192.168.10.110 and \(dst port 3389 or 22\)
OR
tcpdump -i ens33 -X -c 2 "dst 192.168.10.110 and (dst port 3389 or 22)"
Note: parentheses are special characters in the shell, so they must be escaped or the whole expression placed in double quotes
[root@rsso ~]# tcpdump -i ens33 -X -c 2 dst 192.168.10.110 and \(dst port 3389 or 22\)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:18:36.707014 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 58839376, win 4100, length 0
0x0000: 4500 0028 2156 4000 8006 43ba c0a8 0a01 E..(!V@...C.....
0x0010: c0a8 0a6e c29b 0016 32a6 a722 0381 d150 ...n....2.."...P
0x0020: 5010 1004 98c4 0000 0000 0000 0000 P.............
15:18:36.764902 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 357, win 4099, length 0
0x0000: 4500 0028 2157 4000 8006 43b9 c0a8 0a01 E..(!W@...C.....
0x0010: c0a8 0a6e c29b 0016 32a6 a722 0381 d2b4 ...n....2.."....
0x0020: 5010 1003 9761 0000 0000 0000 0000 P....a........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]# tcpdump -i ens33 -X -c 2 "dst 192.168.10.110 and (dst port 3389 or 22)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:19:48.891398 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 58840976, win 4100, length 0
0x0000: 4500 0028 2163 4000 8006 43ad c0a8 0a01 E..(!c@...C.....
0x0010: c0a8 0a6e c29b 0016 32a6 a88a 0381 d790 ...n....2.......
0x0020: 5010 1004 911c 0000 0000 0000 0000 P.............
15:19:48.947463 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 357, win 4099, length 0
0x0000: 4500 0028 2164 4000 8006 43ac c0a8 0a01 E..(!d@...C.....
0x0010: c0a8 0a6e c29b 0016 32a6 a88a 0381 d8f4 ...n....2.......
0x0020: 5010 1003 8fb9 0000 0000 0000 0000 P.............
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.29. Capture packets smaller than 32 bytes
Command:
tcpdump -i ens33 -X -c 2 less 32
[root@rsso ~]# tcpdump -i ens33 -X -c 2 less 32
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
3.30. Capture packets larger than 32 bytes
Command:
tcpdump -i ens33 -X -c 2 greater 32
[root@rsso ~]# tcpdump -i ens33 -X -c 2 greater 32
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
15:25:13.634240 IP rsso.boc.com.ssh > gateway.49819: Flags [P.], seq 59465920:59466132, ack 849814402, win 284, length 212
0x0000: 4510 00fc f4b0 4000 4006 af7b c0a8 0a6e E.....@.@..{...n
0x0010: c0a8 0a01 0016 c29b 038b 60c0 32a7 2382 ..........`.2.#.
0x0020: 5018 011c 96ae 0000 0000 00b0 9ecb 2fb7 P............./.
0x0030: d89e d763 5708 924d fc17 9db7 3681 e49e ...cW..M....6...
0x0040: 01b7 2f84 4ab5 00ae 2654 b364 93aa d192 ../.J...&T.d....
0x0050: 5bcc 3956 b8ea fb93 2bba 7505 a64f 10ac [.9V....+.u..O..
0x0060: bc85 e6bf bb14 43c8 898c 2f2c 0033 5b44 ......C.../,.3[D
0x0070: 37c5 679f 2d77 821e 843c ff97 cfe9 46f1 7.g.-w...<....F.
0x0080: c5fb a19a 7b5f 469a 80d3 832b 310e b595 ....{_F....+1...
0x0090: 2e83 4d48 c378 aefa 7076 a108 d7f9 27e3 ..MH.x..pv....'.
0x00a0: 8fa0 ae8c 4c2c af36 3320 9cfa cf13 e799 ....L,.63.......
0x00b0: c16f 613d fc1e be57 0d98 6a2b affe 522d .oa=...W..j+..R-
0x00c0: c5a3 4a0b fa24 17b6 2535 1f17 317c dfd3 ..J..$..%5..1|..
0x00d0: 4107 9027 4653 e711 ba3c 7931 9821 59ed A..'FS...<y1.!Y.
0x00e0: 483a 5269 a86f 80be 3fc6 723d c226 607a H:Ri.o..?.r=.&`z
0x00f0: 1b28 3a88 8a5f d208 5e1b ac6f .(:.._..^..o
15:25:13.634460 IP gateway.49819 > rsso.boc.com.ssh: Flags [.], ack 212, win 4096, length 0
0x0000: 4500 0028 292a 4000 8006 3be6 c0a8 0a01 E..()*@...;.....
0x0010: c0a8 0a6e c29b 0016 32a7 2382 038b 6194 ...n....2.#...a.
0x0020: 5010 1000 8c1a 0000 0000 0000 0000 P.............
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@rsso ~]#
4. Summary
Overview of tcpdump filter rules and parameters
tcpdump option proto dir type
option: common parameters
[-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
proto: protocol
tcp udp icmp
ip ip6
arp rarp
ether wlan
dir: direction
src
dst
src or dst
type: filter rules and their combinations
host
net
port
portrange