zoukankan      html  css  js  c++  java
  • tcpdump

    介绍一下常用的几个命令
    tcpdump -c num -i int -nn -XX -vvv
        
    抓包选项:
     -c count:指定要抓取的包数量
     -i interface:指定tcpdump需要监听的接口
     -nn:表示以ip和port的方式显示来源主机和目的主机,而不是用主机名和服务
    输出选项
     -e:输出的每行中都将包括数据链路层头部信息,例如源MAC和目标MAC。
     -XX:输出包的头部数据,会以16进制和ASCII两种方式同时输出
     -vvv:当分析和打印的时候,产生详细的输出
    其他功能选项:
     -D:列出可用于抓包的接口。将会列出接口的数值编号和接口名

    文件操作:
     -w xx.pcap 将抓取的包结果写入文件中
     -r xx.pcap 显示文件中的包内容
    tcpdump表达式
    一个基本的表达式单元格式为"proto dir type ID"---------tcp dst port 10
     proto:通过给定协议限定匹配的数据包类型(tcp/udp/arp/ip/ether/icmp)
     dir:指定ID的方向。(src-源主机,dst-目的主机)
     type:指定ID的类型(host/net/port/portrange)

    表达式单元之间可以使用操作符" and / && / or / || / not / ! "进行连接
    监听指定协议的数据
    tcpdump -i eth0 -nn 'icmp'
    
    监听指定的主机
    tcpdump -i eth0 -nn 'host 10.240.176.172'   --接收和发送的包都会被抓取
    tcpdump -i eth0 -nn 'src host 10.240.176.172'  --只抓取发送的包
    tcpdump -i eth0 -nn 'dst host 10.240.176.172'  --只抓取接收的包
    
    监听指定的端口
    tcpdump -i eth0 -nn 'port 80'
    
    监听指定主机和端口
    tcpdump -i eth0 -nn 'port 80 and src host 10.240.176.172'
    
    监听除某个端口外的其他端口
    tcpdump -i eth0 -nn '!port 20'
    使用scapy进行发包,tcpdump收包:主要监听第二层的包/TCP(回环端口)
    
    aok = IP(dst='10.240.176.144',ttl=(1,3))
    
    sendp(aok,iface='lo')
    ...
    Sent 3 packets
    
    tcpdump -i lo -vvv
    08:28:48.194231 00:00:01:00:42:cd (oui Unknown) > 45:00:00:14:00:01 (oui Unknown), ethertype Unknown (0x0af0), length 20:
            0x0000:  b0ac 0af0 b090                           ......
    08:28:48.194932 00:00:02:00:41:cd (oui Unknown) > 45:00:00:14:00:01 (oui Unknown), ethertype Unknown (0x0af0), length 20:
            0x0000:  b0ac 0af0 b090                           ......
    08:28:48.195800 00:00:03:00:40:cd (oui Unknown) > 45:00:00:14:00:01 (oui Unknown), ethertype Unknown (0x0af0), length 20:
            0x0000:  b0ac 0af0 b090
    
    >>> send(aok,iface='lo')
    ...
    Sent 3 packets.
    tcpdump -i lo -vvv
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    
    >>> sendp(aok,iface='lo')
    ...
    Sent 3 packets.
    [root@localhost /]# tcpdump -i lo -vvv 'dst host 10.240.176.144'
    tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    >>> send(aok,iface='ens32')
    ...
    Sent 3 packets.
    [root@localhost /]# tcpdump -i ens32 -vvv 'dst host 10.240.176.144'
    tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:32:13.857317 IP (tos 0x0, ttl 1, id 1, offset 0, flags [none], proto Options (0), length 20)
        10.240.176.172 > 10.240.176.144:  ip 0
    08:32:13.861459 IP (tos 0x0, ttl 2, id 1, offset 0, flags [none], proto Options (0), length 20)
        10.240.176.172 > 10.240.176.144:  ip 0
    08:32:13.862699 IP (tos 0x0, ttl 3, id 1, offset 0, flags [none], proto Options (0), length 20)
        10.240.176.172 > 10.240.176.144:  ip 0
    
    >>> sendp(aok,iface='ens32')
    ...
    Sent 3 packets.
    [root@localhost /]# tcpdump -i ens32 -vvv 'dst host 10.240.176.144'
    0 packets captured
    1 packet received by filter
    0 packets dropped by kernel
  • 相关阅读:
    vim 去掉自动注释和自动回车
    性别回归
    表情识别
    python list按字典的key值排序
    pytorch学习率策略
    python将list元素转为数字
    php面向对象
    mysql
    mysql
    mysql
  • 原文地址:https://www.cnblogs.com/eilinge/p/9239206.html
Copyright © 2011-2022 走看看