tcpdump抓包工具的使用

个人原创，转载请注明，否则依法追究法律责任

2018-02-28  16:01:26

tcpdump 倾倒网络传输数据，直接启动tcpdump将监视第一个网络接口上所有流过的数据包。

1 不接任何参数，表示监听本机的eth0网卡。

如果不指定网卡，默认tcpdump只会监视第一个网络接口，一般是eth0，下面的例子都没有指定网络接口。
[root@shiyan ~]# yum -y install tcpdump    -----------------> 最小化系统里没有这个命令，先安装
[root@shiyan ~]# tcpdump > a.tx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C12 packets captured   -------------------->按下Ctrl + C 结束抓包，否则会一直的抓下去
12 packets received by filter
0 packets dropped by kernel
[root@shiyan ~]# cat a.tx
17:11:06.066490 IP 192.168.115.80.ssh > 192.168.115.118.53014: Flags [P.], seq 1346400485:1346400693, ack 499039341, win 159, length 208
17:11:06.066758 IP 192.168.115.80.46406 > cache-a.guangzhou.gd.cn.domain: 41439+ PTR? 118.115.168.192.in-addr.arpa. (46)
17:11:06.071645 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.46406: 41439 NXDomain 0/0/0 (46)
17:11:06.072785 IP 192.168.115.80.48303 > cache-a.guangzhou.gd.cn.domain: 51978+ PTR? 80.115.168.192.in-addr.arpa. (45)
17:11:06.077045 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.48303: 51978 NXDomain 0/0/0 (45)
17:11:06.077137 IP 192.168.115.80.55070 > cache-a.guangzhou.gd.cn.domain: 21987+ PTR? 86.128.96.202.in-addr.arpa. (44)

抓取eth0网卡,并写入文件

tcpdump -n -i eth0 -w eth0.tcp

tcpdump的选项介绍

　　　-a 　　　将网络地址和广播地址转变成名字；
　　　-d 　　　将匹配信息包的代码以人们能够理解的汇编格式给出；
　　　-dd 　　 将匹配信息包的代码以c语言程序段的格式给出；
　　　-ddd 　 将匹配信息包的代码以十进制的形式给出；
　　　-e 　　　在输出行打印出数据链路层的头部信息，包括源mac和目的mac，以及网络层的协议；
　　　-f 　　　将外部的Internet地址以数字的形式打印出来；
　　　-l 　　　使标准输出变为缓冲行形式；
　　　-n 　　　指定将每个监听到数据包中的域名转换成IP地址后显示，不把网络地址转换成名字；
     -nn：    指定将每个监听到的数据包中的域名转换成IP、端口从应用名称转换成端口号后显示
　　　-t 　　　在输出的每一行不打印时间戳；
　　　-v 　　　输出一个稍微详细的信息，例如在ip包中可以包括ttl和服务类型的信息；
　　　-vv 　　　输出详细的报文信息；
　　　-c 　　　在收到指定的包的数目后，tcpdump就会停止；
　　　-F 　　　从指定的文件中读取表达式,忽略其它的表达式；
　　　-i 　　　指定监听的网络接口；
     -p：    将网卡设置为非混杂模式，不能与host或broadcast一起使用
　　　-r 　　　从指定的文件中读取包(这些包一般通过-w选项产生)；
　　　-w 　　　直接将包写入文件中，并不分析和打印出来；
     -s snaplen         snaplen表示从一个包中截取的字节数。0表示包不截断，抓完整的数据包。默认的话 tcpdump 只显示部分数据包,默认68字节。
　　　-T 　　　将监听到的包直接解释为指定的类型的报文，常见的类型有rpc （远程过程调用）和snmp（简单网络管理协议；）
     -X            告诉tcpdump命令，需要把协议头和包内容都原原本本的显示出来（tcpdump会以16进制和ASCII的形式显示），这在进行协议分析时是绝对的利器。

2 指定内网中某台主机进行监听：tcpdump host 192.168.115.93
[root@shiyan ~]# tcpdump host 192.168.115.93
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:12:17.294247 ARP, Request who-has shiyan tell 192.168.115.93, length 46
17:12:37.569616 ARP, Request who-has 192.168.115.93 tell 192.168.115.80, length 28
17:12:37.569837 ARP, Reply 192.168.115.93 is-at 00:e0:4c:f4:8d:7a (oui Unknown), length 46
17:12:37.569842 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 1, length 64
17:12:37.570027 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 1, length 64
17:12:38.569404 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 2, length 64
17:12:38.569714 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 2, length 64

在13.173机器监听13.167机器的httpd服务

[root@localhost ~]# tcpdump host 192.168.13.167  -------------------------------> 可以抓取到不经过本机的数据包（wirlshark没有这个功能）
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:05:34.252126 ARP, Request who-has 192.168.13.254 tell 192.168.13.167, length 46
16:05:34.252380 ARP, Reply 192.168.13.254 is-at 00:50:56:f9:32:a6 (oui Unknown), length 46
16:05:34.252383 IP 192.168.13.167.bootpc > 192.168.13.254.bootps: BOOTP/DHCP, Request from 00:0c:29:30:ff:a0 (oui Unknown), length 300
16:05:34.252624 IP 192.168.13.254.bootps > 192.168.13.167.bootpc: BOOTP/DHCP, Reply, length 300
16:05:34.296671 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:35.297810 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:41.886341 IP 192.168.13.1.53831 > 192.168.13.167.ssh: Flags [P.], seq 2116832879:2116832927, ack 2216944518, win 252, length 48
16:05:41.886349 IP 192.168.13.167.ssh > 192.168.13.1.53831: Flags [.], ack 48, win 634, length 0
16:05:46.688388 ARP, Request who-has 192.168.13.167 (00:0c:29:30:ff:a0 (oui Unknown)) tell 192.168.13.1, length 46
16:05:46.688399 ARP, Reply 192.168.13.167 is-at 00:0c:29:30:ff:a0 (oui Unknown), length 46
16:05:49.826057 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [S], seq 1070489598, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826070 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [S], seq 3015543207, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826072 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 673044770, win 256, length 0
16:05:49.826074 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [S.], seq 673044769, ack 1070489599, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.826076 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1571007700, win 256, length 0
16:05:49.826078 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.851846 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [P.], seq 1:590, ack 1, win 256, length 589
16:05:49.851861 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 590, win 494, length 0
16:05:49.854139 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [P.], seq 1:152, ack 590, win 494, length 151
16:05:49.854147 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 153, win 256, length 0
16:05:49.854149 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [F.], seq 152, ack 590, win 494, length 0
16:05:49.859953 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [F.], seq 590, ack 153, win 256, length 0
16:05:49.859964 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 591, win 494, length 0
16:05:51.223523 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
16:05:51.223537 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
^C
25 packets captured
25 packets received by filter
0 packets dropped by kernel

3 截获指定主机和指定端口的数据包
如果想要获取主机210.27.48.1接收或发出的telnet包，使用如下命令

[root@shiyan ~]# tcpdump tcp port 80 and host 192.168.115.118
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

抓取80端口的数据包过程：
yum -y install httpd
echo 111111111111111 >/var/www/html/index.html
service httpd restart
tcpdump tcp port 80 -----------> 关注该命令下的内容
其他的电脑web浏览器访问：http://192.168.13.167,继续关注上述命令下新增内容
[root@bogon ~]# tcpdump tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ---------------->以下是网页访问后的数据包情况

15:45:56.561135 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [S], seq 1718240131, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.561189 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [S.], seq 2754432551, ack 1718240132, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564132 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [S], seq 66995158, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.564153 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564380 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.564387 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.573137 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [P.], seq 1:496, ack 1, win 256, length 495
15:45:56.573190 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 496, win 490, length 0
15:45:56.575931 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 1:2921, ack 496, win 490, length 2920
15:45:56.576287 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 2921, win 256, length 0
15:45:56.576338 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 2921:4381, ack 496, win 490, length 1460
15:45:56.576486 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [P.], seq 4381:5660, ack 496, win 490, length 1279
15:45:56.576617 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5660, win 256, length 0
15:45:56.577674 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [F.], seq 5660, ack 496, win 490, length 0
15:45:56.577798 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5661, win 256, length 0
15:45:56.578929 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [F.], seq 496, ack 5661, win 256, length 0
15:45:56.578944 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 497, win 490, length 0
15:45:57.961343 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:57.961536 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
15:46:07.071688 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [F.], seq 1, ack 1, win 256, length 0
15:46:07.071973 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [.], ack 2, win 457, length 0
15:46:07.072293 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [F.], seq 1, ack 2, win 457, length 0
15:46:07.072521 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 2, win 256, length 0
^C --------------------------------------------> 按下 Ctrl + C,否则会一直的抓下去。
23 packets captured
23 packets received by filter
0 packets dropped by kernel