  • Using the tcpdump packet capture tool

      Installation

    yum -y install tcpdump
    

       Basic usage

    # Capture packets on interface eth0 (-nn: no name/port resolution, -v: verbose)
    # tcpdump -i eth0 -nnv
    # Capture only 100 packets, then stop
    # tcpdump -i eth0 -nnv -c 100
    # Write the captured packets to a file
    # tcpdump -i eth0 -nnv -w /file1.tcpdump
    # Read the packets back from the file
    # tcpdump -nnv -r /file1.tcpdump
    

       Note: the -w option writes a binary (pcap) file that cannot be read as text. Read it back with tcpdump -r, or download it and open it in a capture analysis tool such as Wireshark.

      Conditions: port, host, net

    # tcpdump -i eth0 -nnv not port 80
    # tcpdump -i eth0 -nnv port 22
    # tcpdump -i eth0 -nnv port 80
    # tcpdump -i eth0 -nnv net 192.168.0.0/24
    # tcpdump -i eth0 -nnv host 192.168.0.15
    # tcpdump -i eth0 -nnv dst port 22
    # tcpdump -i eth0 -nnv src port 22
    

       Protocol as a condition

    # tcpdump -i eth0 -nnv arp
    # tcpdump -i eth0 -nnv icmp
    # tcpdump -i eth0 -nnv udp #UDP protocol
    # tcpdump -i eth0 -nnv tcp #TCP protocol: three-way handshake and four-way teardown
    # tcpdump -i eth0 -nnv ip  #IP protocol
    # tcpdump -i eth0 -nnv vrrp #protocol used by keepalived
    

       Multiple conditions: and, or, not

    # tcpdump -i eth0 -nnv not net 192.168.0.0/24
    # tcpdump -i eth0 -nnv not port 80
    # tcpdump -i eth0 -nnv host 192.168.0.15 and port 22
    # tcpdump -i eth0 -nnv host 192.168.0.15 and host 192.168.0.33
    # tcpdump -i eth0 -nnv host 192.168.0.15 or host 192.168.0.33
    # Parentheses are special to the shell, so quote the whole filter expression
    # tcpdump -i eth0 -nnv '( host 192.168.0.15 and port 22 ) or ( host 192.168.0.33 and port 80 )'
    # "and" and "or" have equal precedence and associate left to right, so the next
    # filter means ( host 192.168.0.110 and port 22 ) or port 80
    # tcpdump -i eth0 -nnv host 192.168.0.110 and port 22 or port 80
    # tcpdump -i eth0 -nnv 'host 192.168.0.110 and ( port 22 or port 80 )'
    # tcpdump -i eth0 -nnv host 192.168.0.110 and port 80
    # "!" is the same as "not"
    # tcpdump -i eth0 -nnv host 192.168.0.110 and ! port 80
    


      The TCP header has an 8-bit flags field, in bit order (most significant first):
      CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

    # man tcpdump
    # Condition: TCP segments with only the SYN flag set (byte 13 of the TCP header == 2)
    # tcpdump -i eth0 -nnv tcp[13]==2
        |C|E|U|A|P|R|S|F|
        |---------------|
        |0 0 0 0 0 0 1 0|
        |---------------|
        |7 6 5 4 3 2 1 0|
    # Save only SSH connection attempts (SYN to port 22); options go before the filter expression
    # tcpdump -i eth0 -nnv -w ssh-conn.tcpdump tcp[13]==2 and port 22
    # Condition: TCP segments with only the SYN and ACK flags set (16 + 2 == 18)
    # tcpdump -i eth0 -nnv tcp[13]==18
        |C|E|U|A|P|R|S|F|
        |---------------|
        |0 0 0 1 0 0 1 0|
        |---------------|
        |7 6 5 4 3 2 1 0|
    # Condition: TCP segments with only the FIN and ACK flags set (16 + 1 == 17)
    # tcpdump -i eth0 -nnv tcp[13]==17

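An added example, not from the original post: a small Python script that reproduces what the tcp[13] test above reads, by building a constructed 20-byte TCP header (no options) and decoding its flags byte. Helper names such as flags_to_byte and filter_expr are mine; the script also produces the masked form tcp[13]&2==2, which matches SYN regardless of the other flags, and shows that 17 decodes to FIN plus ACK.

```python
# Added example (not from the original post): what tcpdump's tcp[13]
# filter actually compares, using a constructed TCP header.
import struct

# Bit positions in the TCP flags byte (offset 13 of the TCP header),
# most significant first: CWR ECE URG ACK PSH RST SYN FIN
FLAG_BITS = {"CWR": 7, "ECE": 6, "URG": 5, "ACK": 4,
             "PSH": 3, "RST": 2, "SYN": 1, "FIN": 0}


def flags_to_byte(names):
    """Value tcp[13] must equal when exactly these flags are set."""
    return sum(1 << FLAG_BITS[n] for n in names)


def byte_to_flags(value):
    """Decode a tcp[13] value back into the set of flag names."""
    return {n for n, bit in FLAG_BITS.items() if (value >> bit) & 1}


def tcp_flags_byte(tcp_header):
    """Byte 13 of a raw TCP header: the field tcp[13] reads."""
    return tcp_header[13]


def filter_expr(names, exact=True):
    """tcpdump expression for these flags.

    exact=True  -> only these flags set (tcp[13]==N, as on the page)
    exact=False -> these flags set, others ignored (tcp[13]&N==N)
    """
    value = flags_to_byte(names)
    return f"tcp[13]=={value}" if exact else f"tcp[13]&{value}=={value}"


def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Constructed 20-byte TCP header, data offset 5 (no options)."""
    # ports, seq, ack, data offset byte, flags byte, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags_to_byte(flags), 65535, 0, 0)


if __name__ == "__main__":
    syn = build_tcp_header(40000, 22, 1, 0, ["SYN"])
    print(tcp_flags_byte(syn), filter_expr(["SYN"]))       # 2 tcp[13]==2
    print(sorted(byte_to_flags(17)))                         # ['ACK', 'FIN']
```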

  • Original article: https://www.cnblogs.com/minseo/p/13656948.html