zoukankan      html  css  js  c++  java
  • linux抓包工具tcpdump

    tcpdump可以将网络中传送的数据包的“头”完全截获下来提供分析。它支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语句来帮助你去掉无用的信息

    tcpdump抓的包可以保存成后缀为pcap的文件,使用wireshark等软件进行查看

    1. 针对特定网口(-i)

    # tcpdump -i eth0

    2. 抓取指定数目(-c)

    # tcpdump -i eth1 -c 2
    18:36:32.012254 IP localhost.ssh > localhost.56622: Flags [P.], seq 2097153123:2097153319, ack 2140086774, 
    win 167, length 196
    18:36:32.012532 IP localhost.40562 > localhost.domain: 7522+ PTR? 247.40.168.192.
    in-addr.arpa. (45)

    3. 抓到包写入文件(-w)

    # tcpdump -i eth1 -w tmp.pcap

    4. 读取tcpdump保存文件(-r)

    # tcpdump -r tmp 
    18:25:05.383176 IP localhost.34143 > 117.78.24.10.https: Flags [S], seq 1566333953, 
    win 14600, options [mss 1460,sackOK,TS val 1098325899 ecr 0,nop,wscale 7], length 0

    5. 增加抓包时间戳(-tttt)

    # tcpdump -i eth1 -tttt
    2015-12-22 18:42:13.124678 IP localhost.34150 > 117.78.24.10.https: Flags [S], 
    seq 228138319, win 14600, options [mss 1460,sackOK,TS val 1099353640 ecr 0,nop,wscale 7], length 0

    6. 指定抓包端口

    # tcpdump -i eth1 port 443
    18:46:32.045119 IP localhost.34153 > 117.78.24.10.https: Flags [S], seq 3477177793, 
    win 14600, options [mss 1460,sackOK,TS val 1099612561 ecr 0,nop,wscale 7], length 0

    7. 抓取特定ip

    # tcpdump -i eth1 dst 117.78.24.10
    18:51:26.337375 IP localhost.34165 > 117.78.24.10.https: Flags [S], seq 1561820168, 
    win 14600, options [mss 1460,sackOK,TS val 1099906853 ecr 0,nop,wscale 7], length 0
    
    # tcpdump -i eth1 host 192.168.40.157 and 117.78.24.10
    18:47:55.776518 IP localhost.34157 > 117.78.24.10.https: Flags [S], seq 1999366796,
    win 14600, options [mss 1460,sackOK,TS val 1099696292 ecr 0,nop,wscale 7], length 0
    18:47:55.780307 IP 117.78.24.10.https > localhost.34157: Flags [S.], seq 1636741313,
    ack 1999366797, win 5792, options [mss 1460,sackOK,TS val 676770270 ecr 1099696292,nop,wscale 7], length 0

    8. 抓取特定端口

    //src
    # tcpdump -i eth1 src port 443                                        
    18:58:43.339368 IP 117.78.24.10.https > localhost.34181: Flags [S.], seq 3480165730, 
    ack 2569376925, win 5792, options [mss 1460,sackOK,TS val 678114226 ecr 1100343852,nop,wscale 7], length 0
    
    //dst
    # tcpdump -i eth1 dst port 443    
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    
    18:59:44.073262 IP localhost.34183 > 117.78.24.10.https: Flags [S], seq 408796353, 
    win 14600, options [mss 1460,sackOK,TS val 1100404589 ecr 0,nop,wscale 7], length 0

    9. 抓取详细信息(-vv)

    # tcpdump -i eth0 -v
    192.168.1.106.53458 > 192.168.1.10.ftp: Flags [S], cksum 0x0056 (correct), seq 2898677069, 
    win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    06:46:49.599097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)

    10. 抓取报文(-x)

    # tcpdump -i eth0 -x
    06:48:05.205316 IP 192.168.1.106.53459 > 192.168.1.10.ftp: Flags [S], seq 4037915061, 
    win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
            0x0000:  4500 0034 2730 4000 8006 4fcf c0a8 016a
            0x0010:  c0a8 010a d0d3 0015 f0ad b1b5 0000 0000
            0x0020:  8002 2000 5805 0000 0204 05b4 0103 0302
            0x0030:  0101 0402

    11. 链路层头(-e)

    # tcpdump -e
    21:51:18.401466 00:0c:29:12:ee:b1 (oui Unknown) > 00:e0:4c:07:a8:0b (oui Unknown), ethertype IPv4 (0x0800), length 170: ubuntu.local.ssh > 192.168.1.107.49825: Flags [P.], seq 1109847835:1109847951, ack 1806812279, win 1123, length 116

    可以打印出源和目的地址, 以及包的长度

    12. arp报文(-n)

    # tcpdump -n arp
    21:56:40.235632 ARP, Request who-has 192.168.1.111 tell 192.168.1.1, length 46

    13. 其他参数

    # tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 -w ./tmp.pcap
    tcp:tcp、udp、icmp这些选项等都要放到第一个参数的位置,用来过滤数据报的类型
    -t:不显示时间戳 
    -s 0:抓取数据包时默认抓取长度为68字节。加上-s 0后可以抓到完整的数据包 
    dst port ! 22:不抓取目标端口是22的数据包 
  • 相关阅读:
    堆排序
    冒泡排序
    描述字符串写入文件
    Java Socket编程,读服务器几个字符,再写入本地显示。
    final,finally,finalize区别
    圆桌问题 (a)
    表达式
    计算系数
    乌龟棋
    显示图像(多源dfs)
  • 原文地址:https://www.cnblogs.com/zhangxuechao/p/11709858.html
Copyright © 2011-2022 走看看