tcpdump is a powerful packet-capture tool on Linux. It can not only analyse the direction of packet flows but also monitor packet contents. By analysing the packet flow you can see how a connection is established in both directions.
tcpdump lets a user (normally root) intercept and display TCP/IP and other packets sent or received over a network connection to that computer.
1 Usage and common options at a glance
tcpdump [-AennqX] [-i interface] [-w output file] [-c count] [-r file] [filter expression for the packets to capture]

Common options and parameters:
-A    # Show packet contents as ASCII; usually used to capture WWW (HTTP) packets
-e    # Show data-link-layer (OSI layer 2) MAC data in the output
-nn   # Show IPs and ports directly instead of resolving host names and service names
-q    # Print shorter packet summaries, so each line is more compact
-X    # Print packet contents in hexadecimal (hex) and ASCII; useful for examining packet payloads
-i    # Followed by the network interface to listen on, e.g. eth0/eth1/lo/ppp0
-w    # Followed by a file name; write the captured packets to that file
-r    # Followed by a file name; read packets from that file, which must exist and have been produced by -w
-c    # Number of packets to capture; without it tcpdump keeps capturing until you press Ctrl+C
'host 127.0.0.1'                          # Capture packets for a single host
'net 192.168'                             # Capture packets for a network
'src host 127.0.0.1' 'dst net 192.168'    # Add source (src) and destination (dst) restrictions
'tcp port 21'                             # Match on protocol (tcp/udp/arp/ether) and port
Filters can also be combined with and / or to show exactly the set of packets you want
2 Common command examples
(1) Watch the port-80 packet flow on a specific network interface
[@bjzw_11_210 logs]# tcpdump -i eth1 port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:47:06.904009 IP 10.149.35.123.52723 > 10.146.11.210.80: S 2680202536:2680202536(0) win 14600 <mss 1460>
13:47:06.904155 IP 10.146.11.210.80 > 10.149.35.123.52723: S 1981317955:1981317955(0) ack 2680202537 win 5840 <mss 1460>
13:47:06.905537 IP 10.149.35.123.52723 > 10.146.11.210.80: . ack 1 win 14600
13:47:06.905573 IP 10.149.35.123.52723 > 10.146.11.210.80: P 1:1045(1044) ack 1 win 14600
13:47:06.905579 IP 10.146.11.210.80 > 10.149.35.123.52723: . ack 1045 win 8352
13:47:06.908920 IP 10.146.11.210.80 > 10.149.35.123.52723: P 1:268(267) ack 1045 win 8352
13:47:06.908943 IP 10.146.11.210.80 > 10.149.35.123.52723: F 268:268(0) ack 1045 win 8352
......
13:47:09.275055 IP 10.148.40.118.64051 > 10.146.11.210.80: S 2641310142:2641310142(0) win 14600 <mss 1460,nop,wscale 8>
13:47:09.275080 IP 10.146.11.210.80 > 10.148.40.118.64051: S 1613833543:1613833543(0) ack 2641310143 win 5840 <mss 1460>
13:47:09.277054 IP 10.148.40.118.64051 > 10.146.11.210.80: . ack 1 win 14600
13:47:09.277094 IP 10.148.40.118.64051 > 10.146.11.210.80: P 1:894(893) ack 1 win 14600
13:47:09.277102 IP 10.146.11.210.80 > 10.148.40.118.64051: . ack 894 win 7144
13:47:09.280479 IP 10.146.11.210.80 > 10.148.40.118.64051: P 1:268(267) ack 894 win 7144
13:47:09.280523 IP 10.146.11.210.80 > 10.148.40.118.64051: F 268:268(0) ack 894 win 7144
13:47:09.282447 IP 10.148.40.118.64051 > 10.146.11.210.80: . ack 268 win 15544
13:47:09.282672 IP 10.148.40.118.64051 > 10.146.11.210.80: F 894:894(0) ack 269 win 15544
13:47:09.282699 IP 10.146.11.210.80 > 10.148.40.118.64051: . ack 895 win 7144
530 packets captured                 <== number of packets captured
530 packets received by filter       <== total number of packets that passed the filter
0 packets dropped by kernel          <== packets dropped by the kernel
[@bjzw_11_210 logs]#
Let's break down the highlighted line (the one starting 13:47:09.277094); it is confusing the first time you see it:
13:47:09.277094       the time the packet was captured, in "hours:minutes:seconds";
IP                    the protocol is IP;
10.148.40.118.64051   the sender's IP and port, 10.148.40.118 and 64051;
>                     the direction of the packet (its flow);
10.146.11.210.80      the receiver's IP and port, 10.146.11.210 and 80;
P 1:894(893)          the packet has the PUSH flag set and carries bytes 1~894 of the overall data (893 bytes);
ack 1                 the acknowledgement number (ack-related information);
win 14600             the window size is 14600 bytes.
(2) Run tcpdump -i lo -nn on the local machine, then from another window try logging in to the local machine
[root@localhost ~]# tcpdump -i lo -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
04:16:47.369125 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [S], seq 765824415, win 43690, options [mss 65495,sackOK,TS val 9866687 ecr 0,nop,wscale 7], length 0
06:24:59.562849 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [S.], seq 1387677067, ack 765824416, win 43690, options [mss 65495,sackOK,TS val 9866687 ecr 9866687,nop,wscale 7], length 0
04:16:47.369260 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 1, win 342, options [nop,nop,TS val 9866687 ecr 9866687], length 0
04:16:47.386090 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 1:24, ack 1, win 342, options [nop,nop,TS val 9866704 ecr 9866687], length 23
04:16:47.386108 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [.], ack 24, win 342, options [nop,nop,TS val 9866704 ecr 9866704], length 0
04:16:47.390350 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 1:24, ack 24, win 342, options [nop,nop,TS val 9866708 ecr 9866704], length 23
04:16:47.390376 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 24, win 342, options [nop,nop,TS val 9866708 ecr 9866708], length 0
04:16:47.391295 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 24:1992, ack 24, win 342, options [nop,nop,TS val 9866709 ecr 9866708], length 1968
04:16:47.397549 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 24:1664, ack 1992, win 1365, options [nop,nop,TS val 9866715 ecr 9866709], length 1640
04:16:47.397580 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 1664, win 1365, options [nop,nop,TS val 9866715 ecr 9866715], length 0
04:16:47.400135 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 1992:2040, ack 1664, win 1365, options [nop,nop,TS val 9866718 ecr 9866715], length 48
04:16:47.408615 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 1664:1944, ack 2040, win 1365, options [nop,nop,TS val 9866726 ecr 9866718], length 280
04:16:47.448039 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 1944, win 1391, options [nop,nop,TS val 9866766 ecr 9866726], length 0
04:16:49.841492 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 2040:2056, ack 1944, win 1391, options [nop,nop,TS val 9869159 ecr 9866726], length 16
04:16:49.881209 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [.], ack 2056, win 1365, options [nop,nop,TS val 9869199 ecr 9869159], length 0
04:16:49.881259 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 2056:2108, ack 1944, win 1391, options [nop,nop,TS val 9869199 ecr 9869199], length 52
04:16:49.881271 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [.], ack 2108, win 1365, options [nop,nop,TS val 9869199 ecr 9869199], length 0
04:16:49.881467 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 1944:1996, ack 2108, win 1365, options [nop,nop,TS val 9869199 ecr 9869199], length 52
04:16:49.881484 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 1996, win 1391, options [nop,nop,TS val 9869199 ecr 9869199], length 0
04:16:49.881691 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 2108:2176, ack 1996, win 1391, options [nop,nop,TS val 9869199 ecr 9869199], length 68
04:16:49.884696 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 1996:2080, ack 2176, win 1365, options [nop,nop,TS val 9869202 ecr 9869199], length 84
04:16:49.892264 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 2176:2548, ack 2080, win 1391, options [nop,nop,TS val 9869210 ecr 9869202], length 372
04:16:49.897077 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2080:2164, ack 2548, win 1396, options [nop,nop,TS val 9869215 ecr 9869210], length 84
04:16:49.937155 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 2164, win 1391, options [nop,nop,TS val 9869255 ecr 9869215], length 0
04:16:53.913025 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 2548:2696, ack 2164, win 1391, options [nop,nop,TS val 9873231 ecr 9869215], length 148
04:16:53.949433 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2164:2200, ack 2696, win 1426, options [nop,nop,TS val 9873267 ecr 9873231], length 36
04:16:53.949456 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 2200, win 1391, options [nop,nop,TS val 9873267 ecr 9873267], length 0
04:16:53.949612 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 2696:2816, ack 2200, win 1391, options [nop,nop,TS val 9873267 ecr 9873267], length 120
04:16:53.989219 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [.], ack 2816, win 1426, options [nop,nop,TS val 9873307 ecr 9873267], length 0
04:16:54.210424 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2200:2252, ack 2816, win 1426, options [nop,nop,TS val 9873528 ecr 9873267], length 52
04:16:54.212101 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 2816:3276, ack 2252, win 1391, options [nop,nop,TS val 9873530 ecr 9873528], length 460
04:16:54.212113 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [.], ack 3276, win 1457, options [nop,nop,TS val 9873530 ecr 9873530], length 0
04:16:54.221228 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2252:2360, ack 3276, win 1457, options [nop,nop,TS val 9873539 ecr 9873530], length 108
04:16:54.227211 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2360:2460, ack 3276, win 1457, options [nop,nop,TS val 9873545 ecr 9873530], length 100
04:16:54.227280 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 2460, win 1391, options [nop,nop,TS val 9873545 ecr 9873539], length 0
04:16:54.227838 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2460:2496, ack 3276, win 1457, options [nop,nop,TS val 9873545 ecr 9873545], length 36
04:16:54.267040 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 2496, win 1391, options [nop,nop,TS val 9873585 ecr 9873545], length 0
04:16:54.361233 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2496:2564, ack 3276, win 1457, options [nop,nop,TS val 9873679 ecr 9873585], length 68
04:16:54.361251 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 2564, win 1391, options [nop,nop,TS val 9873679 ecr 9873679], length 0
04:16:54.361863 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 2564:2632, ack 3276, win 1457, options [nop,nop,TS val 9873680 ecr 9873679], length 68
04:16:54.361875 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 2632, win 1391, options [nop,nop,TS val 9873680 ecr 9873680], length 0
Pick out the third line:
04:16:47.369125 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [S]【a SYN packet that opens the connection, i.e. the first step of the three-way handshake】, seq 765824415【sequence number】, win 43690【window size】,
options【optional fields of the TCP header】[mss 65495【the mss is the maximum segment size announced by the sender (the client); the sender will not accept TCP segments longer than this (the value is related to the MTU)】,sackOK【the sender supports and agrees to use the SACK option】,TS val 9866687 ecr 0,
nop,wscale 7【nop is a no-operation option; wscale says the sender uses a window scale factor of 7】], length 0
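The field breakdowns in (1) and (2) above are all you need to process tcpdump output programmatically, for instance to confirm from a capture which connections completed the three-way handshake and how many payload bytes flowed in each direction. The Python script below is an added example and not code from the article: it parses both the older output style of example (1) and the newer "Flags [...]" style of example (2) with regular expressions, then runs a small connection tracker over lines copied from the captures shown on this page. It assumes tcpdump was run with -nn (numeric addresses and ports) as in every command here; resolved host names and the -v/-e output formats are not handled.

```python
"""Parse tcpdump one-line TCP summaries and follow each connection's state.
Added example, not the article's code. It handles the 3.x style shown in example (1),
e.g. "S 2680202536:2680202536(0) win 14600 <mss 1460>", and the 4.x style of example (2),
e.g. "Flags [S], seq 765824415, win 43690, options [...], length 0". Assumes -nn output."""
import re
from typing import Dict, Optional

HEADER_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
                       r" > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
# 4.x body, e.g. "Flags [P.], seq 1:24, ack 1, win 342, options [...], length 23"; "." in [] is ACK
NEW_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
                    r"(?:, win (?P<win>\d+))?(?:, options \[(?P<opts>[^\]]*)\])?(?:, length (?P<length>\d+))?")
# 3.x body, e.g. "P 1:1045(1044) ack 1 win 14600 <mss 1460>"; ACK shows only as a trailing "ack N"
OLD_RE = re.compile(r"^(?P<flags>[SPFR.]+) (?:(?P<seq>\d+):\d+\((?P<length>\d+)\) )?"
                    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?")

def _num(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None

def parse_line(line: str) -> Optional[dict]:
    """Parse one summary line into a dict; None for the banner/counter lines tcpdump also prints.
    "flags" is a set drawn from S (SYN), A (ACK), P (PSH), F (FIN), R (RST)."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    body = NEW_RE.match(head.group("rest"))
    if body:
        flags = {"A" if c == "." else c for c in body.group("flags")}
    else:
        body = OLD_RE.match(head.group("rest"))
        if not body:
            return None
        flags = {c for c in body.group("flags") if c != "."}   # "." alone is a pure ACK
        if body.group("ack") is not None:
            flags.add("A")
    opts = body.group("opts")
    return {"ts": head.group("ts"), "src": head.group("src"), "sport": int(head.group("sport")),
            "dst": head.group("dst"), "dport": int(head.group("dport")), "flags": flags,
            "seq": _num(body.group("seq")), "ack": _num(body.group("ack")), "win": _num(body.group("win")),
            "length": int(body.group("length") or 0),          # payload bytes in this segment
            "options": [o.strip() for o in opts.split(",")] if opts else []}

def track_connections(lines) -> Dict[str, dict]:
    """Follow each endpoint pair through the three-way handshake, payload bytes per direction
    and the FIN/RST teardown. Keys are "client -> server"; "state" runs
    syn_sent -> syn_received -> established -> closing -> closed (or reset)."""
    convs: Dict[frozenset, dict] = {}
    for p in filter(None, map(parse_line, lines)):
        sender, receiver = f"{p['src']}:{p['sport']}", f"{p['dst']}:{p['dport']}"
        key = frozenset((sender, receiver))
        if key not in convs:
            # A SYN-ACK seen first means the capture missed the SYN: its receiver is the client.
            client, server = (receiver, sender) if {"S", "A"} <= p["flags"] else (sender, receiver)
            convs[key] = {"client": client, "server": server, "state": "new",
                          "bytes_to_server": 0, "bytes_to_client": 0, "fin_from": set()}
        c, f = convs[key], p["flags"]
        if "R" in f:
            c["state"] = "reset"
        elif "S" in f and "A" not in f and sender == c["client"]:
            c["state"] = "syn_sent"
        elif {"S", "A"} <= f and sender == c["server"]:
            c["state"] = "syn_received"
        elif c["state"] == "syn_received" and "A" in f and sender == c["client"]:
            c["state"] = "established"   # third packet of the handshake
        if "F" in f:
            c["fin_from"].add(sender)
            c["state"] = "closed" if c["fin_from"] == {c["client"], c["server"]} else "closing"
        c["bytes_to_server" if sender == c["client"] else "bytes_to_client"] += p["length"]
    return {f"{c['client']} -> {c['server']}": c for c in convs.values()}

# Sample input copied from the captures shown on this page (examples (1) and (2)).
LEGACY_SAMPLE = """\
13:47:09.275055 IP 10.148.40.118.64051 > 10.146.11.210.80: S 2641310142:2641310142(0) win 14600 <mss 1460,nop,wscale 8>
13:47:09.275080 IP 10.146.11.210.80 > 10.148.40.118.64051: S 1613833543:1613833543(0) ack 2641310143 win 5840 <mss 1460>
13:47:09.277054 IP 10.148.40.118.64051 > 10.146.11.210.80: . ack 1 win 14600
13:47:09.277094 IP 10.148.40.118.64051 > 10.146.11.210.80: P 1:894(893) ack 1 win 14600
13:47:09.277102 IP 10.146.11.210.80 > 10.148.40.118.64051: . ack 894 win 7144
13:47:09.280479 IP 10.146.11.210.80 > 10.148.40.118.64051: P 1:268(267) ack 894 win 7144
13:47:09.280523 IP 10.146.11.210.80 > 10.148.40.118.64051: F 268:268(0) ack 894 win 7144
13:47:09.282447 IP 10.148.40.118.64051 > 10.146.11.210.80: . ack 268 win 15544
13:47:09.282672 IP 10.148.40.118.64051 > 10.146.11.210.80: F 894:894(0) ack 269 win 15544
13:47:09.282699 IP 10.146.11.210.80 > 10.148.40.118.64051: . ack 895 win 7144
530 packets captured
""".splitlines()
NEW_SAMPLE = """\
04:16:47.369125 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [S], seq 765824415, win 43690, options [mss 65495,sackOK,TS val 9866687 ecr 0,nop,wscale 7], length 0
06:24:59.562849 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [S.], seq 1387677067, ack 765824416, win 43690, options [mss 65495,sackOK,TS val 9866687 ecr 9866687,nop,wscale 7], length 0
04:16:47.369260 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [.], ack 1, win 342, options [nop,nop,TS val 9866687 ecr 9866687], length 0
04:16:47.386090 IP 127.0.0.1.42878 > 127.0.0.1.22: Flags [P.], seq 1:24, ack 1, win 342, options [nop,nop,TS val 9866704 ecr 9866687], length 23
04:16:47.386108 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [.], ack 24, win 342, options [nop,nop,TS val 9866704 ecr 9866704], length 0
04:16:47.390350 IP 127.0.0.1.22 > 127.0.0.1.42878: Flags [P.], seq 1:24, ack 24, win 342, options [nop,nop,TS val 9866708 ecr 9866704], length 23
""".splitlines()

if __name__ == "__main__":
    for name, c in track_connections(LEGACY_SAMPLE + NEW_SAMPLE).items():
        print(f"{name}: {c['state']}, {c['bytes_to_server']} B to server, {c['bytes_to_client']} B to client")
```

Run as a script it reports the web connection from example (1) as fully closed (893 bytes to the server, 267 back) and the ssh session from example (2) as established. To use it on a real capture, read the lines from a file produced by tcpdump -nn (or from tcpdump -r file -nn) instead of the embedded samples. The SYN-ACK-first branch and the "reset" state are there because real captures often start in the middle of a connection or end with an RST rather than a pair of FINs.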
(3) Command to listen on interface eth0 for packets on port 22 whose source host is 192.168.0.100
tcpdump -i eth0 -nn 'port 22 and src host 192.168.0.100'
