1. Command reference
tcpdump is a packet-capture and analysis tool. It captures the complete headers of the packets travelling over the network so they can be examined. It can filter by network layer, protocol, host, port and so on, and it supports and / or / not logic so that only the useful traffic is shown. When tcpdump starts it switches the network card into promiscuous mode; because changing the interface's operating mode is a privileged operation, tcpdump has to be run as root.
Syntax:
tcpdump [option] [expression]
Note:
On the tcpdump command line, the command, each option and each element of the expression must be separated by at least one space.
Options
| Option | Description (* marks the important ones) |
| --- | --- |
| -A | Print each packet in ASCII (the link-layer header is not shown). Handy for inspecting packets that carry web page data |
| -c <count> | Exit after receiving the given number of packets |
| -e | Include the data-link-layer header of each packet in the printed line |
| -i <interface> | Specify the network interface to listen on * |
| -n | Do not resolve addresses via DNS, which speeds up the output * |
| -nn | Do not convert protocol and port numbers to names either * |
| -q | Quick output: print only a protocol summary for each packet, so each line is shorter * |
| -s <snaplen> | Set the number of bytes captured per packet; the default is 68 bytes, and 0 selects a length large enough to capture the whole packet |
| -t | Do not print a timestamp on each line |
| -tt | Print an unformatted (raw) timestamp on each line |
| -ttt | Print the delay between the current line and the previous line |
| -tttt | Prefix the timestamp on each line with the date |
| -ttttt | Print the delay between the current line and the first line |
| -v | Verbose output |
| -vv | More verbose than -v |
| -vvv | More verbose than -vv |
Installing tcpdump
```
yum -y install tcpdump
```
2. Usage examples
Example one: run tcpdump with no arguments to listen on the network
```
[root@localhost /]# tcpdump    #<== By default tcpdump listens on the first network interface and prints every packet that passes through it
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:35:03.112228 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 2923122276:2923122460, ack 3597148564, win 585, options [nop,nop,TS val 5261893 ecr 1045340817], length 184
14:35:03.112347 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 184, win 4090, options [nop,nop,TS val 1045340914 ecr 5261893], length 0
14:35:03.112605 IP 192.168.121.129.50800 > 192.168.121.2.domain: 43519+ PTR? 1.121.168.192.in-addr.arpa. (44)
14:35:03.125630 ARP, Request who-has 192.168.121.129 tell 192.168.121.2, length 46
14:35:03.125638 ARP, Reply 192.168.121.129 is-at 00:0c:29:63:29:db (oui Unknown), length 28
14:35:03.125690 IP 192.168.121.2.domain > 192.168.121.129.50800: 43519 NXDomain*- 0/0/0 (44)
14:35:03.125817 IP 192.168.121.129.57593 > 192.168.121.2.domain: 48319+ PTR? 129.121.168.192.in-addr.arpa. (46)
14:35:03.165269 IP 192.168.121.2.domain > 192.168.121.129.57593: 48319 NXDomain*- 0/0/0 (46)
14:35:03.165625 IP 192.168.121.129.35799 > 192.168.121.2.domain: 26078+ PTR? 2.121.168.192.in-addr.arpa. (44)
14:35:03.166321 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 184:560, ack 1, win 585, options [nop,nop,TS val 5261947 ecr 1045340914], length 376
14:35:03.166562 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 560, win 4084, options [nop,nop,TS val 1045340967 ecr 5261947], length 0
14:35:03.178026 IP 192.168.121.2.domain > 192.168.121.129.35799: 26078 NXDomain*- 0/0/0 (44)
14:35:03.179413 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 560:1704, ack 1, win 585, options [nop,nop,TS val 5261960 ecr 1045340967], length 1144
14:35:03.179594 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 1704, win 4060, options [nop,nop,TS val 1045340980 ecr 5261960], length 0
^C
97 packets captured
97 packets received by filter
0 packets dropped by kernel
```
When tcpdump is run without a filter expression, the amount of output is very large.
Example two: reduce the amount of output
```
[root@localhost /]# tcpdump -q    #<== By default tcpdump prints a lot of detail; use -q for a condensed summary of each packet
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:38:26.706220 IP 192.168.121.129.ssh > 192.168.121.1.51078: tcp 184
14:38:26.706323 IP 192.168.121.1.51078 > 192.168.121.129.ssh: tcp 0
14:38:26.706655 IP 192.168.121.129.51379 > 192.168.121.2.domain: UDP, length 44
14:38:26.720091 IP 192.168.121.2.domain > 192.168.121.129.51379: UDP, length 44
14:38:26.720449 IP 192.168.121.129.43737 > 192.168.121.2.domain: UDP, length 46
14:38:26.753629 IP 192.168.121.2.domain > 192.168.121.129.43737: UDP, length 46
14:38:26.753879 IP 192.168.121.129.41780 > 192.168.121.2.domain: UDP, length 44
14:38:26.754338 IP 192.168.121.129.ssh > 192.168.121.1.51078: tcp 168
14:38:26.754564 IP 192.168.121.1.51078 > 192.168.121.129.ssh: tcp 0
14:38:26.766716 IP 192.168.121.2.domain > 192.168.121.129.41780: UDP, length 44
14:38:26.767268 IP 192.168.121.129.ssh > 192.168.121.1.51078: tcp 664
14:38:26.767547 IP 192.168.121.1.51078 > 192.168.121.129.ssh: tcp 0
14:38:26.768272 IP 192.168.121.129.ssh > 192.168.121.1.51078: tcp 168
14:38:26.768435 IP 192.168.121.1.51078 > 192.168.121.129.ssh: tcp 0
803 packets captured
803 packets received by filter
0 packets dropped by kernel
[root@localhost /]# tcpdump -c 5    #<== -c sets the number of packets to capture, so there is no need to press Ctrl+C
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:47:54.835455 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 2924737100:2924737284, ack 3597158404, win 585, options [nop,nop,TS val 6033616 ecr 1046110972], length 184
14:47:54.835645 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 184, win 4090, options [nop,nop,TS val 1046111182 ecr 6033616], length 0
14:47:54.836241 IP 192.168.121.129.52725 > 192.168.121.2.domain: 41821+ PTR? 1.121.168.192.in-addr.arpa. (44)
14:47:54.846751 ARP, Request who-has 192.168.121.129 tell 192.168.121.2, length 46
14:47:54.846765 ARP, Reply 192.168.121.129 is-at 00:0c:29:63:29:db (oui Unknown), length 28
5 packets captured
14 packets received by filter
0 packets dropped by kernel
```
Example three: listen on a specific network interface
```
[root@localhost /]# tcpdump -i eth0    #<== -i selects the interface to listen on
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:42:16.383512 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 2924691140:2924691324, ack 3597156644, win 585, options [nop,nop,TS val 5695164 ecr 1045773040], length 184
14:42:16.383746 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 184, win 4090, options [nop,nop,TS val 1045773052 ecr 5695164], length 0
14:42:16.384243 IP 192.168.121.129.47300 > 192.168.121.2.domain: 39880+ PTR? 1.121.168.192.in-addr.arpa. (44)
14:42:16.397463 IP 192.168.121.2.domain > 192.168.121.129.47300: 39880 NXDomain*- 0/0/0 (44)
14:42:16.397628 IP 192.168.121.129.49148 > 192.168.121.2.domain: 8740+ PTR? 129.121.168.192.in-addr.arpa. (46)
14:42:16.429776 IP 192.168.121.2.domain > 192.168.121.129.49148: 8740 NXDomain*- 0/0/0 (46)
14:42:16.430063 IP 192.168.121.129.48011 > 192.168.121.2.domain: 54037+ PTR? 2.121.168.192.in-addr.arpa. (44)
14:42:16.430268 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 184:560, ack 1, win 585, options [nop,nop,TS val 5695211 ecr 1045773052], length 376
14:42:16.430475 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 560, win 4084, options [nop,nop,TS val 1045773098 ecr 5695211], length 0
14:42:16.444533 IP 192.168.121.2.domain > 192.168.121.129.48011: 54037 NXDomain*- 0/0/0 (44)
14:42:16.445293 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 560:1528, ack 1, win 585, options [nop,nop,TS val 5695226 ecr 1045773098], length 968
14:42:16.445427 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 1528, win 4065, options [nop,nop,TS val 1045773113 ecr 5695226], length 0
^C
240 packets captured
240 packets received by filter
0 packets dropped by kernel
```
The fields of an output line are:
14:42:16.383512: the current time, to microsecond precision.
IP 192.168.121.129.ssh > 192.168.121.1.51078: data sent from the SSH port of host 192.168.121.129 to port 51078 of 192.168.121.1; ">" shows the direction of the data flow.
Flags [P.]: the flags set in the TCP segment. S stands for SYN, F for FIN, P for PUSH, R for RST, and "." means no flag is set.
seq: the sequence number of the data carried in the packet.
ack: the next sequence number expected.
win: the size of the receive window.
length: the length of the data.
Example four: capture the packets of a specific host
```
[root@localhost /]# tcpdump -n host 192.168.121.131    #<== -n disables DNS resolution so the output appears faster. The keyword for a host filter is host, followed by a host name or IP address. This command captures every packet sent or received by 192.168.121.131.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:59:08.905381 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 2947015398:2947015438, ack 4084885214, win 65535, length 40
14:59:08.907692 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 1:41, ack 40, win 25776, length 40
14:59:08.907701 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 41, win 65535, length 0
14:59:09.032865 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 40:80, ack 41, win 65535, length 40
14:59:09.034680 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 41:81, ack 80, win 25776, length 40
14:59:09.034687 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 81, win 65535, length 0
14:59:09.177312 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 80:120, ack 81, win 65535, length 40
14:59:09.179493 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 81:121, ack 120, win 25776, length 40
14:59:09.179500 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 121, win 65535, length 0
14:59:09.181494 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 121:1057, ack 120, win 25776, length 936
14:59:09.181501 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 1057, win 65535, length 0
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
[root@localhost /]# tcpdump -n src host 192.168.121.131    #<== Capture only packets sent by 192.168.121.131, i.e. whose source address is 192.168.121.131; the keyword is src (source)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:01:38.460558 ARP, Reply 192.168.121.131 is-at 00:0c:29:9e:a9:d7, length 46
15:01:38.462523 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 4084886270:4084886390, ack 2947015558, win 25776, length 120
15:01:38.874518 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 120:160, ack 41, win 25776, length 40
15:01:39.022528 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 160:200, ack 81, win 25776, length 40
15:01:39.148409 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 200:240, ack 121, win 25776, length 40
15:01:39.150529 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 240:1176, ack 121, win 25776, length 936
15:01:44.946040 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 1176:1216, ack 161, win 25776, length 40
15:01:45.087128 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 1216:1256, ack 201, win 25776, length 40
15:01:45.340033 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 1256:1296, ack 241, win 25776, length 40
15:01:45.528735 IP 192.168.121.131.ssh > 192.168.121.1.51626: Flags [P.], seq 1296:1432, ack 281, win 25776, length 136
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost /]# tcpdump -n dst host 192.168.121.131    #<== Capture only packets received by 192.168.121.131, i.e. whose destination address is 192.168.121.131; the keyword is dst (destination)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:03:54.869394 ARP, Request who-has 192.168.121.131 (00:0c:29:9e:a9:d7) tell 192.168.121.1, length 46
15:03:54.869408 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 2947015838:2947015878, ack 4084887702, win 65535, length 40
15:03:54.872671 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 121, win 65535, length 0
15:03:55.067330 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 40:80, ack 121, win 65535, length 40
15:03:55.069563 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 241, win 65535, length 0
15:03:55.364657 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 80:120, ack 241, win 65535, length 40
15:03:55.366673 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 281, win 65535, length 0
15:03:55.504578 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 120:160, ack 281, win 65535, length 40
15:03:55.506674 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 321, win 65535, length 0
15:03:55.642867 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [P.], seq 160:200, ack 321, win 65535, length 40
15:03:55.645251 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 361, win 65535, length 0
15:03:55.649562 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 1217, win 65535, length 0
15:03:55.650650 IP 192.168.121.1.51626 > 192.168.121.131.ssh: Flags [.], ack 1337, win 65535, length 0
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel
```
Example five: capture the packets of a specific port
```
[root@localhost /]# tcpdump -nn port 22    #<== -n skips DNS resolution but still turns some protocol and port numbers into names (port 22 becomes ssh); -nn keeps them numeric. The keyword for a port filter is port, followed by the port number.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:06:54.965260 IP 192.168.121.129.22 > 192.168.121.1.51078: Flags [P.], seq 2925446556:2925446740, ack 3597172100, win 585, options [nop,nop,TS val 7173746 ecr 1047249445], length 184
15:06:54.965490 IP 192.168.121.1.51078 > 192.168.121.129.22: Flags [.], ack 184, win 4090, options [nop,nop,TS val 1047249517 ecr 7173746], length 0
15:06:54.966443 IP 192.168.121.129.22 > 192.168.121.1.51078: Flags [P.], seq 184:560, ack 1, win 585, options [nop,nop,TS val 7173747 ecr 1047249517], length 376
15:06:54.966676 IP 192.168.121.1.51078 > 192.168.121.129.22: Flags [.], ack 560, win 4084, options [nop,nop,TS val 1047249518 ecr 7173747], length 0
15:06:54.967317 IP 192.168.121.129.22 > 192.168.121.1.51078: Flags [P.], seq 560:904, ack 1, win 585, options [nop,nop,TS val 7173748 ecr 1047249518], length 344
15:06:54.967500 IP 192.168.121.1.51078 > 192.168.121.129.22: Flags [.], ack 904, win 4085, options [nop,nop,TS val 1047249518 ecr 7173748], length 0
15:06:54.968443 IP 192.168.121.129.22 > 192.168.121.1.51078: Flags [P.], seq 904:1248, ack 1, win 585, options [nop,nop,TS val 7173749 ecr 1047249518], length 344
^C
742 packets captured
742 packets received by filter
0 packets dropped by kernel
```
Example six: capture the packets of a specific protocol
Common protocol keywords are ip, arp, icmp, tcp and udp.
```
[root@localhost /]# tcpdump -n arp    #<== Capture ARP packets; the expression is simply arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:11:01.898359 ARP, Request who-has 192.168.121.129 tell 192.168.121.2, length 46
15:11:01.898386 ARP, Reply 192.168.121.129 is-at 00:0c:29:63:29:db, length 28
15:11:06.899494 ARP, Request who-has 192.168.121.2 tell 192.168.121.129, length 28
15:11:06.900038 ARP, Reply 192.168.121.2 is-at 00:50:56:fc:3a:9a, length 46
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost /]# tcpdump -n icmp    #<== Capture ICMP packets (to see output like the following, ping this machine from another server)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:12:30.533308 IP 192.168.121.131 > 192.168.121.129: ICMP echo request, id 13481, seq 1, length 64
15:12:30.533330 IP 192.168.121.129 > 192.168.121.131: ICMP echo reply, id 13481, seq 1, length 64
15:12:31.535165 IP 192.168.121.131 > 192.168.121.129: ICMP echo request, id 13481, seq 2, length 64
15:12:31.535182 IP 192.168.121.129 > 192.168.121.131: ICMP echo reply, id 13481, seq 2, length 64
15:12:32.537233 IP 192.168.121.131 > 192.168.121.129: ICMP echo request, id 13481, seq 3, length 64
15:12:32.537253 IP 192.168.121.129 > 192.168.121.131: ICMP echo reply, id 13481, seq 3, length 64
15:12:33.537889 IP 192.168.121.131 > 192.168.121.129: ICMP echo request, id 13481, seq 4, length 64
15:12:33.537912 IP 192.168.121.129 > 192.168.121.131: ICMP echo reply, id 13481, seq 4, length 64
15:12:34.540105 IP 192.168.121.131 > 192.168.121.129: ICMP echo request, id 13481, seq 5, length 64
15:12:34.540129 IP 192.168.121.129 > 192.168.121.131: ICMP echo reply, id 13481, seq 5, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
```
Example seven: combining several filter conditions
The previous examples each used a single filter condition. Conditions can be combined, because tcpdump supports the logical operators and, or and ! (not).
```
[root@localhost /]# tcpdump -n ip host 192.168.121.129 and ! 192.168.121.1    #<== Capture the IP packets exchanged by host 192.168.121.129 (the machine running tcpdump) with any host except 192.168.121.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:23:15.489964 IP 192.168.121.131 > 192.168.121.129: ICMP echo request, id 19369, seq 1, length 64
15:23:15.489991 IP 192.168.121.129 > 192.168.121.131: ICMP echo reply, id 19369, seq 1, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
```
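As an added example (not part of the original post), the following Python parser turns the TCP output lines explained in Example three into records and re-applies the host / src host / dst host / port / ! host filters of Examples four, five and seven to saved text, which is useful when a capture was recorded without a filter and has to be sifted offline. The function names `parse_tcp_line`, `matches` and `payload_by_direction` are my own; the sample lines are copied from the Example three output.

```python
import re
from typing import List, Optional

# One TCP line in tcpdump's default (non -q) output, as explained in Example three:
#   14:42:16.383512 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 184:560, ack 1, win 585, options [...], length 376
# seq, ack and options are optional: a pure ACK carries no seq and a SYN carries no ack.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP "
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[[^\]]*\])?, length (?P<length>\d+)$"
)

def parse_tcp_line(line: str) -> Optional[dict]:
    """Parse one TCP line into a dict; return None for ARP, DNS, ICMP or other lines."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()  # keys: ts, src, sport, dst, dport, flags, seq, ack, win, length
    rec["ack"] = int(rec["ack"]) if rec["ack"] else None
    rec["win"], rec["length"] = int(rec["win"]), int(rec["length"])
    return rec

def matches(rec: dict, host=None, src=None, dst=None, port=None, not_host=None) -> bool:
    """Mirror the filter keywords of Examples four, five and seven: host, src host,
    dst host, port and '! host'. Keyword arguments combine with AND, like tcpdump's and."""
    return ((host is None or host in (rec["src"], rec["dst"]))
            and (src is None or rec["src"] == src)
            and (dst is None or rec["dst"] == dst)
            and (port is None or str(port) in (rec["sport"], rec["dport"]))
            and (not_host is None or not_host not in (rec["src"], rec["dst"])))

def payload_by_direction(lines: List[str], **flt) -> dict:
    """Sum payload bytes per (src, dst) pair over the TCP lines that pass the filter."""
    totals: dict = {}
    for line in lines:
        rec = parse_tcp_line(line)
        if rec and matches(rec, **flt):
            key = (rec["src"], rec["dst"])
            totals[key] = totals.get(key, 0) + rec["length"]
    return totals

# Sample input: lines copied from the Example three capture, plus one DNS line the parser must skip.
SAMPLE = [
    "14:42:16.383512 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 2924691140:2924691324, ack 3597156644, win 585, options [nop,nop,TS val 5695164 ecr 1045773040], length 184",
    "14:42:16.383746 IP 192.168.121.1.51078 > 192.168.121.129.ssh: Flags [.], ack 184, win 4090, options [nop,nop,TS val 1045773052 ecr 5695164], length 0",
    "14:42:16.384243 IP 192.168.121.129.47300 > 192.168.121.2.domain: 39880+ PTR? 1.121.168.192.in-addr.arpa. (44)",
    "14:42:16.430268 IP 192.168.121.129.ssh > 192.168.121.1.51078: Flags [P.], seq 184:560, ack 1, win 585, options [nop,nop,TS val 5695211 ecr 1045773052], length 376",
]
```

Because the sample was taken without -nn, the port shows up as the service name `ssh`, so a filter on the number 22 matches nothing; `payload_by_direction(SAMPLE, port="ssh")` gives the per-direction byte counts of the SSH session.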
Example eight: using tcpdump captures to walk through TCP connection setup and teardown
(1) The three phases of a normal TCP connection:
TCP three-way handshake
Data transfer
TCP four-way teardown
(2) TCP three-way handshake and four-way teardown
For the TCP connection state diagram see: https://www.cnblogs.com/hwlong/p/9060693.html
(3) TCP flags
SYN (Synchronize Sequence Numbers): valid only during the three-way handshake that establishes a TCP connection; it signals a new connection request.
ACK (Acknowledgement Number): acknowledges a TCP request and tells the peer that all data so far has been received successfully.
FIN (FINish): ends a TCP session; the peer's side stays open and is ready to receive any remaining data.
(4) Capturing TCP traffic with tcpdump
Still being written.
