Linux tcpdump Command Examples
How to Install tcpdump in Linux
Many Linux distributions already ship with the tcpdump tool. If your system does not have it, install it with yum using the following command.

```
# yum install tcpdump
```

Once tcpdump is installed on the system, you can work through the example commands below.
1. Capture Packets from a Specific Interface
Run on its own, tcpdump captures from all interfaces and the screen keeps scrolling until you interrupt the command. With the -i option it captures only from the interface you name.

```
# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196
11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0
11:33:31.977243 ARP, Request who-has youcl.com tell 172.16.25.126, length 28
11:33:31.977359 ARP, Reply youcl.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:33:31.977367 IP 172.16.25.126.54807 > youcl.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:33:31.977599 IP youcl.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
11:33:31.977742 IP 172.16.25.126.44519 > youcl.com: 40988+ PTR? 126.25.16.172.in-addr.arpa. (44)
11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46
11:33:32.348738 IP youcl.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)
```
2. Capture Only N Packets
When you run tcpdump, it captures every packet on the specified interface until you press the cancel key. With the -c option you can capture a specified number of packets instead. The example below captures only 6 packets.

```
# tcpdump -c 5 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:40:20.281355 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500447285:3500447481, ack 3652629474, win 18760, length 196
11:40:20.281586 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 65235, length 0
11:40:20.282244 ARP, Request who-has youcl.com tell 172.16.25.126, length 28
11:40:20.282360 ARP, Reply youcl.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:40:20.282369 IP 172.16.25.126.53216 > youcl.com.domain: 49504+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:40:20.332494 IP youcl.com.netbios-ssn > 172.16.26.17.nimaux: Flags [P.], seq 3058424861:3058424914, ack 693912021, win 64190, length 53 NBT Session Packet: Session Message
6 packets captured
23 packets received by filter
0 packets dropped by kernel
```
3. Print Captured Packets in ASCII
The tcpdump command below, with the -A option, displays each packet in ASCII, a character-encoding scheme.

```
# tcpdump -A -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:31:31.347508 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3329372346:3329372542, ack 4193416789, win 17688, length 196
M.r0...vUP.E.X.......~.%..>N..oFk.........KQ..)Eq.d.,....r^l......m\.oyE....-....g~m..Xy.6..1.....c.O.@...o_..J....i.*.....2f.mQH...Q.c...6....9.v.gb........;..4.).UiCY]..9..x.)..Z.XF....'|..E......M..u.5.......ul
09:31:31.347760 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64351, length 0
M....vU.r1~P.._..........
^C09:31:31.349560 IP 192.168.0.2.46393 > b.resolvers.Level3.net.domain: 11148+ PTR? 1.0.168.192.in-addr.arpa. (42)
E..F..@.@............9.5.2.f+............1.0.168.192.in-addr.arpa.....
3 packets captured
11 packets received by filter
0 packets dropped by kernel
```
4. Display Available Interfaces
To list the interfaces available on the system, run the command with the -D option.

```
# tcpdump -D
1.eth0
2.eth1
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.usbmon3 (USB bus number 3)
6.usbmon4 (USB bus number 4)
7.usbmon5 (USB bus number 5)
8.any (Pseudo-device that captures on all interfaces)
9.lo
```
5. Display Captured Packets in HEX and ASCII
The following command, with the -XX option, captures the data of each packet, including its link-layer header, in hex and ASCII.

```
# tcpdump -XX -i eth0
11:51:18.974360 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509235537:3509235733, ack 3652638190, win 18760, length 196
0x0000: b8ac 6f2e 57b3 0001 6c99 1468 0800 4510 ..o.W...l..h..E.
0x0010: 00ec 8783 4000 4006 275d ac10 197e ac10 ....@.@.']...~..
0x0020: 197d 0016 1129 d12a af51 d9b6 d5ee 5018 .}...).*.Q....P.
0x0030: 4948 8bfa 0000 0e12 ea4d 22d1 67c0 f123 IH.......M".g..#
0x0040: 9013 8f68 aa70 29f3 2efc c512 5660 4fe8 ...h.p).....V`O.
0x0050: 590a d631 f939 dd06 e36a 69ed cac2 95b6 Y..1.9...ji.....
0x0060: f8ba b42a 344b 8e56 a5c4 b3a2 ed82 c3a1 ...*4K.V........
0x0070: 80c8 7980 11ac 9bd7 5b01 18d5 8180 4536 ..y.....[.....E6
0x0080: 30fd 4f6d 4190 f66f 2e24 e877 ed23 8eb0 0.OmA..o.$.w.#..
0x0090: 5a1d f3ec 4be4 e0fb 8553 7c85 17d9 866f Z...K....S|....o
0x00a0: c279 0d9c 8f9d 445b 7b01 81eb 1b63 7f12 .y....D[{....c..
0x00b0: 71b3 1357 52c7 cf00 95c6 c9f6 63b1 ca51 q..WR.......c..Q
0x00c0: 0ac6 456e 0620 38e6 10cb 6139 fb2a a756 ..En..8...a9.*.V
0x00d0: 37d6 c5f3 f5f3 d8e8 3316 d14f d7ab fd93 7.......3..O....
0x00e0: 1137 61c1 6a5c b4d1 ddda 380a f782 d983 .7a.j\....8.....
0x00f0: 62ff a5a9 bb39 4f80 668a b....9O.f.
11:51:18.974759 IP 172.16.25.126.60952 > mddc-01.midcorp.mid-day.com.domain: 14620+ PTR? 125.25.16.172.in-addr.arpa. (44)
0x0000: 0014 5e67 261d 0001 6c99 1468 0800 4500 ..^g&...l..h..E.
0x0010: 0048 5a83 4000 4011 5e25 ac10 197e ac10 .HZ.@.@.^%...~..
0x0020: 105e ee18 0035 0034 8242 391c 0100 0001 .^...5.4.B9.....
0x0030: 0000 0000 0000 0331 3235 0232 3502 3136 .......125.25.16
0x0040: 0331 3732 0769 6e2d 6164 6472 0461 7270 .172.in-addr.arp
0x0050: 6100 000c 0001 a.....
```
6. Capture and Save Packets to a File
As mentioned, tcpdump can capture packets and save them to a file in .pcap format; use the -w option when running the command.

```
# tcpdump -w 0001.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
4 packets captured
4 packets received by filter
0 packets dropped by kernel
```
7. Read a Captured Packet File
To read and analyze the captured packet file 0001.pcap, use the -r option as shown below.

```
# tcpdump -r 0001.pcap
reading from file 0001.pcap, link-type EN10MB (Ethernet)
09:59:34.839117 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3353041614:3353041746, ack 4193563273, win 18760, length 132
09:59:34.963022 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 132, win 65351, length 0
09:59:36.935309 IP 192.168.0.1.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)
09:59:37.528731 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [P.], seq 1:53, ack 132, win 65351, length 5
```
8. Capture Packets with IP Addresses
To capture packets on a specific interface with addresses printed numerically, run the following command with the -n option.

```
# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:07:03.952358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509512873:3509513069, ack 3652639034, win 18760, length 196
12:07:03.952602 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64171, length 0
12:07:03.953311 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308
12:07:03.954288 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164
12:07:03.954502 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 65535, length 0
12:07:03.955298 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276
12:07:03.955425 IP 172.16.23.16.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:07:03.956299 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1236, ack 1, win 18760, length 292
12:07:03.956535 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1236, win 64967, length 0
```
9. Capture Only TCP Packets
To capture TCP packets only, run the following command with the tcp filter.

```
# tcpdump -i eth0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509646029:3509646225, ack 3652640142, win 18760, length 196
12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64687, length 0
12:10:36.219069 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308
12:10:36.220039 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164
12:10:36.220260 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 64215, length 0
12:10:36.222045 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276
12:10:36.223036 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1108, ack 1, win 18760, length 164
12:10:36.223252 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1108, win 65535, length 0
^C12:10:36.223461 IP mid-pay.midcorp.mid-day.com.netbios-ssn > 172.16.22.183.recipe: Flags [.], seq 283256512:283256513, ack 550465221, win 65531, length 1[|SMB]
```
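As an added example that is not part of the original article, the Python script below parses the default tcpdump line format shown in the outputs above, totals payload bytes per flow, and reads the closing "packets dropped by kernel" counter so you know whether a capture is complete before drawing conclusions from it. The regular expressions and the constructed SAMPLE text (lines copied from the tcp example above plus a trailer) are this example's own assumptions about the output shape.

```python
import re
from collections import Counter

# Patterns for tcpdump's default line "<ts> IP <src>.<sport> > <dst>.<dport>: ..., length N" (this example's own).
PKT_RE = re.compile(r'^(?:\^C)?(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > '
                    r'(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<rest>.*)$')
LEN_RE = re.compile(r'length (\d+)')
STATS_RE = re.compile(r'^(\d+) packets (captured|received by filter|dropped by kernel)$')

def parse_line(line):
    """One IP packet line -> dict; returns None for headers, ARP lines and hex/ASCII dump rows."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    ln = LEN_RE.search(pkt['rest'])
    pkt['length'] = int(ln.group(1)) if ln else 0   # payload bytes as printed by tcpdump
    return pkt

def parse_capture(text):
    """Split a whole tcpdump run into packet dicts plus the trailing statistics lines."""
    packets, stats = [], {}
    for line in text.splitlines():
        s = STATS_RE.match(line.strip())
        if s:
            stats[s.group(2)] = int(s.group(1))
        else:
            pkt = parse_line(line)
            if pkt:
                packets.append(pkt)
    return packets, stats

def summarize(text):
    """Payload bytes per (src, sport, dst, dport) flow; 'complete' is False if the kernel dropped packets."""
    packets, stats = parse_capture(text)
    flows = Counter()
    for p in packets:
        flows[(p['src'], p['sport'], p['dst'], p['dport'])] += p['length']
    dropped = stats.get('dropped by kernel', 0)
    return {'flows': dict(flows), 'kernel_dropped': dropped, 'complete': dropped == 0}

# Constructed sample: three lines from the `tcpdump -i eth0 tcp` output above plus a statistics trailer.
SAMPLE = """\
12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509646029:3509646225, ack 3652640142, win 18760, length 196
12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64687, length 0
12:10:36.219069 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308
6 packets captured
23 packets received by filter
0 packets dropped by kernel
"""
```

Feed it a saved run (for example `tcpdump -n -i eth0 tcp > run.txt` and then `summarize(open('run.txt').read())`); the -n option from section 8 keeps the host fields numeric so the flow keys stay stable.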
10. Capture Packets from a Specific Port
Say you want to capture packets for a specific port, 22; run the following command, specifying port 22 as shown below.

```
# tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364204694:3364204890, ack 4193655445, win 20904, length 196
10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 4294967244:196, ack 1, win 20904, length 248
10:37:49.196615 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64491, length 0
10:37:49.379298 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 196:616, ack 1, win 20904, length 420
10:37:49.381080 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 616:780, ack 1, win 20904, length 164
10:37:49.381322 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 780, win 65535, length 0
```
11. Capture Packets from a Source IP
To capture packets from a source IP, say 192.168.0.2, use the following command.

```
# tcpdump -i eth0 src 192.168.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196
10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168.192.in-addr.arpa. (42)
10:49:15.912165 IP 192.168.0.2.56234 > b.resolvers.Level3.net.domain: 53106+ PTR? 2.0.168.192.in-addr.arpa. (42)
10:49:16.074720 IP 192.168.0.2.33961 > b.resolvers.Level3.net.domain: 38447+ PTR? 2.2.2.4.in-addr.arpa. (38)
```
12. Capture Packets for a Destination IP
To capture packets for a destination IP, say 50.116.66.139, use the following command.

```
# tcpdump -i eth0 dst 50.116.66.139
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0
10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0
10:55:05.626027 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [.], ack 2, win 245, options [nop,nop,TS val 7959537 ecr 804759787], length 0
```

This article should help you dig deeper into the tcpdump command and capture and analyze packets in the future. Many more options are available; use them according to your requirements. If you found this article useful, please share it via our comment box.