Linux commands: tcpdump
Posted by gzming
Purpose: capturing network packets.
Commonly used options
-c N: exit after receiving N packets.
-n: show addresses in numeric form.
-nn: also show port numbers in numeric form.
-i Interface: listen on the specified network interface.
-Q direction: select the packet direction (inbound, outbound, or both); direction is one of in, out, inout.
-A: print packet contents in ASCII.
-x: print packet contents in hexadecimal.
-e: print the link-layer header.
-t: do not print timestamps.
1. Listening on a specified network interface
Inbound or outbound on the specified interface:
[root@localhost ~]# tcpdump -i eth0 -n -nn -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], seq 3166421438:3166421626, ack 545579750, win 295, options [nop,nop,TS val 17230918 ecr 2091022108], length 188
06:14:09.335332 IP 192.168.122.1.53800 > 192.168.122.132.22: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091022134 ecr 17230918], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Inbound on the specified interface:
[root@localhost ~]# tcpdump -i eth0 -Q in -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:21:19.100727 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166430042, win 1424, options [nop,nop,TS val 2091418841 ecr 17660684], length 0
06:21:19.101696 IP 192.168.122.1.domain > 192.168.122.132.53181: 22222 NXDomain 0/0/0 (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
Outbound on the specified interface:
[root@localhost ~]# tcpdump -i eth0 -Q out -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:42:18.231062 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3169833758:3169833946, ack 545616298, win 295, options [nop,nop,TS val 18919814 ecr 2092581077], length 188
06:42:18.231775 IP 192.168.122.132.48232 > 192.168.122.1.domain: 39110+ PTR? 1.122.168.192.in-addr.arpa. (44)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
2. Listening for a specified host
The address as either source or destination:
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:20:25.095802 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166428670:3166428858, ack 545584350, win 295, options [nop,nop,TS val 17606679 ecr 2091368949], length 188
06:20:25.095965 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091368990 ecr 17606679], length 0
2 packets captured
6 packets received by filter
0 packets dropped by kernel
The address as source (equivalent here to combining with -Q in):
[root@localhost ~]# tcpdump -i eth0 src host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:22:54.673517 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166431854, win 1424, options [nop,nop,TS val 2091507061 ecr 17756257], length 0
06:22:54.674494 IP 192.168.122.1.domain > 192.168.122.132.58001: 47541 NXDomain 0/0/0 (46)
2 packets captured
3 packets received by filter
0 packets dropped by kernel
The address as destination (equivalent here to combining with -Q out):
[root@localhost ~]# tcpdump -i eth0 dst host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:24:13.192880 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166433542:3166433730, ack 545587194, win 295, options [nop,nop,TS val 17834776 ecr 2091579506], length 188
06:24:13.194190 IP 192.168.122.132.49025 > 192.168.122.1.domain: 23295+ PTR? 1.122.168.192.in-addr.arpa. (44)
2 packets captured
3 packets received by filter
0 packets dropped by kernel
3. Listening for a specified protocol
[root@localhost ~]# tcpdump -i eth0 arp
[root@localhost ~]# tcpdump -i eth0 icmp
[root@localhost ~]# tcpdump -i eth0 ip
[root@localhost ~]# tcpdump -i eth0 tcp
[root@localhost ~]# tcpdump -i eth0 udp
4. Listening on a specified port
Source or destination port, source port only, destination port only:
[root@localhost ~]# tcpdump -i eth0 port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 src port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 dst port 22 -c 2
5. Listening on a specified network
Source or destination network, source network only, destination network only:
[root@localhost ~]# tcpdump -i eth0 net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 src net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 dst net 192.168.122.0/24 -c 2
6. Logical operators
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 and tcp and port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 or www.baidu.com -c 2
[root@localhost ~]# tcpdump -i eth0 not host 192.168.122.2
and: logical AND.
or: logical OR.
not: logical NOT.
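The following Python is an added example, not code from the original post: it re-implements the host, src/dst host, port, net and protocol primitives from sections 2 to 6, plus and/or/not, over the summary lines captured above, so you can see which lines each expression would have selected. The service-name table, the heuristic for telling TCP from UDP and the helper names are assumptions of this example; tcpdump itself compiles these expressions to BPF and evaluates them in the kernel, not on its printed output.

```python
# Added example (not from the original post): evaluate tcpdump-style filter
# primitives and and/or/not over the default-format summary lines on this page.
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample: summary lines copied from the captures earlier on this page.
SAMPLE_LINES = [
    "06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], seq 3166421438:3166421626, ack 545579750, win 295, options [nop,nop,TS val 17230918 ecr 2091022108], length 188",
    "06:14:09.335332 IP 192.168.122.1.53800 > 192.168.122.132.22: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091022134 ecr 17230918], length 0",
    "06:21:19.100727 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166430042, win 1424, options [nop,nop,TS val 2091418841 ecr 17660684], length 0",
    "06:21:19.101696 IP 192.168.122.1.domain > 192.168.122.132.53181: 22222 NXDomain 0/0/0 (46)",
    "06:42:18.231775 IP 192.168.122.132.48232 > 192.168.122.1.domain: 39110+ PTR? 1.122.168.192.in-addr.arpa. (44)",
]

# Assumption: without -nn tcpdump prints well-known ports as service names; this
# table covers the names in the sample (a real tool would read /etc/services).
SERVICES = {"ssh": 22, "domain": 53, "http": 80}

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def split_endpoint(endpoint: str):
    # '192.168.122.132.ssh' -> ('192.168.122.132', 22): the port is the last dotted field.
    host_part, _, port_part = endpoint.rpartition(".")
    return host_part, SERVICES[port_part] if port_part in SERVICES else int(port_part)


def parse_line(line: str) -> Packet:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an IPv4 summary line: {line!r}")
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    # Heuristic that holds for this page's lines: tcpdump prints "Flags [..]" only
    # for TCP segments; the remaining (DNS) lines here are carried over UDP.
    proto = "tcp" if m["rest"].startswith("Flags [") else "udp"
    return Packet(src_ip, src_port, dst_ip, dst_port, proto)


Filter = Callable[[Packet], bool]

# Primitives named after the tcpdump expressions they mirror.
def host(a: str) -> Filter:
    return lambda p: a in (p.src_ip, p.dst_ip)

def src_host(a: str) -> Filter:
    return lambda p: p.src_ip == a

def dst_host(a: str) -> Filter:
    return lambda p: p.dst_ip == a

def port(n: int) -> Filter:
    return lambda p: n in (p.src_port, p.dst_port)

def src_port(n: int) -> Filter:
    return lambda p: p.src_port == n

def dst_port(n: int) -> Filter:
    return lambda p: p.dst_port == n

def net(cidr: str) -> Filter:
    network = ipaddress.ip_network(cidr, strict=False)
    return lambda p: any(ipaddress.ip_address(ip) in network for ip in (p.src_ip, p.dst_ip))

def proto(name: str) -> Filter:
    return lambda p: p.proto == name

def and_(*fs: Filter) -> Filter:
    return lambda p: all(f(p) for f in fs)

def or_(*fs: Filter) -> Filter:
    return lambda p: any(f(p) for f in fs)

def not_(f: Filter) -> Filter:
    return lambda p: not f(p)


def apply_filter(f: Filter, lines: List[str]) -> List[Packet]:
    packets = [parse_line(line) for line in lines]
    return [p for p in packets if f(p)]


if __name__ == "__main__":
    # Mirrors the page's "host 192.168.122.1 and tcp and port 22" expression.
    for p in apply_filter(and_(host("192.168.122.1"), proto("tcp"), port(22)), SAMPLE_LINES):
        print(p)
```

Running it selects the three SSH segments and leaves out the two DNS lines, which is what the kernel-side filter would have done for the same expression. Swapping `src_host` for `host` shows why the post calls it equivalent to `-Q in` in these captures: every inbound packet on the page has 192.168.122.1 as its source, which is a property of this particular host pair rather than of the two options in general.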
7. Printing packet contents
In ASCII:
[root@localhost ~]# tcpdump -i eth0 host www.baidu.com -A
...
06:45:55.722338 IP 182.61.200.7.http > 192.168.122.132.35802: Flags [.], seq 1:1453, ack 112, win 908, length 1452: HTTP: HTTP/1.1 200 OK
E.....@.$....=....z..P..........P....Q..HTTP/1.1 200 OK
Content-Length: 2381
Content-Type: text/html
Server: bfe
Date: Wed, 18 Aug 2021 12:07:56 GMT
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>...........................</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=............ class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>......</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>......</a> <a href=http://v.baidu.com name=tj_trvide
In hexadecimal:
[root@localhost ~]# tcpdump -i eth0 host www.baidu.com -x
...
06:54:27.609068 IP 182.61.200.6.http > 192.168.122.132.37184: Flags [.], ack 113, win 2452, length 0
0x0000: 4500 0028 2919 4000 2406 7446 b63d c806
0x0010: c0a8 7a84 0050 9140 4465 0105 79ee 1aab
0x0020: 5010 0994 813b 0000
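As an added example that is not part of the original post, the following Python decodes the hex dump above back into IPv4 and TCP header fields and verifies the IP header checksum; the field names in the returned dict are this example's own. The decoded values should agree with the summary line tcpdump printed for the same segment: 182.61.200.6.http > 192.168.122.132.37184, an ACK-only segment with window 2452 and no payload.

```python
# Added example (not from the original post): rebuild the raw bytes from
# tcpdump -x output and decode the IPv4 and TCP headers they contain.
import re
import struct

# Constructed sample: the hex dump printed above for the segment from 182.61.200.6.
HEX_DUMP = """\
0x0000: 4500 0028 2919 4000 2406 7446 b63d c806
0x0010: c0a8 7a84 0050 9140 4465 0105 79ee 1aab
0x0020: 5010 0994 813b 0000
"""

DUMP_LINE_RE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+([0-9a-fA-F ]+)$")

# tcpdump's letter for each TCP flag bit, in the order it prints them ("." is ACK).
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the hex groups of every '0xNNNN:' line back into the packet bytes."""
    groups = []
    for line in dump.splitlines():
        m = DUMP_LINE_RE.match(line)
        if m:
            groups.append(m.group(1).replace(" ", ""))
    return bytes.fromhex("".join(groups))


def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header, checksum field included, must be 0xFFFF."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_tcp(raw: bytes) -> dict:
    """Decode the IPv4 header and the TCP header that follows it."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, protocol,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip = {
        "version": ver_ihl >> 4, "header_len": ihl, "total_length": total_len,
        "id": ident, "dont_fragment": bool(flags_frag & 0x4000),
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": protocol,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": ip_checksum_ok(raw[:ihl]),
    }
    if protocol != 6:
        raise ValueError(f"IP protocol {protocol} is not TCP")
    sport, dport, seq, ack, off_flags, win, _tcsum, urg = struct.unpack(
        "!HHIIHHHH", raw[ihl:ihl + 20])
    doff = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x1FF
    tcp = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": "".join(ch for bit, ch in TCP_FLAG_LETTERS if flag_bits & bit),
        "window": win, "urgent": urg, "header_len": doff,
        "payload_len": total_len - ihl - doff,
    }
    return {"ip": ip, "tcp": tcp}


def summary_line(pkt: dict) -> str:
    """Render the decoded headers in the style of tcpdump -nn's one-line summary."""
    ip, tcp = pkt["ip"], pkt["tcp"]
    return (f"IP {ip['src']}.{tcp['src_port']} > {ip['dst']}.{tcp['dst_port']}: "
            f"Flags [{tcp['flags']}], win {tcp['window']}, length {tcp['payload_len']}")


if __name__ == "__main__":
    decoded = decode_ipv4_tcp(hexdump_to_bytes(HEX_DUMP))
    print(summary_line(decoded))
    print("IP header checksum valid:", decoded["ip"]["checksum_ok"])
```

The rendered summary comes out as `IP 182.61.200.6.80 > 192.168.122.132.37184: Flags [.], win 2452, length 0`, with numeric ports because the decoder does not resolve service names. Note that the `ack 113` in tcpdump's own line is a relative number (the default unless `-S` is given); the header carries the absolute value 0x79ee1aab.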
8. Printing the link-layer header
[root@localhost ~]# tcpdump -i eth0 -e -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:50:34.476023 52:54:00:3a:b8:ec (oui Unknown) > 52:54:00:95:7c:07 (oui Unknown), ethertype IPv4 (0x0800), length 254: 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3169847186:3169847374, ack 545618982, win 295, options [nop,nop,TS val 19416059 ecr 2093039151], length 188
1 packet captured
6 packets received by filter
0 packets dropped by kernel