linux各种抓包情况说明

Posted leocorn

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux各种抓包情况说明相关的知识,希望对你有一定的参考价值。

  大家都知道抓包指令:tcpdump    抓包的主要目的是测试端口、网络协议通不通,以及对抓取的数据包进行分析、测试,抓包对熟悉linux的大神都不陌生,网络对于我来说也是一窍不通,只是在这里记录一下自己在工作中常用到的一些抓包使用说明。

#抓取主机上所有来自四面八方的数据包

[[email protected] Log]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:37:02.100344 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (202), id: 0xa4 length: 345
11:37:02.100352 IP 133.38.7.145.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (137), id: 0x9b length: 33

#抓取本机指定网卡上的数据包,-i 指定的本机网卡eth0

[[email protected] Log]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:03:12.238556 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (177), id: 0x49 length: 480
10:03:12.238559 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (93), id: 0x27 length: 524

#监听本机端口数据包,指定网卡eth0,端口1812

[[email protected] Log]# tcpdump -i eth0 -s 0 port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:46:41.940333 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (130), id: 0x14 length: 606
11:46:41.940333 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (160), id: 0xe4 length: 33
11:46:41.940894 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (131), id: 0x14 length: 606

#ICMP协议数据包(从一台主机对本机发起的ping)

[[email protected] Log]# tcpdump host 133.37.22.84
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:49:12.200801 IP 133.37.22.84 > 133.37.22.83: ICMP echo request, id 18010, seq 1, length 64
11:49:12.200954 IP 133.37.22.83 > 133.37.22.84: ICMP echo reply, id 18010, seq 1, length 64

#抓取来自于某个主机的数据包,src host x.x.x.x

[[email protected] Log]# tcpdump -i eth0 src host 133.38.7.144
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:06.768507 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (134), id: 0x22 length: 602
12:00:06.769007 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (135), id: 0x22 length: 344
12:00:06.769400 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (136), id: 0x22 length: 288

 

#抓包生成文件保存,将端口1812上抓到的包保存为b.cap文件,-w xxx.cap

[[email protected] Log]# tcpdump -i eth0 -s 0 port 1812 -w b.cap 

 

抓包文件分析软件:Wireshark,对于各种抓包报文的解析规则,涉及更深层次的协议知识,后面会分享一篇关于redius协议的报文解析规则

 























以上是关于linux各种抓包情况说明的主要内容,如果未能解决你的问题,请参考以下文章

抓包工具tcpdump用法说明

测试必杀技之linux抓包神器-tcpdump

Postman 抓包

linux使用tcpdump抓包工具抓取网络数据包,多示例演示

ethereal抓包工具

怎样使用Wireshark抓包