权限:
chunli@ubuntu14:~$ sudo -s
抓10个数据包:
root@ubuntu14:~# tcpdump -c10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:21:02.483477 IP ubuntu14.ssh > chunli-PC.55864: Flags [P.], seq 2689412178:2689412374, ack 3590879662, win 252, length 196 19:21:02.483649 IP chunli-PC.55864 > ubuntu14.ssh: Flags [.], ack 196, win 1010, length 0 19:21:02.796254 IP chunli-PC.56027 > 43.250.12.129.http-alt: Flags [S], seq 1547084021, win 8192, options [mss 1460,nop,nop,sackOK], length 0 19:21:02.820760 IP 43.250.12.129.http-alt > chunli-PC.56027: Flags [R.], seq 0, ack 1547084022, win 0, length 0 19:21:03.148260 IP chunli-PC.8000 > 42.62.11.74.8703: UDP, length 24 19:21:03.182062 IP 42.62.11.74.8703 > chunli-PC.8000: UDP, length 33 19:21:03.473780 IP ubuntu14.43189 > DD-WRT.domain: 57145+ PTR? 2.11.11.11.in-addr.arpa. (41) 19:21:03.475012 IP DD-WRT.domain > ubuntu14.43189: 57145* 1/0/0 PTR chunli-PC. (64) 19:21:03.475217 IP ubuntu14.42760 > DD-WRT.domain: 46008+ PTR? 8.11.11.11.in-addr.arpa. (41) 19:21:03.475859 IP DD-WRT.domain > ubuntu14.42760: 46008* 1/0/0 PTR ubuntu14. (63) 19:21:03.476067 IP ubuntu14.56347 > DD-WRT.domain: 22461+ PTR? 129.12.250.43.in-addr.arpa. (44) 19:21:03.476124 IP ubuntu14.ssh > chunli-PC.55864: Flags [P.], seq 196:456, ack 1, win 252, length 260 19:21:03.477055 IP DD-WRT.domain > ubuntu14.56347: 22461 NXDomain 0/0/0 (44) 19:21:03.477412 IP ubuntu14.58373 > DD-WRT.domain: 46973+ PTR? 74.11.62.42.in-addr.arpa. (42) 19:21:03.487709 IP ubuntu14.ssh > chunli-PC.55864: Flags [P.], seq 456:764, ack 1, win 252, length 308 19:21:03.487922 IP chunli-PC.55864 > ubuntu14.ssh: Flags [.], ack 764, win 1008, length 0 16 packets captured 350 packets received by filter 0 packets dropped by kernel root@ubuntu14:~#
将抓到的数据报保存起来:
root@ubuntu14:~# tcpdump -c10 -w tcpdump_lcl tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 10 packets captured 10 packets received by filter 0 packets dropped by kernel root@ubuntu14:~# ll total 12K drwxrwxr-x 2 chunli chunli 4.0K Aug 19 14:41 m_fork/ drwxrwxr-x 2 chunli chunli 4.0K Aug 19 17:22 m_pthread/ -rw-r--r-- 1 root root 1011 Aug 19 19:22 tcpdump_lcl 查看数据报: root@ubuntu14:~# tcpdump -r tcpdump_lcl reading from file tcpdump_lcl, link-type EN10MB (Ethernet) 19:21:59.583844 IP ubuntu14.ssh > chunli-PC.55864: Flags [P.], seq 2689415150:2689415282, ack 3590880582, win 252, length 132 19:21:59.583996 IP chunli-PC.55864 > ubuntu14.ssh: Flags [.], ack 132, win 999, length 0 19:22:00.447787 IP chunli-PC.64821 > 220.181.163.130.http: Flags [P.], seq 2790896002:2790896022, ack 3757289497, win 64536, length 20 19:22:00.480220 IP 220.181.163.130.http > chunli-PC.64821: Flags [.], ack 20, win 14600, length 0 19:22:00.480228 IP 220.181.163.130.http > chunli-PC.64821: Flags [P.], seq 1:23, ack 20, win 14600, length 22 19:22:00.689597 IP chunli-PC.64821 > 220.181.163.130.http: Flags [.], ack 23, win 64514, length 0 19:22:00.832653 IP chunli-PC.8000 > 42.62.11.74.8703: UDP, length 24 19:22:00.856595 IP chunli-PC.4012 > 183.60.19.159.8000: UDP, length 39 19:22:00.870166 IP 42.62.11.74.8703 > chunli-PC.8000: UDP, length 33 19:22:00.901091 IP 183.60.19.159.8000 > chunli-PC.4012: UDP, length 47
显示操作系统有几块网卡:
root@ubuntu14:~# tcpdump -D 1.eth0 2.any (Pseudo-device that captures on all interfaces) 3.lo root@ubuntu14:~#
指定网卡:
root@ubuntu14:~# tcpdump -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:27:04.640015 IP ubuntu14.ssh > chunli-PC.55864: Flags [P.], seq 2689435874:2689436070, ack 3590890382, win 252, length 196 19:27:04.640218 IP chunli-PC.55864 > ubuntu14.ssh: Flags [.], ack 196, win 918, length 0
显示详细信息:
root@ubuntu14:~# tcpdump -i eth0 -v root@ubuntu14:~# tcpdump -i eth0 -vv
不要显示域名,显示IP
root@ubuntu14:~# tcpdump -i eth0 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:28:46.997705 IP 11.11.11.8.22 > 11.11.11.2.55864: Flags [P.], seq 2689449918:2689450114, ack 3590893210, win 252, length 196 19:28:46.998223 IP 11.11.11.2.55864 > 11.11.11.8.22: Flags [.], ack 196, win 863, length 0
过滤所有经过 eth1,目的/源地址
# tcpdump -i eth1 host 192.168.1.1 # tcpdump -i eth1 src host 192.168.1.1 # tcpdump -i eth1 dst host 192.168.1.1
过滤端口,目的/源端口
# tcpdump -i eth1 port 25 # tcpdump -i eth1 src port 25 # tcpdump -i eth1 dst port 25
过滤网络,目的/源网络
# tcpdump -i eth1 net 192.168 # tcpdump -i eth1 src net 192.168 # tcpdump -i eth1 dst net 192.168
过滤协议
# tcpdump -i eth1 arp # tcpdump -i eth1 ip # tcpdump -i eth1 tcp # tcpdump -i eth1 udp # tcpdump -i eth1 icmp
常用表达式
非:! or "not" (去掉双引号)
且:&& or "and"
或:|| or "or"
抓取所有经过 eth1,目的地址是 192.168.1.254 或 192.168.1.200 端口是 80 的 TCP 数据
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
抓取所有经过 eth1,目标 MAC 地址是 00:01:02:03:04:05 的 ICMP 数据
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
- 抓取所有经过 eth1,目的网络是 192.168,但目的主机不是 192.168.1.200 的 TCP 数据
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
- 只抓 SYN 包
# tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'
- 抓 SYN, ACK
# tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'
抓 SMTP 数据
# tcpdump -i eth1 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'
抓取数据区开始为"MAIL"的包,"MAIL"的十六进制为 0x4d41494c。
抓 HTTP GET 数据
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'
"GET "的十六进制是 47455420
抓 SSH 返回
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482D'
"SSH-"的十六进制是 0x5353482D
# tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2]= 0x312E)
'抓老版本的 SSH 返回信息,如"SSH-1.99.."
- 抓 DNS 请求数据
# tcpdump -i eth1 udp dst port 53
-c 参数对于运维人员来说也比较常用,因为流量比较大的服务器,靠人工 CTRL+C 还是抓的太多,于是可以用-c 参数指定抓多少个包。
# time tcpdump -nn -i eth0 'tcp[tcpflags] = tcp-syn' -c 10000 > /dev/null
上面的命令计算抓 10000 个 SYN 包花费多少时间,可以判断访问量大概是多少。
实时抓取端口号8000的GET包,然后写入GET.log
tcpdump -i eth0 '((port 8000) and (tcp[(tcp[12]>>2):4]=0x47455420))' -nnAl -w /tmp/GET.log
