Introduction to tcpdump

Tcpdump is a command-line packet analysis tool. Much like Wireshark, you can use Tcpdump to capture and analyze packets, troubleshoot connection issues, and look for potential security issues on a network. Tcpdump is a portable command-line utility that can be used even when a GUI is not available, and when Wireshark is not installed.

Today, let’s take a look at how to use Tcpdump to analyze packets! Open up your terminal and follow along.

(Getting started)

Before we go on, remember that Tcpdump needs to capture raw packets and put network interfaces into promiscuous mode in order to operate. This means that you need to run Tcpdump as a superuser, so all of the commands introduced below should be run with “sudo”.

To begin, you can use the “-D” flag to list the interfaces available for capture.

$ sudo tcpdump -D
1.en0 [Up, Running]
2.bridge0 [Up, Running]
3.p2p0 [Up, Running]
4.awdl0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.en2 [Up, Running]
8.lo0 [Up, Running, Loopback]
9.vboxnet0 [Running]
10.gif0
11.stf0

Let’s start capturing some packets. Use the “-i” flag to specify the interface you want to capture on. Specifying “any” as the interface captures from all active interfaces; naming a specific interface (one of those listed by “-D”) captures from that interface only.

$ sudo tcpdump -i any
$ sudo tcpdump -i eth1

Now, you should start seeing packet details in your terminal! Tcpdump will continue to capture packets until you interrupt it by pressing “Ctrl+C”. You can also use the “-v” flag to adjust the level of verbosity in Tcpdump’s output.

$ sudo tcpdump -i any -v (Verbose output)
$ sudo tcpdump -i any -vv (Even more verbose output)
$ sudo tcpdump -i any -vvv (The most verbose output)

(Protocol filters)

Tcpdump has a variety of filters that let you capture only the packets that fit your criteria. First, you can filter the captured traffic by protocol. For example, this command will capture all TCP segments.

$ sudo tcpdump tcp

(Port filters)

If you are only interested in traffic for a specific port, you can use the “port” filter to target your analysis.

$ sudo tcpdump port 80

This command will capture all traffic with port 80 as either its source or its destination port. If you want to be more specific and capture only traffic that has port 80 as its source port, or only traffic that has port 80 as its destination port, you can use the following commands (the keyword is “dst”, not “dest”).

$ sudo tcpdump src port 80 (Source port is 80)
$ sudo tcpdump dst port 80 (Destination port is 80)

(Host filters)

On the other hand, if you are only interested in traffic for a specific host, you can use the “host” filter. The “host” filter can also be combined with the “src” or “dst” qualifier.

$ sudo tcpdump host 1.2.3.4
$ sudo tcpdump src host 1.2.3.4 (Source host is 1.2.3.4)
$ sudo tcpdump dst host 1.2.3.4 (Destination host is 1.2.3.4)

(Combining filters)

Finally, you can combine multiple filters in Tcpdump by joining them with the boolean operators “and” and “or”. Quoting the whole expression with single quotes keeps the shell from interpreting any of its characters.

$ sudo tcpdump 'src port 80 and dst host 1.2.3.4'
$ sudo tcpdump 'src port 80 or src port 443'

(Saving the output)

You can save the captured packets to a file (in pcap format, the same format Wireshark reads) rather than printing them by using the “-w” flag. Put the options before the filter expression, since on some systems Tcpdump stops parsing options at the first non-option argument.

$ sudo tcpdump -w PATH_TO_FILE tcp

If you want Tcpdump both to save and print the packets, you can use the “--print” flag (available in Tcpdump 4.99 and later) in conjunction with the “-w” flag.

$ sudo tcpdump -w PATH_TO_FILE --print tcp

This saved file can later be read using the “-r” flag.

$ sudo tcpdump -r PATH_TO_FILE

(Decoding the output)

The format of Tcpdump’s output depends on the protocol of the packet. A typical output line for TCP looks like this.

17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0

The first field, “17:42:53.490718” is the timestamp of the captured packet. Next, “IP” represents the network layer protocol, which in this case was IPv4.

The next field is the source IP and port, written with the port appended after a final dot: “192.168.0.1.443” means that the source IP was “192.168.0.1” and the source port was 443. Similarly, “192.168.0.114.59509” after the “>” represents the destination IP and port.

“Flags [.]” represents the TCP flags. In this case, the TCP ACK flag was set. This is followed by the ACK number, “ack 1”. And the next field is the window size “win 67”, and finally, the packet length “length 0”.

Other protocol types have additional fields in their output; check Tcpdump’s documentation for the details.

(Reading packet contents)

Finally, how do you read the contents of the captured packets? In Tcpdump, you can print each packet’s payload as ASCII by using the “-A” flag. For example, let’s say that we want to capture some HTTP traffic.

$ sudo tcpdump -A port 80

Run this command, then load a page over plain HTTP. You will see the packet contents printed in plain text, including any cookies or other credentials the browser sent, which is exactly why cleartext HTTP is a risk on a shared network.

Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0 
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://www.example.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=71mapjkikro59donut84n0cfms0
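The summary-line layout described in “Decoding the output” and the “-A” payload dump shown above, worked through as an added Python example. This is not code from the original post; it assumes Tcpdump was run with numeric ports (“-n”, or ports it did not translate to service names) and the default IPv4 summary layout, and treats every line that is not a summary line as “-A” payload belonging to the preceding packet. The sample capture text is constructed for the example (documentation addresses, the header block above, and a made-up request line) and can be replaced by piping real `tcpdump -n -A -l port 80` output into `parse_capture`.

```python
"""Parse `tcpdump -n -A` output and flag HTTP requests that carry credentials in cleartext."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Summary line, e.g.
# 17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0
# The port is appended to the address after a final dot, so a lazy match on the
# address followed by "\.<digits>" splits the two correctly for IPv4.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# TCP flag letters as printed by tcpdump inside "Flags [...]" (from the tcpdump man page).
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}

# Request line that marks a payload block as an HTTP request (hypothetical pattern, not tcpdump's).
REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\s*$")
SENSITIVE_HEADERS = ("cookie", "authorization", "proxy-authorization")


@dataclass
class Packet:
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    flag_names: list[str]
    ack: Optional[int]
    win: Optional[int]
    length: Optional[int]
    payload: list[str] = field(default_factory=list)  # -A lines that followed the summary


def decode_flags(flags: str) -> list[str]:
    """Expand tcpdump's flag letters ("S.", "P.", "none") into flag names."""
    if flags == "none":
        return []
    return [FLAG_NAMES.get(c, f"?{c}") for c in flags]


def parse_summary(line: str) -> Optional[Packet]:
    """Parse one tcpdump summary line; return None for payload or unrelated lines."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    rest = m["rest"]

    def num(key: str) -> Optional[int]:
        mm = re.search(rf"\b{key} (\d+)", rest)
        return int(mm.group(1)) if mm else None

    fm = re.search(r"Flags \[([^\]]*)\]", rest)
    flags = fm.group(1) if fm else ""
    return Packet(m["ts"], m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  flags, decode_flags(flags), num("ack"), num("win"), num("length"))


def parse_capture(lines) -> list[Packet]:
    """Group -A payload lines under the summary line that precedes them."""
    packets: list[Packet] = []
    for raw in lines:
        line = raw.rstrip("\n")
        pkt = parse_summary(line)
        if pkt is not None:
            packets.append(pkt)
        elif packets:
            packets[-1].payload.append(line)
    return packets


def find_cleartext_credentials(packets: list[Packet]) -> list[tuple[str, str]]:
    """Return (flow, header name) for every HTTP request whose payload was readable by -A
    and carried a Cookie or Authorization header; readable means no TLS was in use."""
    findings = []
    for pkt in packets:
        if not any(REQUEST_RE.match(l) for l in pkt.payload):
            continue
        for l in pkt.payload:
            name, sep, _ = l.partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                findings.append((f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", name.strip()))
    return findings


# Constructed sample of `tcpdump -n -A` output: the first line is the article's example,
# the second packet is a made-up HTTP request carrying the cookie header shown in the article.
SAMPLE = """\
17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0
17:42:54.001122 IP 192.168.0.114.52144 > 203.0.113.10.80: Flags [P.], seq 1:311, ack 1, win 2058, length 310
E..^..@.@..............P......P.....
GET / HTTP/1.1
Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://www.example.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=71mapjkikro59donut84n0cfms0

17:42:54.020000 IP 203.0.113.10.80 > 192.168.0.114.52144: Flags [.], ack 311, win 65535, length 0
"""


def main() -> None:
    packets = parse_capture(SAMPLE.splitlines())
    for p in packets:
        print(f"{p.timestamp} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"flags={'|'.join(p.flag_names) or 'none'} ack={p.ack} win={p.win} len={p.length}")
    for flow, header in find_cleartext_credentials(packets):
        print(f"CLEARTEXT {header} header in HTTP request {flow}")


if __name__ == "__main__":
    main()
```

Run it as `sudo tcpdump -n -A -l port 80 | python3 -c 'import sys, tcpdump_parse as t; ...'` style against a live capture, or against `tcpdump -n -A -r PATH_TO_FILE` output; the `-l` flag line-buffers Tcpdump’s output so the pipe sees each packet as it arrives. The finding list is the defender’s signal: any hit means a session cookie or credential crossed the network without TLS.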

(Conclusion)

Tcpdump is a powerful packet analysis tool. Today, we looked at the basic usage of Tcpdump. For more information about the tool, and more functionality to explore, visit Tcpdump’s manual page here: https://www.tcpdump.org/manpages/tcpdump.1.html.
