
Using the tcpdump tool

坏坏-5 2024-07-18 12:01:02
Summary: how to use the tcpdump tool

tcpdump usage

  • tcpdump [options] [protocol] [direction] [type]

    • protocol: tcp, udp, ip, ip6, arp, icmp, ether, etc.
    • direction: src, dst, src or dst (no direction keyword means either end matches)
    • type:
      • host IP: capture packets whose source or destination address is that host
      • net network: capture packets to or from a network, e.g. net 192.168.63.0/24
      • port N: capture packets with N as source or destination port
      • portrange N-M: capture packets whose port falls between N and M
    • options:
      • -w filename: write the captured packets to a file (raw pcap format, not text; read it back with -r)
      • -r filename: read packets from a saved capture file instead of a live interface
      • -i interface: capture the packets passing through that interface
      • -s 0: capture every packet in full (snapshot length). Old tcpdump releases defaulted to a short snapshot length that cut payloads off; current releases default to 262144 bytes, so -s 0 mostly matters on old systems
      • -c num: stop after capturing num packets
      • -vvv: print packets with maximum detail (-v, -vv and -vvv each add more)
      • -vnn: -v combined with -nn. -n stops tcpdump from resolving addresses to host names; the second n also keeps port and protocol numbers numeric instead of names such as bootps or http. Without -n, tcpdump sends a reverse DNS query for every address it prints, which slows the output down and tells the DNS server which hosts you are looking at
  • Capture 2000 full packets from the interface eno16777736, write them to the file 1.cap, and run the capture in the background:

tcpdump  -i eno16777736 -c 2000 -s 0 -w 1.cap &
  • With -c 2000 tcpdump exits by itself once the count is reached. If it was started without -c and runs in the background, Ctrl+C will not reach it; find the process with ps aux | grep tcpdump or ps -ef | grep tcpdump and stop it with kill PID (SIGTERM) or kill -INT PID, both of which let tcpdump flush its buffers and close the file cleanly. Avoid kill -9: SIGKILL discards whatever is still buffered and leaves a half-written last record, which is one common cause of the "truncated dump file; tried to read 60 captured bytes, only got 26" error that appears at the end of every read of 1.cap below (tcpdump -U, packet-buffered output, limits the loss if a capture does die abruptly).
  • Read from 1.cap the UDP packets that carry port 67 at one end and port 68 at the other, i.e. DHCP server/client traffic (the filter 'udp port 67 and port 68' requires both ports in the same packet, which is exactly how DHCP is addressed):
[root@localhost test]# tcpdump -r 1.cap 'udp port 67 and port 68'
reading from file 1.cap, link-type EN10MB (Ethernet)
16:49:30.130955 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:0c:29:49:e6:d9 (oui Unknown), length 300
16:49:31.146139 IP 192.168.63.254.bootps > 192.168.63.136.bootpc: BOOTP/DHCP, Reply, length 300
16:49:31.146356 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:0c:29:49:e6:d9 (oui Unknown), length 300
16:49:31.147716 IP 192.168.63.254.bootps > 192.168.63.136.bootpc: BOOTP/DHCP, Reply, length 300
tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 26
  • The same DHCP packets from 1.cap with full detail (-vvv), which decodes the DHCP options and shows the complete Discover, Offer, Request, ACK exchange:
[root@localhost test]# tcpdump -r 1.cap -vvv 'udp port 67 and port 68'
reading from file 1.cap, link-type EN10MB (Ethernet)
16:49:30.130955 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:0c:29:49:e6:d9 (oui Unknown), length 300, xid 0xac6c5c1c, Flags [none] (0x0000)
          Client-Ethernet-Address 00:0c:29:49:e6:d9 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Requested-IP Option 50, length 4: 192.168.43.21
            Hostname Option 12, length 9: "localhost"
            Parameter-Request Option 55, length 18:
              Subnet-Mask, BR, Time-Zone, Classless-Static-Route
              Domain-Name, Domain-Name-Server, Hostname, YD
              YS, NTP, MTU, Option 119
              Default-Gateway, Classless-Static-Route, Classless-Static-Route-Microsoft, Static-Route
              Option 252, NTP
            END Option 255, length 0
            PAD Option 0, length 0, occurs 19
16:49:31.146139 IP (tos 0x10, ttl 16, id 0, offset 0, flags [none], proto UDP (17), length 328)
    192.168.63.254.bootps > 192.168.63.136.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xac6c5c1c, Flags [none] (0x0000)
          Your-IP 192.168.63.136
          Server-IP 192.168.63.254
          Client-Ethernet-Address 00:0c:29:49:e6:d9 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Offer
            Server-ID Option 54, length 4: 192.168.63.254
            Lease-Time Option 51, length 4: 1800
            Subnet-Mask Option 1, length 4: 255.255.255.0
            BR Option 28, length 4: 192.168.63.255
            Domain-Name Option 15, length 11: "localdomain"
            Domain-Name-Server Option 6, length 4: 192.168.63.2
            Default-Gateway Option 3, length 4: 192.168.63.2
            END Option 255, length 0
            PAD Option 0, length 0, occurs 7
16:49:31.146356 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:0c:29:49:e6:d9 (oui Unknown), length 300, xid 0xac6c5c1c, Flags [none] (0x0000)
          Client-Ethernet-Address 00:0c:29:49:e6:d9 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Server-ID Option 54, length 4: 192.168.63.254
            Requested-IP Option 50, length 4: 192.168.63.136
            Hostname Option 12, length 9: "localhost"
            Parameter-Request Option 55, length 18:
              Subnet-Mask, BR, Time-Zone, Classless-Static-Route
              Domain-Name, Domain-Name-Server, Hostname, YD
              YS, NTP, MTU, Option 119
              Default-Gateway, Classless-Static-Route, Classless-Static-Route-Microsoft, Static-Route
              Option 252, NTP
            END Option 255, length 0
            PAD Option 0, length 0, occurs 13
16:49:31.147716 IP (tos 0x10, ttl 16, id 0, offset 0, flags [none], proto UDP (17), length 328)
    192.168.63.254.bootps > 192.168.63.136.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xac6c5c1c, Flags [none] (0x0000)
          Your-IP 192.168.63.136
          Server-IP 192.168.63.254
          Client-Ethernet-Address 00:0c:29:49:e6:d9 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 192.168.63.254
            Lease-Time Option 51, length 4: 1800
            Subnet-Mask Option 1, length 4: 255.255.255.0
            BR Option 28, length 4: 192.168.63.255
            Domain-Name Option 15, length 11: "localdomain"
            Domain-Name-Server Option 6, length 4: 192.168.63.2
            Default-Gateway Option 3, length 4: 192.168.63.2
            END Option 255, length 0
            PAD Option 0, length 0, occurs 7
tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 26
  • Read the ICMP packets from 1.cap (here the filter expression is given before -r; the usual order is tcpdump -r 1.cap icmp, but both work):
[root@localhost test]# tcpdump icmp -r 1.cap
reading from file 1.cap, link-type EN10MB (Ethernet)
16:48:47.772937 IP 192.168.43.2 > 192.168.43.1: ICMP echo request, id 4231, seq 1, length 64
16:48:47.773438 IP 192.168.43.1 > 192.168.43.2: ICMP echo reply, id 4231, seq 1, length 64
16:48:48.775018 IP 192.168.43.2 > 192.168.43.1: ICMP echo request, id 4231, seq 2, length 64
16:48:48.775369 IP 192.168.43.1 > 192.168.43.2: ICMP echo reply, id 4231, seq 2, length 64
16:48:49.775551 IP 192.168.43.2 > 192.168.43.1: ICMP echo request, id 4231, seq 3, length 64
16:48:49.775894 IP 192.168.43.1 > 192.168.43.2: ICMP echo reply, id 4231, seq 3, length 64
tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 26
  • Read from 1.cap the TCP packets whose destination port is 80 and print each packet in ASCII (-A), which exposes the plaintext HTTP request lines and headers:
[root@localhost test]# tcpdump -s 0 -A -r 1.cap 'tcp dst port 80'
reading from file 1.cap, link-type EN10MB (Ethernet)
16:49:55.603508 IP 192.168.63.136.49540 > 112.80.248.75.http: Flags [S], seq 320854986, win 14600, options [mss 1460,sackOK,TS val 240242 ecr 0,nop,wscale 7], length 0
E..<q.@.@.`7..?.pP.K...P..........9.h..........
...r........
16:49:55.635957 IP 192.168.63.136.49540 > 112.80.248.75.http: Flags [.], ack 956832811, win 14600, length 0
E..(q.@.@.`J..?.pP.K...P....9..+P.9.h...
16:49:55.636179 IP 192.168.63.136.49540 > 112.80.248.75.http: Flags [P.], seq 0:77, ack 1, win 14600, length 77
E..uq.@.@._...?.pP.K...P....9..+P.9.i4..GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.baidu.com
Accept: */*


16:49:55.660280 IP 192.168.63.136.49540 > 112.80.248.75.http: Flags [.], ack 2782, win 18980, length 0
E..(q.@.@.`H..?.pP.K...P....9.'.P.J$h...
16:49:55.660467 IP 192.168.63.136.49540 > 112.80.248.75.http: Flags [F.], seq 77, ack 2782, win 18980, length 0
E..(q.@.@.`G..?.pP.K...P....9.'.P.J$h...
16:49:55.697827 IP 192.168.63.136.49540 > 112.80.248.75.http: Flags [.], ack 2783, win 18980, length 0
E..(..@.@.....?.pP.K...P....9.' P.J$....
16:50:08.926810 IP 192.168.63.136.48167 > hn.kd.ny.adsl.http: Flags [S], seq 1248815336, win 14600, options [mss 1460,sackOK,TS val 253566 ecr 0,nop,wscale 7], length 0
E..<..@.@.....?......'.PJoh.......9............
...~........
16:50:08.967342 IP 192.168.63.136.48167 > hn.kd.ny.adsl.http: Flags [.], ack 1473450910, win 14600, length 0
E..(..@.@.....?......'.PJoh.W...P.9.....
16:50:08.967642 IP 192.168.63.136.48167 > hn.kd.ny.adsl.http: Flags [P.], seq 0:295, ack 1, win 14600, length 295

E..CC.@.@..:..?.pP.L...P.G...X@.P.9.j...GET / HTTP/1.1
Host: www.baidu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


16:50:15.092246 IP 192.168.63.136.32929 > 112.80.248.76.http: Flags [.], ack 1388, win 16644, length 0
E..(C.@.@..T..?.pP.L...P.G...XFBP.A.h...
16:50:15.242141 IP 192.168.63.136.34566 > 104.18.21.226.http: Flags [S], seq 787615467, win 14600, options [mss 1460,sackOK,TS val 259880 ecr 0,nop,wscale 7], length 0
E..<..@.@.....?.h......P..........9.~S.........
...(........
16:50:15.496376 IP 192.168.63.136.34566 > 104.18.21.226.http: Flags [.], ack 634985297, win 14600, length 0
E..(..@.@.....?.h......P....%..QP.9.~?..
16:50:15.511763 IP 192.168.63.136.34566 > 104.18.21.226.http: Flags [P.], seq 0:462, ack 1, win 14600, length 462
tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 26
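The two reads above, 'udp port 67 and port 68' and -A 'tcp dst port 80', together with the "truncated dump file" error that ends every read, as an added example that is not part of the original post: a minimal classic-pcap reader in Python that applies the same two selections after decoding Ethernet/IPv4/UDP/TCP and stops cleanly at a cut-off last record instead of failing. The sample capture it builds is constructed inline and is not the post's 1.cap (the MAC and IP addresses are copied from the outputs above, the DHCP option set is reduced to option 53); the function names are my own.

```python
"""Minimal pcap reader, a worked example added to this page (not the post's code). Mirrors
tcpdump -r 1.cap 'udp port 67 and port 68' (dhcp_summary) and tcpdump -r 1.cap -A 'tcp dst port 80'
(http_request_lines), and stops cleanly at a cut-off last record, the case behind "truncated dump
file; tried to read 60 captured bytes, only got 26". Classic pcap with Ethernet/IPv4 frames only."""
import struct

DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}  # RFC 2132 option 53 values

def parse_pcap(data):
    """Return (records, truncated); records = [(ts_sec, ts_usec, frame)], truncated = True when
    the last record header promises more bytes than remain (what tcpdump reports as truncated)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("not a classic pcap file with Ethernet frames")
    records, off, truncated = [], 24, False
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:  # record cut off mid-write, e.g. capture killed with -9
            truncated = True
            break
        records.append((ts_sec, ts_usec, frame))
        off += 16 + incl_len
    return records, truncated

def decode(frame):
    """Decode Ethernet/IPv4 plus the UDP or TCP header; return a dict, or None for other traffic."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + minimal IPv4 header
        return None
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]  # skip IHL*4 bytes of IP header
    d = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if ip[9] == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header
        d.update(proto="udp", payload=l4[8:])
    elif ip[9] == 6 and len(l4) >= 20:  # TCP: header length from the data-offset field
        d.update(proto="tcp", payload=l4[(l4[12] >> 4) * 4:])
    else:
        return None
    d["sport"], d["dport"] = struct.unpack("!HH", l4[:4])
    return d

def dhcp_message_type(payload):
    """Walk the option TLVs after the 236-byte BOOTP header and magic cookie; return option 53."""
    if len(payload) < 240 or payload[236:240] != b"\x63\x82\x53\x63":
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = END
        if payload[i] == 0:  # 0 = PAD, a single byte without a length
            i += 1
            continue
        if payload[i] == 53 and payload[i + 1] == 1 and i + 2 < len(payload):
            return DHCP_TYPES.get(payload[i + 2], "type %d" % payload[i + 2])
        i += 2 + payload[i + 1]
    return None

def dhcp_summary(data):
    """Same selection as 'udp port 67 and port 68': 67 at one end of the packet, 68 at the other."""
    records, truncated = parse_pcap(data)
    hits = []
    for _sec, _usec, frame in records:
        d = decode(frame)
        if d and d["proto"] == "udp" and {d["sport"], d["dport"]} == {67, 68}:
            hits.append((d["src"], d["dst"], dhcp_message_type(d["payload"])))
    return hits, truncated

def http_request_lines(data):
    """Same selection as -A 'tcp dst port 80', reduced to the request line of each HTTP request."""
    lines = []
    for _sec, _usec, frame in parse_pcap(data)[0]:
        d = decode(frame)
        if d and d["proto"] == "tcp" and d["dport"] == 80 and d["payload"][:4] in (b"GET ", b"POST"):
            lines.append(d["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return lines

# Constructed sample capture (not the post's 1.cap); MAC and addresses are taken from the outputs above.
def _frame(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xff" * 6 + b"\x00\x0c\x29\x49\xe6\xd9" + b"\x08\x00" + ip + l4

def _dhcp(msg_type):  # BOOTP header (op, htype, hlen, rest zero) + cookie + option 53 + END
    return bytes([1 if msg_type in (1, 3) else 2, 1, 6]) + b"\0" * 233 + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])

def build_sample_pcap():
    """Discover, Offer, an HTTP GET, then a record announcing 60 bytes with only 26 present."""
    udp = lambda sp, dp, p: struct.pack("!HHHH", sp, dp, 8 + len(p), 0) + p  # checksum 0 = none
    tcp = lambda sp, dp, p: struct.pack("!HHIIBBHHH", sp, dp, 1, 1, 0x50, 0x18, 14600, 0, 0) + p
    frames = [_frame(17, "0.0.0.0", "255.255.255.255", udp(68, 67, _dhcp(1))),
              _frame(17, "192.168.63.254", "192.168.63.136", udp(67, 68, _dhcp(2))),
              _frame(6, "192.168.63.136", "112.80.248.75", tcp(49540, 80, b"GET / HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)  # global header, snaplen 262144
    for n, f in enumerate(frames, 1):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    tail = _frame(6, "192.168.63.136", "112.80.248.75", tcp(49540, 80, b""))
    return out + struct.pack("<IIII", 4, 0, 60, 60) + tail[:26]  # cut-off last record

if __name__ == "__main__":
    cap = build_sample_pcap()
    print(dhcp_summary(cap))  # two DHCP hits (Discover, Offer) and truncated=True
    print(http_request_lines(cap))  # ['GET / HTTP/1.1']
```

Feeding parse_pcap the bytes of a real -w file tells you whether a capture tcpdump refuses to read to the end lost only its last record (truncated=True with everything before it intact) or is damaged earlier. Note that tcpdump evaluates BPF filters on the raw frame, at capture time as well as with -r; the helpers here apply equivalent conditions after decoding, which is fine for inspecting a saved file but is not a substitute for a capture filter on a busy interface.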

All of the above is original content; if anything is unclear or wrong, please point it out.