tcpdump
作者:互联网
功能:倾向于玩咯传输数据 支持对网络层,协议,主机,网络端口的过滤
格式:
tcpdump [-adeflnNOpqStvx][-c<数据包数目>][-dd][-ddd][-F<表达文件>][-i<网络界面>][-r<数据包文件>][-s<数据包大小>][-tt][-T<数据包类型>][-vv][-w<数据包文件>][输出数据栏位]
参数:
- -a 尝试将网络和广播地址转换成名称。
- -c<数据包数目> 收到指定的数据包数目后,就停止进行倾倒操作。
- -d 把编译过的数据包编码转换成可阅读的格式,并倾倒到标准输出。
- -dd 把编译过的数据包编码转换成C语言的格式,并倾倒到标准输出。
- -ddd 把编译过的数据包编码转换成十进制数字的格式,并倾倒到标准输出。
- -e 在每列倾倒资料上显示连接层级的文件头。
- -f 用数字显示网际网络地址。
- -F<表达文件> 指定内含表达方式的文件。
- -i<网络界面> 使用指定的网络截面送出数据包。
- -l 使用标准输出列的缓冲区。
- -n 不把主机的网络地址转换成名字。
- -N 不列出域名。
- -O 不将数据包编码最佳化。
- -p 不让网络界面进入混杂模式。
- -q 快速输出,仅列出少数的传输协议信息。
- -r<数据包文件> 从指定的文件读取数据包数据。
- -s<数据包大小> 设置每个数据包的大小。
- -S 用绝对而非相对数值列出TCP关联数。
- -t 在每列倾倒资料上不显示时间戳记。
- -tt 在每列倾倒资料上显示未经格式化的时间戳记。
- -T<数据包类型> 强制将表达方式所指定的数据包转译成设置的数据包类型。
- -v 详细显示指令执行过程。
- -vv 更详细显示指令执行过程。
- -x 用十六进制字码列出数据包资料。
- -w<数据包文件> 把数据包数据写入指定的文件。
- *and* *and(*or* ) * and ! *
实例:
tcpdump tcp包的内容
root@localhost ~]# tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 10:55:34.290764 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3376045293:3376045505, ack 1281327862, win 543, length 212 10:55:34.291183 IP localhost.58612 > 100.100.2.138.domain: 29854+ PTR? 115.57.125.106.in-addr.arpa. (45) 10:55:34.291469 IP 100.100.2.138.domain > localhost.58612: 29854 NXDomain 0/1/0 (133) 10:55:34.292536 IP localhost.48579 > 100.100.2.136.domain: 27411+ PTR? 138.2.100.100.in-addr.arpa. (44) 10:55:34.292633 IP 100.100.2.136.domain > localhost.48579: 27411 NXDomain* 0/1/0 (99) 10:55:34.292661 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 543, length 196 10:55:34.292851 IP localhost.35956 > 100.100.2.138.domain: 48688+ PTR? 136.2.100.100.in-addr.arpa. (44) 10:55:34.292888 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 543, length 244 10:55:34.293016 IP 100.100.2.138.domain > localhost.35956: 48688 NXDomain* 0/1/0 (99)
-c 收到指定数的数据后,就停止操作
[root@localhost ~]# tcpdump -c 10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 10:57:27.302769 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3376052129:3376052341, ack 1281328850, win 543, length 212 10:57:27.303301 IP localhost.54133 > 100.100.2.138.domain: 14853+ PTR? 115.57.125.106.in-addr.arpa. (45) 10:57:27.303525 IP 100.100.2.138.domain > localhost.54133: 14853 NXDomain 0/1/0 (133) 10:57:27.308711 IP localhost.59943 > 100.100.2.136.domain: 18986+ PTR? 138.2.100.100.in-addr.arpa. (44) 10:57:27.308793 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 543, length 196 10:57:27.308825 IP 100.100.2.136.domain > localhost.59943: 18986 NXDomain* 0/1/0 (99) 10:57:27.309048 IP localhost.58997 > 100.100.2.138.domain: 30470+ PTR? 136.2.100.100.in-addr.arpa. (44) 10:57:27.309222 IP 100.100.2.138.domain > localhost.58997: 30470 NXDomain* 0/1/0 (99) 10:57:27.309582 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 543, length 244 10:57:27.309830 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 652:1312, ack 1, win 543, length 660 10 packets captured 10 packets received by filter 0 packets dropped by kernel
-q精简显示
[root@localhost ~]# tcpdump -qc 10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 11:02:03.466815 IP localhost.ssh > 106.125.57.115.25483: tcp 212 11:02:03.467307 IP localhost.39442 > 100.100.2.138.domain: UDP, length 45 11:02:03.467590 IP 100.100.2.138.domain > localhost.39442: UDP, length 133 11:02:03.468566 IP localhost.55467 > 100.100.2.136.domain: UDP, length 44 11:02:03.468608 IP localhost.ssh > 106.125.57.115.25483: tcp 116 11:02:03.468806 IP 100.100.2.136.domain > localhost.55467: UDP, length 99 11:02:03.468948 IP localhost.42535 > 100.100.2.138.domain: UDP, length 44 11:02:03.468983 IP localhost.ssh > 106.125.57.115.25483: tcp 212 11:02:03.469058 IP 100.100.2.138.domain > localhost.42535: UDP, length 99 11:02:03.469299 IP localhost.ssh > 106.125.57.115.25483: tcp 484 10 packets captured 10 packets received by filter 0 packets dropped by kernel
-i 抓取所有经过指定网卡的数据包
[root@localhost ~]# tcpdump -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 11:06:22.957358 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3376747721:3376747933, ack 1281350306, win 543, length 212 11:06:22.962253 IP localhost.41012 > 100.100.2.138.domain: 44494+ PTR? 115.57.125.106.in-addr.arpa. (45) 11:06:22.962471 IP 100.100.2.138.domain > localhost.41012: 44494 NXDomain 0/1/0 (133) 11:06:22.963652 IP localhost.53828 > 100.100.2.136.domain: 35310+ PTR? 138.2.100.100.in-addr.arpa. (44) 11:06:22.963731 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 543, length 196 11:06:22.963871 IP 100.100.2.136.domain > localhost.53828: 35310 NXDomain* 0/1/0 (99) 11:06:22.964053 IP localhost.36199 > 100.100.2.138.domain: 32069+ PTR? 136.2.100.100.in-addr.arpa. (44) 11:06:22.964088 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 543, length 244
host 匹配目标地址或者是源地址 (实例上是 localhost)
[root@localhost ~]# tcpdump -i eth0 host localhost -c 10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 11:14:07.929107 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 3397743149:3397743361, ack 1281356322, win 756, length 212 11:14:07.929461 IP localhost.34036 > 100.100.2.138.domain: 37099+ PTR? 115.57.125.106.in-addr.arpa. (45) 11:14:07.929672 IP 100.100.2.138.domain > localhost.34036: 37099 NXDomain 0/1/0 (133) 11:14:07.930558 IP localhost.35114 > 100.100.2.136.domain: 57200+ PTR? 138.2.100.100.in-addr.arpa. (44) 11:14:07.930608 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 212:408, ack 1, win 756, length 196 11:14:07.930664 IP 100.100.2.136.domain > localhost.35114: 57200 NXDomain* 0/1/0 (99) 11:14:07.930877 IP localhost.40428 > 100.100.2.138.domain: 27290+ PTR? 136.2.100.100.in-addr.arpa. (44) 11:14:07.930913 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 408:652, ack 1, win 756, length 244 11:14:07.931004 IP 100.100.2.138.domain > localhost.40428: 27290 NXDomain* 0/1/0 (99) 11:14:07.931215 IP localhost.ssh > 106.125.57.115.25483: Flags [P.], seq 652:1312, ack 1, win 756, length 660 10 packets captured 10 packets received by filter 0 packets dropped by kernel
过滤端口 -tnn dst port 80
标签:11,10,domain,IP,100.100,tcpdump,localhost 来源: https://www.cnblogs.com/gaiting/p/12234001.html