tcpdump cheat sheet

Published: 2024-05-10


-D: list network interfaces

~]$ sudo tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]

-i: select the interface

Any of the interfaces listed above can be selected with -i dev to capture only that interface's traffic.

-c: stop after a given number of packets

~]$ sudo tcpdump -i eth0 -c 3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:38:41.388895 IP 13.248.125.132.37196 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 3665636334, win 2014, options [nop,nop,TS val 1083056799 ecr 1675755283], length 0
03:38:41.389146 IP 99.82.173.66.58088 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 978012266, win 2014, options [nop,nop,TS val 1031202901 ecr 3469957515], length 0
03:38:41.390227 IP 13.248.115.61.61524 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [P.], seq 2332145948:2332146170, ack 3523970401, win 2014, options [nop,nop,TS val 1454561556 ecr 1165926638], length 222
3 packets captured
100 packets received by filter
9 packets dropped by kernel

-n: do not resolve addresses to hostnames (print the IP instead)

~]$ sudo tcpdump -i eth0 -c 3 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:41:34.332790 IP 13.248.98.123.58200 > 10.31.1.74.10012: Flags [P.], seq 106251671:106251871, ack 1748469091, win 2014, options [nop,nop,TS val 1392634401 ecr 817044617], length 200
03:41:34.332957 IP 10.31.1.74.10012 > 13.248.98.121.9842: Flags [P.], seq 2880652137:2880652336, ack 1075202655, win 850, options [nop,nop,TS val 1486636778 ecr 1393164829], length 199
03:41:34.332965 IP 10.31.1.74.10012 > 13.248.98.123.58200: Flags [P.], seq 420:619, ack 200, win 613, options [nop,nop,TS val 817044728 ecr 1392634401], length 199
3 packets captured
38 packets received by filter
0 packets dropped by kernel

Notice that the hostname ip-10-31-1-74.ap-southeast-1.compute.internal is now printed as the IP address 10.31.1.74.

-nn additionally prints ports as numbers. By default tcpdump replaces well-known ports with their service names, e.g. port 80 is shown as http (the remote-winsock in the -s example below is such a name).

-s: limit the capture size (snaplen)

Note that this does not filter packets by size: however large a packet is, only the first N bytes of it are captured (the unit is bytes). For example, if you only care about the headers, keeping the first 64 bytes is enough. In the output below, [|tcp] marks where tcpdump ran out of captured bytes while decoding the TCP options:

~]$ sudo tcpdump -i eth0 -c 3 -s 64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 64 bytes
03:52:13.605359 IP 13.248.125.130.61304 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 2139160988, win 2014, options [nop,nop,TS[|tcp]>
03:52:13.609252 IP 13.248.98.123.remote-winsock > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 4105886282, win 2014, options [nop,nop,TS[|tcp]>
03:52:13.609334 IP 13.248.115.67.9258 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 3359161493, win 2014, options [nop,nop,TS[|tcp]>
3 packets captured
49 packets received by filter
0 packets dropped by kernel
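As an added example (not from the original post), a small shell function that reads the one-line text output of tcpdump -n, as shown in the -n and -s sections above, and tallies packets, payload bytes and snaplen-truncated lines per source address. The sample input is constructed to mirror the captures on this page; addresses and counters are illustrative.

```shell
# Summarise "tcpdump -n" text output per source address: packet count,
# payload bytes (the trailing "length N") and how many lines were cut short
# by a small -s snaplen (tcpdump marks those with "[|tcp]").
# Reads tcpdump output on stdin; banner and summary lines are skipped.
summarize_by_src() {
    awk '
    $2 == "IP" || $2 == "IP6" {
        src = $3                          # e.g. 10.31.1.74.10012
        sub(/\.[^.]*$/, "", src)          # drop the trailing port / service name
        pkts[src]++
        if (match($0, /length [0-9]+/))   # payload length, absent on truncated lines
            bytes[src] += substr($0, RSTART + 7, RLENGTH - 7)
        if (index($0, "[|tcp]"))          # decode cut off by the snaplen
            trunc[src]++
    }
    END {
        for (s in pkts)
            printf "%s packets=%d bytes=%d truncated=%d\n",
                   s, pkts[s], bytes[s] + 0, trunc[s] + 0
    }' | LC_ALL=C sort
}

# Constructed sample input modelled on the captures above, including the
# banner and summary lines tcpdump prints around the packets.
sample_output() {
    cat <<'EOF'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:41:34.332790 IP 13.248.98.123.58200 > 10.31.1.74.10012: Flags [P.], seq 106251671:106251871, ack 1748469091, win 2014, options [nop,nop,TS val 1392634401 ecr 817044617], length 200
03:41:34.332957 IP 10.31.1.74.10012 > 13.248.98.121.9842: Flags [P.], seq 2880652137:2880652336, ack 1075202655, win 850, options [nop,nop,TS val 1486636778 ecr 1393164829], length 199
03:41:34.332965 IP 10.31.1.74.10012 > 13.248.98.123.58200: Flags [P.], seq 420:619, ack 200, win 613, options [nop,nop,TS val 817044728 ecr 1392634401], length 199
03:52:13.605359 IP 13.248.125.130.61304 > 10.31.1.74.10012: Flags [.], ack 2139160988, win 2014, options [nop,nop,TS[|tcp]>
06:18:17.504845 IP6 fe80::48b:8dff:fe41:c1ce.546 > ff02::1:2.547: dhcp6 solicit
5 packets captured
49 packets received by filter
0 packets dropped by kernel
EOF
}

# Live use: sudo tcpdump -i eth0 -n -c 100 | summarize_by_src
sample_output | summarize_by_src
```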

-w: write the capture to a file

~]$ sudo tcpdump -i eth0 -n -c 3 tcp "port 10012" -w 10012.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
3 packets captured
41 packets received by filter
0 packets dropped by kernel

The saved .pcap file can be opened in Wireshark, or read back directly with tcpdump -r.

If you do not want the .pcap format, redirecting the text output to a plain-text file with > capture.txt works too, though only the .pcap keeps the full packet bytes for re-filtering later.

Filter syntax

host IP: filter by host

~]$ sudo tcpdump -i eth0 -n -c 3 "host 10.31.1.8"

src host IP: filter by source host

~]$ sudo tcpdump -i eth0 -n -c 3 "src host 10.31.1.8"

dst host IP: filter by destination host

~]$ sudo tcpdump -i eth0 -n -c 3 "dst host 10.31.1.8"

Note that it is dst host, not dest host.

net CIDR: filter by network range

Source and destination networks follow the same pattern:

~]$ sudo tcpdump -i eth0 -n -c 3 "net 10.31.0.0/16"
~]$ sudo tcpdump -i eth0 -n -c 3 "src net 10.31.0.0/16"
~]$ sudo tcpdump -i eth0 -n -c 3 "dst net 10.31.0.0/16"

port PORT: filter by port

Source and destination ports follow the same pattern:

~]$ sudo tcpdump -i eth0 -n -c 3 "port 10012"
~]$ sudo tcpdump -i eth0 -n -c 3 "src port 10012"
~]$ sudo tcpdump -i eth0 -n -c 3 "dst port 10012"

tcp / udp: filter by protocol

~]$ sudo tcpdump -i eth0 -nn -c 3 tcp "port 10012"
~]$ sudo tcpdump -i eth0 -n -c 3 udp

ip6: filter IPv6 traffic

~]$ sudo tcpdump -i eth0 -n -c 3 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:18:17.504845 IP6 fe80::48b:8dff:fe41:c1ce.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
06:20:12.584991 IP6 fe80::48b:8dff:fe41:c1ce.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
06:22:16.652850 IP6 fe80::48b:8dff:fe41:c1ce.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
3 packets captured
49 packets received by filter
0 packets dropped by kernel

and / or / not: combining filters

~]$ sudo tcpdump -i eth0 -n -c 3 "src net 10.31.0.0/16 and (port 10012 or port 10013)"


