
Simple uses of tcpdump

2016-01-09 11:04

The tcpdump command

The Linux tcpdump command dumps the traffic passing over a network interface.
tcpdump is one of the most powerful packet capture and analysis tools available on Linux.

Running tcpdump prints the headers of packets passing through the specified network interface (packet capture); on Linux you must run it as the system administrator (root).

Syntax

tcpdump [-adeflnNOpqStvx][-c][-dd][-ddd][-F][-i][-r][-s][-tt][-T][-vv][-w][expression]

Options:

-a Attempt to convert network and broadcast addresses to names.

-c Stop the capture after receiving the specified number of packets.

-d Dump the compiled packet-matching code in a human-readable form to standard output.

-dd Dump the compiled packet-matching code as a C program fragment to standard output.

-ddd Dump the compiled packet-matching code as decimal numbers to standard output.

-e Print the link-layer header on each dump line.

-f Print internet addresses numerically rather than symbolically.

-F Read the filter expression from the specified file.

-i Use the specified network interface.

-l Make standard output line-buffered.

-n Don't convert host addresses to names.

-N Don't print the domain name part of host names.

-O Don't optimize the packet-matching code.

-p Don't put the interface into promiscuous mode.

-q Quick output: print less protocol information.

-r Read packet data from the specified file.

-s Set the number of bytes captured from each packet.

-S Print absolute rather than relative TCP sequence numbers.

-t Don't print a timestamp on each dump line.

-tt Print an unformatted timestamp on each dump line.

-T Force packets selected by the expression to be interpreted as the specified type.

-v Verbose output.

-vv Even more verbose output.

-x Print the packet data in hex.

-w Write the raw packet data to the specified file.

Filter expression arguments:
udp: capture only UDP packets
tcp: capture only TCP packets
icmp: capture only ICMP packets
port #: capture packets on the given port
portrange #-#: capture packets in the given port range
src port #: capture packets with the given source port
dst port #: capture packets with the given destination port
host domain/IP: capture packets to or from the given host name or IP
greater #: capture packets larger than the given number of bytes
less #: capture packets smaller than the given number of bytes

tcpdump on Baidu Baike

Chinese man page for tcpdump

The tcpdump manual published by 珈蓝夜宇 in the WooYun knowledge base

Use the -c option to show a given number of packets.
[root@tomshen ~]# tcpdump -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode  # tcpdump: verbose output is suppressed; use -v or -vv to show the full protocol decode.
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes    # listening on eth0, link type EN10MB (Ethernet), capture size 65535 bytes.
22:24:43.683614 IP 192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], seq 3802339501:3802339697, ack 361495988, win 275, length 196
22:24:43.685550 IP 192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], seq 196:376, ack 1, win 275, length 180
22:24:43.685641 IP 192.168.88.1.4859 > 192.168.88.104.ssh: Flags [.], ack 376, win 64256, length 0
22:24:43.686676 IP 192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], seq 376:636, ack 1, win 275, length 260
22:24:43.690514 IP 192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], seq 636:800, ack 1, win 275, length 164
22:24:43.690635 IP 192.168.88.1.4859 > 192.168.88.104.ssh: Flags [.], ack 800, win 64970, length 0
22:24:43.692347 IP 192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], seq 800:1060, ack 1, win 275, length 260
22:24:43.693351 IP 192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], seq 1060:1224, ack 1, win 275, length 164
22:24:43.693429 IP 192.168.88.1.4859 > 192.168.88.104.ssh: Flags [.], ack 1224, win 64758, length 0
22:24:43.694316 IP 192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], seq 1224:1484, ack 1, win 275, length 260
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@tomshen ~]#

Show 5 packets with verbose output, and print the packet data in hex.
[root@tomshen ~]# tcpdump -c 5 -v -x
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:28:01.505644 IP (tos 0x10, ttl 64, id 12706, offset 0, flags [DF], proto TCP (6), length 172)
192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], cksum 0x3259 (incorrect -> 0x03a8), seq 3802363405:3802363537, ack 361497500, win 275, length 132
0x0000:  4510 00ac 31a2 4000 4006 d6df c0a8 5868
0x0010:  c0a8 5801 0016 12fb e2a3 760d 158c 039c
0x0020:  5018 0113 3259 0000 c613 498b 58a8 ccfe
0x0030:  21cd bb26 4b7e 13f8 bdb8 ab31 bbae 3b74
0x0040:  b904 3f92 bac0 c4eb 623c a188 ac3d 23f8
0x0050:  dd50 a289 dcef f082 46a7 5079 f3d6 8471
0x0060:  c0fa 81f3 94da d073 b8a4 ab6f b111 654e
0x0070:  c992 71ac 07fa 2f36 ccf2 b6e4 fc57 1627
0x0080:  3c77 1b23 76ef 13c2 5a8c 3692 89ce dee9
0x0090:  1c10 12ff 9024 2544 cca8 bc43 7627 17de
0x00a0:  0bc0 6c29 e8e6 00df 1175 030e
22:28:01.507044 IP (tos 0x10, ttl 64, id 12707, offset 0, flags [DF], proto TCP (6), length 892)
192.168.88.104.ssh > 192.168.88.1.4859: Flags [P.], cksum 0x3529 (incorrect -> 0xc5d9), seq 132:984, ack 1, win 275, length 852
22:28:01.507138 IP (tos 0x0, ttl 64, id 31552, offset 0, flags [DF], proto TCP (6), length 40)
192.168.88.1.4859 > 192.168.88.104.ssh: Flags [.], cksum 0xf78c (correct), ack 984, win 64970, length 0
0x0000:  4500 0028 7b40 4000 4006 8dd5 c0a8 5801
0x0010:  c0a8 5868 12fb 0016 158c 039c e2a3 79e5
0x0020:  5010 fdca f78c 0000 0000 0000 0000
22:28:01.507964 IP (tos 0x10, ttl 64, id 12708, offset 0, flags [DF], proto TCP (6), length 2960)
192.168.88.104.ssh > 192.168.88.1.4859: Flags [.], cksum 0x3d3d (incorrect -> 0x9ea6), seq 984:3904, ack 1, win 275, length 2920
22:28:01.508031 IP (tos 0x0, ttl 64, id 31553, offset 0, flags [DF], proto TCP (6), length 40)
192.168.88.1.4859 > 192.168.88.104.ssh: Flags [.], cksum 0xec24 (correct), ack 3904, win 64970, length 0
0x0000:  4500 0028 7b41 4000 4006 8dd4 c0a8 5801
0x0010:  c0a8 5868 12fb 0016 158c 039c e2a3 854d
0x0020:  5010 fdca ec24 0000 0000 0000 0000
5 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@tomshen ~]#
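As an added example, not code from the original post: the Python below rebuilds the first packet of the -x dump above into bytes, decodes its IPv4 and TCP headers, verifies the IP header checksum and recomputes the TCP checksum, arriving at the 0x03a8 that tcpdump printed after "incorrect". The hex lines are copied from the page; the function and field names are my own.

```python
"""Decode packet 1 of the page's `tcpdump -c 5 -v -x` output.

The hex lines are copied from that output (172 bytes: 20 IP + 20 TCP + 132
payload); the parsing, decoding and checksum logic are added here and are not
part of the original post.
"""
import ipaddress
import struct

# Packet 1 as printed by tcpdump -x (copied from the page).
TCPDUMP_HEX = """
0x0000:  4510 00ac 31a2 4000 4006 d6df c0a8 5868
0x0010:  c0a8 5801 0016 12fb e2a3 760d 158c 039c
0x0020:  5018 0113 3259 0000 c613 498b 58a8 ccfe
0x0030:  21cd bb26 4b7e 13f8 bdb8 ab31 bbae 3b74
0x0040:  b904 3f92 bac0 c4eb 623c a188 ac3d 23f8
0x0050:  dd50 a289 dcef f082 46a7 5079 f3d6 8471
0x0060:  c0fa 81f3 94da d073 b8a4 ab6f b111 654e
0x0070:  c992 71ac 07fa 2f36 ccf2 b6e4 fc57 1627
0x0080:  3c77 1b23 76ef 13c2 5a8c 3692 89ce dee9
0x0090:  1c10 12ff 9024 2544 cca8 bc43 7627 17de
0x00a0:  0bc0 6c29 e8e6 00df 1175 030e
"""


def parse_tcpdump_hex(text):
    """Turn tcpdump -x lines ('0x0010:  c0a8 5801 ...') back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        _offset, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def ones_complement_sum(data):
    """RFC 1071 arithmetic: one's-complement sum of the 16-bit words in data."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad the last word with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers of pkt and check both checksums."""
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     _ip_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("this decoder only handles TCP (protocol 6)")
    tcp = pkt[ihl:total_len]
    (sport, dport, seq, ack, off_flags, win,
     tcp_cksum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF

    # Summing the whole IP header, checksum field included, gives 0xFFFF when valid.
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0xFFFF

    # The TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length)
    # followed by the segment with its own checksum field set to zero.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    expected = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)

    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "tos": tos, "ttl": ttl, "id": ident, "df": bool(frag & 0x4000),
        "ip_len": total_len, "ip_checksum_ok": ip_ok,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "psh": bool(flags & 0x08), "ack_flag": bool(flags & 0x10),
        "payload_len": len(tcp) - data_off,
        "tcp_cksum_on_wire": tcp_cksum, "tcp_cksum_expected": expected,
    }


def decode_page_packet():
    """Decode the packet copied from the page."""
    return decode_ipv4_tcp(parse_tcpdump_hex(TCPDUMP_HEX))


if __name__ == "__main__":
    for key, value in decode_page_packet().items():
        print(f"{key:20} {hex(value) if 'cksum' in key else value}")
```

The "incorrect" TCP checksum is expected for packets captured on the sending host with checksum offload enabled: the capture point sees the segment before the NIC fills in the checksum, so it is not by itself evidence of corruption or tampering. Packets arriving from the peer (cksum 0xf78c (correct) above) verify normally.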

Show 5 packets in quick mode (-q).
[root@tomshen ~]# tcpdump -c 5 -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:34:39.581825 IP 192.168.88.104.ssh > 192.168.88.1.4859: tcp 196
22:34:39.583399 IP 192.168.88.104.ssh > 192.168.88.1.4859: tcp 116
22:34:39.583480 IP 192.168.88.1.4859 > 192.168.88.104.ssh: tcp 0
22:34:39.584376 IP 192.168.88.104.ssh > 192.168.88.1.4859: tcp 180
22:34:39.585374 IP 192.168.88.104.ssh > 192.168.88.1.4859: tcp 116
5 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@tomshen ~]#

Show packets on port 80
[root@tomshen ~]# tcpdump port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:34:26.497438 IP 192.168.88.106.55758 > 115.182.41.173.http: Flags [P.], seq 2290290581:2290290588, ack 2826700970, win 245, options [nop,nop,TS val 1179606 ecr 971879623], length 7
07:34:26.529608 IP 115.182.41.173.http > 192.168.88.106.55758: Flags [P.], seq 1:4, ack 7, win 33, options [nop,nop,TS val 971929657 ecr 1179606], length 3
07:34:26.529631 IP 192.168.88.106.55758 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 1179638 ecr 971929657], length 0
07:34:55.514670 IP 192.168.88.106.55724 > 115.182.41.173.http: Flags [P.], seq 1729578857:1729578864, ack 3459252445, win 245, options [nop,nop,TS val 1208623 ecr 971908636], length 7
07:34:55.545001 IP 115.182.41.173.http > 192.168.88.106.55724: Flags [.], ack 7, win 33, options [nop,nop,TS val 971958673 ecr 1208623], length 0
07:34:55.546918 IP 115.182.41.173.http > 192.168.88.106.55724: Flags [P.], seq 1:4, ack 7, win 33, options [nop,nop,TS val 971958674 ecr 1208623], length 3
07:34:55.546928 IP 192.168.88.106.55724 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 1208656 ecr 971958674], length 0
.....

All of them are port-80 packets.

Capture packets with the specified destination port
[root@tomshen ~]# tcpdump dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:55:18.082646 IP 192.168.88.106.55758 > 115.182.41.173.http: Flags [P.], seq 2290290756:2290290763, ack 2826701045, win 245, options [nop,nop,TS val 2431191 ecr 973131231], length 7
07:55:18.111873 IP 192.168.88.106.55758 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 2431221 ecr 973181262], length 0
07:55:33.183203 IP 192.168.88.106.55785 > 115.182.41.173.http: Flags [P.], seq 2859604615:2859604622, ack 662399092, win 245, options [nop,nop,TS val 2446292 ecr 973146287], length 7
07:55:33.219278 IP 192.168.88.106.55785 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 2446328 ecr 973196370], length 0
07:55:46.333157 IP 192.168.88.106.55724 > 115.182.41.173.http: Flags [P.], seq 1729579032:1729579039, ack 3459252520, win 245, options [nop,nop,TS val 2459442 ecr 973159482], length 7
07:55:46.363738 IP 192.168.88.106.55724 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 2459472 ecr 973209513], length 0
07:55:47.634783 IP 192.168.88.106.55812 > 115.182.41.173.http: Flags [P.], seq 2211905598:2211905605, ack 4252615080, win 245, options [nop,nop,TS val 2460743 ecr 973160783], length 7
07:55:47.666886 IP 192.168.88.106.55812 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 2460776 ecr 973210817], length 0
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@tomshen ~]#
Capture packets with the specified source IP
......
07:58:55.907359 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 380192:380356, ack 53, win 275, length 164
07:58:55.907507 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 380356:380520, ack 53, win 275, length 164
07:58:55.907611 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 380520:380684, ack 53, win 275, length 164
07:58:55.907726 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 380684:380848, ack 53, win 275, length 164
07:58:55.907905 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 380848:381012, ack 53, win 275, length 164
07:58:55.908065 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 381012:381176, ack 53, win 275, length 164
07:58:55.908226 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 381176:381340, ack 53, win 275, length 164
07:58:55.908312 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 381340:381504, ack 53, win 275, length 164
07:58:55.908467 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 381504:381668, ack 53, win 275, length 164
07:58:55.908809 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 381668:381832, ack 53, win 275, length 164
07:58:55.909116 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 381832:381996, ack 53, win 275, length 164
07:58:55.909209 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 381996:382160, ack 53, win 275, length 164
07:58:55.909541 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 382160:382324, ack 53, win 275, length 164
07:58:55.909733 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 382324:382488, ack 53, win 275, length 164
07:58:55.909960 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 382488:382652, ack 53, win 275, length 164
07:58:55.911744 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 382652:382816, ack 53, win 275, length 164
07:58:55.913785 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 382816:382980, ack 53, win 275, length 164
07:58:55.913920 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 382980:383144, ack 53, win 275, length 164
07:58:55.914037 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 383144:383308, ack 53, win 275, length 164
07:58:55.915665 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 383308:383472, ack 53, win 275, length 164
07:58:55.915798 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 383472:383636, ack 53, win 275, length 164
07:58:55.917624 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 383636:383800, ack 53, win 275, length 164
07:58:55.917752 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 383800:383964, ack 53, win 275, length 164
.....
Save the captured packets to the specified file
tcpdump -c 30 -w cddd.e

Read a packet file
[root@tomshen ~]# tcpdump -r cddd.e
reading from file cddd.e, link-type EN10MB (Ethernet)
08:33:00.524288 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 980341103:980341235, ack 1070708669, win 275, length 132
08:33:00.629706 IP 192.168.88.101.hks-lm > 192.168.88.106.ssh: Flags [.], ack 132, win 64488, length 0
08:33:01.126818 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:01.209869 IP 192.168.88.104.42171 > 234.123.12.1.20141: UDP, length 588
08:33:03.122692 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:04.010413 IP 192.168.88.101.hks-lm > 192.168.88.106.ssh: Flags [P.], seq 1:37, ack 132, win 64488, length 36
08:33:04.073953 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [.], ack 37, win 275, length 0
08:33:05.122963 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:05.214124 IP 192.168.88.104.42171 > 234.123.12.1.20141: UDP, length 588
08:33:07.124949 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:07.590890 IP 192.168.88.106.55785 > 115.182.41.173.http: Flags [P.], seq 2859604930:2859604937, ack 662399227, win 245, options [nop,nop,TS val 4700699 ecr 975400781], length 7
08:33:07.622875 IP 115.182.41.173.http > 192.168.88.106.55785: Flags [P.], seq 1:4, ack 7, win 33, options [nop,nop,TS val 975450814 ecr 4700699], length 3
08:33:07.622907 IP 192.168.88.106.55785 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 4700732 ecr 975450814], length 0
08:33:09.122974 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:09.241345 IP 192.168.88.104.42171 > 234.123.12.1.20141: UDP, length 588
08:33:11.126629 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:13.127813 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:13.262415 IP 192.168.88.104.42171 > 234.123.12.1.20141: UDP, length 588
08:33:15.123672 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:17.441918 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:18.746724 ARP, Request who-has 192.168.88.254 tell 192.168.88.104, length 46
08:33:19.125747 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:19.715576 IP 192.168.88.106.55724 > 115.182.41.173.http: Flags [P.], seq 1729579347:1729579354, ack 3459252655, win 245, options [nop,nop,TS val 4712824 ecr 975412897], length 7
08:33:19.747781 IP 115.182.41.173.http > 192.168.88.106.55724: Flags [P.], seq 1:4, ack 7, win 33, options [nop,nop,TS val 975462938 ecr 4712824], length 3
08:33:19.747811 IP 192.168.88.106.55724 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 4712856 ecr 975462938], length 0
08:33:21.123612 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:21.334791 IP 192.168.88.104.42171 > 234.123.12.1.20141: UDP, length 588
08:33:22.092873 IP 192.168.88.106.55812 > 115.182.41.173.http: Flags [P.], seq 2211905913:2211905920, ack 4252615215, win 245, options [nop,nop,TS val 4715201 ecr 975413216], length 7
08:33:22.129788 IP 115.182.41.173.http > 192.168.88.106.55812: Flags [P.], seq 1:4, ack 7, win 33, options [nop,nop,TS val 975465317 ecr 4715201], length 3
08:33:22.129821 IP 192.168.88.106.55812 > 115.182.41.173.http: Flags [.], ack 4, win 245, options [nop,nop,TS val 4715238 ecr 975465317], length 0
[root@tomshen ~]#
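Capture files are usually triaged rather than read line by line; as an added example (not from the original post), the Python below parses tcpdump's one-line summaries as printed above, aggregates packets and bytes per flow, and flags flows that involve a multicast group or a host outside the local subnet. The sample lines are copied from the -r output above; the local subnet 192.168.88.0/24 is an assumption and the parser is my own.

```python
"""Summarise tcpdump one-line output (the format shown on this page) by flow.

The sample lines are copied from the page's `tcpdump -r cddd.e` output; the
parser and the flow triage are added here and are not part of the original post.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE = """\
08:33:00.524288 IP 192.168.88.106.ssh > 192.168.88.101.hks-lm: Flags [P.], seq 980341103:980341235, ack 1070708669, win 275, length 132
08:33:00.629706 IP 192.168.88.101.hks-lm > 192.168.88.106.ssh: Flags [.], ack 132, win 64488, length 0
08:33:01.126818 IP 192.168.88.101.20141 > 234.123.12.1.20141: UDP, length 224
08:33:01.209869 IP 192.168.88.104.42171 > 234.123.12.1.20141: UDP, length 588
08:33:07.590890 IP 192.168.88.106.55785 > 115.182.41.173.http: Flags [P.], seq 2859604930:2859604937, ack 662399227, win 245, options [nop,nop,TS val 4700699 ecr 975400781], length 7
08:33:07.622875 IP 115.182.41.173.http > 192.168.88.106.55785: Flags [P.], seq 1:4, ack 7, win 33, options [nop,nop,TS val 975450814 ecr 4700699], length 3
08:33:18.746724 ARP, Request who-has 192.168.88.254 tell 192.168.88.104, length 46
"""

# Without -nn tcpdump prints "host.port" with service names (ssh, http, hks-lm),
# so the port field accepts names as well as numbers.
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): (?P<rest>.*), length (?P<len>\d+)$"
)
ARP_LINE = re.compile(r"^(?P<ts>\S+) ARP, (?P<rest>.*), length (?P<len>\d+)$")


def parse_line(line):
    """Return a record for one tcpdump summary line, or None if it is not recognised."""
    m = IP_LINE.match(line)
    if m:
        rest = m["rest"]
        if rest.startswith("Flags ["):
            proto = "tcp"
        elif rest.startswith("UDP"):
            proto = "udp"
        else:
            proto = "other"
        return {"ts": m["ts"], "proto": proto, "src": m["src"], "sport": m["sport"],
                "dst": m["dst"], "dport": m["dport"], "len": int(m["len"])}
    m = ARP_LINE.match(line)
    if m:
        return {"ts": m["ts"], "proto": "arp", "src": None, "sport": None,
                "dst": None, "dport": None, "len": int(m["len"])}
    return None


def summarise(text, local_net="192.168.88.0/24"):
    """Aggregate packets and payload bytes per (proto, src, dst, dport).

    Returns (flows, notable): notable holds the flow keys whose endpoints include a
    multicast group or a host outside local_net. local_net is an assumed parameter.
    """
    net = ipaddress.ip_network(local_net)
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    notable = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["dst"], rec["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += rec["len"]  # tcpdump's "length" is the payload length
        if rec["src"] and rec["dst"]:
            src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
            if dst.is_multicast or src not in net or dst not in net:
                notable.add(key)
    return dict(flows), notable


if __name__ == "__main__":
    flows, notable = summarise(SAMPLE)
    for key, stats in flows.items():
        mark = "  <-- leaves LAN / multicast" if key in notable else ""
        print(key, stats, mark)
```

For machine parsing, capture with -nn so that tcpdump prints numeric hosts and ports instead of names like hks-lm; the regex above accepts both forms.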

Capture files produced by tcpdump can also be opened in Wireshark.
