tcpdump 命令的常用選項:一
tcpdump 用於捕獲和分析網路流量。系統管理員可以使用它來檢視實時流量或將輸出儲存到檔案中並在以後進行分析。下面列出6個常用選項 |
tcpdump的
-D
獲取介面裝置列表。看到此列表後,可以決定要在哪個介面上捕獲流量。它還告訴你介面是否已啟動、正在執行,以及它是否是環回介面,如下所示:
[root@localhost ~]# tcpdump -D 1.ens160 [Up, Running] 2.lo [Up, Running, Loopback] 3.any (Pseudo-device that captures on all interfaces) [Up, Running] 4.bluetooth-monitor (Bluetooth Linux Monitor) [none] 5.nflog (Linux netfilter log (NFLOG) interface) [none] 6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none] 7.usbmon0 (All USB buses) [none] 8.usbmon1 (USB bus number 1) 9.usbmon2 (USB bus number 2)
-c
選項捕獲
X 個資料包,然後停止。否則,tcpdump 將無限地繼續執行。因此,當只想捕獲一小部分資料包樣本時,可以使用此選項。但是如果介面上沒有資料流量,tcpdump 會一直等待。
[root@localhost ~]# tcpdump -c 5 -i any dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 17:33:47.713379 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 714380127:714380371, ack 1854022435, win 388, length 244 17:33:47.713785 IP localhost.localdomain.36821 > _gateway.domain: 36365+ PTR? 1.43.168.192.in-addr.arpa. (43) 17:33:47.713939 IP 192.168.43.1.39970 > localhost.localdomain.ssh: Flags [.], ack 244, win 4104, length 0 17:33:47.716053 IP _gateway.domain > localhost.localdomain.36821: 36365 NXDomain 0/1/0 (78) 17:33:47.716543 IP localhost.localdomain.57441 > _gateway.domain: 61445+ PTR? 131.43.168.192.in-addr.arpa. (45) 5 packets captured 9 packets received by filter 0 packets dropped by kernel
-n
選項不將IP地址解析為域名,直接以IP地址顯示:
[root@localhost ~]# tcpdump -c 5 -i any -n dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 17:36:38.980756 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 714383039:714383283, ack 1854024303, win 388, length 244 17:36:38.981032 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 244:440, ack 1, win 388, length 196 17:36:38.981096 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 440:604, ack 1, win 388, length 164 17:36:38.981153 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 604:768, ack 1, win 388, length 164 17:36:38.981208 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 768:932, ack 1, win 388, length 164 5 packets captured 5 packets received by filter 0 packets dropped by kernel
帶有
-sXXX
的 tcpdump 可幫助你控制捕獲資料包的大小。在上一個輸出的第三行中,可以看到它表示捕獲大小 262144 位元組。可以使用
-s
選項更改捕獲資料大小。如果你只想檢查資料包標頭,則可以使用較小的大小進行捕獲:
[root@localhost ~]# tcpdump -c 5 -i any -n -s64 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes 17:47:44.437891 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 714405271:714405515, ack 1854033767, win 388, length 244 17:47:44.438153 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 244:440, ack 1, win 388, length 196 17:47:44.438220 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 440:604, ack 1, win 388, length 164 17:47:44.438301 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 604:768, ack 1, win 388, length 164 17:47:44.438361 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 768:932, ack 1, win 388, length 164 5 packets captured 5 packets received by filter 0 packets dropped by kernel
tcpdump 允許你指定使用某個埠作為源或目標的網路資料包。例如,要捕獲 DNS 流量,你可以使用埠 53。可以在
port
選項前加上 src/dst。如
src port 53
或
dst port 53
並進一步過濾它。
[root@localhost ~]# tcpdump -i any port 53 -n dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 17:50:48.158109 IP 192.168.43.131.47054 > 192.168.43.2.domain: 58704+ A? (31) 17:50:48.158152 IP 192.168.43.131.47054 > 192.168.43.2.domain: 60504+ AAAA? (31) 17:50:48.159180 IP 192.168.43.2.domain > 192.168.43.131.47054: 60504 1/1/0 CNAME (115) 17:50:48.162018 IP 192.168.43.2.domain > 192.168.43.131.47054: 58704 3/0/0 CNAME (90)
下面只獲取源埠為53的資料包,其中
-nn
選項表示不解析IP地址和埠:
[root@localhost ~]# tcpdump -c 5 -i any src port 53 -nn -s64 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes 18:00:41.604216 IP 192.168.43.2.53 > 192.168.43.131.48245: 50676[|domain] 18:00:41.606390 IP 192.168.43.2.53 > 192.168.43.131.48245: 19947[|domain] 18:00:41.631001 IP 192.168.43.2.53 > 192.168.43.131.54536: 31350 NXDomain[|domain] 18:00:46.110591 IP 192.168.43.2.53 > 192.168.43.131.42379: 17512[|domain] 18:00:46.110603 IP 192.168.43.2.53 > 192.168.43.131.42379: 40562[|domain] 5 packets captured 5 packets received by filter 0 packets dropped by kernel
下面只獲取目的埠為53的資料包:
[root@localhost ~]# tcpdump -c 5 -i any dst port 53 -nn -s64 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes 18:01:22.568585 IP 192.168.43.131.49444 > 192.168.43.2.53: 27625+[|domain] 18:01:22.568623 IP 192.168.43.131.49444 > 192.168.43.2.53: 42481+[|domain] 18:01:22.595257 IP 192.168.43.131.45790 > 192.168.43.2.53: 28116+[|domain] 18:01:23.850730 IP 192.168.43.131.34861 > 192.168.43.2.53: 23444+[|domain] 18:01:23.850762 IP 192.168.43.131.34861 > 192.168.43.2.53: 23964+[|domain] 5 packets captured 5 packets received by filter 0 packets dropped by kernel
如果要將 tcpdump 的輸出寫入檔案,請使用選項
-w
選項寫入檔案。如果想檢視寫了多少資料包,可以加
-v
選項。
[root@localhost ~]# tcpdump -c 4 -i any port 53 -nn -w dns.pcap -v dropped privs to tcpdump tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 4 packets captured 6 packets received by filter 0 packets dropped by kernel
tcpdump 用於收集有關網路流量資料的出色工具。資料包捕獲為故障排除和安全分析提供了有用的資訊。
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/31524109/viewspace-2850470/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- tcpdump 命令的個常用選項:一TCP
- tcpdump 命令的常用選項:二TCP
- tcpdump 命令的常用選項:三TCP
- tcpdump 命令的個常用選項:三TCP
- tcpdump 命令的個常用選項:二TCP
- tcpdump命令TCP
- 在Linux中,ls命令有哪些常用的選項?Linux
- Linux - Tcpdump命令LinuxTCP
- tcpdump命令詳解TCP
- nmap命令常用例項
- cppcheck指令常用選項
- 很有用的 GCC 命令列選項GC命令列
- 說說Linux抓包命令tcpdumpLinuxTCP
- Linux 中grep命令中 -P選項的作用Linux
- pflag - 更好的PHP命令列選項解析庫PHP命令列
- CSP201403-3:命令列選項命令列
- 10個 ssh 簡單命令選項
- 在 Linux 命令列中使用 tcpdump 抓包Linux命令列TCP
- Linux 基礎教程 30-tcpdump命令-2LinuxTCP
- 完全解析Rsync命令的17個備份選項
- linux最常用的20個命令(一)Linux
- 啟用命令選項板工具:Paletro for MacMac
- Linux 中 sed命令 h和H選項的應用Linux
- 一些常用的命令(持續更新)
- 01.Redis常用的一些命令Redis
- Linux的一些常用命令Linux
- Node.js 構建命令列工具:實現 ls 命令的 -a 和 -l 選項Node.js命令列
- 常用的docker命令Docker
- 常用的 Homebrew 命令
- 常用的ADB命令
- 常用的 nginx 命令Nginx
- 常用的 maven 命令Maven
- Docker常用的命令Docker
- 常用的linux命令Linux
- shell常用的命令
- tcpdumpTCP
- CentOS 8 安裝 Docker 以及常用命令例項CentOSDocker
- linux常用命令大全(一)Linux