Common tcpdump command options: part two
tcpdump is used to capture and analyze network traffic. System administrators can use it to watch live traffic, or save the output to a file and analyze it later. Five commonly used options are covered below.
If you have saved a capture to a .pcap file, you will have noticed that it cannot be read with a text editor: it is a binary format. Use the -r file.pcap option instead, which reads an existing capture file and prints it as if it were live traffic. The same filter expressions and output options apply when reading; in particular, add -n or -nn when analysing a suspicious capture so that tcpdump does not send a DNS lookup for every address it prints.
# Write a .pcap file
[root@localhost ~]# tcpdump -c 4 -i any port 53 -nn -w dns.pcap -v
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
4 packets captured
8 packets received by filter
0 packets dropped by kernel

# Read the .pcap file back with -r
[root@localhost ~]# tcpdump -r dns.pcap
reading from file dns.pcap, link-type LINUX_SLL (Linux cooked)
dropped privs to tcpdump
19:33:54.533792 IP localhost.localdomain.48048 > _gateway.domain: 30912+ A? (25)
19:33:54.533835 IP localhost.localdomain.48048 > _gateway.domain: 51681+ AAAA? (25)
19:33:54.537733 IP _gateway.domain > localhost.localdomain.48048: 51681 NXDomain 0/1/0 (100)
19:33:54.539312 IP _gateway.domain > localhost.localdomain.48048: 30912 NXDomain 0/1/0 (100)
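To show why a .pcap file is unreadable in a text editor and what -r actually parses, here is a small Python reader and writer for the classic pcap format that tcpdump -w produces. This is an added example, not code from the original post or from tcpdump itself; the link-type value 113 (LINUX_SLL, the "Linux cooked" framing seen in the output above) and the 262144-byte default snapshot length are libpcap constants, while the two-packet capture it builds is constructed filler behind a Linux cooked header, not real traffic.

```python
"""Minimal reader/writer for the classic pcap format that `tcpdump -w` writes
and `tcpdump -r` reads back. Added example, not code from the original post.

Layout (integers in the byte order selected by the magic number):
  global header, 24 bytes: magic, major, minor, thiszone, sigfigs, snaplen, linktype
  per packet, 16 bytes:    ts_sec, ts_frac, incl_len (bytes stored), orig_len (on the wire)
  then incl_len bytes of link-layer frame
"""
import struct

LINKTYPE_LINUX_SLL = 113  # "Linux cooked" framing, what `-i any` produces
DEFAULT_SNAPLEN = 262144  # tcpdump's default "capture size"

# magic as read little-endian -> (struct byte-order prefix, timestamp units per second)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # microsecond timestamps, little-endian file
    0xD4C3B2A1: (">", 1_000_000),      # microsecond timestamps, big-endian file
    0xA1B23C4D: ("<", 1_000_000_000),  # nanosecond timestamps, little-endian file
    0x4D3CB2A1: (">", 1_000_000_000),  # nanosecond timestamps, big-endian file
}


def write_pcap(records, link_type=LINKTYPE_LINUX_SLL, snaplen=DEFAULT_SNAPLEN):
    """Serialize [(timestamp, frame_bytes), ...]. Frames longer than snaplen are
    cut, exactly as `-s <snaplen>` does; orig_len still records the true size."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, link_type)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        incl = min(len(frame), snaplen)
        out.append(struct.pack("<IIII", sec, usec, incl, len(frame)) + frame[:incl])
    return b"".join(out)


def read_pcap(data):
    """Parse pcap bytes into (link_type, snaplen, [(timestamp, frame_bytes), ...]).
    Raises ValueError for a wrong magic, a version other than 2.4, or a
    truncated trailing record (tcpdump killed with SIGKILL, or a full disk)."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    order, unit = MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, link_type = struct.unpack(order + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig:
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        if off + incl > len(data):
            raise ValueError("truncated frame data at offset %d" % off)
        records.append((sec + frac / unit, data[off:off + incl]))
        off += incl
    return link_type, snaplen, records


def capture_error(data):
    """None if the file parses cleanly, otherwise the problem as text."""
    try:
        read_pcap(data)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample: a 16-byte Linux cooked (SLL) header for an outgoing
# Ethernet frame carrying IPv4, followed by filler standing in for the IP
# packet. Not a real capture.
SLL_OUT_IPV4 = struct.pack(">HHH8sH", 4, 1, 6, b"\x00\x0c\x29\x11\x22\x33\x00\x00", 0x0800)
SAMPLE_PACKETS = [
    (1700000000.533792, SLL_OUT_IPV4 + b"\x45" + bytes(79)),  # 96-byte frame
    (1700000000.537733, SLL_OUT_IPV4 + b"\x45" + bytes(99)),  # 116-byte frame
]

if __name__ == "__main__":
    link, snaplen, recs = read_pcap(write_pcap(SAMPLE_PACKETS))
    print("link-type", link, "snaplen", snaplen, "packets", len(recs))
    cut = read_pcap(write_pcap(SAMPLE_PACKETS, snaplen=64))[2]
    print("with -s64 the second frame keeps", len(cut[1][1]), "bytes")
    print("file cut short:", capture_error(write_pcap(SAMPLE_PACKETS)[:-5]))
```

The reader handles only the classic pcap format that tcpdump -w writes, not the pcapng format that Wireshark saves by default. The truncation check matters when a capture is handed over as evidence: a file that ends mid-record was not closed cleanly, and the last packet in it is not trustworthy.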
To filter traffic for a specific host, use the host primitive followed by an IP address or hostname; only packets with that host as source or destination are captured.
[root@localhost ~]# tcpdump host redhat.com -i any -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:27:19.762717 IP localhost.localdomain.59096 > redirect.redhat.com.https: Flags [S], seq 2565597156, win 29200, options [mss 1460,sackOK,TS val 178658343 ecr 0,nop,wscale 7], length 0
20:27:19.977742 IP redirect.redhat.com.https > localhost.localdomain.59096: Flags [S.], seq 1933719472, ack 2565597157, win 64240, options [mss 1460], length 0
20:27:19.977773 IP localhost.localdomain.59096 > redirect.redhat.com.https: Flags [.], ack 1, win 29200, length 0
20:27:19.983584 IP localhost.localdomain.59096 > redirect.redhat.com.https: Flags [P.], seq 1:518, ack 1, win 29200, length 517
20:27:19.983781 IP redirect.redhat.com.https > localhost.localdomain.59096: Flags [.], ack 518, win 64240, length 0
5 packets captured
9 packets received by filter
0 packets dropped by kernel
The src and dst qualifiers tell tcpdump whether the host must appear as the packet's source address or as its destination address. The examples below capture packets whose source is redhat.com, and then packets whose destination is redhat.com:
[root@localhost ~]# tcpdump src host redhat.com -i any -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:29:23.090360 IP redirect.redhat.com.https > localhost.localdomain.59098: Flags [S.], seq 1420240111, ack 1139421965, win 64240, options [mss 1460], length 0
20:29:23.096748 IP redirect.redhat.com.https > localhost.localdomain.59098: Flags [.], ack 518, win 64240, length 0
20:29:23.353159 IP redirect.redhat.com.https > localhost.localdomain.59098: Flags [P.], seq 1:1381, ack 518, win 64240, length 1380
20:29:23.353434 IP redirect.redhat.com.https > localhost.localdomain.59098: Flags [.], seq 1381:2841, ack 518, win 64240, length 1460
20:29:23.353461 IP redirect.redhat.com.https > localhost.localdomain.59098: Flags [P.], seq 2841:3407, ack 518, win 64240, length 566
5 packets captured
9 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump dst host redhat.com -i any -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:29:35.661917 IP localhost.localdomain.59100 > redirect.redhat.com.https: Flags [S], seq 4207740141, win 29200, options [mss 1460,sackOK,TS val 178783790 ecr 0,nop,wscale 7], length 0
20:29:35.886845 IP localhost.localdomain.59100 > redirect.redhat.com.https: Flags [.], ack 1287594187, win 29200, length 0
20:29:35.892463 IP localhost.localdomain.59100 > redirect.redhat.com.https: Flags [P.], seq 0:517, ack 1, win 29200, length 517
20:29:36.121990 IP localhost.localdomain.59100 > redirect.redhat.com.https: Flags [.], ack 1461, win 32120, length 0
20:29:36.122028 IP localhost.localdomain.59100 > redirect.redhat.com.https: Flags [.], ack 2921, win 35040, length 0
5 packets captured
10 packets received by filter
0 packets dropped by kernel
tcpdump also accepts the logical operators and, or and not in filter expressions, for example tcpdump -i ens33 "host and (port 80 or port 443)". Quoting a compound expression is necessary so that bash does not try to interpret the parentheses itself. Note that host, like src host and dst host above, always takes an address or hostname as its argument. In the run below, -s64 limits each captured packet to 64 bytes, which is why the first line ends in [|tcp]: the TCP options were cut off by the snapshot length, so a capture taken this way cannot be fully decoded later.
[root@localhost ~]# tcpdump -i any "host and (port 80 or port 443)" -s64 -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
20:37:12.398299 IP localhost.localdomain.52754 > 140.249.61.18.https: Flags [S], seq 3304304157, win 29200, options [mss 1460,sackOK,TS[|tcp]>
20:37:12.408805 IP 140.249.61.18.https > localhost.localdomain.52754: Flags [S.], seq 2112965730, ack 3304304158, win 64240, options [mss 1460], length 0
20:37:12.408842 IP localhost.localdomain.52754 > 140.249.61.18.https: Flags [.], ack 1, win 29200, length 0
20:37:12.414672 IP localhost.localdomain.52754 > 140.249.61.18.https: Flags [P.], seq 1:518, ack 1, win 29200, length 517
20:37:12.414948 IP 140.249.61.18.https > localhost.localdomain.52754: Flags [.], ack 518, win 64240, length 0
5 packets captured
9 packets received by filter
0 packets dropped by kernel
The net keyword captures packets for a whole network range. It can be combined with src, dst and the logical operators to filter more precisely. The example below captures packets whose source is in 192.168.0.0/16 and whose destination is not in 192.168.0.0/16, that is, traffic leaving the local network:
[root@localhost ~]# tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 192.168.0.0/16" -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:43:25.558537 IP 192.168.43.131.34562 > 140.249.61.18.http: Flags [S], seq 3720011773, win 29200, options [mss 1460,sackOK,TS val 4199917698 ecr 0,nop,wscale 7], length 0
20:43:25.571477 IP 192.168.43.131.34562 > 140.249.61.18.http: Flags [.], ack 1199844, win 29200, length 0
20:43:25.571693 IP 192.168.43.131.34562 > 140.249.61.18.http: Flags [P.], seq 0:82, ack 1, win 29200, length 82: HTTP: GET / HTTP/1.1
20:43:25.587514 IP 192.168.43.131.34562 > 140.249.61.18.http: Flags [.], ack 546, win 29975, length 0
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Use the ip6 keyword to capture IPv6 traffic. Here is an example:
[root@localhost ~]# tcpdump -i any ip6 host fe80::9520:7b41:7099:c6f7 -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:17:08.182720 IP6 localhost.localdomain > fe80::9520:7b41:7099:c6f7: ICMP6, echo request, seq 12, length 64
22:17:08.183329 IP6 fe80::9520:7b41:7099:c6f7 > localhost.localdomain: ICMP6, echo reply, seq 12, length 64
22:17:09.207102 IP6 localhost.localdomain > fe80::9520:7b41:7099:c6f7: ICMP6, echo request, seq 13, length 64
22:17:09.207555 IP6 fe80::9520:7b41:7099:c6f7 > localhost.localdomain: ICMP6, echo reply, seq 13, length 64
4 packets captured
4 packets received by filter
0 packets dropped by kernel
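The host, src/dst, and/or/not, net and ip6 sections above all filter at capture time. When a capture was saved without a filter and later printed with tcpdump -r capture.pcap -nn, the same selections can be made offline on the text output. The Python below, an added example rather than code from the original post or from tcpdump, parses -nn lines (IPv4 and IPv6, with or without ports), reimplements the host / src host / dst host and "src net N and not dst net N" semantics, and flags internal hosts whose bare SYNs reach several distinct external addresses, a cheap scan or beaconing indicator. The sample lines are constructed in the format of the output shown above and are not real captures; lines with resolved names (captures printed without -n) are skipped.

```python
"""Slice `tcpdump -r capture.pcap -nn` text output offline with the same
semantics as the host / src / dst / net primitives, and spot internal hosts
fanning SYNs out to many external addresses. Added example, not code from the
original post; sample lines are constructed in tcpdump's -nn format.
"""
import ipaddress
import re
from collections import defaultdict

# <time> IP|IP6 <src> > <dst>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def split_endpoint(token):
    """'10.0.0.1.443' -> (IPv4Address('10.0.0.1'), 443); '10.0.0.1' -> (addr, None).
    IPv6 works too ('fe80::1.443') because textual IPv6 contains no dots."""
    head, sep, tail = token.rpartition(".")
    if sep:
        try:
            return ipaddress.ip_address(head), (int(tail) if tail.isdigit() else tail)
        except ValueError:
            pass  # the last dot was inside a dotted-quad: no port on this endpoint
    return ipaddress.ip_address(token), None


def parse_line(line):
    """One tcpdump line -> dict, or None for lines that are not -nn packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
    except ValueError:
        return None  # names instead of addresses: output was not produced with -n/-nn
    fm = FLAGS_RE.search(m["rest"])
    return {"ts": m["ts"], "fam": m["fam"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": fm.group(1) if fm else ""}


def host_packets(lines, host, direction="any"):
    """`host H`, `src host H` or `dst host H` over saved text."""
    host = ipaddress.ip_address(host)
    keys = {"any": ("src", "dst"), "src": ("src",), "dst": ("dst",)}[direction]
    return [p for p in map(parse_line, lines) if p and any(p[k] == host for k in keys)]


def egress_packets(lines, net):
    """`src net N and not dst net N`: traffic leaving the network."""
    net = ipaddress.ip_network(net)
    return [p for p in map(parse_line, lines) if p and p["src"] in net and p["dst"] not in net]


def fanout_scanners(lines, net, threshold=3):
    """Internal hosts whose bare SYNs (Flags [S]) reach >= threshold distinct
    external addresses."""
    targets = defaultdict(set)
    for p in egress_packets(lines, net):
        if p["flags"] == "S":
            targets[p["src"]].add(p["dst"])
    return {str(h): len(d) for h, d in targets.items() if len(d) >= threshold}


# Constructed sample in -nn format, modelled on the output shown above.
SAMPLE = """\
20:43:25.558537 IP 192.168.43.131.34562 > 140.249.61.18.80: Flags [S], seq 3720011773, win 29200, length 0
20:43:25.571477 IP 140.249.61.18.80 > 192.168.43.131.34562: Flags [S.], seq 1199843, ack 3720011774, win 64240, length 0
20:43:25.571693 IP 192.168.43.131.34562 > 140.249.61.18.80: Flags [P.], seq 0:82, ack 1, win 29200, length 82: HTTP: GET / HTTP/1.1
20:43:26.001000 IP 192.168.43.131.34563 > 140.249.61.19.443: Flags [S], seq 1, win 29200, length 0
20:43:26.002000 IP 192.168.43.131.34564 > 140.249.61.20.443: Flags [S], seq 2, win 29200, length 0
20:43:26.003000 IP 192.168.43.131 > 192.168.43.1: ICMP echo request, id 1, seq 1, length 64
20:43:27.000000 IP6 fe80::1.443 > fe80::2.50000: Flags [S.], seq 9, ack 1, win 64240, length 0
20:43:27.100000 IP6 fe80::2 > fe80::1: ICMP6, echo request, seq 12, length 64
""".splitlines()

if __name__ == "__main__":
    print(len(egress_packets(SAMPLE, "192.168.0.0/16")), "packets leaving 192.168.0.0/16")
    print("fan-out:", fanout_scanners(SAMPLE, "192.168.0.0/16"))
```

Feed it real output with tcpdump -r capture.pcap -nn > capture.txt and pass the file's lines to the functions. The endpoint splitter relies on the fact that, with -nn, the only dot after an address is the one before the port, which is why resolved names are rejected rather than guessed at.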
tcpdump is an excellent tool for collecting data about network traffic. Packet captures provide useful information for troubleshooting and for security analysis.
From the ITPUB blog, link: http://blog.itpub.net/31524109/viewspace-2850471/. If you republish this, credit the source; otherwise legal liability may be pursued.