Six commonly used tcpdump options: part three
Overview
tcpdump captures and analyses network traffic. System administrators use it to look at live traffic or to save a capture to a file for later analysis. Six commonly used options are covered below.
Filtering on TCP flags
TCP traffic can be filtered on any combination of TCP flags. The expression tcp[tcpflags] reads the flags byte of the TCP header (byte offset 13), and "& tcp-ack != 0" keeps a segment when its ACK bit is set, so the filter below matches every segment of an established conversation and excludes only a bare initial SYN. The same construction with other masks and comparisons isolates SYNs, RSTs or any other flag pattern. Here is the filter built on the tcp-ack flag:
    [root@localhost ~]# tcpdump -i any "tcp[tcpflags] & tcp-ack !=0" -c5
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    16:25:08.738925 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 725364803:725365047, ack 1854457395, win 1842, length 244
    16:25:08.739562 IP 192.168.43.1.39970 > localhost.localdomain.ssh: Flags [.], ack 244, win 4106, length 0
    16:25:08.742750 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 244:552, ack 1, win 1842, length 308
    16:25:08.742822 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 552:732, ack 1, win 1842, length 180
    16:25:08.742882 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 732:912, ack 1, win 1842, length 180
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel
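As an added example (not from the original article), the following Python applies the same flag tests to tcpdump's one-line output offline. tcpdump prints the flags byte as letters inside Flags [...] (S, F, R, P, U, E, W, with "." standing for ACK), so the letters can be turned back into the byte that tcp[tcpflags] reads and tested with the same masks. The sample lines are constructed to resemble the capture above, not real traffic; the filter table goes beyond the article's tcp-ack test and also isolates bare SYNs, SYN+ACKs and RSTs, which is how connection attempts and refusals are picked out of a capture.

```python
"""Apply tcpdump-style TCP flag tests to tcpdump summary lines (added example)."""
import re
from collections import Counter

# Bit values of the TCP flags byte; tcpdump exposes the same constants as
# tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80

# Letters tcpdump prints inside "Flags [...]"; "." stands for ACK, "none" for no flags.
FLAG_LETTERS = {"F": TCP_FIN, "S": TCP_SYN, "R": TCP_RST, "P": TCP_PUSH,
                ".": TCP_ACK, "U": TCP_URG, "E": TCP_ECE, "W": TCP_CWR}

LINE_RE = re.compile(r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")

# Constructed sample lines in the format of the capture above (not real traffic):
# a handshake plus data on port 22, a SYN refused with RST on 443, a lone SYN to 8080.
SAMPLE = """\
16:25:07.100000 IP 192.168.43.1.39970 > 192.168.43.131.22: Flags [S], seq 1, win 64240, length 0
16:25:07.100200 IP 192.168.43.131.22 > 192.168.43.1.39970: Flags [S.], seq 100, ack 2, win 29200, length 0
16:25:07.100400 IP 192.168.43.1.39970 > 192.168.43.131.22: Flags [.], ack 101, win 4106, length 0
16:25:08.738925 IP 192.168.43.131.22 > 192.168.43.1.39970: Flags [P.], seq 101:345, ack 2, win 1842, length 244
16:25:09.000000 IP 192.168.43.1.40001 > 192.168.43.131.443: Flags [S], seq 5, win 64240, length 0
16:25:09.000100 IP 192.168.43.131.443 > 192.168.43.1.40001: Flags [R.], seq 0, ack 6, win 0, length 0
16:25:09.500000 IP 192.168.43.1.40002 > 192.168.43.131.8080: Flags [S], seq 7, win 64240, length 0
"""
LINES = SAMPLE.splitlines()


def flags_byte(text):
    """Convert the letters tcpdump prints to the flags byte: 'P.' -> 0x18, 'S' -> 0x02."""
    if text == "none":
        return 0
    value = 0
    for letter in text:
        value |= FLAG_LETTERS[letter]  # an unknown letter raises KeyError on purpose
    return value


# Each key is the tcpdump expression the test reproduces; tcp[tcpflags] is TCP byte 13.
FILTERS = {
    "tcp[tcpflags] & tcp-ack != 0":  # the article's filter: ACK set
        lambda f: (f & TCP_ACK) != 0,
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn":  # bare SYN: a new connection attempt
        lambda f: (f & (TCP_SYN | TCP_ACK)) == TCP_SYN,
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)":  # SYN+ACK: a port that accepted
        lambda f: (f & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK),
    "tcp[tcpflags] & tcp-rst != 0":  # resets: refusals and aborts
        lambda f: (f & TCP_RST) != 0,
}


def parse_line(line):
    """Return (src, dst, flags_byte) for a TCP summary line, or None for anything else."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    return match["src"], match["dst"], flags_byte(match["flags"])


def select(lines, expression):
    """Keep the lines whose flags satisfy the named tcpdump expression."""
    test = FILTERS[expression]
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and test(parsed[2]):
            kept.append(line)
    return kept


def syn_only_by_source(lines):
    """Count bare SYNs per source host: who is opening (or probing for) connections."""
    counts = Counter()
    for line in select(lines, "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"):
        src = parse_line(line)[0]
        counts[src.rsplit(".", 1)[0]] += 1  # strip the port suffix tcpdump appends
    return counts


if __name__ == "__main__":
    for expression in FILTERS:
        print(f"{expression}: {len(select(LINES, expression))} of {len(LINES)} lines")
    print("bare SYNs by source:", dict(syn_only_by_source(LINES)))
```

Run the script to see how many sample lines each expression keeps; the same expressions, quoted, work unchanged as tcpdump filters.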
Formatting the output
tcpdump can also change how packet contents are printed: -X prints each packet as a hex dump with an ASCII column alongside, and -A prints the packet as ASCII only. Both show the full payload, so the output is readable for cleartext protocols (the DNS PTR query below is legible) and opaque for encrypted ones (the SSH payload is noise). Because payloads can include credentials and other sensitive data, treat -X and -A output, and saved captures, as sensitive.
    [root@localhost ~]# tcpdump -i any -c3 -X
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    16:37:30.318137 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 725376559:725376803, ack 1854460843, win 1842, length 244
        0x0000:  4548 011c 0faf 4000 4006 5210 c0a8 2b83  EH....@.@.R...+.
        0x0010:  c0a8 2b01 0016 9c22 2b3c 5e2f 6e88 d3ab  ..+...."+<^/n...
        0x0020:  5018 0732 d8e3 0000 0000 00d0 d1ce 67d9  P..2..........g.
        0x0030:  b8e9 5171 dd56 bfbb 2d3e 7ce7 9a9b 60a5  ..Qq.V..->|...`.
        0x0040:  152d 4295 9f8f d6ba dec2 895e 3921 2d76  .-B........^9!-v
        0x0050:  c5c6 5b6b 7161 61eb 0b30 1eae b622 2f14  ..[kqaa..0..."/.
        0x0060:  dfe5 0afc b91a 8a16 e3f1 62ae df5a 6728  ..........b..Zg(
        0x0070:  4b9f 942d b762 a178 9d5e 5f70 96c2 fbad  K..-.b.x.^_p....
        0x0080:  53f3 1bc5 80da 0e14 394c e31b 6b6a 02fc  S.......9L..kj..
        0x0090:  203e 9a22 75c3 02ea c8d5 a2ec 5d30 60db  .>."u.......]0`.
        0x00a0:  64bf 4819 f2d4 ae88 c593 3b0c 90a2 273d  d.H.......;...'=
        0x00b0:  8f42 bf91 27bf b324 4f5f aec6 5d57 c27f  .B..'..$O_..]W..
        0x00c0:  3c72 77de 6da5 97b9 52e8 7695 a964 d2a2  <rw.m...R.v..d..
        0x00d0:  a23c dcd0 7ed7 50b4 f685 d6aa 7450 f158  .<..~.P.....tP.X
    16:37:30.318540 IP localhost.localdomain.50573 > _gateway.domain: 47072+ PTR? 1.43.168.192.in-addr.arpa. (43)
        0x0000:  4500 0047 a7e5 4000 4011 baea c0a8 2b83  E..G..@.@.....+.
        0x0010:  c0a8 2b02 c58d 0035 0033 d81a b7e0 0100  ..+....5.3......
        0x0020:  0001 0000 0000 0000 0131 0234 3303 3136  .........1.43.16
        0x0030:  3803 3139 3207 696e 2d61 6464 7204 6172  8.192.in-addr.ar
        0x0040:  7061 0000 0c00 01                        pa.....
    16:37:30.318743 IP 192.168.43.1.39970 > localhost.localdomain.ssh: Flags [.], ack 244, win 4103, length 0
        0x0000:  4500 0028 538d 4000 8006 cf6d c0a8 2b01  E..(S.@....m..+.
        0x0010:  c0a8 2b83 9c22 0016 6e88 d3ab 2b3c 5f23  ..+.."..n...+<_#
        0x0020:  5010 1007 5f2c 0000 0000 0000 0000       P..._,........
    3 packets captured
    9 packets received by filter
    0 packets dropped by kernel
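The hex dump is the raw packet, so the headers can be decoded by hand or by a few lines of code and checked against tcpdump's summary line. The following Python is an added example, not part of the original article: it parses the header lines of the first packet in the -X output above, unpacks the IPv4 and TCP headers, and verifies the IPv4 header checksum (the 5210 in the first line). The decoded values agree with the summary line: 192.168.43.131 port 22 (ssh) to 192.168.43.1 port 39970, flags 0x18 (PSH+ACK, printed as [P.]), window 1842, and a 244-byte payload (total length 284 minus two 20-byte headers).

```python
"""Decode the IPv4 and TCP headers from a tcpdump -X hex dump (added example)."""
import re
import struct

# The header lines of the first packet in the -X output above (copied from it).
HEXDUMP = """\
0x0000:  4548 011c 0faf 4000 4006 5210 c0a8 2b83  EH....@.@.R...+.
0x0010:  c0a8 2b01 0016 9c22 2b3c 5e2f 6e88 d3ab  ..+...."+<^/n...
0x0020:  5018 0732 d8e3 0000 0000 00d0 d1ce 67d9  P..2..........g.
"""

OFFSET_RE = re.compile(r"0x[0-9a-fA-F]+:")
HEXGROUP_RE = re.compile(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")  # "4548", or a trailing "01"


def parse_hexdump(text):
    """Rebuild packet bytes from -X lines. A line holds at most 8 hex groups (16 bytes);
    reading stops at the 8th group or at the first non-hex token (the ASCII column)."""
    data = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not OFFSET_RE.fullmatch(tokens[0]):
            continue
        for token in tokens[1:9]:
            if not HEXGROUP_RE.fullmatch(token):
                break
            data += bytes.fromhex(token)
    return bytes(data)


def ip_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words; 0 over a whole header means it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_tcp(pkt):
    """Unpack the fields tcpdump prints (-v shows the IP ones) into a dict."""
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "ttl": ttl, "protocol": proto,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0,
    }
    if proto == 6:  # TCP: ports, sequence numbers, data offset + flags, window
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
        data_offset = (off_flags >> 12) * 4
        info.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "tcp_flags": off_flags & 0xFF,  # the byte tcp[tcpflags] tests; 0x18 = PSH+ACK = "[P.]"
            "window": win,
            "payload_length": total_len - ihl - data_offset,
        })
    return info


if __name__ == "__main__":
    packet = parse_hexdump(HEXDUMP)
    for field, value in decode_ipv4_tcp(packet).items():
        print(f"{field:>16}: {value}")
```

The same parser works on any -X block copied from a capture; feed it the remaining lines of a packet and the payload bytes come along with the headers.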
With the -A option the packet is printed as ASCII characters:
    [root@localhost ~]# tcpdump -i any -c4 -A
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    16:38:36.499869 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 725380591:725380835, ack 1854462375, win 1842, length 244
    EH....@.@.Q...+...+...."+..3}s..#...[.@....l..8..xN........P....V%.B.......O..7.`.B!...O........R....%.L.m..RMx........m..3.0.H.`).....^....r..n*\+/...p'..f....s...7...l.b2..Q....i@...M.X.
    16:38:36.500384 IP localhost.localdomain.57135 > _gateway.domain: 50676+ PTR? 1.43.168.192.in-addr.arpa. (43)
    E..Gh.@.@.....+...+../.5.3...............1.43.168.192.in-addr.arpa.....
    16:38:36.500580 IP 192.168.43.1.39970 > localhost.localdomain.ssh: Flags [.], ack 244, win 4106, length 0
    E..(S.@....;..+...+.."..n...+
    IP _gateway.domain > localhost.localdomain.57135: 50676 NXDomain 0/1/0 (78)
    E..j..........+...+..5./.VRs.............1.43.168.192.in-addr.arpa..........................p.... . :...Q.
    4 packets captured
    9 packets received by filter
    0 packets dropped by kernel
Verbose output
tcpdump uses -v, -vv or -vvv to print increasing levels of detail. -v adds the IP header fields (TOS, TTL, id, fragment offset and flags, protocol, total length) and checks checksums; -vv and -vvv add progressively more protocol detail, how much depending on the protocol decoder. Here is the default output:
    [root@localhost ~]# tcpdump -i any -c1
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    19:40:24.112322 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 725383083:725383327, ack 1854472047, win 1842, length 244
    1 packet captured
    6 packets received by filter
    0 packets dropped by kernel
Here is the -v option:
    [root@localhost ~]# tcpdump -i any -c1 -v
    dropped privs to tcpdump
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    19:41:00.606276 IP (tos 0x48, ttl 64, id 4249, offset 0, flags [DF], proto TCP (6), length 220)
        localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], cksum 0xd8a3 (incorrect -> 0x314c), seq 725383979:725384159, ack 1854472375, win 1842, length 180
    1 packet captured
    7 packets received by filter
    0 packets dropped by kernel
The "cksum 0xd8a3 (incorrect -> 0x314c)" in that output is not corruption: the segment was captured on the sending host before its network card filled in the TCP checksum (checksum offload), so tcpdump sees a placeholder value. Packets received from the network, or captured with offload disabled, should verify. Here is the -vv option, combined with a port 443 filter:
    [root@localhost ~]# tcpdump -i any port 443 -c1 -vv
    dropped privs to tcpdump
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    19:51:18.409014 IP (tos 0x0, ttl 64, id 14543, offset 0, flags [DF], proto TCP (6), length 60)
        localhost.localdomain.52470 > 180.101.49.12.https: Flags [S], cksum 0xd1cb (incorrect -> 0x3f8f), seq 895899993, win 29200, options [mss 1460,sackOK,TS val 1518996680 ecr 0,nop,wscale 7], length 0
    1 packet captured
    1 packet received by filter
    0 packets dropped by kernel
Here is the -vvv option, combined with -X so the hex dump is included:
    [root@localhost ~]# tcpdump -i any -c1 -X -vvv
    dropped privs to tcpdump
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    19:51:55.583214 IP (tos 0x48, ttl 64, id 4909, offset 0, flags [DF], proto TCP (6), length 220)
        localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], cksum 0xd8a3 (incorrect -> 0x59f9), seq 725558447:725558627, ack 1854498815, win 1842, length 180
        0x0000:  4548 00dc 132d 4000 4006 4ed2 c0a8 2b83  EH...-@.@.N...+.
        0x0010:  c0a8 2b01 0016 9c22 2b3f 24af 6e89 67ff  ..+...."+?$.n.g.
        0x0020:  5018 0732 d8a3 0000 0000 0090 ef64 ad4b  P..2.........d.K
        0x0030:  ae12 dc9c 5d75 4136 b631 e567 d66e 4043  ....]uA6.1.g.n@C
        0x0040:  5315 e0c7 9153 dec2 b406 3fda 915a 998b  S....S....?..Z..
        0x0050:  e504 7172 cb26 e560 1a51 1cf7 925b 16f2  ..qr.&.`.Q...[..
        0x0060:  b7d3 35f4 01f6 cbc8 456a 4b62 52e9 bbbf  ..5.....EjKbR...
        0x0070:  8fa5 1a5c 3c18 ea42 dc08 1e44 e85e b111  ...\<..B...D.^..
        0x0080:  12b5 e838 1c81 9e4d c070 a523 1274 4b02  ...8...M.p.#.tK.
        0x0090:  4cf0 e7e1 5c70 1be1 8170 0ef0 8026 903e  L...\p...p...&.>
        0x00a0:  4920 abbf fcc0 57a5 92b0 ed6f fd68 ed96  I.....W....o.h..
        0x00b0:  53a1 3c7e 96bd 9f9d b95a 8dad 998b db5f  S.<~.....Z....._
        0x00c0:  9ae9 ea52 37bd 4eaa effd 3aa7 7db8 2b3b  ...R7.N...:.}.+;
        0x00d0:  d601 8d7a 84a4 bfd5 8e3e be22            ...z.....>."
    1 packet captured
    7 packets received by filter
    0 packets dropped by kernel
Filtering by protocol
Packets of a particular protocol can be selected by giving the protocol name. Here only UDP packets are shown:
    [root@localhost ~]# tcpdump udp -i any -c3 -nn
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    19:57:15.123051 IP 192.168.43.131.55682 > 192.168.0.12.123: NTPv4, Client, length 48
    19:57:15.124002 IP 192.168.0.12.123 > 192.168.43.131.55682: NTPv4, Server, length 48
    19:57:41.494061 IP 192.168.43.131.68 > 192.168.43.254.67: BOOTP/DHCP, Request from 00:0c:29:71:df:91, length 276
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
Here are TCP packets on port 443:
    [root@localhost ~]# tcpdump tcp and port 443 -i any -c 2 -nn
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    14:41:53.357110 IP 192.168.43.131.56320 > 180.101.49.11.443: Flags [S], seq 1415602203, win 29200, options [mss 1460,sackOK,TS val 1913450260 ecr 0,nop,wscale 7], length 0
    14:41:53.378144 IP 180.101.49.11.443 > 192.168.43.131.56320: Flags [S.], seq 1535386750, ack 1415602204, win 64240, options [mss 1460], length 0
    2 packets captured
    3 packets received by filter
    0 packets dropped by kernel
The next example selects ICMP packets that are neither icmp-echo nor icmp-echoreply by testing the ICMP type byte with icmp[icmptype]. (No -i is given here, so tcpdump picks a default interface, ens160 on this host.) What remains in this capture are "admin prohibited" host-unreachable errors that this host sends to 192.168.43.1: the ICMP error a firewall REJECT rule returns when it refuses a connection, which a DROP rule would not send at all. Filtering out the echo traffic is a quick way to see such rejections, redirects and other ICMP errors that would otherwise scroll past:
    [root@localhost ~]# tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' -c4
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
    14:57:47.675667 IP localhost.localdomain > 192.168.43.1: ICMP host localhost.localdomain unreachable - admin prohibited filter, length 68
    14:57:48.677588 IP localhost.localdomain > 192.168.43.1: ICMP host localhost.localdomain unreachable - admin prohibited filter, length 68
    14:57:49.680887 IP localhost.localdomain > 192.168.43.1: ICMP host localhost.localdomain unreachable - admin prohibited filter, length 68
    14:57:50.686504 IP localhost.localdomain > 192.168.43.1: ICMP host localhost.localdomain unreachable - admin prohibited filter, length 68
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel
The -q option simplifies the output
To trim the output, use -q for quick (quiet) output: it prints less protocol information, so the lines are shorter.
    [root@localhost ~]# tcpdump -i any -c5 -q
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    15:00:26.440699 IP localhost.localdomain.ssh > 192.168.43.1.55202: tcp 244
    15:00:26.441052 IP localhost.localdomain.39876 > _gateway.domain: UDP, length 43
    15:00:26.441220 IP 192.168.43.1.55202 > localhost.localdomain.ssh: tcp 0
    15:00:26.447406 IP _gateway.domain > localhost.localdomain.39876: UDP, length 78
    15:00:26.447835 IP localhost.localdomain.41058 > _gateway.domain: UDP, length 45
    5 packets captured
    9 packets received by filter
    0 packets dropped by kernel
Timestamp options
Below are some common options for printing timestamps. By default each line starts with the time of day; -t removes it, -tt prints seconds since the Unix epoch, -ttt prints the delta from the previous line, -tttt adds the date, and -ttttt prints the delta from the first line.
Removing the timestamp
Use the -t option to drop the timestamp:
    [root@localhost ~]# tcpdump tcp -i any -c4 -t
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    IP localhost.localdomain.ssh > 192.168.43.1.55202: Flags [P.], seq 743668214:743668458, ack 3963265225, win 343, length 244
    IP 192.168.43.1.55202 > localhost.localdomain.ssh: Flags [.], ack 244, win 4102, length 0
    IP localhost.localdomain.ssh > 192.168.43.1.55202: Flags [P.], seq 244:520, ack 1, win 343, length 276
    IP localhost.localdomain.ssh > 192.168.43.1.55202: Flags [P.], seq 520:684, ack 1, win 343, length 164
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel
As you can see, the timestamp no longer appears at the start of each line.
Printing the delta from the previous line instead of the time
The next example uses the -ttt option on six ICMP packets; the leading field on each line is the time elapsed since the previous line (the first line is always 00:00:00.000000):
    [root@localhost ~]# tcpdump icmp -i any -c6 -ttt -nn
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    00:00:00.000000 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 1, length 64
    00:00:00.251269 IP 172.16.1.5 > 192.168.43.131: ICMP echo reply, id 2986, seq 1, length 64
    00:00:00.749532 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 2, length 64
    00:00:00.253396 IP 172.16.1.5 > 192.168.43.131: ICMP echo reply, id 2986, seq 2, length 64
    00:00:00.747521 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 3, length 64
    00:00:01.051634 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 4, length 64
    6 packets captured
    6 packets received by filter
    0 packets dropped by kernel
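Because -ttt prints only the gap to the previous line, reconstructing absolute timing means summing the deltas. The following Python is an added example, not part of the original article: it parses the six lines above (reproduced as the sample input), converts the deltas back into elapsed time since the first packet, pairs each echo request with its reply by id and seq, and reports round-trip times and unanswered requests. Seq 3 got no reply within the capture; seq 4 is the last packet captured (-c6), so its reply may simply have arrived after tcpdump stopped, a distinction the capture alone cannot make.

```python
"""Rebuild timing from tcpdump -ttt output and pair ICMP echoes (added example)."""
import re

# The six -ttt lines from the capture above, used as sample input.
TTT_OUTPUT = """\
00:00:00.000000 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 1, length 64
00:00:00.251269 IP 172.16.1.5 > 192.168.43.131: ICMP echo reply, id 2986, seq 1, length 64
00:00:00.749532 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 2, length 64
00:00:00.253396 IP 172.16.1.5 > 192.168.43.131: ICMP echo reply, id 2986, seq 2, length 64
00:00:00.747521 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 3, length 64
00:00:01.051634 IP 192.168.43.131 > 172.16.1.5: ICMP echo request, id 2986, seq 4, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def to_micros(stamp):
    """'00:00:01.051634' -> 1051634; integers avoid float rounding in the sums below."""
    hours, minutes, rest = stamp.split(":")
    seconds, fraction = rest.split(".")
    return ((int(hours) * 60 + int(minutes)) * 60 + int(seconds)) * 1_000_000 + int(fraction)


def parse_ttt(text):
    """Parse -ttt lines into (elapsed_us, src, dst, kind, id, seq) tuples.
    Each -ttt stamp is the gap to the previous line, so a running sum gives
    the elapsed time since the first packet (what -ttttt would print)."""
    records, elapsed = [], 0
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue
        elapsed += to_micros(match["ts"])
        records.append((elapsed, match["src"], match["dst"], match["kind"],
                        int(match["id"]), int(match["seq"])))
    return records


def pair_echoes(records):
    """Map (id, seq) -> round-trip time in microseconds, or None if no reply was seen.
    Only the first reply to a request counts; duplicates and stray replies are ignored."""
    sent, rtt = {}, {}
    for elapsed, _src, _dst, kind, ident, seq in records:
        key = (ident, seq)
        if kind == "request":
            sent[key] = elapsed
            rtt[key] = None
        elif key in sent and rtt[key] is None:
            rtt[key] = elapsed - sent[key]
    return rtt


def unanswered(records):
    """(id, seq) of every echo request without a reply inside the capture."""
    return sorted(key for key, value in pair_echoes(records).items() if value is None)


if __name__ == "__main__":
    recs = parse_ttt(TTT_OUTPUT)
    for key, value in pair_echoes(recs).items():
        status = "no reply" if value is None else f"rtt {value / 1000:.3f} ms"
        print(f"id {key[0]} seq {key[1]}: {status}")
    print("unanswered:", unanswered(recs))
```

For the sample above the round-trip times come out at 251.269 ms and 253.396 ms, and seq 3 and seq 4 are reported as unanswered.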
Summary
tcpdump is an excellent tool for collecting data about network traffic. Packet captures provide useful information for troubleshooting and security analysis.
Original article: from the ITPUB blog, link: http://blog.itpub.net/69955379/viewspace-2785747/. Please cite the source when reproducing; otherwise legal action may be taken.