个人原创,转载请注明,否则依法追究法律责任

2018-02-28  16:01:26

tcpdump 倾倒网络传输数据,直接启动tcpdump将监视第一个网络接口上所有流过的数据包。

1 不接任何参数,表示监听本机的eth0网卡。

如果不指定网卡,默认tcpdump只会监视第一个网络接口,一般是eth0,下面的例子都没有指定网络接口。
[root@shiyan ~]# yum -y install tcpdump    -----------------> 最小化系统里没有这个命令,先安装
[root@shiyan ~]# tcpdump > a.tx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C12 packets captured   -------------------->按下Ctrl + C 结束抓包,否则会一直的抓下去
12 packets received by filter
0 packets dropped by kernel
[root@shiyan ~]# cat a.tx
17:11:06.066490 IP 192.168.115.80.ssh > 192.168.115.118.53014: Flags [P.], seq 1346400485:1346400693, ack 499039341, win 159, length 208
17:11:06.066758 IP 192.168.115.80.46406 > cache-a.guangzhou.gd.cn.domain: 41439+ PTR? 118.115.168.192.in-addr.arpa. (46)
17:11:06.071645 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.46406: 41439 NXDomain 0/0/0 (46)
17:11:06.072785 IP 192.168.115.80.48303 > cache-a.guangzhou.gd.cn.domain: 51978+ PTR? 80.115.168.192.in-addr.arpa. (45)
17:11:06.077045 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.48303: 51978 NXDomain 0/0/0 (45)
17:11:06.077137 IP 192.168.115.80.55070 > cache-a.guangzhou.gd.cn.domain: 21987+ PTR? 86.128.96.202.in-addr.arpa. (44)

2 指定内网中某台主机进行监听:tcpdump host 192.168.115.93
[root@shiyan ~]# tcpdump host 192.168.115.93
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:12:17.294247 ARP, Request who-has shiyan tell 192.168.115.93, length 46
17:12:37.569616 ARP, Request who-has 192.168.115.93 tell 192.168.115.80, length 28
17:12:37.569837 ARP, Reply 192.168.115.93 is-at 00:e0:4c:f4:8d:7a (oui Unknown), length 46
17:12:37.569842 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 1, length 64
17:12:37.570027 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 1, length 64
17:12:38.569404 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 2, length 64
17:12:38.569714 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 2, length 64

在13.173机器监听13.167机器的httpd服务

[root@localhost ~]# tcpdump host 192.168.13.167  -------------------------------> 可以抓取到不经过本机的数据包(wirlshark没有这个功能)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:05:34.252126 ARP, Request who-has 192.168.13.254 tell 192.168.13.167, length 46
16:05:34.252380 ARP, Reply 192.168.13.254 is-at 00:50:56:f9:32:a6 (oui Unknown), length 46
16:05:34.252383 IP 192.168.13.167.bootpc > 192.168.13.254.bootps: BOOTP/DHCP, Request from 00:0c:29:30:ff:a0 (oui Unknown), length 300
16:05:34.252624 IP 192.168.13.254.bootps > 192.168.13.167.bootpc: BOOTP/DHCP, Reply, length 300
16:05:34.296671 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:35.297810 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:41.886341 IP 192.168.13.1.53831 > 192.168.13.167.ssh: Flags [P.], seq 2116832879:2116832927, ack 2216944518, win 252, length 48
16:05:41.886349 IP 192.168.13.167.ssh > 192.168.13.1.53831: Flags [.], ack 48, win 634, length 0
16:05:46.688388 ARP, Request who-has 192.168.13.167 (00:0c:29:30:ff:a0 (oui Unknown)) tell 192.168.13.1, length 46
16:05:46.688399 ARP, Reply 192.168.13.167 is-at 00:0c:29:30:ff:a0 (oui Unknown), length 46
16:05:49.826057 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [S], seq 1070489598, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826070 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [S], seq 3015543207, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826072 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 673044770, win 256, length 0
16:05:49.826074 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [S.], seq 673044769, ack 1070489599, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.826076 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1571007700, win 256, length 0
16:05:49.826078 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.851846 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [P.], seq 1:590, ack 1, win 256, length 589
16:05:49.851861 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 590, win 494, length 0
16:05:49.854139 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [P.], seq 1:152, ack 590, win 494, length 151
16:05:49.854147 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 153, win 256, length 0
16:05:49.854149 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [F.], seq 152, ack 590, win 494, length 0
16:05:49.859953 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [F.], seq 590, ack 153, win 256, length 0
16:05:49.859964 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 591, win 494, length 0
16:05:51.223523 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
16:05:51.223537 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
^C
25 packets captured
25 packets received by filter
0 packets dropped by kernel

3 截获指定主机和指定端口的数据包
如果想要获取主机210.27.48.1接收或发出的telnet包,使用如下命令

[root@shiyan ~]# tcpdump tcp port 80 and host 192.168.115.118
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

抓取80端口的数据包过程:
yum -y install httpd
echo 111111111111111 >/var/www/html/index.html
service httpd restart
tcpdump tcp port 80 -----------> 关注该命令下的内容
其他的电脑web浏览器访问:http://192.168.13.167,继续关注上述命令下新增内容
[root@bogon ~]# tcpdump tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ---------------->以下是网页访问后的数据包情况

15:45:56.561135 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [S], seq 1718240131, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.561189 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [S.], seq 2754432551, ack 1718240132, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564132 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [S], seq 66995158, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.564153 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564380 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.564387 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.573137 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [P.], seq 1:496, ack 1, win 256, length 495
15:45:56.573190 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 496, win 490, length 0
15:45:56.575931 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 1:2921, ack 496, win 490, length 2920
15:45:56.576287 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 2921, win 256, length 0
15:45:56.576338 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 2921:4381, ack 496, win 490, length 1460
15:45:56.576486 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [P.], seq 4381:5660, ack 496, win 490, length 1279
15:45:56.576617 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5660, win 256, length 0
15:45:56.577674 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [F.], seq 5660, ack 496, win 490, length 0
15:45:56.577798 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5661, win 256, length 0
15:45:56.578929 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [F.], seq 496, ack 5661, win 256, length 0
15:45:56.578944 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 497, win 490, length 0
15:45:57.961343 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:57.961536 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
15:46:07.071688 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [F.], seq 1, ack 1, win 256, length 0
15:46:07.071973 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [.], ack 2, win 457, length 0
15:46:07.072293 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [F.], seq 1, ack 2, win 457, length 0
15:46:07.072521 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 2, win 256, length 0
^C --------------------------------------------> 按下 Ctrl + C,否则会一直的抓下去。
23 packets captured
23 packets received by filter
0 packets dropped by kernel

tcpdump抓包工具的使用的更多相关文章

  1. tcpdump抓包工具

    tcpdump抓包工具 一:TCPDump介绍 ​ TcpDump可以将网络中传送的数据包的"头"完全截获下来提供分析.它支持针对网络层.协议.主机.网络或端口的过滤,并提供and ...

  2. linux下利用tcpdump抓包工具排查nginx获取客户端真实IP实例

    一.nginx后端负载服务器的API在获取客户端IP时始终只能获取nginx的代理服务器IP,排查nginx配置如下 upstream sms-resp { server ; server ; } s ...

  3. linux使用tcpdump抓包工具抓取网络数据包,多示例演示

    tcpdump是linux命令行下常用的的一个抓包工具,记录一下平时常用的方式,测试机器系统是ubuntu 12.04. tcpdump的命令格式 tcpdump的参数众多,通过man tcpdump ...

  4. Linux系统诊断必备技能之二:tcpdump抓包工具详解

    一.简述 TcpDump可以将网络中传送的数据包完全截获下来提供分析.它支持针对网络层.协议.主机.网络或端口的过滤,并提供and.or.not等逻辑语句来帮助你去掉无用的信息. Linux作为网络服 ...

  5. tcpdump抓包工具的基本使用

    为了更好的深入理解计算机网络等相关知识,例如TCP\UDP\IP等,我们就必须利用tcpdump.Wireshark等工具对网络进行分析.本篇博文主要记录一下tcpdump这个网络分析利器的一些基本使 ...

  6. Linux下通过tcpdump抓包工具获取信息

    介绍 tcpdump是网络数据包截获分析工具.支持针对网络层.协议.主机.网络或端口的过滤.并提供and.or.not等逻辑语句帮助去除无用的信息. tcpdump - dump traffic on ...

  7. tcpdump 抓包工具使用

    1. 常用命令 监听p4p1网卡上来自 192.168.162.14 的包 tcpdump -i p4p1 src host 192.168.162.14 tcpdump -i p4p1 dst po ...

  8. tcpdump抓包工具用法说明

    tcpdump采用命令行方式对接口的数据包进行筛选抓取,其丰富特性表现在灵活的表达式上. 不带任何选项的tcpdump,默认会抓取第一个网络接口,且只有将tcpdump进程终止才会停止抓包. 例如: ...

  9. 利用tcpdump抓包工具监控TCP连接的三次握手和断开连接的四次挥手

    TCP传输控制协议是面向连接的可靠的传输层协议,在进行数据传输之前,需要在传输数据的两端(客户端和服务器端)创建一个连接,这个连接由一对插口地址唯一标识,即是在IP报文首部的源IP地址.目的IP地址, ...

随机推荐

  1. linux下安装git提示”无法打开锁文件 /var/lib/dpkg/lock - open (13: 权限不够)“

    如图所示,输入命令:apt-get install git后提示权限不够 解决方法,在命令前加 sudo即可 sudo apt-get install git sudo是linux系统管理指令,是允许 ...

  2. hdu 1010 回溯加奇偶性剪枝

    普通的剪枝会超时,必须加入奇偶性剪枝. 直接上图: AC代码: #include<cstdio> #include<cstring> #include<algorithm ...

  3. 实战小项目BUG纪录

    果然,作为程序员最可爱的女朋友就是各种BUG,解决了你的开发能力和开发效率就会上升到一个新的层次.反之,在你面对BUG的时候,如果轻易的就放弃了,你也就失去了一次自我成长的机会.学习就是这样的,我们有 ...

  4. linux dns搭建

    DNS:域名解析(Domain Nmae System)正向解析:根据主机名称(域名)查找其对应的ip地址,这是最基本,最常用的功能反向解析:根据ip地址查找其对应的主机名称(域名),反垃圾邮件/安全 ...

  5. SQL中partition关键字的使用

    最近在写后台语句时候,运用到了partition这样一个关键字. 先大致说一下背景,有一种数据表,如下 现在需要取出,每一个人最近的一次打卡时间. 思路是,先把数据按照人名分组,然后在每个组里面按照时 ...

  6. iOS的GIF动画效果实现

    引言:GIF图像格式是常见的一种动态图片格式,无论是在Web端还是在移动端都经常遇到,但是考虑目前iOS还无法原生展现GIF图片,而对于GIF的原生支持暂时也没有像JPG.PNG等图像格式支持得这么全 ...

  7. Google Interview University 一套完整的学习手册帮助自己准备 Google 的面试

    https://github.com/jwasham/google-interview-university/blob/master/README-cn.md

  8. 工作中常用的linux命令(2)

    1.find :查找指定文件名的路径: 列出当前目录以及子目录中的所有文件: 在当前目录下寻找特定文件名的文件: 列出长度为零的文件: 2.ps :查看某个程序的进程,例如查询mongodb和mysq ...

  9. PHP openssl函数库

    php openssl 函数库中.提供了大量的函数.但是我们一般用的最多的,就是 openssl_encrypt string openssl_encrypt ( string $data , str ...

  10. Java中获取文件路径

    Java中获取文件路径 1.实例说明 (1)得到 ClassPath的绝对URI路径 Thread.currentThread().getContextClassLoader().getResourc ...