安装:

yum install tcpdump

命令使用:

监听特定网卡

tcpdump

抓取第一块网卡所有数据包

[root@server110 tcpdump]# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

15:58:14.441562 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956277183:2956277391, ack 2178083060, win 336, length 208

15:58:14.442088 IP server110.34562 > ns-px.online.sh.cn.domain: 34223+ PTR? 169.202.16.18.in-addr.arpa. (44)

15:58:14.486822 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16419, length 0

15:58:14.692932 IP ns-px.online.sh.cn.domain > server110.34562: 34223 NXDomain 0/1/0 (116)

15:58:14.693416 IP server110.57017 > ns-px.online.sh.cn.domain: 12369+ PTR? 5.209.96.202.in-addr.arpa. (43)

15:58:14.693577 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:400, ack 1, win 336, length 192

15:58:14.695254 IP ns-px.online.sh.cn.domain > server110.57017: 12369 1/0/0 PTR ns-px.online.sh.cn. (75)

15:58:14.695519 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 400:656, ack 1, win 336, length 256

15:58:14.696577 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 656:1232, ack 1, win 336, length 576

15:58:14.697564 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1232:1392, ack 1, win 336, length 160

15:58:14.698563 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1392:1552, ack 1, win 336, length 160

tcpdump -i 抓取某一块网卡数据包

[root@server110 tcpdump]# ifconfig

eth0      Link encap:Ethernet  HWaddr 52:54:00:DE:05:94

          inet addr:18.16.200.110  Bcast:18.16.200.255  Mask:255.255.255.0

          inet6 addr: fe80::5054:ff:fede:594/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:50017569 errors:0 dropped:0 overruns:0 frame:0

          TX packets:27403502 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:21017784488 (19.5 GiB)  TX bytes:3969196772 (3.6 GiB)

lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:65536  Metric:1

          RX packets:191873 errors:0 dropped:0 overruns:0 frame:0

          TX packets:191873 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:31953071 (30.4 MiB)  TX bytes:31953071 (30.4 MiB)

[root@server110 tcpdump]# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

15:59:43.529881 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956715807:2956716015, ack 2178087524, win 336, length 208

15:59:43.530636 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16422, length 0

15:59:43.530732 IP server110.50508 > ns-px.online.sh.cn.domain: 42810+ PTR? 169.202.16.18.in-addr.arpa. (44)

15:59:43.533748 IP ns-px.online.sh.cn.domain > server110.50508: 42810 NXDomain 0/1/0 (116)

15:59:43.534054 IP server110.37348 > ns-px.online.sh.cn.domain: 43151+ PTR? 5.209.96.202.in-addr.arpa. (43)

15:59:43.534537 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:496, ack 1, win 336, length 288

15:59:43.540551 IP ns-px.online.sh.cn.domain > server110.37348: 43151 1/0/0 PTR ns-px.online.sh.cn. (75)

15:59:43.541536 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 496:1072, ack 1, win 336, length 576

15:59:43.542319 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 1072, win 16425, length 0

15:59:43.542529 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1072:1328, ack 1, win 336, length 256

15:59:43.543545 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1328:1488, ack 1, win 336, length 160

监听特定主机

[root@server110 tcpdump]# tcpdump  host 18.16.202.169

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:07:16.334596 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2957160543:2957160751, ack 2178097380, win 336, length 208

16:07:16.375768 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16425, length 0

16:07:16.539595 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:496, ack 1, win 336, length 288

16:07:16.540553 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 496:656, ack 1, win 336, length 160

16:07:16.541564 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 656:816, ack 1, win 336, length 160

16:07:16.541731 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 656, win 16423, length 0

16:07:16.542572 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 816:1072, ack 1, win 336, length 256

16:07:16.543565 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1072:1232, ack 1, win 336, length 160

特定来源

[root@server110 tcpdump]# tcpdump src host 18.16.202.169

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:08:30.681395 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 2957168815, win 16420, length 0

16:08:30.791328 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 161, win 16420, length 0

16:08:30.833394 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 321, win 16419, length 0

特定目标地址

[root@server110 tcpdump]# tcpdump dst host 18.16.202.169

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:09:27.404603 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2958878511:2958878719, ack 2178100804, win 336, length 208

16:09:27.408521 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:400, ack 1, win 336, length 192

16:09:27.409530 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 400:560, ack 1, win 336, length 160

监听特定端口

[root@server110 tcpdump]# tcpdump port 8083 -vv

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:10:31.361199 IP (tos 0x0, ttl 127, id 19231, offset 0, flags [DF], proto TCP (6), length 52)

    18.16.202.169.14626 > server110.us-srv: Flags [S], cksum 0x3315 (correct), seq 2299766793, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

16:10:31.361264 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)

    server110.us-srv > 18.16.202.169.14626: Flags [S.], cksum 0x4b86 (correct), seq 1167811532, ack 2299766794, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

16:10:31.361594 IP (tos 0x0, ttl 127, id 19232, offset 0, flags [DF], proto TCP (6), length 40)

    18.16.202.169.14626 > server110.us-srv: Flags [.], cksum 0xa54c (correct), seq 1, ack 1, win 8212, length 0

监听tcp协议,并加数据包写入abc.cap

[root@server110 tcpdump]# tcpdump tcp port 8083 -w  ./abc.cap

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

^C15 packets captured

15 packets received by filter

0 packets dropped by kernel

总共15条数据,其中只包含tcp,http格式的数据

稍微复杂例子

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
  1. tcp: ip icmp arp rarp 和 tcp、udp、icmp这些选项等都要放到第一个参数的位置,用来过滤数据报的类型
  2. -i eth1 : 只抓经过接口eth1的包
  3. -t : 不显示时间戳
  4. -s 0 : 抓取数据包时默认抓取长度为68字节。加上-S 0 后可以抓到完整的数据包
  5. -c 100 : 只抓取100个数据包
  6. dst port ! 22 : 不抓取目标端口是22的数据包
  7. src net 192.168.1.0/24 : 数据包的源网络地址为192.168.1.0/24
  8. -w ./target.cap : 保存成cap文件,方便用ethereal(即wireshark)分析

参考:

Linux基础:用tcpdump抓包

Linux tcpdump命令详解

CentOS中使用tcpdump抓包的更多相关文章

  1. tcpdump抓包工具的基本使用

    为了更好的深入理解计算机网络等相关知识,例如TCP\UDP\IP等,我们就必须利用tcpdump.Wireshark等工具对网络进行分析.本篇博文主要记录一下tcpdump这个网络分析利器的一些基本使 ...

  2. 使用 tcpdump 抓包分析 TCP 三次握手、四次挥手与 TCP 状态转移

    目录 文章目录 目录 前文列表 TCP 协议 图示三次握手与四次挥手 抓包结果 抓包分析 TCP 三次握手 数据传输 四次挥手 TCP 端口状态转移 状态转移 前文列表 <常用 tcpdump ...

  3. tcpdump抓包命令

    本文转自 : http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html http://www.itshouce.com.cn/l ...

  4. TCPdump抓包命令详解--摘

    http://blog.csdn.net/s_k_yliu/article/details/6665673/ http://starsliao.blog.163.com/blog/static/890 ...

  5. Android手机tcpdump抓包

    在开发过程中遇到问题时,无法非常方便的获取到数据包,导致分析解决问题比较麻烦.这里介绍如何在Android手机上实现tcpdump抓包.   1.root机器  在用tcpdump抓包过程中,需要使用 ...

  6. Wireshark和TcpDump抓包分析心得

    Wireshark和 TcpDump抓包分析心得  1. Wireshark与tcpdump介绍 Wireshark是一个网络协议检测工具,支持Windows平台和Unix平台,我一般只在Window ...

  7. tcpdump 抓包让wireshark来分析

    在linux下面用tcpdump 抓包非常方便, 但是抓的包要提取出来进行分析, 还是得用wireshark来过滤分析比较方便. 下面先介绍一下 TCPDUMP 的使用 例:tcpdump host ...

  8. tcpdump抓包并保存成cap文件

    首选介绍一下tcpdump的常用参数 tcpdump采用命令行方式,它的命令格式为: tcpdump [ -adeflnNOpqStvx ] [ -c 数量 ] [ -F 文件名 ] [ -i 网络接 ...

  9. linux使用tcpdump抓包工具抓取网络数据包,多示例演示

    tcpdump是linux命令行下常用的的一个抓包工具,记录一下平时常用的方式,测试机器系统是ubuntu 12.04. tcpdump的命令格式 tcpdump的参数众多,通过man tcpdump ...

随机推荐

  1. Fiddler_抓包应用_01

    1. 手机抓包配置 1.1. Fiddler配置 Tools->Options 抓取https的请求: 查看Fiddler端口 1.2. 获取Fiddler 所在IP (1) 可通过fiddle ...

  2. oracle根据某个字段的值进行排序

    需求:按照颜色为蓝色.红色.黄色进行排序: order by  case                  when color = '蓝色' then                   1     ...

  3. Linux 磁盘介绍(磁盘、分区、MBR、GPT)

    原文:https://www.linuxidc.com/Linux/2013-06/85717.htm 1. CHS(Cylinder-Head-Sector): was an early metho ...

  4. Hint: Fallback method 'public java.lang.String queryUserByIdFallback(java.lang.Long)' must return: User or its subclass

    1.错误日志 熔断器添加错误方法返回时,报了一个 error. com.netflix.hystrix.contrib.javanica.exception.FallbackDefinitionExc ...

  5. Android系统架构与系统源码目录

    前言 技术博客终于可以恢复正常的更新速度了,原因是我编写的进阶书籍的初稿已经完成,窃以为它将会是Android应用书籍中最有深度的一本,可以说是<Android开发艺术探索>的姊妹篇.在这 ...

  6. kubernetes集群应用部署实例

    今天,我们将要带来入门hello world示例,它是一个web留言板应用,基于PHP+Redis的两层分布式架构的web应用,前端PHP web网站通过访问后端Redis数据库完成用户留言的查询和添 ...

  7. monent API详解

    参考链接:https://www.jianshu.com/p/9c10543420de

  8. Servlet学习1

    1.首先在Tomcat的webapp目录下新建文件夹myWebapp,作为自己的web应用. 2.myWebapp下新建WEB-INF(必须这个名)目录,WEB-INF下新建classes目录放置se ...

  9. python range的用法小题

    题目(1)for i in range(10): print(i) 结果:123456789 题目(2) for lst in range(100): if lst % 7 == 0 and str( ...

  10. des加密算法java&c#

    项目中用到的数据加密方式是ECB模式的DES加密得到的十六进制字符串.技术支持让写一个.net版的加密算法.这里做一下记录. java版: 16进制使用的是bouncycastle. import c ...