TCPDUMP packet capture study notes

    I. Capture basics

    1. Capture packets on interface ens33, taking each packet in full (-s 0, so nothing is truncated), and save them to a.cap

    [root@localhost ~]# tcpdump -i ens33 -s 0 -w a.cap
    tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

    2. Read the a.cap file

    [root@localhost ~]# tcpdump -r a.cap 
    reading from file a.cap, link-type EN10MB (Ethernet)
    18:30:13.453516 IP localhost.localdomain.ssh > 192.168.10.1.sicct: Flags [P.], seq 1710739872:1710740004, ack 930202420, win 532, length 132
    18:30:13.453754 IP 192.168.10.1.sicct > localhost.localdomain.ssh: Flags [.], ack 132, win 255, length 0
    18:30:14.379791 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1720, length 40
    18:30:14.379825 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1720, length 40
    18:30:15.381526 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1721, length 40
    18:30:15.381556 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1721, length 40
    18:30:16.383090 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1722, length 40
    18:30:16.383121 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1722, length 40
    18:30:17.385139 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1723, length 40
    18:30:17.385273 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1723, length 40
    18:30:18.385827 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1725, length 40
    18:30:18.385866 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1725, length 40
    18:30:19.244187 IP 192.168.10.1.63076 > 239.255.255.250.ssdp: UDP, length 133
    18:30:19.387459 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1726, length 40
    18:30:19.387517 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1726, length 40
    18:30:20.390170 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1727, length 40
    18:30:20.390271 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1727, length 40
    18:30:20.438195 IP 192.168.10.1.sicct > localhost.localdomain.ssh: Flags [P.], seq 1:53, ack 132, win 255, length 52

    3. Read the full contents (-A prints each packet's payload as ASCII)

    [root@localhost ~]# tcpdump -A -r a.cap 
    reading from file a.cap, link-type EN10MB (Ethernet)
    18:30:13.453516 IP localhost.localdomain.ssh > 192.168.10.1.sicct: Flags [P.], seq 1710739872:1710740004, ack 930202420, win 532, length 132
    E...] @.@.G...
    ...
    .....e...7q.4P.......u0.L.}H....j....2.#|!..v.Y......"<....@.B~..|0.N.n..........,......v........&.(G9.b.a9...f.....Y.t.R....m...    .v....B...:.......K....
    18:30:13.453754 IP 192.168.10.1.sicct > localhost.localdomain.ssh: Flags [.], ack 132, win 255, length 0
    E..(..@...OX..
    ...
    .....7q.4e..$P.............
    18:30:14.379791 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1720, length 40
    E..<.......H..
    ...
    ...F.....abcdefghijklmnopqrstuvwabcdefghi
    18:30:14.379825 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1720, length 40
    E..<e...@..E..

    4. Capture packets on TCP port 22

    [root@localhost ~]# tcpdump -i ens33 tcp port 22 -w a.cap 
    tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

    II. Filtering captured traffic

      1. Filtering with operating-system tools (pipe the text output through awk and sort)

    [root@localhost ~]# tcpdump -r a.cap |awk '{print $3}'|sort -u
    reading from file a.cap, link-type EN10MB (Ethernet)
    192.168.10.1.8323
    192.168.10.1.8325
    192.168.10.1.8327
    192.168.10.1.8328
    192.168.10.1.cruise-config
    192.168.10.1.cruise-swroute
    localhost.localdomain.http
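An added example (not from the original post) that extends the awk one-liner above: instead of printing only field 3 it keeps source, destination and protocol and counts each flow, and a second helper lists SYNs that never received a SYN-ACK within the capture, a cheap first look for half-open connections. The SAMPLE lines are constructed in tcpdump's text format, as if produced by `tcpdump -n -r a.cap` (with -n, ports appear as numbers rather than service names).

```shell
#!/bin/sh
# Added example: summarize `tcpdump -n -r a.cap` text output into flow
# counts. Field layout of one tcpdump line:
#   $1 time  $2 "IP"  $3 src  $4 ">"  $5 "dst:"  $6.. protocol details
# SAMPLE is constructed for this example; it is not a real capture.

SAMPLE='18:30:14.379791 IP 192.168.10.1 > 192.168.10.13: ICMP echo request, id 1, seq 1720, length 40
18:30:14.379825 IP 192.168.10.13 > 192.168.10.1: ICMP echo reply, id 1, seq 1720, length 40
18:30:15.381526 IP 192.168.10.1 > 192.168.10.13: ICMP echo request, id 1, seq 1721, length 40
18:42:01.132300 IP 192.168.10.1.8327 > 192.168.10.13.80: Flags [S], seq 2519829978, win 8192, length 0
18:42:01.132478 IP 192.168.10.13.80 > 192.168.10.1.8327: Flags [S.], seq 2880921528, ack 2519829979, win 29200, length 0
18:42:01.134332 IP 192.168.10.1.8327 > 192.168.10.13.80: Flags [P.], seq 0:440, ack 1, win 256, length 440: HTTP: GET / HTTP/1.1
18:30:19.244187 IP 192.168.10.1.63076 > 239.255.255.250.1900: UDP, length 133
18:42:05.000000 IP 192.168.10.1.8330 > 192.168.10.13.22: Flags [S], seq 1, win 8192, length 0'

# flow_counts: read tcpdump lines on stdin, print "count proto src > dst",
# most frequent flow first.
flow_counts() {
  awk '$2 == "IP" {
         dst = $5; sub(/:$/, "", dst)          # drop the trailing colon
         proto = ($6 == "Flags") ? "TCP" : $6  # TCP lines start with Flags
         sub(/,$/, "", proto)                  # "UDP," -> "UDP"
         n[proto " " $3 " > " dst]++
       }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# syn_only: print "src dst" for every bare SYN whose SYN-ACK from dst
# back to src does not appear in the capture.
syn_only() {
  awk '$2 == "IP" && $6 == "Flags" {
         dst = $5; sub(/:$/, "", dst)
         if ($7 == "[S],")  syn[$3 " " dst] = 1   # client SYN
         if ($7 == "[S.],") ack[dst " " $3] = 1   # server SYN-ACK, reversed
       }
       END { for (k in syn) if (!(k in ack)) print k }' | sort
}

printf '%s\n' "$SAMPLE" | flow_counts
printf '%s\n' "$SAMPLE" | syn_only
```

To run it on a real file, replace the two printf lines with `tcpdump -n -r a.cap | flow_counts`.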

      2. Filtering by source or destination address

    [root@localhost ~]# tcpdump -n src host 192.168.10.13 -r a.cap 
    reading from file a.cap, link-type EN10MB (Ethernet)
    18:41:59.455482 IP 192.168.10.13.http > 192.168.10.1.8327: Flags [.], ack 819547226, win 473, length 0
    18:41:59.455616 IP 192.168.10.13.http > 192.168.10.1.8325: Flags [.], ack 3409464214, win 473, length 0
    18:41:59.455690 IP 192.168.10.13.http > 192.168.10.1.8323: Flags [.], ack 3567728118, win 524, length 0
    18:41:59.455768 IP 192.168.10.13.http > 192.168.10.1.8328: Flags [.], ack 731030296, win 524, length 0
    18:42:01.132478 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [S.], seq 2880921528, ack 2519829979, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
    18:42:01.132938 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [S.], seq 430913213, ack 2320844865, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
    18:42:01.134389 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [.], ack 441, win 473, length 0
    18:42:01.136378 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [.], seq 1:4381, ack 441, win 473, length 4380: HTTP: HTTP/1.1 403 Forbidden
    18:42:01.136641 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [P.], seq 4381:5242, ack 441, win 473, length 861: HTTP
    18:42:01.163086 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [.], ack 400, win 473, length 0
    18:42:01.163388 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [P.], seq 5242:5732, ack 838, win 490, length 490: HTTP: HTTP/1.1 404 Not Found
    18:42:01.164423 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [P.], seq 1:494, ack 400, win 473, length 493: HTTP: HTTP/1.1 404 Not Found
    18:42:01.178354 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [P.], seq 494:983, ack 796, win 490, length 489: HTTP: HTTP/1.1 404 Not Found
    18:42:01.178523 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [P.], seq 5732:6223, ack 1236, win 507, length 491: HTTP: HTTP/1.1 404 Not Found
    [root@localhost ~]# tcpdump -n dest host 192.168.10.13 -r a.cap 
    reading from file a.cap, link-type EN10MB (Ethernet)
    tcpdump: syntax error
    [root@localhost ~]# tcpdump -n dst host 192.168.10.13 -r a.cap 
    reading from file a.cap, link-type EN10MB (Ethernet)
    18:41:59.455392 IP 192.168.10.1.8327 > 192.168.10.13.http: Flags [F.], seq 819547225, ack 2993797214, win 256, length 0
    18:41:59.455603 IP 192.168.10.1.8325 > 192.168.10.13.http: Flags [F.], seq 3409464213, ack 3748071194, win 256, length 0
    18:41:59.455678 IP 192.168.10.1.8323 > 192.168.10.13.http: Flags [F.], seq 3567728117, ack 80696614, win 252, length 0
    18:41:59.455757 IP 192.168.10.1.8328 > 192.168.10.13.http: Flags [F.], seq 731030295, ack 1348262823, win 252, length 0
    18:42:01.132300 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [S], seq 2519829978, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:42:01.132607 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 2880921529, win 256, length 0
    18:42:01.132821 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [S], seq 2320844864, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:42:01.133059 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [.], ack 430913214, win 256, length 0
    18:42:01.134332 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [P.], seq 0:440, ack 1, win 256, length 440: HTTP: GET / HTTP/1.1
    18:42:01.136670 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 2921, win 256, length 0
    18:42:01.136736 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 5242, win 256, length 0
    18:42:01.162692 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [P.], seq 440:837, ack 5242, win 256, length 397: HTTP: GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1
    18:42:01.163034 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [P.], seq 0:399, ack 1, win 256, length 399: HTTP: GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1
    18:42:01.178069 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [P.], seq 399:795, ack 494, win 254, length 396: HTTP: GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1
    18:42:01.178136 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [P.], seq 837:1235, ack 5732, win 254, length 398: HTTP: GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1
    18:42:01.372703 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [.], ack 983, win 252, length 0
    18:42:01.381626 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 6223, win 252, length 0

      3. Filtering by port

    [root@localhost ~]# tcpdump -n port 53 -r a.cap 
    Original article: https://www.cnblogs.com/Presley-lpc/p/11532428.html