• Learning some tcpdump


    [root@future ~]# yum install tcpdump

    Official site:

    https://nmap.org/

    There is even a Chinese manual, which is wonderful:

    https://nmap.org/man/zh/man-port-scanning-basics.html

    1. Just run tcpdump

    It prints a large amount of output; press Ctrl+C to stop. Each line is one packet.

    680 packets captured
    682 packets received by filter
    0 packets dropped by kernel

    2. Capture only 10 packets

    [root@future ~]# tcpdump -c 10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    06:42:40.818075 IP 192.168.247.130.ssh > 192.168.247.1.36946: Flags [P.], seq 3575934398:3575934594, ack 1866571419, win 280, length 196
    06:42:40.818885 IP 192.168.247.130.46267 > 192.168.247.2.domain: 58461+ PTR? 1.247.168.192.in-addr.arpa. (44)
    06:42:40.855105 ARP, Request who-has 192.168.247.130 tell 192.168.247.2, length 46
    06:42:40.855120 ARP, Reply 192.168.247.130 is-at 00:0c:29:76:1d:45 (oui Unknown), length 28
    06:42:40.855187 IP 192.168.247.2.domain > 192.168.247.130.46267: 58461 NXDomain 0/0/0 (44)
    06:42:40.855426 IP 192.168.247.130.35720 > 192.168.247.2.domain: 25496+ PTR? 130.247.168.192.in-addr.arpa. (46)
    06:42:40.877511 IP 192.168.247.1.36946 > 192.168.247.130.ssh: Flags [.], ack 196, win 254, length 0
    06:42:40.888226 IP 192.168.247.2.domain > 192.168.247.130.35720: 25496 NXDomain 0/0/0 (46)
    06:42:40.888506 IP 192.168.247.130.41563 > 192.168.247.2.domain: 11803+ PTR? 2.247.168.192.in-addr.arpa. (44)
    06:42:40.896265 IP 192.168.247.130.ssh > 192.168.247.1.36946: Flags [P.], seq 196:376, ack 1, win 280, length 180
    10 packets captured
    11 packets received by filter
    0 packets dropped by kernel

    Captured packets are not saved by default; add the -w option to write them to a file.

    [root@future ~]# tcpdump -c 10 -w dumps.log
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel

    The saved file cannot be viewed directly; use the -r option to read it back.

    [root@future ~]# tcpdump -r dumps.log 

    3. Show which network interfaces the system has

    [root@future ~]# tcpdump -D
    1.eth0
    2.nflog (Linux netfilter log (NFLOG) interface)
    3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
    4.usbmon1 (USB bus number 1)
    5.usbmon2 (USB bus number 2)
    6.any (Pseudo-device that captures on all interfaces)
    7.lo

    4. Listen on a specific interface

    [root@future ~]# tcpdump -i eth0

    5. Show more detailed output, for example fragmentation

    [root@future ~]# tcpdump -v
    or
    [root@future ~]# tcpdump -vv

    6. Do not resolve IP addresses to host names

    [root@future ~]# tcpdump -n

    7. Capture only UDP packets

    [root@future ~]# tcpdump udp

    8. Capture only ICMP packets

    [root@future ~]# tcpdump icmp

    9. Capture only traffic on a specific port

    [root@future ~]# tcpdump port 22

    10. Specify a port range

    [root@future ~]# tcpdump portrange 1-1024

    11. Specify a source port or a destination port
    Source port:

    [root@future ~]# tcpdump src port 80

    Destination port:

    [root@future ~]# tcpdump dst port 80

    12. Capture traffic to or from a given host name

    [root@future ~]# tcpdump host www.baidu.com

    13. Capture packets larger than 1000 bytes

    [root@future ~]# tcpdump greater 1000

    Packets smaller than 1000 bytes:

    [root@future ~]# tcpdump less 1000

    14. View packet contents

    [root@future ~]# tcpdump -A

    Shown as ASCII; the contents are not necessarily readable.

    15. View packet contents in two forms

    [root@future ~]# tcpdump -X

    Binary (hex) and ASCII display side by side

    16. Capture packets from a given IP address

    [root@future ~]# tcpdump src 192.168.247.1

    Capture packets destined to a given IP address:

    [root@future ~]# tcpdump dst 192.168.247.1

    17. Using logical operators

    [root@future ~]# tcpdump tcp and src 192.168.247.1
    [root@future ~]# tcpdump tcp and src 192.168.247.1 and port 1000
    [root@future ~]# tcpdump src 192.168.247.1 or src 192.168.247.2
    [root@future ~]# tcpdump not port 80
    [root@future ~]# tcpdump tcp and src 192.168.247.1 and not port 80
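The filters above decide what gets captured; once the text output exists, the next thing a practitioner usually wants is a quick summary of it. The following POSIX shell script is an added example, not code from the original post: it embeds the 10-packet output shown under step 2 as constructed sample input and summarises it with awk (packets per protocol, packets per source host, and the number of PTR queries). The function names `count_proto`, `src_count` and `ptr_queries` and the variable `SAMPLE` are my own. The PTR count is worth noticing: those lookups were issued by the capturing host itself, because tcpdump resolves addresses unless -n (step 6) is given, so the capture contains DNS traffic that the system would not otherwise have generated.

```shell
#!/bin/sh
# Added example: summarise tcpdump's line-oriented text output with POSIX awk.
# SAMPLE is the 10-packet capture shown on this page, embedded as constructed
# input so the script runs offline, without root or a live interface.
SAMPLE=$(cat <<'EOF'
06:42:40.818075 IP 192.168.247.130.ssh > 192.168.247.1.36946: Flags [P.], seq 3575934398:3575934594, ack 1866571419, win 280, length 196
06:42:40.818885 IP 192.168.247.130.46267 > 192.168.247.2.domain: 58461+ PTR? 1.247.168.192.in-addr.arpa. (44)
06:42:40.855105 ARP, Request who-has 192.168.247.130 tell 192.168.247.2, length 46
06:42:40.855120 ARP, Reply 192.168.247.130 is-at 00:0c:29:76:1d:45 (oui Unknown), length 28
06:42:40.855187 IP 192.168.247.2.domain > 192.168.247.130.46267: 58461 NXDomain 0/0/0 (44)
06:42:40.855426 IP 192.168.247.130.35720 > 192.168.247.2.domain: 25496+ PTR? 130.247.168.192.in-addr.arpa. (46)
06:42:40.877511 IP 192.168.247.1.36946 > 192.168.247.130.ssh: Flags [.], ack 196, win 254, length 0
06:42:40.888226 IP 192.168.247.2.domain > 192.168.247.130.35720: 25496 NXDomain 0/0/0 (46)
06:42:40.888506 IP 192.168.247.130.41563 > 192.168.247.2.domain: 11803+ PTR? 2.247.168.192.in-addr.arpa. (44)
06:42:40.896265 IP 192.168.247.130.ssh > 192.168.247.1.36946: Flags [P.], seq 196:376, ack 1, win 280, length 180
EOF
)

# Count packets whose protocol token (2nd field) is $1, e.g. IP or ARP.
# tcpdump prints "ARP," with a trailing comma, so both spellings are accepted.
count_proto() {
    printf '%s\n' "$SAMPLE" | awk -v p="$1" '
        $2 == p || $2 == (p ",") { n++ }
        END { print n + 0 }'
}

# Count IPv4 packets whose source host is $1. The 3rd field is "host.port"
# (or "host.service" when names are resolved), so the host is the first
# four dotted components. Assumption: IPv4 only; "IP6" lines are skipped.
src_count() {
    printf '%s\n' "$SAMPLE" | awk -v h="$1" '
        $2 == "IP" {
            split($3, a, ".")
            host = a[1] "." a[2] "." a[3] "." a[4]
            if (host == h) c++
        }
        END { print c + 0 }'
}

# Count reverse-DNS (PTR) queries. In this capture they come from the
# capturing host itself: tcpdump resolves addresses unless -n is given,
# and those lookups end up in the capture.
ptr_queries() {
    printf '%s\n' "$SAMPLE" | awk 'index($0, "PTR?") { n++ } END { print n + 0 }'
}

# Stand-alone run: print a short summary of the embedded capture.
printf 'IP packets:        %s\n' "$(count_proto IP)"
printf 'ARP packets:       %s\n' "$(count_proto ARP)"
printf 'PTR lookups:       %s\n' "$(ptr_queries)"
printf 'from .130 (src):   %s\n' "$(src_count 192.168.247.130)"
```

To run it against a real capture, replace the embedded SAMPLE with the output of `tcpdump -n -r dumps.log` (or pipe that output in), and add -n on the capturing side so the summary does not include lookups that tcpdump itself triggered.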

  • Original article: https://www.cnblogs.com/XYJK1002/p/5351089.html
Copyright © 2020-2023  润新知