tcpdump可以将网络中传送的数据包的“头”完全截获下来提供分析。它支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语句来帮助你去掉无用的信息
tcpdump抓的包可以保存成后缀为pcap的文件,使用wireshark等软件进行查看
1. 针对特定网口(-i)
# tcpdump -i eth02. 抓取指定数目(-c)
# tcpdump -i eth1 -c 2
18:36:32.012254 IP localhost.ssh > localhost.56622: Flags [P.], seq 2097153123:2097153319, ack 2140086774,
win 167, length 196
18:36:32.012532 IP localhost.40562 > localhost.domain: 7522+ PTR? 247.40.168.192.
in-addr.arpa. (45)3. 抓到包写入文件(-w)
# tcpdump -i eth1 -w tmp.pcap4. 读取tcpdump保存文件(-r)
# tcpdump -r tmp
18:25:05.383176 IP localhost.34143 > 117.78.24.10.https: Flags [S], seq 1566333953,
win 14600, options [mss 1460,sackOK,TS val 1098325899 ecr 0,nop,wscale 7], length 05. 增加抓包时间戳(-tttt)
# tcpdump -i eth1 -tttt
2015-12-22 18:42:13.124678 IP localhost.34150 > 117.78.24.10.https: Flags [S],
seq 228138319, win 14600, options [mss 1460,sackOK,TS val 1099353640 ecr 0,nop,wscale 7], length 06. 指定抓包端口
# tcpdump -i eth1 port 443
18:46:32.045119 IP localhost.34153 > 117.78.24.10.https: Flags [S], seq 3477177793,
win 14600, options [mss 1460,sackOK,TS val 1099612561 ecr 0,nop,wscale 7], length 07. 抓取特定ip
# tcpdump -i eth1 dst 117.78.24.10
18:51:26.337375 IP localhost.34165 > 117.78.24.10.https: Flags [S], seq 1561820168,
win 14600, options [mss 1460,sackOK,TS val 1099906853 ecr 0,nop,wscale 7], length 0
# tcpdump -i eth1 host 192.168.40.157 and 117.78.24.10
18:47:55.776518 IP localhost.34157 > 117.78.24.10.https: Flags [S], seq 1999366796,
win 14600, options [mss 1460,sackOK,TS val 1099696292 ecr 0,nop,wscale 7], length 0
18:47:55.780307 IP 117.78.24.10.https > localhost.34157: Flags [S.], seq 1636741313,
ack 1999366797, win 5792, options [mss 1460,sackOK,TS val 676770270 ecr 1099696292,nop,wscale 7], length 08. 抓取特定端口
//src
# tcpdump -i eth1 src port 443
18:58:43.339368 IP 117.78.24.10.https > localhost.34181: Flags [S.], seq 3480165730,
ack 2569376925, win 5792, options [mss 1460,sackOK,TS val 678114226 ecr 1100343852,nop,wscale 7], length 0
//dst
# tcpdump -i eth1 dst port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
18:59:44.073262 IP localhost.34183 > 117.78.24.10.https: Flags [S], seq 408796353,
win 14600, options [mss 1460,sackOK,TS val 1100404589 ecr 0,nop,wscale 7], length 09. 抓取详细信息(-vv)
# tcpdump -i eth0 -v
192.168.1.106.53458 > 192.168.1.10.ftp: Flags [S], cksum 0x0056 (correct), seq 2898677069,
win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
06:46:49.599097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)10. 抓取报文(-x)
# tcpdump -i eth0 -x
06:48:05.205316 IP 192.168.1.106.53459 > 192.168.1.10.ftp: Flags [S], seq 4037915061,
win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
0x0000: 4500 0034 2730 4000 8006 4fcf c0a8 016a
0x0010: c0a8 010a d0d3 0015 f0ad b1b5 0000 0000
0x0020: 8002 2000 5805 0000 0204 05b4 0103 0302
0x0030: 0101 040211. 链路层头(-e)
# tcpdump -e
21:51:18.401466 00:0c:29:12:ee:b1 (oui Unknown) > 00:e0:4c:07:a8:0b (oui Unknown), ethertype IPv4 (0x0800), length 170: ubuntu.local.ssh > 192.168.1.107.49825: Flags [P.], seq 1109847835:1109847951, ack 1806812279, win 1123, length 116可以打印出源和目的地址, 以及包的长度
12. arp报文(-n)
# tcpdump -n arp
21:56:40.235632 ARP, Request who-has 192.168.1.111 tell 192.168.1.1, length 4613. 其他参数
# tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 -w ./tmp.pcap
tcp:tcp、udp、icmp这些选项等都要放到第一个参数的位置,用来过滤数据报的类型
-t:不显示时间戳
-s 0:抓取数据包时默认抓取长度为68字节。加上-s 0后可以抓到完整的数据包
dst port ! 22:不抓取目标端口是22的数据包