个人原创,转载请注明,否则依法追究法律责任

2018-02-28  16:01:26

tcpdump 倾倒网络传输数据,直接启动tcpdump将监视第一个网络接口上所有流过的数据包。

1 不接任何参数,表示监听本机的eth0网卡。

如果不指定网卡,默认tcpdump只会监视第一个网络接口,一般是eth0,下面的例子都没有指定网络接口。
[root@shiyan ~]# yum -y install tcpdump    -----------------> 最小化系统里没有这个命令,先安装
[root@shiyan ~]# tcpdump > a.tx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C12 packets captured   -------------------->按下Ctrl + C 结束抓包,否则会一直的抓下去
12 packets received by filter
0 packets dropped by kernel
[root@shiyan ~]# cat a.tx
17:11:06.066490 IP 192.168.115.80.ssh > 192.168.115.118.53014: Flags [P.], seq 1346400485:1346400693, ack 499039341, win 159, length 208
17:11:06.066758 IP 192.168.115.80.46406 > cache-a.guangzhou.gd.cn.domain: 41439+ PTR? 118.115.168.192.in-addr.arpa. (46)
17:11:06.071645 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.46406: 41439 NXDomain 0/0/0 (46)
17:11:06.072785 IP 192.168.115.80.48303 > cache-a.guangzhou.gd.cn.domain: 51978+ PTR? 80.115.168.192.in-addr.arpa. (45)
17:11:06.077045 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.48303: 51978 NXDomain 0/0/0 (45)
17:11:06.077137 IP 192.168.115.80.55070 > cache-a.guangzhou.gd.cn.domain: 21987+ PTR? 86.128.96.202.in-addr.arpa. (44)

2 指定内网中某台主机进行监听:tcpdump host 192.168.115.93
[root@shiyan ~]# tcpdump host 192.168.115.93
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:12:17.294247 ARP, Request who-has shiyan tell 192.168.115.93, length 46
17:12:37.569616 ARP, Request who-has 192.168.115.93 tell 192.168.115.80, length 28
17:12:37.569837 ARP, Reply 192.168.115.93 is-at 00:e0:4c:f4:8d:7a (oui Unknown), length 46
17:12:37.569842 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 1, length 64
17:12:37.570027 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 1, length 64
17:12:38.569404 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 2, length 64
17:12:38.569714 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 2, length 64

在13.173机器监听13.167机器的httpd服务

[root@localhost ~]# tcpdump host 192.168.13.167  -------------------------------> 可以抓取到不经过本机的数据包(wirlshark没有这个功能)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:05:34.252126 ARP, Request who-has 192.168.13.254 tell 192.168.13.167, length 46
16:05:34.252380 ARP, Reply 192.168.13.254 is-at 00:50:56:f9:32:a6 (oui Unknown), length 46
16:05:34.252383 IP 192.168.13.167.bootpc > 192.168.13.254.bootps: BOOTP/DHCP, Request from 00:0c:29:30:ff:a0 (oui Unknown), length 300
16:05:34.252624 IP 192.168.13.254.bootps > 192.168.13.167.bootpc: BOOTP/DHCP, Reply, length 300
16:05:34.296671 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:35.297810 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:41.886341 IP 192.168.13.1.53831 > 192.168.13.167.ssh: Flags [P.], seq 2116832879:2116832927, ack 2216944518, win 252, length 48
16:05:41.886349 IP 192.168.13.167.ssh > 192.168.13.1.53831: Flags [.], ack 48, win 634, length 0
16:05:46.688388 ARP, Request who-has 192.168.13.167 (00:0c:29:30:ff:a0 (oui Unknown)) tell 192.168.13.1, length 46
16:05:46.688399 ARP, Reply 192.168.13.167 is-at 00:0c:29:30:ff:a0 (oui Unknown), length 46
16:05:49.826057 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [S], seq 1070489598, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826070 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [S], seq 3015543207, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826072 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 673044770, win 256, length 0
16:05:49.826074 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [S.], seq 673044769, ack 1070489599, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.826076 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1571007700, win 256, length 0
16:05:49.826078 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.851846 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [P.], seq 1:590, ack 1, win 256, length 589
16:05:49.851861 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 590, win 494, length 0
16:05:49.854139 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [P.], seq 1:152, ack 590, win 494, length 151
16:05:49.854147 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 153, win 256, length 0
16:05:49.854149 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [F.], seq 152, ack 590, win 494, length 0
16:05:49.859953 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [F.], seq 590, ack 153, win 256, length 0
16:05:49.859964 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 591, win 494, length 0
16:05:51.223523 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
16:05:51.223537 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
^C
25 packets captured
25 packets received by filter
0 packets dropped by kernel

3 截获指定主机和指定端口的数据包
如果想要获取主机210.27.48.1接收或发出的telnet包,使用如下命令

[root@shiyan ~]# tcpdump tcp port 80 and host 192.168.115.118
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

抓取80端口的数据包过程:
yum -y install httpd
echo 111111111111111 >/var/www/html/index.html
service httpd restart
tcpdump tcp port 80 -----------> 关注该命令下的内容
其他的电脑web浏览器访问:http://192.168.13.167,继续关注上述命令下新增内容
[root@bogon ~]# tcpdump tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ---------------->以下是网页访问后的数据包情况

15:45:56.561135 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [S], seq 1718240131, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.561189 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [S.], seq 2754432551, ack 1718240132, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564132 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [S], seq 66995158, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.564153 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564380 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.564387 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.573137 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [P.], seq 1:496, ack 1, win 256, length 495
15:45:56.573190 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 496, win 490, length 0
15:45:56.575931 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 1:2921, ack 496, win 490, length 2920
15:45:56.576287 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 2921, win 256, length 0
15:45:56.576338 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 2921:4381, ack 496, win 490, length 1460
15:45:56.576486 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [P.], seq 4381:5660, ack 496, win 490, length 1279
15:45:56.576617 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5660, win 256, length 0
15:45:56.577674 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [F.], seq 5660, ack 496, win 490, length 0
15:45:56.577798 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5661, win 256, length 0
15:45:56.578929 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [F.], seq 496, ack 5661, win 256, length 0
15:45:56.578944 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 497, win 490, length 0
15:45:57.961343 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:57.961536 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
15:46:07.071688 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [F.], seq 1, ack 1, win 256, length 0
15:46:07.071973 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [.], ack 2, win 457, length 0
15:46:07.072293 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [F.], seq 1, ack 2, win 457, length 0
15:46:07.072521 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 2, win 256, length 0
^C --------------------------------------------> 按下 Ctrl + C,否则会一直的抓下去。
23 packets captured
23 packets received by filter
0 packets dropped by kernel

tcpdump抓包工具的使用的更多相关文章

  1. tcpdump抓包工具

    tcpdump抓包工具 一:TCPDump介绍 ​ TcpDump可以将网络中传送的数据包的"头"完全截获下来提供分析.它支持针对网络层.协议.主机.网络或端口的过滤,并提供and ...

  2. linux下利用tcpdump抓包工具排查nginx获取客户端真实IP实例

    一.nginx后端负载服务器的API在获取客户端IP时始终只能获取nginx的代理服务器IP,排查nginx配置如下 upstream sms-resp { server ; server ; } s ...

  3. linux使用tcpdump抓包工具抓取网络数据包,多示例演示

    tcpdump是linux命令行下常用的的一个抓包工具,记录一下平时常用的方式,测试机器系统是ubuntu 12.04. tcpdump的命令格式 tcpdump的参数众多,通过man tcpdump ...

  4. Linux系统诊断必备技能之二:tcpdump抓包工具详解

    一.简述 TcpDump可以将网络中传送的数据包完全截获下来提供分析.它支持针对网络层.协议.主机.网络或端口的过滤,并提供and.or.not等逻辑语句来帮助你去掉无用的信息. Linux作为网络服 ...

  5. tcpdump抓包工具的基本使用

    为了更好的深入理解计算机网络等相关知识,例如TCP\UDP\IP等,我们就必须利用tcpdump.Wireshark等工具对网络进行分析.本篇博文主要记录一下tcpdump这个网络分析利器的一些基本使 ...

  6. Linux下通过tcpdump抓包工具获取信息

    介绍 tcpdump是网络数据包截获分析工具.支持针对网络层.协议.主机.网络或端口的过滤.并提供and.or.not等逻辑语句帮助去除无用的信息. tcpdump - dump traffic on ...

  7. tcpdump 抓包工具使用

    1. 常用命令 监听p4p1网卡上来自 192.168.162.14 的包 tcpdump -i p4p1 src host 192.168.162.14 tcpdump -i p4p1 dst po ...

  8. tcpdump抓包工具用法说明

    tcpdump采用命令行方式对接口的数据包进行筛选抓取,其丰富特性表现在灵活的表达式上. 不带任何选项的tcpdump,默认会抓取第一个网络接口,且只有将tcpdump进程终止才会停止抓包. 例如: ...

  9. 利用tcpdump抓包工具监控TCP连接的三次握手和断开连接的四次挥手

    TCP传输控制协议是面向连接的可靠的传输层协议,在进行数据传输之前,需要在传输数据的两端(客户端和服务器端)创建一个连接,这个连接由一对插口地址唯一标识,即是在IP报文首部的源IP地址.目的IP地址, ...

随机推荐

  1. 业余草分享100套精选1000G架构师资料课程(超1T的IT学习资料免费送)

    业余草分享100套精选1000G架构师资料课程(超1T的IT学习资料免费送). 超过1024G的IT学习资料免费领取,你值得拥有! 领取资源方式,关注“业余草”公众号,回复对应的关键字 01.回复”我 ...

  2. Qt 开发 MS VC 控件终极篇

    Qt 开发 MS VC 控件终极篇 1. 使用 MSVC2015 通过项目向导创建 Qt ActiveQt Server 解决方案 项目配置:以下文件需要修改 1. 项目属性页->项目属性-&g ...

  3. 在kali安装中文输入法的教程

    1终端下vi /etc/apt/sources.list  修改镜像元  (按E进行编辑 具体实例不同可能没有)  按 i进入编辑 擦除原有的几个官方源改为deb http://mirrors.ali ...

  4. nyoj137 取石子(三) 楼教主男人八题之一

    思路:一堆时,N态.两堆时,当两堆数量相同,P态,不同为N态.三堆时,先手可以变成两堆一样的,必胜N态. 此时可以总结规律:堆数为偶数可能且石子数都是两两相同的,为P态.分析四堆时,当四堆中两两数量一 ...

  5. Android WebView 保持登录问题

    最近有个需求是这样的:在应用中添加一个商城,商城的实现是H5(包括登录).需要将这个H5嵌到原生应用中,并在原生代码中添加支付功能. 接到这个需求的时候,想这不是很简单么,用WebView加载这个页面 ...

  6. JavaScript的预编译和执行

    JavaScript引擎,不是逐条解释执行javascript代码,而是按照代码块一段段解释执行.所谓代码块就是使用<script>标签分隔的代码段. 整个代码块共有两个阶段,预编译阶段和 ...

  7. php学习笔记upset函数。

    如果在函数中我们不希望再使用某个变量.可以使用unset()销毁函数, ②在php函数中,我们可以给某些参数赋一个默认初值. ③可以传一个默认的参数. ④php在传递变量的时候,默认是传递值传递,如果 ...

  8. 详解Linux Initrd

    在Linux操作系统中,有一项特殊的功能--初始化内存盘INITRD(INITial Ram Disk)技术,而且内核支持压缩的文件系统映像.有了这两项功能,我们可以让Linux系统从小的初始化内存盘 ...

  9. CAN总线基础知识(一)

    1.CAN总线是什么? CAN(Controller Area Network)是ISO国际标准化的串行通信协议.广泛应用于汽车.船舶等.具有已经被大家认可的高性能和可靠性. CAN控制器通过组成总线 ...

  10. Struts2实现文件上传报错(四)

    1.具体错误如下 2014-5-2 21:38:29 com.opensymphony.xwork2.util.logging.jdk.JdkLogger error 严重: Exception oc ...