Using the tcpdump packet capture tool
Original work; credit the source when reposting, otherwise legal liability will be pursued
2018-02-28 16:01:26
tcpdump dumps the traffic crossing the network; starting tcpdump with no options monitors every packet flowing through the first network interface.
1 With no arguments, it listens on the local eth0 interface.
If no interface is specified, tcpdump only monitors the first network interface by default, usually eth0; none of the examples below specify an interface.
[root@shiyan ~]# yum -y install tcpdump -----------------> a minimal install does not ship this command, so install it first
[root@shiyan ~]# tcpdump > a.tx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C12 packets captured --------------------> press Ctrl + C to stop capturing; otherwise it keeps capturing indefinitely
12 packets received by filter
0 packets dropped by kernel
[root@shiyan ~]# cat a.tx
17:11:06.066490 IP 192.168.115.80.ssh > 192.168.115.118.53014: Flags [P.], seq 1346400485:1346400693, ack 499039341, win 159, length 208
17:11:06.066758 IP 192.168.115.80.46406 > cache-a.guangzhou.gd.cn.domain: 41439+ PTR? 118.115.168.192.in-addr.arpa. (46)
17:11:06.071645 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.46406: 41439 NXDomain 0/0/0 (46)
17:11:06.072785 IP 192.168.115.80.48303 > cache-a.guangzhou.gd.cn.domain: 51978+ PTR? 80.115.168.192.in-addr.arpa. (45)
17:11:06.077045 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.48303: 51978 NXDomain 0/0/0 (45)
17:11:06.077137 IP 192.168.115.80.55070 > cache-a.guangzhou.gd.cn.domain: 21987+ PTR? 86.128.96.202.in-addr.arpa. (44)
2 Monitor a particular host on the internal network: tcpdump host 192.168.115.93
[root@shiyan ~]# tcpdump host 192.168.115.93
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:12:17.294247 ARP, Request who-has shiyan tell 192.168.115.93, length 46
17:12:37.569616 ARP, Request who-has 192.168.115.93 tell 192.168.115.80, length 28
17:12:37.569837 ARP, Reply 192.168.115.93 is-at 00:e0:4c:f4:8d:7a (oui Unknown), length 46
17:12:37.569842 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 1, length 64
17:12:37.570027 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 1, length 64
17:12:38.569404 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 2, length 64
17:12:38.569714 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 2, length 64
Monitor the httpd service on the 13.167 machine from the 13.173 machine
[root@localhost ~]# tcpdump host 192.168.13.167 -------------------------------> can capture packets that do not pass through this host (Wireshark does not have this feature)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:05:34.252126 ARP, Request who-has 192.168.13.254 tell 192.168.13.167, length 46
16:05:34.252380 ARP, Reply 192.168.13.254 is-at 00:50:56:f9:32:a6 (oui Unknown), length 46
16:05:34.252383 IP 192.168.13.167.bootpc > 192.168.13.254.bootps: BOOTP/DHCP, Request from 00:0c:29:30:ff:a0 (oui Unknown), length 300
16:05:34.252624 IP 192.168.13.254.bootps > 192.168.13.167.bootpc: BOOTP/DHCP, Reply, length 300
16:05:34.296671 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:35.297810 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:41.886341 IP 192.168.13.1.53831 > 192.168.13.167.ssh: Flags [P.], seq 2116832879:2116832927, ack 2216944518, win 252, length 48
16:05:41.886349 IP 192.168.13.167.ssh > 192.168.13.1.53831: Flags [.], ack 48, win 634, length 0
16:05:46.688388 ARP, Request who-has 192.168.13.167 (00:0c:29:30:ff:a0 (oui Unknown)) tell 192.168.13.1, length 46
16:05:46.688399 ARP, Reply 192.168.13.167 is-at 00:0c:29:30:ff:a0 (oui Unknown), length 46
16:05:49.826057 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [S], seq 1070489598, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826070 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [S], seq 3015543207, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826072 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 673044770, win 256, length 0
16:05:49.826074 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [S.], seq 673044769, ack 1070489599, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.826076 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1571007700, win 256, length 0
16:05:49.826078 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.851846 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [P.], seq 1:590, ack 1, win 256, length 589
16:05:49.851861 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 590, win 494, length 0
16:05:49.854139 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [P.], seq 1:152, ack 590, win 494, length 151
16:05:49.854147 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 153, win 256, length 0
16:05:49.854149 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [F.], seq 152, ack 590, win 494, length 0
16:05:49.859953 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [F.], seq 590, ack 153, win 256, length 0
16:05:49.859964 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 591, win 494, length 0
16:05:51.223523 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
16:05:51.223537 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
^C
25 packets captured
25 packets received by filter
0 packets dropped by kernel
3 Capture packets for a specified host and a specified port
To capture the telnet packets received or sent by host 210.27.48.1, use the following command
[root@shiyan ~]# tcpdump tcp port 80 and host 192.168.115.118
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Steps for capturing port 80 packets:
yum -y install httpd
echo 111111111111111 >/var/www/html/index.html
service httpd restart
tcpdump tcp port 80 -----------> watch the output of this command
From another computer, open http://192.168.13.167 in a web browser, then keep watching for the new output that appears under the command above
[root@bogon ~]# tcpdump tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ----------------> the following is the packet activity after the web page was accessed
15:45:56.561135 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [S], seq 1718240131, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.561189 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [S.], seq 2754432551, ack 1718240132, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564132 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [S], seq 66995158, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.564153 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564380 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.564387 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.573137 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [P.], seq 1:496, ack 1, win 256, length 495
15:45:56.573190 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 496, win 490, length 0
15:45:56.575931 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 1:2921, ack 496, win 490, length 2920
15:45:56.576287 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 2921, win 256, length 0
15:45:56.576338 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 2921:4381, ack 496, win 490, length 1460
15:45:56.576486 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [P.], seq 4381:5660, ack 496, win 490, length 1279
15:45:56.576617 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5660, win 256, length 0
15:45:56.577674 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [F.], seq 5660, ack 496, win 490, length 0
15:45:56.577798 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5661, win 256, length 0
15:45:56.578929 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [F.], seq 496, ack 5661, win 256, length 0
15:45:56.578944 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 497, win 490, length 0
15:45:57.961343 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:57.961536 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
15:46:07.071688 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [F.], seq 1, ack 1, win 256, length 0
15:46:07.071973 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [.], ack 2, win 457, length 0
15:46:07.072293 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [F.], seq 1, ack 2, win 457, length 0
15:46:07.072521 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 2, win 256, length 0
^C --------------------------------------------> press Ctrl + C, otherwise it keeps capturing indefinitely.
23 packets captured
23 packets received by filter
0 packets dropped by kernel
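As an added example (not the blog author's own code), here is a small Python parser for the one-line tcpdump output shown in the captures above. It splits host and port the way tcpdump prints them (port or service name after the last dot, none for ICMP), marks the PTR queries that tcpdump's own reverse name resolution generated in the first capture (running tcpdump with -n avoids that noise), and reports which HTTP connections completed the three-way handshake. The SAMPLE lines are copied from this page's captures; the field names and the choice to treat unlabelled non-TCP, non-ICMP lines as UDP are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the captures shown on this page (tcpdump's default one-line format).
SAMPLE = """\
17:11:06.066758 IP 192.168.115.80.46406 > cache-a.guangzhou.gd.cn.domain: 41439+ PTR? 118.115.168.192.in-addr.arpa. (46)
17:12:37.569842 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 1, length 64
16:05:34.252126 ARP, Request who-has 192.168.13.254 tell 192.168.13.167, length 46
16:05:49.826057 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [S], seq 1070489598, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826072 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 673044770, win 256, length 0
16:05:49.826074 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [S.], seq 673044769, ack 1070489599, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.826070 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [S], seq 3015543207, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

IP_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (.*)$")

def endpoint(ep, with_port):
    """tcpdump prints host.port with the port (or service name such as http) last; ICMP lines have no port."""
    return ep.rpartition(".")[::2] if with_port else (ep, None)

def parse_line(line):
    """Return a dict for one IP summary line, or None for anything else (ARP, the banner, ^C, counters)."""
    m = IP_RE.match(line)
    if not m:
        return None
    ts, src, dst, info = m.groups()
    # Assumption: the DNS lines on the page carry no protocol label, so non-ICMP, non-TCP traffic is taken as UDP.
    proto = "ICMP" if info.startswith("ICMP") else "TCP" if "Flags [" in info else "UDP"
    (sh, sp), (dh, dp) = endpoint(src, proto != "ICMP"), endpoint(dst, proto != "ICMP")
    flags = info[7:info.index("]")] if proto == "TCP" else ""   # text between "Flags [" and "]"
    # "ptr" marks the reverse-DNS queries caused by tcpdump's own name resolution (use -n to avoid them).
    return {"ts": ts, "proto": proto, "src": sh, "sport": sp, "dst": dh, "dport": dp, "flags": flags, "ptr": " PTR? " in info}

def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def handshakes(records):
    """Per client->server 4-tuple, whether SYN, SYN-ACK and the client's bare ACK were all seen (order-independent: above, the ACK was printed before the SYN-ACK)."""
    seen = defaultdict(set)
    for r in records:
        if r["proto"] != "TCP":
            continue
        c2s = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["flags"] == "S":
            seen[c2s].add("SYN")
        elif r["flags"] == "S.":
            seen[(r["dst"], r["dport"], r["src"], r["sport"])].add("SYN-ACK")
        elif r["flags"] == ".":
            seen[c2s].add("ACK")
    return {k: "complete" if v >= {"SYN", "SYN-ACK", "ACK"} else "incomplete" for k, v in seen.items() if "SYN" in v}
```

On the captures above this reports the 54035 connection as complete and 54036 as incomplete (only its SYN is in SAMPLE), and flags one PTR query.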