个人原创,转载请注明,否则依法追究法律责任

2018-02-28  16:01:26

tcpdump 倾倒网络传输数据,直接启动tcpdump将监视第一个网络接口上所有流过的数据包。

1 不接任何参数,表示监听本机的eth0网卡。

如果不指定网卡,默认tcpdump只会监视第一个网络接口,一般是eth0,下面的例子都没有指定网络接口。
[root@shiyan ~]# yum -y install tcpdump    -----------------> 最小化系统里没有这个命令,先安装
[root@shiyan ~]# tcpdump > a.tx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C12 packets captured   -------------------->按下Ctrl + C 结束抓包,否则会一直的抓下去
12 packets received by filter
0 packets dropped by kernel
[root@shiyan ~]# cat a.tx
17:11:06.066490 IP 192.168.115.80.ssh > 192.168.115.118.53014: Flags [P.], seq 1346400485:1346400693, ack 499039341, win 159, length 208
17:11:06.066758 IP 192.168.115.80.46406 > cache-a.guangzhou.gd.cn.domain: 41439+ PTR? 118.115.168.192.in-addr.arpa. (46)
17:11:06.071645 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.46406: 41439 NXDomain 0/0/0 (46)
17:11:06.072785 IP 192.168.115.80.48303 > cache-a.guangzhou.gd.cn.domain: 51978+ PTR? 80.115.168.192.in-addr.arpa. (45)
17:11:06.077045 IP cache-a.guangzhou.gd.cn.domain > 192.168.115.80.48303: 51978 NXDomain 0/0/0 (45)
17:11:06.077137 IP 192.168.115.80.55070 > cache-a.guangzhou.gd.cn.domain: 21987+ PTR? 86.128.96.202.in-addr.arpa. (44)

2 指定内网中某台主机进行监听:tcpdump host 192.168.115.93
[root@shiyan ~]# tcpdump host 192.168.115.93
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:12:17.294247 ARP, Request who-has shiyan tell 192.168.115.93, length 46
17:12:37.569616 ARP, Request who-has 192.168.115.93 tell 192.168.115.80, length 28
17:12:37.569837 ARP, Reply 192.168.115.93 is-at 00:e0:4c:f4:8d:7a (oui Unknown), length 46
17:12:37.569842 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 1, length 64
17:12:37.570027 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 1, length 64
17:12:38.569404 IP 192.168.115.80 > 192.168.115.93: ICMP echo request, id 4703, seq 2, length 64
17:12:38.569714 IP 192.168.115.93 > 192.168.115.80: ICMP echo reply, id 4703, seq 2, length 64

在13.173机器监听13.167机器的httpd服务

[root@localhost ~]# tcpdump host 192.168.13.167  -------------------------------> 可以抓取到不经过本机的数据包(wirlshark没有这个功能)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:05:34.252126 ARP, Request who-has 192.168.13.254 tell 192.168.13.167, length 46
16:05:34.252380 ARP, Reply 192.168.13.254 is-at 00:50:56:f9:32:a6 (oui Unknown), length 46
16:05:34.252383 IP 192.168.13.167.bootpc > 192.168.13.254.bootps: BOOTP/DHCP, Request from 00:0c:29:30:ff:a0 (oui Unknown), length 300
16:05:34.252624 IP 192.168.13.254.bootps > 192.168.13.167.bootpc: BOOTP/DHCP, Reply, length 300
16:05:34.296671 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:35.297810 ARP, Request who-has 192.168.13.167 (Broadcast) tell 0.0.0.0, length 46
16:05:41.886341 IP 192.168.13.1.53831 > 192.168.13.167.ssh: Flags [P.], seq 2116832879:2116832927, ack 2216944518, win 252, length 48
16:05:41.886349 IP 192.168.13.167.ssh > 192.168.13.1.53831: Flags [.], ack 48, win 634, length 0
16:05:46.688388 ARP, Request who-has 192.168.13.167 (00:0c:29:30:ff:a0 (oui Unknown)) tell 192.168.13.1, length 46
16:05:46.688399 ARP, Reply 192.168.13.167 is-at 00:0c:29:30:ff:a0 (oui Unknown), length 46
16:05:49.826057 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [S], seq 1070489598, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826070 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [S], seq 3015543207, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:49.826072 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 673044770, win 256, length 0
16:05:49.826074 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [S.], seq 673044769, ack 1070489599, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.826076 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1571007700, win 256, length 0
16:05:49.826078 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
16:05:49.851846 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [P.], seq 1:590, ack 1, win 256, length 589
16:05:49.851861 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 590, win 494, length 0
16:05:49.854139 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [P.], seq 1:152, ack 590, win 494, length 151
16:05:49.854147 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [.], ack 153, win 256, length 0
16:05:49.854149 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [F.], seq 152, ack 590, win 494, length 0
16:05:49.859953 IP 192.168.13.1.54035 > 192.168.13.167.http: Flags [F.], seq 590, ack 153, win 256, length 0
16:05:49.859964 IP 192.168.13.167.http > 192.168.13.1.54035: Flags [.], ack 591, win 494, length 0
16:05:51.223523 IP 192.168.13.1.54036 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
16:05:51.223537 IP 192.168.13.167.http > 192.168.13.1.54036: Flags [S.], seq 1571007699, ack 3015543208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
^C
25 packets captured
25 packets received by filter
0 packets dropped by kernel

3 截获指定主机和指定端口的数据包
如果想要获取主机210.27.48.1接收或发出的telnet包,使用如下命令

[root@shiyan ~]# tcpdump tcp port 80 and host 192.168.115.118
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

抓取80端口的数据包过程:
yum -y install httpd
echo 111111111111111 >/var/www/html/index.html
service httpd restart
tcpdump tcp port 80 -----------> 关注该命令下的内容
其他的电脑web浏览器访问:http://192.168.13.167,继续关注上述命令下新增内容
[root@bogon ~]# tcpdump tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ---------------->以下是网页访问后的数据包情况

15:45:56.561135 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [S], seq 1718240131, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.561189 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [S.], seq 2754432551, ack 1718240132, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564132 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [S], seq 66995158, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:56.564153 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:56.564380 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.564387 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, length 0
15:45:56.573137 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [P.], seq 1:496, ack 1, win 256, length 495
15:45:56.573190 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 496, win 490, length 0
15:45:56.575931 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 1:2921, ack 496, win 490, length 2920
15:45:56.576287 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 2921, win 256, length 0
15:45:56.576338 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], seq 2921:4381, ack 496, win 490, length 1460
15:45:56.576486 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [P.], seq 4381:5660, ack 496, win 490, length 1279
15:45:56.576617 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5660, win 256, length 0
15:45:56.577674 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [F.], seq 5660, ack 496, win 490, length 0
15:45:56.577798 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [.], ack 5661, win 256, length 0
15:45:56.578929 IP 192.168.13.1.53949 > 192.168.13.167.http: Flags [F.], seq 496, ack 5661, win 256, length 0
15:45:56.578944 IP 192.168.13.167.http > 192.168.13.1.53949: Flags [.], ack 497, win 490, length 0
15:45:57.961343 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [S.], seq 827140384, ack 66995159, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
15:45:57.961536 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
15:46:07.071688 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [F.], seq 1, ack 1, win 256, length 0
15:46:07.071973 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [.], ack 2, win 457, length 0
15:46:07.072293 IP 192.168.13.167.http > 192.168.13.1.53950: Flags [F.], seq 1, ack 2, win 457, length 0
15:46:07.072521 IP 192.168.13.1.53950 > 192.168.13.167.http: Flags [.], ack 2, win 256, length 0
^C --------------------------------------------> 按下 Ctrl + C,否则会一直的抓下去。
23 packets captured
23 packets received by filter
0 packets dropped by kernel

tcpdump抓包工具的使用的更多相关文章

  1. tcpdump抓包工具

    tcpdump抓包工具 一:TCPDump介绍 ​ TcpDump可以将网络中传送的数据包的"头"完全截获下来提供分析.它支持针对网络层.协议.主机.网络或端口的过滤,并提供and ...

  2. linux下利用tcpdump抓包工具排查nginx获取客户端真实IP实例

    一.nginx后端负载服务器的API在获取客户端IP时始终只能获取nginx的代理服务器IP,排查nginx配置如下 upstream sms-resp { server ; server ; } s ...

  3. linux使用tcpdump抓包工具抓取网络数据包,多示例演示

    tcpdump是linux命令行下常用的的一个抓包工具,记录一下平时常用的方式,测试机器系统是ubuntu 12.04. tcpdump的命令格式 tcpdump的参数众多,通过man tcpdump ...

  4. Linux系统诊断必备技能之二:tcpdump抓包工具详解

    一.简述 TcpDump可以将网络中传送的数据包完全截获下来提供分析.它支持针对网络层.协议.主机.网络或端口的过滤,并提供and.or.not等逻辑语句来帮助你去掉无用的信息. Linux作为网络服 ...

  5. tcpdump抓包工具的基本使用

    为了更好的深入理解计算机网络等相关知识,例如TCP\UDP\IP等,我们就必须利用tcpdump.Wireshark等工具对网络进行分析.本篇博文主要记录一下tcpdump这个网络分析利器的一些基本使 ...

  6. Linux下通过tcpdump抓包工具获取信息

    介绍 tcpdump是网络数据包截获分析工具.支持针对网络层.协议.主机.网络或端口的过滤.并提供and.or.not等逻辑语句帮助去除无用的信息. tcpdump - dump traffic on ...

  7. tcpdump 抓包工具使用

    1. 常用命令 监听p4p1网卡上来自 192.168.162.14 的包 tcpdump -i p4p1 src host 192.168.162.14 tcpdump -i p4p1 dst po ...

  8. tcpdump抓包工具用法说明

    tcpdump采用命令行方式对接口的数据包进行筛选抓取,其丰富特性表现在灵活的表达式上. 不带任何选项的tcpdump,默认会抓取第一个网络接口,且只有将tcpdump进程终止才会停止抓包. 例如: ...

  9. 利用tcpdump抓包工具监控TCP连接的三次握手和断开连接的四次挥手

    TCP传输控制协议是面向连接的可靠的传输层协议,在进行数据传输之前,需要在传输数据的两端(客户端和服务器端)创建一个连接,这个连接由一对插口地址唯一标识,即是在IP报文首部的源IP地址.目的IP地址, ...

随机推荐

  1. Activity工作过程

    Activity工作过程: Activity.startActivity--> Activity.startActivityForResult--> Instrumentation.exe ...

  2. UVA - 11270 轮廓线DP

    其实这题还能用状压DP解决,可是时间达到2000ms只能过掉POJ2411.状压DP解法详见状压DP解POJ2411 贴上POJ2411AC代码 : 2000ms 时间复杂度h*w*(2^w)*(2^ ...

  3. AC Dream1069

    这题的加密字符 - (Fibnacci % 26),如果得到的字符小于'a',就等于加密字符 - (Fibnacci % 26)+26. 获得题目的函数如下: void getItem(){ char ...

  4. nyoj737 石子合并(一) 区间DP

    dp[x][y]表示合并[x, y]区间的石子的最小花费,将区间长度递增枚举即可. AC代码: #include<cstdio> #include<algorithm> usi ...

  5. 转:HTTPS 协议

    作者简介:罗成 腾讯云资深研发工程师 一.微信小程序接入的困境 农历新年将至,微信小程序也如期发布,开发者在接入微信小程序过程中,会遇到以下问题: 小程序要求必须通过 HTTPS 完成与服务端通信,若 ...

  6. 3_使用指针对象(Using Object Pointer)

    类的成员函数有两种调用方式,一种是由对象调用,另一种是由对象指针调用.其中,对象调用的方式为objectName.memberFunctionName(parameters),而对象指针调用的方式为o ...

  7. Ubuntu12.04LTS安装好后是空白桌面的解决步骤(更新显卡驱动)

    安装完毕启动后,明显慢的要死,登陆后竟然是一个空白的桌面环境,Ctrl+Alt+T 根本没有任何反应.唯一的反应就是右键能够创建文件和文档. 同时打开的窗口没有最大化,最小化及关闭按钮. GOOGLE ...

  8. 嵌入式linux------ffmpeg移植 编码H264(am335x编码H264)

    [cpp] view plaincopy <pre name="code" class="cpp"><pre name="code& ...

  9. MySQL插入数据异常

    MySQL插入数据异常 1.错误如下: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:Dupli ...

  10. 下载jQuery EasyUI出现网络问题

    下载jQuery EasyUI出现网络问题 1.具体错误如下 错误 137 (net::ERR_NAME_RESOLUTION_FAILED):未知错误 2.错误原因 由于DNS配置出现问题,导致该网 ...