你需要了解的 tcpdump 的 6 个选项你需要了解的 tcpdump 的 6 个选项你需要了解的 tcpdump 的 6 个选项你需要了解的 tcpdump 的 6 个选项
  • 业务
  • 目标
  • 支持
  • 登录
找到的结果: {phrase} (显示: {results_count} 共: {results_count_total})
显示: {results_count} 共: {results_count_total}

加载更多搜索结果...

搜索范围
模糊匹配
搜索标题
搜索内容

你需要了解的 tcpdump 的 6 个选项

发表 admin at 2024年8月26日
类别
  • 未分类
标签

本文是介绍这一强大tcpdump实用程序的系列文章的第二部分。您可以使用此实用程序捕获网络流量以进行故障排除和分析(以及窃听)。在第二部分中,我将演示捕获和查看数据。

7. 选项 -r

如果您已经完成了这一步并编写了一个pcap文件,那么您就知道不能使用简单的文本编辑器来读取文件内容。因此,您应该使用-r file.pcap。它会读取现有的捕获文件并将其打印为输出。

# tcpdump -r dns.pcap
reading from file dns.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
dropped privs to tcpdump
20:33:45.240421 wlp0s20f3 Out IP kkulkarni.attlocal.net.37376 > dsldevice.attlocal.net.domain: 8860+ PTR? 89.1.168.192.in-addr.arpa. (43)
20:33:45.250107 wlp0s20f3 In  IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.37376: 8860* 1/0/0 PTR kkulkarni.attlocal.net. (79)
20:33:45.253418 wlp0s20f3 Out IP kkulkarni.attlocal.net.54366 > dsldevice.attlocal.net.domain: 23092+ PTR? 1.112.168.192.in-addr.arpa. (44)
20:33:45.260212 wlp0s20f3 In  IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.54366: 23092 NXDomain* 0/0/0 (44)

[您可能还喜欢: 使用 Nmap 枚举新网络 ]

8. 主机选项

如果您想要过滤特定主机的流量,则可以使用host ip或host name捕获特定主机的数据包。

# tcpdump host redhat.com -i any -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:40:03.331999 tun0  Out IP kkulkarni > 10.4.204.55: ICMP echo request, id 3, seq 1, length 64
20:40:03.407110 tun0  In  IP 10.4.204.55 > kkulkarni: ICMP echo reply, id 3, seq 1, length 64
20:40:03.474267 tun0  Out IP kkulkarni.43846 > 10.4.204.55.hostmon: Flags [S], seq 708429466, win 64680, options [mss 1320,sackOK,TS val 2091589339 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
20:40:03.474377 tun0  Out IP kkulkarni.43848 > 10.4.204.55.hostmon: Flags [S], seq 1993455236, win 64680, options [mss 1320,sackOK,TS val 2091589340 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
4 packets captured
54 packets received by filter
0 packets dropped by kernel

您可以使用src或dst关键字来判断tcpdump捕获的数据包是否应在源地址或目标地址中包含主机,例如,您可以尝试运行tcpdump -i any src host localhost或tcpdump -i any dst host redhat.com

9.逻辑运算符

tcpdump支持and / or / not操作符作为关键字,例如tcpdump -i eth0 “host redhat.com and (port 80 or port 443)”。最好在复合表达式两边使用引号,这样 bash 就不会尝试解释括号。

# tcpdump -i any "host redhat.com and (port 22 or port 443)"
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:47:07.210126 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [S], seq 2898988806, win 64680, options [mss 1320,sackOK,TS val 2092013075 ecr 0,nop,wscale 7], length 0
20:47:07.309977 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [S.], seq 3757049161, ack 2898988807, win 3960, options [mss 1320,nop,wscale 2,nop,nop,TS val 2416723958 ecr 2092013075,sackOK,eol], length 0
20:47:07.310082 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1, win 506, options [nop,nop,TS val 2092013175 ecr 2416723958], length 0
20:47:07.336927 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 1:518, ack 1, win 506, options [nop,nop,TS val 2092013202 ecr 2416723958], length 517
20:47:07.430495 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 518, win 1119, options [nop,nop,TS val 2416724085 ecr 2092013202], length 0
20:47:07.439951 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1:1309, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.439995 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1309, win 502, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440032 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1309:2617, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.440051 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 2617, win 494, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440070 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 2617:3455, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 838
20:47:07.440084 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3455, win 488, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.442272 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 518:644, ack 3455, win 502, options [nop,nop,TS val 2092013307 ecr 2416724087], length 126
20:47:07.540457 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 644, win 1150, options [nop,nop,TS val 2416724191 ecr 2092013307], length 0
20:47:07.540516 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3455:3506, ack 644, win 1150, options [nop,nop,TS val 2416724192 ecr 2092013307], length 51
20:47:07.540549 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 0
20:47:07.541003 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 644:747, ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 103
20:47:07.642712 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 747, win 1176, options [nop,nop,TS val 2416724288 ecr 2092013406], length 0
20:47:07.642759 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3506:3664, ack 747, win 1176, options [nop,nop,TS val 2416724289 ecr 2092013406], length 158
20:47:07.642815 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 0
20:47:07.643276 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 747:778, ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 31
20:47:07.645016 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [F.], seq 778, ack 3664, win 502, options [nop,nop,TS val 2092013510 ecr 2416724289], length 0
20:47:07.740205 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740283 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [F.], seq 3664, ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740328 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3665, win 502, options [nop,nop,TS val 2092013606 ecr 2416724391], length 0
20:47:07.740358 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 779, win 1184, options [nop,nop,TS val 2416724392 ecr 2092013510], length 0

20:47:22.662001 tun0  Out IP kkulkarni.46274 > 10.4.204.55.ssh: Flags [S], seq 401723346, win 64680, options [mss 1320,sackOK,TS val 2092028527 ecr 0,nop,wscale 7], length 0
20:47:22.745682 tun0  In  IP 10.4.204.55.ssh > kkulkarni.46274: Flags [R.], seq 0, ack 401723347, win 0, length 0

10. 关键词网

可以使用net关键字通过 CIDR 表示法指定要捕获的网络。您可以使用src和dst网络 CIDR 以及逻辑运算符来更精确地过滤包。

# tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 10.0.0.0/8" -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:49:05.299091 wlp0s20f3 B   IP 192.168.1.76.49154 > 255.255.255.255.ircu-3: UDP, length 188
20:49:05.300437 wlp0s20f3 Out IP 192.168.1.89.36676 > 18.211.133.65.https: Flags [.], ack 493003385, win 2033, options [nop,nop,TS val 2037223284 ecr 885784861], length 0
20:49:06.238513 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
20:49:06.238603 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
4 packets captured
5 packets received by filter
0 packets dropped by kernel

11. 关键字 ether

可以使用ether host关键字应用过滤器,将流量捕获限制到 MAC 地址。使用-e在每个转储行上打印链路级标头。例如,这可用于打印以太网和 IEEE 802.11 等协议的 MAC 层地址。以下示例捕获第 2 层广播流量:

# tcpdump ether host ff:ff:ff:ff:ff:ff -i wlp0s20f3 -e -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:56:35.965137 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
20:56:36.886722 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
20:56:37.808286 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
20:56:39.958693 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
4 packets captured
4 packets received by filter
0 packets dropped by kernel

12. 关键字 ip6

可以使用ip6关键字捕获 IPv6 流量。以下是示例:

# tcpdump -i any ip6 host google.com -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:00:22.825749 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 1, length 64
21:00:22.863347 wlp0s20f3 In  IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 1, length 64
21:00:23.827332 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 2, length 64
21:00:23.864202 wlp0s20f3 In  IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 2, length 64
4 packets captured
7 packets received by filter
0 packets dropped by kernel

[ Red Hat 免费指南:实现业务自动化的 5 个步骤。] 

包起来

在第二部分中,您了解了使用 管理网络上数据包捕获的六个新选项tcpdump。本文以第一部分中介绍的信息为基础。在最后一部分中,您将看到另外六个有助于过滤结果的标志tcpdump。

©2015-2025 Norria support@alaica.com