Description
The tcpdump command is a packet analysis tool that captures network packets. It captures the complete headers of the packets travelling over the network so they can be analysed. It supports filtering by network layer, protocol, host, port and so on, and supports AND, OR and NOT logic to narrow the capture down to the information of interest.
If the system does not have the tcpdump command, install it with the following command:
yum -y install tcpdump
Syntax
tcpdump [option] [expression]
Common options
-i: listen on the specified network interface
-q: quick output mode; this option prints only a protocol summary for each packet, so the output is shorter
-n: do not perform DNS resolution, which speeds up the display
-nn: do not convert protocol and port numbers to names
Examples
1. Run tcpdump with no arguments to listen on the network (not recommended: the volume of data is very large)
[root@localhost ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:30:35.509979 IP 112.44.107.123.24372 > localhost.ssh: Flags [.], ack 569591219, win 257, length 0
08:30:35.510111 IP localhost.ssh > 112.44.107.123.24372: Flags [P.], seq 1:197, ack 0, win 252, length 196
08:30:35.510381 IP localhost.41232 > 100.100.2.136.domain: 59150+ PTR? 232.121.18.172.in-addr.arpa. (45)
08:30:35.510637 IP 100.100.2.136.domain > localhost.41232: 59150 NXDomain* 0/1/0 (99)
08:30:35.511294 IP localhost.58178 > 100.100.2.138.domain: 54138+ PTR? 123.107.44.112.in-addr.arpa. (45)
08:30:35.511535 IP 100.100.2.138.domain > localhost.58178: 54138 ServFail 0/0/0 (45)
08:30:35.511565 IP localhost.38680 > 100.100.2.136.domain: 54138+ PTR? 123.107.44.112.in-addr.arpa. (45)
08:30:35.511714 IP 100.100.2.136.domain > localhost.38680: 54138 ServFail 0/0/0 (45)
08:30:35.511731 IP localhost.47858 > 100.100.2.138.domain: 54138+ PTR? 123.107.44.112.in-addr.arpa. (45)
...
2. Condensed output
[root@localhost ~]# tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:31:51.358303 IP 112.44.107.123.24372 > localhost.ssh: tcp 0
08:31:51.358431 IP localhost.ssh > 112.44.107.123.24372: tcp 196
08:31:51.358739 IP localhost.34405 > 100.100.2.136.domain: UDP, length 45
08:31:51.358986 IP 100.100.2.136.domain > localhost.34405: UDP, length 99
08:31:51.359675 IP localhost.52219 > 100.100.2.138.domain: UDP, length 45
08:31:51.445333 IP 112.44.107.123.24372 > localhost.ssh: tcp 0
08:31:52.343232 IP localhost.34585 > 100.100.2.138.domain: UDP, length 50
08:31:52.343397 IP 100.100.2.138.domain > localhost.34585: UDP, length 66
08:31:52.343820 IP localhost.60058 > 100.100.0.31.http: tcp 0
08:31:52.344264 IP 100.100.0.31.http > localhost.60058: tcp 0
08:31:52.344275 IP localhost.60058 > 100.100.0.31.http: tcp 0
...
3. Listen for packets on a specified network interface
[root@localhost ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:33:13.006160 IP localhost.ssh > 112.44.107.123.24372: Flags [P.], seq 569642411:569642607, ack 1052337337, win 252, length 196
08:33:13.006506 IP localhost.39279 > 100.100.2.136.domain: 6320+ PTR? 123.107.44.112.in-addr.arpa. (45)
08:33:13.051290 IP 112.44.107.123.24372 > localhost.ssh: Flags [.], ack 196, win 254, length 0
08:33:13.285481 IP localhost.43702 > 106.11.68.13.http: Flags [P.], seq 4153309738:4153310556, ack 684080845, win 65296, length 818: HTTP
08:33:13.315863 IP 106.11.68.13.http > localhost.43702: Flags [.], ack 818, win 65535, length 0
08:33:15.008211 IP localhost.46932 > 100.100.2.138.domain: 6320+ PTR? 123.107.44.112.in-addr.arpa. (45)
08:33:16.564409 IP 106.11.68.13.http > localhost.43702: Flags [P.], seq 1:11, ack 818, win 65535, length 10: HTTP
08:33:16.564436 IP localhost.43702 > 106.11.68.13.http: Flags [.], ack 11, win 65296, length 0
...
4. Listen for packets of a specified host (results not shown here)
[root@localhost ~]# tcpdump -n host 192.168.71.108 # -n disables DNS resolution to speed up the display. The keyword host selects a specific host and may be followed by either a hostname or an IP address. This command captures all packets received and sent by host 192.168.71.108
[root@localhost ~]# tcpdump -n src host 192.168.71.108 # captures only packets sent by host 192.168.71.108
[root@localhost ~]# tcpdump -n dst host 192.168.71.108 # captures only packets received by host 192.168.71.108
5. Listen for packets on a specified port
[root@localhost ~]# tcpdump -nn port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:40:23.727883 IP 172.18.121.232.60242 > 100.100.0.31.80: Flags [S], seq 3887901584, win 29200, options [mss 1460,sackOK,TS val 2588377651 ecr 0,nop,wscale 7], length 0
08:40:23.728293 IP 100.100.0.31.80 > 172.18.121.232.60242: Flags [S.], seq 2942607909, ack 3887901585, win 14600, options [mss 1444,nop,nop,sackOK,nop,wscale 7], length 0
08:40:23.728305 IP 172.18.121.232.60242 > 100.100.0.31.80: Flags [.], ack 1, win 229, length 0
08:40:23.728733 IP 172.18.121.232.60242 > 100.100.0.31.80: Flags [P.], seq 1:277, ack 1, win 229, length 276: HTTP: POST /agent/metrics/putLines HTTP/1.1
08:40:23.728745 IP 172.18.121.232.60242 > 100.100.0.31.80: Flags [P.], seq 277:6628, ack 1, win 229, length 6351: HTTP
08:40:23.729110 IP 100.100.0.31.80 > 172.18.121.232.60242: Flags [.], ack 277, win 123, length 0
08:40:23.729111 IP 100.100.0.31.80 > 172.18.121.232.60242: Flags [.], ack 1721, win 146, length 0
08:40:23.729112 IP 100.100.0.31.80 > 172.18.121.232.60242: Flags [.], ack 3165, win 169, length 0
08:40:23.729112 IP 100.100.0.31.80 > 172.18.121.232.60242: Flags [.], ack 4609, win 191, length 0
08:40:23.729113 IP 100.100.0.31.80 > 172.18.121.232.60242: Flags [.], ack 6053, win 214, length 0
08:40:23.729113 IP 100.100.0.31.80 > 172.18.121.232.60242: Flags [.], ack 6628, win 237, length 0
...
6. Listen for packets of a specified protocol; common protocols are ip, arp, icmp, tcp, udp and so on
[root@localhost ~]# tcpdump -n arp # capture ARP packets
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
1 packet received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -n tcp # capture TCP packets
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:43:38.844982 IP 172.18.121.232.ssh > 112.44.107.123.24372: Flags [P.], seq 569714687:569714883, ack 1052341389, win 252, length 196
08:43:38.845103 IP 112.44.107.123.24372 > 172.18.121.232.ssh: Flags [.], ack 0, win 251, length 0
08:43:38.845154 IP 172.18.121.232.ssh > 112.44.107.123.24372: Flags [P.], seq 196:472, ack 1, win 252, length 276
08:43:38.845182 IP 172.18.121.232.ssh > 112.44.107.123.24372: Flags [P.], seq 472:636, ack 1, win 252, length 164
7. Combining multiple filter conditions; the operators are and, or and !
[root@localhost ~]# tcpdump -nn host 112.44.107.123 and port 80 # only packets exchanged between the current host and 112.44.107.123 on port 80 (options such as -nn go before the filter expression, not inside it)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:47:06.606537 IP 112.44.107.123.24224 > 172.18.121.232.80: Flags [S], seq 501559752, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
08:47:06.606571 IP 172.18.121.232.80 > 112.44.107.123.24224: Flags [S.], seq 3073971976, ack 501559753, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:47:06.606912 IP 112.44.107.123.24225 > 172.18.121.232.80: Flags [S], seq 1744237621, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
08:47:06.606921 IP 172.18.121.232.80 > 112.44.107.123.24225: Flags [S.], seq 4092866454, ack 1744237622, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:47:06.606953 IP 112.44.107.123.24226 > 172.18.121.232.80: Flags [S], seq 2317416972, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
08:47:06.606956 IP 172.18.121.232.80 > 112.44.107.123.24226: Flags [S.], seq 2804067275, ack 2317416973, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:47:06.648779 IP 112.44.107.123.24225 > 172.18.121.232.80: Flags [.], ack 1, win 257, length 0
08:47:06.649794 IP 112.44.107.123.24226 > 172.18.121.232.80: Flags [.], ack 1, win 257, length 0
08:47:06.650983 IP 112.44.107.123.24224 > 172.18.121.232.80: Flags [.], ack 1, win 257, length 0
...
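The host, port and protocol filters in sections 4 to 7 tell tcpdump what to show, but reading the raw lines by eye does not scale. As an added example that is not part of the original page, the following Python script consumes `tcpdump -nn` output of the kind shown above (piped in with `-l` for line-buffered output), groups the segments into connections, classifies each connection's handshake state from the Flags field, and flags source addresses that keep opening connections that never complete. The SAMPLE lines are constructed for this example: the first five are copied from the section 7 output, the remaining packet lines (including the 198.51.100.7 documentation address) are made up, and the script name tcp_summary.py is assumed.

```python
import re
import sys
from collections import defaultdict

# Matches one TCP line of `tcpdump -nn` output (numeric hosts and ports), e.g.
# 08:47:06.606537 IP 112.44.107.123.24224 > 172.18.121.232.80: Flags [S], seq ..., length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

# Constructed sample input: lines 1-5 are copied from the section 7 capture above,
# the rest are made up (198.51.100.7 is a documentation address). The banner line
# at the end shows that non-TCP lines are skipped rather than crashing the parser.
SAMPLE = """\
08:47:06.606537 IP 112.44.107.123.24224 > 172.18.121.232.80: Flags [S], seq 501559752, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
08:47:06.606571 IP 172.18.121.232.80 > 112.44.107.123.24224: Flags [S.], seq 3073971976, ack 501559753, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:47:06.606912 IP 112.44.107.123.24225 > 172.18.121.232.80: Flags [S], seq 1744237621, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
08:47:06.606921 IP 172.18.121.232.80 > 112.44.107.123.24225: Flags [S.], seq 4092866454, ack 1744237622, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:47:06.650983 IP 112.44.107.123.24224 > 172.18.121.232.80: Flags [.], ack 1, win 257, length 0
08:47:06.651500 IP 112.44.107.123.24224 > 172.18.121.232.80: Flags [P.], seq 1:277, ack 1, win 257, length 276: HTTP: GET / HTTP/1.1
08:47:07.100001 IP 198.51.100.7.40001 > 172.18.121.232.80: Flags [S], seq 1, win 64240, length 0
08:47:07.100002 IP 198.51.100.7.40002 > 172.18.121.232.80: Flags [S], seq 1, win 64240, length 0
08:47:07.100003 IP 198.51.100.7.40003 > 172.18.121.232.80: Flags [S], seq 1, win 64240, length 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
"""


def parse_line(line):
    """Parse one tcpdump line; return None for lines that are not TCP (banner, UDP, ARP, ...)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    seg = m.groupdict()
    for k in ("sport", "dport", "length"):
        seg[k] = int(seg[k])
    return seg


def handshake_state(c):
    """Classify a connection from the flags seen so far."""
    if c["syn"] and c["synack"] and c["ack_after_synack"]:
        return "established"   # full three-way handshake observed
    if c["syn"] and c["synack"]:
        return "half-open"     # server answered, client never completed (SYN-flood pattern)
    if c["syn"]:
        return "syn-only"      # nobody answered: closed/filtered port, or the reply was dropped
    return "mid-stream"        # capture started after the handshake


def summarize(lines):
    """Group segments into connections keyed by the sorted (ip, port) endpoint pair."""
    conns = {}
    for line in lines:
        seg = parse_line(line)
        if seg is None:
            continue
        a, b = (seg["src"], seg["sport"]), (seg["dst"], seg["dport"])
        key = tuple(sorted((a, b)))
        c = conns.setdefault(key, {"initiator": None, "syn": False, "synack": False,
                                   "ack_after_synack": False, "bytes": defaultdict(int)})
        flags = seg["flags"]
        if flags == "S":
            c["initiator"], c["syn"] = a, True
        elif flags == "S.":
            c["synack"] = True
        elif c["synack"] and a == c["initiator"] and "R" not in flags:
            c["ack_after_synack"] = True   # any later non-RST segment from the initiator carries the ACK
        c["bytes"][seg["src"]] += seg["length"]   # payload bytes per sender
    return {key: {"initiator": c["initiator"][0] if c["initiator"] else None,
                  "state": handshake_state(c),
                  "bytes": dict(c["bytes"])}
            for key, c in conns.items()}


def suspicious_initiators(summary, min_incomplete=3):
    """Source IPs with at least min_incomplete connections that never became established."""
    counts = defaultdict(int)
    for info in summary.values():
        if info["initiator"] and info["state"] in ("syn-only", "half-open"):
            counts[info["initiator"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_incomplete}


if __name__ == "__main__":
    # Usage: tcpdump -nn -l port 80 | python3 tcp_summary.py   (with no pipe, the SAMPLE is used)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    result = summarize(source)
    for (a, b), info in result.items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {info['state']:<11} bytes={info['bytes']}")
    for ip, n in suspicious_initiators(result).items():
        print(f"WARNING: {ip} opened {n} connections that never completed the handshake")
```

Run on the sample, the two 112.44.107.123 connections come out as established and half-open, the three 198.51.100.7 connections as syn-only, and only 198.51.100.7 crosses the default threshold of three incomplete connections. Feeding a live `tcpdump -nn -l port 80` into it gives the same per-connection view without the DNS lookups that section 4 warns slow the display down.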