
Commonly used tcpdump options: part one

Author: 老率的IT私房菜 | Published 2022-01-04 01:46

tcpdump captures and analyses network traffic. System administrators can use it to watch live traffic, or to save the output to a file and analyse it later. Six commonly used options are listed below.

The -D option

tcpdump's -D option lists the available interface devices. Once you have this list you can decide which interface to capture traffic on. It also tells you whether an interface is up and running, and whether it is a loopback interface, as shown below:

[root@localhost ~]# tcpdump -D
1.ens160 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (All USB buses) [none]
8.usbmon1 (USB bus number 1)
9.usbmon2 (USB bus number 2)

The -c [number] option

The -c option captures X packets and then stops; otherwise tcpdump keeps running indefinitely. Use it when you only want a small sample of packets. Note that if there is no traffic on the interface, tcpdump will keep waiting.

[root@localhost ~]# tcpdump -c 5 -i any
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:33:47.713379 IP localhost.localdomain.ssh > 192.168.43.1.39970: Flags [P.], seq 714380127:714380371, ack 1854022435, win 388, length 244
17:33:47.713785 IP localhost.localdomain.36821 > _gateway.domain: 36365+ PTR? 1.43.168.192.in-addr.arpa. (43)
17:33:47.713939 IP 192.168.43.1.39970 > localhost.localdomain.ssh: Flags [.], ack 244, win 4104, length 0
17:33:47.716053 IP _gateway.domain > localhost.localdomain.36821: 36365 NXDomain 0/1/0 (78)
17:33:47.716543 IP localhost.localdomain.57441 > _gateway.domain: 61445+ PTR? 131.43.168.192.in-addr.arpa. (45)
5 packets captured
9 packets received by filter
0 packets dropped by kernel

The -n option

The -n option does not resolve IP addresses to hostnames; addresses are shown as plain IPs:

[root@localhost ~]# tcpdump -c 5 -i any -n
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:36:38.980756 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 714383039:714383283, ack 1854024303, win 388, length 244
17:36:38.981032 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 244:440, ack 1, win 388, length 196
17:36:38.981096 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 440:604, ack 1, win 388, length 164
17:36:38.981153 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 604:768, ack 1, win 388, length 164
17:36:38.981208 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 768:932, ack 1, win 388, length 164
5 packets captured
5 packets received by filter
0 packets dropped by kernel


The -s option

Running tcpdump with -sXXX lets you control how much of each packet is captured. In the third line of the previous output you can see the capture size reported as 262144 bytes. You can change this with the -s option. If you only want to inspect packet headers, you can capture with a smaller size:

[root@localhost ~]# tcpdump -c 5 -i any -n -s64
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
17:47:44.437891 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 714405271:714405515, ack 1854033767, win 388, length 244
17:47:44.438153 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 244:440, ack 1, win 388, length 196
17:47:44.438220 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 440:604, ack 1, win 388, length 164
17:47:44.438301 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 604:768, ack 1, win 388, length 164
17:47:44.438361 IP 192.168.43.131.ssh > 192.168.43.1.39970: Flags [P.], seq 768:932, ack 1, win 388, length 164
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Capturing by port

tcpdump lets you select packets that use a given port as source or destination. For example, to capture DNS traffic you can use port 53. You can prefix port with src or dst, as in src port 53 or dst port 53, to filter further.

[root@localhost ~]# tcpdump -i any port 53 -n
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:50:48.158109 IP 192.168.43.131.47054 > 192.168.43.2.domain: 58704+ A? www.baidu.com. (31)
17:50:48.158152 IP 192.168.43.131.47054 > 192.168.43.2.domain: 60504+ AAAA? www.baidu.com. (31)
17:50:48.159180 IP 192.168.43.2.domain > 192.168.43.131.47054: 60504 1/1/0 CNAME www.a.shifen.com. (115)
17:50:48.162018 IP 192.168.43.2.domain > 192.168.43.131.47054: 58704 3/0/0 CNAME www.a.shifen.com., A 180.101.49.11, A 180.101.49.12 (90)

The following captures only packets with source port 53; the -nn option means neither IP addresses nor port numbers are resolved:

[root@localhost ~]# tcpdump -c 5 -i any src port 53 -nn -s64
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
18:00:41.604216 IP 192.168.43.2.53 > 192.168.43.131.48245: 50676[|domain]
18:00:41.606390 IP 192.168.43.2.53 > 192.168.43.131.48245: 19947[|domain]
18:00:41.631001 IP 192.168.43.2.53 > 192.168.43.131.54536: 31350 NXDomain[|domain]
18:00:46.110591 IP 192.168.43.2.53 > 192.168.43.131.42379: 17512[|domain]
18:00:46.110603 IP 192.168.43.2.53 > 192.168.43.131.42379: 40562[|domain]
5 packets captured
5 packets received by filter
0 packets dropped by kernel

The following captures only packets with destination port 53:

[root@localhost ~]# tcpdump -c 5 -i any dst port 53 -nn -s64
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
18:01:22.568585 IP 192.168.43.131.49444 > 192.168.43.2.53: 27625+[|domain]
18:01:22.568623 IP 192.168.43.131.49444 > 192.168.43.2.53: 42481+[|domain]
18:01:22.595257 IP 192.168.43.131.45790 > 192.168.43.2.53: 28116+[|domain]
18:01:23.850730 IP 192.168.43.131.34861 > 192.168.43.2.53: 23444+[|domain]
18:01:23.850762 IP 192.168.43.131.34861 > 192.168.43.2.53: 23964+[|domain]
5 packets captured
5 packets received by filter
0 packets dropped by kernel
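Added example, not part of the original post: a small POSIX shell helper that post-processes the kind of DNS capture output shown in the port 53 sessions above. It pulls the query type and name out of "port 53 -n" lines, counts records that tcpdump printed as [|domain] (with -s64 the DNS payload is cut off, because the cooked-link, IP and UDP headers already take 44 of the 64 bytes), and reads the "dropped by kernel" counter from the trailer so a script can tell whether the capture is complete before relying on it. The sample lines are constructed from the output on this page.

```shell
#!/bin/sh
# Added example: post-process tcpdump "port 53 -n" output (not from the original post).
# Sample input constructed from lines shown on this page, with a non-zero drop count added.
SAMPLE_DNS='17:50:48.158109 IP 192.168.43.131.47054 > 192.168.43.2.domain: 58704+ A? www.baidu.com. (31)
17:50:48.158152 IP 192.168.43.131.47054 > 192.168.43.2.domain: 60504+ AAAA? www.baidu.com. (31)
17:50:48.159180 IP 192.168.43.2.domain > 192.168.43.131.47054: 60504 1/1/0 CNAME www.a.shifen.com. (115)
4 packets captured
6 packets received by filter
2 packets dropped by kernel'

# Same kind of traffic captured with -s64: tcpdump cannot decode the DNS payload and prints [|domain].
SAMPLE_TRUNC='18:00:41.604216 IP 192.168.43.2.53 > 192.168.43.131.48245: 50676[|domain]
18:00:41.606390 IP 192.168.43.2.53 > 192.168.43.131.48245: 19947[|domain]
5 packets captured
5 packets received by filter
0 packets dropped by kernel'

# Print "TYPE name" for every DNS query line. A query line carries a field ending in "?"
# (A?, AAAA?, PTR? ...) followed by the name looked up; answer lines have no such field.
dns_queries() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[A-Z]+\?$/) {
        printf "%s %s\n", substr($i, 1, length($i) - 1), $(i + 1)
        break
      }
  }'
}

# Count records whose DNS payload was cut off by the snaplen (-s). A non-zero count means
# the capture size is too small for the analysis you want to do on this traffic.
truncated_count() {
  awk 'index($0, "[|domain]") { n++ } END { print n + 0 }'
}

# Read the kernel drop counter from the trailer tcpdump prints when it stops. Any drops
# mean the capture is incomplete, which matters before drawing conclusions from it.
kernel_drops() {
  awk '/packets dropped by kernel/ { d = $1 } END { print d + 0 }'
}

# Usage on the constructed samples:
printf '%s\n' "$SAMPLE_DNS" | dns_queries
printf '%s\n' "$SAMPLE_DNS" | kernel_drops       # 2
printf '%s\n' "$SAMPLE_TRUNC" | truncated_count  # 2
```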

The -w option

To write tcpdump's output to a file, use the -w option. Add -v if you want to see how many packets have been written.

[root@localhost ~]# tcpdump -c 4 -i any port 53 -nn -w dns.pcap -v
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
4 packets captured
6 packets received by filter
0 packets dropped by kernel

Summary

tcpdump is an excellent tool for collecting data about network traffic. Packet captures provide useful information for both troubleshooting and security analysis.

Article link: https://www.haomeiwen.com/subject/efzfcrtx.html