tcpdump packet capture
The third packet of the handshake is shown as ack 1 (a relative value); pass the -S option to see the absolute sequence number instead.
yum install tcpdump -y
tcpdump --version
tcpdump --help
man tcpdump
# tcpdump version 4.9.2
# libpcap version 1.5.3
# tcpdump - dump traffic on a network
# SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q|-P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
-A Print packets in ASCII; commonly used when capturing web (HTTP) traffic
-c count Exit after receiving count packets; without it, tcpdump keeps listening until stopped manually
-i interface Listen on the given network interface, e.g. -i eth0, -i lo
-n Show IP addresses instead of host names
-nn Show IP addresses and port numbers instead of host names and service names
-S Print absolute rather than relative TCP sequence numbers
-w file Write the captured packets to file
-r file Read packets back from a file saved with -w file
-x Print each packet in hex
-X Print each packet in hex and ASCII
# Common expressions
'host foo', 'host 127.0.0.1': a single host.
'net 192.168': a network range.
'src host 127.0.0.1', 'dst net 192.168': restrict by source (src) or destination (dst).
'tcp port 21': restrict by protocol, e.g. tcp, udp, arp, ether.
Combine conditions with and, or, not.
# Examples
tcpdump -i eth0 -nn -c 3 # capture 3 packets on eth0
tcpdump -i lo -nn # listen on lo; run ssh localhost from another terminal to see the three-way handshake (note: in this run the ssh attempt ended with ssh_exchange_identification: read: Connection reset by peer)
tcpdump -i lo -nn -w lo.dump # save the capture to a file
tcpdump -r lo.dump -nn # read the dump file back (the third packet shows ack 1)
reading from file lo.dump, link-type EN10MB (Ethernet)
14:41:13.115595 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [S], seq 2495914416, win 43690, options [mss 65495,sackOK,TS val 3178925769 ecr 0,nop,wscale 7], length 0
14:41:13.115617 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [S.], seq 4147432035, ack 2495914417, win 43690, options [mss 65495,sackOK,TS val 3178925769 ecr 3178925769,nop,wscale 7], length 0
14:41:13.115633 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [.], ack 1, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 0
14:41:13.115960 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [P.], seq 1:22, ack 1, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 21
14:41:13.115971 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [.], ack 22, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 0
14:41:18.126591 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [R.], seq 1, ack 22, win 342, options [nop,nop,TS val 0 ecr 3178925769], length 0
# Flags [P.], seq 1:22: these are relative sequence numbers; -S shows the absolute ones. PUSH, carrying data in the sequence range 1 to 22 (length 21 as shown in the same line)
tcpdump -r lo.dump -nn -S # with -S, TCP sequence numbers are shown as absolute values
reading from file lo.dump, link-type EN10MB (Ethernet)
14:41:13.115595 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [S], seq 2495914416, win 43690, options [mss 65495,sackOK,TS val 3178925769 ecr 0,nop,wscale 7], length 0
14:41:13.115617 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [S.], seq 4147432035, ack 2495914417, win 43690, options [mss 65495,sackOK,TS val 3178925769 ecr 3178925769,nop,wscale 7], length 0
14:41:13.115633 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [.], ack 4147432036, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 0
14:41:13.115960 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [P.], seq 2495914417:2495914438, ack 4147432036, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 21
14:41:13.115971 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [.], ack 2495914438, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 0
14:41:18.126591 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [R.], seq 4147432036, ack 2495914438, win 342, options [nop,nop,TS val 0 ecr 3178925769], length 0
tcpdump -r lo.dump -nn -S src host 127.0.0.1 and src port 22 # filter by IP address and port
tcpdump -r lo.dump -nn -X # show packet contents in hex and ASCII; in this example the string SSH is visible in the [P.] PUSH packet.
# man tcpdump says: For the expression syntax, see pcap-filter(7).
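As an added example (not part of the original notes), the shell function below reproduces what tcpdump does in its default mode: it takes the -S listing above, remembers each direction's ISN from the SYN and SYN-ACK, and rewrites every later seq/ack as an offset from that ISN, so the result is the default (relative) listing. It goes slightly beyond the capture above by also wrapping modulo 2^32 and leaving flows without a SYN absolute, as tcpdump does. Assumes only a POSIX shell and awk; the capture lines are copied from this page so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original notes: rebuild tcpdump's default
# (relative) sequence-number display from the -S (absolute) listing.
# Handshake packets (SYN, SYN-ACK) keep absolute values, as in tcpdump.

# Input: the six -S lines captured on lo above (embedded so this runs offline).
CAPTURE_ABS='14:41:13.115595 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [S], seq 2495914416, win 43690, options [mss 65495,sackOK,TS val 3178925769 ecr 0,nop,wscale 7], length 0
14:41:13.115617 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [S.], seq 4147432035, ack 2495914417, win 43690, options [mss 65495,sackOK,TS val 3178925769 ecr 3178925769,nop,wscale 7], length 0
14:41:13.115633 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [.], ack 4147432036, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 0
14:41:13.115960 IP 127.0.0.1.50017 > 127.0.0.1.22: Flags [P.], seq 2495914417:2495914438, ack 4147432036, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 21
14:41:13.115971 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [.], ack 2495914438, win 342, options [nop,nop,TS val 3178925769 ecr 3178925769], length 0
14:41:18.126591 IP 127.0.0.1.22 > 127.0.0.1.50017: Flags [R.], seq 4147432036, ack 2495914438, win 342, options [nop,nop,TS val 0 ecr 3178925769], length 0'

# Rewrite absolute seq/ack numbers read on stdin as relative ones.
to_relative() {
    awk '
    # offset from the ISN, wrapping modulo 2^32 like the real sequence space
    function rel(x, base,  v) { v = x - base; if (v < 0) v += 4294967296; return v }
    {
        src = $3; dst = $5; sub(/:$/, "", dst)   # "127.0.0.1.50017" and "127.0.0.1.22:"
        fwd = src ">" dst; rev = dst ">" src      # one ISN per direction of the flow
        syn = index($7, "S") > 0                  # $7 is "[S]," or "[S.]," on handshake packets
        if (syn && match($0, /seq [0-9]+/))
            isn[fwd] = substr($0, RSTART + 4, RLENGTH - 4)   # remember the ISN of this direction
        if (!syn) {   # a flow whose SYN was never seen has isn 0 and so stays absolute
            if (match($0, /seq [0-9]+:[0-9]+/)) {
                split(substr($0, RSTART + 4, RLENGTH - 4), r, ":")
                $0 = substr($0, 1, RSTART - 1) "seq " rel(r[1], isn[fwd]) ":" rel(r[2], isn[fwd]) substr($0, RSTART + RLENGTH)
            } else if (match($0, /seq [0-9]+/)) {
                s = substr($0, RSTART + 4, RLENGTH - 4)
                $0 = substr($0, 1, RSTART - 1) "seq " rel(s, isn[fwd]) substr($0, RSTART + RLENGTH)
            }
            if (match($0, /ack [0-9]+/)) {        # ack is relative to the ISN of the other direction
                a = substr($0, RSTART + 4, RLENGTH - 4)
                $0 = substr($0, 1, RSTART - 1) "ack " rel(a, isn[rev]) substr($0, RSTART + RLENGTH)
            }
        }
        print
    }'
}

# Convert the embedded capture; the output matches the default tcpdump listing.
relative_view() {
    printf '%s\n' "$CAPTURE_ABS" | to_relative
}

relative_view
```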
man pcap-filter
# pcap-filter - packet filter syntax
The filter expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:
type   type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net, port and portrange. E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'. If there is no type qualifier, host is assumed.
dir    dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst, src and dst, ra, ta, addr1, addr2, addr3, and addr4. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. The ra, ta, addr1, addr2, addr3, and addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. For some link layers, such as SLIP and the ``cooked'' Linux capture mode used for the ``any'' device and for some other device types, the inbound and outbound qualifiers can be used to specify a desired direction.
proto  proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange 7000-7009', `wlan addr2 0:2:3:4:5:6'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.