基础命令
- tcpdump -D 打印当前主机上所有的网卡
[root@k8s-master ~]# tcpdump -D
1.eth0
2.docker0
3.nflog (Linux netfilter log (NFLOG) interface)
4.nfqueue (Linux netfilter queue (NFQUEUE) interface)
5.usbmon1 (USB bus number 1)
6.br-3e5ecb11bffe
7.veth3cbdd0a
15.any (Pseudo-device that captures on all interfaces)
16.lo [Loopback]
- tcpdump -i any
-i 指定网卡
any 表示同时在所有网卡上抓包。此时 tcpdump 使用 Linux cooked 模式（输出里的 link-type LINUX_SLL），报文中不带以太网帧头，需要看 MAC 地址时请指定具体网卡
[root@k8s-master ~]# tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:00:52.481918 IP k8s-master.hans.abc.ssh > 120.237.110.62.51260: Flags [P.], seq 2554297159:2554297355, ack 1206348636, win 369, options [nop,nop,TS val 2819650521 ecr 1381288876], length 196
14:00:52.482204 IP k8s-master.hans.abc.57228 > 100.100.2.138.domain: 53426+ PTR? 62.110.237.120.in-addr.arpa. (45)
14:00:52.498029 IP localhost.38020 > localhost.webcache: Flags [P.], seq 3340380575:3340380844, ack 214717808, win 3635, options [nop,nop,TS val 2819650537 ecr 2819648536], length 269: HTTP: GET /api/v1/namespaces/kube-system/endpoints/kube-controller-manager HTTP/1.1
- tcpdump -i eth0 -n
-n 直接显示 IP 地址，不把地址反向解析成 hostname。不加 -n 时 tcpdump 会为每个地址发起 PTR 查询（见上面输出中的 in-addr.arpa 请求），这些额外的 DNS 流量自己也会被抓进来，而且会向 DNS 服务器暴露你正在关注哪些地址；-nn 则连端口号也不再转换成服务名（如 ssh、http）
[root@k8s-master ~]# tcpdump -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:07:33.966604 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 2554595471:2554595659, ack 1206350244, win 369, options [nop,nop,TS val 2820052006 ecr 1381688562], length 188
14:07:33.966735 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 188:416, ack 1, win 369, options [nop,nop,TS val 2820052006 ecr 1381688562], length 228
14:07:33.966771 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 416:620, ack 1, win 369, options [nop,nop,TS val 2820052006 ecr 1381688562], length 204
14:07:33.966802 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 620:824, ack 1, win 369, options [nop,nop,TS val 2820052006 ecr 1381688562], length 204
- tcpdump -i eth0 -n -q
-q 显示数据包的简要信息
[root@k8s-master ~]# tcpdump -i eth0 -n -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:09:24.693978 IP 172.24.7.60.ssh > 120.237.110.62.51260: tcp 188
14:09:24.694078 IP 172.24.7.60.ssh > 120.237.110.62.51260: tcp 108
14:09:24.694124 IP 172.24.7.60.ssh > 120.237.110.62.51260: tcp 108
14:09:24.694175 IP 172.24.7.60.ssh > 120.237.110.62.51260: tcp 108
- tcpdump -i eth0 -n -v
-v 显示数据包的详细信息（IP 层的 tos、ttl、id、标志位、校验和等）
-vv 更详细的信息（例如完整解码 DNS、NTP 报文内容，见下文 udp 示例）
-vvv 最详细的信息
注意：本机发出的报文常被标记为 cksum ... (incorrect -> ...)，这通常是网卡校验和卸载（TX checksum offload）导致抓包时校验和尚未填好，不代表报文异常
[root@k8s-master ~]# tcpdump -i eth0 -n -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:11:56.703970 IP (tos 0x10, ttl 64, id 40948, offset 0, flags [DF], proto TCP (6), length 176)
172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], cksum 0x9b22 (incorrect -> 0xd6c7), seq 2554918711:2554918835, ack 1206353116, win 369, options [nop,nop,TS val 2820314743 ecr 1381950025], length 124
14:11:56.704104 IP (tos 0x10, ttl 64, id 40949, offset 0, flags [DF], proto TCP (6), length 392)
172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], cksum 0x9bfa (incorrect -> 0xe9df), seq 124:464, ack 1, win 369, options [nop,nop,TS val 2820314743 ecr 1381950025], length 340
14:11:56.704160 IP (tos 0x10, ttl 64, id 40950, offset 0, flags [DF], proto TCP (6), length 376)
- tcpdump -i eth0 -n port 80
port 80 只抓源端口或目的端口为 80 的包（不区分 TCP/UDP；只想抓 TCP 可写 tcp port 80）
[root@k8s-master ~]# tcpdump -i eth0 -n port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:17:00.827812 IP 172.24.7.60.45754 > 100.100.30.25.http: Flags [P.], seq 1723630479:1723632121, ack 3451853212, win 1432, length 1642: HTTP
14:17:00.860953 IP 100.100.30.25.http > 172.24.7.60.45754: Flags [.], ack 1642, win 24565, length 0
14:17:05.731924 IP 172.24.7.60.45754 > 100.100.30.25.http: Flags [.], seq 1642:4506, ack 1, win 1432, length 2864: HTTP
14:17:05.731943 IP 172.24.7.60.45754 > 100.100.30.25.http: Flags [.], seq 4506:7370, ack 1, win 1432, length 2864: HTTP
14:17:05.731948 IP 172.24.7.60.45754 > 100.100.30.25.http: Flags [P.], seq 7370:9820, ack 1, win 1432, length 2450: HTTP
- tcpdump -i eth0 -n -ttt
-ttt 打印当前包与前一个包之间的时间差（第一行为 00:00:00.000000），便于看延迟；-tt 打印 Unix 时间戳，-tttt 打印带日期的完整时间
[root@k8s-master ~]# tcpdump -i eth0 -n -ttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 2555010243:2555010431, ack 1206355032, win 369, options [nop,nop,TS val 2820925623 ecr 1382558653], length 188
00:00:00.000146 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 188:416, ack 1, win 369, options [nop,nop,TS val 2820925624 ecr 1382558653], length 228
00:00:00.000042 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 416:620, ack 1, win 369, options [nop,nop,TS val 2820925624 ecr 1382558653], length 204
00:00:00.024967 IP 120.237.110.62.51260 > 172.24.7.60.ssh: Flags [.], ack 0, win 2047, options [nop,nop,TS val 1382558712 ecr 2820925596], length 0
00:00:00.000052 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 620:824, ack 1, win 369, options [nop,nop,TS val 2820925649 ecr 1382558712], length 204
00:00:00.027031 IP 120.237.110.62.51260 > 172.24.7.60.ssh: Flags [.], ack 188, win 2045, options [nop,nop,TS val 1382558739 ecr 2820925623], length 0
- tcpdump -i eth0 -n -ttt -c 5
-c 抓取的数据包数量
[root@k8s-master ~]# tcpdump -i eth0 -n -ttt -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 2555064555:2555064743, ack 1206355436, win 369, options [nop,nop,TS val 2821115929 ecr 1382748162], length 188
00:00:00.000132 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 188:416, ack 1, win 369, options [nop,nop,TS val 2821115929 ecr 1382748162], length 228
00:00:00.000053 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 416:620, ack 1, win 369, options [nop,nop,TS val 2821115929 ecr 1382748162], length 204
00:00:00.024256 IP 120.237.110.62.51260 > 172.24.7.60.ssh: Flags [.], ack 0, win 2047, options [nop,nop,TS val 1382748221 ecr 2821115901], length 0
00:00:00.000060 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 620:824, ack 1, win 369, options [nop,nop,TS val 2821115953 ecr 1382748221], length 204
5 packets captured
5 packets received by filter
0 packets dropped by kernel
- tcpdump -i eth0 -n -c 100 -w network.pcap
-w 将原始抓包数据以 pcap 格式保存到文件（可用 tcpdump -r network.pcap 或 Wireshark 打开）。注意：文件中包含完整的报文载荷，例如上面抓到的明文 HTTP 请求，应限制文件权限、不要随意分享并及时清理
[root@k8s-master ~]# tcpdump -i eth0 -n -c 100 -w network.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
100 packets captured
101 packets received by filter
0 packets dropped by kernel
- tcpdump -i eth0 -n -A port 80
-A 以 ASCII 形式打印数据包的数据部分。明文协议（如 HTTP）的请求头、表单、Cookie 会直接显示出来，截图或写日志前注意脱敏
- tcpdump -i eth0 -n -XX port 80
-XX 以十六进制和 ASCII 两列同时打印整个数据包（包含链路层头部；-X 不含链路层头部）
过滤表达式
- tcpdump -n host 172.24.7.60 -c 10
host 过滤源地址或目的地址为 172.24.7.60 的包
[root@k8s-master ~]# tcpdump -n host 172.24.7.60 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:50:01.335916 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 2555116655:2555116843, ack 1206360724, win 369, options [nop,nop,TS val 2822599375 ecr 1384225326], length 188
14:50:01.336041 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 188:416, ack 1, win 369, options [nop,nop,TS val 2822599375 ecr 1384225326], length 228
14:50:01.336097 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 416:620, ack 1, win 369, options [nop,nop,TS val 2822599375 ecr 1384225326], length 204
14:50:01.336141 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 620:824, ack 1, win 369, options [nop,nop,TS val 2822599375 ecr 1384225326], length 204
14:50:01.371793 IP 172.24.7.61.48396 > 172.24.7.60.bgp: Flags [S], seq 2943307381, win 29200, options [mss 1460,sackOK,TS val 2822871190 ecr 0,nop,wscale 7], length 0
14:50:01.371880 IP 172.24.7.60.bgp > 172.24.7.61.48396: Flags [R.], seq 0, ack 2943307382, win 0, length 0
- tcpdump -n net 172.24.7.0/24 -c 10
net 过滤源地址或目的地址属于 172.24.7.0/24 网段的包
[root@k8s-master ~]# tcpdump -n net 172.24.7.0/24 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:52:16.671140 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 2555125731:2555125919, ack 1206363060, win 369, options [nop,nop,TS val 2822734710 ecr 1384360240], length 188
14:52:16.671264 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 188:416, ack 1, win 369, options [nop,nop,TS val 2822734710 ecr 1384360240], length 228
14:52:16.671316 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 416:620, ack 1, win 369, options [nop,nop,TS val 2822734710 ecr 1384360240], length 204
14:52:16.671367 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 620:824, ack 1, win 369, options [nop,nop,TS val 2822734710 ecr 1384360240], length 204
14:52:16.671412 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 824:1028, ack 1, win 369, options [nop,nop,TS val 2822734710 ecr 1384360240], length 204
14:52:16.750446 IP 120.237.110.62.51260 > 172.24.7.60.ssh: Flags [.], ack 188, win 2045, options [nop,nop,TS val 1384360685 ecr 2822734710], length 0
14:52:16.750528 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 1028:1232, ack 1, win 369, options [nop,nop,TS val 2822734790 ecr 1384360685], length 204
14:52:16.750450 IP 120.237.110.62.51260 > 172.24.7.60.ssh: Flags [.], ack 416, win 2041, options [nop,nop,TS val 1384360685 ecr 2822734710], length 0
14:52:16.750450 IP 120.237.110.62.51260 > 172.24.7.60.ssh: Flags [.], ack 620, win 2044, options [nop,nop,TS val 1384360685 ecr 2822734710], length 0
14:52:16.750451 IP 120.237.110.62.51260 > 172.24.7.60.ssh: Flags [.], ack 824, win 2041, options [nop,nop,TS val 1384360685 ecr 2822734710], length 0
10 packets captured
11 packets received by filter
0 packets dropped by kernel
- tcpdump -n udp -c 10 -vv
udp 抓取udp协议的数据包
[root@k8s-master ~]# tcpdump -n udp -c 10 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:55:40.549850 IP (tos 0x0, ttl 63, id 917, offset 0, flags [DF], proto UDP (17), length 69)
172.24.7.60.56308 > 100.100.2.136.domain: [bad udp cksum 0x1a83 -> 0xb8f8!] 1964+ PTR? 11.0.0.127.in-addr.arpa. (41)
14:55:40.549972 IP (tos 0x0, ttl 128, id 917, offset 0, flags [DF], proto UDP (17), length 119)
100.100.2.136.domain > 172.24.7.60.56308: [no cksum] 1964 NXDomain* q: PTR? 11.0.0.127.in-addr.arpa. 0/1/0 ns: 127.in-addr.arpa. SOA localhost. root.localhost. 2008011001 604800 86400 2419200 604800 (91)
14:55:40.550359 IP (tos 0x0, ttl 63, id 918, offset 0, flags [DF], proto UDP (17), length 69)
172.24.7.60.60958 > 100.100.2.136.domain: [bad udp cksum 0x1a83 -> 0x32ab!] 55147+ PTR? 1.0.18.172.in-addr.arpa. (41)
14:55:40.550511 IP (tos 0x0, ttl 128, id 918, offset 0, flags [DF], proto UDP (17), length 123)
100.100.2.136.domain > 172.24.7.60.60958: [no cksum] 55147 NXDomain* q: PTR? 1.0.18.172.in-addr.arpa. 0/1/0 ns: 18.172.IN-ADDR.ARPA. SOA 18.172.IN-ADDR.ARPA. . 0 28800 7200 604800 86400 (95)
14:55:43.743554 IP (tos 0xc0, ttl 64, id 28800, offset 0, flags [DF], proto UDP (17), length 76)
172.24.7.60.ntp > 100.100.5.1.ntp: [bad udp cksum 0x1d03 -> 0xb01b!] NTPv4, length 48
Client, Leap indicator: (0), Stratum 3 (secondary reference), poll 10 (1024s), precision -23
Root Delay: 0.032440, Root dispersion: 0.041717, Reference-ID: 100.100.5.3
Reference Timestamp: 3754535287.098650047 (2018/12/23 14:28:07)
Originator Timestamp: 3754535867.763248015 (2018/12/23 14:37:47)
Receive Timestamp: 3754535867.779158525 (2018/12/23 14:37:47)
Transmit Timestamp: 3754536943.743525269 (2018/12/23 14:55:43)
Originator - Receive Timestamp: +0.015910509
Originator - Transmit Timestamp: +1075.980277253
- tcpdump -i eth0 udp port 53 -n
过滤udp协议的53端口的数据包
[root@k8s-master ~]# tcpdump -i eth0 udp port 53 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:08:42.816303 IP 172.24.7.60.44552 > 100.100.2.136.domain: 28325+ PTR? 11.0.0.127.in-addr.arpa. (41)
15:08:42.816494 IP 100.100.2.136.domain > 172.24.7.60.44552: 28325 NXDomain* 0/1/0 (91)
15:08:42.816960 IP 172.24.7.60.56708 > 100.100.2.136.domain: 13368+ PTR? 1.0.18.172.in-addr.arpa. (41)
15:08:42.817111 IP 100.100.2.136.domain > 172.24.7.60.56708: 13368 NXDomain* 0/1/0 (95)
15:08:50.147765 IP 172.24.7.60.46880 > 100.100.2.138.domain: 3411+ AAAA? k8s-master.hans.abc. (37)
15:08:50.147966 IP 100.100.2.138.domain > 172.24.7.60.46880: 3411 NXDomain 0/1/0 (104)
- tcpdump -i eth0 src host 172.24.7.60 and dst 120.237.110.62 -n
过滤源地址为 172.24.7.60 且目的地址为 120.237.110.62 的数据包（dst 后省略 host 与 dst host 等价）
[root@k8s-master ~]# tcpdump -i eth0 src host 172.24.7.60 and dst 120.237.110.62 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:10:53.512156 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 2555163399:2555163587, ack 1206370444, win 469, options [nop,nop,TS val 2823851551 ecr 1385473018], length 188
15:10:53.512280 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 188:416, ack 1, win 469, options [nop,nop,TS val 2823851551 ecr 1385473018], length 228
15:10:53.542816 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 416:620, ack 1, win 469, options [nop,nop,TS val 2823851582 ecr 1385473079], length 204
15:10:53.566805 IP 172.24.7.60.ssh > 120.237.110.62.51260: Flags [P.], seq 620:824, ack 1, win 469, options [nop,nop,TS val 2823851606 ecr 1385473104], length 204
- 逻辑表达式 and、or、not（也可写作 &&、||、!）。表达式较复杂时最好整体用单引号括起来，否则 !、括号等会先被 shell 解释
- or
tcpdump -i eth0 -n -q port 80 or port 443
[root@k8s-master ~]# tcpdump -i eth0 -n -q port 80 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:15:38.099776 IP 172.24.7.60.45754 > 100.100.30.25.http: tcp 2864
15:15:38.099798 IP 172.24.7.60.45754 > 100.100.30.25.http: tcp 2864
15:15:38.099804 IP 172.24.7.60.45754 > 100.100.30.25.http: tcp 1626
- and
tcpdump -i eth0 'src host 172.24.7.60 and (port 80 or port 443)'
[root@k8s-master ~]# tcpdump -i eth0 'src host 172.24.7.60 and (port 80 or port 443)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:19:52.842631 IP k8s-master.hans.abc.45754 > 100.100.30.25.http: Flags [.], seq 1726442135:1726444999, ack 3451854900, win 1432, length 2864: HTTP
15:19:52.842651 IP k8s-master.hans.abc.45754 > 100.100.30.25.http: Flags [.], seq 2864:5728, ack 1, win 1432, length 2864: HTTP
15:19:52.842656 IP k8s-master.hans.abc.45754 > 100.100.30.25.http: Flags [P.], seq 5728:6874, ack 1, win 1432, length 1146: HTTP
15:19:57.246288 IP k8s-master.hans.abc.45754 > 100.100.30.25.http: Flags [.], seq 6874:9738, ack 1, win 1432, length 2864: HTTP
15:19:57.246312 IP k8s-master.hans.abc.45754 > 100.100.30.25.http: Flags [P.], seq 9738:11068, ack 1, win 1432, length 1330: HTTP