Part 1: tcpdump help options
[root@localhost ~]# tcpdump --help
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
Part 2: Capturing with filter rules
1. Capture packets for a specific IP address
tcpdump -i eth0 host 192.168.1.100
tcpdump -i eth0 src host 192.168.1.100
tcpdump -i eth0 dst host 192.168.1.100
2. Capture traffic between a host and specific IPs (192.168.1.200 or 192.168.1.201)
tcpdump -i eth0 host 192.168.1.100 and \(192.168.1.200 or 192.168.1.201\)
3. Capture the host's traffic with everything except a specific IP (192.168.1.200)
tcpdump 'ip host 192.168.1.100 and not 192.168.1.200'
(Quote the expression and use "not" rather than a bare "!": in an interactive bash an unquoted "!192..." is treated as a history expansion, not as part of the filter.)
4. Capture packets on a specific port
tcpdump -i eth0 port 22
tcpdump -i eth0 src port 22
tcpdump -i eth0 dst port 22
5. Capture packets for a specific network
tcpdump -i eth0 net 192.168
tcpdump -i eth0 src net 192.168
tcpdump -i eth0 dst net 192.168
6. Capture packets of a specific protocol
tcpdump -i eth0 arp
tcpdump -i eth0 ip
tcpdump -i eth0 tcp
tcpdump -i eth0 udp
tcpdump -i eth0 icmp
7. Combined-condition filters
tcpdump '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.1)))'
tcpdump -i eth0 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.1)))'
tcpdump '((icmp) and ((ether dst host 00:0A:0B:03:0C:05)))'
tcpdump '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.254)))'
8. Common logical operators
NOT : ! or "not"
AND : && or "and"
OR  : || or "or"
Part 3: Filtering and viewing tcpdump capture results
1. Show the third column (the source endpoint) as IP addresses without resolving names, de-duplicated with sort -u
tcpdump -n -r test.cap | awk '{print $3}'| sort -u
2. Filter packets whose source IP is 192.168.1.100
tcpdump -n -r test.cap src host 192.168.1.100
3. Filter packets whose destination IP is 192.168.1.100
tcpdump -n -r test.cap dst host 192.168.1.100
4. Filter packets on port 53
tcpdump -n -r test.cap port 53
5. Show packets on port 80 with a hex dump
tcpdump -nX -r test.cap port 80
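Added example, not from the original post: a POSIX shell script run over a constructed sample of `tcpdump -n` text output. It shows that the third column the pipeline above prints is the source endpoint as host.port, so `sort -u` de-duplicates endpoints rather than hosts, and strips the port to count per host and per host pair. The SAMPLE text and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -r test.cap` output (not a real capture).
SAMPLE='12:00:00.000001 IP 192.168.1.100.40001 > 192.168.1.1.53: 1234+ A? example.com. (29)
12:00:00.000002 IP 192.168.1.1.53 > 192.168.1.100.40001: 1234 1/0/0 A 93.184.216.34 (45)
12:00:00.000003 IP 192.168.1.100.40002 > 192.168.1.1.53: 1235+ A? example.org. (29)
12:00:00.000004 IP 192.168.1.200.22 > 192.168.1.100.51000: Flags [P.], seq 1:33, ack 1, win 502, length 32
12:00:00.000005 ARP, Request who-has 192.168.1.254 tell 192.168.1.100, length 28'

# Unique source endpoints exactly as the page's pipeline yields them (host.port).
# Only IP lines are considered; ARP lines have a different column layout.
src_endpoints() {
    printf '%s\n' "$SAMPLE" | awk '$2 == "IP" {print $3}' | sort -u
}

# Same, but with the trailing ".port" removed so each host appears once.
src_hosts() {
    printf '%s\n' "$SAMPLE" | awk '$2 == "IP" {sub(/\.[0-9]+$/, "", $3); print $3}' | sort -u
}

# Packet count per (source host, destination host) pair, most frequent first.
# The destination column carries a trailing ":" after the port.
talkers() {
    printf '%s\n' "$SAMPLE" | awk '$2 == "IP" {
        src = $3; dst = $5
        sub(/\.[0-9]+$/, "", src); sub(/\.[0-9]+:$/, "", dst)
        print src, dst }' | sort | uniq -c | sort -rn
}
```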