运维自动抓包脚本


运维自动抓包脚本

基于tcpdump命令写的抓包脚本工具

抓包解释参考:tcpdump抓包解释

抓包效果

[root@h11 ~]# sh scripts/tcpdump.sh
>>>>>>>>>>>>>>>> 欢迎使用tcpdump抓包工具 <<<<<<<<<<<<<<<<
—————————————————————————————————————————————————————————
PS2:不想设置的条件,按Enter跳过
PS1:输入-1回车,则不过滤条件直接打印结果
—————————————————————————————————————————————————————————
说明:
   Flags标识符
   [S]     # SYN(开始连接)
   [P]     # PSH(推送数据)
   [F]     # FIN(结束连接)
   [R]     # RST(重置连接)
   [.]     # 可以用来表示ACK标志位1
—————————————————————————————————————————————————————————
>>>>>>>>>>>>>>>> 本机网卡名与IP地址如下 <<<<<<<<<<<<<<<<
br-d6845e9ca2a7 192.168.32.1
docker0 192.168.0.1
eth0 10.27.158.33
eth1 116.35.0.11
lo 127.0.0.1
veth2757587
veth8627760
—————————————————————————————————————————————————————————
请输入网卡名>>>
docker0
请输入文件名>>>

是否arp(是填arp,否则回车)>>>

流入包还是流出包(in入,out出,inout全部)>>>
in
抓多少个包>>>
40
指定协议>>>
tcp
指定端口>>>
8080
稍等几秒,正在抓取...
稍等几秒,正在抓取...
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:17:10.848265 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], ack 4135455973, win 1432, options [nop,nop,TS val 2742710829 ecr 2742710829], length 0
17:17:11.039516 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [P.], seq 0:4096, ack 1, win 1432, options [nop,nop,TS val 2742711020 ecr 2742710829], length 4096: HTTP: HTTP/1.1 200 OK
17:17:11.039659 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 4096:11336, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 7240: HTTP
17:17:11.039680 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 11336:18576, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 7240: HTTP
17:17:11.039697 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 18576:28712, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 10136: HTTP
17:17:11.039700 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 28712:38848, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 10136: HTTP
17:17:11.039726 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 38848:50432, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 11584: HTTP
17:17:11.039730 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 50432:62016, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 11584: HTTP
17:17:11.039759 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 62016:73600, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 11584: HTTP
17:17:11.039761 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [P.], seq 73600:74254, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 654: HTTP
17:17:12.341998 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [S.], seq 64182531, ack 1278531220, win 28960, options [mss 1460,sackOK,TS val 2742712323 ecr 1315369259,nop,wscale 7], length 0
17:17:12.343743 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742712325 ecr 1315369261], length 0
17:17:12.350619 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742712332 ecr 1315369261], length 842: HTTP: HTTP/1.1 200 
17:17:12.351469 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742712332 ecr 1315369268], length 0
17:17:14.229000 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [S.], seq 3202959926, ack 1054253435, win 28960, options [mss 1460,sackOK,TS val 2742714210 ecr 1315371146,nop,wscale 7], length 0
17:17:14.229372 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742714210 ecr 1315371146], length 0
17:17:14.236271 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742714217 ecr 1315371146], length 842: HTTP: HTTP/1.1 200 
17:17:14.237022 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742714218 ecr 1315371153], length 0
17:17:15.701995 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [S.], seq 2064293092, ack 832032870, win 28960, options [mss 1460,sackOK,TS val 2742715683 ecr 1315372619,nop,wscale 7], length 0
17:17:15.705772 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742715687 ecr 1315372623], length 0
17:17:15.713751 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742715695 ecr 1315372623], length 842: HTTP: HTTP/1.1 200 
17:17:15.714623 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [F.], seq 843, ack 923, win 241, options [nop,nop,TS val 2742715696 ecr 1315372631], length 0
17:17:15.714813 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [.], ack 924, win 241, options [nop,nop,TS val 2742715696 ecr 1315372632], length 0
17:17:17.501019 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [S.], seq 786960601, ack 148800111, win 28960, options [mss 1460,sackOK,TS val 2742717482 ecr 1315374418,nop,wscale 7], length 0
17:17:17.505759 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742717487 ecr 1315374423], length 0
17:17:17.513641 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742717495 ecr 1315374423], length 842: HTTP: HTTP/1.1 200 
17:17:17.514370 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742717495 ecr 1315374431], length 0
17:17:20.421409 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [S.], seq 2471822742, ack 700981135, win 28960, options [mss 1460,sackOK,TS val 2742720402 ecr 1315377338,nop,wscale 7], length 0
17:17:20.421864 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [.], ack 900, win 241, options [nop,nop,TS val 2742720403 ecr 1315377339], length 0
17:17:20.464331 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [P.], seq 1:825, ack 900, win 241, options [nop,nop,TS val 2742720445 ecr 1315377339], length 824: HTTP: HTTP/1.1 404 
17:17:20.464533 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [F.], seq 825, ack 900, win 241, options [nop,nop,TS val 2742720445 ecr 1315377339], length 0
17:17:20.464764 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [.], ack 901, win 241, options [nop,nop,TS val 2742720446 ecr 1315377382], length 0
17:17:23.141003 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [S.], seq 2651709246, ack 1905985077, win 28960, options [mss 1460,sackOK,TS val 2742723122 ecr 1315380058,nop,wscale 7], length 0
17:17:23.141428 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [.], ack 897, win 241, options [nop,nop,TS val 2742723122 ecr 1315380058], length 0
17:17:23.147550 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [P.], seq 1:843, ack 897, win 241, options [nop,nop,TS val 2742723128 ecr 1315380058], length 842: HTTP: HTTP/1.1 200 
17:17:23.148423 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [F.], seq 843, ack 898, win 241, options [nop,nop,TS val 2742723129 ecr 1315380065], length 0
17:17:24.762418 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [S.], seq 3174615154, ack 3246731667, win 28960, options [mss 1460,sackOK,TS val 2742724743 ecr 1315381679,nop,wscale 7], length 0
17:17:24.762846 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742724744 ecr 1315381680], length 0
17:17:24.769061 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742724750 ecr 1315381680], length 842: HTTP: HTTP/1.1 200 
17:17:24.769863 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742724751 ecr 1315381686], length 0
40 packets captured
91 packets received by filter
0 packets dropped by kernel

tcpdump.sh

[root@h11 ~]# cat scripts/tcpdump.sh
#!/bin/bash
###############################################################
# 这是一个tcpdump的脚本
# 其中,各个数组作用如下
# func:用户输入的参数
# prompt:给用户的提示
# options:各个参数前面的选项
# FUNC:最后所执行的选项,也就是func和option的组合
# conditionnum:条件个数
# 如果要想添加额外条件,你需要做以下步骤
# 1、加几个条件,对应的conditionnum就加几
# 2、option加上前面相应的参数,注意后面要加上一个空格
# 3、prompt加上相应提示
# ------------------------------------------------------------
#   常用选项
#   -i       #监听哪一个网卡 any为所有网卡
#   -n       #不把ip解析成主机名
#   -nn      #不把端口解析成应用层协议
#   -c       #指定抓包的数量
#   -S       #不把随机序列和确认序列解析成绝对值
#   -w       #将流量保存到文件中,文件中的信息是无法直接查看的
#   -r       #读取文件中的内容
#   -v       #输出一个稍微详细的信息,例如在ip包中可以包括ttl和服务类型的信息
#   -vv      #输出详细的报文信息

#   Flags标识符
#   [S]     # SYN(开始连接)
#   [P]     # PSH(推送数据)
#   [F]     # FIN(结束连接)
#   [R]     # RST(重置连接)
#   [.]     # 可以用来表示ACK标志位1
#   
#   # 输出内容结构
#   时间
#   协议
#   发送方IP+端口号
#   数据流向
#   接收方IP+端口号
#   冒号
#   数据包内容:包含Flags标识符,seq号,ack号,win窗口,数据长度length
###############################################################
# 抓取网卡:any、eth0、docker0 或其他
# 抓取端口:需指定容器的内网端口,比如8886:8080,则需输入8080
###############################################################

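#######################################
# Print every interface name with its first IPv4 address, one per line.
# Interfaces without an IPv4 address (veth*, bridges without an address)
# are printed as the bare name.
# Globals:   none (the original exported arrays a and b; nothing reads them)
# Arguments: none
# Outputs:   "<iface> <ipv4>" or "<iface>" lines on stdout
# Returns:   0
#######################################
Get_ip() {
  local iface addr
  # Interface names are the first field of the "name: flags=..." header
  # lines. The grep pattern is quoted so the shell cannot glob-expand it.
  while IFS= read -r iface; do
    # Query each interface on its own so the name and address stay paired.
    # The original collected names and "inet" lines into two independent
    # arrays and mis-aligned them as soon as one interface had no address
    # (visible in the sample output: the veth entries have no IP).
    # "inet " (with the trailing space) deliberately does not match "inet6".
    # The sub() also tolerates the older "inet addr:x.x.x.x" ifconfig format.
    addr=$(ifconfig "$iface" 2>/dev/null \
      | awk '/^[[:space:]]*inet /{sub(/^addr:/, "", $2); print $2; exit}')
    printf '%s%s\n' "$iface" "${addr:+ $addr}"
  done < <(ifconfig | grep '^[a-z]' | awk -F: '{print $1}')
}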

Readme() {
echo "说明:
   Flags标识符
   [S]     # SYN(开始连接)
   [P]     # PSH(推送数据)
   [F]     # FIN(结束连接)
   [R]     # RST(重置连接)
   [.]     # 可以用来表示ACK标志位1"
}

#######################################
# Clear the screen and print the banner: usage hints, the flag legend
# (Readme) and the interface/IP table (Get_ip).
# Arguments: none
# Outputs:   banner on stdout
#######################################
Welcome() {
  local -r rule="—————————————————————————————————————————————————————————"
  clear
  printf '%s\n' \
    ">>>>>>>>>>>>>>>> 欢迎使用tcpdump抓包工具 <<<<<<<<<<<<<<<<" \
    "$rule" \
    "PS2:不想设置的条件,按Enter跳过" \
    "PS1:输入-1回车,则不过滤条件直接打印结果" \
    "$rule"
  Readme
  printf '%s\n' "$rule" ">>>>>>>>>>>>>>>> 本机网卡名与IP地址如下 <<<<<<<<<<<<<<<<"
  Get_ip
  printf '%s\n' "$rule"
}

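#######################################
# Prompt for each capture condition, assemble the tcpdump command line from
# the answers and run it.
# Each index of func/options/prompt describes the same condition:
#   0 interface (-i), 1 output file (-w), 2 arp filter, 3 direction (-Q),
#   4 packet count (-c), 5 protocol filter, 6 port filter
# options[i] starting with "-" is a tcpdump flag that takes the answer as
# its value; any other options[i] is a filter keyword that is prefixed to
# the answer ("" means the answer itself is the filter clause).
# An empty answer skips that condition. Answering "-1" stops prompting and
# runs tcpdump with the conditions entered so far (the original behaviour).
# Globals:   none
# Arguments: none (interactive; reads answers from stdin)
# Outputs:   prompts and tcpdump output on stdout
# Returns:   tcpdump's exit status, or 1 when tcpdump is not installed
#######################################
Get_package() {
  local -a func=() args=() clauses=()
  local -a options=('-i' '-w' '' '-Q' '-c' '' 'port')
  local -a prompt=('请输入网卡名>>>' "请输入文件名>>>" "是否arp(是填arp,否则回车)>>>" "流入包还是流出包(in入,out出,inout全部)>>>" "抓多少个包>>>" "指定协议>>>" "指定端口>>>")
  local -r conditionnum=${#prompt[@]}
  local i answer expr=""

  command -v tcpdump >/dev/null || {
    printf '%s\n' "tcpdump not found in PATH" >&2
    return 1
  }

  for ((i = 0; i < conditionnum; i++)); do
    printf '%s\n' "${prompt[i]}"
    # -r keeps backslashes literal; EOF on stdin ends prompting instead of
    # spinning through the remaining prompts with empty answers.
    IFS= read -r answer || break
    [[ "$answer" == "-1" ]] && break
    func[i]=$answer
  done

  for ((i = 0; i < ${#func[@]}; i++)); do
    [[ -n "${func[i]}" ]] || continue
    if [[ "${options[i]}" == -* ]]; then
      # Flag and value are separate argv words; the original joined them into
      # one unquoted string and relied on word-splitting, which also
      # glob-expanded and split any answer containing spaces or '*'.
      args+=("${options[i]}" "${func[i]}")
    else
      # Filter clause. The original passed the arp answer as "-b arp";
      # tcpdump's -b (print BGP AS numbers in ASDOT notation) takes no
      # argument, so "arp" leaked into the filter expression without an
      # "and" and the capture failed with a syntax error.
      clauses+=("${options[i]}${options[i]:+ }${func[i]}")
    fi
  done

  # Join the clauses with "and", each parenthesised so an answer such as
  # "tcp or udp" cannot change the precedence of the other clauses.
  for answer in "${clauses[@]}"; do
    expr+="${expr:+ and }($answer)"
  done

  printf '%s\n' "稍等几秒,正在抓取..."
  # Answers are only ever passed as argv words, never eval'd. Note that the
  # -w path is used as given and tcpdump runs with this script's privileges
  # (root in the sample session), so it writes wherever the operator points it.
  tcpdump "${args[@]}" ${expr:+"$expr"}
}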

######################## 函数体调用 ########################
# Entry point: show the banner, then prompt for and run the capture.
main() {
  Welcome
  Get_package
}
main "$@"