TCPDUMP抓包学习
一、抓包基础
1、抓网卡 ens33 的包，-s 0 表示不截断（有多大抓多大，完整保留报文载荷），然后保存到 a.cap 中；因此 a.cap 里会含有完整的会话内容，应当作敏感文件保管
[root@localhost ~]# tcpdump -i ens33 -s 0 -w a.cap tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2、读取a.cap文件
[root@localhost ~]# tcpdump -r a.cap reading from file a.cap, link-type EN10MB (Ethernet) 18:30:13.453516 IP localhost.localdomain.ssh > 192.168.10.1.sicct: Flags [P.], seq 1710739872:1710740004, ack 930202420, win 532, length 132 18:30:13.453754 IP 192.168.10.1.sicct > localhost.localdomain.ssh: Flags [.], ack 132, win 255, length 0 18:30:14.379791 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1720, length 40 18:30:14.379825 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1720, length 40 18:30:15.381526 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1721, length 40 18:30:15.381556 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1721, length 40 18:30:16.383090 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1722, length 40 18:30:16.383121 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1722, length 40 18:30:17.385139 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1723, length 40 18:30:17.385273 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1723, length 40 18:30:18.385827 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1725, length 40 18:30:18.385866 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1725, length 40 18:30:19.244187 IP 192.168.10.1.63076 > 239.255.255.250.ssdp: UDP, length 133 18:30:19.387459 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1726, length 40 18:30:19.387517 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1726, length 40 18:30:20.390170 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1727, length 40 18:30:20.390271 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1727, length 40 18:30:20.438195 IP 192.168.10.1.sicct > localhost.localdomain.ssh: Flags [P.], seq 1:53, ack 132, win 255, length 52
3、读取详细内容（-A 以 ASCII 形式打印每个报文的载荷）
[root@localhost ~]# tcpdump -A -r a.cap reading from file a.cap, link-type EN10MB (Ethernet) 18:30:13.453516 IP localhost.localdomain.ssh > 192.168.10.1.sicct: Flags [P.], seq 1710739872:1710740004, ack 930202420, win 532, length 132 E...] @.@.G... ... .....e...7q.4P.......u0.L.}H....j....2.#|!..v.Y......"<....@.B~..|0.N.n..........,......v........&.(G9.b.a9...f.....Y.t.R....m... .v....B...:.......K.... 18:30:13.453754 IP 192.168.10.1.sicct > localhost.localdomain.ssh: Flags [.], ack 132, win 255, length 0 E..(..@...OX.. ... .....7q.4e..$P............. 18:30:14.379791 IP 192.168.10.1 > localhost.localdomain: ICMP echo request, id 1, seq 1720, length 40 E..<.......H.. ... ...F.....abcdefghijklmnopqrstuvwabcdefghi 18:30:14.379825 IP localhost.localdomain > 192.168.10.1: ICMP echo reply, id 1, seq 1720, length 40 E..<e...@..E..
4、抓tcp 22端口的包
[root@localhost ~]# tcpdump -i ens33 tcp port 22 -w a.cap tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
二、抓包筛选
1、通过操作系统筛选
[root@localhost ~]# tcpdump -r a.cap |awk '{print $3}'|sort -u reading from file a.cap, link-type EN10MB (Ethernet) 192.168.10.1.8323 192.168.10.1.8325 192.168.10.1.8327 192.168.10.1.8328 192.168.10.1.cruise-config 192.168.10.1.cruise-swroute localhost.localdomain.http
2、通过源地址（src host）或目标地址（dst host，注意关键字是 dst 而不是 dest，否则报 syntax error）筛选
[root@localhost ~]# tcpdump -n src host 192.168.10.13 -r a.cap reading from file a.cap, link-type EN10MB (Ethernet) 18:41:59.455482 IP 192.168.10.13.http > 192.168.10.1.8327: Flags [.], ack 819547226, win 473, length 0 18:41:59.455616 IP 192.168.10.13.http > 192.168.10.1.8325: Flags [.], ack 3409464214, win 473, length 0 18:41:59.455690 IP 192.168.10.13.http > 192.168.10.1.8323: Flags [.], ack 3567728118, win 524, length 0 18:41:59.455768 IP 192.168.10.13.http > 192.168.10.1.8328: Flags [.], ack 731030296, win 524, length 0 18:42:01.132478 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [S.], seq 2880921528, ack 2519829979, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0 18:42:01.132938 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [S.], seq 430913213, ack 2320844865, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0 18:42:01.134389 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [.], ack 441, win 473, length 0 18:42:01.136378 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [.], seq 1:4381, ack 441, win 473, length 4380: HTTP: HTTP/1.1 403 Forbidden 18:42:01.136641 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [P.], seq 4381:5242, ack 441, win 473, length 861: HTTP 18:42:01.163086 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [.], ack 400, win 473, length 0 18:42:01.163388 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [P.], seq 5242:5732, ack 838, win 490, length 490: HTTP: HTTP/1.1 404 Not Found 18:42:01.164423 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [P.], seq 1:494, ack 400, win 473, length 493: HTTP: HTTP/1.1 404 Not Found 18:42:01.178354 IP 192.168.10.13.http > 192.168.10.1.cruise-config: Flags [P.], seq 494:983, ack 796, win 490, length 489: HTTP: HTTP/1.1 404 Not Found 18:42:01.178523 IP 192.168.10.13.http > 192.168.10.1.cruise-swroute: Flags [P.], seq 5732:6223, ack 1236, win 507, length 491: HTTP: HTTP/1.1 404 Not Found 
[root@localhost ~]# tcpdump -n dest host 192.168.10.13 -r a.cap reading from file a.cap, link-type EN10MB (Ethernet) tcpdump: syntax error [root@localhost ~]# tcpdump -n dst host 192.168.10.13 -r a.cap reading from file a.cap, link-type EN10MB (Ethernet) 18:41:59.455392 IP 192.168.10.1.8327 > 192.168.10.13.http: Flags [F.], seq 819547225, ack 2993797214, win 256, length 0 18:41:59.455603 IP 192.168.10.1.8325 > 192.168.10.13.http: Flags [F.], seq 3409464213, ack 3748071194, win 256, length 0 18:41:59.455678 IP 192.168.10.1.8323 > 192.168.10.13.http: Flags [F.], seq 3567728117, ack 80696614, win 252, length 0 18:41:59.455757 IP 192.168.10.1.8328 > 192.168.10.13.http: Flags [F.], seq 731030295, ack 1348262823, win 252, length 0 18:42:01.132300 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [S], seq 2519829978, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 18:42:01.132607 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 2880921529, win 256, length 0 18:42:01.132821 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [S], seq 2320844864, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 18:42:01.133059 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [.], ack 430913214, win 256, length 0 18:42:01.134332 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [P.], seq 0:440, ack 1, win 256, length 440: HTTP: GET / HTTP/1.1 18:42:01.136670 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 2921, win 256, length 0 18:42:01.136736 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 5242, win 256, length 0 18:42:01.162692 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [P.], seq 440:837, ack 5242, win 256, length 397: HTTP: GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1 18:42:01.163034 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [P.], seq 0:399, ack 1, win 256, length 399: HTTP: GET 
/noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1 18:42:01.178069 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [P.], seq 399:795, ack 494, win 254, length 396: HTTP: GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1 18:42:01.178136 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [P.], seq 837:1235, ack 5732, win 254, length 398: HTTP: GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1 18:42:01.372703 IP 192.168.10.1.cruise-config > 192.168.10.13.http: Flags [.], ack 983, win 252, length 0 18:42:01.381626 IP 192.168.10.1.cruise-swroute > 192.168.10.13.http: Flags [.], ack 6223, win 252, length 0
3、筛选端口
[root@localhost ~]# tcpdump -n port 53 -r a.cap