介绍一下常用的几个命令
tcpdump -c num -i int -nn -XX -vvv
抓包选项:
-c count:指定要抓取的包数量
-i interface:指定tcpdump需要监听的接口
-nn:以数字形式显示 IP 和端口,不把 IP 反解为主机名,也不把端口解析为服务名(-n 只禁用主机名解析)。这样可以避免反向 DNS 查询拖慢输出、造成丢包,也避免抓包机向外发出 DNS 请求而暴露自己正在抓包
输出选项
-e:输出的每行中都将包括数据链路层头部信息,例如源MAC和目标MAC。
-XX:以 16 进制和 ASCII 两种方式同时输出整个数据包的内容(包含链路层头部;-X 则不含链路层头部)。注意这会把未加密的载荷(如 HTTP 中的口令、Cookie)原样打印到终端或日志里,处理输出时要注意保密
-vvv:当分析和打印的时候,产生详细的输出
其他功能选项:
-D:列出可用于抓包的接口。将会列出接口的数值编号和接口名
文件操作:
-w xx.pcap 将抓取的原始数据包写入文件而不在终端打印,可配合 -s 指定每个包截取的长度。pcap 文件保存的是完整载荷,可能含口令、会话令牌等敏感内容,应限制文件权限、避免随意共享
-r xx.pcap 读取并解析文件中的包内容。解析来源不可信的 pcap 时要小心:协议解析器是 tcpdump 历史上漏洞较集中的部分,建议以普通用户身份并加上 -nn 来读取,而不是以 root 运行
tcpdump表达式
过滤表达式由一个或多个基本单元组成,基本单元的格式为 "proto dir type ID",例如 tcp dst port 10
proto:通过给定协议限定匹配的数据包类型(tcp/udp/arp/ip/ether/icmp)
dir:指定ID的方向(src-源主机,dst-目的主机)。省略时同时匹配两个方向,见下面 host 的例子
type:指定ID的类型(host/net/port/portrange)
表达式单元之间可以使用操作符" and / && / or / || / not / ! "进行连接
监听指定协议的数据
tcpdump -i eth0 -nn 'icmp'
监听指定的主机
tcpdump -i eth0 -nn 'host 10.240.176.172' --源地址或目的地址为该主机的包都会被抓取(收发双向)
tcpdump -i eth0 -nn 'src host 10.240.176.172' --只抓取源地址为该主机的包(该主机发出的)
tcpdump -i eth0 -nn 'dst host 10.240.176.172' --只抓取目的地址为该主机的包(发往该主机的)
监听指定的端口(源端口或目的端口为 80 都会匹配,需要限定方向时用 src port / dst port)
tcpdump -i eth0 -nn 'port 80'
监听指定主机和端口
tcpdump -i eth0 -nn 'port 80 and src host 10.240.176.172'
监听除某个端口外的其他端口
tcpdump -i eth0 -nn '!port 20' --等价于 'not port 20';表达式务必用单引号包起来,否则交互式 shell 可能把 ! 当作历史展开处理
使用scapy进行发包,tcpdump收包:对比第二层的 sendp() 与第三层的 send() 在回环接口 lo 和物理接口 ens32 上的差异(两者都需要 root 或 CAP_NET_RAW 权限,下文以 root 运行)
要点:sendp() 在第二层发送,要求报文自带 Ether 头;直接传入裸 IP() 时,IP 头的字节会被当作以太网帧头发出去,tcpdump 只能看到无法解析的"未知"帧——下面输出里的目的 MAC 45:00:00:14:00:01 正是 IP 头开头的 45 00 00 14 00 01(版本/首部长度、TOS、总长度 20、id 1),源 MAC 的第 3 个字节 01/02/03 就是 ttl=(1,3) 的三个值,ethertype 0x0af0 是源地址 10.240.176.172 的前两个字节。send() 在第三层发送,由 scapy 按路由表补上链路层头并选择出接口,所以发往 10.240.176.144 的包不会走 lo(tcpdump -i lo 抓不到任何包),只在 ens32 上才能看到合法的 IP 包。输出里的 proto Options (0) 应是因为 IP() 没有载荷时协议字段保持为 0,这类包在真实网络中容易被防火墙/IDS 视为异常;最后一组 sendp 到 ens32 的帧虽然到达了过滤器,但因为不是合法的 IP 包,匹配不上 'dst host ...' 过滤条件,所以 0 packets captured
aok = IP(dst='10.240.176.144',ttl=(1,3))
sendp(aok,iface='lo')
...
Sent 3 packets
tcpdump -i lo -vvv
08:28:48.194231 00:00:01:00:42:cd (oui Unknown) > 45:00:00:14:00:01 (oui Unknown), ethertype Unknown (0x0af0), length 20:
0x0000: b0ac 0af0 b090 ......
08:28:48.194932 00:00:02:00:41:cd (oui Unknown) > 45:00:00:14:00:01 (oui Unknown), ethertype Unknown (0x0af0), length 20:
0x0000: b0ac 0af0 b090 ......
08:28:48.195800 00:00:03:00:40:cd (oui Unknown) > 45:00:00:14:00:01 (oui Unknown), ethertype Unknown (0x0af0), length 20:
0x0000: b0ac 0af0 b090
>>> send(aok,iface='lo')
...
Sent 3 packets.
tcpdump -i lo -vvv
0 packets captured
0 packets received by filter
0 packets dropped by kernel
>>> sendp(aok,iface='lo')
...
Sent 3 packets.
[root@localhost /]# tcpdump -i lo -vvv 'dst host 10.240.176.144'
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
>>> send(aok,iface='ens32')
...
Sent 3 packets.
[root@localhost /]# tcpdump -i ens32 -vvv 'dst host 10.240.176.144'
tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 65535 bytes
08:32:13.857317 IP (tos 0x0, ttl 1, id 1, offset 0, flags [none], proto Options (0), length 20)
10.240.176.172 > 10.240.176.144: ip 0
08:32:13.861459 IP (tos 0x0, ttl 2, id 1, offset 0, flags [none], proto Options (0), length 20)
10.240.176.172 > 10.240.176.144: ip 0
08:32:13.862699 IP (tos 0x0, ttl 3, id 1, offset 0, flags [none], proto Options (0), length 20)
10.240.176.172 > 10.240.176.144: ip 0
>>> sendp(aok,iface='ens32')
...
Sent 3 packets.
[root@localhost /]# tcpdump -i ens32 -vvv 'dst host 10.240.176.144'
0 packets captured
1 packet received by filter
0 packets dropped by kernel