tcpdump
To capture all packets received and sent by host 192.168.10.126, use the following command:
tcpdump host 192.168.10.126
To capture traffic between host 192.168.10.126 and either host 192.168.10.127 or host 192.168.10.128, use the following command (when parentheses are used on the command line, they must be escaped with a backslash \ so the shell does not interpret them):
tcpdump host 192.168.10.126 and \(192.168.10.127 or 192.168.10.128\)
To capture IP packets exchanged between host 192.168.10.126 and every host except 192.168.10.127, use the following command:
tcpdump ip host 192.168.10.126 and ! 192.168.10.127
To capture SMTP packets (TCP port 25) received or sent by host 192.168.10.126:
tcpdump tcp port 25 and host 192.168.10.126
-n    Don't convert host addresses to names. This can be used to avoid DNS lookups.
If you suspect the system is under a denial-of-service attack, the network administrator can capture all ICMP packets sent to the local host to determine whether a large volume of ping requests is flowing to the server (-n avoids a DNS lookup for every source address, which matters when the packet rate is high):
tcpdump -n -i eth0 icmp
Columns of the output below: source address, destination address, flag information, next expected sequence number, receive-buffer window size
15:47:32.485049 IP localhost.ssh > localhost.52684: Flags [P.], seq 248:300, ack 105, win 562, length 52
15:47:32.532568 IP localhost.52684 > localhost.ssh: Flags [.], ack 300, win 252, length 0
15:47:32.811724 IP localhost.52684 > localhost.ssh: Flags [P.], seq 105:157, ack 300, win 252, length 52
15:47:32.813628 IP localhost.ssh > localhost.52684: Flags [P.], seq 300:352, ack 157, win 562, length 52
15:47:32.863882 IP localhost.52684 > localhost.ssh: Flags [.], ack 352, win 252, length 0
15:47:33.123672 IP localhost.52684 > localhost.ssh: Flags [P.], seq 157:209, ack 352, win 252, length 52
15:47:33.125097 IP localhost.ssh > localhost.52684: Flags [P.], seq 352:404, ack 209, win 562, length 52
15:47:33.173320 IP localhost.52684 > localhost.ssh: Flags [.], ack 404, win 252, length 0
15:47:34.844265 IP localhost.52684 > localhost.ssh: Flags [P.], seq 209:261, ack 404, win 252, lengt
Taking the first line above field by field:
localhost.ssh > localhost.52684: source address and port > destination address and port (the ssh service port and ephemeral port 52684)
Flags [P.]: the flag information of the TCP segment; S stands for SYN, F for FIN, P for PUSH, R for RST, and . means none of these flags is set (in tcpdump's notation that is an ACK-only segment)
ack 105: the next sequence number expected from the peer
win 562: the receive window size (receive buffer)
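The two analysis tasks on this page, spotting a ping flood from the ICMP capture and reading the flag field of TCP lines, both come down to parsing tcpdump's text output. The following is an added example, not code from the original page or from tcpdump itself. It parses constructed sample lines (the TCP lines copied from the output above, plus ICMP lines in the format that `tcpdump -n -i eth0 icmp` prints for echo requests), counts echo requests per source address, and summarises TCP flag combinations per source/destination pair. The address 10.0.0.9, the id/seq values and the alert threshold of 3 are assumptions for illustration only.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump text output (not a real capture). The TCP
# lines follow the format shown on this page; the ICMP lines are what
# `tcpdump -n -i eth0 icmp` prints for echo request/reply packets.
# Addresses 10.0.0.5 and 10.0.0.9 and the id/seq values are made up.
SAMPLE = """\
15:47:32.485049 IP localhost.ssh > localhost.52684: Flags [P.], seq 248:300, ack 105, win 562, length 52
15:47:32.532568 IP localhost.52684 > localhost.ssh: Flags [.], ack 300, win 252, length 0
15:47:32.600001 IP 10.0.0.5 > 192.168.10.126: ICMP echo request, id 4242, seq 1, length 64
15:47:32.600010 IP 192.168.10.126 > 10.0.0.5: ICMP echo reply, id 4242, seq 1, length 64
15:47:32.600100 IP 10.0.0.9 > 192.168.10.126: ICMP echo request, id 4243, seq 1, length 64
15:47:32.600200 IP 10.0.0.9 > 192.168.10.126: ICMP echo request, id 4243, seq 2, length 64
15:47:32.600300 IP 10.0.0.9 > 192.168.10.126: ICMP echo request, id 4243, seq 3, length 64
15:47:32.811724 IP localhost.52684 > localhost.ssh: Flags [S], seq 1000, win 252, length 0
"""

# "<timestamp> IP <src> > <dst>: <rest>"; the regex backtracks so that the
# trailing ':' after the destination is not swallowed into the address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")

# tcpdump flag letters as explained on this page; '.' is an ACK-only segment.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK", "U": "URG"}


def parse_line(line):
    """Parse one tcpdump output line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"]}
    if rest.startswith("ICMP"):
        rec["proto"] = "ICMP"
        rec["icmp"] = rest.split(",", 1)[0]  # e.g. "ICMP echo request"
    else:
        f = FLAGS_RE.search(rest)
        if f:
            rec["proto"] = "TCP"
            rec["flags"] = [FLAG_NAMES.get(c, c) for c in f["flags"]]
        else:
            rec["proto"] = "OTHER"
    return rec


def icmp_echo_requests_by_source(text):
    """Count ICMP echo requests per source address: the signal the page uses for a ping flood."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("icmp") == "ICMP echo request":
            counts[rec["src"]] += 1
    return counts


def ping_flood_suspects(text, threshold=3):
    """Sources sending at least `threshold` echo requests (threshold is an illustrative assumption)."""
    return sorted(src for src, n in icmp_echo_requests_by_source(text).items() if n >= threshold)


def flag_summary(text):
    """Count TCP flag combinations per (source, destination) pair, e.g. 'PSH+ACK'."""
    summary = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP":
            summary[(rec["src"], rec["dst"])]["+".join(rec["flags"])] += 1
    return summary


if __name__ == "__main__":
    print("echo requests per source:", dict(icmp_echo_requests_by_source(SAMPLE)))
    print("ping flood suspects:", ping_flood_suspects(SAMPLE))
    for pair, flags in flag_summary(SAMPLE).items():
        print(f"{pair[0]} > {pair[1]}: {dict(flags)}")
```

On a live system the same functions can be fed the output of the page's commands, for example `tcpdump -n -i eth0 icmp | python3 parse_tcpdump.py` with `sys.stdin.read()` in place of SAMPLE; the per-source count is what distinguishes a handful of legitimate pings from a flood.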