Linux 抓包工具:tcpdump
tcpdump 是一个命令行抓包工具,通常用来捕获并分析网络流量
安装tcpdump命令
[root@mysql test]# yum install -y tcpdump
-i 指定网卡:抓取该网卡上经过的数据包
抓取指定网卡的数据包(-nn 表示不把 IP 解析成主机名、不把端口解析成服务名,直接显示数字)
[root@mysql test]# tcpdump -nn -i eth0
抓取指定网卡、指定端口的数据包
[root@mysql test]# tcpdump -nn -i eth0 port 22
抓取指定数量的数据包:-c count
例如抓取 10 个数据包后自动退出
[root@mysql test]# tcpdump -nn -i eth0 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:16:32.649442 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 2807638170:2807638366, ack 1457889588, win 1259, length 196
23:16:32.649789 IP 192.168.0.106.60104 > 192.168.0.110.22: Flags [.], ack 196, win 16298, length 0
23:16:32.649905 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 196:376, ack 1, win 1259, length 180
23:16:32.654906 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 376:636, ack 1, win 1259, length 260
23:16:32.655263 IP 192.168.0.106.60104 > 192.168.0.110.22: Flags [.], ack 636, win 16188, length 0
23:16:32.656933 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 636:896, ack 1, win 1259, length 260
23:16:32.659151 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 896:1060, ack 1, win 1259, length 164
23:16:32.659479 IP 192.168.0.106.60104 > 192.168.0.110.22: Flags [.], ack 1060, win 16082, length 0
23:16:32.659548 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 1060:1320, ack 1, win 1259, length 260
23:16:32.660859 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 1320:1484, ack 1, win 1259, length 164
10 packets captured
11 packets received by filter
0 packets dropped by kernel
-w 指定保存文件
指定把抓到的数据包保存到哪个文件
[root@mysql test]# tcpdump -nn -i eth0 -c 10 -w 1.txt
生成文件
[root@mysql test]# ls 1.txt
-w 写入的是原始数据包而不是文本,所以这个文件需要用 tcpdump -r 1.txt 来查看
-r file 读取并解析保存的抓包文件(下面的命令没有加 -nn,所以端口显示为服务名如 ssh,而不是数字 22)
[root@mysql test]# tcpdump -r 1.txt
reading from file 1.txt, link-type EN10MB (Ethernet)
23:24:25.382186 IP 192.168.0.110.ssh > 192.168.0.106.60104: Flags [P.], seq 2807649858:2807649990, ack 1457896688, win 1259, length 132
23:24:25.382881 IP 192.168.0.106.60104 > 192.168.0.110.ssh: Flags [.], ack 132, win 15695, length 0
23:24:26.659280 IP 192.168.0.106.62688 > 239.255.255.250.ssdp: UDP, length 133
23:24:29.659551 IP 192.168.0.106.62688 > 239.255.255.250.ssdp: UDP, length 133
23:24:30.793661 IP6 fe80::dd37:f87c:843e:395b.51568 > ff02::1:3.hostmon: UDP, length 22
23:24:30.793988 IP 192.168.0.106.50234 > 224.0.0.252.hostmon: UDP, length 22
23:24:30.894833 IP6 fe80::dd37:f87c:843e:395b.51568 > ff02::1:3.hostmon: UDP, length 22
23:24:30.894857 IP 192.168.0.106.50234 > 224.0.0.252.hostmon: UDP, length 22
23:24:31.095942 IP 192.168.0.106.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:24:31.845968 IP 192.168.0.106.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
输出详解:
[root@mysql test]# tcpdump -nn -i eth0 -c 10
# 如下,每一行代表一个数据包:源地址 192.168.0.110 端口 22 发送到目标地址 192.168.0.106 端口 60104(格式为 IP.端口 > IP.端口)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:16:32.649442 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 2807638170:2807638366, ack 1457889588, win 1259, length 196
23:16:32.649905 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 196:376, ack 1, win 1259, length 180
23:16:32.654906 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 376:636, ack 1, win 1259, length 260