tcpdump is a tool that captures network packets and prints their contents. Its rich feature set and flexible capture filters make it the first choice for network analysis and troubleshooting on UNIX-like systems.
tcpdump supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you strip out traffic you do not need.
Examples of tcpdump command usage
On Linux, running tcpdump requires the root account or an account with sudo privileges; otherwise, when you run tcpdump the system reports tcpdump: no suitable device found.
In the examples below, the -i eth0 option restricts the capture to the eth0 interface; without -i eth0, packets on all interfaces, including lo, are captured.
01. Capture all packets and display the results in the terminal, showing the packets in hexadecimal.
tcpdump
02. Capture all packets and save them to the file result.cap.
tcpdump -w result.cap
03. Capture all packets passing through the eth0 interface and save them to the file result.cap.
tcpdump -i eth0 -w result.cap
04. Capture packets whose source address is 192.168.1.100 and save the result to the file result.cap.
tcpdump src host 192.168.1.100 -w result.cap
05. Capture packets whose source or destination address is 192.168.1.100 and save the result to the file result.cap.
tcpdump host 192.168.1.100 -w result.cap
06. Capture packets whose destination address is 192.168.1.100 and save the result to the file result.cap (the pcap-filter keyword is dst, not dest).
tcpdump dst host 192.168.1.100 -w result.cap
07. Capture packets to or from host 192.168.1.100.
tcpdump -i eth0 -vnn host 192.168.1.100
08. Capture packets to or from the 192.168.1.0/24 network.
tcpdump -i eth0 -vnn net 192.168.1.0/24
09. Capture all packets on interface eth0 with port 22 as source or destination port.
tcpdump -i eth0 -vnn port 22
10. Capture packets of a given protocol; the protocol can be any of udp, icmp, arp or ip, for example:
tcpdump udp -i eth0 -vnn
11. Capture packets passing through eth0 whose source IP is 192.168.1.100; src denotes the source.
tcpdump -i eth0 -vnn src host 192.168.1.100
12. Capture packets passing through eth0 whose destination IP is 192.168.1.100; dst denotes the destination.
tcpdump -i eth0 -vnn dst host 192.168.1.100
13. Capture packets whose source port is 22.
tcpdump -i eth0 -vnn src port 22
14. Capture packets whose source IP is 192.168.1.100 and whose destination port is 22.
tcpdump -i eth0 -vnn src host 192.168.1.100 and dst port 22
15. Capture packets whose source IP is 192.168.1.100 or whose port is 22.
tcpdump -i eth0 -vnn src host 192.168.1.100 or port 22
16. Capture packets whose source IP is 192.168.1.100 and whose port is not 22.
tcpdump -i eth0 -vnn src host 192.168.1.100 and not port 22
17. Capture packets whose source IP is 192.168.1.100 and destination port is 22, or whose source IP is 192.168.1.102 and destination port is 80. The parentheses are shell metacharacters, so the whole expression must be quoted.
tcpdump -i eth0 -vnn '( src host 192.168.1.100 and dst port 22 ) or ( src host 192.168.1.102 and dst port 80 )'
18. Save the captured packets to the file /tmp/result and exit after 100 packets have been captured.
tcpdump -i eth0 -vnn -w /tmp/result -c 100
19. Read the TCP packets back from the /tmp/result capture file (-i is not needed when reading from a file).
tcpdump -vnn -r /tmp/result tcp
20. To capture all packets received and sent by host 192.168.1.100:
tcpdump host 192.168.1.100
21. To capture the IP packets exchanged between host 192.168.1.100 and every host except 192.168.1.101, use:
tcpdump ip host 192.168.1.100 and ! 192.168.1.101
22. To capture the telnet packets received or sent by host 192.168.1.100, use the following command (the two primitives must be joined with and):
tcpdump tcp port 23 and host 192.168.1.100
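Because a compound filter like the one in example 17 is usually assembled from variables, it is worth building it in one place that validates each value and hands the whole expression to tcpdump as a single quoted argument. The helper below is an added example, not code from the original article; compound_filter and capture_pairs are hypothetical names, and the capture itself still needs the privileges noted at the top of the page.

```shell
#!/bin/sh
# Builds the compound filter from example 17 out of host:port pairs.
# Each host must be an IPv4 dotted quad and each port a number <= 65535;
# anything else (spaces, extra filter keywords) is rejected before it can
# be spliced into the expression.  Hypothetical helper, not part of tcpdump.
compound_filter() {
    expr=""
    for pair in "$@"; do
        host=${pair%:*}
        port=${pair#*:}
        case $host in
            *[!0-9.]*|"") return 1 ;;
        esac
        case $port in
            *[!0-9]*|"") return 1 ;;
        esac
        [ "$port" -le 65535 ] || return 1
        clause="( src host $host and dst port $port )"
        if [ -z "$expr" ]; then expr=$clause; else expr="$expr or $clause"; fi
    done
    [ -n "$expr" ] || return 1
    printf '%s\n' "$expr"
}

# Runs the capture with the options used on this page (-i, -vnn, -c, -w)
# and passes the filter as ONE argument, so the parentheses never reach
# the shell unquoted.  Usage: capture_pairs eth0 /tmp/result 100 A:22 B:80
capture_pairs() {
    iface=$1; out=$2; count=$3; shift 3
    filter=$(compound_filter "$@") || { echo "bad host:port argument" >&2; return 1; }
    tcpdump -i "$iface" -vnn -c "$count" -w "$out" "$filter"
}
```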
Viewing a cap file
tcpdump -r result.cap
19:18:13.256780 IP host-10-6-10-56.openstacklocal.ssh > 10.0.100.121.53712: Flags [P.], seq 3099367847:3099367947, ack 3498477490, win 298, options [nop,nop,TS val 3313648 ecr 21114196], length 100
19:18:13.299286 IP 10.0.100.121.53712 > host-10-6-10-56.openstacklocal.ssh: Flags [.], ack 100, win 4070, options [nop,nop,TS val 21114205 ecr 3313610], length 0
19:18:13.448969 IP host-10-6-10-51.openstacklocal.51567 > host-10-6-10-53.openstacklocal.spcsdlobby: Flags [P.], seq 1082971748:1082971768, ack 1913390286, win 229, options [nop,nop,TS val 1746704988 ecr 1746687267], length 20
19:18:13.452643 ARP, Request who-has host-10-6-10-54.openstacklocal tell host-10-6-10-28.openstacklocal, length 46
19:18:13.827050 ARP, Request who-has host-10-6-10-49.openstacklocal tell host-10-6-10-22.openstacklocal, length 46
19:18:14.476700 ARP, Request who-has host-10-6-10-54.openstacklocal tell host-10-6-10-28.openstacklocal, length 46
19:18:14.682684 IP host-10-6-10-75.openstacklocal.41006 > host-10-6-10-70.openstacklocal.postgres: Flags [S], seq 860357188, win 29200, options [mss 1460,sackOK,TS val 28676834 ecr 0,nop,wscale 7], length 0
19:18:14.683431 IP host-10-6-10-75.openstacklocal.41008 > host-10-6-10-70.openstacklocal.postgres: Flags [S], seq 3515804874, win 29200, options [mss 1460,sackOK,TS val 28676835 ecr 0,nop,wscale 7], length 0
19:18:14.683439 IP host-10-6-10-75.openstacklocal.41006 > host-10-6-10-70.openstacklocal.postgres: Flags [.], ack 1980546721, win 229, options [nop,nop,TS val 28676835 ecr 28669253], length 0
19:18:14.683445 IP host-10-6-10-75.openstacklocal.41006 > host-10-6-10-70.openstacklocal.postgres: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 28676835 ecr 28669253], length 0
19:18:14.683628 IP host-10-6-10-75.openstacklocal.41008 > host-10-6-10-70.openstacklocal.postgres: Flags [.], ack 2679719999, win 229, options [nop,nop,TS val 28676835 ecr 28669254], length 0
19:18:14.683725 IP host-10-6-10-75.openstacklocal.41008 > host-10-6-10-70.openstacklocal.postgres: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 28676835 ecr 28669254], length 0
19:18:14.687927 IP host-10-6-10-75.openstacklocal.41006 > host-10-6-10-70.openstacklocal.postgres: Flags [.], ack 2, win 229, options [nop,nop,TS val 28676839 ecr 28669258], length 0
19:18:14.689062 IP host-10-6-10-75.openstacklocal.41008 > host-10-6-10-70.openstacklocal.postgres: Flags [.], ack 2, win 229, options [nop,nop,TS val 28676841 ecr 28669259], length 0
19:18:14.850932 ARP, Request who-has host-10-6-10-49.openstacklocal tell host-10-6-10-22.openstacklocal, length 46
19:18:14.949139 IP host-10-6-10-51.openstacklocal.51567 > host-10-6-10-53.openstacklocal.spcsdlobby: Flags [P.], seq 20:40, ack 21, win 229, options [nop,nop,TS val 1746706488 ecr 1746688767], length 20
19:18:15.833304 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37482: Flags [P.], seq 1195098192:1195098200, ack 2867760332, win 501, options [nop,nop,TS val 2786542746 ecr 3286222], length 8
19:18:15.833405 IP host-10-6-10-56.openstacklocal.37482 > 10.0.31.174.32003: Flags [.], ack 8, win 251, options [nop,nop,TS val 3316224 ecr 2786542746], length 0
19:18:15.874912 ARP, Request who-has host-10-6-10-49.openstacklocal tell host-10-6-10-22.openstacklocal, length 46
19:18:15.981443 IP host-10-6-10-47.openstacklocal.ssh > host-10-6-10-44.openstacklocal.40826: Flags [.], ack 3476650715, win 24576, options [nop,nop,TS val 4240378251 ecr 670974340], length 0
19:18:16.057943 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37484: Flags [P.], seq 3298882722:3298882730, ack 3403222495, win 501, options [nop,nop,TS val 2786542971 ecr 3257255], length 8
19:18:16.057996 IP host-10-6-10-56.openstacklocal.37484 > 10.0.31.174.32003: Flags [.], ack 8, win 238, options [nop,nop,TS val 3316449 ecr 2786542971], length 0
19:18:16.311399 IP host-10-6-10-51.openstacklocal.8441 > host-10-6-10-53.openstacklocal.40980: Flags [P.], seq 200227942:200228156, ack 3982844457, win 1427, options [nop,nop,TS val 1746707851 ecr 1746690129], length 214
19:18:16.436227 ARP, Request who-has host-10-6-10-54.openstacklocal tell host-10-6-10-28.openstacklocal, length 46
19:18:16.449225 IP host-10-6-10-51.openstacklocal.51567 > host-10-6-10-53.openstacklocal.spcsdlobby: Flags [P.], seq 40:60, ack 41, win 229, options [nop,nop,TS val 1746707988 ecr 1746690267], length 20
19:18:16.459197 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37486: Flags [P.], seq 200139947:200139955, ack 3482776466, win 501, options [nop,nop,TS val 2786543373 ecr 3286850], length 8
19:18:16.459246 IP host-10-6-10-56.openstacklocal.37486 > 10.0.31.174.32003: Flags [.], ack 8, win 337, options [nop,nop,TS val 3316850 ecr 2786543373], length 0
19:18:16.494231 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39406: Flags [S.], seq 3306713232, ack 297850110, win 28960, options [mss 1460,sackOK,TS val 28678646 ecr 28671064,nop,wscale 7], length 0
19:18:16.494437 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39406: Flags [.], ack 17, win 227, options [nop,nop,TS val 28678646 ecr 28671065], length 0
19:18:16.497888 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39406: Flags [F.], seq 1, ack 17, win 227, options [nop,nop,TS val 28678649 ecr 28671065], length 0
19:18:16.498143 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39406: Flags [.], ack 18, win 227, options [nop,nop,TS val 28678650 ecr 28671069], length 0
19:18:16.498386 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39082: Flags [P.], seq 3194856494:3194856560, ack 2874590546, win 676, options [nop,nop,TS val 28678650 ecr 28671069], length 66
19:18:16.750405 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39082: Flags [P.], seq 66:151, ack 45, win 676, options [nop,nop,TS val 28678902 ecr 28671320], length 85
19:18:16.756402 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39082: Flags [P.], seq 151:173, ack 593, win 685, options [nop,nop,TS val 28678908 ecr 28671321], length 22
19:18:16.756443 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39080: Flags [P.], seq 1238779238:1238779492, ack 987142720, win 227, options [nop,nop,TS val 28678908 ecr 28666068], length 254
19:18:16.756698 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39082: Flags [P.], seq 173:248, ack 636, win 685, options [nop,nop,TS val 28678908 ecr 28671327], length 75
19:18:16.756776 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39080: Flags [.], ack 40, win 227, options [nop,nop,TS val 28678908 ecr 28671327], length 0
19:18:16.759008 IP host-10-6-10-56.openstacklocal.37484 > 10.0.31.174.32003: Flags [P.], seq 1:1949, ack 8, win 238, options [nop,nop,TS val 3317150 ecr 2786542971], length 1948
19:18:16.761670 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39080: Flags [.], ack 79, win 227, options [nop,nop,TS val 28678913 ecr 28671332], length 0
19:18:16.761757 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39080: Flags [.], ack 118, win 227, options [nop,nop,TS val 28678913 ecr 28671332], length 0
19:18:16.785723 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37484: Flags [.], ack 1949, win 501, options [nop,nop,TS val 2786543698 ecr 3317150], length 0
19:18:16.785760 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37484: Flags [P.], seq 8:29, ack 1949, win 501, options [nop,nop,TS val 2786543699 ecr 3317150], length 21
19:18:16.785770 IP host-10-6-10-56.openstacklocal.37484 > 10.0.31.174.32003: Flags [.], ack 29, win 238, options [nop,nop,TS val 3317177 ecr 2786543699], length 0
19:18:16.804679 IP host-10-6-10-56.openstacklocal.37484 > 10.0.31.174.32003: Flags [P.], seq 1949:3695, ack 29, win 238, options [nop,nop,TS val 3317196 ecr 2786543699], length 1746
19:18:16.828989 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37484: Flags [.], ack 3695, win 501, options [nop,nop,TS val 2786543743 ecr 3317196], length 0
19:18:16.829673 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37484: Flags [P.], seq 29:50, ack 3695, win 501, options [nop,nop,TS val 2786543744 ecr 3317196], length 21
19:18:16.869657 IP host-10-6-10-56.openstacklocal.37484 > 10.0.31.174.32003: Flags [.], ack 50, win 238, options [nop,nop,TS val 3317261 ecr 2786543744], length 0
19:18:16.898941 ARP, Request who-has host-10-6-10-49.openstacklocal tell host-10-6-10-22.openstacklocal, length 46
19:18:17.095497 IP 10.0.100.121.53712 > host-10-6-10-56.openstacklocal.ssh: Flags [P.], seq 1:37, ack 100, win 4070, options [nop,nop,TS val 21114584 ecr 3313610], length 36
19:18:17.095791 IP host-10-6-10-56.openstacklocal.ssh > 10.0.100.121.53712: Flags [P.], seq 100:136, ack 37, win 298, options [nop,nop,TS val 3317487 ecr 21114584], length 36
19:18:17.314228 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39080: Flags [P.], seq 254:340, ack 118, win 227, options [nop,nop,TS val 28679466 ecr 28671332], length 86
19:18:17.314629 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39080: Flags [.], ack 157, win 227, options [nop,nop,TS val 28679466 ecr 28671885], length 0
19:18:17.319506 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39080: Flags [.], ack 196, win 227, options [nop,nop,TS val 28679471 ecr 28671890], length 0
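Reading a capture by eye, as above, does not scale; the text format is regular enough that a few lines of awk can summarise it. The script below is an added example, not from the original article: syn_summary counts pure SYN packets (Flags [S], new connection attempts) per source and destination service, which is how a port scan or a chatty health check stands out, and bytes_by_src sums the length field per sender. The sample lines are constructed, modelled on the output above.

```shell
#!/bin/sh
# Summarise `tcpdump -r result.cap` text output.  Fields are space separated:
# $2 = "IP", $3 = src.port, $5 = "dst.port:", $6 = "Flags", $7 = "[S],"
syn_summary() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; dst = $5
            sub(/:$/, "", dst)                 # "host.port:" -> "host.port"
            sub(/\.[^.]*$/, "", src)           # drop the ephemeral source port
            n = split(dst, p, "."); svc = p[n] # last label is the port/service
            dsthost = substr(dst, 1, length(dst) - length(svc) - 1)
            count[src " -> " dsthost ":" svc]++
         }
         END { for (k in count) print count[k], k }' | LC_ALL=C sort -k2
}

# Payload bytes sent per source host, taken from the trailing "length N".
bytes_by_src() {
    awk '$2 == "IP" && $(NF-1) == "length" {
            src = $3; sub(/\.[^.]*$/, "", src)
            bytes[src] += $NF
         }
         END { for (k in bytes) print bytes[k], k }' | sort -rn
}

# Constructed sample, modelled on the capture output shown on this page.
sample_capture() {
cat <<'EOF'
19:18:14.682684 IP host-10-6-10-75.openstacklocal.41006 > host-10-6-10-70.openstacklocal.postgres: Flags [S], seq 860357188, win 29200, options [mss 1460,sackOK,TS val 28676834 ecr 0,nop,wscale 7], length 0
19:18:14.683431 IP host-10-6-10-75.openstacklocal.41008 > host-10-6-10-70.openstacklocal.postgres: Flags [S], seq 3515804874, win 29200, options [mss 1460,sackOK,TS val 28676835 ecr 0,nop,wscale 7], length 0
19:18:14.683445 IP host-10-6-10-75.openstacklocal.41006 > host-10-6-10-70.openstacklocal.postgres: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 28676835 ecr 28669253], length 0
19:18:15.833304 IP 10.0.31.174.32003 > host-10-6-10-56.openstacklocal.37482: Flags [P.], seq 1195098192:1195098200, ack 2867760332, win 501, options [nop,nop,TS val 2786542746 ecr 3286222], length 8
19:18:15.900000 IP 10.0.31.174.40000 > host-10-6-10-56.openstacklocal.ssh: Flags [S], seq 1, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
19:18:16.494231 IP host-10-6-10-75.openstacklocal.postgres > host-10-6-10-70.openstacklocal.39406: Flags [S.], seq 3306713232, ack 297850110, win 28960, options [mss 1460,sackOK,TS val 28678646 ecr 28671064,nop,wscale 7], length 0
19:18:16.759008 IP host-10-6-10-56.openstacklocal.37484 > 10.0.31.174.32003: Flags [P.], seq 1:1949, ack 8, win 238, options [nop,nop,TS val 3317150 ecr 2786542971], length 1948
19:18:13.452643 ARP, Request who-has host-10-6-10-54.openstacklocal tell host-10-6-10-28.openstacklocal, length 46
EOF
}

sample_capture | syn_summary   # 2 SYNs to postgres, 1 to ssh; SYN-ACK and ARP ignored
sample_capture | bytes_by_src
```

Replace sample_capture with `tcpdump -nn -r result.cap` to run the same summaries over a real capture file.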