1. Introduction
tcpdump is a packet sniffer and packet analysis tool that system administrators use to troubleshoot connectivity problems on Linux. It captures, filters and analyzes network traffic, for example the TCP/IP packets passing through a host. It is also widely used as a security tool: the captured traffic is saved to a pcap file, which can later be opened for analysis in Wireshark or in tcpdump itself.
2. Installing tcpdump
Many Linux distributions ship tcpdump, especially enterprise-oriented ones. Check whether it is installed on your system with:
root@dev:~# which tcpdump
------------------------------------------------------------------------------------
/usr/sbin/tcpdump
or
root@dev:~# tcpdump --version
------------------------------------------------------------------------------------
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)
OpenSSL 1.1.1f 31 Mar 2020
If tcpdump is not installed, use the command for your platform:
RHEL-based Linux:
sudo dnf install tcpdump
OR
sudo yum install tcpdump
Ubuntu/Debian:
sudo apt update && sudo apt install tcpdump
macOS (tcpdump can be installed and updated with brew):
brew install tcpdump
Arch Linux:
sudo pacman -S tcpdump
[Note] Capturing on a live interface requires root or sudo privileges (strictly, the CAP_NET_RAW and CAP_NET_ADMIN capabilities, the second one for promiscuous mode); reading a saved capture file with -r does not. Run by an unprivileged user, a live capture fails with:
test@dev:~$ tcpdump
------------------------------------------------------------------------------------
tcpdump: veth56ad7af: You don't have permission to capture on that device
(socket: Operation not permitted)
3. How to use tcpdump
Syntax:
tcpdump [options] [expression]
[options] control the behaviour of the command; [expression] is a filter that defines which packets are captured.
Commonly used options:
- -i: capture on the given interface instead of the default one.
- -c: stop after the given number of packets.
- -n: do not resolve IP addresses to host names (or port numbers to service names).
- -r: read packets from a file instead of from the network.
- -s: capture only the given number of bytes (the snapshot length) from each packet.
- -w: write the captured packets to a file.
More options: man tcpdump
3.1 Capturing packets on the default network interface
root@dev:~# sudo tcpdump
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth56ad7af, link-type EN10MB (Ethernet), capture size 262144 bytes
Started without arguments, tcpdump listens on the first network interface it finds and prints every packet passing through it in real time. Note that on this host that interface is veth56ad7af, a virtual interface, not the machine's main interface ens3, so the default is rarely what you want on a server with containers or VMs. Watching live output is useful when you know what you are looking for and the interface is quiet; otherwise the console will scroll far too fast to read.
Note: stop the capture with Ctrl+C.
3.2 Capturing packets on a specific interface
Select the interface with the -i option.
root@dev:~# sudo tcpdump -i ens3
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
23:51:01.736503 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 929906551:929906739, ack 1537666405, win 501, options [nop,nop,TS val 2237384077 ecr 2123731707], length 188
23:51:01.737971 IP postgres.36074 > 10.10.0.11.domain: 41663+ [1au] PTR? 6.0.20.10.in-addr.arpa. (51)
... ...
This command captures packets on the ens3 interface. Note the second line of output: because names are being resolved, tcpdump itself sent a reverse DNS (PTR) query for 10.20.0.6, which then shows up in the capture.
To list the available interfaces use tcpdump -D. The entry any is a pseudo-device that captures on all interfaces at once; such captures use the Linux "cooked" link type rather than Ethernet, so no Ethernet header is recorded.
root@dev:~# tcpdump -D
------------------------------------------------------------------------------------
1.veth56ad7af [Up, Running]
2.veth35a93df [Up, Running]
3.ens3 [Up, Running]
4.veth4589fa3 [Up, Running]
5.veth5445b7b [Up, Running]
6.veth6b7e51e [Up, Running]
7.veth99e634f [Up, Running]
8.br-2c9e6051f755 [Up, Running]
9.vethf18500a [Up, Running]
10.lo [Up, Running, Loopback]
11.any (Pseudo-device that captures on all interfaces) [Up, Running]
12.docker0 [Up]
13.br-3c911bd828a7 [Up]
14.bluetooth-monitor (Bluetooth Linux Monitor) [none]
15.nflog (Linux netfilter log (NFLOG) interface) [none]
16.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
3.3 Capturing a fixed number of packets
root@dev:~# sudo tcpdump -c 4 -i ens3
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
23:56:27.673241 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 944680451:944680559, ack 1537676021, win 501, options [nop,nop,TS val 2237710014 ecr 2124054915], length 108
23:56:27.673429 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 108:144, ack 1, win 501, options [nop,nop,TS val 2237710014 ecr 2124054915], length 36
23:56:27.673550 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 144:252, ack 1, win 501, options [nop,nop,TS val 2237710014 ecr 2124054915], length 108
23:56:27.673663 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 252:288, ack 1, win 501, options [nop,nop,TS val 2237710014 ecr 2124054915], length 36
4 packets captured
14 packets received by filter
0 packets dropped by kernel
This command captures only 4 packets from ens3 and then exits. The trailer shows how many packets were captured, how many the kernel handed to the capture mechanism (regardless of whether they matched the filter), and how many were dropped because the capture buffer filled up; a non-zero "dropped by kernel" count means the capture is incomplete.
3.4 Printing captured packets in a chosen format
Print each packet in ASCII:
root@dev:~# sudo tcpdump -c 1 -A -i ens3
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:43.641986 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 970177311:970177499, ack 1537695769, win 501, options [nop,nop,TS val 2237965982 ecr 2124308734], length 188
E....l@.@.i.
d.o
.......9...[.`............
.d..~.`..x......Z.x....~....1....9..e....@J....X ._..=sY.=.[..lO5%xj.=...}i..`rP ..rn....P?....aLn.....D*F-?.'ej.Z.X...x=.F...<..f...h..D.L& ......U..........g}....E.....q....._.(..........FW8PO..
1 packet captured
5 packets received by filter
0 packets dropped by kernel
This command prints the packet captured on ens3 as ASCII. The payload here is an SSH record, so beyond the IP and TCP headers the text is encrypted noise; -A is useful for plaintext protocols such as HTTP or DNS.
Show the packet as HEX and ASCII:
root@dev:~# sudo tcpdump -c 1 -XX -i ens3
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:01:59.336195 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 970182919:970183107, ack 1537698141, win 501, options [nop,nop,TS val 2238041676 ecr 2124383974], length 188
0x0000: 084f a97c 5d51 fa16 3e96 388e 0800 4512 .O.|]Q..>.8...E.
0x0010: 00f0 bbb4 4000 4006 6955 0a64 006f 0a14 ....@.@.iU.d.o..
0x0020: 0006 0016 cda1 39d3 d107 5ba7 695d 8018 ......9...[.i]..
0x0030: 01f5 15cf 0000 0101 080a 8565 ce4c 7e9f ...........e.L~.
0x0040: 86e6 0601 afa8 4764 4f67 1f19 3a2c 08c3 ......GdOg..:,..
0x0050: f997 00cf f6f7 a968 6ae0 47c4 dd54 8284 .......hj.G..T..
0x0060: 1451 3cc8 b9eb 1c05 aef8 c24b 9d5d d716 .Q<........K.]..
0x0070: a7b0 a3d0 8bbc e5a8 b2f9 4e3e b49c fea9 ..........N>....
0x0080: ac0d 7e8f 27d9 3b51 f8bc d19f 56ad 1348 ..~.'.;Q....V..H
0x0090: 326a d515 8ef7 296b 35fb d20e 92fb dc69 2j....)k5......i
0x00a0: fc22 e0a3 f854 3208 f1d8 c780 61cc 0172 ."...T2.....a..r
0x00b0: 9209 f68e 5fb2 3fdf 7903 77ad 79c3 3d43 ...._.?.y.w.y.=C
0x00c0: 2820 241d ae62 2e3f e74b 6527 c0c6 8b76 (.$..b.?.Ke'...v
0x00d0: 1278 11a9 0491 e20c 9b52 8cc1 da98 7542 .x.......R....uB
0x00e0: 0204 406d 319b ebee 0d73 2a03 1cbf 379a ..@m1....s*...7.
0x00f0: a891 4b1d 262a 9f62 2e45 2f46 fb43 ..K.&*.b.E/F.C
1 packet captured
8 packets received by filter
0 packets dropped by kernel
This command prints the packet captured on ens3 as HEX and ASCII. -XX includes the link-layer header, so the dump starts with the 14-byte Ethernet header (destination MAC, source MAC, EtherType 0x0800 for IPv4); -X omits it and starts at the IP header.
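To see what the hex columns actually encode, the following added Python example (written for this page, not code from the original article) rebuilds the raw frame from the -XX dump shown above and decodes it with nothing but the standard library. It shows that the first 14 bytes are the Ethernet header that -X would omit, checks the IPv4 header checksum, and reproduces tcpdump's own summary line for this packet in -n form (numeric addresses): 10.100.0.111 is the host that name resolution printed as postgres. Everything after byte 66 is the SSH record, which is why the -A output above is unreadable. The only assumption is in the dump parser, noted in the comment.

```python
import ipaddress
import re
import struct

# The dump tcpdump -XX printed above for the ens3 frame (offset, hex words, ASCII column).
XX_DUMP = """\
0x0000: 084f a97c 5d51 fa16 3e96 388e 0800 4512 .O.|]Q..>.8...E.
0x0010: 00f0 bbb4 4000 4006 6955 0a64 006f 0a14 ....@.@.iU.d.o..
0x0020: 0006 0016 cda1 39d3 d107 5ba7 695d 8018 ......9...[.i]..
0x0030: 01f5 15cf 0000 0101 080a 8565 ce4c 7e9f ...........e.L~.
0x0040: 86e6 0601 afa8 4764 4f67 1f19 3a2c 08c3 ......GdOg..:,..
0x0050: f997 00cf f6f7 a968 6ae0 47c4 dd54 8284 .......hj.G..T..
0x0060: 1451 3cc8 b9eb 1c05 aef8 c24b 9d5d d716 .Q<........K.]..
0x0070: a7b0 a3d0 8bbc e5a8 b2f9 4e3e b49c fea9 ..........N>....
0x0080: ac0d 7e8f 27d9 3b51 f8bc d19f 56ad 1348 ..~.'.;Q....V..H
0x0090: 326a d515 8ef7 296b 35fb d20e 92fb dc69 2j....)k5......i
0x00a0: fc22 e0a3 f854 3208 f1d8 c780 61cc 0172 ."...T2.....a..r
0x00b0: 9209 f68e 5fb2 3fdf 7903 77ad 79c3 3d43 ...._.?.y.w.y.=C
0x00c0: 2820 241d ae62 2e3f e74b 6527 c0c6 8b76 (.$..b.?.Ke'...v
0x00d0: 1278 11a9 0491 e20c 9b52 8cc1 da98 7542 .x.......R....uB
0x00e0: 0204 406d 319b ebee 0d73 2a03 1cbf 379a ..@m1....s*...7.
0x00f0: a891 4b1d 262a 9f62 2e45 2f46 fb43 ..K.&*.b.E/F.C
"""

# Up to eight 4-digit hex words follow the offset; the ASCII column is skipped. Assumption:
# the ASCII column of a short last line does not itself start with four hex digits.
HEX_LINE = re.compile(r"\s*0x([0-9a-f]+):((?:\s+[0-9a-f]{4}){1,8})")

def parse_xx_dump(text):
    """Rebuild the raw frame bytes from -X/-XX output."""
    raw = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(raw):
            raise ValueError("offset column does not match the bytes read so far")
        raw += bytes.fromhex("".join(m.group(2).split()))
    return bytes(raw)

TCP_FLAG_LETTERS = "FSRP.UEW"   # tcpdump's letters for FIN SYN RST PSH ACK URG ECE CWR

def tcp_flag_str(flags):
    return "".join(ch for i, ch in enumerate(TCP_FLAG_LETTERS) if flags & (1 << i))

def ip_header_checksum_ok(ip_hdr):
    """RFC 1071: the one's-complement sum of all header words, checksum included, is 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(ip_hdr) // 2), ip_hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def tcp_options(opts):
    """Render TCP options as tcpdump does; nop/eol/timestamp are all this frame uses."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            out.append("eol")
            break
        if kind == 1:
            out.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if kind == 8 and length == 10:
            out.append("TS val %d ecr %d" % struct.unpack("!II", opts[i + 2:i + 10]))
        else:
            out.append("opt-%d" % kind)
        i += length
    return out

def decode_frame(raw):
    """Ethernet -> IPv4 -> TCP. -XX includes the 14-byte Ethernet header; -X starts at IP."""
    dst_mac, src_mac, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("example handles IPv4 only, got EtherType 0x%04x" % ethertype)
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("example handles TCP only, got protocol %d" % proto)
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
        "ttl": ttl, "ip_csum_ok": ip_header_checksum_ok(ip[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcp_flag_str(off_flags & 0x1FF), "win": win,
        "options": tcp_options(tcp[20:data_off]),
        "length": len(tcp) - data_off, "frame_len": len(raw),
    }

def summary_line(d):
    """The line tcpdump -n prints for this packet (numeric addresses, no name lookups)."""
    return ("IP %s.%d > %s.%d: Flags [%s], seq %d:%d, ack %d, win %d, options [%s], length %d"
            % (d["src"], d["sport"], d["dst"], d["dport"], d["flags"], d["seq"],
               d["seq"] + d["length"], d["ack"], d["win"], ",".join(d["options"]), d["length"]))

def decode_page_frame():
    return decode_frame(parse_xx_dump(XX_DUMP))

if __name__ == "__main__":
    f = decode_page_frame()
    print("%s > %s, IPv4 TTL %d, header checksum ok: %s"
          % (f["src_mac"], f["dst_mac"], f["ttl"], f["ip_csum_ok"]))
    print(summary_line(f))
```

Compare the printed summary with the line tcpdump printed above the dump: the sequence numbers, acknowledgement, window, timestamps and length all come straight out of the bytes at offsets 34 to 65, and the 188-byte length is the frame size (254) minus the 14-byte Ethernet, 20-byte IP and 32-byte TCP headers.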
3.5 Saving captured packets to a file
Use the -w option with a file name to write the capture to a file.
root@dev:~# sudo tcpdump -w ens3.pcap -i ens3
------------------------------------------------------------------------------------
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
This command writes every captured packet to the file ens3.pcap. While -w is active nothing is printed per packet; stop the capture with Ctrl+C or bound it with -c.
root@dev:~# ls
------------------------------------------------------------------------------------
ens3.pcap
The .pcap extension is a convention rather than a requirement: the file is in binary pcap format whatever it is called, cannot be read as text, and is recognised by Wireshark and tcpdump from its header. On distributions that build tcpdump to drop root privileges once the capture is open (see the -Z option in the manual), the file is created as the unprivileged tcpdump user, so the target directory must be writable by that user. Treat capture files as sensitive: at the default snapshot length they hold full payloads, including any credentials or session data sent in the clear.
3.6 Reading captured packets from a file
Use tcpdump or Wireshark. tcpdump can read its own files, but Wireshark is often the more convenient choice. Reading a file needs no root privileges, and the same filter expressions shown later can be appended to select packets from the file.
tcpdump:
root@dev:~# sudo tcpdump -r ens3.pcap
------------------------------------------------------------------------------------
reading from file ens3.pcap, link-type EN10MB (Ethernet)
00:04:38.837053 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 970188379:970188503, ack 1537700029, win 501, options [nop,nop,TS val 2238201177 ecr 2124542727], length 124
00:04:38.860158 IP 10.20.0.6.52641 > postgres.ssh: Flags [.], ack 124, win 18802, options [nop,nop,TS val 2124542820 ecr 2238201177], length 0
00:04:41.361641 a4:16:e7:49:9d:2e (oui Unknown) > Broadcast, ethertype Unknown (0x9998), length 60:
0x0000: 0001 0000 0014 0000 0004 0000 0000 0000 ................
0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
00:04:41.760126 IP postgres.ssh > 10.40.3.185.50731: Flags [P.], seq 4069736875:4069737055, ack 1816987167, win 501, options [nop,nop,TS val 2779863134 ecr 284796024], length 180
00:04:41.763115 IP postgres.ssh > 10.40.3.185.58362: Flags [P.], seq 3030415738:3030415918, ack 1191141323, win 501, options [nop,nop,TS val 2779863137 ecr 284796006], length 180
00:04:41.799853 IP postgres.ssh > 10.40.3.185.58362: Flags [P.], seq 180:392, ack 1, win 501, options [nop,nop,TS val 2779863174 ecr 284796006], length 212
00:04:41.802295 IP 10.40.3.185.58362 > postgres.ssh: Flags [.], ack 392, win 510, options [nop,nop,TS val 284806008 ecr 2779863137], length 0
00:04:41.804690 IP 10.40.3.185.50731 > postgres.ssh: Flags [.], ack 180, win 511, options [nop,nop,TS val 284806010 ecr 2779863134], length 0
This command reads the captured packets from the file ens3.pcap.
Viewing the capture in Wireshark: if Wireshark is installed, whether on Linux, macOS or Windows, it opens the same PCAP files. Its interface is friendlier and more flexible than tcpdump's, especially when working with several capture files from different machines. Its use is not covered in this article.
3.7 Printing numeric addresses instead of names (-n)
root@dev:~# sudo tcpdump -c 2 -n -i ens3
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:09:54.353019 IP 10.100.0.111.22 > 10.20.0.6.52641: Flags [P.], seq 971580299:971580487, ack 1537703757, win 501, options [nop,nop,TS val 2238516693 ecr 2124856665], length 188
00:09:54.353201 IP 10.100.0.111.22 > 10.20.0.6.52641: Flags [P.], seq 188:408, ack 1, win 501, options [nop,nop,TS val 2238516693 ecr 2124856665], length 220
2 packets captured
2 packets received by filter
0 packets dropped by kernel
With -n, tcpdump does not resolve IP addresses to host names or port numbers to service names: the same SSH connection that appeared above as postgres.ssh > 10.20.0.6.52641 is now shown as 10.100.0.111.22 > 10.20.0.6.52641. Use -n routinely. The reverse lookups slow the display, generate traffic of their own (the PTR query for 6.0.20.10.in-addr.arpa in 3.2 is one of them), and during an investigation they tell the DNS server which addresses you are looking at.
3.8 Capturing only TCP packets
root@dev:~# sudo tcpdump -c 2 -i ens3 tcp
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:19.479446 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 971582315:971582503, ack 1537704937, win 501, options [nop,nop,TS val 2238601820 ecr 2124941357], length 188
00:11:19.489474 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 188:400, ack 1, win 501, options [nop,nop,TS val 2238601830 ecr 2124941357], length 212
2 packets captured
3 packets received by filter
0 packets dropped by kernel
This command captures only TCP packets on ens3. tcp here is a filter expression; udp, icmp, arp and ip work the same way.
3.9 Filtering by source or destination IP address
Keyword | Description
---|---
host | any packet with this host in the source or destination field
src | any packet with this host in the source field
dst | any packet with this host in the destination field
src and dst | any packet with this host in both the source and destination fields (combine as src host A and dst host B to match one direction of a conversation)
src or dst | any packet with this host in either the source or destination field (equivalent to host)
Capture packets for a given host IP (everything it sends and receives):
root@dev:~# sudo tcpdump -c 2 -i ens3 host 10.20.0.6
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:18:45.205402 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 974591087:974591275, ack 1537711413, win 501, options [nop,nop,TS val 2239047546 ecr 2125383272], length 188
00:18:45.212331 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 188:400, ack 1, win 501, options [nop,nop,TS val 2239047553 ecr 2125383272], length 212
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Capture all packets sent by 10.20.0.6:
root@dev:~# sudo tcpdump -i ens3 src host 10.20.0.6
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:20:05.389193 IP 10.20.0.6.52641 > postgres.ssh: Flags [.], ack 974594659, win 18801, options [nop,nop,TS val 2125463074 ecr 2239127713], length 0
00:20:05.418196 IP 10.20.0.6.52641 > postgres.ssh: Flags [.], ack 189, win 18801, options [nop,nop,TS val 2125463096 ecr 2239127737], length 0
00:20:05.436097 IP 10.20.0.6.52641 > postgres.ssh: Flags [.], ack 369, win 18801, options [nop,nop,TS val 2125463119 ecr 2239127759], length 0
Capture all packets received by 10.20.0.6:
root@dev:~# sudo tcpdump -i ens3 dst host 10.20.0.6
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:38:58.226948 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 976263207:976263315, ack 1537733557, win 501, options [nop,nop,TS val 2240260567 ecr 2126590176], length 108
00:38:58.227114 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 108:252, ack 1, win 501, options [nop,nop,TS val 2240260567 ecr 2126590176], length 144
00:38:58.227228 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 252:288, ack 1, win 501, options [nop,nop,TS val 2240260567 ecr 2126590176], length 36
00:38:58.234606 IP postgres.ssh > 10.20.0.6.52641: Flags [P.], seq 288:500, ack 1, win 501, options [nop,nop,TS val 2240260575 ecr 2126590176], length 212
Capture traffic between 10.20.0.6 and either 10.20.0.7 or 10.20.0.8. The expression is quoted so the shell does not try to interpret the parentheses, and an address given without a keyword inherits the previous keyword, so (10.20.0.7 or 10.20.0.8) means (host 10.20.0.7 or host 10.20.0.8). Without -i the capture again lands on the default interface:
root@dev:~# sudo tcpdump 'host 10.20.0.6 and (10.20.0.7 or 10.20.0.8)'
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth56ad7af, link-type EN10MB (Ethernet), capture size 262144 bytes
Capture IP packets between 10.20.0.6 and every host except 10.20.0.7 (! is the same as not; quoting keeps it away from shell history expansion):
root@dev:~# sudo tcpdump 'ip host 10.20.0.6 and ! 10.20.0.7'
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth56ad7af, link-type EN10MB (Ethernet), capture size 262144 bytes
3.10 Filtering by port number
Filter on the destination port:
root@dev:~# sudo tcpdump -i ens3 dst port 22
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:23:17.889107 IP 10.20.0.6.52641 > postgres.ssh: Flags [.], ack 974625303, win 18801, options [nop,nop,TS val 2125654589 ecr 2239320214], length 0
00:23:17.915460 IP 10.20.0.6.52641 > postgres.ssh: Flags [.], ack 189, win 18801, options [nop,nop,TS val 2125654613 ecr 2239320238], length 0
00:23:17.931549 IP 10.20.0.6.52641 > postgres.ssh: Flags [.], ack 369, win 18801, options [nop,nop,TS val 2125654629 ecr 2239320256], length 0
Monitor UDP port 123 (NTP) on this host. No -i is given, so the banner shows the capture on the default interface veth56ad7af; add -i ens3 to watch the interface where NTP traffic actually arrives:
root@dev:~# sudo tcpdump udp port 123
------------------------------------------------------------------------------------
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth56ad7af, link-type EN10MB (Ethernet), capture size 262144 bytes
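The filter primitives from 3.9 and 3.10, together with the -w/-r file format from 3.5 and 3.6, can be exercised without root and without a live interface. The following added Python example is my code for this page, not the article's: it constructs six sample frames (dummy locally administered MAC addresses, zeroed checksums, addresses loosely modelled on the captures above), writes them into a pcap file with the same global and per-record headers that tcpdump -w produces, reads them back the way -r does, and evaluates the host, src, dst, port and protocol expressions used above with pcap-filter semantics. Only the standard library is used.

```python
import ipaddress
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap
LINKTYPE_ETHERNET = 1     # "link-type EN10MB" in tcpdump's banner
TCP, UDP = 6, 17

def frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame with dummy MACs. Checksums stay 0:
    tcpdump -r still decodes it (and -v would report them as bad)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    if proto == TCP:   # data offset 5 words, flags PSH|ACK, window 501
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 501, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + l4

def write_pcap(path, frames, snaplen=262144):
    """24-byte global header, then a 16-byte record header per packet: what -w produces."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, fr in enumerate(frames):
            # ts_sec, ts_usec, captured length, original length (differ only if -s truncated)
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(fr), len(fr)) + fr)

def read_pcap(path):
    """Yield (timestamp, frame) like -r; the magic number reveals the writer's byte order."""
    with open(path, "rb") as f:
        magic = f.read(24)[:4]
        if magic == struct.pack("<I", PCAP_MAGIC):
            order = "<"
        elif magic == struct.pack(">I", PCAP_MAGIC):
            order = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng or nanosecond pcap?)")
        while rec := f.read(16):
            ts_sec, ts_usec, caplen, _orig = struct.unpack(order + "IIII", rec)
            yield ts_sec + ts_usec / 1e6, f.read(caplen)

def summarize(fr):
    """(proto, src, dst, sport, dport) for IPv4 TCP/UDP; None for anything else, which
    no ip/tcp/udp/host/port primitive can match."""
    if fr[12:14] != b"\x08\x00" or fr[23] not in (TCP, UDP):
        return None
    l4 = 14 + (fr[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", fr[l4:l4 + 4])
    return (fr[23], str(ipaddress.ip_address(fr[26:30])),
            str(ipaddress.ip_address(fr[30:34])), sport, dport)

# pcap-filter semantics: host matches either address, src/dst one side, port either port.
def host(a):     return lambda p: a in (p[1], p[2])
def src_host(a): return lambda p: p[1] == a
def dst_host(a): return lambda p: p[2] == a
def port(n):     return lambda p: n in (p[3], p[4])
def dst_port(n): return lambda p: p[4] == n
def tcp(p):      return p[0] == TCP
def udp(p):      return p[0] == UDP
def and_(*fs):   return lambda p: all(f(p) for f in fs)
def or_(*fs):    return lambda p: any(f(p) for f in fs)
def not_(f):     return lambda p: not f(p)

def select(path, expr):
    """Packets in the file that satisfy expr, as `tcpdump -r FILE 'expr'` would show."""
    return [s for _ts, fr in read_pcap(path) if (s := summarize(fr)) is not None and expr(s)]

SAMPLE = [  # constructed traffic, loosely modelled on the hosts in the captures above
    frame("10.20.0.6", "10.100.0.111", TCP, 52641, 22),
    frame("10.100.0.111", "10.20.0.6", TCP, 22, 52641, b"\x00" * 188),
    frame("10.20.0.6", "10.20.0.7", TCP, 40000, 443),
    frame("10.20.0.8", "10.20.0.6", TCP, 5000, 80),
    frame("10.20.0.6", "10.10.0.11", UDP, 123, 123, b"\x23" + b"\x00" * 47),
    frame("10.10.0.11", "10.20.0.7", UDP, 53, 36074),
]

def run_filters(path=None):
    """Write SAMPLE to path (a temp file if None) and count matches per expression."""
    if path is None:
        with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
            path = tmp.name
    write_pcap(path, SAMPLE)
    exprs = {
        "host 10.20.0.6": host("10.20.0.6"),
        "src host 10.20.0.6": src_host("10.20.0.6"),
        "dst host 10.20.0.6": dst_host("10.20.0.6"),
        "host 10.20.0.6 and (10.20.0.7 or 10.20.0.8)":
            and_(host("10.20.0.6"), or_(host("10.20.0.7"), host("10.20.0.8"))),
        "ip host 10.20.0.6 and not 10.20.0.7": and_(host("10.20.0.6"), not_(host("10.20.0.7"))),
        "tcp": tcp,
        "dst port 22": dst_port(22),
        "udp port 123": and_(udp, port(123)),
    }
    return {text: len(select(path, e)) for text, e in exprs.items()}

if __name__ == "__main__":
    for text, n in run_filters("sample.pcap").items():   # then: tcpdump -nr sample.pcap 'expr'
        print("%-45s %d packet(s)" % (text, n))
```

Run as a script it leaves sample.pcap behind, so the counts can be checked against the real tool with, for example, tcpdump -nr sample.pcap 'host 10.20.0.6 and (10.20.0.7 or 10.20.0.8)'. The key points are the ones that trip people up on the command line: host is symmetric while src and dst are not, a bare address after and/or inherits the previous keyword, and packets that are not IP at all (the 0x9998 broadcast frame seen in 3.6, for instance) never match any of these primitives.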
Originally published on the WeChat public account 滑翔的纸飞机: Linux 中的 tcpdump 命令示例 (tcpdump command examples on Linux)
Compiled by 极客之音; article link: https://www.bmabk.com/index.php/post/260881.html