~]$ sudo tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]
The devices listed above can be selected with -i dev to capture packets on that interface.
~]$ sudo tcpdump -i eth0 -c 3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:38:41.388895 IP 13.248.125.132.37196 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 3665636334, win 2014, options [nop,nop,TS val 1083056799 ecr 1675755283], length 0
03:38:41.389146 IP 99.82.173.66.58088 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 978012266, win 2014, options [nop,nop,TS val 1031202901 ecr 3469957515], length 0
03:38:41.390227 IP 13.248.115.61.61524 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [P.], seq 2332145948:2332146170, ack 3523970401, win 2014, options [nop,nop,TS val 1454561556 ecr 1165926638], length 222
3 packets captured
100 packets received by filter
9 packets dropped by kernel
~]$ sudo tcpdump -i eth0 -c 3 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:41:34.332790 IP 13.248.98.123.58200 > 10.31.1.74.10012: Flags [P.], seq 106251671:106251871, ack 1748469091, win 2014, options [nop,nop,TS val 1392634401 ecr 817044617], length 200
03:41:34.332957 IP 10.31.1.74.10012 > 13.248.98.121.9842: Flags [P.], seq 2880652137:2880652336, ack 1075202655, win 850, options [nop,nop,TS val 1486636778 ecr 1393164829], length 199
03:41:34.332965 IP 10.31.1.74.10012 > 13.248.98.123.58200: Flags [P.], seq 420:619, ack 200, win 613, options [nop,nop,TS val 817044728 ecr 1392634401], length 199
3 packets captured
38 packets received by filter
0 packets dropped by kernel
You can see that the hostname ip-10-31-1-74.ap-southeast-1.compute.internal is now displayed as the IP address 10.31.1.74.
-nn also displays ports as numbers; by default ports are shown as service names, for example port 80 is displayed as http.
Note that -s does not filter on packet size: however large a packet is, only the specified number of bytes of it is captured (the unit is bytes). For example, if you only want to look at the headers, you can keep just the first 64 bytes:
~]$ sudo tcpdump -i eth0 -c 3 -s 64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 64 bytes
03:52:13.605359 IP 13.248.125.130.61304 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 2139160988, win 2014, options [nop,nop,TS[|tcp]>
03:52:13.609252 IP 13.248.98.123.remote-winsock > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 4105886282, win 2014, options [nop,nop,TS[|tcp]>
03:52:13.609334 IP 13.248.115.67.9258 > ip-10-31-1-74.ap-southeast-1.compute.internal.10012: Flags [.], ack 3359161493, win 2014, options [nop,nop,TS[|tcp]>
3 packets captured
49 packets received by filter
0 packets dropped by kernel
b]$ sudo tcpdump -i eth0 -n -c 3 tcp "port 10012" -w 10012.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
3 packets captured
41 packets received by filter
0 packets dropped by kernel
Save the capture as a .pcap file; it can be opened with Wireshark or read directly with tcpdump -r.
If you don't want the .pcap format, redirecting the output to a plain text file with > capture.txt also works.
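An added example, not from the original post: a small Python parser for the -n style text output shown above, which also marks lines cut short by a small -s (the "[|tcp]" marker) and reads the kernel-drop count from the trailer. The sample input is constructed from the captures above; a non-zero drop count means the capture is incomplete.

```python
import re
from collections import Counter

# Constructed input: -n style lines modelled on the captures above, one of them
# cut short by a small -s ("[|tcp]"), plus a trailer that reports kernel drops.
SAMPLE = """\
03:41:34.332790 IP 13.248.98.123.58200 > 10.31.1.74.10012: Flags [P.], seq 106251671:106251871, ack 1748469091, win 2014, options [nop,nop,TS val 1392634401 ecr 817044617], length 200
03:41:34.332957 IP 10.31.1.74.10012 > 13.248.98.121.9842: Flags [P.], seq 2880652137:2880652336, ack 1075202655, win 850, options [nop,nop,TS val 1486636778 ecr 1393164829], length 199
03:52:13.605359 IP 13.248.125.130.61304 > 10.31.1.74.10012: Flags [.], ack 2139160988, win 2014, options [nop,nop,TS[|tcp]>
3 packets captured
100 packets received by filter
9 packets dropped by kernel
"""

# One TCP line: endpoints are "host.port" (last dot separates the port); "length N" is absent when -s cut the headers short.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:.*\blength (?P<length>\d+))?"
)
DROP_RE = re.compile(r"^(?P<n>\d+) packets dropped by kernel")

def parse_capture(text):
    """Return (list of TCP packet dicts, kernel drop count) from tcpdump text output."""
    packets, dropped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, _, sport = m["src"].rpartition(".")
            dst, _, dport = m["dst"].rpartition(".")
            packets.append({"ts": m["ts"], "src": src, "sport": sport, "dst": dst,
                            "dport": dport, "flags": m["flags"],
                            "length": int(m["length"]) if m["length"] else None,
                            "truncated": "[|" in line})  # "[|tcp]" = truncated by -s
        elif (d := DROP_RE.match(line)):
            dropped = int(d["n"])
    return packets, dropped

def summarize(text):
    """Payload bytes per (src, dst, dport) plus the counters to check before trusting a capture."""
    packets, dropped = parse_capture(text)
    payload = Counter()
    for p in packets:
        if p["length"] is not None:  # truncated lines carry no length
            payload[(p["src"], p["dst"], p["dport"])] += p["length"]
    return {"packets": len(packets),
            "push": sum("P" in p["flags"] for p in packets),
            "truncated": sum(p["truncated"] for p in packets),
            "dropped": dropped,  # non-zero means the capture is incomplete
            "payload_bytes": payload}
```

Capture with tcpdump -n ... > capture.txt as above and pass the file contents to summarize(). Lines for non-TCP traffic (the dhcp6 lines further down, for instance) have no Flags field and are skipped.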
host IP: filter by host
~]$ sudo tcpdump -i eth0 -n -c 3 "host 10.31.1.8"
src host IP: filter by source host
~]$ sudo tcpdump -i eth0 -n -c 3 "src host 10.31.1.8"
dst host IP: filter by destination host
~]$ sudo tcpdump -i eth0 -n -c 3 "dst host 10.31.1.8"
Note that it is dst host, not dest host.
net CIDR: filter by network range; source and destination networks follow the same pattern
~]$ sudo tcpdump -i eth0 -n -c 3 "net 10.31.0.0/16"
~]$ sudo tcpdump -i eth0 -n -c 3 "src net 10.31.0.0/16"
~]$ sudo tcpdump -i eth0 -n -c 3 "dst net 10.31.0.0/16"
port PORT: filter by port; source and destination ports follow the same pattern
~]$ sudo tcpdump -i eth0 -n -c 3 "port 10012"
~]$ sudo tcpdump -i eth0 -n -c 3 "src port 10012"
~]$ sudo tcpdump -i eth0 -n -c 3 "dst port 10012"
tcp / udp: filter by protocol
~]$ sudo tcpdump -i eth0 -nn -c 3 tcp "port 10012"
~]$ sudo tcpdump -i eth0 -n -c 3 udp
ip6: filter IPv6
~]$ sudo tcpdump -i eth0 -n -c 3 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:18:17.504845 IP6 fe80::48b:8dff:fe41:c1ce.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
06:20:12.584991 IP6 fe80::48b:8dff:fe41:c1ce.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
06:22:16.652850 IP6 fe80::48b:8dff:fe41:c1ce.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
3 packets captured
49 packets received by filter
0 packets dropped by kernel
and / or / not: combine filters
~]$ sudo tcpdump -i eth0 -n -c 3 "src net 10.31.0.0/16 and (port 10012 or port 10013)"