A One-Stop Guide to Using the tcpdump Command

2022-06-22 15:24:02

1. Introduction to tcpdump

  • tcpdump is an indispensable tool when debugging network problems. Like most of the good tools on Linux it is simple and powerful: a command-line packet sniffer for Unix-like systems that captures the packets flowing through a network interface.
  • By default tcpdump does not show traffic between two processes on the same host. That traffic still goes through the kernel's network stack and routing like any other (a local TCP connection still needs the usual socket tuple of src ip, src port, dst ip, dst port), but it is delivered over the loopback interface rather than a physical one, so a capture on eth0 never sees it. To see it, capture on the loopback interface (-i lo) or on all interfaces (-i any).
  • To capture frames addressed to other hosts' MAC addresses the interface must be in promiscuous mode, which in plain terms means the card passes up every frame it sees, whether or not it is addressed to this host or was sent by it. Unix does not let ordinary users enable promiscuous mode, because it exposes other people's traffic (a telnet username and password, say), so only root (or, on Linux, a process granted CAP_NET_RAW) can do it. tcpdump switches the interface to promiscuous mode itself when it opens it (use -p to prevent that); to do it by hand the BSD/macOS command is ifconfig en0 promisc, and the Linux equivalent is ip link set eth0 promisc on, where en0/eth0 is the interface. Note that on a switched network promiscuous mode only adds broadcast, multicast and flooded frames: other hosts' unicast traffic is not delivered to your switch port unless the switch mirrors it to you.

How packet capture works on Linux:

  • Packet capture on Linux works by registering a pseudo protocol at the bottom of the stack, which gives the capture module a say in the handling of every network packet (more precisely, of every frame the network device hands up). When the NIC delivers a frame, the kernel goes through the protocol handlers registered for that link type, such as the IP, ARP or X.25 modules, and offers the frame to the ones whose type matches. This is similar to how a filesystem is mounted: every registered filesystem driver is given the chance to recognise the volume, and the one that can handle it completes the mount.
  • When the capture module registers itself as one of these protocols (on Linux this is an AF_PACKET socket, which libpcap opens on tcpdump's behalf), the kernel offers it every frame the interface receives as well. The module does not take the frame away from the real protocol: it quietly copies it, hands the complete copy to the capturing process as if it were its own, and the original continues on to the IP stack. This is why capturing never alters the traffic, and why under load the kernel may drop capture copies rather than real packets; tcpdump reports these when it exits as "packets dropped by kernel".

2. Using tcpdump

2.1 Syntax

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
        [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,...  ]
        [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
        [ expression ]

1. Type qualifiers

host (the default type): a single host, e.g. host 159.48.22.2; a bare address with no qualifier is treated as host

net: a network, e.g. net 205.0.0.0 or, in CIDR form, net 192.168.2.0/24

port: a port number, e.g. port 22 (portrange 20-25 selects a range)

2. Direction qualifiers

src: src 159.48.22.2, packets whose IP source address is 159.48.22.2

dst: dst net 205.0.0.0, packets whose destination lies in network 205.0.0.0

src or dst (the default when no direction is given)

src and dst

3. Protocol qualifiers: when none is given, packets of every protocol are matched

fddi

ip

ip6

arp

rarp

tcp

udp

icmp

4. Other keywords

gateway (gateway host: packets that passed through host as a gateway, i.e. its Ethernet address is the source or destination but its IP address is neither)

broadcast (ether broadcast, ip broadcast)

less (less N: packets no longer than N bytes)

greater (greater N: packets at least N bytes long)

5. Operators: several conditions can be combined and grouped with parentheses, but parentheses, ! and the like are shell metacharacters, so put the whole expression in single quotes (or escape them with backslashes)

NOT: ! or not

AND: && or and

OR: || or or

2.2 Options

-A: print each packet (minus its link-level header) in ASCII; handy for looking at web traffic and other text protocols;
-a: convert network and broadcast addresses to names (an old option; current releases no longer accept it, and it is absent from the synopsis above);
-c <count>: exit after receiving the given number of packets;
-C <file_size>: used with -w; before writing each packet, check whether the current file is larger than file_size (in millions of bytes) and if so start a new file, appending 1, 2, 3, ... to the name;
-d: dump the compiled packet-matching (BPF) code in a human-readable form and exit;
-dd: dump it as a C program fragment;
-ddd: dump it as decimal numbers, preceded by a count;
-D: list the interfaces (number and name) on this host that can be used with -i;
-e: print the link-level header (source and destination MAC addresses, ethertype) on each line;
-f: print "foreign" IPv4 addresses numerically rather than symbolically;
-F <file>: read the filter expression from the file; any expression given on the command line is ignored;
-i <interface>: listen on this interface; if none is given, the lowest-numbered configured interface that is up, excluding loopback, is used (see -D); on Linux 2.2 and later the pseudo-interface any captures on all interfaces at once (captures on any are not done in promiscuous mode);
-l: make stdout line-buffered; needed when you pipe the output into another program (tcpdump -l | tee out) or want to see lines as they arrive;
-n: do not convert addresses (host addresses, port numbers) to names;
-N: do not print the domain part of host names (nic instead of nic.ddn.mil);
-O: do not run the packet-matching code optimizer; useful only when you suspect a bug in it;
-p: do not put the interface into promiscuous mode;
-q: quick (quiet) output: print less protocol information, so lines are shorter;
-r <file>: read packets from a file (normally one created with -w) instead of from an interface;
-s <snaplen>: capture at most snaplen bytes of each packet. Old releases defaulted to 68 bytes (later 96), enough for the IP and TCP headers but not the payload, so -s 0 (meaning "the maximum") was needed before -A or -X showed anything useful; since tcpdump 4.0 the default is the whole packet (262144 bytes in current releases, as the "capture size" line in the examples shows), and a small snaplen is now something you set deliberately to save disk or to avoid recording payload;
-S: print absolute rather than relative TCP sequence numbers;
-t: do not print a timestamp on each line;
-tt: print an unformatted timestamp (seconds and microseconds since the Unix epoch) on each line;
-T <type>: force packets selected by the expression to be interpreted as the given type, e.g. rpc (remote procedure call) or snmp (simple network management protocol);
-v: slightly more verbose output, e.g. TTL, identification, total length and options in IP packets, plus extra integrity checks such as verifying the IP header checksum;
-vv: even more verbose output (e.g. NFS replies and SMB packets are decoded fully); -vvv goes further still;
-x/-xx/-X/-XX: also print the packet in hex (-x: without the link-level header, -xx: with it) or in hex plus ASCII (-X / -XX); see the man page for the details;
-w <file>: write the raw packets to the file instead of parsing and printing them; the file is in libpcap format and can be read later with -r or opened in Wireshark; use - for standard output;
-Z <user>: drop root privileges and switch to this user once the capture device is open (many distribution builds do this automatically, switching to a dedicated tcpdump user); this limits what a bug in one of tcpdump's many protocol decoders can do with the untrusted data it is fed;
expression: the filter expression that selects which packets to capture;

2.3 Working examples

1. Start tcpdump with no arguments: it captures every packet on the first network interface, i.e. the lowest-numbered non-loopback interface that is up (the "listening on" line names it)

[root@localhost ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:28:18.573605 IP 192.168.2.195.23282 > 192.168.2.252.24118: UDP, length 172
07:28:18.574144 IP 192.168.2.252.36558 > 192.168.2.195.17168: UDP, length 172

2. Capture all packets on a specific interface

[root@localhost ~]# tcpdump -i ens37
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
21:20:31.431060 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1904493269:1904493457, ack 1808492261, win 257, length 188
21:20:31.431604 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 188, win 4098, length 0

3. Capture all packets on ens37 whose source or destination address is 192.168.2.195 (the last line of the output is a reverse DNS query that tcpdump itself sends to turn 192.168.2.252 into a name; add -n to suppress name lookups, which keeps the output clean, avoids the delay, and stops the capture from telling the resolver which addresses you are watching)

[root@localhost ~]# tcpdump -i ens37 host 192.168.2.195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
21:24:05.041207 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1904781305:1904781493, ack 1808494885, win 257, length 188
21:24:05.041799 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 188, win 4095, length 0
21:24:05.042899 IP localhost.localdomain.37266 > gateway.domain: 26682  PTR? 252.2.168.192.in-addr.arpa. (44)

4. Capture host 192.168.2.195's traffic with every host except 192.168.2.161 (the expression is quoted so the shell passes ! through untouched; not is an equivalent spelling)

[root@vos23-253 ~]# tcpdump -n 'host 192.168.2.195 and ! 192.168.2.161'

5. Capture the traffic between host 192.168.2.195 and either 192.168.2.161 or 192.168.2.192 (the parentheses must be quoted or escaped, otherwise the shell tries to interpret them)

[root@vos23-253 ~]# tcpdump 'host 192.168.2.195 and (192.168.2.161 or 192.168.2.192)'

6. Capture only IP packets between host 192.168.2.195 and every host except 192.168.2.161 (the protocol qualifier ip is part of the expression, so options such as -n go before it)

[root@vos23-253 ~]# tcpdump -n 'ip and host 192.168.2.195 and ! 192.168.2.161'

7. Capture all packets sent by host 192.168.2.195

[root@localhost ~]# tcpdump -i ens37 src host 192.168.2.195   (note the direction of the traffic)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:03:26.464844 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1905084757:1905084945, ack 1808509393, win 257, length 188
22:03:26.469440 IP localhost.localdomain.39264 > gateway.domain: 27217  PTR? 252.2.168.192.in-addr.arpa. (44)
22:03:26.481412 IP localhost.localdomain.53247 > gateway.domain: 6371  PTR? 195.2.168.192.in-addr.arpa. (44)
22:03:26.487318 IP localhost.localdomain.58260 > gateway.domain: 52148  PTR? 1.2.168.192.in-addr.arpa. (42)
22:03:26.487878 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 188:368, ack 1, win 257, length 180
22:03:26.492947 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 368:860, ack 1, win 257, length 492
22:03:26.496669 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 860:1016, ack 1, win 257, length 156

8. Capture all packets received by host 192.168.2.195

[root@localhost ~]# tcpdump -i ens37 dst host 192.168.2.195   (note the direction of the traffic)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:05:38.212869 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 1905088285, win 4095, length 0
22:05:38.218244 IP gateway.domain > localhost.localdomain.53967: 14803 NXDomain* 0/0/0 (44)
22:05:38.229078 IP gateway.domain > localhost.localdomain.46026: 48360 NXDomain* 0/0/0 (44)
22:05:38.232544 IP gateway.domain > localhost.localdomain.49773: 29420 NXDomain* 0/0/0 (42)
22:05:38.233906 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 473, win 4100, length 0
22:05:38.278512 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 621, win 4099, length 0
22:05:38.323606 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 769, win 4099, length 0
22:05:38.367239 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 917, win 4098, length 0

9. Capture all of host 192.168.2.195's traffic on TCP port 80

[root@localhost ~]# tcpdump -i ens37 host 192.168.2.195 and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:09:41.001031 IP 192.168.2.252.56896 > localhost.localdomain.http: Flags [S], seq 4142713941, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:09:41.001115 IP localhost.localdomain.http > 192.168.2.252.56896: Flags [S.], seq 2314038867, ack 4142713942, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
22:09:41.001867 IP 192.168.2.252.56897 > localhost.localdomain.http: Flags [S], seq 1124231281, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:09:41.001951 IP localhost.localdomain.http > 192.168.2.252.56897: Flags [S.], seq 3765993047, ack 1124231282, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

10. Capture the packets that HTTP host 192.168.2.195 receives on port 80 (dst port 80 selects the client-to-server direction only, which is why the server's replies seen in the previous example are absent here while the GET requests are visible)

[root@localhost ~]# tcpdump -i ens37 host 192.168.2.195 and dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:14:53.001984 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [S], seq 522768429, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.003398 IP 192.168.2.252.57018 > localhost.localdomain.http: Flags [S], seq 638329607, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.004030 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [.], ack 3320819599, win 513, length 0
22:14:53.004096 IP 192.168.2.252.57018 > localhost.localdomain.http: Flags [.], ack 285611684, win 513, length 0
22:14:53.162771 IP 192.168.2.252.56947 > localhost.localdomain.http: Flags [F.], seq 2938864200, ack 2243393952, win 1020, length 0
22:14:53.163069 IP 192.168.2.252.56946 > localhost.localdomain.http: Flags [F.], seq 2820151409, ack 882247900, win 1024, length 0
22:14:53.163179 IP 192.168.2.252.57023 > localhost.localdomain.http: Flags [S], seq 3156484712, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.163531 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [S], seq 21775267, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.163890 IP 192.168.2.252.57023 > localhost.localdomain.http: Flags [.], ack 990188203, win 1024, length 0
22:14:53.163943 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [.], ack 19856703, win 1024, length 0
22:14:53.164541 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [P.], seq 0:403, ack 1, win 1024, length 403: HTTP: GET / HTTP/1.1
22:14:53.180512 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [.], ack 181, win 1023, length 0
22:14:53.189681 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [P.], seq 403:780, ack 181, win 1023, length 377: HTTP: GET /root/1.jpg HTTP/1.1

2.4 Try it on a website

Say you want to capture the traffic generated by visiting a website, for instance http://www.baidu.com/. How?

1. Capture every packet sent to or received from the host www.baidu.com with tcpdump. The name is resolved once, when the filter is compiled; if it has several A records the filter matches all of them, which is why the captures below show 14.215.177.39 in one run and 14.215.177.38 in another.

[root@localhost ~]# tcpdump -i ens37 host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes

2. In a second terminal, fetch the page

[root@localhost ~]# curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道

Terminal 1 shows:

...
22:34:15.927132 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [S], seq 943770983, win 29200, options [mss 1460,sackOK,TS val 449936864 ecr 0,nop,wscale 7], length 0
22:34:15.964430 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [S.], seq 922061785, ack 943770984, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:34:15.964500 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 1, win 229, length 0
22:34:15.964788 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
22:34:16.001627 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [.], ack 78, win 908, length 0
22:34:16.005731 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [P.], seq 1:2782, ack 78, win 908, length 2781: HTTP: HTTP/1.1 200 OK
22:34:16.005786 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2782, win 272, length 0
22:34:16.006299 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [F.], seq 78, ack 2782, win 272, length 0
22:34:16.019073 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [P.], seq 1421:2782, ack 78, win 908, length 1361: HTTP
22:34:16.019127 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2782, win 272, options [nop,nop,sack 1 {1421:2782}], length 0
22:34:16.058086 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [.], ack 79, win 908, length 0
22:34:16.058144 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [F.], seq 2782, ack 79, win 908, length 0
22:34:16.058170 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2783, win 272, length 0

3. Why does the acknowledgement number show as 1? tcpdump prints sequence and acknowledgement numbers relative to the first ones seen on the connection; -S prints the absolute values instead

[root@localhost ~]# tcpdump -S -i ens37 host www.baidu.com   (fetch the page again from the other terminal)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:37:03.007599 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [S], seq 2579767550, win 29200, options [mss 1460,sackOK,TS val 450103944 ecr 0,nop,wscale 7], length 0
22:37:03.046689 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [S.], seq 159367515, ack 2579767551, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:37:03.046759 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [.], ack 159367516, win 229, length 0
22:37:03.047002 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [P.], seq 2579767551:2579767628, ack 159367516, win 229, length 77: HTTP: GET / HTTP/1.1
22:37:03.085555 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [.], ack 2579767628, win 908, length 0
22:37:03.087793 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [P.], seq 159367516:159368956, ack 2579767628, win 908, length 1440: HTTP: HTTP/1.1 200 OK
22:37:03.087850 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [.], ack 159368956, win 251, length 0
22:37:03.088470 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [P.], seq 159368956:159370297, ack 2579767628, win 908, length 1341: HTTP

4. How do you see the HTTP messages themselves? -A prints each packet's payload as ASCII. That works here because HTTP is plaintext: the request line, the Host header and the Set-Cookie header below are exactly what anyone sniffing the path sees, which is the argument for HTTPS, where -A would show only opaque TLS records.

[root@localhost ~]# tcpdump -A -i ens37 host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:39:41.707406 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [S], seq 3662513049, win 29200, options [mss 1460,sackOK,TS val 450262644 ecr 0,nop,wscale 7], length 0
E..<..@.@..e.......&.6.P.M........r............
..vt........
22:39:41.751033 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [S.], seq 3205237971, ack 3662513050, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E`.<..@.7......&.....P.6.....M.... ..g......................
22:39:41.751103 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [.], ack 1, win 229, length 0
E..(..@.@..x.......&.6.P.M......P.......
22:39:41.751403 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
E..u..@.@..*.......&.6.P.M......P.......GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.baidu.com
Accept: */*
22:39:41.795966 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [.], ack 78, win 908, length 0
E`.(..@.4..k...&.....P.6.....M..P...SC....    
22:39:41.928944 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [P.], seq 1:1441, ack 78, win 908, length 1440: HTTP: HTTP/1.1 200 OK
E`....@.4......&.....P.6.....M..P....#..HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Mon, 09 Mar 2020 08:39:55 GMT
Etag: "588604dc-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:56 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/

5. Save the capture to the file test1. -w writes the raw packets in libpcap format rather than decoded text, so -A has no effect here; the file can be read back with -r (below) or opened in Wireshark. When capturing to disk for any length of time, keep -n and a filter, and use -C/-W or -G to rotate files so a long capture cannot fill the disk.

[root@localhost ~]# tcpdump -A -i ens37 -w test1 host www.baidu.com

6. Read the basic information back from that file

[root@localhost ~]# tcpdump -r test1 
reading from file test1, link-type EN10MB (Ethernet)
22:42:01.321830 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [S], seq 2706590061, win 29200, options [mss 1460,sackOK,TS val 450402259 ecr 0,nop,wscale 7], length 0

7. To see more, for example the HTTP messages above

[root@localhost ~]# tcpdump -A -r test1 
reading from file test1, link-type EN10MB (Ethernet)
22:42:01.321830 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [S], seq 2706590061, win 29200, options [mss 1460,sackOK,TS val 450402259 ecr 0,nop,wscale 7], length 0
E..<..@.@..........'.2.P.SIm......r............
............
22:42:01.361527 IP 14.215.177.39.http > localhost.localdomain.58162: Flags [S.], seq 2388635062, ack 2706590062, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E`.<..@.7..3...'.....P.2._...SIn.. ..Z......................
22:42:01.361596 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [.], ack 1, win 229, length 0
E..(..@.@..........'.2.P.SIn._..P.......
22:42:01.361876 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
E..u..@.@..X.......'.2.P.SIn._..P.......GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.baidu.com
Accept: */*

8. And at the same time print the acknowledgement numbers as absolute values

[root@localhost ~]# tcpdump -AS -r test1
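The capture mechanism from section 1 and the file that -w writes and -r reads, shown in code. This is an added example written for this page, not code from the original post or from tcpdump: sniff() opens the same kind of Linux packet socket (AF_PACKET, wildcard protocol) that libpcap uses, so it receives a copy of every frame on the interface next to the real protocol handlers (it needs root or CAP_NET_RAW on a Linux host; the interface name is an assumption); parse_frame() decodes Ethernet/IPv4/TCP/UDP headers into the fields tcpdump prints; write_pcap()/read_pcap() produce and consume the libpcap format of test1. The SYN frame built by make_syn_frame() is constructed for the example, using the addresses from the captures above and zero checksums.

```python
import socket
import struct

ETH_P_ALL = 0x0003            # wildcard packet type: the kernel hands us every frame
ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC_US = 0xA1B2C3D4    # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1         # DLT_EN10MB, what tcpdump's "link-type EN10MB" means
# Order in which tcpdump prints the flag letters inside Flags [...]
TCP_FLAG_ORDER = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

def tcp_flag_string(flags):
    """Render TCP flag bits the way tcpdump does, e.g. 0x12 -> 'S.'."""
    return "".join(name for bit, name in TCP_FLAG_ORDER if flags & bit)

def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers into the fields tcpdump prints; None otherwise."""
    if len(frame) < 14:
        return None
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return None                      # ARP, IPv6 and runt frames are not decoded here
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    rec = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    l4 = ip[ihl:total_len]    # slice by the IP total length so Ethernet padding is not counted
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        rec.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                   flags=tcp_flag_string(off_flags & 0xFF),
                   length=max(0, len(l4) - (off_flags >> 12) * 4))
    elif proto == 17 and len(l4) >= 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        rec.update(sport=sport, dport=dport, length=ulen - 8)
    return rec

def summary_line(rec):
    """One TCP packet in the shape of a tcpdump -n output line."""
    return (f"{rec['src']}.{rec['sport']} > {rec['dst']}.{rec['dport']}: Flags [{rec['flags']}], "
            f"seq {rec['seq']}, ack {rec['ack']}, win {rec['win']}, length {rec['length']}")

def write_pcap(frames, snaplen=262144):
    """Serialise (timestamp, frame) pairs in the libpcap format that tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, frame) from libpcap bytes as tcpdump -r would; accepts either
    byte order and the nanosecond-resolution magic."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    if struct.unpack(endian + "HHiIII", data[4:24])[5] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    pos = 24
    while pos + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break                 # file cut short, e.g. tcpdump killed mid-write
        pos += 16 + incl_len
        yield sec + frac / (1e9 if nanos else 1e6), frame

def sniff(interface="eth0", count=10):
    """What tcpdump does underneath on Linux: a raw packet socket gets a copy of every
    frame on the interface. Needs root or CAP_NET_RAW; interface name is an assumption."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((interface, 0))
    try:
        for _ in range(count):
            rec = parse_frame(sock.recv(65535))
            if rec and rec["proto"] == 6 and "flags" in rec:
                print(summary_line(rec))
    finally:
        sock.close()

def make_syn_frame(src="192.168.2.252", dst="192.168.2.195", sport=56896, dport=80,
                   seq=4142713941):
    """Constructed input: a TCP SYN in an Ethernet/IPv4 frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp

if __name__ == "__main__":
    # Round-trip one constructed SYN through the writer and reader, like -w then -r.
    for ts, frame in read_pcap(write_pcap([(1583743223.001031, make_syn_frame())])):
        print(f"{ts:.6f}", summary_line(parse_frame(frame)))
```

Run as a script it round-trips one constructed SYN through the pcap writer and reader and prints it in tcpdump's one-line form; call sniff("ens37") as root to print live TCP traffic from a real interface. Note what this decoder does not do that tcpdump does: verify checksums, reassemble fragments, decode IPv6 or TCP options. It also makes the point behind -Z concrete: every byte this code touches came off the wire, so a parsing bug here is reachable by anyone who can send you a packet.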
Notes:

Options that take no argument, such as -A, -S and -e, can share a single dash, as -AS does above.

'src host www.baidu.com' is the expression; when it gets long, wrap it in single quotes:

[root@localhost ~]# tcpdump -i ens37 'src host www.baidu.com'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:47:52.389567 IP 14.215.177.38.http > localhost.localdomain.43834: Flags [S.], seq 1091142458, ack 3695757409, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:47:52.430102 IP 14.215.177.38.http > localhost.localdomain.43834: Flags [.], ack 78, win 908, length 0
Column 1 is the timestamp: hours, minutes, seconds, microseconds

Column 2 is the network-layer protocol name (IP, or IP6 for IPv6)

Column 3 is the sender's IP address in dotted decimal followed by its port number (the port is shown as a service name such as http or ssh when one is known; add -n if you want numbers here and no name lookups at all)

Column 4 is the greater-than sign

Column 5 is the receiver's address and port, formatted the same way

Column 6 is a colon

Column 7 is the TCP flags field: S = SYN, . = ACK, F = FIN, R = RST, P = PSH, so [S] is a SYN, [S.] a SYN/ACK, [.] a pure ACK, [P.] data with PSH and ACK set, [F.] FIN/ACK and [R.] RST/ACK

Columns 8, 9, 10 and onwards are fields from the TCP header:

seq is the sequence number; for a segment that carries data it is printed as a range first:next, the sequence numbers of the first byte and of the byte after the last one, so next - first equals length

ack is the acknowledgement number: the next sequence number the sender expects from the peer

win is the advertised receive window as carried in the header (not multiplied by the window scale)

length is the length of the TCP payload in bytes

By default seq and ack are relative to the initial sequence numbers of the connection (which is why the first data segment starts at 1); with -S they are printed as the absolute 32-bit values seen on the wire.
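A small parser for the one-line format just described, driving a SYN-scan check, as an added example written for this page (not part of the original post or of tcpdump). It reads the text tcpdump prints (default timestamp format, TCP lines only; DNS and other non-TCP lines are skipped), splits each line into the columns above, and then counts, per source, how many distinct ports were sent a bare [S] and what came back: [S.] for open, [R.] or [R] for closed, nothing for filtered or dropped. The capture in constructed_sample() is constructed for the example in the same shape as the output above (a scanner at 10.0.0.9 and one legitimate client); the addresses, ports and the script name detect.py are assumptions.

```python
import re
from collections import defaultdict

# One tcpdump TCP summary line (default timestamp format, with or without -n).
# UDP/DNS/ARP lines carry no "Flags [...]" and are skipped by parse_tcp_line.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP6? "
    r"(?P<src>.+?)\.(?P<sport>[^\s.]+) > (?P<dst>.+?)\.(?P<dport>[^\s.:]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, urg \d+)?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)")

def _port(text):
    """Ports are numbers with -n, service names (ssh, http) without it."""
    return int(text) if text.isdigit() else text

def parse_tcp_line(line):
    """Split one TCP line into its columns; None for lines that are not TCP summaries."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    g = m.groupdict()
    seq = int(g["seq"]) if g["seq"] else None
    return {
        "ts": g["ts"], "src": g["src"], "sport": _port(g["sport"]),
        "dst": g["dst"], "dport": _port(g["dport"]), "flags": g["flags"],
        "seq": seq,
        # tcpdump prints first:next for data segments; next - first == length
        "seq_end": int(g["seq_end"]) if g["seq_end"] else seq,
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]) if g["win"] else None,
        "length": int(g["length"]),
    }

def detect_syn_scans(lines, min_ports=10):
    """Report sources that send bare SYNs to many distinct ports.

    Each SYN is remembered by its 4-tuple and classified by the first reply that
    travels the other way: [S.] means open, [R.]/[R] closed, no reply means filtered
    or dropped. A half-open scan shows as one source with many probed ports; a normal
    client touches one or two ports per server."""
    outcome = {}                          # (src, sport, dst, dport) -> open/closed/silent
    for rec in filter(None, map(parse_tcp_line, lines)):
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["flags"] == "S":
            outcome.setdefault(key, "silent")
        elif rec["flags"] in ("S.", "R.", "R"):
            back = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if outcome.get(back) == "silent":
                outcome[back] = "open" if rec["flags"] == "S." else "closed"
    per_src = defaultdict(lambda: {"ports": set(), "open": 0, "closed": 0, "silent": 0})
    for (src, _sport, dst, dport), result in outcome.items():
        per_src[src]["ports"].add((dst, dport))
        per_src[src][result] += 1
    return {src: {"probed": len(s["ports"]), "open": s["open"],
                  "closed": s["closed"], "silent": s["silent"]}
            for src, s in per_src.items() if len(s["ports"]) >= min_ports}

def _line(ts, src, sport, dst, dport, flags, seq=None, ack=None, length=0):
    """Format a line the way tcpdump -n prints it (used only for constructed sample data)."""
    seq_part = f", seq {seq}" if seq is not None else ""
    ack_part = f", ack {ack}" if ack is not None else ""
    return (f"{ts} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}]"
            f"{seq_part}{ack_part}, win 1024, length {length}")

def constructed_sample():
    """Constructed capture: 10.0.0.9 SYN-scans 192.168.2.195 (22 and 80 open, the rest
    answered with RST) while 192.168.2.252 makes one ordinary HTTP request."""
    target, scanner, lines = "192.168.2.195", "10.0.0.9", []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080]):
        sport, t = 40000 + i, f"22:09:41.{i * 1000:06d}"
        lines.append(_line(t, scanner, sport, target, port, "S", 1000 + i))
        reply = "S." if port in (22, 80) else "R."
        lines.append(_line(t, target, port, scanner, sport, reply, 0, 1001 + i))
    client = "192.168.2.252"
    lines += [
        _line("22:09:42.000001", client, 56896, target, 80, "S", 4142713941),
        _line("22:09:42.000115", target, 80, client, 56896, "S.", 2314038867, 4142713942),
        _line("22:09:42.000300", client, 56896, target, 80, ".", None, 2314038868),
        _line("22:09:42.000500", client, 56896, target, 80, "P.",
              "4142713942:4142714345", 2314038868, 403),
    ]
    return lines

if __name__ == "__main__":
    # Live use: tcpdump -n -l -i ens37 tcp | python3 detect.py, feeding sys.stdin
    # to detect_syn_scans instead of the constructed lines used here.
    for src, stats in detect_syn_scans(constructed_sample(), min_ports=5).items():
        print(f"possible SYN scan from {src}: {stats}")
```

For live use pipe tcpdump into it: tcpdump -n -l -i ens37 tcp | python3 detect.py, reading sys.stdin in place of the constructed lines. -n keeps the ports numeric and stops tcpdump performing reverse lookups, and -l makes the pipe line-buffered so lines arrive as they are captured. The same parse is what you reach for when correlating a text capture with other logs during an investigation; for anything heavier, write with -w and read the pcap instead of scraping text.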
