How to Use the tcpdump Command with Examples

Tcpdump is a network troubleshooting command, also known as a packet sniffer, that captures and displays packets from the network. It lets users capture and display the TCP/IP and other packets sent and received on the network the computer is attached to. You can search the output in real time by redirecting the captured data to grep, or you can write the data to a file for later retrieval. Apply filters to the packets to avoid unnecessary traffic. Root access is required to run the tcpdump command.

You can capture all data passing over the local network and put it into a file. In that mode nothing is shown on screen in real time; the packets seen on the network are written to the specified file. You can save whole packets or only part of each packet (the headers). You can choose to capture and analyse the traffic on one network interface or on all of them. In this article you will learn how to use the tcpdump command to analyse traffic on a Linux machine.

Contents

  • 1) Analyse traffic on all interfaces
  • 2) List the available interfaces
  • 3) Analyse a specific interface and limit the packets
  • 4) Capture data with IP addresses and ports
  • 5) Intercept packets from a specific port
  • 6) Ignore a specific port when intercepting packets
  • 7) Intercept packets of a specific protocol
  • 8) Log to a specific file
  • 9) Read a tcpdump record file
  • 10) Capture packets with detailed information
  • 11) Capture packets from a remote host
  • 12) Capture packets destined to a remote host
  • 13) Capture incoming and outgoing packets of a specific host
  • 14) Capture packets using a port range
  • Conclusion

1) Analyse traffic on all interfaces

Tcpdump is not installed by default, so it must be installed first.

On Ubuntu 16.04 / 18.04

# apt install tcpdump

On CentOS 7

# yum install tcpdump

If you run tcpdump without any options, it analyses the traffic on all interfaces.

# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:41:25.886307 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435074392:1435074508, a
ck 4135933864, win 381, options [nop,nop,TS val 3387567505 ecr 18335689], length 116
07:41:25.886932 IP li339-47.members.linode.com.49063 > resolver08.dallas.linode.com.domain: 61296+ PTR? 5.7.255.169.in-addr.arpa. (42)
07:41:26.133811 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 0, win 722, options [nop,nop,TS val 18335757 ecr 3387567484], length 0
07:41:26.133851 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 381, options [nop,nop,TS val 3387567753 ecr 18335757], length 116
07:41:26.142929 IP resolver08.dallas.linode.com.domain > li339-47.members.linode.com.49063: 61296 NXDomain 0/0/0 (42)
.....
.....
07:41:26.680521 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 2724:3132, ack 1, win 381, options [nop,nop,TS val 3387568299 ecr 18335894], length 408
^C
17 packets captured
18 packets received by filter
0 packets dropped by kernel

The source is printed as source.port, where source is a host name or an IP address. In the first line you can see that the packet captured at timestamp 07:41:25.886307 is an IP packet originating from the host li339-47.members.linode.com on port ssh; that is why you see li339-47.members.linode.com.ssh. The packet is addressed to 169.255.7.5.44284 and has the ack flag set.

Press Ctrl+C to stop the capture. If you need more information, tcpdump has several options that enrich or modify the output.

  • -i interface : listen on the specified interface.
  • -n : do not resolve host names. Use -nn to resolve neither host names nor port names.
  • -t : do not print a timestamp on each dump line.
  • -X : show the contents of the packet in hex and ASCII.
  • -v, -vv, -vvv : increase the amount of packet information returned.
  • -c N : stop after capturing N packets.
  • -s : define the snapshot length (size) of the capture in bytes. Use -s0 to get everything unless you intentionally want to capture less.
  • -S : print absolute sequence numbers.
  • -q : show less protocol information.
  • -w file : write the raw packets to a file.
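The source.port > destination.port line format described above is easy to parse. The following Python is an added example, not code from the original article: it turns a tcpdump summary line into a record and, as a defender-side check over lines copied from this page's own captures, lists sources that sent bare SYNs to several different ports (the pattern 134.119.220.87 shows in the captures further down). The function names are my own.

```python
import re
from collections import defaultdict

# Matches the one-line TCP summary tcpdump prints (with or without -nn):
#   <timestamp> IP <src>.<port> > <dst>.<port>: Flags [<flags>], ..., length <n>
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],.*length (?P<len>\d+)$"
)

def split_endpoint(endpoint):
    """Split 'host.port' on the last dot; the host itself may contain dots."""
    host, port = endpoint.rsplit(".", 1)
    return host, port

def parse_tcp_line(line):
    """Return a dict for a TCP summary line, or None for other lines (DNS, NTP, ARP ...)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return {"ts": m.group("ts"), "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port,
            "flags": m.group("flags"), "length": int(m.group("len"))}

def syn_scan_candidates(lines, min_ports=3):
    """Sources that sent bare SYNs (Flags [S], no ACK) to at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for line in lines:
        pkt = parse_tcp_line(line)
        if pkt and pkt["flags"] == "S":
            ports_by_src[pkt["src"]].add(pkt["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}

# Constructed sample: lines copied from the captures shown on this page.
SAMPLE = """\
08:57:09.335228 IP 134.119.220.87.45873 > li339-47.members.linode.com.60342: Flags [S], seq 3684168813, win 1024, length 0
08:57:09.335264 IP li339-47.members.linode.com.60342 > 134.119.220.87.45873: Flags [R.], seq 0, ack 3684168814, win 0, length 0
08:57:09.378999 IP 134.119.220.87.45873 > li339-47.members.linode.com.25070: Flags [S], seq 3509221600, win 1024, length 0
11:15:53.784094 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [S], seq 1210911834, win 1024, length 0
11:15:56.327699 IP 134.119.220.87.45873 > 96.126.114.47.18566: Flags [S], seq 3213454109, win 1024, length 0
09:17:09.572425 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435457792:1435457908, ack 4135947356, win 419, options [nop,nop,TS val 3393311191 ecr 19771613], length 116
09:17:09.605048 IP 96.126.114.47.32887 > 204.11.201.10.123: NTPv4, Client, length 48
"""

if __name__ == "__main__":
    for src, ports in syn_scan_candidates(SAMPLE.splitlines()).items():
        print(f"{src} sent bare SYNs to {len(ports)} ports: {', '.join(ports)}")
```

Pipe a live capture through it with tcpdump -i eth0 -nn -l | python3 this_script.py after swapping SAMPLE for sys.stdin; -l makes tcpdump line-buffer its output.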

2) List the available interfaces

You can list the available interfaces with the -D parameter.

# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]

This lets you choose which interface to use.

3) Analyse a specific interface and limit the packets

Now you can decide to analyse the traffic on a specified interface with the -i parameter and limit the number of captured packets with -c.

# tcpdump -i eth0 -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:57:09.186418 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435431156:1435431272, ack 4135945080, win 419, options [nop,nop,TS val 3392110805 ecr 19471515], length 116
08:57:09.186855 IP li339-47.members.linode.com.33326 > resolver08.dallas.linode.com.domain: 9787+ PTR? 5.7.255.169.in-addr.arpa. (42)
08:57:09.335228 IP 134.119.220.87.45873 > li339-47.members.linode.com.60342: Flags [S], seq 3684168813, win 1024, length 0
08:57:09.335264 IP li339-47.members.linode.com.60342 > 134.119.220.87.45873: Flags [R.], seq 0, ack 3684168814, win 0, length 0
08:57:09.378999 IP 134.119.220.87.45873 > li339-47.members.linode.com.25070: Flags [S], seq 3509221600, win 1024, length 0
5 packets captured
13 packets received by filter
0 packets dropped by kernel

4) Capture data with IP addresses and ports

As you can see in the captures above, the source port numbers and IP addresses are not shown. You can get them with -nn.

# tcpdump -i eth0 -c 5 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:17:09.572425 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435457792:1435457908, ack 4135947356, win 419, options [nop,nop,TS val 3393311191 ecr 19771613], length 116
09:17:09.605048 IP 96.126.114.47.32887 > 204.11.201.10.123: NTPv4, Client, length 48
09:17:09.663754 IP 204.11.201.10.123 > 96.126.114.47.32887: NTPv4, Server, length 48
09:17:09.785600 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 0, win 722, options [nop,nop,TS val 19771669 ecr 3393311183], length 0
09:17:09.785646 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:700, ack 1, win 419, options [nop,nop,TS val 3393311404 ecr 19771669], length 584
5 packets captured
5 packets received by filter
0 packets dropped by kernel

5) Intercept packets from a specific port

You can decide to listen only for packets on a specified port number with the port parameter.

# tcpdump -i eth0 -c 5 -nn port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:27:27.773270 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435459900:1435460016, ack 4135948192, win 419, options [nop,nop,TS val 3393929392 ecr 19926162], length 116
09:27:27.773357 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 419, options [nop,nop,TS val 3393929392 ecr 19926162], length 116
09:27:28.032620 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 0, win 722, options [nop,nop,TS val 19926230 ecr 3393929384], length 0
09:27:28.032655 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:648, ack 1, win 419, options [nop,nop,TS val 3393929652 ecr 19926230], length 416
09:27:28.032668 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 116, win 722, options [nop,nop,TS val 19926230 ecr 3393929392], length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

6) Ignore a specific port when intercepting packets

You can decide to ignore a port when intercepting packets. This is the not port parameter.

# tcpdump -i eth0 -c 5 -nn not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:15:53.784094 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [S], seq 1210911834, win 1024, length 0
11:15:53.784139 IP 96.126.114.47.32724 > 134.119.220.87.45873: Flags [R.], seq 0, ack 1210911835, win 0, length 0
11:15:53.910633 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [R], seq 1210911835, win 1200, length 0
11:15:53.911319 IP 134.119.220.87 > 96.126.114.47: ICMP host 134.119.220.87 unreachable - admin prohibited, length 48
11:15:56.327699 IP 134.119.220.87.45873 > 96.126.114.47.18566: Flags [S], seq 3213454109, win 1024, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

7) Intercept packets of a specific protocol

You can decide to capture only icmp or only tcp packets.

# tcpdump -i eth0 -c 5 -nn tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:49:33.371487 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435550388:1435550504, ack 4135954104, win 438, options [nop,nop,TS val 3395254990 ecr 20257561], length 116
09:49:33.371612 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 438, options [nop,nop,TS val 3395254990 ecr 20257561], length 116
09:49:33.371788 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:452, ack 1, win 438, options [nop,nop,TS val 3395254991 ecr 20257561], length 220
09:49:33.371956 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 452:648, ack 1, win 438, options [nop,nop,TS val 3395254991 ecr 20257561], length 196
09:49:33.631626 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 116, win 722, options [nop,nop,TS val 20257629 ecr 3395254981], length 0
5 packets captured
7 packets received by filter
0 packets dropped by kernel

You can replace tcp with icmp.

8) Log to a specific file

The captured packets can be saved to a file. By default, when capturing packets to a file, only 68 bytes of data are stored per packet; the rest is discarded. You can use -s to tell tcpdump how many bytes of each packet to save, and if you specify a snapshot length of 0, tcpdump saves the whole packet.

# tcpdump -i eth0 -c 5 -nn tcp -w packets-record.cap -s 0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
5 packets received by filter
0 packets dropped by kernel

9) Read a tcpdump record file

The contents of a file saved by tcpdump cannot be read with common commands such as cat or less; you need to use the -r parameter of the tcpdump command.

# tcpdump -r packets-record.cap 
reading from file packets-record.cap, link-type EN10MB (Ethernet)
10:06:25.310077 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435573932:1435573976, ack 4135958592, win 457, options [nop,nop,TS val 3396266929 ecr 20510549], length 44
10:06:25.565590 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 0, win 722, options [nop,nop,TS val 20510616 ecr 3396266919], length 0
10:06:25.565633 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 44:160, ack 1, win 457, options [nop,nop,TS val 3396267184 ecr 20510616], length 116
10:06:25.570384 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 44, win 722, options [nop,nop,TS val 20510617 ecr 3396266929], length 0
10:06:25.827438 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 160, win 722, options [nop,nop,TS val 20510681 ecr 3396267184], length 0

10) Capture packets with detailed information

You can inspect the network in more depth. Combine options to filter exactly what you need.

# tcpdump -i eth0 -c 5 -ttttnnvvS
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 10:32:36.073756 IP (tos 0x10, ttl 64, id 14601, offset 0, flags [DF], proto TCP (6), length 96)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x8404 (incorrect -> 0x570b), seq 1435611412:1435611456, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 44
2018-04-10 10:32:36.073896 IP (tos 0x10, ttl 64, id 14602, offset 0, flags [DF], proto TCP (6), length 168)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x844c (incorrect -> 0x14ec), seq 1435611456:1435611572, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 116
2018-04-10 10:32:36.074118 IP (tos 0x10, ttl 64, id 14603, offset 0, flags [DF], proto TCP (6), length 200)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x846c (incorrect -> 0x52d8), seq 1435611572:1435611720, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 148
2018-04-10 10:32:36.083469 IP (tos 0x8, ttl 53, id 26190, offset 0, flags [none], proto ICMP (1), length 68)
    134.119.220.87 > 96.126.114.47: ICMP host 134.119.220.87 unreachable - admin prohibited, length 48
        IP (tos 0x28, ttl 48, id 23212, offset 0, flags [DF], proto TCP (6), length 40)
    96.126.114.47.47317 > 134.119.220.87.45873: Flags [R.], cksum 0x5362 (correct), seq 0, ack 96384300, win 0, length 0
2018-04-10 10:32:36.084338 IP (tos 0x0, ttl 244, id 32726, offset 0, flags [none], proto TCP (6), length 40)
    134.119.220.87.45873 > 96.126.114.47.47317: Flags [R], cksum 0x4ec2 (correct), seq 96384300, win 1200, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

11) Capture packets from a remote host

To show only packets coming from a specific IP, use the src parameter.

# tcpdump -i eth0 -c 5 -ttttnnvvS src host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:27:28.498964 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:28:08.614258 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:28:53.621982 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:29:33.511165 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:30:13.837251 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Here you can see only the packets sent by that host.

12) Capture packets destined to a remote host

You can show only packets with a specific destination. For example, you can view the packets whose destination is the router.

# tcpdump -i eth0 -c 5 -ttttnnvvS dst host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:34:15.107495 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:35:00.547492 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:35:47.907837 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:36:12.867576 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:36:39.534063 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Here you can see only the packets addressed to that host.

13) Capture incoming and outgoing packets of a specific host

In the two commands above, src and dst were used to capture the incoming and the outgoing packets of a specific host at two different times. You can do both at once with a single command using the host parameter.

# tcpdump -i eth0 -c 5 -ttttnnvvS host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:37:49.720992 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:37:49.725683 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:38:14.894130 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:38:14.900008 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:38:39.854051 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Now you can see both the request and the reply packets.

14) Capture packets using a port range

You can also capture network traffic on a range of ports.

# tcpdump -i eth0 -c 3 -nns 0 portrange 20-23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:59:45.996312 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435738516:1435738632, ack 4136021820, win 875, options [nop,nop,TS val 3403067615 ecr 22210718], length 116
11:59:45.996512 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 875, options [nop,nop,TS val 3403067615 ecr 22210718], length 116
11:59:45.996728 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:452, ack 1, win 875, options [nop,nop,TS val 3403067616 ecr 22210718], length 220
3 packets captured
5 packets received by filter
0 packets dropped by kernel
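The filter primitives shown in sections 5 to 7 and 11 to 14 can be combined in one expression with and. The following Python helper is an added example, not code from the article: it assembles such an expression and the full tcpdump argument list for a numeric, full-snaplen capture written to a file as in section 8, accepting only literal addresses and numeric ports so that a value taken from user input cannot append extra filter clauses. build_filter and capture_argv are names chosen here.

```python
import ipaddress

def _port(p):
    # Accept only integers in the TCP/UDP port range.
    p = int(p)
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return str(p)

def _host(h):
    # Only a literal IPv4/IPv6 address is accepted, so a caller cannot smuggle
    # extra filter keywords (e.g. "or port 22") in through the host field.
    return str(ipaddress.ip_address(h))

def build_filter(proto=None, host=None, src=None, dst=None, port=None, not_port=None, portrange=None):
    """Assemble a BPF filter expression from the primitives this page demonstrates."""
    terms = []
    if proto:
        if proto not in ("tcp", "udp", "icmp", "arp"):
            raise ValueError(f"unsupported protocol: {proto}")
        terms.append(proto)
    for keyword, value in (("host", host), ("src host", src), ("dst host", dst)):
        if value:
            terms.append(f"{keyword} {_host(value)}")
    for keyword, value in (("port", port), ("not port", not_port)):
        if value is not None:
            terms.append(f"{keyword} {_port(value)}")
    if portrange:
        lo, hi = (_port(p) for p in portrange)
        if int(lo) > int(hi):
            raise ValueError("portrange low end must not exceed high end")
        terms.append(f"portrange {lo}-{hi}")
    return " and ".join(terms)

def capture_argv(iface, count, outfile=None, **filter_kwargs):
    """argv for a numeric (-nn), full-snaplen (-s 0) capture of count packets, optionally written with -w."""
    if count <= 0:
        raise ValueError("count must be positive")
    argv = ["tcpdump", "-i", iface, "-nn", "-s", "0", "-c", str(count)]
    if outfile:
        argv += ["-w", outfile]
    expr = build_filter(**filter_kwargs)
    if expr:
        argv += expr.split()  # each filter token is its own argv element; no shell is involved
    return argv

if __name__ == "__main__":
    # Running this needs root: subprocess.run(argv, check=True)
    print(" ".join(capture_argv("eth0", 3, outfile="packets-record.cap", proto="tcp", not_port=22, portrange=(20, 23))))
```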

Conclusion

Tcpdump offers several options for filtering which traffic packets are captured. Although packet sniffers are useful diagnostic tools, they can also be misused. For example, someone could run a packet sniffer to capture passwords that other people send over the network. Depending on your network configuration, this works even if neither the sending nor the receiving computer is running a packet sniffer. For this reason many organisations have policies that prohibit the use of packet sniffers in certain circumstances.
