
tcpdump Essentials

Original

Author: 雷大亨

Published 2017-12-07 14:47:34

Column: 遊俠扎彪

Options Used Most

1. tcpdump -D

Show the list of available interfaces

[user@XXX ~]$ sudo tcpdump -D
1.eth1
2.any (Pseudo-device that captures on all interfaces)
3.lo

2. tcpdump -i eth1/any

Capture on the eth1 interface, or on any, the pseudo-device that captures on all interfaces. Captures on any use the LINUX_SLL ("Linux cooked") link type (see the port example below), so -e/-XX show a cooked pseudo-header instead of the real Ethernet header

3. tcpdump -n

Don’t resolve hostnames

4. tcpdump -nn

Don’t resolve hostnames or port names

5. tcpdump -X

Show the packet’s contents in both hex and ASCII

[user@XXX ~]$ sudo tcpdump -i eth1 -nX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:57:02.189849 IP 10.180.86.46.36000 > 10.123.127.105.38368: Flags [P.], seq 3278177287:3278177483, ack 601166924, win 135, options [nop,nop,TS val 1063825743 ecr 4081959434], length 196
        0x0000:  4510 00f8 7243 4000 4006 dce6 0ab4 562e  E...rC@.@.....V.
        0x0010:  0a7b 7f69 8ca0 95e0 c365 0407 23d5 144c  .{.i.....e..#..L
        0x0020:  8018 0087 ebb0 0000 0101 080a 3f68 b14f  ............?h.O
        0x0030:  f34d c20a d33b f411 a1db 2992 cd76 7ffb  .M...;....)..v..
        0x0040:  372d d869 0a3f c5bd 8cc0 cb97 95b3 b7bc  7-.i.?..........
        0x0050:  00cb 04e1 fdf6 89b1 285d ab12 03c3 39d6  ........(]....9.
        0x0060:  e084 cd76 120c 2a4e 044e a8a7 a03b 27be  ...v..*N.N...;'.
        0x0070:  6970 11c2 2ffc cce8 32e4 e5ed 5830 36d4  ip../...2...X06.
        0x0080:  b411 f10b 74d9 6efe e297 8f47 ae68 e972  ....t.n....G.h.r
        0x0090:  42be 4deb 042a 485e 0efb 835b 5821 b297  B.M..*H^...[X!..
        0x00a0:  fe88 5da3 6ca3 313a 10f2 2dd6 d8a8 9475  ..].l.1:..-....u
        0x00b0:  e22e d4a5 595a 808a 9ec4 1a16 8ad5 8bde  ....YZ..........
        0x00c0:  32c9 0346 1495 422b 0cac 82ad 6376 ee91  2..F..B+....cv..
        0x00d0:  136b 6113 742d 3390 06f5 9a38 87c3 a65d  .ka.t-3....8...]
        0x00e0:  fa5f 34c8 b3fc 5691 9765 fa3f d874 9bc6  ._4...V..e.?.t..
        0x00f0:  597d 786b 56eb f481                      Y}xkV...

6. tcpdump -XX

Same as -X, but also shows the ethernet header

7. tcpdump -v/-vv/-vvv

Increase the amount of packet information you get back

8. tcpdump -c

Capture x packets and then exit (the -c 1 below stops after a single packet)

[user@XXX ~]$ sudo tcpdump -i eth1 -nXX -vvv -c 1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:33:38.189787 IP (tos 0x10, ttl 64, id 30734, offset 0, flags [DF], proto TCP (6), length 184)
    10.180.86.46.36000 > 10.123.127.105.38368: Flags [P.], cksum 0xeb70 (incorrect -> 0x871a), seq 3278912063:3278912195, ack 601194076, win 251, options [nop,nop,TS val 1074274743 ecr 4092408220], length 132
        0x0000:  c4ca d9c1 14bf fc48 ef2e 449f 0800 4510  .......H..D...E.
        0x0010:  00b8 780e 4000 4006 d75b 0ab4 562e 0a7b  ..x.@.@..[..V..{
        0x0020:  7f69 8ca0 95e0 c370 3a3f 23d5 7e5c 8018  .i.....p:?#.~\..
        0x0030:  00fb eb70 0000 0101 080a 4008 21b7 f3ed  ...p......@.!...
        0x0040:  319c 06a6 fd7a 641d 598f 35b8 cf1a d833  1....zd.Y.5....3
        0x0050:  748e 95e8 fe52 d034 6390 880b 53b8 bff8  t....R.4c...S...
        0x0060:  e4c1 eaf1 472e b7df c276 bc66 d35e ddea  ....G....v.f.^..
        0x0070:  e3eb 65b3 2258 ca38 1247 7140 804c 99a6  ..e."X.8.Gq@.L..
        0x0080:  2f33 9ae6 5986 3680 0bb3 920d 8ace a115  /3..Y.6.........
        0x0090:  2089 bcef fd87 de0f af5c 3253 0eb0 7cc3  .........\2S..|.
        0x00a0:  97fb 0fb2 4b00 5453 0735 4ee0 7d7e eb5e  ....K.TS.5N.}~.^
        0x00b0:  e9b7 243a 7758 a37e 6a88 41eb 2ec1 0d6e  ..$:wX.~j.A....n
        0x00c0:  6237 d0bf dba4                           b7....
1 packets captured
1 packets received by filter
0 packets dropped by kernel

"cksum 0xeb70 (incorrect -> 0x871a)" on an outgoing segment is almost always TCP checksum offload, not corruption: the kernel hands the packet to the NIC with the checksum field unfilled and the NIC computes it after tcpdump has already copied the frame. Inbound packets, and captures taken on another host, show correct checksums. Pass -K (do not verify checksums) to silence the warning rather than chasing it.

9. tcpdump icmp

Only get ICMP packets

[user@XXX ~]$ sudo tcpdump -i eth1 -nXX -vvv -c 1 icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:35:13.709213 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.179.225.13 > 10.180.86.46: ICMP echo request, id 21425, seq 6, length 64
        0x0000:  fc48 ef2e 449f c4ca d9c1 14bf 0800 4500  .H..D.........E.
        0x0010:  0054 0000 4000 3d01 f106 0ab3 e10d 0ab4  .T..@.=.........
        0x0020:  562e 0800 49dc 53b1 0006 d13b 4e57 41d6  V...I.S....;NWA.
        0x0030:  0e00 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
        0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
        0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
        0x0060:  3637                                     67
1 packets captured
2 packets received by filter
0 packets dropped by kernel

10. tcpdump -s

Define the snaplength (snaplen), the number of bytes of each packet to keep. Older tcpdump releases defaulted to 68 bytes (enough for headers, not payload), which is why -s0 or -s 1514 is the habitual advice; current releases default to 65535 or 262144 bytes (the captures above report "capture size 65535 bytes") and treat -s0 as that maximum. Use -s0 to get everything unless you are intentionally capturing less, for example to keep payloads out of a capture file you will share
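
The following is an added example (not from the original article or from tcpdump itself) showing what -w writes and what -s discards: it packs the 198-byte frame from the -XX dump above into a libpcap file at the old default snaplen of 68 bytes, at 96, at 1514 and at -s0, reads each file back and reports how much TCP payload survived. Assumptions, marked in the code: the file layout follows the classic libpcap format (24-byte global header, 16-byte per-record header, written little-endian), -s0 is mapped to 262144 bytes as current tcpdump does, and timestamps are zeroed because nothing here depends on them.

```python
"""What `tcpdump -w` puts on disk, and what `-s` cuts off.
Added example, not part of the original article. The frame is the PSH/ACK
segment from the -XX dump above; the file layout is the classic libpcap
format (assumption: little-endian, microsecond timestamps)."""
import io
import struct

# The frame from the hex dump above; bytes.fromhex() ignores whitespace.
FRAME = bytes.fromhex("""
c4ca d9c1 14bf fc48 ef2e 449f 0800 4510
00b8 780e 4000 4006 d75b 0ab4 562e 0a7b
7f69 8ca0 95e0 c370 3a3f 23d5 7e5c 8018
00fb eb70 0000 0101 080a 4008 21b7 f3ed
319c 06a6 fd7a 641d 598f 35b8 cf1a d833
748e 95e8 fe52 d034 6390 880b 53b8 bff8
e4c1 eaf1 472e b7df c276 bc66 d35e ddea
e3eb 65b3 2258 ca38 1247 7140 804c 99a6
2f33 9ae6 5986 3680 0bb3 920d 8ace a115
2089 bcef fd87 de0f af5c 3253 0eb0 7cc3
97fb 0fb2 4b00 5453 0735 4ee0 7d7e eb5e
e9b7 243a 7758 a37e 6a88 41eb 2ec1 0d6e
6237 d0bf dba4
""")

PCAP_MAGIC = 0xa1b2c3d4   # microsecond-timestamp pcap magic, written little-endian below
DLT_EN10MB = 1            # Ethernet, what tcpdump reports as "link-type EN10MB"
DEFAULT_SNAPLEN = 262144  # assumption: what current tcpdump uses by default and for -s0

def write_pcap(frames, snaplen=DEFAULT_SNAPLEN, ts=(0, 0)):
    """Return a pcap file holding `frames`, each truncated to `snaplen` bytes the
    way tcpdump -s does; `ts` is the (sec, usec) timestamp stored for every record."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_EN10MB))
    for frame in frames:
        kept = frame[:snaplen]
        # incl_len is what was captured, orig_len what was on the wire
        out.write(struct.pack("<IIII", ts[0], ts[1], len(kept), len(frame)))
        out.write(kept)
    return out.getvalue()

def read_pcap(data):
    """Parse a little-endian pcap file into (snaplen, linktype, records), each
    record being (incl_len, orig_len, frame). incl_len < orig_len means the
    packet was cut short by the capture's snaplen."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (big-endian or nanosecond file?)")
    pos, records = 24, []
    while pos < len(data):
        _sec, _usec, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        records.append((incl, orig, data[pos:pos + incl]))
        pos += incl
    return snaplen, linktype, records

def tcp_payload(frame):
    """(payload bytes present in the frame, payload bytes the IP header says existed)
    for an Ethernet/IPv4/TCP frame that may have been truncated after its headers."""
    ihl = (frame[14] & 0x0f) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    doff = (frame[14 + ihl + 12] >> 4) * 4
    return max(0, len(frame) - 14 - ihl - doff), total_len - ihl - doff

def snaplen_report(frame, snaplens=(68, 96, 1514, 0)):
    """Capture `frame` at each snaplen (0 meaning everything, as -s0) and return
    {snaplen: (incl_len, orig_len, payload_kept, payload_total)} as read back from file."""
    report = {}
    for s in snaplens:
        data = write_pcap([frame], snaplen=s or DEFAULT_SNAPLEN)
        incl, orig, kept = read_pcap(data)[2][0]
        report[s] = (incl, orig) + tcp_payload(kept)
    return report

if __name__ == "__main__":
    for s, (incl, orig, kept, total) in snaplen_report(FRAME).items():
        print(f"-s {s:<6} incl_len={incl:3} orig_len={orig}  TCP payload {kept}/{total} bytes")
```

A file written this way is what tcpdump -r (or Wireshark, which flags truncated records) reads back; the orig_len/incl_len pair is how a reader can tell that a 68-byte capture of this segment kept its headers but only 2 of the 132 payload bytes.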

11. tcpdump -S

Print absolute TCP sequence numbers instead of the relative ones tcpdump shows by default (relative numbers restart at 0 for each connection, which makes them useless for correlating with a capture taken on the other host)

12. tcpdump -E

Decrypt IPsec ESP traffic, given the SPI, destination address, algorithm and key, as -E 'spi@dst algo:secret' (the supported algorithms and key formats are listed in the man page). The secret is visible on the command line, and therefore in ps output to other users, which the man page itself warns about; use -E only on a trusted host

Basic Usage

1. Basic communication

tcpdump -nS

2. Basic communication (very verbose)

tcpdump -nnvvS

3. A deeper look at the traffic

tcpdump -nnvvXS

4. Heavy packet viewing

tcpdump -nnvvXSs 1514

Examples

1. host (IP address or hostname)

[root@CentOS ~]# tcpdump host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
09:54:39.520870 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 1, length 64
09:54:40.520952 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 2, length 64
09:54:41.523130 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 3, length 64
^C
3 packets captured
7 packets received by filter
0 packets dropped by kernel

A hostname in a filter is resolved once, when tcpdump compiles the expression, and the filter then matches only the addresses DNS returned at that moment (here the ping went to 14.215.177.38). For a name with several A records, or for anything you will rely on in an investigation, filter on the IP address instead.

2. src, dst

# tcpdump src 2.3.4.5 
# tcpdump dst 3.4.5.6

3. net

tcpdump net 1.2.3.0/24

4. proto

tcpdump icmp
tcpdump tcp

5. port

[root@CentOS ~]# tcpdump -i any tcp port 8080 -c1 -vvv and dst port 8080 -nn
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10:00:39.055313 IP (tos 0x0, ttl 64, id 19536, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.15.33857 > 10.14.36.110.8080: Flags [S], cksum 0x3ab9 (incorrect -> 0xef33), seq 791917197, win 29200, options [mss 1460,sackOK,TS val 667025117 ecr 0,nop,wscale 7], length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel

This command line only works because GNU getopt on Linux pulls the options (-c1, -vvv, -nn) out from between the filter words; the expression tcpdump actually compiles is "tcp port 8080 and dst port 8080", which is the same as "tcp and dst port 8080". The portable form puts the options first and quotes the expression: tcpdump -i any -nn -vvv -c1 'tcp and dst port 8080'.

6. Port Ranges

tcpdump portrange 21-23

7. Packet Size Filter

Only see packets below or above a certain size (in bytes). less N is shorthand for len <= N and greater N for len >= N; a bare comparison must use the len keyword and must be quoted, otherwise the shell treats > and < as redirections (an unquoted tcpdump > 32 silently writes tcpdump's output to a file named 32).

tcpdump less 32
tcpdump greater 128
tcpdump 'len > 32'
tcpdump 'len <= 128'

RW File

1. Write to a file

tcpdump -s 1514 port 80 -w http.cap

-w stores the raw packets in pcap format (binary, not the text decode), so pair it with -s 1514 or -s0 as here to keep whole packets; read the file back with -r or open it in Wireshark. As with the port example above, an option placed after the filter only works thanks to GNU getopt; tcpdump -s 1514 -w http.cap port 80 is the portable order.

2. Read from a file

tcpdump -r capture_file

Logical Combination

1. and or &&
2. or or ||
3. not or !
4. Grouping

Correct

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Incorrect

tcpdump src 10.0.2.4 and (dst port 3389 or 22)

The unquoted form fails because the shell, not tcpdump, parses the parentheses (and would likewise swallow &&, || and !); single-quote any filter that uses grouping or the symbolic operators. Inside the group, dst port 3389 or 22 means dst port 3389 or dst port 22, because the qualifiers carry over to the next bare value.

Hacking into bytes

tcp[13] is the flags byte of the TCP header (FIN 1, SYN 2, RST 4, PSH 8, ACK 16, URG 32, ECE 64, CWR 128), so anding it with a bit value tests one flag; ip[6] is the first byte of the IP flags/fragment-offset field, whose top bit is the reserved "evil bit" of RFC 3514. Offsets count from the start of that protocol's header.

1. Show me all URGENT (URG) packets

tcpdump 'tcp[13] & 32!=0'

2. Show me all ACKNOWLEDGE (ACK) packets

tcpdump 'tcp[13] & 16!=0'

3. Show me all PUSH (PSH) packets

tcpdump 'tcp[13] & 8!=0'

4. Show me all RESET (RST) packets

tcpdump 'tcp[13] & 4!=0'

5. Show me all SYNCHRONIZE (SYN) packets

tcpdump 'tcp[13] & 2!=0'

6. Show me all FINISH (FIN) packets

tcpdump 'tcp[13] & 1!=0'

7. Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets

tcpdump 'tcp[13]=18'

8. IPv6 traffic

tcpdump ip6

9. Packets with both the RST and SYN flags set

tcpdump 'tcp[13] = 6'

10. Traffic with the 'Evil Bit' Set

tcpdump 'ip[6] & 128 != 0'

Examples 7 and 9 compare the whole byte, so they match only packets with exactly those flags: a SYN/ACK that also carries ECE (ECN negotiation, tcp[13] = 82) is missed by tcp[13]=18. To match "both bits set, whatever else is set" use the mask form, tcp[13] & 18 = 18 and tcp[13] & 6 = 6. Recent tcpdump versions also accept the named constants: tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack).
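
As an added example (not code from the original article or from the tcpdump project), the script below re-parses the -XX hex dump shown earlier for the PSH/ACK segment, decodes the Ethernet, IPv4 and TCP headers, recomputes both checksums to show where tcpdump's "(incorrect -> ...)" annotation comes from, and evaluates each of the byte-offset filters above against that packet the way tcpdump's filter engine would. Its only input is the dump copied from this page; the filter evaluator is a deliberately small subset of pcap-filter syntax (single-byte `proto[n] & mask op value` tests) written for this example, not tcpdump's compiler.

```python
"""Re-parse a tcpdump -XX hex dump and evaluate byte-offset filters on it.
Added example, not part of the original article: the packet is the PSH/ACK
segment tcpdump printed above, the rest is standard library only."""
import re
import struct

# Copied verbatim from the `tcpdump -i eth1 -nXX -vvv -c 1` output above
# (198 bytes: 14-byte Ethernet header + 184-byte IPv4 datagram).
HEXDUMP = r"""
        0x0000:  c4ca d9c1 14bf fc48 ef2e 449f 0800 4510  .......H..D...E.
        0x0010:  00b8 780e 4000 4006 d75b 0ab4 562e 0a7b  ..x.@.@..[..V..{
        0x0020:  7f69 8ca0 95e0 c370 3a3f 23d5 7e5c 8018  .i.....p:?#.~\..
        0x0030:  00fb eb70 0000 0101 080a 4008 21b7 f3ed  ...p......@.!...
        0x0040:  319c 06a6 fd7a 641d 598f 35b8 cf1a d833  1....zd.Y.5....3
        0x0050:  748e 95e8 fe52 d034 6390 880b 53b8 bff8  t....R.4c...S...
        0x0060:  e4c1 eaf1 472e b7df c276 bc66 d35e ddea  ....G....v.f.^..
        0x0070:  e3eb 65b3 2258 ca38 1247 7140 804c 99a6  ..e."X.8.Gq@.L..
        0x0080:  2f33 9ae6 5986 3680 0bb3 920d 8ace a115  /3..Y.6.........
        0x0090:  2089 bcef fd87 de0f af5c 3253 0eb0 7cc3  .........\2S..|.
        0x00a0:  97fb 0fb2 4b00 5453 0735 4ee0 7d7e eb5e  ....K.TS.5N.}~.^
        0x00b0:  e9b7 243a 7758 a37e 6a88 41eb 2ec1 0d6e  ..$:wX.~j.A....n
        0x00c0:  6237 d0bf dba4                           b7....
"""
# One dump line: offset, then 2-byte hex groups; the ASCII column is never matched.
HEXLINE = re.compile(r"\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})", re.I)

def parse_hexdump(text):
    """Rebuild raw packet bytes from tcpdump -x/-X/-XX output. Offsets must be
    contiguous, so a line lost while copying from a terminal raises an error
    instead of silently shifting every header that follows."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXLINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"hex dump gap at offset {len(out):#06x}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

def inet_sum(data):
    """RFC 1071 ones'-complement sum; a header or segment verifies when it is 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total

FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128}

def decode(frame):
    """Decode Ethernet/IPv4/TCP headers into the fields tcpdump prints, plus the
    checksum verdicts behind its "cksum ... (incorrect -> ...)" annotation."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0f) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "id": struct.unpack("!H", ip[4:6])[0], "proto": ip[9],
            "ip_len": total_len, "ip_cksum_ok": inet_sum(ip[:ihl]) == 0xffff}
    if ip[9] == 6:  # TCP
        tcp = ip[ihl:total_len]
        info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
        info["flags"] = [n for n, b in FLAG_BITS.items() if tcp[13] & b]
        info["tcp_cksum"] = struct.unpack("!H", tcp[16:18])[0]
        # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length.
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        info["tcp_cksum_ok"] = inet_sum(pseudo + tcp) == 0xffff
        # Value the field should hold: complement of the sum taken with the field zeroed.
        info["tcp_cksum_expected"] = 0xffff ^ inet_sum(pseudo + tcp[:16] + b"\0\0" + tcp[18:])
    return info

FILTER = re.compile(r"^\s*(ip|tcp)\[(\d+)\]\s*(?:&\s*(\d+))?\s*(!=|==|=)\s*(\d+)\s*$")

def match_filter(frame, expr):
    """Evaluate one pcap-filter byte test such as 'tcp[13] & 2 != 0'. Only the
    single-byte `proto[n] [& mask] (=|!=) value` form used in the article is
    handled; offsets count from the start of that protocol's header, as in tcpdump."""
    m = FILTER.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, off, mask, op, val = m.groups()
    ip = frame[14:]
    if proto == "tcp":
        if ip[9] != 6:
            return False  # a tcp[...] test never matches a non-TCP packet
        hdr = ip[(ip[0] & 0x0f) * 4:]
    else:
        hdr = ip
    byte = hdr[int(off)] & (int(mask) if mask else 0xff)
    return byte != int(val) if op == "!=" else byte == int(val)

if __name__ == "__main__":
    pkt = parse_hexdump(HEXDUMP)
    print(decode(pkt))  # fields as tcpdump prints them, plus checksum verdicts
    for expr in ["tcp[13] & 32!=0", "tcp[13] & 16!=0", "tcp[13] & 8!=0", "tcp[13] & 4!=0",
                 "tcp[13] & 2!=0", "tcp[13] & 1!=0", "tcp[13]=18", "tcp[13] = 6", "ip[6] & 128 != 0"]:
        print(f"{expr:20} -> {match_filter(pkt, expr)}")
```

Run it and compare the recomputed TCP checksum with the value tcpdump printed after "->": it differs from the stored field because the outgoing segment was copied to tcpdump before the NIC filled the checksum in (checksum offload), which is also why the IP header checksum, computed by the kernel before the packet reaches the driver, verifies while the TCP one does not. The same parser accepts any -x/-X/-XX dump pasted from a ticket or a chat, which is often all an incident responder gets.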

Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.

For infringement concerns, contact cloudcommunity@tencent.com for removal.
