tcpdump Must-Know Essentials

Most-Used Options

1. tcpdump -D

Show the list of available interfaces

[user@XXX ~]$ sudo tcpdump -D
1.eth1
2.any (Pseudo-device that captures on all interfaces)
3.lo

2. tcpdump -i eth1/any

Listen on the eth1/any interface

3. tcpdump -n

Don't resolve hostnames. Besides being faster, this keeps tcpdump from sending a reverse DNS query for every address it prints, which would both slow the capture and announce to the DNS server which hosts you are looking at.

4. tcpdump -nn

Don't resolve hostnames or port names (ports are printed as numbers instead of names like "http")

5. tcpdump -X

Show the packet’s contents in both hex and ASCII

[user@XXX ~]$ sudo tcpdump -i eth1 -nX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:57:02.189849 IP 10.180.86.46.36000 > 10.123.127.105.38368: Flags [P.], seq 3278177287:3278177483, ack 601166924, win 135, options [nop,nop,TS val 1063825743 ecr 4081959434], length 196
        0x0000:  4510 00f8 7243 4000 4006 dce6 0ab4 562e  E...rC@.@.....V.
        0x0010:  0a7b 7f69 8ca0 95e0 c365 0407 23d5 144c  .{.i.....e..#..L
        0x0020:  8018 0087 ebb0 0000 0101 080a 3f68 b14f  ............?h.O
        0x0030:  f34d c20a d33b f411 a1db 2992 cd76 7ffb  .M...;....)..v..
        0x0040:  372d d869 0a3f c5bd 8cc0 cb97 95b3 b7bc  7-.i.?..........
        0x0050:  00cb 04e1 fdf6 89b1 285d ab12 03c3 39d6  ........(]....9.
        0x0060:  e084 cd76 120c 2a4e 044e a8a7 a03b 27be  ...v..*N.N...;'.
        0x0070:  6970 11c2 2ffc cce8 32e4 e5ed 5830 36d4  ip../...2...X06.
        0x0080:  b411 f10b 74d9 6efe e297 8f47 ae68 e972  ....t.n....G.h.r
        0x0090:  42be 4deb 042a 485e 0efb 835b 5821 b297  B.M..*H^...[X!..
        0x00a0:  fe88 5da3 6ca3 313a 10f2 2dd6 d8a8 9475  ..].l.1:..-....u
        0x00b0:  e22e d4a5 595a 808a 9ec4 1a16 8ad5 8bde  ....YZ..........
        0x00c0:  32c9 0346 1495 422b 0cac 82ad 6376 ee91  2..F..B+....cv..
        0x00d0:  136b 6113 742d 3390 06f5 9a38 87c3 a65d  .ka.t-3....8...]
        0x00e0:  fa5f 34c8 b3fc 5691 9765 fa3f d874 9bc6  ._4...V..e.?.t..
        0x00f0:  597d 786b 56eb f481                      Y}xkV...

6. tcpdump -XX

Same as -X, but also shows the ethernet header

7. tcpdump -v/-vv/-vvv

Increase the amount of packet information you get back

8. tcpdump -c

Capture only the given number of packets, then exit (handy together with -vvv or -X so you are not flooded). In the sample below, "cksum 0xeb70 (incorrect -> 0x871a)" on this outbound segment is a TCP checksum offload artifact, not corruption: tcpdump gets its copy of the packet before the NIC fills in the checksum.

[user@XXX ~]$ sudo tcpdump -i eth1 -nXX -vvv -c 1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:33:38.189787 IP (tos 0x10, ttl 64, id 30734, offset 0, flags [DF], proto TCP (6), length 184)
    10.180.86.46.36000 > 10.123.127.105.38368: Flags [P.], cksum 0xeb70 (incorrect -> 0x871a), seq 3278912063:3278912195, ack 601194076, win 251, options [nop,nop,TS val 1074274743 ecr 4092408220], length 132
        0x0000:  c4ca d9c1 14bf fc48 ef2e 449f 0800 4510  .......H..D...E.
        0x0010:  00b8 780e 4000 4006 d75b 0ab4 562e 0a7b  ..x.@.@..[..V..{
        0x0020:  7f69 8ca0 95e0 c370 3a3f 23d5 7e5c 8018  .i.....p:?#.~\..
        0x0030:  00fb eb70 0000 0101 080a 4008 21b7 f3ed  ...p......@.!...
        0x0040:  319c 06a6 fd7a 641d 598f 35b8 cf1a d833  1....zd.Y.5....3
        0x0050:  748e 95e8 fe52 d034 6390 880b 53b8 bff8  t....R.4c...S...
        0x0060:  e4c1 eaf1 472e b7df c276 bc66 d35e ddea  ....G....v.f.^..
        0x0070:  e3eb 65b3 2258 ca38 1247 7140 804c 99a6  ..e."X.8.Gq@.L..
        0x0080:  2f33 9ae6 5986 3680 0bb3 920d 8ace a115  /3..Y.6.........
        0x0090:  2089 bcef fd87 de0f af5c 3253 0eb0 7cc3  .........\2S..|.
        0x00a0:  97fb 0fb2 4b00 5453 0735 4ee0 7d7e eb5e  ....K.TS.5N.}~.^
        0x00b0:  e9b7 243a 7758 a37e 6a88 41eb 2ec1 0d6e  ..$:wX.~j.A....n
        0x00c0:  6237 d0bf dba4                           b7....
1 packets captured
1 packets received by filter
0 packets dropped by kernel

9. tcpdump icmp

Only get ICMP packets

[user@XXX ~]$ sudo tcpdump -i eth1 -nXX -vvv -c 1 icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:35:13.709213 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.179.225.13 > 10.180.86.46: ICMP echo request, id 21425, seq 6, length 64
        0x0000:  fc48 ef2e 449f c4ca d9c1 14bf 0800 4500  .H..D.........E.
        0x0010:  0054 0000 4000 3d01 f106 0ab3 e10d 0ab4  .T..@.=.........
        0x0020:  562e 0800 49dc 53b1 0006 d13b 4e57 41d6  V...I.S....;NWA.
        0x0030:  0e00 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
        0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
        0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
        0x0060:  3637                                     67
1 packets captured
2 packets received by filter
0 packets dropped by kernel

10. tcpdump -s

Set the snaplen, the number of bytes kept per packet. -s0 means "everything": old tcpdump versions defaulted to 68 bytes and silently truncated payloads, while current versions already default to a full-packet snaplen (the sessions on this page show "capture size 65535 bytes"). Capture less only on purpose, for example a short snaplen to keep headers but not payload data you have no business storing.

11. tcpdump -S

Print absolute TCP sequence numbers. By default tcpdump prints relative numbers, counted from the first packet it saw on the connection, which cannot be matched against another capture or a host-side log.

12. tcpdump -E

Decrypt IPsec ESP payloads, given the SA as spi@ipaddr algo:secret. tcpdump must be built with libcrypto for this to work, and a secret passed on the command line is visible to every local user in the process list and in your shell history.

Basic Usage

1. Basic communication

tcpdump -nS

2. Basic communication (very verbose)

tcpdump -nnvvS

3. A deeper look at the traffic

tcpdump -nnvvXS

4. Heavy packet viewing

tcpdump -nnvvXSs 1514

Examples

1. host (IP or hostname; a hostname is resolved once, when the filter is compiled)

[root@CentOS ~]# tcpdump host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
09:54:39.520870 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 1, length 64
09:54:40.520952 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 2, length 64
09:54:41.523130 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 3, length 64
^C
3 packets captured
7 packets received by filter
0 packets dropped by kernel

2. src, dst

# tcpdump src 2.3.4.5 
# tcpdump dst 3.4.5.6

3. net

tcpdump net 1.2.3.0/24

5. proto

tcpdump icmp
tcpdump tcp

6. port

[root@CentOS ~]# tcpdump -i any tcp port 8080 -c1 -vvv and dst port 8080 -nn
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10:00:39.055313 IP (tos 0x0, ttl 64, id 19536, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.15.33857 > 10.14.36.110.8080: Flags [S], cksum 0x3ab9 (incorrect -> 0xef33), seq 791917197, win 29200, options [mss 1460,sackOK,TS val 667025117 ecr 0,nop,wscale 7], length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel

This command only works because GNU getopt lets options (-c1 -vvv -nn) appear after the filter expression; tcpdump then reads the filter as "tcp port 8080 and dst port 8080". On a platform with a strict getopt the trailing options become part of the filter and fail to parse, so put the options first and quote the filter:

tcpdump -i any -nn -vvv -c1 'tcp port 8080 and dst port 8080'

7. Port Ranges

tcpdump portrange 21-23

8. Packet Size Filter

Only see packets below or above a certain size (in bytes). "less N" is shorthand for "len <= N" and "greater N" for "len >= N", so both bounds are inclusive. A bare comparison must be quoted, otherwise the shell treats < and > as redirections:

tcpdump less 32
tcpdump greater 128
tcpdump 'len > 32'
tcpdump 'len <= 128'
RW File

1. Write to a file

tcpdump -s 1514 port 80 -w http.cap

-w writes raw pcap, not the text you see on screen, so -v and -X do not change the file; -n still matters because it stops DNS lookups during the capture.

2. Read from a file

tcpdump -r capture_file

Display options and filter expressions apply to -r exactly as to a live capture, so capture once with -w and re-filter offline as often as you like.

Logical Combination

1. and or &&

2. or or ||

3. not or !

4. Grouping

Correct

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Incorrect

tcpdump src 10.0.2.4 and (dst port 3389 or 22)

The second form fails because the shell, not tcpdump, interprets the parentheses; quote the whole expression whenever it contains ( ), !, <, > or &. Inside the group, "dst port 3389 or 22" means "dst port 3389 or dst port 22": a bare value inherits the qualifiers of the term before it.

Hacking into bytes

These filters index raw header bytes. tcp[13] is the TCP flag byte (CWR 128, ECE 64, URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1) and ip[6] is the byte holding the IP flags. Note the difference between "& mask != 0" (the flag is set, whatever else is set) and "= value" (exactly those flags and no others). The tcp[...] form only works for IPv4; for IPv6 the transport header cannot be located this way.

1. Show me all URGENT (URG) packets

tcpdump 'tcp[13] & 32!=0'

2. Show me all ACKNOWLEDGE (ACK) packets

tcpdump 'tcp[13] & 16!=0'

3. Show me all PUSH (PSH) packets

tcpdump 'tcp[13] & 8!=0'

4. Show me all RESET (RST) packets

tcpdump 'tcp[13] & 4!=0'

5. Show me all SYNCHRONIZE (SYN) packets

tcpdump 'tcp[13] & 2!=0'

6. Show me all FINISH (FIN) packets

tcpdump 'tcp[13] & 1!=0'

7. Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets

tcpdump 'tcp[13]=18'

8. IPv6 traffic

tcpdump ip6

9. Packets with both the RST and SYN flags set (a combination no legitimate stack sends)

tcpdump 'tcp[13] = 6'

10. Traffic with the 'Evil Bit' Set (the reserved high bit of the IP flags field, RFC 3514; real traffic should never set it)

tcpdump 'ip[6] & 128 != 0'

Current tcpdump versions also accept symbolic names for the same tests, e.g. 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'; the numeric form above works everywhere.
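To see what the tcp[13] and ip[6] filters above actually test, and to connect them to the -XX hex dump shown earlier, here is an added example that is not part of the original post: a Python script that rebuilds the raw bytes from the 198-byte outbound TCP frame printed in the "-nXX -vvv -c 1" section (copied verbatim as constructed sample input), decodes it with the same offsets BPF uses, evaluates each filter from this page against it, and recomputes the TCP checksum to show why tcpdump flagged the stored one as incorrect. Function and dictionary names are my own.

```python
"""Decode a tcpdump -XX hex dump offline and evaluate byte-offset filters on it."""
import re
import struct

# Constructed input: the outbound TCP frame from this page's "-nXX -vvv -c 1"
# example (14-byte Ethernet + 184-byte IPv4 = 198 bytes).
SAMPLE_HEXDUMP = r"""
0x0000:  c4ca d9c1 14bf fc48 ef2e 449f 0800 4510  .......H..D...E.
0x0010:  00b8 780e 4000 4006 d75b 0ab4 562e 0a7b  ..x.@.@..[..V..{
0x0020:  7f69 8ca0 95e0 c370 3a3f 23d5 7e5c 8018  .i.....p:?#.~\..
0x0030:  00fb eb70 0000 0101 080a 4008 21b7 f3ed  ...p......@.!...
0x0040:  319c 06a6 fd7a 641d 598f 35b8 cf1a d833  1....zd.Y.5....3
0x0050:  748e 95e8 fe52 d034 6390 880b 53b8 bff8  t....R.4c...S...
0x0060:  e4c1 eaf1 472e b7df c276 bc66 d35e ddea  ....G....v.f.^..
0x0070:  e3eb 65b3 2258 ca38 1247 7140 804c 99a6  ..e."X.8.Gq@.L..
0x0080:  2f33 9ae6 5986 3680 0bb3 920d 8ace a115  /3..Y.6.........
0x0090:  2089 bcef fd87 de0f af5c 3253 0eb0 7cc3  .........\2S..|.
0x00a0:  97fb 0fb2 4b00 5453 0735 4ee0 7d7e eb5e  ....K.TS.5N.}~.^
0x00b0:  e9b7 243a 7758 a37e 6a88 41eb 2ec1 0d6e  ..$:wX.~j.A....n
0x00c0:  6237 d0bf dba4                           b7....
"""

# The page's filters, keyed by the expression you would hand to tcpdump.
# tcp[13] bits, high to low: CWR ECE URG ACK PSH RST SYN FIN.
FILTERS = {
    "tcp[13] & 32 != 0": lambda p: p["tcp13"] & 32 != 0,   # URG
    "tcp[13] & 16 != 0": lambda p: p["tcp13"] & 16 != 0,   # ACK
    "tcp[13] & 8 != 0": lambda p: p["tcp13"] & 8 != 0,     # PSH
    "tcp[13] & 4 != 0": lambda p: p["tcp13"] & 4 != 0,     # RST
    "tcp[13] & 2 != 0": lambda p: p["tcp13"] & 2 != 0,     # SYN
    "tcp[13] & 1 != 0": lambda p: p["tcp13"] & 1 != 0,     # FIN
    "tcp[13] = 18": lambda p: p["tcp13"] == 18,            # exactly SYN+ACK
    "tcp[13] = 6": lambda p: p["tcp13"] == 6,              # exactly RST+SYN
    "ip[6] & 128 != 0": lambda p: p["ip6"] & 128 != 0,     # RFC 3514 evil bit
}


def parse_hexdump(text):
    """Turn -X/-XX lines ("0x0010:  00b8 780e ...  ascii") back into bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue                      # summary line or blank line
        # offset, hex groups and the ASCII column are separated by 2+ spaces
        raw += bytes.fromhex(re.split(r"\s{2,}", line, maxsplit=2)[1])
    return bytes(raw)


def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP. In a filter, ip[n] is relative to the IP
    header and tcp[n] to the TCP header, which BPF locates via the IP IHL."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = 14                                # -XX output starts at the Ethernet header
    ihl = (frame[ip] & 0x0F) * 4
    total_len, = struct.unpack("!H", frame[ip + 2:ip + 4])
    tcp = ip + ihl
    sport, dport, seq, ack = struct.unpack("!HHII", frame[tcp:tcp + 12])
    data_off = (frame[tcp + 12] >> 4) * 4
    win, cksum = struct.unpack("!HH", frame[tcp + 14:tcp + 18])
    return {
        "eth_src": frame[6:12].hex(":"),
        "src": ".".join(map(str, frame[ip + 12:ip + 16])),
        "dst": ".".join(map(str, frame[ip + 16:ip + 20])),
        "ttl": frame[ip + 8], "ip6": frame[ip + 6],        # ip[6]: IP flags byte
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp13": frame[tcp + 13], "win": win, "cksum": cksum,
        "payload_len": total_len - ihl - data_off, "tcp_off": tcp,
    }


def matching_filters(frame):
    """Every page filter that would select this frame."""
    p = decode_frame(frame)
    return [expr for expr, test in FILTERS.items() if test(p)]


def with_tcp_flags(frame, flags):
    """Copy of the frame with tcp[13] overwritten, to try other flag mixes."""
    patched = bytearray(frame)
    patched[decode_frame(frame)["tcp_off"] + 13] = flags
    return bytes(patched)


def tcp_checksum(frame):
    """Recompute the TCP checksum (pseudo-header + segment, RFC 793). With
    checksum offload the kernel hands tcpdump the outbound copy before the NIC
    fills the field in, which is why -vvv printed "(incorrect -> ...)"."""
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len, = struct.unpack("!H", frame[ip + 2:ip + 4])
    seg = bytearray(frame[ip + ihl:ip + total_len])
    seg[16:18] = b"\x00\x00"               # the checksum field itself counts as zero
    data = frame[ip + 12:ip + 20] + struct.pack("!BBH", 0, 6, len(seg)) + seg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


if __name__ == "__main__":
    frame = parse_hexdump(SAMPLE_HEXDUMP)
    info = decode_frame(frame)
    print("%(src)s.%(sport)d > %(dst)s.%(dport)d flags=0x%(tcp13)02x len=%(payload_len)d" % info)
    print("matching filters:", matching_filters(frame))
    print("stored cksum 0x%04x, recomputed 0x%04x" % (info["cksum"], tcp_checksum(frame)))
```

Run it and the decoded fields line up with tcpdump's own summary line for that packet (ports 36000 > 38368, Flags [P.], win 251, length 132); only the ACK and PSH filters match, while patching the flag byte to 0x12 makes the SYN, ACK and "= 18" filters match instead. The recomputed checksum differs from the stored 0xeb70, the same discrepancy tcpdump reported.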

Original-work statement: the author authorized publication of this article on Cloud+ Community (云+社区); it may not be reproduced without permission.
