tcpdump Essentials

Most-Used Options

1. tcpdump -D

Show the list of available interfaces

[user@XXX ~]$ sudo tcpdump -D
1.eth1
2.any (Pseudo-device that captures on all interfaces)
3.lo

2. tcpdump -i eth1/any

Listen on interface eth1; -i any listens on every interface at once through the "any" pseudo-device

3. tcpdump -n

Don't resolve hostnames (reverse-DNS lookups slow the capture down and generate traffic of their own)

4. tcpdump -nn

Don't resolve hostnames or port (service) names

5. tcpdump -X

Show each packet's contents in both hex and ASCII, without its link-layer header

[user@XXX ~]$ sudo tcpdump -i eth1 -nX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:57:02.189849 IP 10.180.86.46.36000 > 10.123.127.105.38368: Flags [P.], seq 3278177287:3278177483, ack 601166924, win 135, options [nop,nop,TS val 1063825743 ecr 4081959434], length 196
        0x0000:  4510 00f8 7243 4000 4006 dce6 0ab4 562e  E...rC@.@.....V.
        0x0010:  0a7b 7f69 8ca0 95e0 c365 0407 23d5 144c  .{.i.....e..#..L
        0x0020:  8018 0087 ebb0 0000 0101 080a 3f68 b14f  ............?h.O
        0x0030:  f34d c20a d33b f411 a1db 2992 cd76 7ffb  .M...;....)..v..
        0x0040:  372d d869 0a3f c5bd 8cc0 cb97 95b3 b7bc  7-.i.?..........
        0x0050:  00cb 04e1 fdf6 89b1 285d ab12 03c3 39d6  ........(]....9.
        0x0060:  e084 cd76 120c 2a4e 044e a8a7 a03b 27be  ...v..*N.N...;'.
        0x0070:  6970 11c2 2ffc cce8 32e4 e5ed 5830 36d4  ip../...2...X06.
        0x0080:  b411 f10b 74d9 6efe e297 8f47 ae68 e972  ....t.n....G.h.r
        0x0090:  42be 4deb 042a 485e 0efb 835b 5821 b297  B.M..*H^...[X!..
        0x00a0:  fe88 5da3 6ca3 313a 10f2 2dd6 d8a8 9475  ..].l.1:..-....u
        0x00b0:  e22e d4a5 595a 808a 9ec4 1a16 8ad5 8bde  ....YZ..........
        0x00c0:  32c9 0346 1495 422b 0cac 82ad 6376 ee91  2..F..B+....cv..
        0x00d0:  136b 6113 742d 3390 06f5 9a38 87c3 a65d  .ka.t-3....8...]
        0x00e0:  fa5f 34c8 b3fc 5691 9765 fa3f d874 9bc6  ._4...V..e.?.t..
        0x00f0:  597d 786b 56eb f481                      Y}xkV...

6. tcpdump -XX

Same as -X, but also shows the link-layer (Ethernet) header. On the "any" pseudo-device the link-layer header shown is the Linux cooked-mode header (LINUX_SLL), not an Ethernet header, so byte offsets in the dump differ from the eth1 examples

7. tcpdump -v/-vv/-vvv

Increase verbosity; each extra v adds more protocol detail (TTL, IP ID, total length, checksum verification, options)

8. tcpdump -c

Capture only the given number of packets, then exit

[user@XXX ~]$ sudo tcpdump -i eth1 -nXX -vvv -c 1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:33:38.189787 IP (tos 0x10, ttl 64, id 30734, offset 0, flags [DF], proto TCP (6), length 184)
    10.180.86.46.36000 > 10.123.127.105.38368: Flags [P.], cksum 0xeb70 (incorrect -> 0x871a), seq 3278912063:3278912195, ack 601194076, win 251, options [nop,nop,TS val 1074274743 ecr 4092408220], length 132
        0x0000:  c4ca d9c1 14bf fc48 ef2e 449f 0800 4510  .......H..D...E.
        0x0010:  00b8 780e 4000 4006 d75b 0ab4 562e 0a7b  ..x.@.@..[..V..{
        0x0020:  7f69 8ca0 95e0 c370 3a3f 23d5 7e5c 8018  .i.....p:?#.~\..
        0x0030:  00fb eb70 0000 0101 080a 4008 21b7 f3ed  ...p......@.!...
        0x0040:  319c 06a6 fd7a 641d 598f 35b8 cf1a d833  1....zd.Y.5....3
        0x0050:  748e 95e8 fe52 d034 6390 880b 53b8 bff8  t....R.4c...S...
        0x0060:  e4c1 eaf1 472e b7df c276 bc66 d35e ddea  ....G....v.f.^..
        0x0070:  e3eb 65b3 2258 ca38 1247 7140 804c 99a6  ..e."X.8.Gq@.L..
        0x0080:  2f33 9ae6 5986 3680 0bb3 920d 8ace a115  /3..Y.6.........
        0x0090:  2089 bcef fd87 de0f af5c 3253 0eb0 7cc3  .........\2S..|.
        0x00a0:  97fb 0fb2 4b00 5453 0735 4ee0 7d7e eb5e  ....K.TS.5N.}~.^
        0x00b0:  e9b7 243a 7758 a37e 6a88 41eb 2ec1 0d6e  ..$:wX.~j.A....n
        0x00c0:  6237 d0bf dba4                           b7....
1 packets captured
1 packets received by filter
0 packets dropped by kernel

9. tcpdump icmp

Only get ICMP packets

[user@XXX ~]$ sudo tcpdump -i eth1 -nXX -vvv -c 1 icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:35:13.709213 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.179.225.13 > 10.180.86.46: ICMP echo request, id 21425, seq 6, length 64
        0x0000:  fc48 ef2e 449f c4ca d9c1 14bf 0800 4500  .H..D.........E.
        0x0010:  0054 0000 4000 3d01 f106 0ab3 e10d 0ab4  .T..@.=.........
        0x0020:  562e 0800 49dc 53b1 0006 d13b 4e57 41d6  V...I.S....;NWA.
        0x0030:  0e00 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
        0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
        0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
        0x0060:  3637                                     67
1 packets captured
2 packets received by filter
0 packets dropped by kernel

10. tcpdump -s

Set the snapshot length: how many bytes of each packet are captured. -s 0 means the maximum, so nothing is truncated; use a smaller value only when you deliberately want headers only. tcpdump before 4.0 defaulted to 68 bytes, which is where the -s 0 habit comes from; current versions capture whole packets by default, as the "capture size 65535 bytes" line above shows

11. tcpdump -S

Print absolute TCP sequence numbers instead of the relative ones tcpdump shows by default (relative numbers start at 0 for each connection, which is easier to read but useless when correlating with other tools or a peer's capture)

12. tcpdump -E

Decrypt IPsec ESP payloads, given the key as -E spi@ipaddr algo:secret. A secret passed on the command line is visible to every local user in the process list; the -E "file name" form reads the secrets from a file instead. Requires tcpdump built with cryptography support

Basic Usage

1. Basic communication

tcpdump -nS

2. Basic communication (very verbose)

tcpdump -nnvvS

3. A deeper look at the traffic

tcpdump -nnvvXS

4. Heavy packet viewing

tcpdump -nnvvXSs 1514

Examples

1. host (IP address or hostname; a hostname is resolved once, when the filter is compiled, to the address(es) it has at that moment)

[root@CentOS ~]# tcpdump host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
09:54:39.520870 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 1, length 64
09:54:40.520952 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 2, length 64
09:54:41.523130 IP 10.0.2.15 > 14.215.177.38: ICMP echo request, id 31471, seq 3, length 64
^C
3 packets captured
7 packets received by filter
0 packets dropped by kernel

2. src, dst

# tcpdump src 2.3.4.5 
# tcpdump dst 3.4.5.6

3. net

tcpdump net 1.2.3.0/24

4. proto

tcpdump icmp
tcpdump tcp

5. port

[root@CentOS ~]# tcpdump -i any -nn -vvv -c1 'tcp dst port 8080'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10:00:39.055313 IP (tos 0x0, ttl 64, id 19536, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.15.33857 > 10.14.36.110.8080: Flags [S], cksum 0x3ab9 (incorrect -> 0xef33), seq 791917197, win 29200, options [mss 1460,sackOK,TS val 667025117 ecr 0,nop,wscale 7], length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel

Put the options before the filter expression; tcpdump accepts them interleaved only because GNU getopt permutes arguments. 'tcp dst port 8080' says the same thing as 'tcp port 8080 and dst port 8080'. The "cksum ... (incorrect ...)" here and in the -XX example above is not corruption: with checksum offloading the NIC fills in the checksum after tcpdump has already seen the outgoing packet.

6. Port Ranges

tcpdump portrange 21-23

7. Packet Size Filter

Only see packets whose length (tcpdump's len, the whole frame including the link-layer header) is at or below, or at or above, a given size in bytes. less and greater are inclusive: less 32 is len <= 32 and greater 128 is len >= 128. For a strict comparison write the len expression yourself, and quote it, because an unquoted < or > is a shell redirection (tcpdump > 32 would send the output to a file named 32):

tcpdump less 32
tcpdump greater 128
tcpdump 'len > 32'
tcpdump 'len <= 128'

Read/Write Files

1. Write to a file

tcpdump -s 1514 port 80 -w http.cap

-w writes raw packets in pcap format; nothing is decoded or printed. Read the file back with -r or open it in Wireshark. Capture files contain full payloads, credentials included, so protect them like any other secret.

2. Read from a file

tcpdump -r capture_file

Filter expressions work with -r exactly as on a live interface, and reading a file needs no root privileges.

Logical Combination

1. and or &&

2. or or ||

3. not or !

4. Grouping

Correct

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Incorrect

tcpdump src 10.0.2.4 and (dst port 3389 or 22)

Without quotes the shell treats ( ... ) as a subshell and the parentheses never reach tcpdump. Quote the whole expression whenever it contains ( ) < > ! & or |.

Hacking into bytes

proto[offset] reads a byte relative to the start of that protocol's header, so tcp[13] is the TCP flags byte no matter how long the IP header is. Its bits are CWR=128, ECE=64, URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1.

1. Show me all URGENT (URG) packets

tcpdump 'tcp[13] & 32 != 0'

2. Show me all ACKNOWLEDGE (ACK) packets

tcpdump 'tcp[13] & 16 != 0'

3. Show me all PUSH (PSH) packets

tcpdump 'tcp[13] & 8 != 0'

4. Show me all RESET (RST) packets

tcpdump 'tcp[13] & 4 != 0'

5. Show me all SYNCHRONIZE (SYN) packets

tcpdump 'tcp[13] & 2 != 0'

6. Show me all FINISH (FIN) packets

tcpdump 'tcp[13] & 1 != 0'

7. Show me all SYNCHRONIZE/ACKNOWLEDGE (SYN/ACK) packets

tcpdump 'tcp[13] = 18'

The exact match misses a SYN/ACK whose sender also set ECE or CWR (ECN negotiation); 'tcp[13] & 18 = 18' matches those too. Newer tcpdump also accepts names for the same thing: 'tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)'.

8. IPv6 traffic

tcpdump ip6

9. Packets with both the RST and SYN flags set

tcpdump 'tcp[13] = 6'

10. Traffic with the 'Evil Bit' set

tcpdump 'ip[6] & 128 != 0'

This is the reserved high bit of the IPv4 flags field (RFC 3514's "evil bit"). It must always be zero on the wire, so any match is a crafted packet.
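As an added example (not part of the original article and not tcpdump's own code), the following Python decodes the -XX hex dumps shown earlier in this article back into bytes and evaluates the same byte-offset tests that tcpdump compiles from tcp[13] & ..., tcp[13] = 18, ip[6] & 128 and len, so you can see exactly which bytes each filter inspects. The two dumps are copied from the article's -XX output above (the TCP PSH/ACK segment and the ICMP echo request); the helper names (parse_hexdump, Packet, tcp_flag_set and the others) are this example's own.

```python
"""Decode tcpdump -X/-XX hex dumps and evaluate the article's byte-offset filters
(tcp[13] & mask, tcp[13] = 18, ip[6] & 128, len/less/greater) against the raw bytes.
Added example; not code from the article or from tcpdump."""
import re
from dataclasses import dataclass
from typing import Optional

# Both dumps are copied from the article's `tcpdump -i eth1 -nXX` output, so each
# begins with the 14-byte Ethernet header, followed by the IPv4 header.
TCP_XX = r"""
        0x0000:  c4ca d9c1 14bf fc48 ef2e 449f 0800 4510  .......H..D...E.
        0x0010:  00b8 780e 4000 4006 d75b 0ab4 562e 0a7b  ..x.@.@..[..V..{
        0x0020:  7f69 8ca0 95e0 c370 3a3f 23d5 7e5c 8018  .i.....p:?#.~\..
        0x0030:  00fb eb70 0000 0101 080a 4008 21b7 f3ed  ...p......@.!...
        0x0040:  319c 06a6 fd7a 641d 598f 35b8 cf1a d833  1....zd.Y.5....3
        0x0050:  748e 95e8 fe52 d034 6390 880b 53b8 bff8  t....R.4c...S...
        0x0060:  e4c1 eaf1 472e b7df c276 bc66 d35e ddea  ....G....v.f.^..
        0x0070:  e3eb 65b3 2258 ca38 1247 7140 804c 99a6  ..e."X.8.Gq@.L..
        0x0080:  2f33 9ae6 5986 3680 0bb3 920d 8ace a115  /3..Y.6.........
        0x0090:  2089 bcef fd87 de0f af5c 3253 0eb0 7cc3  .........\2S..|.
        0x00a0:  97fb 0fb2 4b00 5453 0735 4ee0 7d7e eb5e  ....K.TS.5N.}~.^
        0x00b0:  e9b7 243a 7758 a37e 6a88 41eb 2ec1 0d6e  ..$:wX.~j.A....n
        0x00c0:  6237 d0bf dba4                           b7....
"""
ICMP_XX = r"""
        0x0000:  fc48 ef2e 449f c4ca d9c1 14bf 0800 4500  .H..D.........E.
        0x0010:  0054 0000 4000 3d01 f106 0ab3 e10d 0ab4  .T..@.=.........
        0x0020:  562e 0800 49dc 53b1 0006 d13b 4e57 41d6  V...I.S....;NWA.
        0x0030:  0e00 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
        0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
        0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
        0x0060:  3637                                     67
"""
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*\S)\s*$")

def parse_hexdump(text: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump's `0xNNNN:  hhhh hhhh ...  ascii` lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                        # skip summary/header lines
        if int(m.group(1), 16) != len(out):
            raise ValueError("hex dump offsets are not contiguous")
        # hex groups are one space apart; two or more spaces start the ASCII column
        hex_field = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)

@dataclass
class Packet:
    raw: bytes
    link_len: int  # 14 for -XX on Ethernet; 0 for -X, where the dump starts at the IP header

    @property
    def ip(self) -> bytes:                  # what tcpdump's ip[n] indexes into
        return self.raw[self.link_len:]

    @property
    def tcp(self) -> Optional[bytes]:       # what tcpdump's tcp[n] indexes into
        ip = self.ip
        if ip[0] >> 4 != 4 or ip[9] != 6:   # not IPv4, or protocol is not TCP (6)
            return None
        return ip[(ip[0] & 0x0F) * 4:]      # skip IHL*4 bytes, so IP options are handled

    def length(self) -> int:                # tcpdump's `len`: the whole captured frame
        return len(self.raw)

TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32, "ece": 64, "cwr": 128}

def tcp_flag_set(pkt: Packet, name: str) -> bool:
    """'tcp[13] & <bit> != 0', e.g. 'tcp[13] & 2 != 0' for SYN."""
    t = pkt.tcp
    return t is not None and t[13] & TCP_FLAGS[name] != 0

def tcp_flags_exactly(pkt: Packet, value: int) -> bool:
    """'tcp[13] = 18': the whole flags byte must equal value, so a SYN/ACK that
    also carries ECE/CWR (ECN negotiation) does not match."""
    t = pkt.tcp
    return t is not None and t[13] == value

def tcp_flags_include(pkt: Packet, value: int) -> bool:
    """'tcp[13] & 18 = 18': every bit in value must be set; other flags are ignored."""
    t = pkt.tcp
    return t is not None and t[13] & value == value

def tcp_flags_str(pkt: Packet) -> str:
    """The letters tcpdump prints in Flags [...]: F S R P . U E W, lowest bit first."""
    t = pkt.tcp
    return "" if t is None else "".join(c for i, c in enumerate("FSRP.UEW") if t[13] >> i & 1)

def evil_bit(pkt: Packet) -> bool:
    """'ip[6] & 128 != 0': the reserved high bit of the IPv4 flags/fragment-offset field."""
    return pkt.ip[6] & 0x80 != 0

def less(pkt: Packet, n: int) -> bool:      # tcpdump 'less n' means 'len <= n'
    return pkt.length() <= n

def greater(pkt: Packet, n: int) -> bool:   # tcpdump 'greater n' means 'len >= n'
    return pkt.length() >= n
```

Build a packet with Packet(parse_hexdump(TCP_XX), link_len=14) and call the filter functions on it; tcp_flags_str returns "P." for the article's segment, matching its Flags [P.] line, and tcp_flags_exactly(pkt, 18) is False while tcp_flags_include(pkt, 8) is True. For plain -X output (no link-layer header) pass link_len=0. The tcp property skips IHL*4 bytes exactly as BPF does for tcp[n], which is why tcp[13] stays correct when IP options are present.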

Original work: this article is published in the Tencent Cloud+ Community column with the author's authorization; reproduction without permission is prohibited.
