
Troubleshooting System Problems with tcpdump

Original
Author: CoffeeLand
Modified 2020-04-07 11:26:38
Published in the column: CoffeeLand

Table of Contents

  • tcpdump info
  • tcpdump command options
  • Using tcpdump

tcpdump info

tcpdump is a network packet capture tool that ships with Linux; it is very useful for analysing network problems.

tcpdump command options

 -n     Don't convert host addresses to names. This can be used to
        avoid DNS lookups.

 -nn    Don't convert protocol and port numbers etc. to names either. // nothing is converted, i.e. the raw data is kept

 -i     Listen on interface. If unspecified, tcpdump searches the system
        interface list for the lowest numbered, configured up interface
        (excluding loopback), which may turn out to be, for example, ``eth0''.
        // -i selects the network interface; -i any selects all interfaces
        On Linux systems with 2.2 or later kernels, an interface argument
        of ``any'' can be used to capture packets from all interfaces.
        Note that captures on the ``any'' device will not be done in
        promiscuous mode.

        If the -D flag is supported, an interface number as printed by
        that flag can be used as the interface argument.

 // Write the capture to a file; use the .pcap suffix and read it back with -r
 -w     Write the raw packets to file rather than parsing and printing
        them out. They can later be printed with the -r option. Standard
        output is used if file is ``-''.

        This output will be buffered if written to a file or pipe, so a
        program reading from the file or pipe may not see packets for an
        arbitrary amount of time after they are received. Use the -U
        flag to cause packets to be written as soon as they are
        received.

        The MIME type application/vnd.tcpdump.pcap has been registered
        with IANA for pcap files. The filename extension .pcap appears
        to be the most commonly used along with .cap and .dmp. Tcpdump
        itself doesn't check the extension when reading capture files
        and doesn't add an extension when writing them (it uses magic
        numbers in the file header instead). However, many operating
        systems and applications will use the extension if it is present
        and adding one (e.g. .pcap) is recommended.

 // Read a pcap file
 -r     Read packets from file (which was created with the -w option).
        Standard input is used if file is ``-''.

Using tcpdump

Note: tcpdump must be run as root. As a normal user the capture fails:

[xx@mybuildvm ~]$ tcpdump -i any
tcpdump: any: You don't have permission to capture on that device
(socket: Operation not permitted)

// Listen for traffic on all interfaces
# tcpdump -i any

// Listen without converting protocol and port numbers to names
# tcpdump -i any -nn

// Limit the number of captured packets with -c <number>
# tcpdump -i any -nn -c 5

// Filter on a port
# tcpdump -i any -c 5 port 8080

// Filter on a host
# tcpdump -i any host localhost

// Filter on host and port
# tcpdump -i any -nn host localhost and port 8080

// Filter on the host that sends the request (the source)
# tcpdump -i any -nn src localhost and port 8080

// Save the capture to a file with -w
# tcpdump -i any -nn -w test.pcap port 8080
// Read test.pcap back with tcpdump
# tcpdump -nn -r test.pcap
// You can add -A to display the packet contents as ASCII
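As an added example (not code from the original post), the following Python script reads the kind of file that `tcpdump -i any -nn -w test.pcap port 8080` writes and applies the same `port 8080` selection offline, the way `tcpdump -nn -r test.pcap port 8080` does. It assumes a classic pcap file, identified by the magic number in its header as the -w text above describes, carrying Ethernet or Linux "cooked" (-i any) frames; the sample capture is constructed in code, not taken from real traffic.

```python
import socket
import struct

# tcpdump tells a pcap file by this 4-byte magic, not by the .pcap extension; it also gives the byte order
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113   # "-i any" writes Linux SLL frames

def pcap_records(data):
    """Yield (linktype, packet_bytes) for each record of an in-memory pcap file."""
    endian = PCAP_MAGIC[data[:4]]                 # KeyError means: not a pcap file
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    pos = 24                                      # 24-byte global header
    while pos + 16 <= len(data):                  # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        pos += 16
        yield linktype, data[pos:pos + incl_len]
        pos += incl_len

def tcp_endpoints(linktype, pkt):
    """Return (src, sport, dst, dport) for an IPv4/TCP packet, else None."""
    if linktype == LINKTYPE_ETHERNET:             # 14-byte Ethernet header
        ethertype, ip = struct.unpack("!H", pkt[12:14])[0], pkt[14:]
    elif linktype == LINKTYPE_LINUX_SLL:          # 16-byte "cooked" header
        ethertype, ip = struct.unpack("!H", pkt[14:16])[0], pkt[16:]
    else:
        return None
    if ethertype != 0x0800 or len(ip) < 20 or ip[9] != 6:   # only IPv4 carrying TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport

def filter_port(data, port):
    """Same selection as `tcpdump -nn -r file port <port>`, returned as tuples."""
    hits = [tcp_endpoints(lt, pkt) for lt, pkt in pcap_records(data)]
    return [ep for ep in hits if ep and port in (ep[1], ep[3])]

def sample_pcap():
    """Constructed capture (not real traffic): two frames, one involving port 8080."""
    def frame(src, sport, dst, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0)
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp       # zero MACs + EtherType IPv4
    frames = [frame("127.0.0.1", 51000, "127.0.0.1", 8080),
              frame("10.0.0.5", 51001, "10.0.0.9", 443)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:   # per-record header: ts_sec ts_usec incl_len orig_len
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To use it on a real capture, pass the bytes of a file written with `tcpdump -w` to `filter_port`.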

References

https://opensource.com/article/18/10/introduction-tcpdump

If you like this, please follow my column and give it a like. Thanks for your support :)

Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.

If there is any infringement, please contact cloudcommunity@tencent.com for removal.

