Using the tcpdump packet capture tool
阿新 • Published: 2020-09-12
Installation
yum -y install tcpdump
Basic usage
#Capture traffic on interface eth0
# tcpdump -i eth0 -nnv
#Capture only 100 packets, then exit
# tcpdump -i eth0 -nnv -c 100
#Write the captured packets to a file
# tcpdump -i eth0 -nnv -w /file1.tcpdump
#Read the file back
# tcpdump -nnv -r /file1.tcpdump
Note: -nn turns off name resolution for hosts and ports (so the capture host does not issue DNS lookups for every address it sees) and -v makes the output more verbose. The file written with -w is binary pcap data, not text, so it cannot be read with cat or a text editor; read it back with tcpdump -r, or download it and open it in a packet analyzer such as Wireshark.
Filter conditions: port, host, net
# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv port 22
# tcpdump -i eth0 -nnv port 80
# tcpdump -i eth0 -nnv net 192.168.0.0/24
# tcpdump -i eth0 -nnv host 192.168.0.15
# tcpdump -i eth0 -nnv dst port 22
# tcpdump -i eth0 -nnv src port 22
Note: port, host and net match either direction (source or destination) unless qualified with src or dst.
Protocol as a condition
# tcpdump -i eth0 -nnv arp
# tcpdump -i eth0 -nnv icmp
# tcpdump -i eth0 -nnv udp    #UDP only
# tcpdump -i eth0 -nnv tcp    #TCP only; this shows the three-way handshake and the four-way teardown
# tcpdump -i eth0 -nnv ip     #IPv4 only
# tcpdump -i eth0 -nnv vrrp   #VRRP, the protocol keepalived uses
Multiple conditions: and, or, not
# tcpdump -i eth0 -nnv not net 192.168.0.0/24
# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv host 192.168.0.15 and port 22
# tcpdump -i eth0 -nnv host 192.168.0.15 and host 192.168.0.33
# tcpdump -i eth0 -nnv host 192.168.0.15 or host 192.168.0.33
# tcpdump -i eth0 -nnv \( host 192.168.0.15 and port 22 \) or \( host 192.168.0.33 and port 80 \)
# tcpdump -i eth0 -nnv host 192.168.0.110 and port 22 or port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and \( port 22 or port 80 \)
# tcpdump -i eth0 -nnv host 192.168.0.110 and port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and ! port 80
Note: and binds tighter than or, so host 192.168.0.110 and port 22 or port 80 means (host 192.168.0.110 and port 22) or port 80, which also captures port 80 traffic from every other host. Use parentheses when you mean host 192.168.0.110 and (port 22 or port 80), and escape them (or quote the whole expression) so the shell does not interpret them. ! is the same as not.
The TCP header contains an 8-bit flags field, bit 7 down to bit 0:
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
That field is byte 13 of the TCP header, so tcp[13] in a filter expression addresses it directly (see man tcpdump and pcap-filter(7)).
#Condition: TCP packets with only the SYN flag set (the first packet of a handshake)
# tcpdump -i eth0 -nnv 'tcp[13]==2'

  |C|E|U|A|P|R|S|F|
  |0 0 0 0 0 0 1 0|   = 2
  |7 6 5 4 3 2 1 0|   (bit number)

#Save every SSH connection attempt to a file; -w goes before the filter expression
# tcpdump -i eth0 -nnv -w ssh-conn.tcpdump 'tcp[13]==2 and port 22'

#Condition: TCP packets with exactly SYN and ACK set (the server's reply in the handshake)
# tcpdump -i eth0 -nnv 'tcp[13]==18'

  |C|E|U|A|P|R|S|F|
  |0 0 0 1 0 0 1 0|   = 16 + 2 = 18
  |7 6 5 4 3 2 1 0|

#Condition: TCP packets with exactly FIN and ACK set (connection teardown)
# tcpdump -i eth0 -nnv 'tcp[13]==17'

  |C|E|U|A|P|R|S|F|
  |0 0 0 1 0 0 0 1|   = 16 + 1 = 17
  |7 6 5 4 3 2 1 0|

Note: quote the expression, because [ and ] are glob characters to the shell. == compares the whole byte, so tcp[13]==2 does not match a SYN that also carries the ECN bits (ECE/CWR). To test only the bits you care about, mask them: tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn matches any packet with SYN set and ACK clear, whatever the other flags are.
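The script below is an added example, not code from the original post. It builds a handful of constructed packets (an SSH handshake and teardown from 192.168.0.110, one HTTP segment from 192.168.0.33, one DNS datagram), writes them to a pcap file of the kind -w produces, reads the file back the way tcpdump -r does, and evaluates the flag filters tcp[13]==2 / 18 / 17 together with the two precedence variants from the multi-condition section above. The pcap layout and byte offsets are the real ones; the packet contents, addresses and ports are made up for the example, and the filter evaluator is a deliberately small stand-in for tcpdump's own BPF compiler, not its implementation.

```python
"""Added example: build a tiny pcap of constructed packets, read it back the way
tcpdump -r does, and evaluate filters equivalent to the page's expressions."""
import os
import socket
import struct
import tempfile

# Bit values of byte 13 of the TCP header, high bit first (CWR .. FIN).
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def flags_byte(*names):
    """The value tcp[13]==N compares against, e.g. flags_byte("SYN", "ACK") == 18."""
    return sum(TCP_FLAGS[n] for n in names)


def build_frame(src, dst, sport, dport, flags=(), proto="tcp"):
    """Ethernet + IPv4 + TCP/UDP header, no payload (constructed sample; checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zeroed MACs, EtherType IPv4
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4,   # data offset 5 words
                         flags_byte(*flags), 8192, 0, 0)
        ipproto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
        ipproto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ipproto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def write_pcap(path, frames):
    """Classic pcap layout: 24-byte global header, then a 16-byte record header per packet."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1600000000 + i, 0, len(fr), len(fr)))
            f.write(fr)


def read_pcap(path):
    """Yield raw frames from a pcap file; the magic number tells us the byte order."""
    with open(path, "rb") as f:
        magic = struct.unpack("<I", f.read(24)[:4])[0]
        end = "<" if magic == 0xA1B2C3D4 else ">"
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            _, _, caplen, _ = struct.unpack(end + "IIII", rec)
            yield f.read(caplen)


def decode(frame):
    """Pull out just what the page's filters look at: addresses, ports, protocol, tcp[13]."""
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]                                   # tcp[13] is offset 13 from here
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "proto": proto,
            "tcp13": l4[13] if proto == 6 else None}


def host(p, ip):
    """tcpdump 'host X': matches either direction."""
    return ip in (p["src"], p["dst"])


def port(p, n):
    """tcpdump 'port N': matches either direction, TCP or UDP."""
    return n in (p["sport"], p["dport"])


# Constructed traffic: SSH handshake and teardown from .110, HTTP from .33, DNS from .110.
SAMPLE = [
    build_frame("192.168.0.110", "192.168.0.15", 40000, 22, ("SYN",)),
    build_frame("192.168.0.15", "192.168.0.110", 22, 40000, ("SYN", "ACK")),
    build_frame("192.168.0.110", "192.168.0.15", 40000, 22, ("FIN", "ACK")),
    build_frame("192.168.0.33", "192.168.0.15", 50000, 80, ("PSH", "ACK")),
    build_frame("192.168.0.110", "192.168.0.15", 51000, 53, proto="udp"),
]

FILTERS = {
    "tcp[13]==2":  lambda p: p["tcp13"] == flags_byte("SYN"),
    "tcp[13]==18": lambda p: p["tcp13"] == flags_byte("SYN", "ACK"),
    "tcp[13]==17": lambda p: p["tcp13"] == flags_byte("FIN", "ACK"),
    # 'and' binds tighter than 'or': the unparenthesised form is (host and port 22) or port 80
    "host 192.168.0.110 and port 22 or port 80":
        lambda p: (host(p, "192.168.0.110") and port(p, 22)) or port(p, 80),
    "host 192.168.0.110 and (port 22 or port 80)":
        lambda p: host(p, "192.168.0.110") and (port(p, 22) or port(p, 80)),
}


def run_filters(path=None):
    """Write SAMPLE to a pcap, read it back, return {filter: [matching packet indexes]}."""
    path = path or os.path.join(tempfile.mkdtemp(), "file1.tcpdump")
    write_pcap(path, SAMPLE)
    pkts = [decode(fr) for fr in read_pcap(path)]
    return {name: [i for i, p in enumerate(pkts) if f(p)] for name, f in FILTERS.items()}


if __name__ == "__main__":
    for name, hits in run_filters().items():
        print(f"{name:48s} -> packets {hits}")
```

The file the script writes is a valid pcap, so if tcpdump is installed you can check the same expressions against the real parser with tcpdump -nn -r on it. Packet 3 (port 80 from 192.168.0.33) is the one that separates the two precedence variants: the unparenthesised filter takes it, the parenthesised one does not.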