
Linux packet capture: notes on the common scenarios

Everyone knows the capture command: tcpdump. The main purpose of capturing packets is to test whether a port or a network protocol is reachable, and then to analyse and test the captured packets. Packet capture is nothing new to the Linux veterans; networking is not my strong point at all, so I am just recording here the capture usages I commonly need at work.

# Capture every packet the host sees, from any direction (with no -i, tcpdump picks the first configured non-loopback interface, here eth0)

[root@host Log]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:37:02.100344 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (202), id: 0xa4 length: 345
11:37:02.100352 IP 133.38.7.145.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (137), id: 0x9b length: 33

# Capture packets on one local interface only; -i selects the interface, here eth0

[root@host Log]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:03:12.238556 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (177), id: 0x49 length: 480
10:03:12.238559 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (93), id: 0x27 length: 524

# Listen for packets on a local port: interface eth0, port 1812 (-s 0 captures whole packets instead of truncating them at the default snaplen)

[root@host Log]# tcpdump -i eth0 -s 0 port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:46:41.940333 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (130), id: 0x14 length: 606
11:46:41.940333 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (160), id: 0xe4 length: 33
11:46:41.940894 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (131), id: 0x14 length: 606

# ICMP packets (a ping from another host to this machine); `host x.x.x.x` matches packets with that address as either source or destination, so both the request and the reply show up

[root@host Log]# tcpdump host 133.37.22.84
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:49:12.200801 IP 133.37.22.84 > 133.37.22.83: ICMP echo request, id 18010, seq 1, length 64
11:49:12.200954 IP 133.37.22.83 > 133.37.22.84: ICMP echo reply, id 18010, seq 1, length 64

# Capture only packets coming from a given host: src host x.x.x.x

[root@host Log]# tcpdump -i eth0 src host 133.38.7.144
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:06.768507 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (134), id: 0x22 length: 602
12:00:06.769007 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (135), id: 0x22 length: 344
12:00:06.769400 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (136), id: 0x22 length: 288

# Save the capture to a file: write the packets captured on port 1812 to b.cap with -w xxx.cap (the file can later be opened in Wireshark or read back with tcpdump -r)

[root@host Log]# tcpdump -i eth0 -s 0 port 1812 -w b.cap

Capture-file analysis tool: Wireshark. Decoding the various captured messages requires deeper protocol knowledge; I will share a post on the RADIUS message decoding rules later.
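A first-pass triage that needs no Wireshark is to summarise tcpdump's text output by source host, so you can see who is sending what to the RADIUS port before decoding individual messages. The script below is an added example, not part of the original post; it parses the same line format shown in the captures above. The sample lines in `SAMPLE_CAPTURE` are constructed for the demo (modelled on the output above), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise tcpdump text output
# per source host and protocol. Works on the line format tcpdump prints by
# default, e.g.
#   HH:MM:SS.usec IP src.port > dst.port: PROTO, ... length: N
#   HH:MM:SS.usec IP src > dst: ICMP echo request, ..., length N

# Constructed sample, modelled on the captures above (not a real recording).
SAMPLE_CAPTURE='11:46:41.940333 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (130), id: 0x14 length: 606
11:46:41.940333 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (160), id: 0xe4 length: 33
11:46:41.940894 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (131), id: 0x14 length: 606
11:49:12.200801 IP 133.37.22.84 > 133.37.22.83: ICMP echo request, id 18010, seq 1, length 64
11:49:12.200954 IP 133.37.22.83 > 133.37.22.84: ICMP echo reply, id 18010, seq 1, length 64'

# summarize_by_source: read tcpdump lines on stdin, print one line per
# "source protocol": "<src-ip> <proto> <packets> <bytes>", sorted by source.
# For UDP/TCP the source field is "a.b.c.d.port" (five dot-separated parts),
# for ICMP it is the bare "a.b.c.d", so the port is stripped only when five
# parts are present.
summarize_by_source() {
  awk '
    $2 == "IP" && $4 == ">" {
      src = $3
      n = split(src, p, ".")
      if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
      proto = $6               # first word after the destination, e.g. "RADIUS," or "ICMP"
      sub(/,$/, "", proto)     # drop the trailing comma tcpdump prints after the protocol name
      len = $NF                # the packet length is always the last field
      key = src SUBSEP proto
      pk[key]++
      by[key] += len
    }
    END {
      for (k in pk) {
        split(k, kk, SUBSEP)
        printf "%s %s %d %d\n", kk[1], kk[2], pk[k], by[k]
      }
    }' | sort
}

# flag_sources_over BYTES: read a summary (as printed above) on stdin and
# print the source addresses whose byte total exceeds BYTES. Useful as a
# quick "who is the top talker on port 1812" check during triage.
flag_sources_over() {
  awk -v limit="$1" '$4 > limit { print $1 }'
}

# Stand-alone demo run on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_by_source
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_by_source | flag_sources_over 100
```

On a live box the same functions take the output of a real capture or of a saved file, for example `tcpdump -nn -i eth0 port 1812 | summarize_by_source` or `tcpdump -nn -r b.cap | summarize_by_source` (`-nn` keeps addresses and ports numeric so the parser sees `133.37.22.83.1812` rather than `...radius`). Because the summary key is source plus protocol, an unexpected protocol or an unknown source showing up against the RADIUS server stands out immediately.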