
12 Common Tcpdump Commands Explained: Capturing Packets by IP and Port

In an earlier article we covered some Netstat commands (now superseded by the ss command) for monitoring and managing Linux networking. Today we turn to another long-running packet-sniffing tool, Tcpdump, and walk through a number of useful commands with practical examples.

Tcpdump is one of the most powerful and widely used command-line packet sniffers (packet analyzers). It captures or filters the TCP/IP packets received or transmitted over the network on a specific interface, is readily available on Linux/Unix-based operating systems, and offers the valuable option of saving captured packets to a file for later analysis.

Tcpdump saves captures in pcap format, and a pcap file can be read back either with the tcpdump command itself or with Wireshark, the open-source GUI network protocol analyzer.


Installing Tcpdump on Linux

Many Linux distributions ship Tcpdump already; if it is missing on your system, install it with whichever of the following commands fits your distribution.

$ sudo apt install tcpdump            [Debian, Ubuntu and Mint]
$ sudo yum install tcpdump            [RHEL/CentOS/Fedora/Rocky/AlmaLinux]
$ sudo emerge -a sys-apps/tcpdump     [Gentoo Linux]
$ sudo apk add tcpdump                [Alpine Linux]
$ sudo pacman -S tcpdump              [Arch Linux]
$ sudo zypper install tcpdump         [OpenSUSE]

Getting Started with Tcpdump Command Examples

Once Tcpdump is installed on your system, you can work through the following commands and their typical examples.

1. Capture packets from a specific interface

The output keeps scrolling until you interrupt it. Run on its own, tcpdump captures from all interfaces; with the -i parameter it captures only from the interface you name.

[root@ecscoupon ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:30:29.137616 IP 579.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net.https > ecscoupon.com198.12.80.139.59505: Flags [.], ack 2719286496, win 82, options [nop,nop,TS val 2962911689 ecr 1324125128], length 0
23:30:29.153971 ARP, Request who-has 172-245-8-67-host.colocrossing.com tell 172-245-8-1-host.colocrossing.com, length 46
23:30:29.158354 IP ecscoupon.com198.12.80.139.58425 > dns.google.domain: 28328+ PTR? 155.179.67.68.in-addr.arpa. (44)
23:30:29.158563 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 3044214138:3044214346, ack 2069913363, win 501, length 208
23:30:29.174742 IP dns.google.domain > ecscoupon.com198.12.80.139.58425: 28328 1/0/0 PTR 579.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net. (105)
23:30:29.175403 IP ecscoupon.com198.12.80.139.51192 > dns.google.domain: 24174+ PTR? 67.8.245.172.in-addr.arpa. (43)

2. Capture only N packets

By default tcpdump keeps capturing on the given interface until you cancel it. With the -c option it stops after the specified number of packets; the example below, run with -c 5, captures just 5 packets, as the trailing summary lines confirm.

[root@ecscoupon ~]# tcpdump -c 5 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:33:26.968020 ARP, Request who-has 23-94-24-46-host.colocrossing.com tell 23-94-24-1-host.colocrossing.com, length 46
23:33:26.988149 IP ecscoupon.com198.12.80.139.40052 > dns.google.domain: 57563+ PTR? 46.24.94.23.in-addr.arpa. (42)
23:33:26.988350 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 3044249338:3044249546, ack 2069913715, win 501, length 208
23:33:27.003233 STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.28:c0:da:42:b3:81.8209, length 43
23:33:27.009336 IP dns.google.domain > ecscoupon.com198.12.80.139.40052: 57563 1/0/0 PTR 23-94-24-46-host.colocrossing.com. (89)
5 packets captured
43 packets received by filter
0 packets dropped by kernel

3. Print captured packets in ASCII

Tcpdump with the -A option, as below, prints the contents of each packet as ASCII text.

[root@ecscoupon ~]# tcpdump -A -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:35:01.552474 ARP, Request who-has 23-94-24-30-host.colocrossing.com tell 23-94-24-1-host.colocrossing.com, length 46
........(..B...^.........^....................
23:35:01.553400 ARP, Request who-has 23-95-10-243-host.colocrossing.com tell 23-95-10-1-host.colocrossing.com, length 46
........(..B..._
........_
...................
23:35:01.555491 ARP, Request who-has 192-227-131-167-host.colocrossing.com tell 192-227-131-1-host.colocrossing.com, length 46
........(..B..................................
23:35:01.557295 ARP, Request who-has 107-175-46-173-host.colocrossing.com tell 107-175-46-1-host.colocrossing.com, length 46
........(..B..k.........k.....................

4. Display available interfaces

To list the interfaces available on the system, run tcpdump with the -D option.

[root@ecscoupon ~]# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.any (Pseudo-device that captures on all interfaces)
6.lo [Loopback]

5. Display captured packets in hex and ASCII

The -XX option prints the data of each packet, including its link-layer header, in both hex and ASCII:

[root@ecscoupon ~]# tcpdump -XX -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:39:12.538683 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 3044899642:3044899850, ack 2069915443, win 501, length 208
0x0000: 28c0 da42 b381 0016 3cf5 533d 0800 4510 (..B....<.S=..E.
0x0010: 00f8 f376 4000 4006 76e6 c60c 508b 78f2 ...v@.@.v...P.x.
0x0020: 4009 0016 1550 b57d 7b3a 7b60 6733 5018 @....P.}{:{`g3P.
0x0030: 01f5 d07d 0000 92f8 6e57 87d0 84f6 3d30 ...}....nW....=0
0x0040: 143d 7d47 8a95 b713 6f17 821f a086 bf91 .=}G....o.......
0x0050: 7250 0e23 6016 5b93 6b24 2805 74fe 5786 rP.#`.[.k$(.t.W.
0x0060: 4bb6 7167 ca01 a6e8 096c 72a6 532f bf6c K.qg.....lr.S/.l
0x0070: 9edd 2809 d886 b114 92ba 08e6 59a0 6a27 ..(.........Y.j'
0x0080: 6a79 e44f 7236 1b75 8f06 6b0a 86d6 c826 jy.Or6.u..k....&
0x0090: 9fa2 b974 0d44 44d2 b27c d907 9343 878c ...t.DD..|...C..
0x00a0: 6cf4 3aeb 6467 fac6 1917 e07c 5e74 cb90 l.:.dg.....|^t..
0x00b0: a9c5 b647 7afc 89d6 2099 34be 311f 0139 ...Gz.....4.1..9
0x00c0: 52b4 40a7 c126 698a 5880 5cda 0322 9371 R.@..&i.X.\..".q
0x00d0: ce4b 1695 bc55 794f da87 41cb cadf 3e2f .K...UyO..A...>/
0x00e0: acba 6fe1 dc91 bfae d6a9 e196 cd31 b2ed ..o..........1..
0x00f0: 5c79 a40d 9859 ad52 8304 53b1 6445 6b8d \y...Y.R..S.dEk.
0x0100: 4a51 3a70 e6aa JQ:p..
23:39:12.539524 IP ecscoupon.com198.12.80.139.36521 > dns.google.domain: 23326+ PTR? 9.64.242.120.in-addr.arpa. (43)
0x0000: 28c0 da42 b381 0016 3cf5 533d 0800 4500 (..B....<.S=..E.
0x0010: 0047 f345 4000 4011 20b9 c60c 508b 0808 .G.E@.@.....P...
0x0020: 0808 8ea9 0035 0033 26ec 5b1e 0100 0001 .....5.3&.[.....
0x0030: 0000 0000 0000 0139 0236 3403 3234 3203 .......9.64.242.
0x0040: 3132 3007 696e 2d61 6464 7204 6172 7061 120.in-addr.arpa

6. Capture packets and save them to a file

As noted above, tcpdump can save a capture to a file in .pcap format; just run it with the -w option:

[root@ecscoupon ~]# tcpdump -w 0001.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C12827 packets captured
12936 packets received by filter
0 packets dropped by kernel

7. Read a capture file

To read and analyze the packets captured in the file 0001.pcap, use the -r option as shown:

[root@ecscoupon ~]# tcpdump -r 0001.pcap
reading from file 0001.pcap, link-type EN10MB (Ethernet)
23:40:29.615460 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 3044931482:3044931626, ack 2069915779, win 501, length 144
23:40:29.663587 ARP, Request who-has 172-245-8-102-host.colocrossing.com tell 172-245-8-1-host.colocrossing.com, length 46
23:40:29.670367 ARP, Request who-has 107-172-168-184-host.colocrossing.com tell 107-172-168-1-host.colocrossing.com, length 46

8. Capture packets showing IP addresses

To have tcpdump print numeric IP addresses instead of resolving them to hostnames, run it with the -n option. Compare the output below with example 1, where the same host appeared as ecscoupon.com; skipping reverse DNS lookups also avoids the extra PTR queries visible in the earlier captures.

[root@ecsccoupon ~]# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:50:40.474977 IP 198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 129952:130208, ack 1, win 501, length 256
23:50:40.475108 IP 198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 130208:130384, ack 1, win 501, length 176
23:50:40.475237 IP 198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 130384:130560, ack 1, win 501, length 176
23:50:40.475368 IP 198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 130560:130736, ack 1, win 501, length 176
23:50:40.475497 IP 198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 130736:130912, ack 1, win 501, length 176

9. Capture only TCP packets

To capture only TCP packets, add the tcp filter expression to the command:

[root@idccoupon ~]# tcpdump -i eth0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:54:12.542136 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 3052940474:3052940682, ack 2069949059, win 501, length 208
23:54:12.565563 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 208:416, ack 1, win 501, length 208
23:54:12.565959 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 416:608, ack 1, win 501, length 192
23:54:12.566184 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 608:800, ack 1, win 501, length 192
23:54:12.566416 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 800:992, ack 1, win 501, length 192
23:54:12.566692 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 992:1184, ack 1, win 501, length 192
23:54:12.566947 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 1184:1376, ack 1, win 501, length 192

10. Capture packets from a specific port

Suppose you want to capture only the traffic on port 22: pass the port number in the filter expression as shown below:

[root@idccoupon ~]# tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:14.315553 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 254816: 255008, ack 1, win 501, length 192
00:00:14.315828 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 255008: 255200, ack 1, win 501, length 192
00:00:14.315977 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 255200: 255392, ack 1, win 501, length 192
00:00:14.316122 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 255392: 255584, ack 1, win 501, length 192
00:00:14.316257 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 255584: 255776, ack 1, win 501, length 192
00:00:14.316412 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 255776: 255968, ack 1, win 501, length 192

11. Capture packets from a source IP

To capture packets coming from a specific source IP, for example 198.12.80.139 as in the command below, use the src filter:

[root@idccoupon ~]# tcpdump -i eth0 src 198.12.80.139
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:03:48.445301 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 1088112:1088304, ack 481, win 501, length 192
00:03:48.445486 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 1088304:1088496, ack 481, win 501, length 192
00:03:48.445727 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 1088496:1088688, ack 481, win 501, length 192
00:03:48.446172 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 1088688:1088880, ack 481, win 501, length 192
00:03:48.446397 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 1088880:1089072, ack 481, win 501, length 192
00:03:48.446539 IP ecscoupon.com198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 1089072:1089264, ack 481, win 501, length 192

12. Capture packets to a destination IP

To capture packets sent to a specific destination IP, for example 50.116.66.139, use the dst filter:

# tcpdump -i eth0 dst 50.116.66.139
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0
10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0
10:55:05.626027 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [.], ack 2, win 245, options [nop,nop,TS val 7959537 ecr 804759787], length 0
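The one-line-per-packet text printed in examples 8 to 12 is easy to post-process when you want totals rather than raw lines. As an added example that is not part of the original article, the Python below parses that format (as printed with -n), sums payload bytes per flow and counts bare SYNs aimed at a port; the sample lines are constructed to match the page's output, and the 203.0.113.7 lines and their ports are invented.

```python
import re
from collections import Counter

# Constructed sample in the one-line-per-packet format of `tcpdump -n` above.
# The first two lines follow example 8; the SYN and ARP lines are invented here
# (203.0.113.7 is from the documentation range TEST-NET-3).
SAMPLE = """\
23:50:40.474977 IP 198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 129952:130208, ack 1, win 501, length 256
23:50:40.475108 IP 198.12.80.139.ssh > 120.242.64.9.apc-5456: Flags [P.], seq 130208:130384, ack 1, win 501, length 176
23:50:40.480001 IP 203.0.113.7.51000 > 198.12.80.139.ssh: Flags [S], seq 1, win 64240, length 0
23:50:40.480500 IP 203.0.113.7.51001 > 198.12.80.139.ssh: Flags [S], seq 1, win 64240, length 0
23:50:40.481000 ARP, Request who-has 172.245.8.67 tell 172.245.8.1, length 46
"""

# TCP lines only: "IP", two endpoints, a Flags field and a trailing payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def split_endpoint(endpoint):
    """'198.12.80.139.ssh' -> ('198.12.80.139', 'ssh'); the port is the last dot-field."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_tcp_lines(text):
    """Yield (src, sport, dst, dport, flags, payload_len) for every TCP line.
    ARP lines and IP lines without a Flags field (UDP, ICMP) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        yield src, sport, dst, dport, m["flags"], int(m["len"])

def bytes_per_flow(text):
    """Sum payload bytes per (src, sport, dst, dport) 4-tuple."""
    totals = Counter()
    for src, sport, dst, dport, _, n in parse_tcp_lines(text):
        totals[(src, sport, dst, dport)] += n
    return totals

def syn_only_sources(text, dport):
    """Count bare SYNs (flags exactly 'S') per source host towards dport."""
    hits = Counter()
    for src, _, _, dst_port, flags, _ in parse_tcp_lines(text):
        if dst_port == dport and flags == "S":
            hits[src] += 1
    return hits
```

Feed it the output of `tcpdump -n -r 0001.pcap` to get per-flow byte totals, and a single source racking up many bare SYNs towards one port is a cheap first indicator of repeated connection attempts worth a closer look.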

Summary

This article covered installing Tcpdump and demonstrated practical examples of capturing and analyzing packets. Tcpdump offers many more options; combine the ones that match your requirements.

Note that running tcpdump normally requires root or superuser privileges; without them it may be unable to open the network interface. Choose your filter expressions with care so that you neither miss the traffic that matters nor capture unnecessary packets.

Site notice: this article is original content by 趣云笔记; some resources were collected from the web, and infringing material will be removed on request via QQ 2472781824.
Article title: 12 Common Tcpdump Commands Explained: Capturing Packets by IP and Port
Article link: https://www.ecscoupon.com/1203.html