
Common options of the tcpdump command: Part 3

admin 173

tcpdump is used to capture and analyze network traffic. A system administrator can use it to watch live traffic or save the output to a file and analyze it later. Six commonly used options are listed below.

Filtering on TCP flags

TCP traffic can be filtered on the various TCP flags. Here is an example of filtering on the tcp-ack flag.

[root@localhost ~]# tcpdump -i any -c 3 -X
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:37:30.318137 : Flags [P.], seq 725376559:725376803, ack 1854460843, win 1842, length 244
        0x0000:  4548 011c 0faf 10c0 a82b 83  EH.@.@.R+.
        0x0010:  c0a8 2b01 0016 9c22 2b3c 5e2f 6e88 d3ab  ..+."+^/n
        0x0020:  5018 0732 d8e3 0000 0000 00d0 d1ce 67d9  P..2.:
        0x0030:  b8e9 5171 dd56 bfbb 2d3e 7ce7 9a9b 60a5  ...-|`.
        0x0040:  152d 4295 9f8f d6ba dec2 895e 3921 2d76  .-B..^9!-v
        0x0050:  c5c6 5b6b 7161 61eb 0b30 1eae b622 2f14  ..[kqaa..0"/.
        0x0060:  .Zg(
        0x0070:  4b9f 942d b762 a178 9d5e 5f70 96c2 fbad  K..-.^_:53.kj..
        0x0090:  203e 9a22 75c3 02ea c8d5 a2ec 5d30 60db  .."u.]0`.
        0x00a0:  64  ;'=
        0x00b0:  8.'..$O_..]W..
        0x00c0:  3c72 77de 6da5 97b9 52e8 7695 a964 d2a2  b..
16:37:30.318540 _: 47072+ PTR? 1.43.168.192. (43)
        0x0000:  4500 0047 a7e5 4000 4011 baea c0a8 2b83  E..G..@.@..+.
        0x0010:  c0a8 2b02 c58d 0035 0033 d81a b7e0 0100  ..+.5.3
        0x0020:  0001000000000000031361.43.16
        0x0030:  380331393207696:706100000c0001pa..
16:37:30.318743 : Flags [.], ack 244, win 4103, length 0
        0x0000:  4500 0028 538d 4000 8006 cf6d c0a8 2b01  E..(S.@.m..+.
        0x0010:  c0a8 2b83 9c22 0016 6e88 d3ab 2b3c 5f23  ..+.."..n+_

[root@localhost ~]# tcpdump -i any -c 4 -A
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:38:36.499869 : Flags [P.], seq 725380591:725380835, ack 1854462375, win 1842, length 244
EH.@.@.Q++."+..3}s..

[root@localhost ~]# tcpdump -i any -c 1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
19:40:24.112322 : Flags [P.], seq 725383083:725383327, ack 1854472047, win 1842, length 244
1 packet captured
6 packets received by filter
0 packets dropped by kernel



Below is an example using the -v option:

[root@localhost ~]# tcpdump -i any port 443 -c 1 -vv
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
19:51:18.409014 IP (tos 0x0, ttl 64, id 14543, offset 0, flags [DF], proto TCP (6), length 60) : Flags [S], cksum 0xd1cb (incorrect -> 0x3f8f), seq 895899993, win 29200, options [mss 1460,sackOK,TSval 1518996680 ecr 0,nop,wscale 7], length 0
1 packet captured
1 packet received by filter
0 packets dropped by kernel



Below is an example using the -vvv option:

[root@localhost ~]#
.: 4cf0e7e15c701be181700ef08026903e L\
: 4920abbffcc057a592b0ed6ffd68ed96 I...
        0x00b0:  53a1 3c7e 96bd 9f9d b95a 8dad 998b db5f  S.~..Z.._
        0x00c0:  9:.}.+;
        0x00d0:  d601 8d7a 84a4 bfd5 8e3e be22  z..."
1 packet captured
7 packets received by filter
0 packets dropped by kernel


Filtering by protocol

Packets of a specific protocol can be selected by using the protocol name as the filter. Below, packets of the UDP protocol are filtered out:

[root@localhost ~]# tcpdump tcp and port 443 -i any -c 2 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:41:53.357110 : Flags [S], seq 1415602203, win 29200, options [mss 1460,sackOK,TSval 1913450260 ecr 0,nop,wscale 7], length 0
14:41:53.378144 : Flags [S.], seq 1535386750, ack 1415602204, win 64240, options [mss 1460], length 0
2 packets captured
3 packets received by filter
0 packets dropped by kernel

[root@localhost ~]# tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' -c 4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
14:57:47.675667 : , length 68
14:57:48.677588 : , length 68
14:57:49.680887 : , length 68
14:57:50.686504 : , length 68
4 packets captured
4 packets received by filter
0 packets dropped by kernel

The -q option simplifies the output

If you want less output, use the -q option for quicker, quieter output.

[root@localhost ~]# tcpdump tcp -i any -c 4 -t
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked),
: Flags [P.], seq 743668214:743668458, ack 3963265225, win 343,
: Flags [.], ack 244, win 4102,
: Flags [P.], seq 244:520, ack 1, win 343,
: Flags [P.], seq 520:684, ack 1, win 343, length 164
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Notice that the timestamp is no longer printed at the start of each line (the -t option suppresses it).

Printing the time difference between a line and the previous one instead of the time

The example below uses the -ttt option and shows six lines of icmp packets; the time difference between consecutive lines can be seen:

[root@localhost ~]# tcpdump icmp -i any -c 6 -ttt -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
00:00:00.000000 : ICMP echo request, id 2986, seq 1, length 64
00:00:00.251269 : ICMP echo reply, id 2986, seq 1, length 64
00:00:00.749532 : ICMP echo request, id 2986, seq 2, length 64
00:00:00.253396 : ICMP echo reply, id 2986, seq 2, length 64
00:00:00.747521 : ICMP echo request, id 2986, seq 3, length 64
00:00:01.051634 : ICMP echo request, id 2986, seq 4, length 64
6 packets captured
6 packets received by filter
0 packets dropped by kernel
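Added here as a worked example (it is not part of the original post), a small Python parser for the -ttt output above: it rebuilds absolute offsets from the per-line deltas, computes each echo's round-trip time, and lists echo requests that never got a reply, which in this capture are seq 3 and seq 4. The sample lines are constructed from the page's capture with the addresses omitted, so the regex skips whatever sits between the timestamp and "ICMP".

```python
import re

# Constructed sample: the six -ttt lines from the ICMP capture above, with the
# source/destination addresses omitted exactly as they are on this page.
SAMPLE_TTT = """\
00:00:00.000000 : ICMP echo request, id 2986, seq 1, length 64
00:00:00.251269 : ICMP echo reply, id 2986, seq 1, length 64
00:00:00.749532 : ICMP echo request, id 2986, seq 2, length 64
00:00:00.253396 : ICMP echo reply, id 2986, seq 2, length 64
00:00:00.747521 : ICMP echo request, id 2986, seq 3, length 64
00:00:01.051634 : ICMP echo request, id 2986, seq 4, length 64
6 packets captured
"""

# Timestamp, then anything (addresses, if present), then the ICMP echo fields.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) .*?ICMP echo (request|reply), id (\d+), seq (\d+)"
)

def parse_ttt(text):
    """Turn -ttt output into (offset_us, kind, id, seq) tuples: -ttt prints the
    delta from the previous line, so the absolute offset is a running sum."""
    events, offset_us = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # banner and "N packets captured" lines carry no packet
            continue
        h, mi, s, us, kind, ident, seq = m.groups()
        offset_us += (int(h) * 3600 + int(mi) * 60 + int(s)) * 1_000_000 + int(us)
        events.append((offset_us, kind, int(ident), int(seq)))
    return events

def round_trip_times(events):
    """Map (id, seq) of each answered echo request to its RTT in microseconds."""
    sent, rtts = {}, {}
    for offset_us, kind, ident, seq in events:
        key = (ident, seq)
        if kind == "request":
            sent[key] = offset_us
        elif key in sent:
            rtts[key] = offset_us - sent.pop(key)
    return rtts

def unanswered_requests(events):
    """Sorted (id, seq) of echo requests that never received a reply."""
    replied = {(i, s) for _, kind, i, s in events if kind == "reply"}
    return sorted({(i, s) for _, kind, i, s in events if kind == "request"} - replied)
```

Feed it `tcpdump icmp -ttt -nn` output directly; lines with addresses parse the same way because the regex only anchors on the timestamp and the ICMP echo fields.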

Summary

tcpdump is an excellent tool for collecting data about network traffic. Packet captures provide useful information for troubleshooting and security analysis.