前言

創(chuàng)新互聯(lián)建站基于成都重慶香港及美國(guó)等地區(qū)分布式IDC機(jī)房數(shù)據(jù)中心構(gòu)建的電信大帶寬，聯(lián)通大帶寬，移動(dòng)大帶寬，多線BGP大帶寬租用,是為眾多客戶提供專業(yè)服務(wù)器托管報(bào)價(jià)，主機(jī)托管價(jià)格性價(jià)比高，為金融證券行業(yè)德陽(yáng)機(jī)房托管，ai人工智能服務(wù)器托管提供bgp線路100M獨(dú)享，G口帶寬及機(jī)柜租用的專業(yè)成都idc公司。

    在介紹和使用tcpdump之前，請(qǐng)確保您已經(jīng)掌握或者了解如下幾個(gè)關(guān)鍵概念，否則后面的內(nèi)容讓你有點(diǎn)痛苦。

1. 能夠在Linux命令行下工作

2. 理解OSI七層網(wǎng)絡(luò)協(xié)議的概念

3. 熟悉各層的協(xié)議頭部，重點(diǎn)是IP/TCP/UDP

4. 交換機(jī)和路由器對(duì)應(yīng)于OSI的協(xié)議層

另外還需要注意的是：

    tcpdump是基于Unix系統(tǒng)的命令行式的數(shù)據(jù)包嗅探工具。如果要使用tcpdump抓取其他主機(jī)MAC地址的數(shù)據(jù)包，必須開啟網(wǎng)卡混雜模式，所謂混雜模式，用最簡(jiǎn)單的語(yǔ)言就是讓網(wǎng)卡抓取任何經(jīng)過(guò)它的數(shù)據(jù)包，不管這個(gè)數(shù)據(jù)包是不是發(fā)給它或者是它發(fā)出的，點(diǎn)擊【http://en.wikipedia.org/wiki/Promiscuous_mode】獲取更多有關(guān)混雜模式的資料。一般而言，Unix不會(huì)讓普通用戶設(shè)置混雜模式，因?yàn)檫@樣可以看到別人的信息，比如telnet的用戶名和密碼，這樣會(huì)引起一些安全上的問(wèn)題，所以只有root用戶可以開啟混雜模式，開啟混雜模式的命令是：ifconfig eth0 promisc, eth0是你要打開混雜模式的網(wǎng)卡。肯定有人要問(wèn)如果在windows下要不要打開混雜模式，windows下網(wǎng)卡沒有什么混雜模式不混雜模式，在于應(yīng)用程序本身，如使用Wireshark抓包的時(shí)候可以通過(guò)設(shè)置為在混雜模式下抓包（這就是為什么該死的ARP欺騙病毒可以猖狂的原因）。tcpdump當(dāng)然也可以指定抓包過(guò)濾器，而且其過(guò)濾器語(yǔ)言非常著名，叫做Berkeley包過(guò)濾，簡(jiǎn)稱BPF語(yǔ)言。

tcpdump介紹

     tcpdump is the premier network analysis tool for information security professionals. tcpdump is a commandline network analyzer tool or more technically a packet sniffer. Having a solid grasp of this uber-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. It can be thought of as the commandline version of wiresharek (only to a certain extent, since wireshark is much more powerful and capable. Many prefer to use higher level analysis tools Wireshark, but I believe this to usually be a mistake, you must know how wireshark work).

    As a commandline tool tcpdump is quite powerful for network analysis as filter expressions can be passwd in and tcpdump would pick up only the matching packets and dump them.

安裝tcpdump

### CentOS
[root@localhost ~]# yum search tcpdump
======================== Matched: tcpdump ===============================
arpwatch.i386 : Network monitoring tools for tracking IP addresses on a network.
libpcap.i386 : A system-independent interface for user-level packet capture.
libpcap-devel.i386 : A pcap library.
tcpdump.i386 : A network traffic monitoring tool.
[root@localhost ~]# yum -y install tcpdump

### Ubuntu
$ sudo apt-get install tcpdump

對(duì)于Linux，tcpdump 依賴于libpcap庫(kù)，關(guān)于更多l(xiāng)ibpcap庫(kù)，請(qǐng)參考這里。

tcpdump命令行選項(xiàng)

    下面的一些選項(xiàng)能夠幫助我們更好的利用tcpdump工作。這些選項(xiàng)非常容易忘記而且比較容易混淆，所以，請(qǐng)時(shí)刻 man  一下。

    首先，我會(huì)根據(jù)實(shí)際情況，喜歡添加一些選項(xiàng)在tcpdump命令本身。第一個(gè)是 -n ，不進(jìn)行名稱解析，結(jié)果以IP地址的形式展現(xiàn)。第二個(gè)是 -X, 它以十六進(jìn)制和ASCII把包的內(nèi)容顯示。最后一個(gè)是 -S，以絕對(duì)序列號(hào)顯示，而不是相對(duì)的。

    需要重點(diǎn)關(guān)注的是，默認(rèn)情況下，tcpdump只會(huì)抓取包的前96 bytes，如果你想抓取更多，請(qǐng)加上 -s number 選項(xiàng)，number 指定您想抓取的字節(jié)數(shù)。我建議使用 0(zero) 作為抓取的字節(jié)number，這將抓取所有的數(shù)據(jù)包的所有內(nèi)容。

    下面是我經(jīng)常使用的選項(xiàng)：

tcpdump基本用法

1、-n  Don't convert host addresses to names.  This  can  be  used  to  avoid  DNS

       lookups.

[root@localhost ~]# tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

17:25:33.472001 IP 192.168.27.129.46255 > 192.168.27.2.53:  36340+ A? www.baidu.com. (31)

默認(rèn)情況下，tcpdump將監(jiān)視第一個(gè)網(wǎng)卡上所有流過(guò)的數(shù)據(jù)包，我們看一下tcpdump輸出的這一行信息。

第一個(gè)字段"17:25:33.472001",是毫秒級(jí)精度的時(shí)間戳。

第二個(gè)字段"IP",是數(shù)據(jù)包的協(xié)議。

第三個(gè)字段"192.168.27.129.46255"，是source IP Address joined with the source Port。

第四個(gè)字段"192.168.27.2.53",是destination IP Address joined with destination Port and then some information about the packet.

2、-v -vv -vvv verbose, very verbose, very very verbose

    -S    Print absolute, rather than relative, TCP sequence numbers.

[root@localhost ~]# tcpdump -nnvvS

3、-X  Print each packet (minus its link level header) in hex and ASCII.

[root@localhost ~]# tcpdump -nnvvXS

4、-s increases the default snaplength, grabbing the whole packet

[root@localhost ~]# tcpdump -nnvvXS -s 1514
[root@localhost ~]# tcpdump -nnvvXS -s0

5、capture of exactly two(-c2) ICMP packets(a ping)

[root@localhost ~]# tcpdump -nnvvXS -s0 -c2 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:20:16.361251 IP (tos 0x0, ttl  64, id 28517, offset 0, flags [DF], proto: UDP (17), length: 59) 192.168.27.129.56183 > 192.168.27.2.53: [udp sum ok]  8002+ A? www.baidu.com. (31)
	0x0000:  4500 003b 6f65 4000 4011 1379 c0a8 1b81  E..;oe@.@..y....
	0x0010:  c0a8 1b02 db77 0035 0027 90dc 1f42 0100  .....w.5.'...B..
	0x0020:  0001 0000 0000 0000 0377 7777 0562 6169  .........www.bai
	0x0030:  6475 0363 6f6d 0000 0100 01              du.com.....
19:20:16.468176 IP (tos 0x0, ttl 128, id 182, offset 0, flags [none], proto: UDP (17), length: 118) 192.168.27.2.53 > 192.168.27.129.56183: [udp sum ok]  8002 q: A? www.baidu.com. 3/0/0 www.baidu.com. CNAME www.a.shifen.com., www.a.shifen.com. A 61.135.169.105, www.a.shifen.com. A 61.135.169.125 (90)
	0x0000:  4500 0076 00b6 0000 8011 81ed c0a8 1b02  E..v............
	0x0010:  c0a8 1b81 0035 db77 0062 48e9 1f42 8180  .....5.w.bH..B..
	0x0020:  0001 0003 0000 0000 0377 7777 0562 6169  .........www.bai
	0x0030:  6475 0363 6f6d 0000 0100 01c0 0c00 0500  du.com..........
	0x0040:  0100 0000 0500 0f03 7777 7701 6106 7368  ........www.a.sh
	0x0050:  6966 656e c016 c02b 0001 0001 0000 0005  ifen...+........
	0x0060:  0004 3d87 a969 c02b 0001 0001 0000 0005  ..=..i.+........
	0x0070:  0004 3d87 a97d                           ..=..}
2 packets captured
3 packets received by filter
0 packets dropped by kernel

Common Syntax

    Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.

expression

    select which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is 'True' will be dumped.

    There are three different kinds of qualifier.

  type    qualifiers say what kind of thing the id name or number refers to. Possible types are host, netand port. If there is no type qualifier, hostis assumed.

  dir      qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dstand src and dst. If there is no dir qualifier, src or dstis assumed.

 proto    qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcpand udp. E.g 'tcp src 192.168.1.2' . If there is no proto qualifier, all protocols consistent with the type are assumed.

    Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all they'll be pretty familar to you:

舉例說(shuō)明：

### type
## host
# tcpdump host 1.2.3.4

## net
# tcpdump net 1.2.3.0/24
# tcpdump net 1.2

## port
# tcpdump port 80

## src, dst
# tcpdump src 1.2.3.4
# tcpdump dst 1.2.3.4

## proto
# tcpdump icmp

### type, dir, proto
# tcpdump 'src port 3306 and tcp'
# tcpdump 'udp and src port 53'

Writing to a File

    tcpdump allows you to send what you're capturing to a file for later use using the -woption, and then to read it back using the -roption. This is an excellent way to capture raw traffic and then run it through various tools later.

    The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.

## capture all port 80 traffic to a file
# tcpdump -s 1514 port 80 -w capture_file

## read captured traffic back into tcpdump
# tcpdump -r capture_file

More Examples

# tcpdump -nnvvS  'src 10.5.2.3 and dst port 3306'

# tcpdump 'src 10.0.2.4 and (dst port 3306 or 22)'

## 你懂的
# [root@localhost ~]# tcpdump -i eth0 -nnvvXS -s1514 'port 22 or port 23 or port 25 or port 110' | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|pass:|user:|username:|password:|login:|pass |user ' -B20

http://danielmiessler.com/study/tcpdump/

http://openmaniak.com/tcpdump.php

http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/

http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html （good）

http://blog.csdn.net/langeldep/article/details/6156818

http://roclinux.cn/?p=2474

http://www.chinaunix.net/old_jh/29/674578.html

http://blog.chinaunix.net/uid-10328574-id-2951040.html

網(wǎng)頁(yè)題目：tcpdump教程-從命令行抓取和分析數(shù)據(jù)包
瀏覽路徑：http://jinyejixie.com/article36/ppsepg.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供小程序開發(fā)、微信公眾號(hào)、響應(yīng)式網(wǎng)站、虛擬主機(jī)、網(wǎng)站改版、做網(wǎng)站

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來(lái)源： 創(chuàng)新互聯(lián)