
Introduction and usage of tcpdump, the packet-capture tool commonly used in Linux operations

2018-1-22 12:50 | Contributed by: xiaotiger | Source: the Internet

Abstract: tcpdump is a tool that intercepts network packets and prints their contents. Its powerful features and flexible capture rules make it the tool of choice for network analysis and troubleshooting on UNIX-like systems.


Preface

tcpdump is a tool that intercepts network packets and prints their contents. Its powerful features and flexible capture rules make it the tool of choice for network analysis and troubleshooting on UNIX-like systems.

tcpdump ships with its source code and exposes public interfaces, so it is highly extensible and is a very useful tool both for network maintainers and for intruders. tcpdump is present in a basic Linux installation. Because it has to put the network interface into promiscuous mode, ordinary users cannot run it normally, but a user with root privileges can run it directly to collect information from the network. A packet analyser on a system is therefore mainly a threat not to that machine's own security but to the security of the other computers on the network.

Overview

As its name suggests, tcpdump captures the headers of the packets travelling across the network in full and makes them available for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you discard the information you do not need.

# tcpdump -vv

Run without arguments, tcpdump collects the headers of every packet on the network. The volume of data is enormous, so you must filter.

Option reference

  • -A Print each packet in ASCII, minimizing the link-layer header.

  • -c Stop after the specified number of packets has been received.

  • -C Before writing a raw packet to the output file, check whether the file is currently larger than file_size. If it is, close the current file and open a new one. file_size is measured in millions of bytes (1,000,000 bytes, not 1,048,576).

  • -d Dump the compiled packet-matching code in a human-readable, assembler-like form.

  • -dd Dump the packet-matching code as a C program fragment.

  • -ddd Dump the packet-matching code as decimal numbers.

  • -D Print the list of network interfaces on the system on which tcpdump can capture.

  • -e Print the data-link-layer header on each output line.

  • -E Use spi@ipaddr algo:secret to decrypt IPsec ESP packets that are addressed to addr and contain the Security Parameter Index value spi.

  • -f Print "foreign" Internet addresses numerically.

  • -F Read the filter expression from the specified file, ignoring any expression given on the command line.

  • -i Specify the network interface to listen on.

  • -l Make standard output line-buffered, so the data can be redirected to a file.

  • -L List the known data link types of the network interface.

  • -m Load SMI MIB module definitions from the file module. This option can be given several times to load multiple MIB modules.

  • -M If a TCP segment carries the TCP-MD5 option, use secret as the shared secret for validating the TCP-MD5 option digest (see RFC 2385 for details).

  • -b Select the protocol at the data-link layer; ip, arp, rarp and ipx all belong to this layer.

  • -n Do not convert network addresses to names.

  • -nn Do not convert port numbers to names either.

  • -N Do not print the domain part of host names. For example, 'nic.ddn.mil' is printed as 'nic'.

  • -O Do not run the packet-matching code optimizer.

  • -P Do not put the network interface into promiscuous mode.

  • -q Quick output: print less protocol information.

  • -r Read packets from the specified file (normally produced with the -w option).

  • -S Print absolute rather than relative TCP sequence numbers.

  • -s Read the first snaplen bytes of each packet instead of the default 68 bytes.

  • -T Interpret the captured packets as the specified type; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol).

  • -t Do not print a timestamp on each line.

  • -tt Print an unformatted timestamp on each line.

  • -ttt Print the time difference between the current line and the previous one.

  • -tttt Print a timestamp on each line in the default format produced by date.

  • -u Print undecoded NFS handles.

  • -v Slightly more verbose output; for example, IP packets also show the TTL and the type of service.

  • -vv Even more detailed packet information.

  • -w Write the raw packets to a file instead of parsing and printing them.

tcpdump filter expressions

The expression is a pattern, in the style of a regular expression, that tcpdump uses as the condition for filtering packets: a packet that satisfies the expression is captured. If no condition is given, every packet on the network is captured.

An expression is generally built from the following kinds of keywords:

The first kind are type keywords, mainly host, net and port. For example, host 210.27.48.2 states that 210.27.48.2 is a host, net 202.0.0.0 states that 202.0.0.0 is a network address, and port 23 states that the port number is 23. If no type is given, the default is host.

The second kind are direction keywords, mainly src, dst, dst or src and dst and src, which specify the direction of transfer. For example, src 210.27.48.2 states that the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 states that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind are protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp. fddi denotes the protocol used on an FDDI (Fiber Distributed Data Interface) network; it is in fact an alias for "ether", and because fddi and ether have similar source and destination addresses, fddi packets can be processed and analysed as ether packets. The other keywords name the protocol of the packets to listen for. If no protocol is given, tcpdump listens for packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater.

There are also three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.

These keywords can be combined into powerful compound conditions to suit your needs.

Examples

(1) To capture every packet received or sent by the host 192.168.5.85:

# tcpdump host 192.168.5.85

(2) To capture the traffic between host 192.168.5.95 and either host 192.168.5.6 or host 192.168.5.172, use the following command (note: the backslashes before the parentheses are required):

# tcpdump host 192.168.5.95 and \(192.168.5.6 or 192.168.5.172\)

(3) To capture the IP packets exchanged between host 192.168.5.95 and every host except 192.168.5.6, use:

# tcpdump ip host 192.168.5.95 and ! 192.168.5.6

(4) To capture the ssh packets received or sent by host 192.168.5.95 without resolving host names, use the following command:

# tcpdump -nn -n src host 192.168.5.95 and port 22 and tcp

(5) To capture the ssh packets received or sent by host 192.168.228.246 and also show the MAC addresses:

# tcpdump -e -n -nn src host 192.168.5.95 and port 22 and tcp
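Building on examples (2) and (4), the following added shell script (not part of the original article) composes the host-and-peers filter with the whole expression quoted instead of backslash-escaping the parentheses, runs a bounded capture to a pcap file, and counts new SSH connection attempts per source address in the -nn -tttt output. The interface name, the host addresses and the sample output lines are assumed or constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article. Interface and addresses are hypothetical.

# Filter from examples (2)/(4): one host talking to a list of peers on port 22.
# Passing the expression as a single quoted argument makes the \( \) escapes
# unnecessary. "host" matches both directions; "src host" would keep only the
# packets that the host sends.
build_ssh_filter() {
    local_host=$1; shift
    peers=""
    for p in "$@"; do
        peers="${peers:+$peers or }host $p"
    done
    printf 'host %s and (%s) and tcp port 22' "$local_host" "$peers"
}

# Bounded capture: -nn (no name or port lookups), -tttt (readable timestamps),
# -c (stop after N packets), -s 0 (whole packets), -w (save a pcap for later -r).
capture_ssh() {
    iface=$1; count=$2; outfile=$3; shift 3
    tcpdump -i "$iface" -nn -tttt -c "$count" -s 0 -w "$outfile" "$(build_ssh_filter "$@")"
}

# Count pure SYNs (Flags [S]) per source address on stdin. In "-nn -tttt" output
# the source is field 4 as addr.port, so the trailing ".port" is stripped.
count_syn_by_source() {
    awk '$7 == "Flags" && $8 == "[S]," { sub(/\.[0-9]+$/, "", $4); n[$4]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Read a saved capture back with -r and feed it to the counter.
summarize_pcap() { tcpdump -nn -tttt -r "$1" | count_syn_by_source; }

# Constructed sample lines in the format "tcpdump -nn -tttt" prints (not real traffic).
SAMPLE='2018-01-21 15:54:14.000001 IP 192.168.5.95.51234 > 192.168.5.6.22: Flags [S], seq 1, win 29200, length 0
2018-01-21 15:54:14.000120 IP 192.168.5.6.22 > 192.168.5.95.51234: Flags [S.], seq 7, ack 2, win 28960, length 0
2018-01-21 15:54:14.000240 IP 192.168.5.95.51234 > 192.168.5.6.22: Flags [.], ack 8, win 229, length 0
2018-01-21 15:54:15.000001 IP 192.168.5.172.40000 > 192.168.5.6.22: Flags [S], seq 3, win 29200, length 0
2018-01-21 15:54:16.000001 IP 192.168.5.95.51235 > 192.168.5.6.22: Flags [S], seq 9, win 29200, length 0'

if [ "${1:-}" = "demo" ]; then
    echo "filter: $(build_ssh_filter 192.168.5.95 192.168.5.6 192.168.5.172)"
    printf '%s\n' "$SAMPLE" | count_syn_by_source
fi
```

Run it as `sh script.sh demo` to print the composed filter and the per-source SYN counts for the sample; `capture_ssh eth0 200 ssh.pcap 192.168.5.95 192.168.5.6 192.168.5.172` followed by `summarize_pcap ssh.pcap` does the same for a live capture (root required).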





