Tcpdump的常用指令小结,Linux抓包工具:tcpdump简单使用。

jackxiang 2010-1-14 13:25 | |
TCPDUMP数据包分析及在服务器维护过程中的作用。windump用法类似。今天特别为了测试tcpdump架设了两个虚拟机,对所述命令进行测试。以达到完全了解tcpdump的目的。环境centos 5 虚拟机用vmware。

tcpdump的选项介绍

   -a    将网络地址和广播地址转变成名字;
   -d    将匹配信息包的代码以人们能够理解的汇编格式给出;
   -dd    将匹配信息包的代码以c语言程序段的格式给出;
   -ddd   将匹配信息包的代码以十进制的形式给出;
   -e    在输出行打印出数据链路层的头部信息;
   -f    将外部的Internet地址以数字的形式打印出来;
   -l    使标准输出变为缓冲行形式;
   -n    不把网络地址转换成名字;
   -t    在输出的每一行不打印时间戳;
   -v    输出一个稍微详细的信息,例如在ip包中可以包括ttl和服务类型的信息;
   -vv    输出详细的报文信息;
   -c    在收到指定的包的数目后,tcpdump就会停止;
   -F    从指定的文件中读取表达式,忽略其它的表达式;
   -i    指定监听的网络接口;
   -r    从指定的文件中读取包(这些包一般通过-w选项产生);
   -w    直接将包写入文件中,并不分析和打印出来;
   -T    将监听到的包直接解释为指定的类型的报文,常见的类型有rpc (远程过程调用)和snmp(简单网络管理协议;)

tcpdump -nnnv arp 查找ARP攻击时确定攻击原MAC地址时常用。
tcpdump -nnnv udp port 53  DNS服务器53端口受ARP攻击时查看攻击源时用。
tcpdump -nnnv udp and not port 53  可以确定是否有非53端口的大流量UDP攻击
tcpdump -nnnv port 80 and host 192.168.0.1 找出从192.168.0.1的80端口收到或发送的IP包。
tcpdump -nnnv ip host 210.27.48.1 and ! 210.27.48.2 获取主机210.27.48.1除了和主机210.27.48.2之外所有主机通信的ip包

tcpdump -nnnv host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)  截获主机210.27.48.1 和主机210.27.48.2 或210.27.48.3的通信

tcpdump -nnnv host ! 192.168.15.129 and ! 192.168.15.130 and dst port 80
捕获除了主机192.168.15.129与192.168.15.130 且到本机目标80端口的数据包。

tcpdump -nnnv src 192.168.15.129 and port 53 捕获由192.168.15.129到本机53端口的数据包。不管是UDP还是TCP

信息参考:Tcpdump命令的使用与示例http://tcpdump.anheng.com.cn/news/24/586.html" target="_blank"> http://tcpdump.anheng.com.cn/news/24/586.html
                超级详细Tcpdump 的用法 http://course.51cto.com/art/200512/15473.htm
                Linux下的Sniffer Tcpdump的安装和使用http://unix-cd.com/vc/www/28/2007-08/8018.html 注此文中部分命令是错的。
           TCPDump使用方法小结   http://softtest.chinaitlab.com/qita/746811.html
                 TCPDUMP高级用法http://blog.csdn.net/linyt/archive/2007/12/14/1936073.aspx











================================================================================
Linux抓包工具:tcpdump简单使用
简单用法,可以分析soap数据包。

this is probably the easiest way to monitor SOAP messages.

simply use

#tcpdump -i eth0 -A -s 1024 port 80 | tee dump.log

to log all the packet sent to port 80 to dump.log


***********************************************************

今天在尝试TTserver的Http协议接口,为了确定走的协议是否为Http,需要抓包确定一下,
在windows下有很多工具很方便的抓包,linux下只能通过命令行来操作了,下面简单记录一下
tcpdump工具的使用:
//抓包,
tcpdump -nX -s 0 -w cap.raw host 123.123.123.123 and port 2978
//读包
tcpdump -r cap.raw -A

tcpdump有很多参数选项,man就可看到,
-----------------------------------------------------------------------------------    
EXAMPLES
To print all packets arriving at or departing from sundown:
tcpdump host sundown

To print traffic between helios and either hot or ace:
tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:
tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:
tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup: (note that the
expression is quoted to prevent the shell from (mis-)interpreting the
parentheses):
tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if
you gateway to one other net, this stuff should never make it onto your
local net).
tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each
TCP conversation that involves a non-local host.
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data, not, for example, SYN and FIN packets and
ACK-only packets. (IPv6 is left as an exercise for the reader.)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<>2)) != 0)'

To print IP packets longer than 576 bytes sent through gateway snup:
tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Eth-
ernet broadcast or multicast:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not
ping packets):
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
------------------------------------------------------------------------------------

注:需要root的权限才能运行tcpdump命令
说实话,tcpdump虽然强大,但是毕竟操作起来不如windows下一些图形软件方便。

作者:jackxiang@向东博客 专注WEB应用 构架之美 --- 构架之美,在于尽态极妍 | 应用之美,在于药到病除
地址:https://jackxiang.com/post/2563/
版权所有。转载时必须以链接形式注明作者和原始出处及本声明!


最后编辑: jackxiang 编辑于2013-4-17 09:28
评论列表
发表评论

昵称

网址

电邮

打开HTML 打开UBB 打开表情 隐藏 记住我 [登入] [注册]