网络嗅探工具--Tcpdump命令

tcpdum是一个强大和广泛使用的命令行包嗅探器或者包分析工具，它用于捕获或过滤通过指定网卡上网络传输或接收的TCP/IP数据包。

它在大部分基于Linux/Unix的操作系统下是有的。tcpdum也给了一个选项，用于在一个文件中保存被捕获的包用于将来分析。它用pcap格式保存这个文件，可以用tcpdump命令或者一个称为Wireshark(网络协议分析器)的基于GUI开源工具查看这个文件。

如何在Linux中安装tcpdump

很多Linux发行版已经安装了tcpdump工具，如果你你在系统上没有安装它，你根据自己的版本用以下命令之一安装它。

$ sudo apt-get install tcpdump  [On Debian, Ubuntu and Mint]
$ sudo yum install tcpdump           [On RHEL/CentOS/Fedora and Rocky Linux/AlmaLinux]
$ sudo emerge -a sys-apps/tcpdump    [On Gentoo Linux]
$ sudo pacman -S tcpdump             [On Arch Linux]
$ sudo zypper install tcpdump        [On OpenSUSE]    

开始tcpdump命令示例

在你的系统上安装了tcpdump工具后，你可以继续用它的示例浏览以下命令。

1、从特定网卡捕获数据包

在你中断钱，这个命令屏幕将向上翻滚，并且当你执行tcpdump命令时，它将从所有网卡捕获，但-i选项只从所需网卡捕获。

[root@localhost blctrl]# tcpdump -i br0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:52:21.896531 IP 192.168.3.50.60752 > 192.168.3.2.ssh: Flags [P.], seq 16928555:16928603, ack 321098057, win 511, length 48
10:52:21.897350 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 1:49, ack 48, win 302, length 48
10:52:21.945874 IP 192.168.3.50.60752 > 192.168.3.2.ssh: Flags [.], ack 49, win 510, length 0
10:52:22.123492 IP 192.168.3.50.60752 > 192.168.3.2.ssh: Flags [P.], seq 48:96, ack 49, win 510, length 48
10:52:22.123870 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 49:97, ack 96, win 302, length 48
...

2、只捕获N个数据包

当你运行tcpdum命令时，在你用ctrl+c中断钱，它将捕获指定网卡的所有数据包。但使用-c选项，你能捕获指定数目的数据包。以下示例显示只捕获4个数据包。

[root@localhost blctrl]# tcpdump -c4 -i br0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:55:00.546242 ARP, Request who-has 192.168.3.3 (52:54:00:52:8b:a9 (oui Unknown)) tell 192.168.3.50, length 48
10:55:00.546499 ARP, Reply 192.168.3.3 is-at 52:54:00:52:8b:a9 (oui Unknown), length 28
10:55:10.657039 IP 192.168.3.50.60752 > 192.168.3.2.ssh: Flags [P.], seq 16929851:16929899, ack 321099833, win 509, length 48
10:55:10.657735 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 1:65, ack 48, win 302, length 64

3、用ASCII打印被捕获的数据包

以下使用选项-A的tcpdump命令用ASCII格式显示数据包。它是一种字符编码方案格式。

[root@localhost blctrl]# tcpdump -A -i br0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:59:28.567132 IP 192.168.3.50.60752 > 192.168.3.2.ssh: Flags [P.], seq 16930475:16930523, ack 321100873, win 511, length 48
E..X.^@........2.....P....V..#.IP....}..tjy..ze.P..F h*.T...Q   .0......:u].!3....m.RJ'.?.0.
10:59:28.567653 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 1:49, ack 48, win 302, length 48
E..X=.@.@.u3.......2...P.#.I..V.P........w...rA...Z.:..v).Y9YVgo....7p...f.:).lZ.t..o..x
10:59:28.620799 IP 192.168.3.50.60752 > 192.168.3.2.ssh: Flags [.], ack 49, win 511, length 0
E..(._@........2.....P....V..#.yP...1p.........0
7

4、显示可用接口

要列出系统上可用接口数目，用-D运行以下命令：

[root@localhost blctrl]# tcpdump -D
1.enp0s25
2.enp0s20u13
3.br0
4.virbr0
5.vnet0
6.enp0s20u7
7.nflog (Linux netfilter log (NFLOG) interface)
8.nfqueue (Linux netfilter queue (NFQUEUE) interface)
9.vnet1
10.usbmon1 (USB bus number 1)
11.usbmon2 (USB bus number 2)
12.usbmon3 (USB bus number 3)
13.usbmon4 (USB bus number 4)
14.any (Pseudo-device that captures on all interfaces)
15.lo [Loopback]

5、用HEX和ASCII显示捕获的数据包

带选项-XX的以下命令捕获每个数据包的数据，包括它的以HEX和ASCII格式的链接等级头：

[root@localhost blctrl]# tcpdump -XX -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
19:40:45.630090 IP localhost.51876 > localhost.x11: Flags [P.], seq 4213737534:4213737540, ack 45552367, win 342, options [nop,nop,TS val 258469654 ecr 258428887], length 6
        0x0000:  0000 0000 0000 0000 0000 0000 0800 4500  ..............E.
        0x0010:  003a 44cd 4000 4006 f7ee 7f00 0001 7f00  .:D.@.@.........
        0x0020:  0001 caa4 1770 fb28 883e 02b7 12ef 8018  .....p.(.>......
        0x0030:  0156 fe2e 0000 0101 080a 0f67 ef16 0f67  .V.........g...g
        0x0040:  4fd7 6865 6c6c 6f0a                      O.hello.
19:40:45.630135 IP localhost.x11 > localhost.51876: Flags [.], ack 6, win 342, options [nop,nop,TS val 258469654 ecr 258469654], length 0
        0x0000:  0000 0000 0000 0000 0000 0000 0800 4500  ..............E.
        0x0010:  0034 de19 4000 4006 5ea8 7f00 0001 7f00  .4..@.@.^.......
        0x0020:  0001 1770 caa4 02b7 12ef fb28 8844 8010  ...p.......(.D..
        0x0030:  0156 fe28 0000 0101 080a 0f67 ef16 0f67  .V.(.......g...g
        0x0040:  ef16                                     ..

6、捕获并且在文件中保存数据包

tcpdum有一个捕获并且用.pcap格式保存文件的特定，要做这件事，只要执行带-w选项的命令。

[root@localhost blctrl]# tcpdump -w 0001.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C2 packets captured
4 packets received by filter
0 packets dropped by kernel

7、读取捕获的数据包文件

要读取和分析捕获的数据包0001.pcap文件，使用带-r选项的命令，如下：

[root@localhost blctrl]# tcpdump -r 0001.pcap
reading from file 0001.pcap, link-type EN10MB (Ethernet)
19:45:42.049771 IP localhost.localdomain.ssh > 192.168.3.50.58396: Flags [P.], seq 878614622:878614686, ack 820965017, win 338, length 64
19:45:42.052754 IP 192.168.3.50.58396 > localhost.localdomain.ssh: Flags [.], ack 64, win 4100, length 0

8、捕获IP地址数据包

要捕获指定接口的数据包，运行以下带选项-n的命令。

[root@localhost blctrl]# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:49:15.103551 IP 192.168.3.2.ssh > 192.168.3.50.58396: Flags [P.], seq 878617806:878617870, ack 820967417, win 338, length 64
19:49:15.103835 IP 192.168.3.2.ssh > 192.168.3.50.58396: Flags [P.], seq 64:160, ack 1, win 338, length 96
19:49:15.104000 IP 192.168.3.2.ssh > 192.168.3.50.58396: Flags [P.], seq 160:240, ack 1, win 338, length 80
19:49:15.104133 IP 192.168.3.2.ssh > 192.168.3.50.58396: Flags [P.], seq 240:320, ack 1, win 338, length 80
...

9、只捕获TCP数据包

要基于TCP端口捕获数据包，运行以下带tcp的命令：

[root@localhost blctrl]# tcpdump -nc2 -i eth0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:53:21.173635 IP 192.168.3.2.ssh > 192.168.3.50.58913: Flags [P.], seq 4053253630:4053253678, ack 2296591871, win 302, length 48
19:53:21.174011 IP 192.168.3.2.ssh > 192.168.3.50.58913: Flags [P.], seq 48:144, ack 1, win 302, length 96
2 packets captured
2 packets received by filter
0 packets dropped by kernel

10、从指定端口捕获数据包

捕获指定指定端口6000的数据包，通过指定端口号6000执行以下命令：

[root@localhost blctrl]# tcpdump -n -i br0 port 6000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:07:28.649930 IP 192.168.3.2.x11 > 192.168.3.3.51206: Flags [P.], seq 3742423595:3742423601, ack 1530954122, win 227, options [nop,nop,TS val 270872647 ecr 7834516], length 6
11:07:28.650220 IP 192.168.3.3.51206 > 192.168.3.2.x11: Flags [.], ack 6, win 229, options [nop,nop,TS val 7888785 ecr 270872647], length 0

11、捕获来自源IP的数据包

要捕获来自源IP的数据包，你想要捕获192.168.3.2来自的数据包，使用以下命令：

root@localhost blctrl]# tcpdump -n -i br0 src 192.168.3.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:08:41.297662 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 321101545:321101593, ack 16931179, win 302, length 48
11:08:41.491138 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 48:96, ack 49, win 302, length 48
11:08:41.569769 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 96:144, ack 97, win 302, length 48
11:08:41.753360 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 144:192, ack 145, win 302, length 48
11:08:42.363263 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 192:240, ack 193, win 302, length 48
11:08:42.718541 IP 192.168.3.2.x11 > 192.168.3.3.51206: Flags [P.], seq 3742423601:3742423607, ack 1530954122, win 227, options [nop,nop,TS val 270946716 ecr 7888785], length 6
11:08:42.718598 IP 192.168.3.2.ssh > 192.168.3.50.60752: Flags [P.], seq 240:288, ack 241, win 302, length 48
11:08:46.040279 ARP, Reply 192.168.3.2 is-at 52:54:00:ec:ec:28, length 28
11:08:47.730009 ARP, Request who-has 192.168.3.3 tell 192.168.3.2, length 28
ved by filter
0 packets dropped by kernel

12、捕获来自目标IP的数据包

要捕获来自目标IP的数据包，即捕获去向192.168.3.2的数据包，使用以下命令：

[root@localhost blctrl]# tcpdump -n -i br0 dst 192.168.3.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:10:10.343543 IP 192.168.3.3.51206 > 192.168.3.2.x11: Flags [P.], seq 1530954122:1530954128, ack 3742423607, win 229, options [nop,nop,TS val 8050478 ecr 270946716], length 6
11:10:10.386112 IP 192.168.3.50.60752 > 192.168.3.2.ssh: Flags [.], ack 321101881, win 507, length 0
11:10:15.044240 ARP, Request who-has 192.168.3.2 (52:54:00:ec:ec:28) tell 192.168.3.50, length 48
11:10:15.353141 ARP, Request who-has 192.168.3.2 tell 192.168.3.3, length 28