Packet capture with tcpdump and Wireshark
1 Background
A while back I spent a long time chasing a production issue: the application accepts POST requests, and parameters from the request body were arriving incomplete, with some of them missing. The problem was intermittent, showing up in roughly 5%-10% of requests, which is already a very high rate. While tracking it down I used tcpdump and Wireshark to capture and analyse the traffic. The two tools work together very well: with this combination nothing that crosses the network can hide.
To get better and more fluent at using both tools I put together this article, in the hope that it is useful to others as well and adds a tool to their troubleshooting kit.
2 Introduction to tcpdump and Wireshark
When debugging network problems, tcpdump is an indispensable tool. Like most good tools on Linux it is simple and powerful: a command-line packet sniffer for Unix-like systems that captures the packets flowing through a network interface.
By default tcpdump does not capture traffic that stays inside the host, because it listens on the first non-loopback interface; local traffic goes over the loopback interface and you have to select it explicitly (tcpdump -i lo on Linux, -i lo0 on macOS). It is still real network traffic: according to the protocol stack, a packet whose destination is the local host still passes through the host's network layer, so local communication enters the kernel through the socket API and goes through routing like everything else. A local TCP connection, for example, still needs the basic elements of socket communication: source IP and port, destination IP and port.
To capture packets addressed to other hosts' MAC addresses with tcpdump, the interface must be in promiscuous mode. Put simply, promiscuous mode makes the NIC hand over every frame that passes it, whether or not the frame was sent to it or by it. On a switched network this only gives you what the switch forwards to your port (broadcast, multicast and your own traffic); seeing other hosts' unicast traffic additionally needs a mirror/SPAN port or a tap. Unix systems normally do not let ordinary users enable promiscuous mode, because it exposes other people's data, for example telnet usernames and passwords, which is a security problem; only root (on Linux, a process with CAP_NET_RAW and CAP_NET_ADMIN) can do it. tcpdump enables promiscuous mode on the interface itself unless you pass -p; to set it by hand, the command is ifconfig en0 promisc, where en0 is the interface (on Linux, ip link set eth0 promisc on).
How capture works on Linux:
On Linux, capture works by registering a virtual low-level network protocol that is given a say in handling every packet from a network device (this is the packet socket, AF_PACKET, that libpcap uses underneath). When the NIC receives a frame, the kernel walks all registered protocol handlers, such as the IP or X.25 modules, and offers each one a chance to process it, much as mounting a filesystem tries every registered filesystem driver until one claims the image. When the capture module registers itself as such a protocol, the system gives this pseudo-protocol its turn at every received frame; the module takes the opportunity to peek at the packet, copying it in full and handing the copy to the capture program as if it were its own, while the original continues up the stack unchanged.
Wireshark is a network protocol analyser that runs on Windows, Unix and macOS. It is generally only used where a graphical interface is available; on a Linux server you normally use tcpdump directly, since it ships with most distributions, and then open the capture file in Wireshark for analysis.
On Windows, Wireshark captures through WinPcap (Npcap in current versions); on macOS and Linux it uses libpcap, the same library tcpdump is built on. It is well packaged and convenient, and makes it easy to set up capture filters and display filters. Wireshark is free software, available from wireshark.org.
In short: tcpdump is the convenient tool for capturing data, and Wireshark is the convenient tool for analysing what was captured.
3 Using tcpdump
3.1 Synopsis
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,… ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]
3.2 Options
-A: print each packet (minus its link-layer header) in ASCII; handy when looking at web traffic;
-a: (historical; not present in current tcpdump) convert network and broadcast addresses to names;
-c <count>: exit after receiving the given number of packets;
-C <file_size>: before writing a packet to the -w file, check whether the file would exceed this size (in millions of bytes); if so, start a new file with a numeric suffix (1, 2, 3, ...) appended to the name;
-d: dump the compiled packet-matching code in a human-readable, assembler-like form and exit;
-dd: dump the packet-matching code as a C program fragment;
-ddd: dump the packet-matching code as decimal numbers;
-D: list the numbered network interfaces on the host, for use with -i;
-e: print the link-layer header on each output line;
-f: print foreign IPv4 addresses numerically rather than symbolically;
-F <file>: read the filter expression from the file, ignoring any expression given on the command line;
-i <interface>: listen on that interface; if none is given, tcpdump picks the lowest-numbered configured interface that is up, excluding loopback (the numbering is the one shown by -D); on Linux 2.2 and later, any captures on all interfaces;
-l: make stdout line-buffered, so output appears immediately when it is piped into another program or written to a file you are watching (e.g. tcpdump -l | tee dat);
-n: do not resolve addresses and ports to names;
-N: do not print the domain-name part of host names;
-O: do not run the packet-matching code optimizer;
-p: do not put the interface into promiscuous mode;
-q: quick (quiet) output: print less protocol information;
-r <file>: read packets from a file (normally one created with -w);
-s <snaplen>: capture at most snaplen bytes of each packet. Before tcpdump 4.0 the default was 68 bytes, which keeps the headers but cuts off the payload, so capturing whole packets required -s 0 (meaning "the full packet"), usually together with -A; modern versions default to 262144 bytes and -s 0 has the same effect. A snaplen smaller than the packet (an Ethernet frame at the usual 1500-byte MTU is 1514 bytes) silently drops the rest of that packet, so a too-small value loses data;
-S: print absolute rather than relative TCP sequence numbers;
-t: do not print a timestamp on each line;
-tt: print an unformatted timestamp (seconds since the epoch) on each line;
-T <type>: interpret the packets selected by the expression as the given type, e.g. rpc (Remote Procedure Call) or snmp (Simple Network Management Protocol);
-v: slightly more verbose output, e.g. TTL and type-of-service for IP packets;
-vv: even more verbose packet output;
-x/-xx/-X/-XX: print packet contents in hex (-X adds an ASCII column; the -xx/-XX variants include the link-layer header); see the man page for the exact differences;
-w <file>: write the raw packets to the file instead of parsing and printing them;
expression: the logical expression used to select packets;
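As an added illustration (not code from the original post), here is a minimal reader for the pcap files that -w produces and -r reads back, which makes the -s caveat concrete: each record stores both the number of bytes that were on the wire and the number actually kept, so a snaplen that is too small shows up as records whose stored length is shorter than their original length. The sample frames (zero-filled stand-ins for a minimum-size and a full-MTU Ethernet frame), the synthetic timestamps and the two snaplen values are constructed for this example; the writer imitates what tcpdump -w -s <snaplen> would produce.

```python
import struct
from typing import List, NamedTuple, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
HEADER_FMT = "IHHiIII"       # magic, ver major, ver minor, tz offset, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"          # ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)


class Record(NamedTuple):
    ts: float
    incl_len: int
    orig_len: int
    data: bytes

    @property
    def truncated(self) -> bool:
        """True when the snaplen cut the packet short: fewer bytes stored than were on the wire."""
        return self.incl_len < self.orig_len


def write_pcap(snaplen: int, frames: List[bytes]) -> bytes:
    """Serialise frames the way `tcpdump -w file -s <snaplen>` would: store at most snaplen
    bytes of each frame but record the true length. Timestamps are synthetic (example data)."""
    out = struct.pack("<" + HEADER_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        out += struct.pack("<" + RECORD_FMT, 1_700_000_000 + i, 0, len(stored), len(frame))
        out += stored
    return out


def read_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap blob (what `tcpdump -r` reads). Returns (snaplen, records).
    Handles both byte orders by looking at the magic number, as libpcap does."""
    if len(blob) < 24:
        raise ValueError("not a pcap file: header too short")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    _magic, _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack(endian + HEADER_FMT, blob[:24])
    records: List[Record] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"record header cut off at byte {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + RECORD_FMT, blob[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(blob):
            raise ValueError(f"corrupt record at byte {off - 16}")
        records.append(Record(ts_sec + ts_usec / 1e6, incl_len, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def truncated_records(blob: bytes) -> List[Tuple[int, int, int]]:
    """Index, stored length and wire length of every record the snaplen truncated."""
    _snaplen, records = read_pcap(blob)
    return [(i, r.incl_len, r.orig_len) for i, r in enumerate(records) if r.truncated]


# Constructed sample: a minimum-size frame and a full-MTU frame (zero-filled stand-ins)
SAMPLE_FRAMES = [bytes(60), bytes(1514)]
OLD_DEFAULT_SNAPLEN = 68        # pre-4.0 tcpdump default
MODERN_SNAPLEN = 262144         # what `-s 0` means in current versions

if __name__ == "__main__":
    for snaplen in (OLD_DEFAULT_SNAPLEN, MODERN_SNAPLEN):
        blob = write_pcap(snaplen, SAMPLE_FRAMES)
        print(f"snaplen {snaplen}: truncated records {truncated_records(blob)}")
```

With the old 68-byte snaplen the 1514-byte frame comes back as a record with incl_len 68 and orig_len 1514, which is exactly the data loss the -s option description warns about; with 262144 nothing is truncated. The same check run over a real -w file tells you whether a capture is usable for payload analysis before you open it in Wireshark.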
3.3 Commands in practice
Start tcpdump with no arguments to capture every packet on the first network interface:
tcpdump
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
11:00:19.788139 IP 10.37.63.3.50809 > 10.37.253.32.socks: Flags [.], ack 151417909, win 4096, length 0
11:00:19.790267 IP 10.37.253.32.socks > 10.37.63.3.50809: Flags [.], ack 1, win 560, options [nop,nop,TS val 1323324836 ecr 501713973], length 0
11:00:19.851362 IP 10.37.63.53.57443 > 239.255.255.250.ssdp: UDP, length 133
11:00:19.851367 IP 10.37.63.107.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:00:19.851369 IP 10.37.63.138.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:00:20.060087 IP 10.37.63.71.54616 > 239.255.255.250.ssdp: UDP, length 133
tcpdump -i en0
If no interface is given, tcpdump only watches the first network interface (typically eth0 on Linux, en0 on macOS; the transcript above shows that this macOS build picked the pktap pseudo-interface). The examples below pass -i en0 wherever the interface matters.
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:04:31.780759 IP 10.37.63.100.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump host 10.37.63.255
Packets whose source or destination is 10.37.63.255 (here the subnet broadcast address):
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump host 10.37.63.255
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
11:07:23.807683 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:23.913143 IP 10.37.63.95.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:24.538785 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:24.643311 IP 10.37.63.95.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:24.747672 IP 10.37.63.87.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
11:07:25.374527 IP 10.37.63.95.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:26.209995 IP 10.37.63.86.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:07:26.210530 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump 'host 10.37.63.255 and (10.37.63.61 or 10.37.63.95)'
Packets between 10.37.63.255 and either 10.37.63.61 or 10.37.63.95; the addresses inside the parentheses inherit the host qualifier. Quote the expression: unquoted parentheses are interpreted by the shell, not by tcpdump.
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump host 10.37.63.255 and (10.37.63.61 or 10.37.63.95 )
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
11:10:38.395320 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:39.234047 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:39.962286 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:48.422443 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:49.153630 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:49.894146 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:10:52.600297 IP 10.37.63.61.netbios-ns > 10.37.63.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump -n host 10.37.63.255 and ! 10.37.63.61
The same, but excluding 10.37.63.61 (! is equivalent to not), with -n so addresses and ports are printed numerically (137 instead of netbios-ns):
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -n host 10.37.63.255 and ! 10.37.63.61
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
15:54:33.921068 IP 10.37.63.86.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:34.025490 IP 10.37.63.86.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:34.025492 IP 10.37.63.86.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:34.338753 IP 10.37.63.56.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:35.174516 IP 10.37.63.88.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:35.204268 IP 10.37.63.56.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:54:35.592199 IP 10.37.63.135.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump -n ip host 10.37.63.255 and ! 10.37.63.61
Adding the ip qualifier restricts the capture to IPv4. Put options such as -n before the filter expression; whether an option placed after the expression is still recognised depends on the platform's getopt implementation.
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump ip -n host 10.37.63.255 and ! 10.37.63.61
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
16:02:48.168264 IP 10.37.63.107.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.272626 IP 10.37.63.28.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586137 IP 10.37.63.75.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586140 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586201 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.586202 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:48.690751 IP 10.37.63.103.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.004792 IP 10.37.63.28.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.212622 IP 10.37.63.88.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.317969 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.317972 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:02:49.318301 IP 10.37.63.48.137 > 10.37.63.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
tcpdump -i en0 src host 10.37.63.3 (note the direction: only packets sent by 10.37.63.3)
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 src host 10.37.63.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:08:05.698674 IP 10.37.63.3.51503 > 101.201.169.146.https: Flags [.], ack 3067697680, win 4096, length 0
16:08:06.225543 IP 10.37.63.3.56531 > 10.37.253.51.domain: 49330+ PTR? 3.63.37.10.in-addr.arpa. (41)
16:08:06.228851 IP 10.37.63.3.56781 > 10.37.253.51.domain: 9247+ PTR? 146.169.201.101.in-addr.arpa. (46)
16:08:07.247441 IP 10.37.63.3.53716 > 10.37.253.51.domain: 60009+ PTR? 51.253.37.10.in-addr.arpa. (43)
16:08:08.198285 IP 10.37.63.3.newoak > 123.151.13.85.irdmi: UDP, length 47
16:08:08.254488 IP 10.37.63.3.51134 > 10.37.253.51.domain: 52763+ PTR? 85.13.151.123.in-addr.arpa. (44)
16:08:08.917142 IP 10.37.63.3.51815 > 106.11.4.88.https: Flags [P.], seq 341932595:341932930, ack 4196579612, win 65535, length 335
16:08:08.918050 IP 10.37.63.3.51815 > 106.11.4.88.https: Flags [P.], seq 335:804, ack 1, win 65535, length 469
16:08:08.984637 IP 10.37.63.3.51815 > 106.11.4.88.https: Flags [.], ack 292, win 65535, length 0
tcpdump -i en0 dst host 10.37.63.3 (note the direction: only packets sent to 10.37.63.3)
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 dst host 10.37.63.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:10:00.120346 IP 123.151.13.85.irdmi > 10.37.63.3.newoak: UDP, length 47
16:10:00.447742 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [.], ack 3563461726, win 62712, length 0
16:10:00.449252 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [P.], seq 0:291, ack 1, win 62712, length 291
16:10:00.590941 IP 10.37.253.51.domain > 10.37.63.3.62089: 38134 NXDomain 0/1/0 (101)
16:10:00.593145 IP 10.37.253.51.domain > 10.37.63.3.56987: 19136 NXDomain* 0/0/0 (41)
16:10:01.598164 IP 10.37.253.51.domain > 10.37.63.3.63380: 43688 NXDomain* 0/0/0 (43)
16:10:03.194440 IP 123.151.13.85.irdmi > 10.37.63.3.newoak: UDP, length 79
16:10:03.880803 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [.], ack 806, win 63784, length 0
16:10:03.883452 IP 106.11.4.88.https > 10.37.63.3.51840: Flags [P.], seq 291:582, ack 806, win 63784, length 291
16:10:04.051402 IP dns15.online.tj.cn.irdmi > 10.37.63.3.terabase: UDP, length 87
tcpdump -i en0 host 10.37.63.3 and tcp port 80 (TCP traffic to or from port 80 involving 10.37.63.3, in both directions)
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 host 10.37.63.3 and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:13:34.869399 IP 10.37.63.3.51843 > cncln.online.ln.cn.http: Flags [.], ack 3148173637, win 8192, length 0
16:13:34.890175 IP cncln.online.ln.cn.http > 10.37.63.3.51843: Flags [.], ack 1, win 31, length 0
16:13:49.497784 IP 10.37.63.3.51845 > 27.221.81.19.http: Flags [.], ack 3932049450, win 4096, length 0
16:13:49.497786 IP 10.37.63.3.51844 > 27.221.81.19.http: Flags [.], ack 3635221024, win 4096, length 0
16:13:49.513952 IP 27.221.81.19.http > 10.37.63.3.51845: Flags [.], ack 1, win 122, options [nop,nop,TS val 4035158002 ecr 876369829], length 0
16:13:49.518587 IP 27.221.81.19.http > 10.37.63.3.51844: Flags [.], ack 1, win 122, options [nop,nop,TS val 4035158002 ecr 876369829], length 0
tcpdump -i en0 host 10.37.63.3 and dst port 80 (only the packets going towards port 80, i.e. the requests)
Console output:
taomingkais-MacBook-Pro:~ TaoBangren$ sudo tcpdump -i en0 host 10.37.63.3 and dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:19:36.187617 IP 10.37.63.3.51901 > 180.149.132.47.http: Flags [P.], seq 219000907:219001688, ack 4212585623, win 8192, length 781: HTTP: GET / HTTP/1.1
16:19:36.194163 IP 10.37.63.3.51901 > 180.149.132.47.http: Flags [.], ack 292, win 8182, length 0
16:19:36.194292 IP 10.37.63.3.51901 > 180.149.132.47.http: Flags [.], ack 453, win 8186, length 0
Port filters
tcpdump -i en0 port 25
Source port:
tcpdump -i en0 src port 25
Destination port:
tcpdump -i en0 dst port 25
Network filters
Capture all packets on en0 to or from the 192.168 network:
tcpdump -i en0 net 192.168
tcpdump -i en0 src net 192.168
tcpdump -i en0 dst net 192.168
tcpdump -i en0 net 192.168.1
tcpdump -i en0 net 192.168.1.0/24
Protocol filters
tcpdump -i en0 arp
tcpdump -i en0 ip
tcpdump -i en0 tcp
tcpdump -i en0 udp
tcpdump -i en0 icmp
Combined filters
TCP traffic on port 80 whose destination is 192.168.1.254 or 192.168.1.200:
tcpdump -i en0 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
All ICMP on en0 whose destination MAC address is 00:01:02:03:04:05:
tcpdump -i en0 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
All TCP on en0 whose destination network is 192.168 but whose destination host is not 192.168.1.200:
tcpdump -i en0 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
TCP flag and payload filters
Only pure SYN packets (SYN set and every other flag clear, i.e. connection attempts, not SYN-ACK replies):
tcpdump -i en0 'tcp[tcpflags] = tcp-syn'
Packets with both SYN and ACK set:
tcpdump -i en0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'
SMTP data: packets whose payload begins with "MAIL" (0x4d41494c in hex):
tcpdump -i en0 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'
HTTP GET requests: "GET " in hex is 0x47455420:
tcpdump -i en0 'tcp[(tcp[12]>>2):4] = 0x47455420'
Here tcp[12] is the byte that carries the data offset (upper nibble, in 32-bit words); shifting it right by 2 gives the TCP header length in bytes, so tcp[(tcp[12]>>2):4] is the first four payload bytes regardless of which options the header carries. Strictly speaking tcp[12]>>2 also includes the reserved low nibble, which is normally zero; ((tcp[12]&0xf0)>>2) is the exact form.
A cruder variant compares two bytes at fixed offset 20: 0x4745 is "GE", the first two letters of "GET", and 0x4854 is "HT", the first two letters of "HTTP":
tcpdump -XvvennSs 0 -i en0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
This assumes a 20-byte TCP header with no options; as soon as options are present (timestamps are near-universal today), offset 20 lands inside the options and the match fails, so prefer the data-offset form above. The options -XvvennSs 0 mean: hex and ASCII dump, very verbose, link-layer headers, no name or port resolution, absolute sequence numbers, full snaplen.
SSH server banners: "SSH-" in hex is 0x5353482D:
tcpdump -i en0 'tcp[(tcp[12]>>2):4] = 0x5353482D'
Banners from older SSH servers, such as "SSH-1.99.." (0x312E is the "1." that follows "SSH-"):
tcpdump -i en0 '(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2] = 0x312E)'
Advanced header filters
As the previous examples show, you can filter on arbitrary header bytes. The syntax is:
proto[x:y] : the y bytes starting at byte offset x of the proto header (offsets count from 0). For example ip[2:2] selects bytes 2 and 3 of the IP header, the total-length field
proto[x:y] & z = 0 : the bitwise AND of proto[x:y] and z is zero
proto[x:y] & z != 0 : the bitwise AND of proto[x:y] and z is non-zero
proto[x:y] & z = z : the bitwise AND equals z, i.e. every bit of z is set
proto[x:y] = z : proto[x:y] equals z
TCP packets whose source port is greater than 1024 (tcp[0:2] is the source port; use tcp[2:2] for the destination port):
tcpdump -i en0 'tcp[0:2] > 1024'
DNS queries:
tcpdump -i en0 udp dst port 53
Other
The -c option is also widely used in operations work: on a server with heavy traffic, stopping by hand with Ctrl+C still captures far too much, so -c limits the capture to a given number of packets.
time tcpdump -nn -i en0 -c 10000 'tcp[tcpflags] = tcp-syn' > /dev/null
This measures how long it takes to capture 10000 SYN packets, which gives a rough idea of the rate of incoming connections (tcpdump's own summary lines go to stderr, so they still appear despite the redirect).
Capture GET requests on port 8000 in real time and write them to GET.log:
tcpdump -i en0 -nnAl -w /tmp/GET. '((port 8000) and (tcp[(tcp[12]>>2):4]=0x47455420))'
Note that -w writes raw pcap, not text: -A has no effect once -w is given, and the file has to be read back with tcpdump -r or opened in Wireshark. For a readable text log, drop -w and redirect stdout instead: tcpdump -i en0 -nnAl '...' > /tmp/GET.log.
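The following Python, added here as an illustration rather than taken from the original post, performs the same byte-offset arithmetic as the tcp[(tcp[12]>>2):4], tcp[tcpflags] and tcp[0:2] filters above on raw Ethernet frames, so you can see why the data-offset form works and why the fixed tcp[20:2] shortcut breaks once the TCP header carries options. The frames (a GET without options, a GET with a 12-byte NOP/NOP/timestamp option block, a SYN with an MSS option and a SYN-ACK) are constructed inline for the example; the addresses and ports reuse the ones from the transcripts above, and the checksums are left at zero because a capture filter never inspects them.

```python
import struct
from typing import Optional

# TCP flag bits, as in tcpdump's tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_segment(frame: bytes) -> Optional[bytes]:
    """Return the TCP header plus payload of an Ethernet/IPv4 frame, or None if the frame
    is not IPv4/TCP. Offsets into the returned bytes are exactly those the filter syntax
    tcp[x:y] uses, because both count from the first byte of the TCP header."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                               # IHL nibble, in 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]            # ip[2:2] in filter syntax
    if ip[9] != 6 or total_len > len(ip):                  # protocol 6 = TCP
        return None
    return ip[ihl:total_len]


def tcp_header_len(tcp: bytes) -> int:
    """Header length in bytes from the data-offset nibble of byte 12. The filter form
    tcp[12]>>2 gives the same value as long as the reserved low bits are zero; masking
    with 0xf0 first makes the result exact."""
    return (tcp[12] & 0xF0) >> 2


def tcp_flags(tcp: bytes) -> int:
    return tcp[13]                                          # tcp[tcpflags]


def tcp_src_port(tcp: bytes) -> int:
    return struct.unpack("!H", tcp[0:2])[0]                 # tcp[0:2]


def payload_starts_with(frame: bytes, prefix: bytes) -> bool:
    """Equivalent of tcp[(tcp[12]>>2):4] = 0x47455420 for prefix b"GET ": index the
    payload relative to the real header length, so TCP options do not matter."""
    tcp = tcp_segment(frame)
    if tcp is None:
        return False
    off = tcp_header_len(tcp)
    return tcp[off:off + len(prefix)] == prefix


def fixed_offset_starts_with(frame: bytes, prefix: bytes) -> bool:
    """Equivalent of the tcp[20:2]=0x4745 shortcut: assumes a 20-byte header, no options."""
    tcp = tcp_segment(frame)
    return tcp is not None and tcp[20:20 + len(prefix)] == prefix


def is_pure_syn(frame: bytes) -> bool:
    """tcp[tcpflags] = tcp-syn: SYN set and every other flag clear."""
    tcp = tcp_segment(frame)
    return tcp is not None and tcp_flags(tcp) == TCP_SYN


def is_syn_ack(frame: bytes) -> bool:
    """tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0."""
    tcp = tcp_segment(frame)
    return tcp is not None and (tcp_flags(tcp) & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)


def build_frame(payload: bytes, flags: int, options: bytes = b"",
                sport: int = 51901, dport: int = 80) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for the example (checksums left at 0,
    which a capture filter never inspects). Options must be padded to a 4-byte multiple."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4                   # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset << 4, flags, 8192, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 37, 63, 3]), bytes([180, 149, 132, 47]))
    eth = bytes(6) + bytes(6) + b"\x08\x00"                   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


# Constructed sample frames (example data, not captured traffic)
GET_PLAIN = build_frame(b"GET / HTTP/1.1\r\n", TCP_PSH | TCP_ACK)
TS_OPTS = b"\x01\x01\x08\x0a" + bytes(8)                      # NOP, NOP, Timestamp (kind 8, len 10)
GET_WITH_OPTS = build_frame(b"GET / HTTP/1.1\r\n", TCP_PSH | TCP_ACK, options=TS_OPTS)
SYN = build_frame(b"", TCP_SYN, options=b"\x02\x04\x05\xb4")  # MSS 1460
SYN_ACK = build_frame(b"", TCP_SYN | TCP_ACK, sport=80, dport=51901)

if __name__ == "__main__":
    for name, frame in (("GET_PLAIN", GET_PLAIN), ("GET_WITH_OPTS", GET_WITH_OPTS)):
        print(name, "data-offset match:", payload_starts_with(frame, b"GET "),
              "fixed tcp[20:2] match:", fixed_offset_starts_with(frame, b"GE"))
```

Both GET frames match the data-offset version; only the option-free one matches the fixed-offset version, because with a 32-byte header tcp[20:2] reads the two NOP option bytes rather than "GE". The same functions reproduce the flag tests: the SYN frame satisfies is_pure_syn but not is_syn_ack, and the SYN-ACK frame the reverse.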