When capturing with tcpdump, if the -i option names a specific network interface, the link layer of the captured packets is an Ethernet header; if -i any is given, the Ethernet header is replaced by a Linux cooked capture (SLL) header:
# tcpdump -i any -w linux_sll.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
# tcpdump -i eth1 -w enet.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
tcpdump lets you choose the data link type with the -y option, but testing shows that when -i is set to any, Ethernet is not accepted as the data link type for the captured packets:
# tcpdump -i any -w test.pcap -y EN10MB
tcpdump: EN10MB is not one of the DLTs supported by this device
# tcpdump -i eth1 -w test.pcap -y EN10MB
tcpdump: data link type EN10MB
#
So when you need to convert a capture in Linux cooked capture format to Ethernet format, there are a few ways to do it:
1. Write code that reads each packet and writes it back out to a new file (using libpcap, or working directly from the offsets of the pcap header structures);
2. With tcpreplay 3.0+ (tcprewrite is part of that suite), rewrite the file directly with tcprewrite; this should be the quickest method:
DLT Plugins
As of 3.0, tcprewrite uses plugins to support different DLT/Layer 2 types. This not only makes the code easier to maintain, but also helps make things clearer for users regarding what is and isn't supported. Each plugin may support reading and/or writing packets. By default, the plugin used to read packets is also used for output, but you can override the output plugin using the --dlt option. Changing the DLT plugin allows you to convert the packets from one DLT/Layer 2 type to another type. This allows you for example to capture traffic on say an Ethernet interface and replay over Cisco HDLC or capture on a BSD Loopback interface and replay over Ethernet.

Plugins supported in output mode:
Ethernet (enet)
Cisco HDLC (hdlc)
User defined Layer 2 (user)

Plugins supported in input mode:
Ethernet
Cisco HDLC
Linux SLL
BSD Loopback
BSD Null
Raw IP
802.11
Juniper Ethernet (version >= 4.0)

Hence, if you have a pcap in one of the supported input DLT types, you can convert it to one of the supported output DLT types by using the --dlt=<output> option. Depending on the input DLT you may need to provide additional DLT plugin flags.
The tcprewrite conversion looks like this:
# tcpdump -r linux_sll.pcap
reading from file linux_sll.pcap, link-type LINUX_SLL (Linux cooked)
# tcprewrite --dlt=enet --infile=linux_sll.pcap --outfile=enet.pcap
# tcpdump -r enet.pcap
reading from file enet.pcap, link-type EN10MB (Ethernet)
#
The only slight problem is that the Destination MAC of the converted packets is empty; take note if you depend on that field.
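The "write code" route from option 1 above, as an added example that is not from the original post: a pure-Python rewrite of a LINUX_SLL pcap (such as one written by tcpdump -i any -w) to EN10MB, built directly on the pcap and SLL header layouts rather than on libpcap. It also shows why the destination MAC comes out empty: the SLL header carries only one address. The sample capture is constructed in build_sample_sll_pcap; the function names are this example's own.

```python
import struct

# Link-layer type codes from http://www.tcpdump.org/linktypes.html
DLT_EN10MB = 1        # Ethernet
DLT_LINUX_SLL = 113   # Linux cooked capture, what "tcpdump -i any" writes
PCAP_MAGIC = 0xA1B2C3D4
SLL_HDR_LEN = 16      # pkt type(2) + ARPHRD type(2) + addr len(2) + addr(8) + protocol(2)
ETH_HDR_LEN = 14      # dst MAC(6) + src MAC(6) + EtherType(2)

def sll_to_ethernet(frame: bytes) -> bytes:
    """Rewrite one LINUX_SLL frame as an Ethernet frame.

    SLL stores a single link-layer address (the sender's), so there is nothing
    to put in the Ethernet destination field: it is zero-filled, which is the
    empty Destination MAC seen after tcprewrite --dlt=enet.
    """
    if len(frame) < SLL_HDR_LEN:
        raise ValueError("truncated SLL header")
    _pkt_type, _arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", frame[:SLL_HDR_LEN])
    src_mac = addr[:6] if addr_len == 6 else b"\x00" * 6   # non-Ethernet devices carry no MAC
    return b"\x00" * 6 + src_mac + struct.pack("!H", proto) + frame[SLL_HDR_LEN:]

def convert_pcap(data: bytes) -> bytes:
    """Convert a LINUX_SLL pcap (whole file as bytes) to an EN10MB pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        e = "<"                                   # little-endian file
    elif magic == 0xD4C3B2A1:
        e = ">"                                   # big-endian file
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    vmaj, vmin, zone, sigfigs, snaplen, network = struct.unpack(e + "HHiIII", data[4:24])
    if network != DLT_LINUX_SLL:
        raise ValueError("input link type is %d, expected LINUX_SLL (113)" % network)
    out = bytearray(struct.pack(e + "IHHiIII", PCAP_MAGIC, vmaj, vmin, zone, sigfigs,
                                snaplen, DLT_EN10MB))
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        eth = sll_to_ethernet(data[off:off + incl_len])
        off += incl_len
        # The header shrinks from 16 to 14 bytes; keep both length fields consistent.
        out += struct.pack(e + "IIII", ts_sec, ts_usec, len(eth),
                           orig_len - (SLL_HDR_LEN - ETH_HDR_LEN))
        out += eth
    return bytes(out)

def link_type(data: bytes) -> int:
    """The link-layer type field of a pcap file (what "tcpdump -r" reports)."""
    e = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    return struct.unpack(e + "I", data[20:24])[0]

def first_frame(data: bytes) -> bytes:
    """Frame bytes of the first packet record (little-endian files, used for checks)."""
    incl_len = struct.unpack("<I", data[32:36])[0]
    return data[40:40 + incl_len]

def build_sample_sll_pcap() -> bytes:
    """Constructed sample, not a real capture: a one-packet LINUX_SLL file."""
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("001122334455") + b"\x00\x00", 0x0800)
    ip_stub = bytes.fromhex("45000028000040004006") + b"\x00" * 30   # 40-byte IPv4+TCP stub
    frame = sll + ip_stub
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 96, DLT_LINUX_SLL)
    rec = struct.pack("<IIII", 1563000000, 0, len(frame), len(frame))
    return hdr + rec + frame

if __name__ == "__main__":
    sample = build_sample_sll_pcap()
    converted = convert_pcap(sample)
    print("link type %d -> %d, file %d -> %d bytes"
          % (link_type(sample), link_type(converted), len(sample), len(converted)))
```

Run it on a real file with convert_pcap(open("linux_sll.pcap", "rb").read()) and tcpdump -r on the result reports link-type EN10MB, with the destination MAC all zeros exactly as observed above.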
Useful references:
https://wiki.wireshark.org/SLL
http://www.tcpdump.org/linktypes.html
http://tcpreplay.synfin.net/wiki/tcprewrite
Other tips:
# tip: strip VLAN tags
# tcprewrite --enet-vlan=del --infile=enet.pcap --outfile=output.pcap
tcpdump is a command-line utility that lets you capture and analyze the packets passing through your system. It is commonly used both as a network troubleshooting tool and as a security tool.
tcpdump is a powerful tool with many options and filter rules, so it fits a wide range of scenarios. Because it is a command-line tool, it is well suited to collecting packets on remote servers or on devices without a graphical interface, for analysis later. It can be started in the background, or scheduled with a tool such as cron.
In this article we will look at some of the most commonly used tcpdump features.
1. Installing tcpdump on Linux
tcpdump is available on most Linux distributions, so it may well already be installed on your system. Check with the following command:
$ which tcpdump
/usr/sbin/tcpdump
If tcpdump is not installed yet, install it with your package manager. For example, on CentOS or Red Hat Enterprise Linux:
$ sudo yum install -y tcpdump
tcpdump depends on libpcap, the library used to capture network packets. If that library is not installed either, it is pulled in automatically as a dependency.
Now you are ready to capture packets.
2. Capturing packets with tcpdump
Capturing packets with tcpdump requires administrator privileges, so most of the commands in the examples below start with sudo.
First, list the interfaces available for capture with tcpdump -D:
$ sudo tcpdump -D
1.eth0
2.virbr0
3.eth1
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]
The output above lists every interface on my machine that can be captured on. The special interface any captures packets from all active interfaces.
Let's start by capturing on the any interface:
$ sudo tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196
09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0
09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)
09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)
09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)
09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)
09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)
09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388
09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0
09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)
09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)
09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)
09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060
---- SKIPPING LONG OUTPUT -----
09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0
^C
9003 packets captured
9010 packets received by filter
7 packets dropped by kernel
$
tcpdump keeps capturing until it receives an interrupt signal; press Ctrl+C to stop it. As the example above shows, tcpdump captured more than 9000 packets. In this case I was connected to the server over ssh, so tcpdump captured all of that traffic as well. The -c option limits the number of packets tcpdump captures:
$ sudo tcpdump -i any -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196
11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0
11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)
11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)
11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)
5 packets captured
12 packets received by filter
0 packets dropped by kernel
$
As shown, tcpdump stopped on its own after capturing 5 packets. This is useful in some situations, for example when you only need a handful of packets for analysis. It becomes especially handy once filters (shown below) are used to capture specific packets.
In the examples above, tcpdump resolves IP addresses and port numbers to hostnames and service names by default. When troubleshooting a network it is usually easier to work with the raw IP addresses and port numbers; use -n to show IP addresses and -nn to show port numbers as well:
$ sudo tcpdump -i any -c5 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196
23:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372
23:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340
5 packets captured
6 packets received by filter
0 packets dropped by kernel
As shown, the captured packets now display IP addresses and port numbers. This also stops tcpdump from issuing DNS lookups, which helps keep extra traffic down while troubleshooting.
Now that you can capture packets, let's look at what the output means.
3. Understanding the captured packets
tcpdump can capture and decode many protocol types, such as TCP, UDP, ICMP and so on. We cannot cover every packet type here, but walking through a TCP packet should get you started. See the tcpdump man page for a fuller reference. A TCP packet captured by tcpdump looks like this:
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
The exact fields vary with the packet type, but this example shows the general format.
The first field, 08:41:13.729687, is the local system timestamp at which the packet was captured.
Next, IP is the network-layer protocol, here IPv4; for IPv6 this field reads IP6.
192.168.64.28.22 is the source IP address and port, followed by the destination IP address and port, here 192.168.64.1.41916.
After the source and destination comes the TCP flags field, Flags [P.]. Its typical values are:
Value   Flag type   Description
S       SYN         Connection start
F       FIN         Connection finish
P       PUSH        Data push
R       RST         Connection reset
.       ACK         Acknowledgment
This field can also be a combination of these values; for example, [S.] denotes a SYN-ACK packet.
Next comes the sequence number of the data in the packet. For the first packet captured this is an absolute number; subsequent packets use relative numbers so they are easier to follow. Here, seq 196:568 means this packet carries bytes 196 through 568 of the stream.
Next is the ack value: ack 1. This packet is on the sending side of the data, so its ack value is 1. On the receiving side this field is the next byte expected in the stream; for example, the next packet in this stream should carry ack 568.
The next field is the receive window size, win 309, the number of bytes available in the receive buffer, followed by TCP options such as MSS (maximum segment size) or the window scale factor. For a full description of TCP, see Transmission Control Protocol (TCP) Parameters.
Finally, length 372 is the length in bytes of the packet's payload. This is a different quantity from the seq values, which are byte positions within the stream.
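An added example, not part of the original article: a parser for the TCP summary lines explained above, with two checks worth running on your own captures: a "seq a:b" range must span exactly "length" bytes, and b is the ack the peer should send next. The sample lines are copied from the article's own output (the last one is a DNS line, included to show non-TCP lines are skipped); the regex and the TcpRecord type are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Flag letters as listed in the table above.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK"}

# One tcpdump TCP summary line; ports may be numbers (-nn) or service names.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)"
    r"(?:: (?P<app>.*))?$"
)

# Lines copied from the article's own output (the dissected packet, then the host-filter run).
SAMPLE_LINES = [
    "08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372",
    "09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0",
    "09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0",
    "09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0",
    "09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1",
    "09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0",
    "09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)",
]

@dataclass
class TcpRecord:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str
    seq_start: Optional[int]
    seq_end: Optional[int]
    ack: Optional[int]
    win: Optional[int]
    options: str
    length: int
    app: str

def _int(v: Optional[str]) -> Optional[int]: return int(v) if v is not None else None

def parse_line(line: str) -> Optional[TcpRecord]:
    """Parse one TCP summary line; non-TCP lines (DNS, ICMP, ...) yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return TcpRecord(g["ts"], g["src"], g["sport"], g["dst"], g["dport"], g["flags"],
                     _int(g["seq_start"]), _int(g["seq_end"]), _int(g["ack"]), _int(g["win"]),
                     g["options"] or "", int(g["length"]), g["app"] or "")

def parse_all(lines) -> List[TcpRecord]:
    return [r for r in map(parse_line, lines) if r is not None]

def flag_names(flags: str) -> List[str]:
    """Expand the bracketed flag letters, e.g. 'S.' -> ['SYN', 'ACK']."""
    return [FLAG_NAMES.get(c, c) for c in flags]

def payload_consistent(rec: TcpRecord) -> bool:
    """'seq a:b' covers b - a payload bytes, which must equal the printed length."""
    if rec.seq_end is None:
        return rec.length == 0           # no range printed: segment carries no data
    return rec.seq_end - rec.seq_start == rec.length

def expected_next_ack(rec: TcpRecord) -> Optional[int]:
    """The ack the peer should send for a data segment: the byte right after it."""
    return rec.seq_end

if __name__ == "__main__":
    for r in parse_all(SAMPLE_LINES):
        print(r.ts, r.src, r.sport, "->", r.dst, r.dport, flag_names(r.flags),
              "len", r.length, "ok" if payload_consistent(r) else "MISMATCH")
```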
Now let's learn how to filter packets so that problems are easier to analyze and pin down.
4. Filtering packets
As mentioned above, tcpdump captures many kinds of packets, and many of them may have nothing to do with the problem you are chasing. For example, if you are troubleshooting a network problem with a web server connection, you do not care about SSH packets, so filtering SSH traffic out of the capture makes the analysis easier.
tcpdump has many parameters for building packet filters, such as source and destination IP address, port number, protocol, and so on. Here are some of the most common filters.
Protocol
Naming a protocol on the command line filters packets by protocol type. For example, to capture only ICMP packets:
$ sudo tcpdump -i any -c5 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
Then, in another terminal, ping another machine:
$ ping opensource.com
PING opensource.com (54.204.39.132) 56(84) bytes of data.
64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms
Back in the terminal running tcpdump, you can see that it picked out the ICMP packets. tcpdump did not show the DNS packets used to resolve opensource.com:
09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64
09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64
09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64
09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64
09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Host
Use the host parameter to capture only packets related to a specific host:
$ sudo tcpdump -i any -c5 -nn host 54.204.39.132
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0
09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0
09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0
09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1
09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
As shown, only packets related to 54.204.39.132 are captured and displayed.
Port
tcpdump can filter packets by service type or port number. For example, to capture packets related to the HTTP service:
$ sudo tcpdump -i any -c5 -nn port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0
09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0
09:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0
09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1
09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
IP address/hostname
Similarly, you can filter by source or destination IP address or hostname. For example, to capture packets whose source IP is 192.168.122.98:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)
10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)
10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0
10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0
10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Note that this example captured packets from source IP 192.168.122.98 to ports 53 and 80; their replies are not shown, because those packets have a different source IP.
Conversely, use dst to filter by destination IP/hostname:
$ sudo tcpdump -i any -c5 -nn dst 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)
10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)
10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0
10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0
10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Multiple conditions
Naturally, conditions can be combined with the and and or logical operators. For example, to capture HTTP packets from source IP 192.168.122.98:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0
10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0
10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1
10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0
10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
You can also use parentheses to build more complex filters, but quote the filter in the shell so it is not interpreted as a shell expression:
$ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0
10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0
10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0
10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1
10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
In this example we captured only HTTP (port 80) packets whose source IP is 192.168.122.98 or 54.204.39.132. This makes it easy to capture both directions of a conversation.
5. Inspecting packet contents
In the examples above we filtered packets only on header information such as source address, destination address and port number. Sometimes, when analyzing a connection problem, we need to look at the packet contents to determine what is being sent and what is being received. tcpdump offers two options for viewing packet contents: -X prints the packet in hexadecimal, and -A prints its ASCII representation.
For example, the contents of an HTTP request look like this:
$ sudo tcpdump -i any -c10 -nn -A port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0
E..<..@.@.....zb6.'....P...@......r............ ............................
13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0
E..<..@./..a6.'...zb.P..o..&...A..q a.......... .R.W....... ................
13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0
E..4..@.@.....zb6.'....P...Ao..'........... .....R.W................
13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1
E.....@.@..1..zb6.'....P...Ao..'........... .....R.WGET / HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: opensource.com
Connection: Keep-Alive
................
13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0
E..4.F@./.."6.'...zb.P..o..'.......9.2..... .R.a....................
13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found
E....G@./...6.'...zb.P..o..'.......9....... .R.b....HTTP/1.1 302 Found
Server: nginx
Date: Sun, 23 Sep 2018 17:02:14 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 207
X-Content-Type-Options: nosniff
Location: https://opensource.com/
Cache-Control: max-age=1209600
Expires: Sun, 07 Oct 2018 17:02:14 GMT
X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d
X-Varnish: 632951979
Age: 0
Via: 1.1 varnish (Varnish/5.2)
X-Cache: MISS
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://opensource.com/">here</a>.</p>
</body></html>
................
13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0
E..4..@.@.....zb6.'....P....o.............. .....R.b................
13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0
E..4..@.@.....zb6.'....P....o.............. .....R.b................
13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0
E..4.H@./.. 6.'...zb.P..o..........9.I..... .R......................
13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0
E..4..@.@.....zb6.'....P....o.............. .....R..................
10 packets captured
10 packets received by filter
0 packets dropped by kernel
This is useful for troubleshooting plain HTTP API calls. Of course, if the traffic is encrypted, this output is of little use.
6. Saving captured data
tcpdump can save captured packets for later analysis. For example, you can let it capture overnight and analyze the results in the morning. Likewise, when there are many packets the output scrolls by too fast to follow; saving the packets to a file makes the analysis easier.
Use the -w option to save packets to a file instead of printing them on screen:
$ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80
[sudo] password for ricardo:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
This command saves the captured packets to the file webserver.pcap. The pcap suffix indicates that the file is in packet capture format.
As the example shows, nothing about the packets is printed on screen while saving to a file; -c10 tells tcpdump to stop after 10 packets. If you want some feedback that packets are actually being captured, use the -v option.
tcpdump stores packets in a binary file, so you cannot simply open it in a text editor. Use the -r option to read the packets back from the file:
$ tcpdump -nn -r webserver.pcap
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0
13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0
13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0
$
sudo is not needed here, because we are no longer capturing on a network interface.
You can also apply any of the filters discussed above to the file, exactly as with live data. For example, to check the packets in the file that came from source IP 54.204.39.132:
$ tcpdump -nn -r webserver.pcap src 54.204.39.132
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
What's next?
These basics should get you going with the powerful tcpdump capture tool. For more, see the tcpdump website and its man page.
The tcpdump command-line tool offers great flexibility for analyzing network traffic. If you need a graphical tool for capturing packets, see Wireshark.
Wireshark can also read the pcap files saved by tcpdump. You can capture with tcpdump on a remote machine that has no GUI and then analyze the packets in Wireshark.
via: https://opensource.com/article/18/10/introduction-tcpdump
Reposted from: https://www.cnblogs.com/liuhongru/p/11207434.html