tcpdump syntax:
tcpdump [options] [Protocol] [Direction] [Host(s)] [Value] [Logical Operations] [Other expression]
Commonly used options:
-i any : Listen on all interfaces just to see if you're seeing any traffic.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c N : Capture only N packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-A : Display captured packets in ASCII.
-w /path/to/some_file : Capture packets and write them to a file.
-r /path/from/some_file : Read packets back from a saved file.
-tttt : Print a full, human-readable date and time stamp on each packet.
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, packets of all protocols are matched.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied (the default is src or dst).
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values (qualifier keywords): net, port, host, portrange.
If no host(s) qualifier is specified, the "host" keyword is used by default.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
(1) AND: "and" or "&&"
(2) OR: "or" or "||"
(3) EXCEPT: "not" or "!"
Normally, starting tcpdump with no arguments monitors every packet passing through the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
Use the -i option to specify the interface tcpdump listens on; this is useful when the machine has more than one network interface.
Use the -c option to specify how many packets to capture.
Use the -w option to write the captured packets to a file.
A To capture all packets received and sent by host 210.27.48.1:
#tcpdump host 210.27.48.1
B To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command: (when using parentheses on the command line, be sure to
#tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)
C To capture the IP packets between host 210.27.48.1 and every host except 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D To capture the telnet packets received or sent by host 210.27.48.1, use the following command:
#tcpdump tcp port 23 host 210.27.48.1
E Monitor UDP port 123 on the local host (123 is the NTP service port):
# tcpdump udp port 123
F The system will only monitor the traffic of the host named hostname. The host name can be the local host or any other machine on the network. The following command reads all data sent by host hostname:
#tcpdump -i eth0 src host hostname
G The following command monitors all packets sent to host hostname:
#tcpdump -i eth0 dst host hostname
H We can also monitor packets passing through a specified gateway:
#tcpdump -i eth0 gateway Gatewayname
I To monitor TCP or UDP packets addressed to a specific port, run the following command:
#tcpdump -i eth0 host hostname and port 80
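An added example (not from the original notes): the Python below parses tcpdump summary lines such as the ones printed above into records and applies the "src or dst" default described under Direction, so the text output of a saved capture can be checked for services like telnet on tcp/23. The helper names and all sample lines except the first, which is the page's own output, are constructed for this example.

```python
import re
from collections import Counter
# Summary-line shape: "HH:MM:SS.usec [IP] src.port > dst.port: details";
# old tcpdump output (as on this page) has no "IP" tag, newer releases add one.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP6?\s+)?"
                     r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
LEN_RE = re.compile(r"(?:length|udp|tcp)\s+(\d+)")
# Constructed sample: line 1 is the page's own output, the other three are made up.
SAMPLE = """\
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
11:58:49.000101 IP 210.27.48.2.40211 > 210.27.48.1.23: Flags [S], seq 1, win 64240, length 0
11:58:49.000202 IP 210.27.48.1.23 > 210.27.48.2.40211: Flags [S.], seq 7, ack 2, win 65160, length 0
""".splitlines()

def split_endpoint(ep):
    """'a.b.c.d.netbios-ns' -> ('a.b.c.d', 'netbios-ns'): the port (or service name, without -nn) follows the last dot."""
    host, _, port = ep.rpartition(".")
    return (host, port) if host else (ep, None)

def parse_line(line):
    """Record for an IP summary line; None for link-layer or hex-dump lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    # Old output names the protocol first ("udp 50"); new TCP lines start with "Flags [".
    proto = "tcp" if rest.startswith("Flags [") else (rest.split() or ["?"])[0].rstrip(",").lower()
    n = LEN_RE.search(rest)
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "length": int(n.group(1)) if n else None}

def matches(rec, host=None, port=None, proto=None, direction="src or dst"):
    """Page's default semantics: 'host X' with no direction means 'src or dst host X'; same for port."""
    def side(value, s, d):
        hit_s, hit_d = s == value, d == value
        return {"src": hit_s, "dst": hit_d, "src and dst": hit_s and hit_d,
                "src or dst": hit_s or hit_d}[direction]
    if proto and rec["proto"] != proto:
        return False
    if host and not side(host, rec["src"], rec["dst"]):
        return False
    return not port or side(port, rec["sport"], rec["dport"])

def count_by_dst_port(lines):
    """Packets per (proto, dst port): shows which services (e.g. cleartext telnet, tcp/23) are in use."""
    return Counter((r["proto"], r["dport"]) for r in map(parse_line, lines) if r)
```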