tcpdump command

  The tcpdump command captures packets from a network interface.
  Use the -D option to list all available network interfaces:

# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.any (Pseudo-device that captures on all interfaces)
7.lo

  Here any is a pseudo-interface: it captures packets on all network interfaces at once.
  Use -i <interface name> to select a specific interface:

tcpdump -i eth0

  If no interface is given, tcpdump defaults to the first interface listed by tcpdump -D. As the description of any above suggests, the following command captures packets on all interfaces:

tcpdump -i any

  The -v option prints IP and TCP header details:

tcpdump -vi eth0

  The -n option disables resolving host addresses to host names, which avoids DNS lookups during the capture.

tcpdump -ni eth0

  The -nn option additionally disables converting protocol and port numbers to names.

tcpdump -nni eth0

  A protocol can be given as a filter, for example:

[root@localhost ~]# tcpdump -nni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:40:52.698969 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 620, seq 1, length 64
15:40:52.699561 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 620, seq 1, length 64
15:40:53.699115 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 620, seq 2, length 64
15:40:53.699232 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 620, seq 2, length 64
15:40:54.699100 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 620, seq 3, length 64
15:40:54.699316 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 620, seq 3, length 64
15:40:55.699099 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 620, seq 4, length 64
15:40:55.699231 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 620, seq 4, length 64
15:40:56.699096 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 620, seq 5, length 64
15:40:56.703240 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 620, seq 5, length 64
15:40:57.700280 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 620, seq 6, length 64
15:40:57.704408 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 620, seq 6, length 64
15:40:58.702280 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 620, seq 7, length 64
15:40:58.707281 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 620, seq 7, length 64
^C
14 packets captured
16 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

  The command above filters on the ICMP protocol.
  To capture only ARP traffic:

tcpdump -nni eth0 arp

  To capture only ICMP echo requests (the filter expression is quoted so the shell does not treat the brackets as a glob pattern):

tcpdump -nni eth0 'icmp[icmptype] == 8'

  To capture only ICMP echo replies:

tcpdump -nni eth0 'icmp[icmptype] == 0'

  For the ICMP message format, see RFC 792.

  You can also filter on the Identification field of the IP header.
  For the IP packet format, see RFC 791.

  As the IP header layout shows, Identification occupies bytes 4 and 5 (counting from byte 0), so the following command filters packets whose Identification is 24332:

# tcpdump -nni eth0 'ip[4:2] == 24332'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:31:59.700974 IP 192.168.41.21.2223 > 239.1.1.1.2223: UDP, length 128

  To filter by source MAC address:

tcpdump -nni eth0 ether src fa:16:3e:1f:b7:5b

  To filter by destination MAC address:

tcpdump -nni eth0 ether dst fa:16:3e:1f:b7:5b

  The -x option prints the packet headers and data in hexadecimal, without the link-layer header.

[root@localhost ~]# tcpdump -nnxi eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:23:31.092103 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 622, seq 2434, length 64
0x0000: 4500 0054 0000 4000 4001 0e6f 0c00 0a1d
0x0010: 0c00 0a1e 0800 bc65 026e 0982 0314 bb5b
0x0020: 0000 0000 b167 0100 0000 0000 1011 1213
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050: 3435 3637
16:23:31.092309 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 622, seq 2434, length 64
0x0000: 4500 0054 12fc 0000 8001 fb72 0c00 0a1e
0x0010: 0c00 0a1d 0000 c465 026e 0982 0314 bb5b
0x0020: 0000 0000 b167 0100 0000 0000 1011 1213
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050: 3435 3637
^C
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

  To include the link-layer header as well, use -xx:

[root@localhost ~]# tcpdump -nnxxi eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:23:36.092093 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 622, seq 2439, length 64
0x0000: fa16 3e5b 4861 fa16 3e1f b75b 0800 4500
0x0010: 0054 0000 4000 4001 0e6f 0c00 0a1d 0c00
0x0020: 0a1e 0800 bf60 026e 0987 0814 bb5b 0000
0x0030: 0000 a967 0100 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
16:23:36.092235 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 622, seq 2439, length 64
0x0000: fa16 3e1f b75b fa16 3e5b 4861 0800 4500
0x0010: 0054 137f 0000 8001 faef 0c00 0a1e 0c00
0x0020: 0a1d 0000 c760 026e 0987 0814 bb5b 0000
0x0030: 0000 a967 0100 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
^C
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
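The filters above ('ip[4:2] == 24332', 'icmp[icmptype] == 8', 'ether src ...') all read bytes at fixed offsets, and the -xx dump is the raw material for checking those offsets by hand. The following script is an added example, not code from the original page: it parses the two frames from the -xx output above (embedded as sample input), decodes the fields those filters look at, and verifies the IP header checksum and total length so that a mistyped dump is noticed. The function names (parse_xx_dump, decode_frame, matches, summarize) are the example's own, and the parser assumes plain -x/-xx output without the ASCII column of -X/-XX.

```python
# Added example (not from the original page): decode frames printed by
# "tcpdump -nnxxi eth0 icmp" and re-check the byte offsets that the filters
# 'ip[4:2]', 'icmp[icmptype]' and 'ether src/dst' rely on.
import re
import struct

# Sample input constructed from the two -xx frames shown on the page.
SAMPLE_XX_DUMP = """\
16:23:36.092093 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 622, seq 2439, length 64
0x0000: fa16 3e5b 4861 fa16 3e1f b75b 0800 4500
0x0010: 0054 0000 4000 4001 0e6f 0c00 0a1d 0c00
0x0020: 0a1e 0800 bf60 026e 0987 0814 bb5b 0000
0x0030: 0000 a967 0100 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
16:23:36.092235 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 622, seq 2439, length 64
0x0000: fa16 3e1f b75b fa16 3e5b 4861 0800 4500
0x0010: 0054 137f 0000 8001 faef 0c00 0a1e 0c00
0x0020: 0a1d 0000 c760 026e 0987 0814 bb5b 0000
0x0030: 0000 a967 0100 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
"""

# One hex line of -x/-xx output, e.g. "0x0010: 0054 0000 ...".
# (-X/-XX add an ASCII column that this parser does not handle.)
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+([0-9a-f ]+?)\s*$", re.IGNORECASE)


def parse_xx_dump(text):
    """Group hex lines into one bytes object per frame; a non-hex line
    (the per-packet summary) ends the current frame."""
    frames, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            current += bytes.fromhex(m.group(1).replace(" ", ""))
        elif current:
            frames.append(bytes(current))
            current = bytearray()
    if current:
        frames.append(bytes(current))
    return frames


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b):
    return ".".join(str(x) for x in b)


def ones_complement_sum(data):
    """RFC 1071 checksum. Over a header that already carries a correct
    checksum the result is 0, which is how ip_checksum_ok is derived."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Extract the fields the page's filters read. Offsets use the same bases
    as BPF: ether[] from the frame, ip[] from the IP header, icmp[] after it."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]                       # 'ip[...]' offsets start here
    ihl = (ip[0] & 0x0F) * 4              # header length in bytes, normally 20
    fields = {
        "ether_dst": _mac(frame[0:6]),
        "ether_src": _mac(frame[6:12]),
        "ip_id": struct.unpack("!H", ip[4:6])[0],   # what 'ip[4:2]' reads
        "ip_ttl": ip[8],
        "ip_proto": ip[9],
        "ip_src": _ipv4(ip[12:16]),
        "ip_dst": _ipv4(ip[16:20]),
        "ip_len_ok": struct.unpack("!H", ip[2:4])[0] == len(ip),
        "ip_checksum_ok": ones_complement_sum(bytes(ip[:ihl])) == 0,
        "icmp_type": None, "icmp_code": None, "icmp_id": None, "icmp_seq": None,
    }
    if fields["ip_proto"] == 1:           # ICMP: 'icmp[icmptype]' is icmp[0]
        icmp = ip[ihl:]
        fields["icmp_type"], fields["icmp_code"] = icmp[0], icmp[1]
        fields["icmp_id"], fields["icmp_seq"] = struct.unpack("!HH", icmp[4:8])
    return fields


def matches(fields, **want):
    """AND of field == value tests: matches(f, ip_id=24332) mirrors
    'ip[4:2] == 24332', matches(f, icmp_type=8) mirrors 'icmp[icmptype] == 8'."""
    return all(fields.get(k) == v for k, v in want.items())


def summarize(text):
    """Decode every frame of a -xx dump into its field dict."""
    return [decode_frame(f) for f in parse_xx_dump(text)]


if __name__ == "__main__":
    for f in summarize(SAMPLE_XX_DUMP):
        print(f"{f['ip_src']} > {f['ip_dst']} ip_id={f['ip_id']} icmp_type={f['icmp_type']} "
              f"seq={f['icmp_seq']} checksum_ok={f['ip_checksum_ok']}")
```

Running it decodes the request as ICMP type 8 with IP Identification 0 and the reply as type 0 with Identification 0x137f, both with valid IP header checksums, which is the same view a BPF filter on those offsets would have; to check a dump from your own capture, replace SAMPLE_XX_DUMP with the pasted -xx output.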

  To print the packet in both hexadecimal and ASCII, use -X:

[root@localhost ~]# tcpdump -nnXi eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:29:17.186099 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 622, seq 2780, length 64
0x0000: 4500 0054 0000 4000 4001 0e6f 0c00 0a1d E..T..@.@..o....
0x0010: 0c00 0a1e 0800 329b 026e 0adc 5d15 bb5b ......2..n..]..[
0x0020: 0000 0000 ded6 0200 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637                                4567
16:29:17.186272 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 622, seq 2780, length 64
0x0000: 4500 0054 3523 0000 8001 d94b 0c00 0a1e E..T5#.....K....
0x0010: 0c00 0a1d 0000 3a9b 026e 0adc 5d15 bb5b ......:..n..]..[
0x0020: 0000 0000 ded6 0200 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637                                4567
^C
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

  To print the link-layer header as well, in both hexadecimal and ASCII, use -XX:

[root@localhost ~]# tcpdump -nnXXi eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:29:24.186101 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 622, seq 2787, length 64
0x0000: fa16 3e5b 4861 fa16 3e1f b75b 0800 4500 ..>[Ha..>..[..E.
0x0010: 0054 0000 4000 4001 0e6f 0c00 0a1d 0c00 .T..@.@..o......
0x0020: 0a1e 0800 2a94 026e 0ae3 6415 bb5b 0000 ....*..n..d..[..
0x0030: 0000 dfd6 0200 0000 0000 1011 1213 1415 ................
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 &'()*+,-./012345
0x0060: 3637                                     67
16:29:24.186264 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 622, seq 2787, length 64
0x0000: fa16 3e1f b75b fa16 3e5b 4861 0800 4500 ..>..[..>[Ha..E.
0x0010: 0054 3543 0000 8001 d92b 0c00 0a1e 0c00 .T5C.....+......
0x0020: 0a1d 0000 3294 026e 0ae3 6415 bb5b 0000 ....2..n..d..[..
0x0030: 0000 dfd6 0200 0000 0000 1011 1213 1415 ................
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 &'()*+,-./012345
0x0060: 3637                                     67
^C
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

  The -c option makes tcpdump exit automatically after capturing the given number of packets:

[root@localhost ~]# tcpdump -c 2 -nnxi eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:33:38.253086 IP 12.0.10.29 > 12.0.10.30: ICMP echo request, id 622, seq 3041, length 64
0x0000: 4500 0054 0000 4000 4001 0e6f 0c00 0a1d
0x0010: 0c00 0a1e 0800 7a8f 026e 0be1 6216 bb5b
0x0020: 0000 0000 8fdc 0300 0000 0000 1011 1213
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050: 3435 3637
16:33:38.253286 IP 12.0.10.30 > 12.0.10.29: ICMP echo reply, id 622, seq 3041, length 64
0x0000: 4500 0054 4058 0000 8001 ce16 0c00 0a1e
0x0010: 0c00 0a1d 0000 828f 026e 0be1 6216 bb5b
0x0020: 0000 0000 8fdc 0300 0000 0000 1011 1213
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050: 3435 3637
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#