Introduction
tcpdump is a command-line packet analyzer. It captures the TCP/IP and other packets sent or received by the host it runs on.
tcpdump runs on most Unix-like operating systems, including Linux, Solaris, BSD, Mac OS X, HP-UX and AIX. On these systems it relies on the libpcap packet-capture library. The Windows port is called WinDump and requires the WinPcap driver, which plays the role libpcap plays on Linux (WinPcap is no longer maintained; Npcap is its successor).
It prints the packets sent and received on a network interface, optionally only those matching a filter expression, and is used to troubleshoot network problems, detect attacks, and monitor network activity.
Official site
Home | TCPDUMP & LIBPCAP
Installation
# tcpdump depends on libpcap

# Ubuntu 22.04
# check libpcap
ubuntu~$ dpkg -l | grep libpcap
ii  libpcap0.8:amd64  1.10.1-4build1  amd64  system interface for user-level packet capture
# install tcpdump
ubuntu~$ sudo apt install tcpdump

# CentOS 7
# check libpcap
[root@centos7 ~]# rpm -qa libpcap
libpcap-1.5.3-13.el7_9.x86_64
# install tcpdump
[root@centos7 ~]# yum install tcpdump
Usage help
# Shown on the Ubuntu 22.04 build (tcpdump 4.99.1 against libpcap 1.10.1); CentOS 7 ships tcpdump 4.9.x
# against libpcap 1.5.3, so its option list differs slightly.
root@ubuntu:~# tcpdump -h
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 3.0.2 15 Mar 2022
Usage: tcpdump [-AbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ] [--count]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ --immediate-mode ] [ -j tstamptype ]
                [ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
                [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
                [ --time-stamp-precision precision ] [ --micro ] [ --nano ]
                [ -z postrotate-command ] [ -Z user ] [ expression ]
Usage examples
The general form of a tcpdump invocation is: tcpdump [options] [expression] (both parts are optional; with no expression every packet on the interface is printed).
options
# List capture interfaces: tcpdump -D or tcpdump --list-interfaces
root@ubuntu:~# tcpdump -D
1.ens33 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.docker0 [Up]
5.bluetooth-monitor (Bluetooth Linux Monitor) [none]
6.nflog (Linux netfilter log (NFLOG) interface) [none]
7.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
8.bluetooth0 (Bluetooth adapter number 0) [none]
root@ubuntu:~#
root@ubuntu:~# tcpdump --list-interfaces
(same list as above; --list-interfaces is the long form of -D)

# Select an interface: -i interface or --interface=interface
# all interfaces (the "any" pseudo-device uses the Linux "cooked" link type, so -e shows no Ethernet addresses there)
root@ubuntu:~# tcpdump -i any
# the ens33 interface
root@ubuntu:~# tcpdump -i ens33
root@ubuntu:~# tcpdump --interface=ens33

# Save ICMP packets to icmp.pcap with -w. With -w the packets are written to the file and not printed on the terminal.
# If this fails with "Permission denied" on Debian/Ubuntu, it is because tcpdump drops root to the tcpdump user once
# the capture is open: write to a directory that user can write to, or add -Z root.
root@ubuntu:~# tcpdump --interface=ens33 -w icmp.pcap icmp

# Limit file size with -C (only meaningful together with -w). The unit is millions of bytes (1,000,000, not 1,048,576).
# Packets go to test.pcap; when it reaches 2 MB a new file test.pcap1 is started, then test.pcap2, and so on.
# Add -W count to cap the number of files and overwrite the oldest (a ring buffer), e.g. -C 2 -W 10 for at most 10 files.
root@ubuntu:~# tcpdump -w test.pcap -C 2

# Read packets back from a file (no root needed; filter expressions work here too)
root@ubuntu:/tmp# tcpdump -r test.pcap

# -v prints more detail, -c 1 stops after one packet, -n does not resolve addresses to names
root@ubuntu:/tmp# tcpdump -n -c 1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:18:26.384013 IP 192.168.21.128 > 183.2.172.42: ICMP echo request, id 5, seq 1, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
root@ubuntu:/tmp#
root@ubuntu:/tmp# tcpdump -v -n -c 1 icmp
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:01.320676 IP (tos 0x0, ttl 64, id 21682, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.21.128 > 183.2.172.185: ICMP echo request, id 6, seq 1, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel

# To print each packet's payload as ASCII as well, use -A. Non-printable bytes are shown as dots, so this is only
# useful for cleartext protocols: an HTTP exchange on port 80 is readable, a TLS session on port 443 is not.
root@ubuntu:/tmp# tcpdump -A -n src port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:24:47.351778 IP 183.2.172.42.80 > 192.168.21.128.44002: Flags [S.], seq 2034896310, ack 4106329319, win 64240, options [mss 1460], length 0
E..,
......X...*.....P..yJ......`.............
14:24:47.352217 IP 183.2.172.42.80 > 192.168.21.128.44002: Flags [.], ack 78, win 64240, length 0
E..(
......[...*.....P..yJ.....4P....c........
14:24:47.378366 IP 183.2.172.42.80 > 192.168.21.128.44002: Flags [.], seq 1:1461, ack 78, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E............*.....P..yJ.....4P.......HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Wed, 22 Nov 2023 14:24:47 GMT
Etag: "588604dc-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:56 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>...........................</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=............ class="bg s_btn"></span>
14:24:47.378452 IP 183.2.172.42.80 > 192.168.21.128.44002: Flags [P.], seq 1461:2782, ack 78, win 64240, length 1321: HTTP
E..Q
!.....0...*.....P..yJ.k...4P...Q...</form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>......</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>......</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>......</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>......</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>......</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">......</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">............</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>............</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>©2017 Baidu <a href=http://www.baidu.com/duty/>.....................</a> <a href=http://jianyi.baidu.com/ class=cp-feedback>............</a> ...ICP...030173... <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
14:24:47.378907 IP 183.2.172.42.80 > 192.168.21.128.44002: Flags [.], ack 79, win 64239, length 0
E..(
".....X...*.....P..yJ.....5P.............
14:24:47.403420 IP 183.2.172.42.80 > 192.168.21.128.44002: Flags [FP.], seq 2782, ack 79, win 64239, length 0
E..(
#.....W...*.....P..yJ.....5P....}........

# Show data-link layer (MAC) addresses with -e
root@ubuntu:/tmp# tcpdump -e -c 2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:26:54.254562 00:0c:29:2b:39:27 > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 242: 192.168.21.128.22 > 192.168.21.1.49523: Flags [P.], seq 117054726:117054914, ack 2091745178, win 501, length 188
14:26:54.254829 00:0c:29:2b:39:27 > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 298: 192.168.21.128.22 > 192.168.21.1.49523: Flags [P.], seq 188:432, ack 1, win 501, length 244
2 packets captured
3 packets received by filter
0 packets dropped by kernel

# The two packets above are this host's own SSH session with 192.168.21.1 (port 22), which an unfiltered capture
# fills up with quickly. Exclude it, e.g. tcpdump -i ens33 -n 'not (host 192.168.21.1 and port 22)'.
# Disable promiscuous mode with -p or --no-promiscuous-mode. By default tcpdump puts the interface into promiscuous
# mode, which the kernel logs ("device ens33 entered promiscuous mode"); with -p only traffic addressed to this host
# (plus broadcast and multicast) is captured.
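The one-line summary format in the examples above (timestamp, IP, src > dst, then protocol details) is what most post-processing scripts consume. As an added example that is not part of the original post, the following Python parses such lines from `tcpdump -n` output and flags sources that sent bare SYNs to several ports of a target without ever completing a handshake, the pattern a SYN scan leaves behind. The sample lines are constructed for the demonstration; the only assumption is the `-n` one-line format with numeric ports, and banner lines, the packet counters and -A/-x dump lines are skipped because they do not match the line pattern.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One summary line of `tcpdump -n` output: timestamp, "IP", src > dst, then protocol details.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


@dataclass
class Packet:
    ts: str
    proto: str            # "tcp", "icmp" or "other"
    src: str
    sport: Optional[int]  # None when the protocol has no ports (ICMP)
    dst: str
    dport: Optional[int]
    flags: str            # TCP flag letters exactly as tcpdump prints them ("S", "S.", "P.", ...), "" otherwise


def _split_port(endpoint: str):
    # "192.168.21.128.44002" -> ("192.168.21.128", 44002); relies on -n so the port is numeric
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; returns None for banners, counters and -A/-x dump lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("Flags ["):
        src, sport = _split_port(m["src"])
        dst, dport = _split_port(m["dst"])
        return Packet(m["ts"], "tcp", src, sport, dst, dport, FLAGS_RE.match(rest)["flags"])
    if rest.startswith("ICMP"):
        return Packet(m["ts"], "icmp", m["src"], None, m["dst"], None, "")
    return Packet(m["ts"], "other", m["src"], None, m["dst"], None, "")


def parse_capture(text: str) -> list:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def syn_scanners(packets, min_ports=3):
    """Sources that sent a bare SYN to at least min_ports distinct (host, port) targets
    and never completed the handshake to them (no client ACK). Returns {src: sorted ports}."""
    attempted = defaultdict(set)  # src -> {(dst, dport)} that received a bare SYN
    completed = set()             # (src, dst, dport) where the client later sent an ACK
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            attempted[p.src].add((p.dst, p.dport))
        elif "." in p.flags and "S" not in p.flags:  # a client ACK, not the server's SYN-ACK
            completed.add((p.src, p.dst, p.dport))
    result = {}
    for src, targets in attempted.items():
        unanswered = [dport for dst, dport in targets if (src, dst, dport) not in completed]
        if len(unanswered) >= min_ports:
            result[src] = sorted(unanswered)
    return result


# Constructed sample of `tcpdump -n` output (not a real capture): one host probes four ports with
# bare SYNs, a legitimate client completes an SSH handshake, and there is one ping.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:30:01.000101 IP 10.0.0.9.40001 > 192.168.21.128.22: Flags [S], seq 100, win 1024, length 0
14:30:01.000202 IP 10.0.0.9.40002 > 192.168.21.128.80: Flags [S], seq 101, win 1024, length 0
14:30:01.000303 IP 10.0.0.9.40003 > 192.168.21.128.443: Flags [S], seq 102, win 1024, length 0
14:30:01.000404 IP 10.0.0.9.40004 > 192.168.21.128.3306: Flags [S], seq 103, win 1024, length 0
14:30:01.000505 IP 192.168.21.1.49523 > 192.168.21.128.22: Flags [S], seq 200, win 64240, options [mss 1460], length 0
14:30:01.000606 IP 192.168.21.128.22 > 192.168.21.1.49523: Flags [S.], seq 300, ack 201, win 65160, length 0
14:30:01.000707 IP 192.168.21.1.49523 > 192.168.21.128.22: Flags [.], ack 301, win 502, length 0
14:30:02.384013 IP 192.168.21.128 > 183.2.172.42: ICMP echo request, id 5, seq 1, length 64
8 packets captured
"""

if __name__ == "__main__":
    for src, ports in syn_scanners(parse_capture(SAMPLE)).items():
        print(f"possible SYN scan from {src}: ports {ports}")
```

In practice you would feed it a real capture with `tcpdump -n -r test.pcap | python3 detect.py` (reading stdin instead of SAMPLE); the SYN-ACK the server returns is deliberately ignored so that the scanner, which answers it with a RST or nothing at all, is not mistaken for a client that finished the handshake.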
expression
# type
host for an individual host (e.g. host 192.168.1.1)
net for a network (e.g. net 192.168.0.0/24)
port for a port number (e.g. port 22)
portrange for a range of ports (e.g. portrange 1000-2000)
If no type is specified, host is assumed.

# dir
src - source only
dst - destination only
src or dst - either side of the connection may match
src and dst - both source and destination must match the specified identifier
If no direction is specified, src or dst is assumed.

# proto
This qualifier restricts the match to a specific protocol. Protocols you may wish to specify include:
ether (Ethernet)
wlan (Wireless LAN)
ip (Internet Protocol v4)
ip6 (Internet Protocol v6)
arp (Address Resolution Protocol)
rarp (Reverse ARP)
tcp (Transmission Control Protocol)
udp (User Datagram Protocol)
icmp (Internet Control Message Protocol)
If no protocol qualifier is given, every protocol consistent with the type is assumed, so port 53 matches both TCP and UDP.

# Combining filter expressions with and, or, not
not
Can also be written as ! - selects only traffic which does not match the expression that follows (quote or escape ! in an interactive bash shell, where it triggers history expansion).
tcpdump not tcp   # match only traffic which does not use TCP
and
Can also be written as && - selects traffic which matches both the preceding and the following expression.
tcpdump icmp and host google.dns
or
Can also be written as || - selects traffic which matches either the preceding or the following expression.
Precedence: not binds tightest; and and or have EQUAL precedence and associate left to right, so host a or host b and port 80 means (host a or host b) and port 80. Use parentheses whenever the intent is not obvious.

# Examples:
# The following two are equivalent: an identifier given without a keyword inherits the most recent qualifiers (here tcp dst port)
tcpdump tcp dst port 80 or tcp dst port 443
tcpdump tcp dst port 80 or 443

# Parentheses group sub-expressions. They are also special to the shell, so quote the whole expression;
# the unquoted form tcpdump host athena and (port 80 or 443) is a shell syntax error, not a tcpdump one.
tcpdump 'host athena and (port 80 or 443)'

# Protocol filter
tcpdump ip and tcp

# Filtering on IP addresses
tcpdump src host 192.168.1.1 and dst host 192.168.1.2
tcpdump net 192.168.1   # all traffic to or from the 192.168.1.0/24 subnet (net 192.168 would mean 192.168.0.0/16)

# Port filters
tcpdump src portrange 10000-20000 and dst port 443

# Packet length (less N: length <= N bytes, greater N: length >= N bytes)
tcpdump ip host 192.168.1.1 and less 100
# Two primitives written side by side (icmp greater 50) are a syntax error; join them with and:
tcpdump icmp and greater 50
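To make the grammar rules above concrete, here is a toy filter evaluator written for this page as an added example; it is not libpcap and it is not the original post's code. It models only the subset discussed here (host/net/port/portrange with src/dst, the protocol names ip/tcp/udp/icmp, less/greater, and/or/not with parentheses) and two rules that trip people up in practice: an identifier without a keyword inherits the most recent qualifiers (`tcp dst port 80 or 443`), and `and`/`or` have equal precedence and associate left to right. Packets are plain dicts constructed for the example. The real check is `tcpdump -d 'expression'` (or with `-r file`), which compiles the filter to BPF and prints it without capturing.

```python
import ipaddress

PROTOS, DIRS = {"ip", "tcp", "udp", "icmp"}, {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
KEYWORDS = PROTOS | DIRS | TYPES | {"and", "or", "not", "(", ")", "less", "greater"}

class FilterParser:  # recursive-descent parser for a subset of pcap-filter(7); a toy, not libpcap
    def __init__(self, text):
        alias = {"&&": "and", "||": "or", "!": "not"}
        self.toks = [alias.get(t, t) for t in text.replace("(", " ( ").replace(")", " ) ").split()]
        self.last = ("", "", "host")  # (proto, dir, type) inherited by a bare identifier
    def peek(self):
        return self.toks[0] if self.toks else None
    def take(self):
        return self.toks.pop(0) if self.toks else None
    def parse(self):
        node = self.expr()
        if self.toks:  # anything left over is a syntax error, e.g. an unbalanced ')'
            raise SyntaxError(f"unexpected token {self.toks[0]!r}")
        return node
    def expr(self):  # `and` and `or` have EQUAL precedence and associate left to right
        left = self.term()
        while self.peek() in ("and", "or"):
            left = (self.take(), left, self.term())
        return left
    def term(self):
        if self.peek() == "not":  # negation binds tightest
            self.take()
            return ("not", self.term())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        return self.primitive()
    def primitive(self):
        if self.peek() in ("less", "greater"):
            return (self.take(), int(self.take()))
        proto = self.take() if self.peek() in PROTOS else None
        if proto and self.peek() in (None, "and", "or", ")"):
            return ("proto", proto)  # bare protocol name such as `tcp`
        dir_ = self.take() if self.peek() in DIRS else None
        typ = self.take() if self.peek() in TYPES else None
        ident = self.take()
        if ident is None or ident in KEYWORDS:  # `icmp greater 50`: juxtaposition needs an explicit `and`
            raise SyntaxError(f"expected an identifier, got {ident!r}")
        if proto is None and dir_ is None and typ is None:
            proto, dir_, typ = self.last  # `tcp dst port 80 or 443`: 443 inherits tcp dst port
        else:
            proto, dir_, typ = proto or "", dir_ or "", typ or "host"
            self.last = (proto, dir_, typ)
        return ("prim", proto, dir_, typ, ident)

def _network(ident):  # `net 192.168.1` is 192.168.1.0/24, `net 192.168` is 192.168.0.0/16
    if "/" not in ident:
        octets = ident.split(".")
        ident = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(ident, strict=False)

def matches(node, pkt):
    kind = node[0]
    if kind in ("and", "or"):
        a, b = matches(node[1], pkt), matches(node[2], pkt)
        return (a and b) if kind == "and" else (a or b)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return node[1] == "ip" or pkt["proto"] == node[1]
    if kind in ("less", "greater"):  # less N: length <= N; greater N: length >= N
        return pkt["length"] <= node[1] if kind == "less" else pkt["length"] >= node[1]
    _, proto, dir_, typ, ident = node
    if proto not in ("", "ip") and pkt["proto"] != proto:
        return False
    for side in (("src", "dst") if dir_ == "" else (dir_,)):
        addr, port = pkt[side], pkt["sport" if side == "src" else "dport"]
        if typ == "host" and addr == ident:
            return True
        if typ == "net" and ipaddress.ip_address(addr) in _network(ident):
            return True
        if typ == "port" and port == int(ident):
            return True
        if typ == "portrange" and port is not None:
            lo, hi = (int(x) for x in ident.split("-"))
            if lo <= port <= hi:
                return True
    return False

def select(filter_text, packets):
    """Indices of the packets the filter would let through."""
    tree = FilterParser(filter_text).parse()
    return [i for i, p in enumerate(packets) if matches(tree, p)]

PACKETS = [  # constructed sample traffic for the demonstration, not taken from the page's captures
    dict(proto="tcp", src="192.168.1.10", sport=51000, dst="93.184.216.34", dport=80, length=60),
    dict(proto="tcp", src="192.168.1.10", sport=51001, dst="93.184.216.34", dport=443, length=60),
    dict(proto="udp", src="192.168.1.10", sport=53000, dst="192.168.1.1", dport=53, length=70),
    dict(proto="icmp", src="10.9.9.9", sport=None, dst="192.168.1.10", dport=None, length=98),
]
```

Running `select("host 10.9.9.9 or host 192.168.1.1 and udp", PACKETS)` returns only the UDP packet, while `select("host 10.9.9.9 or (host 192.168.1.1 and udp)", PACKETS)` also returns the ICMP packet: the first form is parsed as (host a or host b) and udp, exactly the left-to-right rule described above. `select("icmp greater 90", PACKETS)` raises SyntaxError, as the real tool does for juxtaposed primitives; `select("icmp and greater 90", PACKETS)` works.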
About this series
This article is part of the "Practical Computer Networking Tools" series; further related posts will follow and be kept up to date.
My posts focus on computer networking, security, operations and cloud computing. If that interests you, please follow me; I publish new posts from time to time and keep improving the ones already published.
Later on, depending on the comments, likes and follows, I will also record videos on the topics people care about and put together sets of study materials to share for free, and I look forward to learning together with you.