linux抓包-tcpdump

大家好，又见面了，我是你们的朋友全栈君。

1.tcpdump简介

tcpdump是linux平台的抓包工具，可以抓取TCP/IP协议的数据包，网络协议，主机，端口，还提供and，or，not等逻辑语句过滤信息。

2.tcpdump参数

tcpdump帮助查看 tcpdump -h， man tcpdump

[root@master ~]# tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q|-P in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
		[ -Z user ] [ expression ]

• -A:只使用ASCII 打印报文的全部数据
• -b：数据链路层选择协议（ip，arp，rarp，ipx等）
• -c：指定抓取包的数量
• -D列出当前系统所有可以用于抓包的接口
• -e：输出链路层报文
• -i 指定监听的网卡，-i any 显示所有网卡
• –n 表示不解析主机名，直接用 IP 显示，默认是用 hostname 显示
• -nn 表示不解析主机名和端口，直接用端口号显示，默认显示是端口号对应的服务名
• -q 快速打印输出，即只输出少量的协议相关信息
• -s len 设置要抓取数据包长度为 len，默认只会截取前 96bytes 的内容，-s 0 的话，会截取全部内容。
• -XX 同 -X，但同时显示以太网头部
• -t 不要打印时间戳
• -X 同时用 hex 和 ascii 显示报文内容

3.tcpdump过滤器

过滤器：通俗讲就是我们抓取的数据包信息有许多是我们用不到的，通过过滤得到我们需要的信息，
这里过滤器有三类：
1.协议（protocol）:tcp,udp,icmp,ip,arp等
2.传输方向（dir）：src，dst，src and dst，src or dst(默认)
3.类型（type）：host，net，prot

tcpdump语法格式：tcpdump [options] [not] proto dir type

tcpdump的输出格式

       系统时间       源主机.端口        目标主机.端口            数据包参数
20:11:12.854851 IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1838515159:1838515347, ack 1981438263, win 83, length 188
20:11:12.854946 IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8207, length 0

数据包类型

• [S] SYN(开始连接)
• [.] 没有标志
• [P] PSH(推送数据)
• [F] FIN(完成连接)
• [R] RST(重置连接)

4.tcpdump常用操作

查看ens33网卡设备，对应22端口服务的传输信息（-t不显示时间信息）

[root@master ~]# tcpdump -ti ens33 port 22
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22308, win 8208, length 0
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22308:22512, ack 1, win 83, length 204
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22512:22716, ack 1, win 83, length 204
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 22716, win 8206, length 0
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22716:22848, ack 1, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 22848:22980, ack 1, win 83, length 132

查看指定网卡的设备，显示端口号对应服务

[root@master ~]# tcpdump -nnt -i ens33|head -10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1817580335:1817580523, ack 1981371343, win 83, length 188
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8209, length 0
IP 220.191.97.17.43687 > 192.168.2.29.37561: UDP, length 219
IP 192.168.2.29.37561 > 117.61.19.156.35855: UDP, length 1089
IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 24
IP 192.168.2.29.37561 > 220.191.97.17.43687: UDP, length 1432
IP 192.168.2.29.37561 > 183.157.124.157.31285: UDP, length 1432
IP 192.168.2.29.37561 > 101.229.237.49.34270: UDP, length 1432
IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432
IP 192.168.2.29.37561 > 183.159.234.151.3146: UDP, length 1432
tcpdump: Unable to write output: Broken pipe

查看src源方向传输的信息

[root@master ~]# tcpdump -ti ens33 src port 22
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757140:757272, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757272:757404, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757404:757536, ack 73, win 83, length 132
IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 757536:757668, ack 73, win 83, length 132

查看dst源方向传输的信息

[root@master ~]# tcpdump -ti ens33 dst port 22
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6157, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6273, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6389, win 8207, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6505, win 8212, length 0
IP 192.168.2.29.59546 > master.ssh: Flags [.], ack 6621, win 8212, length 0

查看已经到192.168.2.29主机的的网卡设备ens33的22 号端口的数据包（-c抓包的数量，-v更详细信息）

[root@master ~]# tcpdump -nnt -i  ens33 dst host 192.168.2.29 and port 22 -c2 -vv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP (tos 0x10, ttl 64, id 40345, offset 0, flags [DF], proto TCP (6), length 164)
    192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x862f (incorrect -> 0xd42e), seq 1836124383:1836124507, ack 1981412895, win 83, length 124
IP (tos 0x10, ttl 64, id 40346, offset 0, flags [DF], proto TCP (6), length 316)
    192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], cksum 0x86c7 (incorrect -> 0x21f6), seq 124:400, ack 1, win 83, length 276
2 packets captured
10 packets received by filter
0 packets dropped by kernel

查看22端口或者8443端口的数据包（-c20显示最新20条数据信息）

[root@master ~]# tcpdump -nnt -i ens33 -c 20 'port 22 or port 8443'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1843624239:1843624427, ack 1981514743, win 83, length 188
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 188, win 8211, length 0
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 188:424, ack 1, win 83, length 236
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 424:556, ack 1, win 83, length 132
IP 192.168.2.29.59546 > 192.168.2.43.22: Flags [.], ack 556, win 8210, length 0
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 556:688, ack 1, win 83, length 132
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 688:936, ack 1, win 83, length 248

查看某个网段的数据包

[root@master ~]# tcpdump -i ens33 dst net 192.168.2 -c2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:04:05.239508 IP 18.236.79.218.broad.xw.sh.dynamic.163data.com.cn.58123 > 192.168.2.29.37561: UDP, length 35
20:04:05.240617 IP 183.161.235.205.30834 > 192.168.2.29.37561: UDP, length 35
2 packets captured

查询某协议的数据包

[root@master ~]# tcpdump -i ens33 udp
[root@master ~]# tcpdump -i ens33 tcp
[root@master ~]# tcpdump -i ens33 icmp
[root@master ~]# tcpdump -i ens33 ip

俩种方式将数据包信息保存到文本

#第一种：直接输出到文件中
[root@master ~]# tcpdump  -nnt dst host  192.168.2.29  -i ens33 -c5 > tcpdump.txt 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
310 packets received by filter
0 packets dropped by kernel
[root@master ~]# cat tcpdump.txt 
IP 192.168.2.43.22 > 192.168.2.29.59546: Flags [P.], seq 1841703659:1841703847, ack 1981496079, win 83, length 188
IP 112.98.40.64.4909 > 192.168.2.29.37561: UDP, length 34
IP 27.186.136.251.29396 > 192.168.2.29.37561: UDP, length 342
IP 113.129.233.43.49542 > 192.168.2.29.37561: UDP, length 24
IP 60.186.179.149.1027 > 192.168.2.29.37561: UDP, length 37

#第二种-w保存到文件内，通过-r查看（不能通过cat查看）
[root@master ~]# tcpdump  -nnt dst host  192.168.2.29  -i ens33 -c5 -w tcpdump.txt
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
482 packets received by filter
0 packets dropped by kernel
[root@master ~]# tcpdump -r tcpdump.txt 
reading from file tcpdump.txt, link-type EN10MB (Ethernet)
20:25:13.839506 IP master.ssh > 192.168.2.29.59546: Flags [P.], seq 1841706771:1841706895, ack 1981497695, win 83, length 124
20:25:13.840656 IP 36.19.167.55.14975 > 192.168.2.29.37561: UDP, length 81
20:25:13.840657 IP 123.183.132.111.4176 > 192.168.2.29.37561: UDP, length 32
20:25:13.840806 IP 106.114.153.64.aes-discovery > 192.168.2.29.37561: UDP, length 264
20:25:13.841019 IP 43.146.142.219.broad.bj.bj.dynamic.163data.com.cn.24193 > 192.168.2.29.37561: UDP, length 24