这里我们学习的是tcpdump抓包
默认情况不加参数tcpdump抓包的话只抓每个数据包的前68个字节,也就是通常情况下抓完整的tcp,ip还有二层包头信息。当然我们如果要进行数据深入的分析的话,还是远远不够的,68个字节只能知道从哪里传到哪里以及端口信息。如果想要抓取完整的信息,还是需要借助一些参数的使用。
我这里宿主机hosts文件是
[root@master1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.64.150 master1.gitlab.cn
[root@master1 ~]# 基础命令
[root@master1 ~]# tcpdump -i ens33 -s 0 -w a.cap参数分析:
-i 指定那个网卡
-s 指定数据包大小(默认是68个字节,0表示数据包全部字节)
-w 抓到的数据包放到某个文件下
这里我们ping一下百度这个网站,我们发现抓了75个包,查看一下a.cap这个文件
[root@master1 ~]# tcpdump -r a.cap
reading from file a.cap, link-type EN10MB (Ethernet)
22:06:42.293523 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 527595354:527595478, ack 2050987823, win 257, length 124
22:06:42.293719 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 124, win 4100, length 0
22:06:42.431504 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:42.791524 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 1:37, ack 124, win 4100, length 36
22:06:42.791696 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 124:160, ack 37, win 257, length 36
22:06:42.833058 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 160, win 4100, length 0
22:06:43.004906 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 37:73, ack 160, win 4100, length 36
22:06:43.005310 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 160:196, ack 73, win 257, length 36
22:06:43.046371 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 196, win 4106, length 0
22:06:43.142910 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 73:109, ack 196, win 4106, length 36
22:06:43.143074 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 196:232, ack 109, win 257, length 36
22:06:43.184246 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 232, win 4106, length 0
22:06:43.283044 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 109:145, ack 232, win 4106, length 36
22:06:43.283261 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 232:268, ack 145, win 257, length 36
22:06:43.325452 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 268, win 4105, length 0
22:06:43.388709 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 145:181, ack 268, win 4105, length 36
22:06:43.388886 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 268:304, ack 181, win 257, length 36
22:06:43.430068 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 304, win 4105, length 0
22:06:43.433035 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:43.515735 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 181:217, ack 304, win 4105, length 36
22:06:43.515935 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 304:340, ack 217, win 257, length 36
22:06:43.556116 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 340, win 4105, length 0
22:06:43.637828 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 217:253, ack 340, win 4105, length 36
22:06:43.638022 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 340:376, ack 253, win 257, length 36
22:06:43.678734 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 376, win 4105, length 0
22:06:44.434714 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:45.436320 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:45.526606 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [P.], seq 2388175140:2388175176, ack 3173181690, win 4104, length 36
22:06:45.526771 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 1:85, ack 36, win 257, length 84
22:06:45.567345 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 85, win 4104, length 0
22:06:46.437425 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:47.439275 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:48.440636 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:49.442906 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:50.445070 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:51.446604 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:52.448441 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:52.720313 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [P.], seq 36:72, ack 85, win 4104, length 36
22:06:52.721010 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 85:121, ack 72, win 257, length 36
22:06:52.731663 IP master1.gitlab.cn.47778 > dns.google.domain: 6898+ A? www.baidu.com. (31)
22:06:52.761255 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 121, win 4104, length 0
22:06:52.770334 IP dns.google.domain > master1.gitlab.cn.47778: 6898 3/0/0 CNAME www.a.shifen.com., CNAME www.wshifen.com., A 103.235.46.39 (100)
22:06:52.770698 IP master1.gitlab.cn > 103.235.46.39: ICMP echo request, id 4588, seq 1, length 64
22:06:52.770838 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 121:221, ack 72, win 257, length 100
22:06:52.811795 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 221, win 4103, length 0
22:06:53.012121 IP 103.235.46.39 > master1.gitlab.cn: ICMP echo reply, id 4588, seq 1, length 64
22:06:53.012289 IP master1.gitlab.cn.36903 > dns.google.domain: 22593+ PTR? 39.46.235.103.in-addr.arpa. (44)
22:06:53.057046 IP dns.google.domain > master1.gitlab.cn.36903: 22593 NXDomain 0/1/0 (132)
22:06:53.057952 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 221:337, ack 72, win 257, length 116
22:06:53.099038 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 337, win 4103, length 0
22:06:53.450333 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:53.770648 IP master1.gitlab.cn > 103.235.46.39: ICMP echo request, id 4588, seq 2, length 64
22:06:54.001596 IP 103.235.46.39 > master1.gitlab.cn: ICMP echo reply, id 4588, seq 2, length 64
22:06:54.001713 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 337:453, ack 72, win 257, length 116
22:06:54.042291 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 453, win 4102, length 0
22:06:54.452240 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:54.771135 IP master1.gitlab.cn > 103.235.46.39: ICMP echo request, id 4588, seq 3, length 64
22:06:54.996775 IP 103.235.46.39 > master1.gitlab.cn: ICMP echo reply, id 4588, seq 3, length 64
22:06:54.998968 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 453:729, ack 72, win 257, length 276
22:06:54.999138 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 729:805, ack 72, win 257, length 76
22:06:54.999295 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 805, win 4101, length 0
22:06:55.453601 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:56.455062 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:57.456383 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:57.738435 ARP, Request who-has gateway tell master1.gitlab.cn, length 28
22:06:57.738564 ARP, Reply gateway is-at 00:50:56:ee:f2:d8 (oui Unknown), length 46
22:06:58.457813 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:59.459669 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:00.461488 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:01.463321 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:02.465314 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:02.943712 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [P.], seq 72:108, ack 805, win 4101, length 36
22:07:02.944394 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 805:881, ack 108, win 257, length 76
22:07:02.985280 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 881, win 4101, length 0
22:07:03.467029 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
[root@master1 ~]# ?
master1.gitlab.cn是虚拟机的hostname,我们可以使用-n 参数让它显示ip地址
因为我这里是xshell连接到我的虚拟机的,所以数据包中还有我的物理机器的数据,像192.168.64.1这个就是我们VMware虚拟网卡的ip地址,我们的虚拟机桥在这个上面跟宿主机通讯的,像103.235.46.39这个就是百度的地址,我们的ping命令是ICMP协议
我们也可以删选出ip信息
[root@master1 ~]# tcpdump -n -r a.cap | awk '{print $3}'|sort -u
reading from file a.cap, link-type EN10MB (Ethernet)
14.215.177.39
192.168.64.150
192.168.64.150.39558
192.168.64.150.48767
192.168.64.150.ssh
192.168.64.1.58981
192.168.64.1.64936
8.8.8.8.domain只提取来源是某个ip的信息(反之,也有目标ip的用法,把src改成dst)
[root@master1 ~]# tcpdump -n src host 192.168.64.1 -r a.cap
reading from file a.cap, link-type EN10MB (Ethernet)
22:42:18.668878 IP 192.168.64.1.58981 > 192.168.64.150.ssh: Flags [.], ack 3970072284, win 4102, length 0
22:42:20.226106 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [P.], seq 38624183:38624219, ack 3657068809, win 4104, length 36
22:42:20.267374 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 37, win 4104, length 0
22:42:20.319094 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 137, win 4103, length 0
22:42:20.408773 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 253, win 4103, length 0
22:42:21.357347 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 369, win 4102, length 0
22:42:22.323316 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 721, win 4101, length 0
[root@master1 ~]# 查询某个端口的信息
[root@master1 ~]# tcpdump -n tcp port 64936 -r a.cap 补充:查看更加详细的信息,可以加如下的参数
[root@master1 ~]# tcpdump -A -r a.cap //以ASCII形式展示
[root@master1 ~]# tcpdump -X -r a.cap //以16进制展示,这个就像我们的wireshark其他命令:
1. tcpdump -i ens33 tcp port 22 指定抓取22端口,当然我们这里也可以指定其他协议,例如:ICMP。
因为这里是shell连接的,通过ssh连接,ssh的端口默认就是22,所以我输入上面的命令,立马就不断打印信息。
