IT数码 购物 网址 头条 软件 日历 阅读 图书馆
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
图片批量下载器
↓批量下载图片,美女图库↓
图片自动播放器
↓图片自动播放器↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁
 
   -> 系统运维 -> tcpdump抓包(一) -> 正文阅读

[系统运维]tcpdump抓包(一)

这里我们学习的是tcpdump抓包

默认情况不加参数tcpdump抓包的话只抓每个数据包的前68个字节,也就是通常情况下抓完整的tcp,ip还有二层包头信息。当然我们如果要进行数据深入的分析的话,还是远远不够的,68个字节只能知道从哪里传到哪里以及端口信息。如果想要抓取完整的信息,还是需要借助一些参数的使用。

我这里宿主机hosts文件是

[root@master1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.64.150    master1.gitlab.cn
[root@master1 ~]# 

基础命令

[root@master1 ~]# tcpdump -i ens33 -s 0  -w a.cap

参数分析:

-i 指定那个网卡

-s 指定数据包大小(默认是68个字节,0表示数据包全部字节)

-w 抓到的数据包放到某个文件下

这里我们ping一下百度这个网站,我们发现抓了75个包,查看一下a.cap这个文件

[root@master1 ~]# tcpdump  -r  a.cap 
reading from file a.cap, link-type EN10MB (Ethernet)
22:06:42.293523 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 527595354:527595478, ack 2050987823, win 257, length 124
22:06:42.293719 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 124, win 4100, length 0
22:06:42.431504 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:42.791524 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 1:37, ack 124, win 4100, length 36
22:06:42.791696 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 124:160, ack 37, win 257, length 36
22:06:42.833058 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 160, win 4100, length 0
22:06:43.004906 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 37:73, ack 160, win 4100, length 36
22:06:43.005310 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 160:196, ack 73, win 257, length 36
22:06:43.046371 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 196, win 4106, length 0
22:06:43.142910 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 73:109, ack 196, win 4106, length 36
22:06:43.143074 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 196:232, ack 109, win 257, length 36
22:06:43.184246 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 232, win 4106, length 0
22:06:43.283044 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 109:145, ack 232, win 4106, length 36
22:06:43.283261 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 232:268, ack 145, win 257, length 36
22:06:43.325452 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 268, win 4105, length 0
22:06:43.388709 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 145:181, ack 268, win 4105, length 36
22:06:43.388886 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 268:304, ack 181, win 257, length 36
22:06:43.430068 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 304, win 4105, length 0
22:06:43.433035 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:43.515735 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 181:217, ack 304, win 4105, length 36
22:06:43.515935 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 304:340, ack 217, win 257, length 36
22:06:43.556116 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 340, win 4105, length 0
22:06:43.637828 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [P.], seq 217:253, ack 340, win 4105, length 36
22:06:43.638022 IP master1.gitlab.cn.ssh > 192.168.64.1.49378: Flags [P.], seq 340:376, ack 253, win 257, length 36
22:06:43.678734 IP 192.168.64.1.49378 > master1.gitlab.cn.ssh: Flags [.], ack 376, win 4105, length 0
22:06:44.434714 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:45.436320 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:45.526606 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [P.], seq 2388175140:2388175176, ack 3173181690, win 4104, length 36
22:06:45.526771 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 1:85, ack 36, win 257, length 84
22:06:45.567345 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 85, win 4104, length 0
22:06:46.437425 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:47.439275 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:48.440636 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:49.442906 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:50.445070 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:51.446604 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:52.448441 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:52.720313 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [P.], seq 36:72, ack 85, win 4104, length 36
22:06:52.721010 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 85:121, ack 72, win 257, length 36
22:06:52.731663 IP master1.gitlab.cn.47778 > dns.google.domain: 6898+ A? www.baidu.com. (31)
22:06:52.761255 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 121, win 4104, length 0
22:06:52.770334 IP dns.google.domain > master1.gitlab.cn.47778: 6898 3/0/0 CNAME www.a.shifen.com., CNAME www.wshifen.com., A 103.235.46.39 (100)
22:06:52.770698 IP master1.gitlab.cn > 103.235.46.39: ICMP echo request, id 4588, seq 1, length 64
22:06:52.770838 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 121:221, ack 72, win 257, length 100
22:06:52.811795 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 221, win 4103, length 0
22:06:53.012121 IP 103.235.46.39 > master1.gitlab.cn: ICMP echo reply, id 4588, seq 1, length 64
22:06:53.012289 IP master1.gitlab.cn.36903 > dns.google.domain: 22593+ PTR? 39.46.235.103.in-addr.arpa. (44)
22:06:53.057046 IP dns.google.domain > master1.gitlab.cn.36903: 22593 NXDomain 0/1/0 (132)
22:06:53.057952 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 221:337, ack 72, win 257, length 116
22:06:53.099038 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 337, win 4103, length 0
22:06:53.450333 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:53.770648 IP master1.gitlab.cn > 103.235.46.39: ICMP echo request, id 4588, seq 2, length 64
22:06:54.001596 IP 103.235.46.39 > master1.gitlab.cn: ICMP echo reply, id 4588, seq 2, length 64
22:06:54.001713 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 337:453, ack 72, win 257, length 116
22:06:54.042291 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 453, win 4102, length 0
22:06:54.452240 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:54.771135 IP master1.gitlab.cn > 103.235.46.39: ICMP echo request, id 4588, seq 3, length 64
22:06:54.996775 IP 103.235.46.39 > master1.gitlab.cn: ICMP echo reply, id 4588, seq 3, length 64
22:06:54.998968 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 453:729, ack 72, win 257, length 276
22:06:54.999138 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 729:805, ack 72, win 257, length 76
22:06:54.999295 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 805, win 4101, length 0
22:06:55.453601 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:56.455062 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:57.456383 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:57.738435 ARP, Request who-has gateway tell master1.gitlab.cn, length 28
22:06:57.738564 ARP, Reply gateway is-at 00:50:56:ee:f2:d8 (oui Unknown), length 46
22:06:58.457813 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:06:59.459669 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:00.461488 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:01.463321 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:02.465314 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
22:07:02.943712 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [P.], seq 72:108, ack 805, win 4101, length 36
22:07:02.944394 IP master1.gitlab.cn.ssh > 192.168.64.1.51170: Flags [P.], seq 805:881, ack 108, win 257, length 76
22:07:02.985280 IP 192.168.64.1.51170 > master1.gitlab.cn.ssh: Flags [.], ack 881, win 4101, length 0
22:07:03.467029 IP master1.gitlab.cn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
[root@master1 ~]# 

?

master1.gitlab.cn是虚拟机的hostname,我们可以使用-n 参数让它显示ip地址

因为我这里是xshell连接到我的虚拟机的,所以数据包中还有我的物理机器的数据,像192.168.64.1这个就是我们VMware虚拟网卡的ip地址,我们的虚拟机桥在这个上面跟宿主机通讯的,像103.235.46.39这个就是百度的地址,我们的ping命令是ICMP协议

我们也可以删选出ip信息

[root@master1 ~]# tcpdump -n -r a.cap | awk '{print $3}'|sort -u
reading from file a.cap, link-type EN10MB (Ethernet)
14.215.177.39
192.168.64.150
192.168.64.150.39558
192.168.64.150.48767
192.168.64.150.ssh
192.168.64.1.58981
192.168.64.1.64936
8.8.8.8.domain

只提取来源是某个ip的信息(反之,也有目标ip的用法,把src改成dst)

[root@master1 ~]#  tcpdump  -n src host 192.168.64.1 -r a.cap 
reading from file a.cap, link-type EN10MB (Ethernet)
22:42:18.668878 IP 192.168.64.1.58981 > 192.168.64.150.ssh: Flags [.], ack 3970072284, win 4102, length 0
22:42:20.226106 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [P.], seq 38624183:38624219, ack 3657068809, win 4104, length 36
22:42:20.267374 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 37, win 4104, length 0
22:42:20.319094 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 137, win 4103, length 0
22:42:20.408773 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 253, win 4103, length 0
22:42:21.357347 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 369, win 4102, length 0
22:42:22.323316 IP 192.168.64.1.64936 > 192.168.64.150.ssh: Flags [.], ack 721, win 4101, length 0
[root@master1 ~]# 

查询某个端口的信息

[root@master1 ~]#  tcpdump  -n tcp port 64936 -r a.cap 

补充:查看更加详细的信息,可以加如下的参数

[root@master1 ~]# tcpdump  -A -r a.cap      //以ASCII形式展示
[root@master1 ~]# tcpdump  -X -r a.cap    //以16进制展示,这个就像我们的wireshark

其他命令:

1. tcpdump -i ens33 tcp port 22 指定抓取22端口,当然我们这里也可以指定其他协议,例如:ICMP。

因为这里是shell连接的,通过ssh连接,ssh的端口默认就是22,所以我输入上面的命令,立马就不断打印信息。

  系统运维 最新文章
配置小型公司网络WLAN基本业务(AC通过三层
如何在交付运维过程中建立风险底线意识,提
快速传输大文件,怎么通过网络传大文件给对
从游戏服务端角度分析移动同步(状态同步)
MySQL使用MyCat实现分库分表
如何用DWDM射频光纤技术实现200公里外的站点
国内顺畅下载k8s.gcr.io的镜像
自动化测试appium
ctfshow ssrf
Linux操作系统学习之实用指令(Centos7/8均
上一篇文章      下一篇文章      查看所有文章
加:2021-07-29 12:03:21  更:2021-07-29 12:05:00 
 
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁

360图书馆 购物 三丰科技 阅读网 日历 万年历 2024年11日历 -2024/11/15 0:42:10-

图片自动播放器
↓图片自动播放器↓
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
图片批量下载器
↓批量下载图片,美女图库↓
  网站联系: qq:121756557 email:121756557@qq.com  IT数码