Reposted from: https://www.cnblogs.com/maifengqiang/p/3863168.html
1. Capture packets on the loopback interface: tcpdump -i lo
2. Prevent packets from being truncated: tcpdump -s0
3. Show hosts and ports as numbers: tcpdump -n
The first kind is the type keywords, mainly host, net and port. For example, host 210.27.48.2 states that 210.27.48.2 is a host, net 202.0.0.0 states that 202.0.0.0 is a network address, and port 23 states that the port number is 23. If no type is given, the default type is host.
The second kind is the keywords that fix the direction of transmission, mainly src, dst, dst or src, and dst and src. For example, src 210.27.48.2 states that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 states that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.
The third kind is the protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi selects the particular network protocol used on FDDI (distributed fiber data interface) networks; it is in fact an alias for "ether", and since fddi and ether have similar source and destination addresses, fddi packets can be handled and analysed as ether packets. The other keywords select the protocol of the packets to capture. If no protocol is given, tcpdump captures packets of all protocols.
Besides these three kinds of keywords, the other important keywords are gateway, broadcast, less and greater, plus three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions to suit your needs; a few examples follow.
Normally, starting tcpdump with no arguments monitors every packet flowing through the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
Use the -i parameter to specify the network interface tcpdump listens on; this is very useful when the computer has several network interfaces.
Use the -c parameter to specify how many packets to capture.
Use the -w parameter to write the captured packets to a file.
A. To capture all packets received and sent by host 210.27.48.1:
#tcpdump host 210.27.48.1
B. To capture traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command: (when using parentheses on the command line, be sure to
#tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
C. To capture IP packets of host 210.27.48.1 communicating with every host except host 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D. To capture telnet packets received or sent by host 210.27.48.1, use the following command:
#tcpdump tcp port 23 host 210.27.48.1
E. Monitor UDP port 123 on the local machine; 123 is the NTP service port.
# tcpdump udp port 123
F. The system will only monitor packets of the host named hostname. The host name can be the local host or any computer on the network. The following command reads all data sent by host hostname:
#tcpdump -i eth0 src host hostname
G. The following command monitors all packets sent to host hostname:
#tcpdump -i eth0 dst host hostname
H. We can also monitor packets passing through a specified gateway:
#tcpdump -i eth0 gateway Gatewayname
I. If you also want to monitor TCP or UDP packets addressed to a specified port, run the following command:
#tcpdump -i eth0 host hostname and port 80
If we only want to list packets sent to port 80, use dst port; if we only want to see packets returning from port 80, use src port.
#tcpdump -i eth0 host hostname and dst port 80     destination port is 80
or
#tcpdump -i eth0 host hostname and src port 80     source port is 80, usually a host providing the http service
If there are many conditions, put and, or, or not before each condition.
#tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80
If promiscuous mode is used on an ethernet interface, the system log records:
May  7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May  7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May  7 20:03:57 localhost kernel: device eth0 left promiscuous mode
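As an added example (not part of the original article), a small Python routine that reads kernel log lines like the ones above and pairs each "entered promiscuous mode" message with the matching "left" message per device, so a log review can see when, and for how long, an interface was sniffing. The two sample lines beyond the three quoted above are constructed.

```python
import re

# Kernel log lines of the form quoted above; timestamp, device and action are captured.
PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"device (?P<dev>\S+) (?P<action>entered|left) promiscuous mode$"
)

def promiscuous_intervals(log_lines):
    """Pair every 'entered promiscuous mode' with the next 'left' for the same device.
    Returns {device: [(entered_at, left_at), ...]}; left_at is None when the interface
    is still in promiscuous mode at the end of the log, which is the case worth alerting on."""
    open_since = {}
    intervals = {}
    for line in log_lines:
        m = PROMISC_RE.match(line)
        if m is None:
            continue    # unrelated message, or the driver's own "Promiscuous mode enabled." line
        dev, ts = m["dev"], m["ts"]
        if m["action"] == "entered":
            open_since.setdefault(dev, ts)      # a repeated 'entered' keeps the first timestamp
        elif dev in open_since:
            intervals.setdefault(dev, []).append((open_since.pop(dev), ts))
    for dev, ts in open_since.items():          # still promiscuous when the log ends
        intervals.setdefault(dev, []).append((ts, None))
    return intervals

# Sample log: the three lines from the article, plus two constructed lines
# (an unrelated sshd message, and an eth1 that never leaves promiscuous mode).
SAMPLE_LOG = [
    "May  7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.",
    "May  7 20:03:46 localhost kernel: device eth0 entered promiscuous mode",
    "May  7 20:03:57 localhost kernel: device eth0 left promiscuous mode",
    "May  7 20:05:01 localhost sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50122",
    "May  7 20:06:12 localhost kernel: device eth1 entered promiscuous mode",
]
```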
tcpdump does not fully decode the captured data; most of the packet contents are printed directly in hexadecimal. This is clearly inconvenient for diagnosing network faults, so the usual approach is to first capture the data with tcpdump -w and save it to a file, then decode and analyse it with another program. Filter rules should of course also be defined, so that the captured packets do not fill the whole hard disk.
# tcpdump -i eth1 src host 211.167.237.199
00:02:03.096713 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010208:2010352(144) ack 33377 win 8576
00:02:03.096951 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010352:2010496(144) ack 33377 win 8576
00:02:03.100928 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010496:2010640(144) ack 33377 win 8576
00:02:03.101165 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010640:2010784(144) ack 33377 win 8576
00:02:03.102554 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010784:2010928(144) ack 33425 win 8576
This shows that at 00:02:03, 211.167.237.199 was connected from its ssh source port to port 1467 of 221.216.165.189.
#tcpdump -i eth1 src host 211.167.237.199 and dst port 1467
00:09:27.603075 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180400:180544(144) ack 2833 win 8576
00:09:27.605631 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180544:180688(144) ack 2881 win 8576
Capture all packets entering through eth0 whose source address (src) is the host (host) 192.168.0.5 and (and) whose destination (dst) port (port) is 80
View the network card's packet transmit and receive status
$ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 14639 0 0 0 5705 119 0 0 BMRU
Iface: network interface
RX-OK RX-ERR RX-DRP RX-OVR: the number of packets the card received correctly, and the totals of errors, losses and collisions
TX-OK TX-ERR TX-DRP TX-OVR: the number of packets the card sent correctly, and the totals of errors, losses and collisions
[root@linux ~]# tcpdump [-nn] [-i interface] [-w filename] [-c count] [-Ae] [-qX] [-r file] [data to capture]
Options:
-nn: show IP addresses and port numbers directly, rather than host names and service names
-i : followed by the network interface to "listen" on, for example eth0, lo, ppp0 and so on;
-w : if you want to save the captured packet data, this is the parameter to use! It is followed by the file name
-c : the number of packets to capture; without this parameter, tcpdump keeps listening until the user presses [ctrl]-c.
-A : show the packet contents as ASCII, usually used to capture WWW web page packets.
-e : show the MAC packet data of the data link layer (OSI layer 2);
-q : list only brief packet information, so each line is more compact
-X : list the packet contents in both hexadecimal (hex) and ASCII, very useful for inspecting packet contents
-r : read the packet data from the file that follows. That "file" must already exist, and it must have been produced with -w.
Data to capture: we can capture packets for specific protocols or IP sources only, which simplifies the output and yields the most useful information. Common expressions are:
    'host foo', 'host 127.0.0.1' : capture packets for a single host
    'net 192.168' : capture packets for a network;
    'src host 127.0.0.1' 'dst net 192.168' : additionally restrict by source (src) or destination (dst)
    'tcp port 21' : you can also select by protocol, such as tcp, udp, arp, ether and so on
    You can also use and and or to combine the packet data shown!
Example 1: capture the packets on the eth0 network card, showing IPs and port numbers, for 3 seconds
[root@linux ~]# tcpdump -i eth0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648
<== ends after pressing [ctrl]-c
6680 packets captured               <== number of packets captured
14250 packets received by filter    <== total number of packets received by the filter
7512 packets dropped by kernel      <== packets dropped by the kernel
If you are looking at tcpdump's man page for the first time you will surely be baffled, because tcpdump is almost entirely about analysing packet header data, and a user without a basic grounding in network packets will find it very hard to understand! So at the very least you should go back to the networking basics and understand the TCP packet header fields. ^_^ As for the output produced in example 1, we can roughly split it into several fields; taking the highlighted line from example 1 as the illustration:
01:33:40.41: the time at which this packet was captured, in "hours:minutes:seconds";
IP: the protocol carried is IP;
192.168.1.100.22 >: the sender is the IP 192.168.1.100, sending from port number 22. You must understand that the greater-than sign (>) indicates the direction in which the packet travels!
192.168.1.11.1190: the receiver's IP is 192.168.1.11, and that host has port 1190 open to receive;
P 116:232(116): this packet carries the PUSH data-transfer flag, and the data carried is bytes 116~232 of the whole stream, so this packet carries 116 bytes of data;
ack 1 win 9648: the ACK and window size information.
Put most simply, this packet was sent from 192.168.1.100 to 192.168.1.11, from port 22 to port 1190, carrying 116 bytes of data, with the PUSH flag set rather than an active-connection flag such as SYN. Heh! Not easy to read, is it? That is why we said above that you really must go and look at the TCP header fields!
Next, on a host whose network is very busy, when all you want is the packet data of one particular host connecting to you, you could use tcpdump together with pipes and regular expressions, but that is still hard to catch! With tcpdump's expression syntax we can easily pull out just the data we need. In example 1 above we only listened on eth0, so everything on the eth0 interface was displayed on the screen, which is hard to analyse! Can we simplify it? For example, to extract only the connection packets for port 21, do this:
[root@linux ~]# tcpdump -i eth0 -nn port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 1 win 65535
01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240: P 1:21(20) ack 1 win 5840
01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 21 win 65515
01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840
See! Now only port 21 information is shown, and if you look closely you will notice that the packets travel in both directions: the client sends a "request" and the server gives a "response", so of course there is traffic going out and coming back! By following the flow of these packets we can understand how a packet exchange proceeds. For example: first start listening with "tcpdump -i lo -nn" in one terminal window, then open another terminal window and log into the local machine (127.0.0.1) with "ssh localhost". What will the output be?
[root@linux ~]# tcpdump -i lo -nn
1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
2 listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
3 11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767
4 11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767
5 11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192
6 11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192
7 11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192
The first two lines above are tcpdump's basic notices, and then:
line 3 shows "a packet from the client carrying the SYN active-connection flag";
line 4 shows "a packet from the server which, besides acknowledging the client (ACK), also carries the SYN active-connection flag";
line 5 shows the client replying to the server to confirm that the connection is established (ACK);
from line 6 onwards the data transfer steps begin.
Look at the flow in lines 3-5: familiar? That's right! That is the basic flow of the three-way handshake! Fun, isn't it? But the reason tcpdump is counted among the hacker tools goes beyond the functions introduced above! The functions introduced here can be used to analyse the flow of our host's connections and transfers, which helps us understand how packets work and whether our host's firewall rules need revising.
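As an added example (not from the original article or from tcpdump itself), a Python parser for the old-style tcpdump TCP summary lines shown in this article: it splits a line into the fields explained above (time, addresses, ports, flags, payload length, ack, window) and recognises the SYN, SYN+ACK, ACK three-way handshake of lines 3-5. The regular expression and the connection-tracking logic are this example's own assumptions about the line format; the sample lines are the article's loopback capture.

```python
import re
# One old-style tcpdump TCP line:  HH:MM:SS[.frac] IP src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win N
# FLAGS: S = SYN, P = PUSH, F = FIN, R = RST, "." = no flag set (a bare ACK)
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFRPUEW.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

def parse_line(line):
    """Split one tcpdump line into a dict of fields; None for notices, UDP or 802.1d lines.
    Ports stay text because without -nn tcpdump prints service names such as "ssh"."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    f["len"] = int(f["len"] or 0)                    # payload bytes: the (116) of 116:232(116)
    f["ack"] = int(f["ack"]) if f["ack"] else None   # None only on the client's bare SYN
    f["win"] = int(f["win"])
    return f

def find_handshakes(lines):
    """Return (client_ip, client_port, server_ip, server_port) for every completed
    SYN -> SYN+ACK -> ACK exchange, i.e. lines 3-5 of the loopback capture above."""
    stage = {}   # connection key seen from the client -> 1 after SYN, 2 after SYN+ACK
    done = []
    for raw in lines:
        p = parse_line(raw)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # key from the sender's side
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if "S" in p["flags"] and p["ack"] is None:           # client SYN opens it
            stage[fwd] = 1
        elif "S" in p["flags"] and stage.get(rev) == 1:      # server SYN+ACK answers it
            stage[rev] = 2
        elif "S" not in p["flags"] and stage.get(fwd) == 2:  # client ACK completes it
            del stage[fwd]
            done.append(fwd)
    return done

# Sample input: the article's loopback "ssh localhost" capture (line numbers dropped) plus one example 1 line
SAMPLE = [
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
    "11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767",
    "11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767",
    "11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192",
    "11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192",
    "11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192",
    "01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648",
]
```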