tcpdump tutorial: capturing and analyzing packets from the command line

Reader submission 1353 2022-09-22


Preface

Before introducing and using tcpdump, make sure you have mastered, or at least understand, the following key concepts; otherwise the rest of this article will be somewhat painful.

- You can work on the Linux command line
- You understand the concept of the seven-layer OSI network model
- You are familiar with the protocol headers at each layer, above all IP/TCP/UDP
- You know which OSI layers switches and routers correspond to

Also note the following:

Introduction to tcpdump

tcpdump is the premier network analysis tool for information security professionals. tcpdump is a command-line network analyzer tool, or more technically a packet sniffer. Having a solid grasp of this uber-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. It can be thought of as the command-line version of Wireshark (only to a certain extent, since Wireshark is much more powerful and capable). Many prefer to use higher-level analysis tools such as Wireshark, but I believe this is usually a mistake: you must know how Wireshark works underneath.

As a command-line tool tcpdump is quite powerful for network analysis, since filter expressions can be passed in and tcpdump will pick up only the matching packets and dump them.

Installing tcpdump

```
### CentOS
[root@localhost ~]# yum search tcpdump
======================== Matched: tcpdump ===============================
arpwatch.i386 : Network monitoring tools for tracking IP addresses on a network.
libpcap.i386 : A system-independent interface for user-level packet capture.
libpcap-devel.i386 : A pcap library.
tcpdump.i386 : A network traffic monitoring tool.
[root@localhost ~]# yum -y install tcpdump

### Ubuntu
$ sudo apt-get install tcpdump
```

On Linux, tcpdump depends on the libpcap library; for more about libpcap, see here.

tcpdump command-line options

The following options help us get more out of tcpdump. They are easy to forget and easy to confuse, so consult man tcpdump whenever in doubt.

First, depending on the situation, I like to add a few options to the tcpdump command itself. The first is -n, which disables name resolution so that results are shown as IP addresses. The second is -X, which displays the packet contents in hex and ASCII. The last is -S, which shows absolute rather than relative sequence numbers.

It is important to know that, by default, tcpdump captures only the first 96 bytes of each packet. If you want to capture more, add the -s number option, where number is the number of bytes you want to capture. I recommend using 0 (zero) as the number, which captures the full contents of every packet.

These are the options I use most often:

tcpdump basic usage

1. -n  Don't convert host addresses to names. This can be used to avoid DNS lookups.

```
[root@localhost ~]# tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:25:33.472001 IP 192.168.27.129.46255 > 192.168.27.2.53:  36340+ A? baidu.com. (31)
```

By default, tcpdump listens on the first network interface and captures every packet that passes through it. Let's look at this line of tcpdump output.

The first field, "17:25:33.472001", is a timestamp with millisecond-level precision.

The second field, "IP", is the packet's protocol.

The third field, "192.168.27.129.46255", is the source IP address joined with the source port.

The fourth field, "192.168.27.2.53", is the destination IP address joined with the destination port, followed by some information about the packet.
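To make the field layout just described concrete, here is an added example (not part of the original post) that parses `tcpdump -n` summary lines into their fields and tallies who talks to whom on which port. The sample lines are constructed (the first is the DNS query shown above), and the parser assumes IPv4 addresses as printed with -n, where the port is glued to the address with one more dot.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample lines in the shape `tcpdump -n` prints for IPv4 traffic.
# The first is the DNS query shown above; the others are made up for the example.
SAMPLE_LINES = [
    "17:25:33.472001 IP 192.168.27.129.46255 > 192.168.27.2.53: 36340+ A? baidu.com. (31)",
    "17:25:33.480200 IP 192.168.27.2.53 > 192.168.27.129.46255: 36340 1/0/0 A 10.0.0.1 (47)",
    "17:25:34.001234 IP 192.168.27.129.51422 > 10.0.0.1.80: Flags [S], seq 1000, win 64240, length 0",
    "17:25:35.100000 IP 192.168.27.129 > 192.168.27.2: ICMP echo request, id 7, seq 1, length 64",
]

class Summary(NamedTuple):
    timestamp: str
    proto: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    info: str

# timestamp, protocol, source, '>', destination, ':', rest of the line
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) > ([^\s:]+):\s*(.*)$")

def split_endpoint(endpoint: str):
    """'192.168.27.129.46255' -> ('192.168.27.129', 46255).

    With -n an IPv4 endpoint is the dotted quad plus the port, joined by another
    dot, so the port is the fifth component; ICMP lines carry the bare address.
    """
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None

def parse_summary(line: str) -> Summary:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump summary line: {line!r}")
    ts, proto, src, dst, info = m.groups()
    return Summary(ts, proto, *split_endpoint(src), *split_endpoint(dst), info)

def destinations(lines) -> Counter:
    """Count (src_host, dst_host, dst_port) triples: who talks to whom, on which port."""
    return Counter((s.src_host, s.dst_host, s.dst_port) for s in map(parse_summary, lines))
```

Feeding a saved `tcpdump -n` log through `destinations()` gives a quick inventory of unexpected destination ports before opening the capture in a heavier tool.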

2. -v, -vv, -vvv  verbose, very verbose, very very verbose.
   -S  Print absolute, rather than relative, TCP sequence numbers.

```
[root@localhost ~]# tcpdump -nnvvS
```

3. -X  Print each packet (minus its link level header) in hex and ASCII.

```
[root@localhost ~]# tcpdump -nnvvXS
```

4. -s  Increases the default snaplength, grabbing the whole packet.

```
[root@localhost ~]# tcpdump -nnvvXS -s 1514
[root@localhost ~]# tcpdump -nnvvXS -s0
```

5. Capture exactly two (-c2) ICMP packets (a ping).

```
[root@localhost ~]# tcpdump -nnvvXS -s0 -c2
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:20:16.361251 IP (tos 0x0, ttl  64, id 28517, offset 0, flags [DF], proto: UDP (17), length: 59) 192.168.27.129.56183 > 192.168.27.2.53: [udp sum ok]  8002+ A? baidu.com. (31)
    0x0000:  4500 003b 6f65 4000 4011 1379 c0a8 1b81  E..;oe@.@..y....
    0x0010:  c0a8 1b02 db77 0035 0027 90dc 1f42 0100  .....w.5.'...B..
    0x0020:  0001 0000 0000 0000 0377 7777 0562 6169  .........bai
    0x0030:  6475 0363 6f6d 0000 0100 01              du.com.....
19:20:16.468176 IP (tos 0x0, ttl 128, id 182, offset 0, flags [none], proto: UDP (17), length: 118) 192.168.27.2.53 > 192.168.27.129.56183: [udp sum ok]  8002 q: A? baidu.com. 3/0/0 baidu.com. CNAME a.shifen.com., a.shifen.com. A 61.135.169.105, a.shifen.com. A 61.135.169.125 (90)
    0x0000:  4500 0076 00b6 0000 8011 81ed c0a8 1b02  E..v............
    0x0010:  c0a8 1b81 0035 db77 0062 48e9 1f42 8180  .....5.w.bH..B..
    0x0020:  0001 0003 0000 0000 0377 7777 0562 6169  .........bai
    0x0030:  6475 0363 6f6d 0000 0100 01c0 0c00 0500  du.com..........
    0x0040:  0100 0000 0500 0f03 7777 7701 6106 7368  ........a.sh
    0x0050:  6966 656e c016 c02b 0001 0001 0000 0005  ifen...+........
    0x0060:  0004 3d87 a969 c02b 0001 0001 0000 0005  ..=..i.+........
    0x0070:  0004 3d87 a97d                           ..=..}
2 packets captured
3 packets received by filter
0 packets dropped by kernel
```
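As an added example, not from the original post, the following Python rebuilds the first packet above from its -X hex columns and decodes the IPv4, UDP and DNS fields that tcpdump printed in the summary line, so the hex and the decoded text can be checked against each other. It assumes the three-column -X layout (offset, hex groups, ASCII) and a DNS question without compression pointers.

```python
import re
import struct
import ipaddress

# The first packet of the -X capture above, re-typed from the page's hex columns.
# Each line is: offset, up to 8 groups of 2 bytes, then an ASCII column.
HEXDUMP = """\
0x0000:  4500 003b 6f65 4000 4011 1379 c0a8 1b81  E..;oe@.@..y....
0x0010:  c0a8 1b02 db77 0035 0027 90dc 1f42 0100  .....w.5.'...B..
0x0020:  0001 0000 0000 0000 0377 7777 0562 6169  .........bai
0x0030:  6475 0363 6f6d 0000 0100 01              du.com.....
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw packet from tcpdump -X lines; the three columns are
    separated by two or more spaces, so splitting on those isolates the hex."""
    out = bytearray()
    for line in dump.splitlines():
        if line.strip():
            columns = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            out += bytes.fromhex(columns[1])      # fromhex ignores the single spaces
    return bytes(out)

def decode_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 and UDP headers: the fields tcpdump -v prints in the summary."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes, options included
    sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "version": ver_ihl >> 4, "tos": tos, "length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport, "dport": dport, "payload": pkt[ihl + 8:],
    }

def dns_question(payload: bytes) -> tuple:
    """Return (transaction id, queried name) from the DNS message in a UDP payload."""
    txid = struct.unpack("!H", payload[:2])[0]
    labels, i = [], 12                            # question section follows the 12-byte header
    while payload[i]:                             # a zero-length label ends the name
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return txid, ".".join(labels)

if __name__ == "__main__":
    hdr = decode_ipv4_udp(hexdump_to_bytes(HEXDUMP))
    print(hdr["src"], hdr["sport"], ">", hdr["dst"], hdr["dport"], "ttl", hdr["ttl"],
          "id", hdr["id"], "dns", dns_question(hdr["payload"]))
```

The decoded values line up with the summary line (length 59, id 28517, DF set, ttl 64, UDP 56183 > 53, DNS id 8002), and the question section yields the full name including the www label visible in the hex.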

Common Syntax

Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.

expression: selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which the expression is 'True' will be dumped.

There are three different kinds of qualifier.

type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. If there is no type qualifier, host is assumed.

dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst, and src and dst. If there is no dir qualifier, src or dst is assumed.

proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp, e.g. 'tcp src 192.168.1.2'. If there is no proto qualifier, all protocols consistent with the type are assumed.

Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all they'll be pretty familiar to you:

Examples:

```
### type
## host
# tcpdump host 1.2.3.4
## net
# tcpdump net 1.2.3.0/24
# tcpdump net 1.2
## port
# tcpdump port 80
## src, dst
# tcpdump src 1.2.3.4
# tcpdump dst 1.2.3.4
## proto
# tcpdump icmp
### type, dir, proto
# tcpdump 'src port 3306 and tcp'
# tcpdump 'udp and src port 53'
```

Writing to a File

tcpdump allows you to send what you're capturing to a file for later use using the -w option, and then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.

The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.

```
## capture all port 80 traffic to a file
# tcpdump -s 1514 port 80 -w capture_file
## read captured traffic back into tcpdump
# tcpdump -r capture_file
```
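An added example (not from the original post) showing what -w actually writes and what the snaplen from -s costs you: a minimal writer and reader for the classic pcap format, run on constructed frames. It assumes a little-endian host, which is the byte order the magic number is stored in here; a reader for files from other machines also has to accept the byte-swapped magic.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4    # microsecond-resolution pcap, as written by tcpdump -w
LINKTYPE_ETHERNET = 1      # "link-type EN10MB (Ethernet)" in tcpdump's banner

def write_pcap(packets: List[Tuple[int, int, bytes]], snaplen: int) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) records the way tcpdump -w -s <snaplen> would.

    Global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type.
    Record header: ts_sec, ts_usec, captured length, original length.
    Host byte order is assumed little-endian (struct '<') in this example.
    """
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]                 # bytes beyond snaplen are never stored
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out

def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, captured_len, original_len, frame) for each record."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, _linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError(f"unexpected magic 0x{magic:08x} (byte-swapped or pcapng file?)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, incl, orig, data[off:off + incl]
        off += incl

def truncated_records(data: bytes) -> int:
    """How many records lost bytes to the snaplen (original length > captured length)."""
    return sum(1 for _, _, incl, orig, _ in read_pcap(data) if orig > incl)

# Constructed frames: a short one and a full-size 1514-byte Ethernet frame.
SMALL = b"\xff" * 60
BIG = b"\xaa" * 1514
CAPTURE_96 = write_pcap([(1663845600, 1, SMALL), (1663845600, 2, BIG)], snaplen=96)
CAPTURE_FULL = write_pcap([(1663845600, 1, SMALL), (1663845600, 2, BIG)], snaplen=65535)
```

With snaplen 96 the large frame is stored as 96 bytes while its record still says it was 1514 bytes long, which is exactly the truncation the -s discussion above warns about; nothing beyond the first 96 bytes can be recovered later.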

More Examples

```
# tcpdump -nnvvS 'src 10.5.2.3 and dst port 3306'
# tcpdump 'src 10.0.2.4 and (dst port 3306 or 22)'
## you know what this one is for
# [root@localhost ~]# tcpdump -i eth0 -nnvvXS -s1514 'port 22 or port 23 or port 25 or port 110' | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|pass:|user:|username:|password:|login:|pass |user ' -B20
```

http://danielmiessler.com/study/tcpdump/

http://binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/

http://cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html (good)

http://blog.csdn-/langeldep/article/details/6156818

http://chinaunix-/old_jh/29/674578.html

http://blog.chinaunix-/uid-10328574-id-2951040.html
