
-D option
tcpdump -D lists the interfaces it can capture on. Once you see the list you can decide which interface to capture on. It also tells you whether an interface is up and running, and whether it is a loopback interface:
[root@localhost ~]# tcpdump -D
1.ens160 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (All USB buses) [none]
8.usbmon1 (USB bus number 1)
9.usbmon2 (USB bus number 2)
-c [count] option
The -c option captures the given number of packets and then stops; without it, tcpdump runs until it is interrupted. Use it when you only want a small sample of packets. Note that if there is no traffic on the interface, tcpdump keeps waiting until the count is reached. The three trailer lines report how many packets were captured, how many matched the filter, and how many the kernel dropped because user space could not keep up; a non-zero "dropped by kernel" count means the capture is incomplete.
[root@localhost ~]# tcpdump -c 5 -i any
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:33:47.713379 IP localhost.localdomain.ssh >192.168.43.1.39970: Flags [P.], seq 714380127:714380371, ack 1854022435, win 388, length 244
17:33:47.713785 IP localhost.localdomain.36821 >_gateway.domain: 36365+ PTR? 1.43.168.192.in-addr.arpa. (43)
17:33:47.713939 IP 192.168.43.1.39970 >localhost.localdomain.ssh: Flags [.], ack 244, win 4104, length 0
17:33:47.716053 IP _gateway.domain >localhost.localdomain.36821: 36365 NXDomain 0/1/0 (78)
17:33:47.716543 IP localhost.localdomain.57441 >_gateway.domain: 61445+ PTR? 131.43.168.192.in-addr.arpa. (45)
5 packets captured
9 packets received by filter
0 packets dropped by kernel
-n option
The -n option disables resolution of IP addresses to host names, so addresses are shown numerically. Besides being faster, this keeps the capturing host from sending a reverse-DNS query for every address tcpdump displays (the PTR queries for in-addr.arpa names in the previous output are exactly those lookups):
[root@localhost ~]# tcpdump -c 5 -i any -n
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:36:38.980756 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 714383039:714383283, ack 1854024303, win 388, length 244
17:36:38.981032 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 244:440, ack 1, win 388, length 196
17:36:38.981096 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 440:604, ack 1, win 388, length 164
17:36:38.981153 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 604:768, ack 1, win 388, length 164
17:36:38.981208 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 768:932, ack 1, win 388, length 164
5 packets captured
5 packets received by filter
0 packets dropped by kernel
-s option
tcpdump -s (the snapshot length, or snaplen) controls how many bytes of each packet are captured. The "listening on" line of the previous output shows the default capture size of 262144 bytes. If you only want to inspect packet headers you can capture with a smaller size. Anything beyond the snaplen is discarded, so decoders that need the payload print a truncation marker such as [|domain] or [|tcp] instead of the full decode, and a pcap written with a small snaplen cannot be used to recover payloads later:
[root@localhost ~]# tcpdump -c 5 -i any -n -s64
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
17:47:44.437891 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 714405271:714405515, ack 1854033767, win 388, length 244
17:47:44.438153 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 244:440, ack 1, win 388, length 196
17:47:44.438220 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 440:604, ack 1, win 388, length 164
17:47:44.438301 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 604:768, ack 1, win 388, length 164
17:47:44.438361 IP 192.168.43.131.ssh >192.168.43.1.39970: Flags [P.], seq 768:932, ack 1, win 388, length 164
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Port filter
tcpdump lets you select packets that use a given port as source or destination. For example, to capture DNS traffic you can use port 53. You can prefix port with src or dst, as in src port 53 or dst port 53, to filter further.
[root@localhost ~]# tcpdump -i any port 53 -n
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:50:48.158109 IP 192.168.43.131.47054 >192.168.43.2.domain: 58704+ A? www.baidu.com. (31)
17:50:48.158152 IP 192.168.43.131.47054 >192.168.43.2.domain: 60504+ AAAA? www.baidu.com. (31)
17:50:48.159180 IP 192.168.43.2.domain >192.168.43.131.47054: 60504 1/1/0 CNAME www.a.shifen.com. (115)
17:50:48.162018 IP 192.168.43.2.domain >192.168.43.131.47054: 58704 3/0/0 CNAME www.a.shifen.com., A 180.101.49.11, A 180.101.49.12 (90)
The following captures only packets with source port 53. The -nn option disables both host-name and port-name resolution, which is why 53 is shown instead of domain. Because of -s64, the DNS decoder only sees the first bytes of each message and prints [|domain] for the rest:
[root@localhost ~]# tcpdump -c 5 -i any src port 53 -nn -s64
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
18:00:41.604216 IP 192.168.43.2.53 >192.168.43.131.48245: 50676[|domain]
18:00:41.606390 IP 192.168.43.2.53 >192.168.43.131.48245: 19947[|domain]
18:00:41.631001 IP 192.168.43.2.53 >192.168.43.131.54536: 31350 NXDomain[|domain]
18:00:46.110591 IP 192.168.43.2.53 >192.168.43.131.42379: 17512[|domain]
18:00:46.110603 IP 192.168.43.2.53 >192.168.43.131.42379: 40562[|domain]
5 packets captured
5 packets received by filter
0 packets dropped by kernel
The following captures only packets with destination port 53:
[root@localhost ~]# tcpdump -c 5 -i any dst port 53 -nn -s64
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
18:01:22.568585 IP 192.168.43.131.49444 >192.168.43.2.53: 27625+[|domain]
18:01:22.568623 IP 192.168.43.131.49444 >192.168.43.2.53: 42481+[|domain]
18:01:22.595257 IP 192.168.43.131.45790 >192.168.43.2.53: 28116+[|domain]
18:01:23.850730 IP 192.168.43.131.34861 >192.168.43.2.53: 23444+[|domain]
18:01:23.850762 IP 192.168.43.131.34861 >192.168.43.2.53: 23964+[|domain]
5 packets captured
5 packets received by filter
0 packets dropped by kernel
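The port filters above only select packets; a check that turns the output into something actionable is to look for DNS queries going to a resolver other than the one the host is supposed to use, a common sign of a misconfigured or hijacked resolver or of DNS tunnelling. The following POSIX shell script is an added example, not part of the original article: it parses tcpdump -nn text output of the kind shown above (it relies on the numeric ip.port form, so -nn is required) and reports every destination on port 53 that is not the expected resolver. The input lines are constructed for the example; the resolver address 192.168.43.2 is taken from the output above, while 8.8.8.8 and 198.51.100.7 are made-up offenders.

```shell
#!/bin/sh
# Report DNS queries (destination port 53) sent to resolvers other than the
# expected one, reading tcpdump -nn text output on stdin.
#
# Expected line shape (tcpdump -nn):
#   HH:MM:SS.uuuuuu IP <src-ip>.<src-port> > <dst-ip>.<dst-port>: <decode>
# Name resolution must be off (-nn); otherwise the last dotted component is
# a service name such as "domain" and the port cannot be split off.

unexpected_resolvers() {   # usage: unexpected_resolvers <allowed-resolver-ip>
    awk -v allow="$1" '
    $2 == "IP" && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)                 # "192.168.43.2.53:" -> "192.168.43.2.53"
        n = split(dst, p, ".")
        if (n != 5 || p[5] != "53") next   # IPv4 with destination port 53 only
        ip = p[1] "." p[2] "." p[3] "." p[4]
        if (ip != allow) count[ip]++
    }
    END { for (ip in count) print ip, count[ip] }' | sort
}

# Constructed sample of tcpdump -nn output (not a real capture).
sample_lines() {
    cat <<'EOF'
18:01:22.568585 IP 192.168.43.131.49444 > 192.168.43.2.53: 27625+ A? www.baidu.com. (31)
18:01:22.570102 IP 192.168.43.131.53120 > 8.8.8.8.53: 31111+ A? example.net. (29)
18:01:22.595257 IP 192.168.43.131.45790 > 192.168.43.2.53: 28116+ AAAA? www.baidu.com. (31)
18:01:23.850730 IP 192.168.43.131.34861 > 198.51.100.7.53: 23444+ TXT? data.tunnel.example. (37)
18:01:23.851002 IP 192.168.43.131.34861 > 198.51.100.7.53: 23964+ TXT? more.tunnel.example. (37)
18:01:24.104471 IP 192.168.43.131.51000 > 203.0.113.9.443: Flags [S], seq 1, win 29200, length 0
18:01:24.210333 IP 192.168.43.2.53 > 192.168.43.131.49444: 27625 1/0/0 A 180.101.49.11 (47)
EOF
}

# Live usage: tcpdump -i any -nn port 53 | unexpected_resolvers 192.168.43.2
# With the constructed sample this prints:
#   198.51.100.7 2
#   8.8.8.8 1
if [ "${1:-}" = "--demo" ]; then
    sample_lines | unexpected_resolvers 192.168.43.2
fi
```

Replies from the resolver (source port 53) and non-DNS traffic are ignored, so the report lists only the hosts that received queries. Run it against a saved capture with tcpdump -nn -r dns.pcap instead of a live interface if you want a repeatable result.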
-w option
To write tcpdump's output to a file, use the -w option. With -w the packets are stored in pcap format instead of being decoded to the terminal. If you also want to see how many packets have been written, add -v, which periodically reports the count on stderr while capturing.
[root@localhost ~]# tcpdump -c 4 -i any port 53 -nn -w dns.pcap -v
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
4 packets captured
6 packets received by filter
0 packets dropped by kernel
tcpdump is used to capture and analyze network traffic. System administrators can use it to view live traffic or save the output to a file and analyze it later. Five more commonly used options and filter keywords are listed below.
-r option
If you have written a .pcap file, you know you cannot read its contents with a text editor. Use -r file.pcap instead: it reads the saved capture and decodes it just like live traffic, and filter expressions and options such as -nn work when reading too. When analysing a capture taken on a hostile or sensitive network, read it with -nn; otherwise tcpdump sends a reverse-DNS lookup for every address in the file, telling the resolver which hosts you are investigating.
# write the .pcap file
[root@localhost ~]# tcpdump -c 4 -i any port 53 -nn -w dns.pcap -v
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
4 packets captured
8 packets received by filter
0 packets dropped by kernel
# read the .pcap file with -r
[root@localhost ~]# tcpdump -r dns.pcap
reading from file dns.pcap, link-type LINUX_SLL (Linux cooked)
dropped privs to tcpdump
19:33:54.533792 IP localhost.localdomain.48048 >_gateway.domain: 30912+ A? www.bai. (25)
19:33:54.533835 IP localhost.localdomain.48048 >_gateway.domain: 51681+ AAAA? www.bai. (25)
19:33:54.537733 IP _gateway.domain >localhost.localdomain.48048: 51681 NXDomain 0/1/0 (100)
19:33:54.539312 IP _gateway.domain >localhost.localdomain.48048: 30912 NXDomain 0/1/0 (100)
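The -s, -w and -r sections above all come down to what is actually stored in the pcap file: the global header records the snaplen and link type, and every packet record stores both the number of bytes saved and the original length on the wire, so a capture taken with too small a snaplen can be recognised without running any decoder. The following POSIX shell script is an added example, not code from the original article or from tcpdump: it parses the libpcap global header and walks the packet records using only od and shell arithmetic. The two-packet file it builds with make_sample_pcap is constructed for the example; link type 113 is LINUX_SLL, which is what tcpdump -i any writes.

```shell
#!/bin/sh
# Minimal libpcap (.pcap) reader: prints byte order, timestamp unit, snaplen,
# link type, number of packet records, and how many records were cut short
# by the snaplen (incl_len < orig_len). Uses only od and shell arithmetic.

# Print COUNT bytes starting at OFFSET of FILE as unsigned decimal values.
read_bytes() {   # file offset count
    od -A n -t u1 -v -j "$2" -N "$3" "$1"
}

# Combine four byte values into a 32-bit integer in the given byte order.
u32() {   # endian b0 b1 b2 b3
    if [ "$1" = "le" ]; then
        echo $(( $2 | ($3 << 8) | ($4 << 16) | ($5 << 24) ))
    else
        echo $(( ($2 << 24) | ($3 << 16) | ($4 << 8) | $5 ))
    fi
}

pcap_info() {   # file
    f=$1
    set -- $(read_bytes "$f" 0 24)
    [ $# -eq 24 ] || { echo "$f: too short for a pcap header" >&2; return 1; }
    # Magic number: a1b2c3d4 (microseconds) or a1b23c4d (nanoseconds),
    # stored in the writing host's native byte order.
    case "$1 $2 $3 $4" in
        "212 195 178 161") endian=le unit=us ;;   # d4 c3 b2 a1
        "161 178 195 212") endian=be unit=us ;;   # a1 b2 c3 d4
        "77 60 178 161")   endian=le unit=ns ;;   # 4d 3c b2 a1
        "161 178 60 77")   endian=be unit=ns ;;   # a1 b2 3c 4d
        *) echo "$f: not a pcap file (pcapng or another format?)" >&2; return 1 ;;
    esac
    snaplen=$(u32 $endian ${17} ${18} ${19} ${20})    # bytes 16-19
    linktype=$(u32 $endian ${21} ${22} ${23} ${24})   # bytes 20-23

    size=$(wc -c < "$f"); size=$((size))
    off=24 count=0 truncated=0
    # Each record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (on the wire).
    while [ "$off" -lt "$size" ]; do
        set -- $(read_bytes "$f" "$off" 16)
        [ $# -eq 16 ] || { echo "$f: record header cut off at byte $off" >&2; break; }
        incl=$(u32 $endian $9 ${10} ${11} ${12})
        orig=$(u32 $endian ${13} ${14} ${15} ${16})
        if [ "$incl" -lt "$orig" ]; then truncated=$((truncated + 1)); fi
        off=$((off + 16 + incl))
        count=$((count + 1))
    done
    echo "$endian $unit snaplen=$snaplen linktype=$linktype packets=$count truncated=$truncated"
}

# Build a constructed two-packet capture: little-endian, snaplen 64,
# link type 113 (LINUX_SLL). The second record claims 100 bytes on the wire
# but only 4 were stored, i.e. it was cut by the snaplen.
make_sample_pcap() {   # path
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\100\000\000\000\161\000\000\000' > "$1"
    printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\001\002\003\004' >> "$1"
    printf '\002\000\000\000\000\000\000\000\004\000\000\000\144\000\000\000\005\006\007\010' >> "$1"
}

# Usage: sh pcap_info.sh dns.pcap
# For the constructed sample, pcap_info prints:
#   le us snaplen=64 linktype=113 packets=2 truncated=1
if [ $# -gt 0 ]; then
    pcap_info "$1"
fi
```

Reading the file this way never touches the network, so it is safe to run on a capture before deciding how to analyse it; a non-zero truncated count tells you the payloads are gone and the capture needs to be repeated with a larger -s.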
host filter
To filter traffic for a particular host, use the host keyword followed by an IP address or host name. A host name is resolved once when the filter is compiled, and the filter then matches only the address(es) it resolved to; in the output below redhat.com resolved to an address whose reverse name is redirect.redhat.com.
[root@localhost ~]# tcpdump host redhat.com -i any -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:27:19.762717 IP localhost.localdomain.59096 >redirect.redhat.com.https: Flags [S], seq 2565597156, win 29200, options [mss 1460,sackOK,TS val 178658343 ecr 0,nop,wscale 7], length 0
20:27:19.977742 IP redirect.redhat.com.https >localhost.localdomain.59096: Flags [S.], seq 1933719472, ack 2565597157, win 64240, options [mss 1460], length 0
20:27:19.977773 IP localhost.localdomain.59096 >redirect.redhat.com.https: Flags [.], ack 1, win 29200, length 0
20:27:19.983584 IP localhost.localdomain.59096 >redirect.redhat.com.https: Flags [P.], seq 1:518, ack 1, win 29200, length 517
20:27:19.983781 IP redirect.redhat.com.https >localhost.localdomain.59096: Flags [.], ack 518, win 64240, length 0
5 packets captured
9 packets received by filter
0 packets dropped by kernel
Use the src or dst keyword to tell tcpdump whether the host must appear as the source or as the destination address. For example, the following first captures packets whose source host is redhat.com, and then packets whose destination host is redhat.com:
[root@localhost ~]# tcpdump src host redhat.com -i any -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:29:23.090360 IP redirect.redhat.com.https >localhost.localdomain.59098: Flags [S.], seq 1420240111, ack 1139421965, win 64240, options [mss 1460], length 0
20:29:23.096748 IP redirect.redhat.com.https >localhost.localdomain.59098: Flags [.], ack 518, win 64240, length 0
20:29:23.353159 IP redirect.redhat.com.https >localhost.localdomain.59098: Flags [P.], seq 1:1381, ack 518, win 64240, length 1380
20:29:23.353434 IP redirect.redhat.com.https >localhost.localdomain.59098: Flags [.], seq 1381:2841, ack 518, win 64240, length 1460
20:29:23.353461 IP redirect.redhat.com.https >localhost.localdomain.59098: Flags [P.], seq 2841:3407, ack 518, win 64240, length 566
5 packets captured
9 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump dst host redhat.com -i any -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:29:35.661917 IP localhost.localdomain.59100 >redirect.redhat.com.https: Flags [S], seq 4207740141, win 29200, options [mss 1460,sackOK,TS val 178783790 ecr 0,nop,wscale 7], length 0
20:29:35.886845 IP localhost.localdomain.59100 >redirect.redhat.com.https: Flags [.], ack 1287594187, win 29200, length 0
20:29:35.892463 IP localhost.localdomain.59100 >redirect.redhat.com.https: Flags [P.], seq 0:517, ack 1, win 29200, length 517
20:29:36.121990 IP localhost.localdomain.59100 >redirect.redhat.com.https: Flags [.], ack 1461, win 32120, length 0
20:29:36.122028 IP localhost.localdomain.59100 >redirect.redhat.com.https: Flags [.], ack 2921, win 35040, length 0
5 packets captured
10 packets received by filter
0 packets dropped by kernel
Logical operators
tcpdump accepts and, or and not as keywords in filter expressions, for example tcpdump -i ens33 "host www.linuxprobe.com and (port 80 or port 443)". Quoting a compound expression is necessary so that the shell does not try to interpret the parentheses.
[root@localhost ~]# tcpdump -i any "host www.linuxprobe.com and (port 80 or port 443)" -s64 -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 64 bytes
20:37:12.398299 IP localhost.localdomain.52754 >140.249.61.18.https: Flags [S], seq 3304304157, win 29200, options [mss 1460,sackOK,TS[|tcp]>
20:37:12.408805 IP 140.249.61.18.https >localhost.localdomain.52754: Flags [S.], seq 2112965730, ack 3304304158, win 64240, options [mss 1460], length 0
20:37:12.408842 IP localhost.localdomain.52754 >140.249.61.18.https: Flags [.], ack 1, win 29200, length 0
20:37:12.414672 IP localhost.localdomain.52754 >140.249.61.18.https: Flags [P.], seq 1:518, ack 1, win 29200, length 517
20:37:12.414948 IP 140.249.61.18.https >localhost.localdomain.52754: Flags [.], ack 518, win 64240, length 0
5 packets captured
9 packets received by filter
0 packets dropped by kernel
net keyword
The net keyword captures packets for a whole network prefix. It can be combined with src, dst and the logical operators to filter more precisely. The following example captures packets whose source is in 192.168.0.0/16 and whose destination is not in 192.168.0.0/16, that is, traffic leaving the private range:
[root@localhost ~]# tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 192.168.0.0/16" -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:43:25.558537 IP 192.168.43.131.34562 >140.249.61.18.http: Flags [S], seq 3720011773, win 29200, options [mss 1460,sackOK,TS val 4199917698 ecr 0,nop,wscale 7], length 0
20:43:25.571477 IP 192.168.43.131.34562 >140.249.61.18.http: Flags [.], ack 1199844, win 29200, length 0
20:43:25.571693 IP 192.168.43.131.34562 >140.249.61.18.http: Flags [P.], seq 0:82, ack 1, win 29200, length 82: HTTP: GET / HTTP/1.1
20:43:25.587514 IP 192.168.43.131.34562 >140.249.61.18.http: Flags [.], ack 546, win 29975, length 0
4 packets captured
4 packets received by filter
0 packets dropped by kernel
ip6 keyword
Use the ip6 keyword to capture IPv6 traffic. Here is an example, combined with host to select a single link-local address:
[root@localhost ~]# tcpdump -i any ip6 host fe80::9520:7b41:7099:c6f7 -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:17:08.182720 IP6 localhost.localdomain >fe80::9520:7b41:7099:c6f7: ICMP6, echo request, seq 12, length 64
22:17:08.183329 IP6 fe80::9520:7b41:7099:c6f7 >localhost.localdomain: ICMP6, echo reply, seq 12, length 64
22:17:09.207102 IP6 localhost.localdomain >fe80::9520:7b41:7099:c6f7: ICMP6, echo request, seq 13, length 64
22:17:09.207555 IP6 fe80::9520:7b41:7099:c6f7 >localhost.localdomain: ICMP6, echo reply, seq 13, length 64
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Summary
tcpdump is an excellent tool for collecting data about network traffic. Packet captures provide useful information for troubleshooting and security analysis.