Preface
The ops colleagues at work, and the colleagues doing C and C++ development, often use tcpdump to capture packets when troubleshooting. Clearly this is a fairly important skill, so I decided to learn it too and write it up here, hoping it helps you as well and proves useful in day-to-day work.
1: Installation
1.1: Installing
Download tcpdump and libpcap from here:
Because they are .xz archives, the extraction command is: tar -xJf xxxx.tar.xz
The install commands for both libpcap and tcpdump are:
./configure
make
make install
If all goes well that is it; running tcpdump now captures packets with the default settings:
[root@localhost program]# tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
02:37:58.562315 IP localhost.localdomain.ssh > 192.168.10.94.58517: Flags [P.], seq 462979098:462979286, ack 71636262, win 261, length 188
02:37:58.565888 IP 192.168.10.94.58517 > localhost.localdomain.ssh: Flags [.], ack 188, win 508, length 0
02:37:58.650063 IP localhost.localdomain.45844 > public1.alidns.com.domain: 17318+ PTR? 94.10.168.192.in-addr.arpa. (44)
^C02:37:58.651487 ARP, Request who-has 192.168.10.67 tell 192.168.10.118, length 46
...
1.2: Problems you may run into
1.2.1:configure: error: no acceptable C compiler found in $PATH
Run yum install gcc.
1.2.2:configure: error: Neither flex nor lex was found.
Fix: install m4, bison and flex.
m4 download (version 1.4.19): http://ftp.gnu.org/gnu/m4/
cd m4-1.4.19
./configure
make
make install
bison download: http://ftp.gnu.org/gnu/bison/ bison-3.7.6.tar.gz
cd bison-3.7.6
./configure
make
make install
flex download: https://github.com/westes/flex/releases flex-2.6.4.tar.gz
cd flex-2.6.4
./configure
make
make install
2: Usage
2.1: List all network interfaces
Use the -D option:
[root@localhost ~]# tcpdump -D
1.ens33 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.usbmon2 (Raw USB traffic, bus number 2)
5.usbmon1 (Raw USB traffic, bus number 1)
6.usbmon0 (Raw USB traffic, all USB buses) [none]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
2.2: Capture on a specific interface
-i selects the interface, for example the local loopback:
Start capturing first:
[root@localhost ~]# tcpdump -i lo
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Then send a request to nginx:
[root@localhost sbin]# curl http://127.0.0.1:80
<!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> html { color-scheme: light dark; } body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body>Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.Thank you for using nginx.
</body> </html>
Now look again: packets were captured:
[root@localhost sbin]# tcpdump -i lo
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:37:52.923269 IP localhost.56470 > localhost.http: Flags [S], seq 843820990, win 43690, options [mss 65495,sackOK,TS val 255345234 ecr 0,nop,wscale 7], length 0
00:37:52.923281 IP localhost.http > localhost.56470: Flags [R.], seq 0, ack 843820991, win 0, length 0
00:37:58.641913 IP localhost.56472 > localhost.http: Flags [S], seq 1563503097, win 43690, options [mss 65495,sackOK,TS val 255350958 ecr 0,nop,wscale 7], length 0
00:37:58.641932 IP localhost.http > localhost.56472: Flags [S.], seq 214531868, ack 1563503098, win 43690, options [mss 65495,sackOK,TS val 255350958 ecr 255350958,nop,wscale 7], length 0
00:37:58.641946 IP localhost.56472 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 0
00:37:58.642024 IP localhost.56472 > localhost.http: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 73: HTTP: GET / HTTP/1.1
00:37:58.642032 IP localhost.http > localhost.56472: Flags [.], ack 74, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 0
00:37:58.642355 IP localhost.http > localhost.56472: Flags [P.], seq 1:239, ack 74, win 342, options [nop,nop,TS val 255350959 ecr 255350958], length 238: HTTP: HTTP/1.1 200 OK
00:37:58.642364 IP localhost.56472 > localhost.http: Flags [.], ack 239, win 350, options [nop,nop,TS val 255350959 ecr 255350959], length 0
00:37:58.642394 IP localhost.http > localhost.56472: Flags [P.], seq 239:854, ack 74, win 342, options [nop,nop,TS val 255350959 ecr 255350959], length 615: HTTP
00:37:58.642402 IP localhost.56472 > localhost.http: Flags [.], ack 854, win 360, options [nop,nop,TS val 255350959 ecr 255350959], length 0
00:37:58.642581 IP localhost.56472 > localhost.http: Flags [F.], seq 74, ack 854, win 360, options [nop,nop,TS val 255350959 ecr 255350959], length 0
00:37:58.643250 IP localhost.http > localhost.56472: Flags [F.], seq 854, ack 75, win 342, options [nop,nop,TS val 255350960 ecr 255350959], length 0
00:37:58.643264 IP localhost.56472 > localhost.http: Flags [.], ack 855, win 360, options [nop,nop,TS val 255350960 ecr 255350960], length 0
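Reading the Flags column is how you diagnose a connection problem from output like this: in the capture above the first attempt (port 56470) gets a SYN answered by [R.], i.e. the port refused the connection, while the second attempt (port 56472) completes SYN, SYN-ACK, ACK and ends with a FIN from each side. The following is an added example (not code from the original post): a small Python parser for tcpdump's default summary lines that groups them into flows and classifies each flow. The sample input is a subset of the lines printed above.

```python
"""Summarise TCP flows from tcpdump's default one-line output.

Added example, not code from the original post. It parses the summary
lines tcpdump prints by default, groups them into flows and tells a
refused connection (a SYN answered by RST) from a completed three-way
handshake and a clean FIN close. The sample lines are copied from the
`tcpdump -i lo` capture shown above (a subset, for brevity).
"""
import re

SAMPLE = """\
00:37:52.923269 IP localhost.56470 > localhost.http: Flags [S], seq 843820990, win 43690, options [mss 65495,sackOK,TS val 255345234 ecr 0,nop,wscale 7], length 0
00:37:52.923281 IP localhost.http > localhost.56470: Flags [R.], seq 0, ack 843820991, win 0, length 0
00:37:58.641913 IP localhost.56472 > localhost.http: Flags [S], seq 1563503097, win 43690, options [mss 65495,sackOK,TS val 255350958 ecr 0,nop,wscale 7], length 0
00:37:58.641932 IP localhost.http > localhost.56472: Flags [S.], seq 214531868, ack 1563503098, win 43690, options [mss 65495,sackOK,TS val 255350958 ecr 255350958,nop,wscale 7], length 0
00:37:58.641946 IP localhost.56472 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 0
00:37:58.642024 IP localhost.56472 > localhost.http: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 73: HTTP: GET / HTTP/1.1
00:37:58.642581 IP localhost.56472 > localhost.http: Flags [F.], seq 74, ack 854, win 360, options [nop,nop,TS val 255350959 ecr 255350959], length 0
00:37:58.643250 IP localhost.http > localhost.56472: Flags [F.], seq 854, ack 75, win 342, options [nop,nop,TS val 255350960 ecr 255350959], length 0
"""

# timestamp, src host and port, dst host and port, TCP flags, payload length
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]*)\].*?, length (?P<length>\d+)"
)


def parse_line(line):
    """Return the fields of one TCP summary line, or None for other output
    (ARP, DNS, the 'listening on ...' banner, the packet counters)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["length"] = int(pkt["length"])
    return pkt


def flow_key(pkt):
    """Direction-independent key: the two endpoints, sorted."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def summarise_flows(text):
    """Map each flow to one of 'refused', 'established', 'closed', 'syn-only'.

    tcpdump's flag letters: S=SYN, F=FIN, R=RST, P=PSH and '.'=ACK, so
    '[S.]' is a SYN-ACK and '[R.]' is the RST-ACK of a refused connection.
    """
    flows = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        f = flows.setdefault(flow_key(pkt),
                             {"syn": False, "synack": False, "rst": False,
                              "fins": set(), "bytes": 0})
        flags = pkt["flags"]
        f["syn"] |= "S" in flags and "." not in flags
        f["synack"] |= "S" in flags and "." in flags
        f["rst"] |= "R" in flags
        if "F" in flags:
            f["fins"].add((pkt["src"], pkt["sport"]))   # who sent a FIN
        f["bytes"] += pkt["length"]

    states = {}
    for key, f in flows.items():
        if f["rst"] and not f["synack"]:
            states[key] = "refused"          # SYN met by RST: nothing listening
        elif f["syn"] and f["synack"]:
            states[key] = "closed" if len(f["fins"]) == 2 else "established"
        else:
            states[key] = "syn-only"         # SYN never answered (filtered/dropped)
    return states


if __name__ == "__main__":
    for (a, b), state in summarise_flows(SAMPLE).items():
        print("%s:%s <-> %s:%s  %s" % (a[0], a[1], b[0], b[1], state))
```

Feed it a saved capture with `tcpdump -r a.pcap | python3 flows.py` style piping (reading stdin instead of SAMPLE) and a flow stuck in "syn-only" points at a firewall or a dead host, while "refused" points at a service that is not listening.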
2.3: -c, the number of packets to capture
[root@localhost sbin]# tcpdump -i lo -c 2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:20:44.768619 IP localhost.56474 > localhost.http: Flags [S], seq 2392252259, win 43690, options [mss 65495,sackOK,TS val 257917081 ecr 0,nop,wscale 7], length 0
01:20:44.768648 IP localhost.http > localhost.56474: Flags [S.], seq 4224015561, ack 2392252260, win 43690, options [mss 65495,sackOK,TS val 257917081 ecr 257917081,nop,wscale 7], length 0
2 packets captured
24 packets received by filter
0 packets dropped by kernel
2.4: --time-stamp-precision sets the timestamp precision of the capture; the default is microseconds (micro), nanoseconds (nano) can be selected
2.5: Filtering
Filters use BPF filter syntax. For example, to match packets whose host is 127.0.0.1 or whose destination port is 80, the expression is host 127.0.0.1 or dst port 80:
[root@localhost sbin]# tcpdump host 127.0.0.1 or dst port 80 -i lo -c 2 --time-stamp-precision nano
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:47:42.644167857 IP localhost.56494 > localhost.http: Flags [S], seq 3263091779, win 43690, options [mss 65495,sackOK,TS val 259534961 ecr 0,nop,wscale 7], length 0
01:47:42.644196259 IP localhost.http > localhost.56494: Flags [S.], seq 1880556489, ack 3263091780, win 43690, options [mss 65495,sackOK,TS val 259534961 ecr 259534961,nop,wscale 7], length 0
2 packets captured
24 packets received by filter
0 packets dropped by kernel
Filtering also has some more advanced uses that are very handy for capturing packets in a particular state:
2.6: -w to save to a file, and reading back from a file (including several files)
Save to a file:
[root@localhost test]# tcpdump -c 2 -w a.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2 packets captured
14 packets received by filter
0 packets dropped by kernel
Read from the file:
[root@localhost test]# ll
total 4
-rw-r--r--. 1 root root 294 Jan 13 01:58 a.pcap
[root@localhost test]# tcpdump -r a.pcap
reading from file a.pcap, link-type EN10MB (Ethernet), snapshot length 262144
01:58:31.049823 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406851377:3406851501, ack 3681961471, win 261, length 124
01:58:31.100850 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 124, win 508, length 0
Load into Wireshark
File -> Open, then choose the pcap to load:
Read several files
Prepare several files:
[root@localhost test]# tcpdump -c 2 -w one.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2 packets captured
22 packets received by filter
0 packets dropped by kernel
[root@localhost test]# tcpdump -c 2 -w two.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2 packets captured
28 packets received by filter
0 packets dropped by kernel
[root@localhost test]# ll
total 12
-rw-r--r--. 1 root root 294 Jan 13 01:58 a.pcap
-rw-r--r--. 1 root root 294 Jan 13 02:49 one.pcap
-rw-r--r--. 1 root root 294 Jan 13 02:50 two.pcap
List the files to read in a single file:
[root@localhost test]# cat all
one.pcap
two.pcap
Read them with the -V option:
[root@localhost test]# tcpdump -V all
reading from file one.pcap, link-type EN10MB (Ethernet), snapshot length 262144
02:49:57.645367 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406854861:3406854985, ack 3681965707, win 261, length 124
02:49:57.646647 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 0, win 512, length 0
reading from file two.pcap, link-type EN10MB (Ethernet), snapshot length 262144
02:50:04.246070 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 1136:1260, ack 661, win 261, length 124
02:50:04.246343 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 1136, win 508, length 0
[root@localhost test]#
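The file that -w writes is the classic pcap format, which is why both -r and Wireshark can read it back. The following added example (not code from the original post or from tcpdump itself) writes and parses that format in pure Python: a 24-byte global header carrying the magic number, version, snaplen and link type that tcpdump echoes as "link-type EN10MB (Ethernet), snapshot length 262144", followed by a 16-byte record header plus the raw frame for each packet. The two records are constructed stand-ins (timestamps and frame contents are made up); they are sized 178 bytes (a 124-byte SSH segment: 14 Ethernet + 20 IP + 20 TCP + 124) and 60 bytes (an empty ACK padded to the Ethernet minimum) so that the file comes to the 294 bytes `ll` reported for a.pcap above. `read_many` walks several files in order, the way -V does with the list in `all`.

```python
"""Write and read the pcap files that `tcpdump -w` produces, without libpcap.

Added example, not code from the original post. Layout: a 24-byte global
header (magic, version 2.4, thiszone, sigfigs, snaplen, link type), then
for every packet a 16-byte record header (ts_sec, ts_frac, caplen, origlen)
followed by caplen bytes of frame. The sample records are constructed.
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps (tcpdump's default)
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps (--time-stamp-precision nano)
LINKTYPE_NAMES = {1: "EN10MB (Ethernet)", 113: "LINUX_SLL", 276: "LINUX_SLL2"}


def write_pcap(records, snaplen=262144, linktype=1, nanos=False):
    """Serialise (ts_sec, ts_frac, frame_bytes) tuples into pcap bytes."""
    magic = PCAP_MAGIC_NS if nanos else PCAP_MAGIC_US
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, frame in records:
        caplen = min(len(frame), snaplen)          # snaplen truncates, origlen keeps the real size
        out += struct.pack("<IIII", ts_sec, ts_frac, caplen, len(frame)) + frame[:caplen]
    return out


def read_pcap(data):
    """Parse pcap bytes; return (header dict, list of record dicts)."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):        # byte-swapped: written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    nanos = magic in (PCAP_MAGIC_NS, 0x4D3CB2A1)
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
              "linktype_name": LINKTYPE_NAMES.get(linktype, str(linktype)), "nanos": nanos}

    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        if len(frame) < caplen:                    # file cut off mid-packet (e.g. tcpdump killed)
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        off += caplen
        records.append({"ts": ts_sec + ts_frac / (1e9 if nanos else 1e6),
                        "caplen": caplen, "len": origlen, "frame": frame})
    return header, records


def read_many(blobs):
    """Like `tcpdump -V`: walk several capture files in order, yielding
    (file_index, record) pairs."""
    for i, blob in enumerate(blobs):
        _hdr, records = read_pcap(blob)
        for rec in records:
            yield i, rec


# Constructed sample mirroring a.pcap above: one 178-byte frame and one
# 60-byte frame, so 24 + 2*16 + 178 + 60 = 294 bytes. Timestamps and frame
# contents are stand-ins, not the real packets.
SAMPLE_RECORDS = [
    (1673603911, 49823, b"\x08\x00" * 89),    # 178 bytes
    (1673603911, 100850, b"\x08\x00" * 30),   # 60 bytes
]
SAMPLE_PCAP = write_pcap(SAMPLE_RECORDS)


if __name__ == "__main__":
    hdr, recs = read_pcap(SAMPLE_PCAP)
    print("reading %d bytes, link-type %s, snapshot length %d"
          % (len(SAMPLE_PCAP), hdr["linktype_name"], hdr["snaplen"]))
    for r in recs:
        print("%.6f caplen=%d len=%d" % (r["ts"], r["caplen"], r["len"]))
```

To inspect a real capture, pass `open("a.pcap", "rb").read()` to `read_pcap`; the header it returns is exactly what tcpdump prints in its "reading from file" banner, and a `ValueError` on the last record is the usual sign that tcpdump was interrupted while writing.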
2.7: -C limits the size of a single file, -W limits the maximum number of files
When the file count is exceeded, the earliest file is overwritten:
Here the unit of -C is 1,000,000 bytes, roughly 1 MB.
2.8: -G sets how often a new file is started
Start a new file every 3 seconds, with a time suffix in the file name:
[root@localhost test]# tcpdump -G 3 -w def%M-%S
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C525 packets captured
544 packets received by filter
0 packets dropped by kernel
[root@localhost test]# ll | grep def
-rw-r--r--. 1 root root 10540 Jan 13 03:12 def12-55
-rw-r--r--. 1 root root 12218 Jan 13 03:13 def12-58
-rw-r--r--. 1 root root 11281 Jan 13 03:13 def13-01
-rw-r--r--. 1 root root 13870 Jan 13 03:13 def13-04
2.9: Controlling how much detail is displayed
Main options:
-e shows the data-link-layer header
-S shows absolute sequence numbers
[root@localhost test]# tcpdump -c 2 -S
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:19:19.464455 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406897957:3406898145, ack 3681977203, win 261, length 188
03:19:19.469906 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 3406898145, win 508, length 0
2 packets captured
23 packets received by filter
0 packets dropped by kernel
-A prints the packet in ASCII
[root@localhost test]# tcpdump -c 2 -A
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:23:42.445345 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406898785:3406898973, ack 3681977499, win 261, length 188
E...[U@.@.H...
*..
^...y..&a.v..P...........{./L'.........sd.W8G_Ox..'0.O.O.2w...N...'....C...jf...Jm ..d. 0..k..#'.?..t..M.^kZ..n...Q.AoAU.s......Ac.X..."B....kQ.xNjU{..T......
.i..m..i...UEib.1...?[W..........?.Zt.it......V.
03:23:42.449537 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 188, win 511, length 0
E..(..@...^...
^..
*.y...v....'.P....+........
2 packets captured
17 packets received by filter
0 packets dropped by kernel
-x prints the packet in hex
[root@localhost test]# tcpdump -c 2 -x
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:23:56.847124 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406899893:3406900081, ack 3681977651, win 261, length 188
0x0000: 4510 00e4 5b5c 4000 4006 48cf c0a8 0a2a
0x0010: c0a8 0a5e 0016 cd79 cb11 2ab5 db76 8533
0x0020: 5018 0105 96af 0000 482f 9f38 9a7e a876
0x0030: 2ff5 f868 1012 51ea 58b2 6252 8ba8 c0d1
0x0040: bd2a 0c6b dcd8 89cc 21cc 2157 3c19 db35
0x0050: 7f76 7380 ff93 319e 7d3a 223c 21b4 aa76
0x0060: 448c fed4 0b50 af92 9e26 026c c13e 6b91
0x0070: be68 086b e481 0b0f 0daf 0e9d 07c5 bb02
0x0080: 4e18 adc3 e07c 5705 fb6e f877 18a7 390f
0x0090: 7707 7f84 cd9b 1b49 5535 9978 16b7 75a8
0x00a0: 3679 c266 4eff 84ce 2b7f a921 7338 ba29
0x00b0: d8b2 c2bb c31a 5009 b642 9b54 821b 2ce2
0x00c0: 7fd2 ebf4 a8f3 fed5 d700 6603 d767 7251
...
-X prints the packet in hex and ASCII
[root@localhost test]# tcpdump -c 2 -X
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:24:39.963597 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406903797:3406903985, ack 3681977911, win 261, length 188
0x0000: 4510 00e4 5b69 4000 4006 48c2 c0a8 0a2a E...[i@.@.H....*
0x0010: c0a8 0a5e 0016 cd79 cb11 39f5 db76 8637 ...^...y..9..v.7
0x0020: 5018 0105 96af 0000 6e6e 36d6 f559 67ab P.......nn6..Yg.
0x0030: 8e7e 201d 6c43 5564 c62e 56be 7a9d e96b .~..lCUd..V.z..k
0x0040: 9483 b57e 6e5a 35fd cc6d 83de 4a4e b29d ...~nZ5..m..JN..
0x0050: 0838 9f45 7d2e 2d45 389a 0760 c30c 3c58 .8.E}.-E8..`..<X
0x0060: 8201 54d8 f955 ebbd b313 4445 0f8f 1909 ..T..U....DE....
0x0070: f335 c2f4 ef65 5fc9 ab2b b3e7 acfd ea20 .5...e_..+......
0x0080: 915b 5938 7f7d 64ce fdca 8587 bfec 5202 .[Y8.}d.......R.
0x0090: b8de 12f6 6de1 8cc7 fa55 a786 3f06 6e98 ....m....U..?.n.
0x00a0: 731c 2de9 08e8 2ea5 1266 f485 c335 0869 s.-......f...5.i
0x00b0: 9aaa 957d 0d2b 5e8e 5b4e 90f2 3c70 fb4d ...}.+^.[N..<p.M
0x00c0: 04d2 8315 3166 3418 ef8d dbba 8f60 281c ....1f4......`(.
0x00d0: d52d 3a55 d733 00d9 0045 f32e ef90 be25 .-:U.3...E.....%
0x00e0: fdd1 fc86 ....
03:24:39.963713 IP 192.168.10.185.mdns > mdns.mcast.net.mdns: 0*- [0q] 1/0/2 PTR M-oM-?M-=M-oM-?M-=M-oM-?M-=M-oM-?M-=M-oM-?M-=M-oM-?M-=M-]M-.._dosvc._tcp.local. (317)
0x0000: 4500 0159 2f03 0000 0111 dd34 c0a8 0ab9 E..Y/......4....
0x0010: e000 00fb 14e9 14e9 0145 f77d 0000 8400 .........E.}....
0x0020: 0000 0001 0000 0002 065f 646f 7376 6304 ........._dosvc.
0x0030: 5f74 6370 056c 6f63 616c 0000 0c00 0100 _tcp.local......
0x0040: 0000 0000 2814 efbf bdef bfbd efbf bdef ....(...........
0x0050: bfbd efbf bdef bfbd ddae 065f 646f 7376 ..........._dosv
0x0060: 6304 5f74 6370 056c 6f63 616c 0014 efbf c._tcp.local....
0x0070: bdef bfbd efbf bdef bfbd efbf bdef bfbd ................
0x0080: ddae 065f 646f 7376 6304 5f74 6370 056c ..._dosvc._tcp.l
0x0090: 6f63 616c 0000 2100 0100 0000 0000 2200 ocal..!.......".
0x00a0: 0000 001e 0014 efbf bdef bfbd efbf bdef ................
...
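With -x and -X tcpdump starts the dump at the IP header (add a second x, -xx or -XX, to include the link-layer header), so the first 40 bytes of the dumps above are the IPv4 header and the TCP header, and every field of the summary line can be read straight out of them. The following is an added example (not code from the original post): it converts the first three rows of the `tcpdump -c 2 -x` output above back into bytes, decodes the two headers and rebuilds the summary line, which lets you check the decode against what tcpdump printed: 192.168.10.42 port 22 to 192.168.10.94 port 52601, flags [P.], seq 3406899893, ack 3681977651, win 261, length 188. The remaining rows are encrypted SSH payload and are truncated on the page, so the payload length is computed from the IP total length rather than from the bytes present.

```python
"""Decode the IPv4 and TCP headers out of a `tcpdump -x` hex dump.

Added example, not code from the original post. -x prints the packet from
the IP header on (use -xx for the link layer too), so offsets 0x0000-0x0013
are the IPv4 header and 0x0014-0x0027 the TCP header. The rows below are
copied from the `tcpdump -c 2 -x` output above; the rest of that dump is
payload and truncated on the page.
"""
import re
import struct

HEX_DUMP = """\
0x0000: 4510 00e4 5b5c 4000 4006 48cf c0a8 0a2a
0x0010: c0a8 0a5e 0016 cd79 cb11 2ab5 db76 8533
0x0020: 5018 0105 96af 0000 482f 9f38 9a7e a876
"""

# Bit -> letter as tcpdump prints it (ACK is '.', hence "[P.]" and "[S.]").
TCP_FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                 (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def hexdump_to_bytes(text):
    """Turn `0xNNNN: xxxx xxxx ...` rows into bytes. Rows from -X (with a
    trailing ASCII column) also work as long as the row holds 16 bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{2,4}\s*){1,8})", line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError("gap or duplicate row at offset 0x%04x" % offset)
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)


def decode_ipv4(pkt):
    """Parse the IPv4 header; the length field is read so truncated dumps decode."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not an IPv4 packet")
    return {"version": version, "header_len": ihl, "tos": tos, "total_len": total_len,
            "id": ident, "df": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
            "checksum": csum,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst)}


def decode_tcp(seg):
    """Parse the fixed part of a TCP header (options are skipped via data offset)."""
    if len(seg) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    flag_bits = off_flags & 0x01FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off_flags >> 12) * 4,
            "flags": "".join(name for bit, name in TCP_FLAG_BITS if flag_bits & bit),
            "win": win, "checksum": csum, "urg": urg}


def decode_dump(text):
    """Hex dump text -> (ip fields, tcp fields), with tcpdump's 'length' added."""
    pkt = hexdump_to_bytes(text)
    ip = decode_ipv4(pkt)
    if ip["proto"] != 6:
        raise ValueError("not TCP (IP protocol %d)" % ip["proto"])
    tcp = decode_tcp(pkt[ip["header_len"]:])
    # tcpdump's "length N" is the TCP payload: IP total length minus both headers.
    # Taken from the IP header so it is right even though the dump is truncated.
    tcp["payload_len"] = ip["total_len"] - ip["header_len"] - tcp["header_len"]
    return ip, tcp


def summary_line(ip, tcp):
    """Rebuild the body of tcpdump's summary line (no name resolution; with -S
    tcpdump prints the sequence number as a start:end range instead)."""
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, ack %d, win %d, length %d" % (
        ip["src"], tcp["sport"], ip["dst"], tcp["dport"], tcp["flags"],
        tcp["seq"], tcp["ack"], tcp["win"], tcp["payload_len"])


if __name__ == "__main__":
    ip, tcp = decode_dump(HEX_DUMP)
    print(summary_line(ip, tcp))
```

The same three rows also reveal fields the summary line hides: TOS 0x10, IP ID 0x5b5c with DF set, TTL 64 and protocol 6, which is what you look at when a summary line alone does not explain, say, a fragmentation or TTL problem.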