目录
"-D":列出系统中所有可以用于tcpdump抓取数据包的网卡列表
"-w":把包数据直接写入指定的文件中而不进行分析和打印输出
前言
tcpdump是强大的网络数据采集分析工具之一,称为抓包工具。它可以将网络中传送的数据包完全截获下来提供分析。它支持针对网络层、协议、主机、网络或端口的过滤,并提供逻辑语句来帮助我们过滤掉无用的信息。其中tcpdump字面拆分,tcp:传输控制协议(transmission control protocol),位于传输层,dump:导出的意思。
tcpdump命令的常见参数
"-h":查看帮助信息
例如:
bash
# tcpdump -h
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]"--version":查看版本号
例如:
bash
# tcpdump --version
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)"-D":列出系统中所有可以用于tcpdump抓取数据包的网卡列表
例如:
bash
# tcpdump -D
1.wlan0 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Loopback]"-i":指定哪个网卡接口
例如:
bash
# tcpdump -i wlan0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:22:21.386610 IP 192.168.169.59.38394 > 192.168.32.3.domain: 5+ SRV? _sips._tcp.sipgz04.hbq.r.10086.cn. (51)
...
00:22:21.560149 IP 192.168.169.59.7879 > 180.76.76.76.domain: 42514+ AAAA? gap.work.weixin.qq.com. (40)
00:22:21.562346 IP 192.168.169.59.20975 > 180.76.76.76.domain: 17325+ A? gap.work.weixin.qq.com. (40)"host":筛选出指定的主机IP的相关数据包
例如:
bash
# tcpdump host 192.168.169.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:20:50.598341 IP 192.168.169.59.39338 > 192.168.169.1.www: Flags [S], seq 2224882238, win 65535, options [mss 1460,sackOK,TS val 1395385504 ecr 0,nop,wscale 9], length 0
18:20:50.598450 IP 192.168.169.1.www > 192.168.169.59.39338: Flags [S.], seq 4160180220, ack 2224882239, win 65160, options [mss 1460,sackOK,TS val 2182696542 ecr 1395385504,nop,wscale 3], length 0
18:20:50.603623 IP 192.168.169.59.39338 > 192.168.169.1.www: Flags [.], ack 1, win 128, options [nop,nop,TS val 1395385527 ecr 2182696542], length 0
18:20:50.603965 IP 192.168.169.59.39338 > 192.168.169.1.www: Flags [P.], seq 1:212, ack 1, win 128, options [nop,nop,TS val 1395385528 ecr 2182696542], length 211: HTTP: GET /app/getparamvalue?param=rec HTTP/1.1
18:20:50.604034 IP 192.168.169.1.www > 192.168.169.59.39338: Flags [.], ack 212, win 8119, options [nop,nop,TS val 2182696547 ecr 1395385528], length 0
..."port":指定哪个端口,例如:
bash
# tcpdump port 554
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:36:22.460633 IP 192.168.169.1.554 > 192.168.169.59.41456: Flags [P.], seq 1908680467:1908680662, ack 3404164144, win 8010, options [nop,nop,TS val 2183627926 ecr 1396316862], length 195: RTSP
18:36:22.484299 IP 192.168.169.59.41456 > 192.168.169.1.554: Flags [.], ack 195, win 1532, options [nop,nop,TS val 1396316913 ecr 2183627926], length 0
18:36:22.491079 IP 192.168.169.1.554 > 192.168.169.59.41456: Flags [P.], seq 195:470, ack 1, win 8010, options [nop,nop,TS val 2183627957 ecr 1396316913], length 275: RTSP
18:36:22.495765 IP 192.168.169.59.41456 > 192.168.169.1.554: Flags [.], ack 470, win 1532, options [nop,nop,TS val 1396316943 ecr 2183627957], length 0
18:36:22.531393 IP 192.168.169.1.554 > 192.168.169.59.41456: Flags [P.], seq 470:759, ack 1, win 8010, options [nop,nop,TS val 2183627997 ecr 1396316943], length 289: RTSP
18:36:22.538752 IP 192.168.169.59.41456 > 192.168.169.1.554: Flags [.], ack 759, win 1532, options [nop,nop,TS val 1396316985 ecr 2183627997], length 0
18:36:22.571757 IP 192.168.169.1.554 > 192.168.169.59.41456: Flags [P.], seq 759:1014, ack 1, win 8010, options [nop,nop,TS val 2183628038 ecr 1396316985], length 255: RTSP
18:36:22.578728 IP 192.168.169.59.41456 > 192.168.169.1.554: Flags [.], ack 1014, win 1532, options [nop,nop,TS val 1396317025 ecr 2183628038], length 0
18:36:22.606963 IP 192.168.169.1.554 > 192.168.169.59.41456: Flags [P.], seq 1014:1309, ack 1, win 8010, options [nop,nop,TS val 2183628073 ecr 1396317025], length 295: RTSP
..."-w":把包数据直接写入指定的文件中而不进行分析和打印输出
注意这里的文件后缀名为pcap或cap。
例如:
bash
# tcpdump -w /mnt/card/test.pcap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytestcpdump抓包文件的解析
pcap或cap文件是常见的数据报存储格式文件,数据按照特定格式存储,普通编辑器无法正常打开该类型的文件或无法直观查看数据的重要信息。它们需要特定的解析工具软件才能直观地读取并查看,如wireshark等。
总结
tcpdump是一款命令行网络数据包捕获和分析工具,主要用于实时监控和诊断网络流量。
核心作用: tcpdump的核心功能是捕获流经指定网络接口的数据包,并基于网络层协议、主机地址、端口号或数据包方向等条件进行过滤分析。它通过Berkeley Packet Filter(BPF)语法高效筛选数据,输出格式包含时间戳、源/目标IP及端口等信息,便于快速识别异常流量或协议交互。
适用场景: tcpdump广泛应用于以下领域:
- 网络故障排查:通过捕获数据包定位连接超时、路由问题或服务不可达等故障,例如分析TCP三次握手过程。
- 性能监控与流量分析:统计特定主机或端口的流量模式,评估带宽利用率,识别网络瓶颈。
- 安全监控与威胁检测:捕获可疑流量(如异常端口访问或扫描行为),辅助入侵检测。
- 协议分析与开发调试:验证自定义协议行为或调试网络应用通信细节。