The commands in this article were tested on the following platform:
# macOS 11.1 Big Sur
# tcpdump:
sh-3.2# tcpdump --version
tcpdump version tcpdump version 4.9.3 -- Apple version 100
libpcap version 1.9.1
LibreSSL 2.8.3
# Linux and other platforms differ slightly, but most of what follows applies to all of them
Network protocol documents use the word Octet, sometimes translated into Chinese as `八位组` (an eight-bit group): 1 Octet = 8 bits, the same as today's notion of a byte (B). Most network protocols say Octet rather than byte because, many years ago, 1 byte = 10 bits, which is why the convention 1 Octet = 8 bits was adopted. So when a document refers to the n-th Octet, it generally means the n-th byte of a piece of data; whether n counts from 0 or from 1 has to be decided from context.
Many people sit down and start writing tcpdump commands off the top of their head, and the result is a syntax error. To avoid that, the following cases illustrate a few things to watch out for:

fh@192 ~ % NAME=ok
# single quotes print the string literally, with no expansion
fh@192 ~ % echo 'Hello, $NAME'
Hello, $NAME
# double quotes expand variables first, then print
fh@192 ~ % echo "Hello, $NAME"
Hello, ok
# () causes an error
fh@192 ~ % echo (ok)
zsh: unknown sort specifier
fh@192 ~ % echo ok && demo
ok
zsh: command not found: demo
# wrapping the string in "" or '' avoids the problem
fh@192 ~ % echo "ok && demo"
ok && demo
fh@192 ~ % echo 'ok && demo'
ok && demo
fh@192 ~ %
Because tcpdump takes a filter expression, and that expression can contain characters such as (), &&, || and >> that are special to the shell, the shell needs them escaped. In general the filter expression should be wrapped in '' or "", otherwise unexpected errors occur.
# Recommended command layout
# flags that take no value can be written one after another; that is fine
tcpdump <flag_1> <flag_2> ... <flag_k> <option_1> <value_1> <option_2> <value_2> ... <option_n> <value_n> 'expression'
Due to my limited knowledge, the parts of tcpdump I have not understood yet are marked TODO; I will keep adding examples as I work them out.
SYNOPSIS
NAME
    tcpdump - dump traffic on a network
SYNOPSIS
    tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ] [ -m module ] [ -M secret ] [ --number ] [ -Q in|out|inout ] [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ -Q packet-metadata-filter ] [ -Q in|out|inout ] [ --time-stamp-precision=tstamp_precision ] [ --immediate-mode ] [ --version ] [ expression ]
Options
-A
# -A: print each packet (minus its link-layer header) in ASCII; commonly used to capture web page data
sh-3.2# tcpdump -A -c 1 -i any
16:28:07.931082 IP 192.168.0.108.57342 > 192.168.1.1.domain: 59093+ A? oth.eve.mdt.qq.com. (36)
...f.n.._.....E..@....@.\....l.......5.,.d.............oth.eve.mdt.qq.com.....
-b
# -b: print the AS number in BGP packets in ASDOT notation instead of ASPLAIN notation
sh-3.2# tcpdump -b -i any
-B buffer_size
# -B buffer_size: set the operating system capture buffer size, in KB
# -c count: exit after receiving/displaying count packets
# -i any: listen on all network interfaces
# -w file: save the captured packets to a.pcap; the file can be opened with Wireshark
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
-c count or -c skip,count
# -c count: tcpdump exits after capturing count packets
sh-3.2# tcpdump -c 1 -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
17:32:05.155429 IP 192.168.0.108.58448 > 17.57.145.7.5223: Flags [R.], seq 2009854550, ack 1819239997, win 2048, length 0
1 packet captured
37 packets received by filter
0 packets dropped by kernel
sh-3.2#
# -c skip,count: the second form of -c; skip the first skip packets, then capture count packets and stop
# skip before the comma is mandatory, count after the comma is optional
sh-3.2# tcpdump -c 5,3 -i any
# comma with no count: skip the first 5 packets and then keep capturing without exiting
sh-3.2# tcpdump -c 5, -i any
-C file_size
# -C file_size: before writing a raw packet to the savefile, check whether the file would become larger than file_size (units: 1000000 bytes);
# -w file: the savefile
# if it would exceed file_size, close the file and open a new one to continue writing
# the new file name is "file" + "idx", with idx starting at 1
sh-3.2# tcpdump -C 5 -i any -w f.pcap
# note: file_size is an approximate value, not an exact one
# the file names are: file file1 file2 file3 ... filen
sh-3.2# ls -l
-rw-r--r-- 1 root wheel 1782772 5 2 16:19 f.pcap7
-rw-r--r-- 1 root wheel 5000952 5 2 16:19 f.pcap6
-rw-r--r-- 1 root wheel 5001304 5 2 16:19 f.pcap5
-rw-r--r-- 1 root wheel 5000300 5 2 16:19 f.pcap4
-rw-r--r-- 1 root wheel 5000748 5 2 16:19 f.pcap3
-rw-r--r-- 1 root wheel 5000344 5 2 16:19 f.pcap2
-rw-r--r-- 1 root wheel 5000160 5 2 16:18 f.pcap1
-rw-r--r-- 1 root wheel 5000264 5 2 16:18 f.pcap
sh-3.2#
-d ~ -ddd
# -d: dump the compiled packet-matching code in a human-readable form to standard output
sh-3.2# tcpdump -d
tcpdump: data link type PKTAP
(000) ret      #262144
# -dd: dump the packet-matching code as a C program fragment
sh-3.2# tcpdump -dd
tcpdump: data link type PKTAP
{ 0x6, 0, 0, 0x00040000 },
# -ddd: dump the packet-matching code as decimal numbers (preceded by a count)
sh-3.2# tcpdump -ddd
tcpdump: data link type PKTAP
1
6 0 0 262144
-D
# -D: print the list of network interfaces on this system on which tcpdump can capture packets
# each interface has a number and a name, and possibly a description as well
# the number or the name can be given after -i to select the interface to capture on
# this option exists because Windows, and systems lacking ifconfig -a, have no other way to list this information
# the number is especially useful on Windows 2000 and later, where interface names are complicated strings
# if the libpcap tcpdump was built against lacks pcap_findalldevs, this option is not supported
fh@Feihu-3 ~ % tcpdump -D
1.en0 [Up, Running]
2.awdl0 [Up, Running]
3.llw0 [Up, Running]
4.utun0 [Up, Running]
5.ap1 [Up, Running]
6.utun1 [Up, Running]
7.lo0 [Up, Running, Loopback]
8.bridge0 [Up, Running]
9.en1 [Up, Running]
10.en2 [Up, Running]
11.en3 [Up, Running]
12.en4 [Up, Running]
13.gif0 [none]
14.stf0 [none]
-e
# -e: print the link-layer header on each line.
# for example the MAC addresses of Ethernet and IEEE 802.11 frames
# if two devices on a LAN have the same IP, this lets you tell which device a packet came from
sh-3.2# tcpdump -c 1 -e -i any
16:55:34.277368 80:8f:1d:66:9a:6e (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# the same capture without -e
sh-3.2# tcpdump -c 1 -i any
16:55:45.235387 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
-E
# -E spi@ipaddr algo:secret: use spi@ipaddr algo:secret to decrypt IPsec ESP packets addressed to ipaddr
# that contain the Security Parameter Index value spi
# several spi@ipaddr algo:secret values can be given, separated by commas or newlines
# algo can be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none; the default is des-cbc
# packets can only be decrypted if tcpdump was compiled with decryption enabled
# secret is the ASCII text of the ESP key; if it starts with 0x it is read as a hex value
# this option assumes RFC 2406 ESP, not RFC 1827 ESP
# this option is meant for debugging; using it with real secret keys is discouraged.
# an IPsec secret given on the command line is visible to others through ps and by other means
# besides the syntax above, the form "file name" makes tcpdump read the secrets from that file; the file is opened when the first ESP packet arrives,
# so any special privileges tcpdump was given will already have been dropped by then
[ -E spi@ipaddr algo:secret,... ]
-f
# -f: print "foreign" IPv4 addresses numerically rather than symbolically.
# TODO
sh-3.2# tcpdump -f -i any
16:46:36.813722 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
16:46:36.814783 IP 192.168.0.105.62980 > 192.168.1.1.domain: 6648+ PTR? 1.0.168.192.in-addr.arpa. (42)
16:46:36.820954 IP 192.168.1.1.domain > 192.168.0.105.62980: 6648 1/0/0 PTR 192.168.0.1. (67)
16:46:36.821712 IP 192.168.0.105.51227 > 192.168.1.1.domain: 4339+ PTR? 255.255.255.255.in-addr.arpa. (46)
16:46:36.829809 IP 192.168.1.1.domain > 192.168.0.105.51227: 4339 0/0/0 (46)
16:46:36.831042 IP 192.168.0.105.61722 > 192.168.1.1.domain: 3347+ PTR? 105.0.168.192.in-addr.arpa. (44)
16:46:36.834207 IP 192.168.1.1.domain > 192.168.0.105.61722: 3347 1/0/0 PTR 192.168.0.105. (71)
sh-3.2# tcpdump -i any
16:47:09.176906 ARP, Reply 192.168.0.1 is-at 54:75:95:7b:35:60 (oui Unknown), length 28
16:47:09.177804 IP 192.168.0.105.53642 > 192.168.1.1.domain: 59641+ PTR? 1.0.168.192.in-addr.arpa. (42)
16:47:09.180557 IP 192.168.1.1.domain > 192.168.0.105.53642: 59641 1/0/0 PTR 192.168.0.1. (67)
16:47:09.181364 IP 192.168.0.105.54508 > 192.168.1.1.domain: 42563+ PTR? 105.0.168.192.in-addr.arpa. (44)
16:47:09.184506 IP 192.168.1.1.domain > 192.168.0.105.54508: 42563 1/0/0 PTR 192.168.0.105. (71)
-F file
# -F file: use file as input for the filter expression; any additional expression given on the command line is ignored.
# the filter expression is in the file exp and only allows destination port 80
sh-3.2# tcpdump -nn -i any -F exp
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:51:28.272523 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [SEW], seq 1230950913, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 976750906 ecr 0,sackOK,eol], length 0
16:51:28.300868 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 4276175339, win 4096, length 0
16:51:28.300922 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [P.], seq 0:77, ack 1, win 4096, length 77: HTTP: GET / HTTP/1.1
16:51:28.323539 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 2782, win 4052, length 0
16:51:28.323834 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [F.], seq 77, ack 2782, win 4096, length 0
16:51:28.334178 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [F.], seq 77, ack 2782, win 4096, options [nop,nop,sack 1 {1441:2782}], length 0
16:51:28.349878 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 2783, win 4096, length 0
# make a request to Baidu directly
fh@192 ~ % curl www.baidu.com
# create a file named exp whose filter selects packets with destination port 80
sh-3.2# cat exp
dst port 80
-g
# -g: in verbose mode, do not insert a newline after the IP header, to make the output easier to parse.
# TODO
sh-3.2# tcpdump -g -vvv -c 3 -i any
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:55:45.885643 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.105 tell 192.168.0.1, length 28
16:55:45.885689 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.105 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
16:55:45.886959 IP (tos 0x0, ttl 64, id 19770, offset 0, flags [none], proto UDP (17), length 72) 192.168.0.105.54217 > 192.168.1.1.domain: [udp sum ok] 13832+ PTR? 105.0.168.192.in-addr.arpa. (44)
3 packets captured
8 packets received by filter
0 packets dropped by kernel
sh-3.2#
-G rotate_seconds
# -G rotate_seconds: if both -G and -w are given, rotate the savefile every rotate_seconds seconds;
# the -w value must contain a time format; see man 3 strftime for the details
# if the -w value has no time format, the same file is overwritten on every rotation;
# if both -C and -G are given, the generated file names have the form file<count>
sh-3.2# tcpdump -G 3 -i any -w 'fh_%Y-%m-%d_%T.pcap'
# file names: fh_YYYY-MM-DD_HH:MM:SS.pcap
sh-3.2# ls -l
total 5560
-rw-r--r-- 1 root wheel 448 5 3 07:29 fh_2021-05-03_07:29:38.pcap
-rw-r--r-- 1 root wheel 352 5 3 07:29 fh_2021-05-03_07:29:50.pcap
-rw-r--r-- 1 root wheel 372 5 3 07:29 fh_2021-05-03_07:29:54.pcap
-rw-r--r-- 1 root wheel 552 5 3 07:30 fh_2021-05-03_07:30:02.pcap
# -G, -C and -w used together
sh-3.2# tcpdump -C 1 -G 100000 -i any -w f
# the resulting capture files
sh-3.2# ls -lrt
total 30160
-rw-r--r-- 1 root wheel 1000128 5 3 16:04 f
-rw-r--r-- 1 root wheel 1000576 5 3 16:04 f1
-rw-r--r-- 1 root wheel 1001560 5 3 16:04 f2
-rw-r--r-- 1 root wheel 1000268 5 3 16:04 f3
-rw-r--r-- 1 root wheel 1000012 5 3 16:04 f4
-rw-r--r-- 1 root wheel 1000868 5 3 16:04 f5
-rw-r--r-- 1 root wheel 1000124 5 3 16:04 f6
-H
# -H: attempt to detect 802.11s draft mesh headers
# TODO
-i interface
# -i interface: the interface to capture on, given either as an interface name or as its number
# both can be obtained with tcpdump -D
# to capture on all interfaces, use tcpdump -i any
# normally, with any the interfaces are not put into promiscuous mode, so in some situations you still need to name the interface
-I
# -I: can also be written --monitor-mode; currently supported only on IEEE 802.11 Wi-Fi interfaces, and only on some operating systems.
--immediate-mode
# TODO
-j tstamp_type
# TODO
-J
sh-3.2# tcpdump -J
Time stamp types for pktap (use option -j to set):
  host (Host)
--time-stamp-precision=tstamp_precision
# --time-stamp-precision: time stamp precision, either micro or nano; the device must support it
sh-3.2# tcpdump -c 3 -i any --time-stamp-precision=micro
07:27:15.474324 IP 192.168.0.105.63096 > 17.248.165.105.https: Flags [P.], seq 1745755457:1745756013, ack 644458944, win 2048, options [nop,nop,TS val 842425166 ecr 4054084285], length 556
07:27:15.474879 IP 192.168.0.105.63096 > 17.248.165.105.https: Flags [P.], seq 556:655, ack 1, win 2048, options [nop,nop,TS val 842425166 ecr 4054084285], length 99
07:27:15.494650 IP 192.168.0.105.59318 > 192.168.1.1.domain: 48955+ PTR? 105.0.168.192.in-addr.arpa. (44)
# capture three packets at nanosecond precision; this device does not support it
sh-3.2# tcpdump -c 3 -i any --time-stamp-precision=nano
tcpdump: any: Can't set nanosecond time stamp precision: That device doesn't support that time stamp precision
sh-3.2#
-k
# -k: control the display of packet metadata; the value after the option selects which metadata types are shown
# I: interface name or interface ID
# N: process name
# P: process ID
# S: service class
# D: direction
# C: comment
# C: flags
# U: process UUID
# V: verbose dump of pcap-ng blocks (not shown by default)
# A: show all metadata types
# Linux does not seem to support this
sh-3.2# tcpdump -l -i any -k INPSDCCUVA | grep 'proc QQMusic'
16:31:55.245774 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.108.57731 > .http: Flags [S], seq 598034964, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 803848705 ecr 0,sackOK,eol], length 0
sh-3.2# tcpdump -l -i any -k A | grep 'proc QQMusic'
16:37:59.984827 (en0, proc kernel_task:0:, eproc QQMusic:465:, svc BE, in, so) IP localhost.http > 192.168.0.108.57812: Flags [F.], seq 1219446476, ack 2542671645, win 1047, length 0
-K
# -K: don't attempt to verify TCP, UDP or IP checksums;
# useful for interfaces that perform some or all of the checksum calculation in hardware,
# otherwise all outgoing TCP checksums would be flagged as bad.
sh-3.2# tcpdump -K -i any
-l
# -l: make standard output line buffered
sh-3.2# tcpdump -l -i any | tee data
16:09:35.951957 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
sh-3.2# cat data
16:09:35.951957 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# this lets you dump to a file and watch the output in the terminal at the same time
# note: on some systems, such as the Mac, the capture keeps running in the background even after you close the terminal; on others, closing the terminal stops the capture automatically
sh-3.2# tcpdump -l -i any > tmp & tail -f tmp
[1] 22454
# the process ID of tcpdump
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:12:50.265227 IP 192.168.0.108.57267 > 141.226.231.48.https: Flags [P.], seq 1157134174:1157134385, ack 3885736249, win 4096, length 211
sh-3.2# pidof tcpdump
22454
sh-3.2# cat tmp
16:12:50.265227 IP 192.168.0.108.57267 > 141.226.231.48.https: Flags [P.], seq 1157134174:1157134385, ack 3885736249, win 4096, length 211
-L
# -L: list the known data link types for the interface
sh-3.2# tcpdump -L
Data link types for pktap (use option -y to set):
  PKTAP (Apple DLT_PKTAP)
  RAW (Raw IP)
-m module
# TODO
-M secret
# -M secret: if TCP segments carry the TCP-MD5 option (RFC 2385), use secret as the shared secret for validating their digests
# TODO
-n
# -n: don't convert addresses (IP addresses, port numbers, etc.) to names
# the destination port is shown as 80
sh-3.2# tcpdump -n -i any dst port 80
17:03:54.503552 IP 192.168.0.105.51843 > 36.152.44.95.80: Flags [SEW], seq 3619108142, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 977496600 ecr 0,sackOK,eol], length 0
# the destination port is shown as http
sh-3.2# tcpdump -i any dst port 80
17:04:07.620053 IP 192.168.0.105.51844 > 36.152.44.96.http: Flags [SEW], seq 1916226026, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 977509699 ecr 0,sackOK,eol], length 0
-N
# -N: don't print the domain part of host names; e.g. 'nic.ddd.mil' is printed as 'nic'
--number
# --number: print an optional packet number at the beginning of each line
# TODO, no use for it found yet
-O
# -O: do not run the packet-matching code optimizer
sh-3.2# tcpdump -O -i any
-P
# -P: use the pcap-ng file format when saving files.
-p
# -p: don't put the interface into promiscuous mode
# TODO, no use case found yet
-Q expression
# filter the capture by process
# Linux may not support this
# capture the network packets of QQMusic
sh-3.2# tcpdump -l -k A -i any -Q "pid=`pidof QQMusic`"
19:51:44.653768 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61177 > 112.12.18.35.http: Flags [F.], seq 2901431543, ack 439813618, win 2048, options [nop,nop,TS val 834357380 ecr 3175665935], length 0
19:52:00.347990 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [S], seq 1737074890, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373067 ecr 0,sackOK,eol], length 0
19:52:00.354345 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [S], seq 407543729, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373073 ecr 0,sackOK,eol], length 0
19:52:00.376527 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [S.], seq 4234791179, ack 1737074891, win 14280, options [mss 1440,sackOK,TS val 4105774949 ecr 834373067,nop,wscale 8], length 0
19:52:00.376579 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [.], ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 0
19:52:00.376586 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .https > 192.168.0.105.61245: Flags [S.], seq 2778593785, ack 407543730, win 14400, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
19:52:00.376605 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [.], ack 1, win 4096, length 0
19:52:00.377063 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [P.], seq 1:330, ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 329: HTTP: POST /3gmusic/fcgi-bin/imusic_tj HTTP/1.1
19:52:00.377136 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [P.], seq 330:891, ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 561: HTTP
19:52:00.377382 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [P.], seq 1:518, ack 1, win 4096, length 517
19:52:00.392525 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61246 > .http: Flags [S], seq 949130891, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373110 ecr 0,sackOK,eol], length 0
19:52:00.392772 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [.], ack 330, win 60, options [nop,nop,TS val 4105774954 ecr 834373095], length 0
19:52:00.393108 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [.], ack 891, win 65, options [nop,nop,TS val 4105774954 ecr 834373095], length 0
19:52:00.394928 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61247 > .https: Flags [S], seq 3767223308, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373112 ecr 0,sackOK,eol], length 0
^C
19:52:00.399340 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61248 > 112.29.199.146.http: Flags [S], seq 475420522, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373116 ecr 0,sackOK,eol], length 0
# capture packets of the running ping command that go through en0, outbound only
sh-3.2# tcpdump -l -n -k A -i any -Q "(pid=`pidof ping` && if=en0) && (dir=out)"
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
20:43:28.841764 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 99, length 64
20:43:29.844144 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 100, length 64
20:43:30.845564 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 101, length 64
20:43:31.850426 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 102, length 64
-Q direction
# -Q direction: choose the send/receive direction of the packets to capture; possible values are in, out and inout.
# only available on some platforms; on Mac Big Sur 11.1 it is reported as a syntax error, on Linux it works
# -Q direction: not supported here
sh-3.2# tcpdump -i any -Q inout
tcpdump: cannot parse term at:
tcpdump: invalid expression "inout"
-q
# -q: quick (quiet) output; less protocol information is printed, so the lines are shorter
# generally used to check whether two devices are talking to each other at all
sh-3.2# tcpdump -q -c 1 -i any
17:34:28.477717 IP 192.168.0.108.58502 > ec2-52-73-175-240.compute-1.amazonaws.com.https: tcp 77
-r file
# -B buffer_size: set the operating system capture buffer size, in KB
# -c count: exit after receiving/displaying count packets
# -i any: listen on all network interfaces
# -w file: save the captured packets to a.pcap; the file can be opened with Wireshark
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
# -r file: read packets from a savefile
# read a.pcap and print its packets
sh-3.2# tcpdump -r a.pcap
-S
# -S: print absolute TCP sequence numbers
sh-3.2# tcpdump -S -c 5 -i any tcp
22:55:39.034056 IP 192.168.0.108.53416 > .https: Flags [P.], seq 102397009:102397357, ack 147569054, win 4096, length 348
# print relative TCP sequence numbers
# note how much smaller the sequence numbers are
sh-3.2# tcpdump -c 5 -i any tcp
22:56:34.764683 IP 120.253.253.166.https > 192.168.0.108.53618: Flags [.], ack 399, win 424, options [nop,nop,TS val 683536312 ecr 790374160], length 0
22:56:34.805734 IP 120.253.253.166.https > 192.168.0.108.53618: Flags [P.], seq 1:165, ack 399, win 424, options [nop,nop,TS val 683536353 ecr 790374160], length 164
5 packets captured
-s snaplen
# -s snaplen: capture snaplen bytes of data from each packet rather than the default 262144 bytes; 0 means no truncation
# packets truncated because of the limited snapshot are marked "[|proto]",
# where proto is the name of the protocol level at which the truncation occurred.
# a larger snapshot both increases the time needed to process packets and effectively reduces the amount of packet buffering, which can cause packets to be lost.
# snaplen should be limited to the smallest number that captures the protocol information of interest;
# setting snaplen to 0 sets it to the default of 262144 bytes
# tcpdump -i any -s 0
-T type
# -T type: force packets to be interpreted as the specified type.
# TODO, not used yet
-t n
# without -t, the time is printed as hour:minute:second.microseconds
sh-3.2# tcpdump -q -c 1 -i any
17:31:54.639053 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# -t: don't print a timestamp
sh-3.2# tcpdump -q -t -c 1 -i any
ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# -tt: show UTC time, in seconds, with microsecond precision
sh-3.2# tcpdump -q -tt -c 1 -i any
1619948152.308620 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
# -ttt: the time delta between the current line and the previous one, microsecond precision
sh-3.2# tcpdump -q -ttt -c 5 -i any
 00:00:00.000000 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
 00:00:00.000040 ARP, Reply 192.168.0.108 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
 00:00:01.023767 ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
 00:00:09.320029 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
 00:00:01.739861 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
# -tttt: year-month-day hour:minute:second
sh-3.2# tcpdump -q -tttt -c 5 -i any
2021-05-02 17:36:29.379506 ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# -ttttt: the time delta between the current line and the first line
sh-3.2# tcpdump -q -ttttt -c 5 -i any
 00:00:00.000000 ARP, Request who-has 192.168.0.104 tell 192.168.0.1, length 28
 00:00:00.002959 IP 192.168.0.108.63825 > 192.168.1.1.domain: UDP, length 44
 00:00:00.024223 IP 192.168.1.1.domain > 192.168.0.108.63825: UDP, length 44
 00:00:00.027152 IP 192.168.0.108.63529 > 192.168.1.1.domain: UDP, length 42
 00:00:00.043833 IP 192.168.1.1.domain > 192.168.0.108.63529: UDP, length 42
# -t n: shorthand for -t, -tt, -ttt, -tttt and -ttttt above; n ranges over [0, 5]
# -t 4: same as -tttt, year-month-day hour:minute:second
sh-3.2# tcpdump -q -t 4 -c 5 -i any
2021-05-02 22:10:33.504936 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
2021-05-02 22:10:33.504960 ARP, Reply 192.168.0.108 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
2021-05-02 22:10:33.507086 IP 192.168.0.108.50613 > 192.168.1.1.domain: UDP, length 44
2021-05-02 22:10:33.527680 IP 192.168.1.1.domain > 192.168.0.108.50613: UDP, length 44
2021-05-02 22:10:33.530574 IP 192.168.0.108.52033 > 192.168.1.1.domain: UDP, length 42
--time-zone-offset tz
# TODO, no use case found yet
-u
# -u: print undecoded NFS handles
# TODO
-U
# -U: when tcpdump is saving with -w, write each packet to the savefile as soon as it is captured instead of buffering the file writes
-v ~ -vvv
# -v: verbose output
# e.g. the time to live (TTL), identification, total length and options of IP packets
# also enables full IP and ICMP header checksum verification
sh-3.2# tcpdump -v -c 1 -i any
07:11:58.204064 IP (tos 0x0, ttl 64, id 58584, offset 0, flags [none], proto UDP (17), length 68) 192.168.0.108.50687 > 192.168.1.1.domain: 12358+ Type65? oc.cgiaccess.tc.qq.com. (40)
# -vv: even more verbose output; for example NFS reply packets and SMB packets are fully decoded
sh-3.2# tcpdump -vv -c 1 -i any
07:12:03.135693 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64) 192.168.0.108.59311 > hn.kd.ny.adsl.http: Flags [S], cksum 0xfedc (correct), seq 2245791363, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 813143821 ecr 0,sackOK,eol], length 0
# -vvv: even more verbose output; for example telnet SB ... SE options are printed in full
sh-3.2# tcpdump -vvv -c 1 -i any
07:12:09.490236 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64) 192.168.0.108.59307 > 113.207.16.43.http: Flags [S], cksum 0xe2ff (correct), seq 245316099, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 813150168 ecr 0,sackOK,eol], length 0
-V file
# -V file: read a list of filenames from file. Standard input is used if file is ``-''.
# TODO
-w file
# -B buffer_size: set the operating system capture buffer size, in KB
# -c count: exit after receiving/displaying count packets
# -i any: listen on all network interfaces
# -w file: save the captured packets to a.pcap; the file can be opened with Wireshark
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
-W
# note: -W and -G are normally not combined; combined they behave as follows, and in the end only these 10 files exist
# combined with -G, -W limits the number of rotated dump files; once that many files have been written, tcpdump exits
sh-3.2# tcpdump -G 3 -i any -W 10 -w 'fh_%Y-%m-%d_%T.pcap'
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
Maximum file limit reached: 10
85 packets captured
86 packets received by filter
0 packets dropped by kernel
sh-3.2# 
sh-3.2# ls -l
total 80
-rw-r--r-- 1 root wheel 1748 5 3 18:01 fh_2021-05-03_18:01:06.pcap
-rw-r--r-- 1 root wheel 1720 5 3 18:01 fh_2021-05-03_18:01:09.pcap
-rw-r--r-- 1 root wheel 2012 5 3 18:01 fh_2021-05-03_18:01:13.pcap
-rw-r--r-- 1 root wheel 2464 5 3 18:01 fh_2021-05-03_18:01:16.pcap
-rw-r--r-- 1 root wheel 2220 5 3 18:01 fh_2021-05-03_18:01:19.pcap
-rw-r--r-- 1 root wheel 972 5 3 18:01 fh_2021-05-03_18:01:22.pcap
-rw-r--r-- 1 root wheel 656 5 3 18:01 fh_2021-05-03_18:01:25.pcap
-rw-r--r-- 1 root wheel 2156 5 3 18:01 fh_2021-05-03_18:01:28.pcap
-rw-r--r-- 1 root wheel 660 5 3 18:01 fh_2021-05-03_18:01:31.pcap
-rw-r--r-- 1 root wheel 2736 5 3 18:01 fh_2021-05-03_18:01:34.pcap
Used together with -C, this option limits the number of files that can be created; once the file count reaches the limit, the earlier files are overwritten in turn, which amounts to a ring buffer of filecount files. The option also pads the numeric suffix of each file name with enough leading zeros for the files to sort correctly.
# -W filecount: used with -C, limits the number of files that can be created
# when the current file exceeds the size threshold
# the oldest file is overwritten in turn,
# which amounts to a ring buffer with a fixed number of files
# the option also pads each file name's number with enough leading zeros to keep the files correctly sorted
sh-3.2# tcpdump -C 10 -i any -W 10 -w f.pcap
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
sh-3.2# ls -l
total 202832
-rw-r--r-- 1 root wheel 10001184 5 3 20:46 f.pcap0
-rw-r--r-- 1 root wheel 10000676 5 3 20:46 f.pcap1
-rw-r--r-- 1 root wheel 10000264 5 3 20:46 f.pcap2
-rw-r--r-- 1 root wheel 9436328 5 3 20:46 f.pcap3
-rw-r--r-- 1 root wheel 10001368 5 3 20:46 f.pcap4
-rw-r--r-- 1 root wheel 10000500 5 3 20:46 f.pcap5
-rw-r--r-- 1 root wheel 10001580 5 3 20:46 f.pcap6
-rw-r--r-- 1 root wheel 10001344 5 3 20:46 f.pcap7
-rw-r--r-- 1 root wheel 10000036 5 3 20:46 f.pcap8
-rw-r--r-- 1 root wheel 10001576 5 3 20:46 f.pcap9
-x ~ -xx
# -x: when parsing and printing, also print the headers and data of each packet in hex (excluding the link-layer header)
# the smaller of the entire packet and snaplen bytes is printed.
# if the higher-layer protocol is short and the frame carries padding, the padding is printed too
sh-3.2# tcpdump -x -c 1 -i any
07:15:15.184806 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
    0x0000:  ffff ffff ffff 808f 1d66 9a6e 0800 4500
    0x0010:  0091 2e6a 0000 4011 8b49 c0a8 0001 ffff
    0x0020:  ffff 0400 1389 007d f2f5 0101 0e00 e12b
    0x0030:  83c7 f391 0067 0000 0006 000a 544c 2d57
    0x0040:  4452 3536 3730 000b 0003 312e 3000 0700
    0x0050:  0101 0005 0011 3830 2d38 462d 3144 2d36
    0x0060:  362d 3941 2d36 4500 0800 0b31 3932 2e31
    0x0070:  3638 2e30 2e31 0009 000a 7470 6c6f 6769
    0x0080:  6e2e 636e 000a 000e 544c 2d57 4452 3536
    0x0090:  3730 2031 2e30 000c 0005 312e 372e 34
# -xx: when parsing and printing, also print the headers and data of each packet in hex (including the link-layer header)
sh-3.2# tcpdump -xx -c 1 -i any
07:15:21.845351 IP 192.168.0.1 > all-systems.mcast.net: igmp query v2
    0x0000:  9c00 0000 0100 0000 0100 0000 656e 3000
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000
    0x0020:  0000 0000 0100 0000 0200 0000 0e00 0000
    0x0030:  0000 0000 ffff ffff 0000 0000 0000 0000
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
    0x0050:  0600 0000 ffff ffff 0000 0000 0000 0000
    0x0060:  0000 0000 0000 0000 0000 0000 0000 0000
    0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
    0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
    0x0090:  0000 0000 0000 0000 0000 0000 e0b5 5ff2
    0x00a0:  bba3 808f 1d66 9a6e 0800 4664 0020 0000
    0x00b0:  0000 0102 83c9 c0a8 0001 e000 0001 9404
    0x00c0:  0000 1164 ee9b 0000 0000
-X ~ -XX
# -X: print the headers and data of each packet in hex and ASCII (excluding the link-layer header)
sh-3.2# tcpdump -X -c 1 -i any
09:27:02.294497 IP 192.168.0.108.59641 > 17.57.145.85.5223: Flags [P.], seq 2947289557:2947289591, ack 1286537765, win 2048, options [nop,nop,TS val 815292931 ecr 1521406707], length 34
    0x0000:  808f 1d66 9a6e e0b5 5ff2 bba3 0800 4500  ...f.n.._.....E.
    0x0010:  0056 0000 4000 4006 d6ff c0a8 006c 1139  .V..@.@......l.9
    0x0020:  9155 e8f9 1467 afac 11d5 4caf 0225 8018  .U...g....L..%..
    0x0030:  0800 c0de 0000 0101 080a 3098 6203 5aae  ..........0.b.Z.
    0x0040:  d2f3 1703 0300 1d36 51f7 2f2f 61dc aec8  .......6Q.//a...
    0x0050:  3e9f 7142 ad7d 2c52 17cb 3f69 5844 5a0b  >.qB.},R..?iXDZ.
    0x0060:  b730 68b2                                .0h.
# -XX: print the headers and data of each packet in hex and ASCII (including the link-layer header)
sh-3.2# tcpdump -XX -c 1 -i any
09:27:19.770828 ARP, Request who-has 192.168.0.102 tell 192.168.0.1, length 28
    0x0000:  9c00 0000 0100 0000 0100 0000 656e 3000  ............en0.
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0100 0000 0200 0000 0e00 0000  ................
    0x0030:  0000 0000 ffff ffff 0000 0000 0000 0000  ................
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0050:  0600 0000 ffff ffff 0000 0000 0000 0000  ................
    0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0090:  0000 0000 0000 0000 0000 0000 ffff ffff  ................
    0x00a0:  ffff 808f 1d66 9a6e 0806 0001 0800 0604  .....f.n........
    0x00b0:  0001 808f 1d66 9a6e c0a8 0001 0000 0000  .....f.n........
    0x00c0:  0000 c0a8 0066                           .....f
-y datalinktype
# -y datalinktype: set the data link type to capture on; the possible values can be listed with tcpdump -L
sh-3.2# tcpdump -c 3 -i any -y PKTAP
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
07:13:18.510220 IP 192.168.0.108.50031 > 192.168.1.1.domain: 52163+ Type65? init.itunes.apple.com. (39)
07:13:18.510370 IP 192.168.0.108.53892 > 192.168.1.1.domain: 51314+ A? init.itunes.apple.com. (39)
07:13:18.511977 IP 192.168.0.108.59574 > 192.168.1.1.domain: 31671+ PTR? 1.1.168.192.in-addr.arpa. (42)
-z postrotate-command
# TODO
-Z user
# -Z user: if tcpdump is running as root,
# after opening the capture device or the input savefile, but before opening any output savefile,
# change the user ID to user and the group ID to user's primary group
# this behaviour is enabled at compile time
Simple Example
# capture packets arriving from or departing to sundown
tcpdump host sundown
# capture packets between helios and either hot or ace
# note: parentheses have a special meaning in the shell, so they must be escaped
sh-3.2# tcpdump host helios and \( hot or ace \)
# single quotes work as well
sh-3.2# tcpdump host 'helios and ( hot or ace )'
# capture IP packets between host ace and any host except helios
tcpdump ip host ace and not helios
# according to the TCP specification, the flag bits are
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
# 128 |  64 |  32 |  16 |   8 |   4 |   2 |   1
# the protocol stores these flags in a single byte,
# so for every flag that is set, the corresponding bit is 1
# the value of tcp[13] is the byte made up of all the flag bits
# for example, with SYN and ECE set and nothing else:
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
#   0 |   1 |   0 |   0 |   0 |   0 |   1 |   0
# the binary number 01000010 is 2+64=66 in dec
# capture packets whose TCP flags are exactly SYN=1
# tcpflags and tcp-syn are fixed keywords
sh-3.2# tcpdump -c 3 -i any tcp[tcpflags] == tcp-syn
10:35:52.530024 IP 192.168.0.105.50185 > 36.152.44.95.http: Flags [S], seq 2376496549, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 961791043 ecr 0,sackOK,eol], length 0
# capture packets with SYN=1 in the TCP flags
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & tcp-syn != 0"
10:46:13.462082 IP 192.168.0.105.50230 > 17.57.145.138.5223: Flags [SEW], seq 2859770077, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 962410554 ecr 0,sackOK,eol], length 0
# capture packets with SYN=1 and every other flag 0
# 13 is the octet index into the TCP header, i.e. its 14th byte
sh-3.2# tcpdump -c 3 -i any tcp[13] == 2
10:37:04.078781 IP 192.168.0.105.50186 > 36.152.44.95.http: Flags [S], seq 2470176140, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 961862485 ecr 0,sackOK,eol], length 0
# capture packets with SYN=1, the other flags don't care
sh-3.2# tcpdump -c 3 -i any 'tcp[13] & 2 != 0'
10:43:36.097897 IP 112.12.18.35.http > 192.168.0.105.50220: Flags [S.E], seq 2162058548, ack 687473791, win 24560, options [mss 1240,sackOK,TS val 3488808144 ecr 962253657,nop,wscale 7], length 0
# capture packets with SYN=1
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & 2 != 0"
10:48:18.979423 IP 112.13.113.177.https > 192.168.0.105.50239: Flags [S.E], seq 2878024220, ack 3660935114, win 65535, options [mss 1240,nop,nop,sackOK,nop,wscale 7], length 0
# capture packets with SYN=1
# the SYN flag must be 1
sh-3.2# tcpdump -c 3 -i any "tcp[13] & tcp-syn != 0"
10:50:02.277088 IP 114.215.201.167.https > 192.168.0.105.50240: Flags [S.E], seq 3713319443, ack 3904450841, win 28960, options [mss 1444,sackOK,TS val 813836359 ecr 962638984,nop,wscale 7], length 0
# combining flags
# capture packets with S or E set; S is 2, E is 64
sh-3.2# tcpdump -c 3 -i any "tcp[13] & 66 != 0"
10:52:43.165572 IP 192.168.0.105.50253 > 112.13.113.175.https: Flags [SEW], seq 2596521973, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 962799488 ecr 0,sackOK,eol], length 0
10:52:43.170984 IP 112.13.113.175.https > 192.168.0.105.50253: Flags [S.E], seq 1776611129, ack 2596521974, win 65535, options [mss 1240,nop,nop,sackOK,nop,wscale 7], length 0
# capture packets whose TCP flags are exactly SYN or exactly ACK
sh-3.2# tcpdump -c 3 -i any "tcp[13] == 2 || tcp[13] == 16"
11:04:16.448140 IP 192.168.0.105.50305 > 202.89.233.100.http: Flags [.], ack 4288857099, win 4096, length 0
11:04:16.484528 IP 202.89.233.100.http > 192.168.0.105.50305: Flags [.], ack 76, win 2052, length 0
11:04:16.488353 IP 192.168.0.105.50305 > 202.89.233.100.http: Flags [.], ack 252, win 4092, length 0
3 packets captured
# the same, written with the keywords
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] == tcp-syn || tcp[tcpflags] == tcp-ack"
11:05:36.259971 IP 192.168.0.105.50307 > 202.89.233.100.http: Flags [.], ack 1056415600, win 4096, length 0
11:05:36.294120 IP 202.89.233.100.http > 192.168.0.105.50307: Flags [.], ack 76, win 2052, length 0
11:05:36.296395 IP 192.168.0.105.50307 > 202.89.233.100.http: Flags [.], ack 252, win 4092, length 0
# capture packets with SYN=1 or ACK=1, whatever the other flags are
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & (tcp-syn | tcp-ack) != 0"
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:06:49.538196 IP 192.168.0.105.50317 > 202.89.233.100.http: Flags [SEW], seq 1874972306, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 963643859 ecr 0,sackOK,eol], length 0
11:06:49.575793 IP 202.89.233.100.http > 192.168.0.105.50317: Flags [S.E], seq 2830925598, ack 1874972307, win 65535, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
11:06:49.575892 IP 192.168.0.105.50317 > 202.89.233.100.http: Flags [.], ack 1, win 4096, length 0
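As an added example (not code from the original article), the following Python script rebuilds the raw bytes from the -X hex dump shown earlier, locates the TCP header behind the IPv4 header the way BPF's tcp[13] does, and evaluates the flag filters from this section against that packet's flags byte; it makes visible why the == forms only match packets with exactly those flags set while the & forms also accept combinations.

```python
# Added example (not from the original article): rebuild the packet bytes from a
# "tcpdump -X" hex dump, locate the TCP header behind the IPv4 header the way
# BPF's tcp[13] does, and evaluate the flag filters from this section on it.
import re
import struct

# Constructed input: the -X output shown earlier in this article (Ethernet/IPv4/TCP).
TCPDUMP_X_OUTPUT = """\
09:27:02.294497 IP 192.168.0.108.59641 > 17.57.145.85.5223: Flags [P.], seq 2947289557:2947289591, ack 1286537765, win 2048, options [nop,nop,TS val 815292931 ecr 1521406707], length 34
    0x0000:  808f 1d66 9a6e e0b5 5ff2 bba3 0800 4500  ...f.n.._.....E.
    0x0010:  0056 0000 4000 4006 d6ff c0a8 006c 1139  .V..@.@......l.9
    0x0020:  9155 e8f9 1467 afac 11d5 4caf 0225 8018  .U...g....L..%..
    0x0030:  0800 c0de 0000 0101 080a 3098 6203 5aae  ..........0.b.Z.
    0x0040:  d2f3 1703 0300 1d36 51f7 2f2f 61dc aec8  .......6Q.//a...
    0x0050:  3e9f 7142 ad7d 2c52 17cb 3f69 5844 5a0b  >.qB.},R..?iXDZ.
    0x0060:  b730 68b2                                .0h.
"""

# Bit values of the TCP flags byte, in the order the article lists them (CWR .. FIN).
TCP_FLAGS = {"CWR": 128, "ECE": 64, "URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def parse_hexdump(text):
    """Rebuild raw packet bytes from tcpdump -x/-X rows ("0x0010:  0056 0000 ...")."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x([0-9a-fA-F]{4}):\s+(.*)", line)
        if not m:
            continue  # the summary line, or anything else that is not a hex row
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"unexpected offset 0x{offset:04x}, have {len(out)} bytes")
        # the hex words and the ASCII column (-X only) are separated by two spaces
        words = m.group(2).split("  ", 1)[0].split()
        out.extend(bytes.fromhex("".join(words)))
    return bytes(out)


def decode(pkt):
    """Walk Ethernet -> IPv4 -> TCP and return the fields tcpdump prints, plus tcp[13]."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes (20 without options)
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:]  # BPF's tcp[n] indexes from here, so tcp[13] is the flags byte
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcp[13],
    }


def flag_names(flags):
    """Names of the flags set in a tcp[13] value, e.g. 0x18 -> ['ACK', 'PSH']."""
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


# The filter expressions from this section, written as Python over the flags byte f.
# "==" demands exactly those bits; "& ... != 0" accepts any additional flags as well.
FILTERS = {
    "tcp[13] == 2": lambda f: f == 2,
    "tcp[13] & 2 != 0": lambda f: (f & 2) != 0,
    "tcp[13] & 66 != 0": lambda f: (f & 66) != 0,
    "tcp[13] == 2 || tcp[13] == 16": lambda f: f == 2 or f == 16,
    "tcp[13] & (2 | 16) != 0": lambda f: (f & (2 | 16)) != 0,
    "tcp[13] & (2 | 1) != 0": lambda f: (f & (2 | 1)) != 0,
}


def evaluate_filters(flags):
    """Return {expression: matched?} for every filter above against one flags byte."""
    return {expr: fn(flags) for expr, fn in FILTERS.items()}


def main():
    info = decode(parse_hexdump(TCPDUMP_X_OUTPUT))
    print(f"{info['src']}.{info['sport']} > {info['dst']}.{info['dport']} "
          f"tcp[13]=0x{info['flags']:02x} {flag_names(info['flags'])}")
    for expr, hit in evaluate_filters(info["flags"]).items():
        print(f"  {expr:32s} -> {'match' if hit else 'no match'}")


if __name__ == "__main__":
    main()
```

Against the article's own PSH+ACK packet, `tcp[13] == 2 || tcp[13] == 16` does not match while `tcp[13] & (2 | 16) != 0` does, which is why the == form above only ever showed bare ACKs.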
# Capture ICMP echo reply packets
sh-3.2# tcpdump -l -i any 'icmp[icmptype] == icmp-echoreply'
11:11:17.364314 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 0, length 64
11:11:18.367304 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 1, length 64
11:11:19.382795 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 2, length 64
11:11:20.375911 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 3, length 64
11:11:21.386021 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 4, length 64
11:11:22.390280 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 5, length 64
# Capture outgoing ICMP echo request packets
sh-3.2# tcpdump -l -i any 'icmp[icmptype] == icmp-echo'
11:12:11.536154 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 31748, seq 54, length 64
11:12:12.538711 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 31748, seq 55, length 64
# Capture packets with SYN or FIN set in the TCP header
sh-3.2# tcpdump -c 3 -i any 'tcp[tcpflags] & (tcp-syn | tcp-fin) != 0'
11:18:30.044806 IP 192.168.0.105.50348 > 36.152.44.96.http: Flags [SEW], seq 2552582652, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 964343308 ecr 0,sackOK,eol], length 0
11:18:30.070423 IP 36.152.44.96.http > 192.168.0.105.50348: Flags [S.EW], seq 1113793641, ack 2552582653, win 8192, options [mss 1444,nop,wscale 5,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,sackOK,eol], length 0
11:18:30.090726 IP 192.168.0.105.50348 > 36.152.44.96.http: Flags [F.], seq 78, ack 2782, win 4096, length 0
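The flag comparisons in the captures above (tcp[13] / tcp[tcpflags] combined with ==, & and |, up to the SYN-or-FIN form just shown) can be reasoned about without an interface. The following Python script is an added example, not code from the original article or from tcpdump: it constructs a few TCP headers with struct (all sample ports and sequence numbers are made up), reads octet 13 the way BPF's tcp[13] does, applies the article's filter expressions as Python predicates, and renders the flags letters the way tcpdump prints them inside Flags [...].

```python
"""Evaluate tcpdump's TCP flag filters offline.

Added example (not code from the original article): it builds minimal
TCP headers with struct, reads octet 13 the way BPF's tcp[13] does, and
applies the same predicates as the article's filters, so the difference
between '== tcp-syn', '& tcp-syn != 0' and '& 66 != 0' is visible
without capturing traffic.
"""
import struct

# Flag bit values of TCP header octet 13, as in the article's table
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8,
             "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128}

# Keywords pcap-filter accepts instead of the raw numbers
PCAP_KEYWORDS = {"tcp-fin": 1, "tcp-syn": 2, "tcp-rst": 4, "tcp-push": 8,
                 "tcp-ack": 16, "tcp-urg": 32, "tcp-ece": 64, "tcp-cwr": 128}

# Letters tcpdump prints inside "Flags [...]", in bit order (ACK is '.')
FLAG_LETTERS = "FSRP.UEW"


def flags_value(*names):
    """Decimal value of the flags octet for the named flags, e.g. SYN+ECE -> 66."""
    return sum(TCP_FLAGS[n.upper()] for n in names)


def decode_flags(value):
    """Render a flags octet the way tcpdump prints it: 66 -> 'SE', 18 -> 'S.'."""
    return "".join(ch for bit, ch in enumerate(FLAG_LETTERS) if value & (1 << bit))


def build_tcp_header(src_port, dst_port, *flag_names):
    """Constructed 20-byte TCP header without options (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH",
                       src_port, dst_port,
                       0x11223344,            # sequence number (arbitrary)
                       0,                     # acknowledgement number
                       5 << 4,                # data offset = 5 words, reserved bits 0
                       flags_value(*flag_names),
                       65535,                 # window
                       0,                     # checksum (not computed)
                       0)                     # urgent pointer


def tcp13(header):
    """BPF tcp[13] (alias tcp[tcpflags]): the single octet at offset 13."""
    return header[13]


# The article's filter expressions and their meaning on the flags octet.
# In pcap-filter, '&' binds tighter than '!=' (as it does in Python), so
# 'tcp[13] & 2 != 0' means '(tcp[13] & 2) != 0'.
SYN, ACK, FIN = PCAP_KEYWORDS["tcp-syn"], PCAP_KEYWORDS["tcp-ack"], PCAP_KEYWORDS["tcp-fin"]
FILTERS = {
    "tcp[tcpflags] == tcp-syn":                 lambda f: f == SYN,           # SYN and nothing else
    "tcp[tcpflags] & tcp-syn != 0":             lambda f: f & SYN != 0,       # SYN set, others ignored
    "tcp[13] & 66 != 0":                        lambda f: f & 66 != 0,        # SYN or ECE set
    "tcp[13] == 2 || tcp[13] == 16":            lambda f: f == 2 or f == 16,  # pure SYN or pure ACK
    "tcp[tcpflags] & (tcp-syn | tcp-ack) != 0": lambda f: f & (SYN | ACK) != 0,
    "tcp[tcpflags] & (tcp-syn | tcp-fin) != 0": lambda f: f & (SYN | FIN) != 0,
}


def matching_filters(header):
    """Return the article's filter expressions that would accept this header."""
    f = tcp13(header)
    return [expr for expr, pred in FILTERS.items() if pred(f)]


if __name__ == "__main__":
    # Constructed samples mirroring what the article's captures show
    samples = {
        "client SYN":         build_tcp_header(50185, 80, "SYN"),
        "client SYN+ECE+CWR": build_tcp_header(50253, 443, "SYN", "ECE", "CWR"),
        "server SYN+ACK+ECE": build_tcp_header(443, 50239, "SYN", "ACK", "ECE"),
        "pure ACK":           build_tcp_header(50305, 80, "ACK"),
        "FIN+ACK":            build_tcp_header(50348, 80, "FIN", "ACK"),
    }
    for name, hdr in samples.items():
        print(f"{name:20} tcp[13]={tcp13(hdr):3d} Flags [{decode_flags(tcp13(hdr))}]")
        for expr in matching_filters(hdr):
            print("    matches", expr)
```

Running it directly prints, for each constructed header, which of the article's expressions would accept it. The output makes the earlier captures easier to read: the == forms accept only packets where no other flag is set, which is why tcp[13] == 2 || tcp[13] == 16 matched plain ACK segments but never a SYN+ACK, while the & forms accept SYN+ACK+ECE (S.E) and SYN+ECE+CWR (SEW) as well.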
# Wrong example; watch the spelling: it is tcpflags, not tcp-flags
sh-3.2# tcpdump -c 3 -i any 'tcp[tcp-flags] & (tcp-syn | tcp-fin) != 0'
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
# Capture packets whose length is less than or equal to 64
sh-3.2# tcpdump -i any 'len <= 64'
11:26:36.537212 IP 192.168.0.106 > 224.0.0.251: igmp v2 report 224.0.0.251
11:26:36.639064 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:26:40.633276 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:26:49.644929 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:26:49.644936 ARP, Request who-has 192.168.0.104 tell 192.168.0.1, length 28
11:26:50.668792 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:26:52.614550 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
# less x is equivalent to len <= x
sh-3.2# tcpdump -i any 'less 64'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:28:02.657862 ARP, Request who-has 192.168.0.106 tell 192.168.0.1, length 28
11:28:02.965671 IP 192.168.0.106 > 224.0.0.251: igmp v2 report 224.0.0.251
11:28:07.675190 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:28:08.333329 IP 192.168.0.105.50372 > .https: Flags [.], ack 726486359, win 4096, length 0
# greater x is equivalent to len > x
sh-3.2# tcpdump -i any 'greater 15'
11:28:48.411257 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 48132, seq 191, length 64
11:28:48.413868 IP 192.168.0.105.58130 > 192.168.1.1.domain: 30895+ PTR? 105.0.168.192.in-addr.arpa. (44)
11:28:48.422369 IP 192.168.1.1.domain > 192.168.0.105.58130: 30895 1/0/0 PTR 192.168.0.105. (71)
11:28:48.424873 IP 192.168.0.105.54997 > 192.168.1.1.domain: 42652+ PTR? 95.44.152.36.in-addr.arpa. (43)
11:28:48.433663 IP 192.168.1.1.domain > 192.168.0.105.54997: 42652 NXDomain 0/0/0 (43)
11:28:48.435863 IP 192.168.0.105.51512 > 192.168.1.1.domain: 7793+ PTR? 1.1.168.192.in-addr.arpa. (42)
11:28:48.439439 IP 192.168.1.1.domain > 192.168.0.105.51512: 7793 1/0/0 PTR 192.168.1.1. (67)
11:28:48.439452 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 191, length 64
11:28:49.415585 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 48132, seq 192, length 64
11:28:49.443141 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 192, length 64
# Capture packets whose length is exactly 71
sh-3.2# tcpdump -i any 'len == 71'
11:31:20.306112 IP 192.168.0.105.64280 > 192.168.1.1.domain: 35181+ Type65? p1.glb6.com. (29)
11:31:20.306445 IP 192.168.0.105.55012 > 192.168.1.1.domain: 7495+ A? p1.glb6.com. (29)
11:31:20.315468 IP 192.168.1.1.domain > 192.168.0.105.64280: 35181 0/0/0 (29)
# Capture ping reply packets involving MAC address 54:75:95:7b:35:60
# In this example another terminal is continuously pinging www.baidu.com, and 54:75:95:7b:35:60 is the MAC address the Baidu replies arrive from
# src can be placed before host to state that the direction is from Baidu towards us
sh-3.2# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether host 54:75:95:7b:35:60'
11:37:35.310634 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 716, length 64
11:37:36.318294 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 717, length 64
11:37:37.314188 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 718, length 64
11:37:38.323501 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 719, length 64
11:37:39.328558 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 720, length 64
11:37:40.321349 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 721, length 64
# The other terminal:
fh@192 ~ % ping www.baidu.com
# Capture ping reply packets whose source MAC address is 54:75:95:7b:35:60
sh-3.2# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether src host 54:75:95:7b:35:60'
11:49:40.812524 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 17, length 64
11:49:41.818021 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 18, length 64
11:49:42.814954 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 19, length 64
11:49:43.823059 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 20, length 64
11:49:44.826890 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 21, length 64
11:49:45.826942 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 22, length 64
^C
# Broadcast
sh-3.2# tcpdump -i any ether broadcast
11:41:31.679469 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:41:34.750550 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:41:35.674033 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:41:39.666861 ARP, Request who-has 192.168.0.106 tell 192.168.0.1, length 28
# Multicast
sh-3.2# tcpdump -i any ether multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:42:47.659987 ARP, Request who-has 192.168.0.105 tell 192.168.0.1, length 28
11:42:49.707712 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:42:49.707729 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:42:50.731564 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
# IPv4 multicast
sh-3.2# tcpdump -i any ip multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:44:55.661623 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:15.630119 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:35.701241 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:55.672420 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# IPv6 multicast
sh-3.2# tcpdump -i any ip6 multicast
11:47:38.380803 IP6 fe80::7:29a1:df91:ad39 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
11:47:38.483198 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483273 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483646 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483673 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483732 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.488898 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.488967 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.489085 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
# Filter packets whose TCP dst port is 80 and src port is 51061, matching directly on the TCP header bytes
sh-3.2# lsof -nP | grep -i qqmusic | grep TCP
QQMusic 585 fh 37u IPv4 0x593c30f6d1324cb3 0t0 TCP 192.168.0.105:51061->112.12.18.34:80 (ESTABLISHED)
tcp[n:c]: start at byte n and take the following c bytes; the range is [n, n+c-1], in bytes (pcap-filter allows c to be 1, 2 or 4)
# The port numbers below, together with the lsof output, show that the captured packets are the right ones.
sh-3.2# tcpdump -l -nn -k A -i any 'tcp[2:2] == 80 && tcp[0:2] == 51061 '
13:59:15.663518 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51061 > 112.12.18.34.80: Flags [F.], seq 1803106724, ack 809620981, win 2834, options [nop,nop,TS val 971045141 ecr 3500502658], length 0
13:59:15.683182 (en0, proc QQMusic:585:, svc BE, out, so) IP 192.168.0.105.51061 > 112.12.18.34.80: Flags [.], ack 2, win 5156, options [nop,nop,TS val 971045160 ecr 3500559870], length 0
# icmp cannot be followed directly by host
sh-3.2# tcpdump -i any icmp dst host 36.152.44.95
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
# To filter icmp packets, combine the terms with the && operator
# (the expression is unquoted here, so the shell treats && as its own operator and tcpdump only receives 'icmp',
# which is why replies from 36.152.44.96 appear below; quote the whole expression so tcpdump sees both terms)
sh-3.2# tcpdump -i any icmp && dst host 36.152.44.95
14:08:06.605468 IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 36105, seq 22, length 64
14:08:06.629689 IP 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 36105, seq 22, length 64
14:08:07.608930 IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 36105, seq 23, length 64
14:08:07.632835 IP 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 36105, seq 23, length 64
# On macOS, tcpdump output can be piped straight into Wireshark, which opens its window automatically
sh-3.2# tcpdump -i any -w - | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
2021-05-09 14:13:26.269 Wireshark[2574:141163] Warning: Expected min height of view: (<NSView: 0x7f91cd0d2420>) to be less than or equal to 30 but got a height of 32.000000. This error will be logged once per view in violation.
4240 packets captured
4241 packets received by filter
0 packets dropped by kernel
sh-3.2#
# Interfaces can be selected with ifname (again, quote the expression so the shell does not split it at &&)
sh-3.2# tcpdump -k A -i any tcp && ifname en0
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:24:29.129292 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .http > 192.168.0.105.51263: Flags [F.], seq 2759476374, ack 4074839740, win 67, length 0
14:24:29.129371 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51263 > .http: Flags [.], ack 1, win 4096, length 0
14:24:29.129455 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51263 > .http: Flags [F.], seq 1, ack 1, win 4096, length 0
14:24:29.144969 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .http > 192.168.0.105.51261: Flags [F.], seq 620045740, ack 964400737, win 68, length 0
14:24:29.145026 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51261 > .http: Flags [.], ack 1, win 4096, length 0
14:24:29.145101 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51261 > .http: Flags [F.], seq 1, ack 1, win 4096, length 0
14:24:29.148380 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .https > 192.168.0.105.51262: Flags [P.], seq 705673920:705673951, ack 106355732, win 72, length 31
# Capture packets whose dst port is in 50-200 and is not 80
sh-3.2# tcpdump -nn -i any '(dst portrange 50-200) && (! dst port 80)'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:36:43.320692 IP 192.168.0.105.56467 > 192.168.1.1.53: 64499+ A? www.baidu.com. (31)
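The byte-offset port match from the QQMusic example (tcp[2:2] == 80 && tcp[0:2] == 51061), the len / less / greater length tests, and the portrange-with-negation filter just shown all reduce to a few arithmetic rules on the raw frame. The following Python script is an added example, not code from the original article or from libpcap: it constructs Ethernet/IPv4/TCP frames inline with struct (the MAC addresses, IP addresses and ports are made up), derives the TCP header offset from the IPv4 IHL field the way BPF does for tcp[...], and evaluates the article's expressions against them. The greater helper follows pcap-filter(7), where greater x is defined as len >= x.

```python
"""Evaluate a few pcap-filter primitives offline: tcp[n:c], port and
portrange, and the len / less / greater length tests.

Added example, not code from the article or from libpcap.  Frames are
constructed inline with struct (Ethernet + IPv4 + TCP, no options, with
arbitrary MAC/IP values) so it runs without an interface.  'greater x'
is implemented as 'len >= x', which is how pcap-filter(7) defines it.
"""
import struct

ETH_LEN = 14                               # Ethernet header before the IPv4 header
SRC_MAC = bytes.fromhex("e0b55ff2bba3")    # constructed
DST_MAC = bytes.fromhex("5475957b3560")    # constructed


def build_frame(src_port, dst_port, payload=b"", flags=0x10):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = struct.pack("!6s6sH", DST_MAC, SRC_MAC, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,                        # version 4, IHL 5 (20-byte header)
                     0, 20 + 20 + len(payload), 0, 0,
                     64, 6, 0,                    # TTL, protocol TCP, checksum
                     bytes([192, 168, 0, 105]), bytes([112, 12, 18, 34]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, flags, 4096, 0, 0)  # data offset 5 words, flags, window
    return eth + ip + tcp + payload


def tcp_offset(frame):
    """Where the TCP header starts: BPF derives this from the IPv4 IHL field."""
    ihl = frame[ETH_LEN] & 0x0F
    return ETH_LEN + ihl * 4


def tcp_index(frame, n, c=1):
    """BPF tcp[n:c]: c bytes starting at octet n of the TCP header, read as a
    big-endian unsigned integer.  pcap-filter allows c to be 1, 2 or 4."""
    if c not in (1, 2, 4):
        raise ValueError("tcp[n:c] supports c = 1, 2 or 4 only")
    start = tcp_offset(frame) + n
    return int.from_bytes(frame[start:start + c], "big")


def src_port(frame):
    return tcp_index(frame, 0, 2)      # 'tcp[0:2]' is the same test as 'tcp src port'


def dst_port(frame):
    return tcp_index(frame, 2, 2)      # 'tcp[2:2]' is the same test as 'tcp dst port'


def pkt_len(frame):
    """'len': length of the whole captured packet, link-layer header included."""
    return len(frame)


def less(frame, x):
    return pkt_len(frame) <= x         # 'less x'    == 'len <= x'


def greater(frame, x):
    return pkt_len(frame) >= x         # 'greater x' == 'len >= x' (pcap-filter(7))


def evaluate(frame):
    """Apply the article's expressions to one frame; keys are the original filter strings."""
    return {
        "tcp[2:2] == 80 && tcp[0:2] == 51061": dst_port(frame) == 80 and src_port(frame) == 51061,
        "(dst portrange 50-200) && (! dst port 80)": 50 <= dst_port(frame) <= 200 and dst_port(frame) != 80,
        "len <= 64": pkt_len(frame) <= 64,
        "len == 71": pkt_len(frame) == 71,
        "greater 15": greater(frame, 15),
    }


if __name__ == "__main__":
    samples = {
        "QQMusic :51061 -> :80": build_frame(51061, 80),
        "DNS query to :53":      build_frame(56467, 53, payload=b"\x00" * 17),   # 54 + 17 = 71 bytes
        "HTTP GET to :80":       build_frame(51061, 80, payload=b"GET / HTTP/1.1\r\n"),
    }
    for label, frame in samples.items():
        print(label, "len =", pkt_len(frame))
        for expr, ok in evaluate(frame).items():
            print("   ", "match   " if ok else "no match", expr)
```

The one thing worth keeping in mind from this model is that tcp[n:c] is relative to the start of the TCP header, not the frame: libpcap inserts the IHL lookup for you, and on a frame with IPv4 options the same tcp[0:2] still lands on the source port. len, by contrast, counts the whole captured packet including the link-layer header, which is why a 20-byte ARP request shows up as length 28 but still satisfies less 64.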
References
The references are as follows:
Baidu Baike: octet
Baidu Baijiahao: 肝了三天,万字长文教你玩转 tcpdump,从此抓包不用愁 (a long-form tcpdump tutorial)
man tcpdump
man pcap-filter
RFC 793 (TRANSMISSION CONTROL PROTOCOL)