{"id":5781,"date":"2013-11-06T22:43:22","date_gmt":"2013-11-06T14:43:22","guid":{"rendered":"http:\/\/jpuyy.com\/?p=5781"},"modified":"2022-03-12T22:00:31","modified_gmt":"2022-03-12T14:00:31","slug":"tcpdump-usage","status":"publish","type":"post","link":"https:\/\/jpuyy.com\/?p=5781","title":{"rendered":"tcpdump\u4f7f\u7528\u65b9\u6cd5"},"content":{"rendered":"

tcpdump\u662flinux\u547d\u4ee4\u884c\u4e0b\u5e38\u7528\u7684\u7684\u4e00\u4e2a\u6293\u5305\u5de5\u5177\uff0c\u6293\u5305\u7684\u76ee\u7684\u662f\u5206\u6790\u95ee\u9898\u3002<\/p>\n

tcpdump -i eth0 -nn \u76d1\u542ceth0\uff0c-nn\u8868\u793a\u4ee5ip\u548cport\u65b9\u5f0f\u663e\u793a\u5305\uff0c\u4e0d\u5c06ip\u8f6c\u4e3a\u4e3b\u673a\u540d\uff0c\u8fd9\u79cd\u5728\u88c5B\u7684\u65f6\u5019\u53ef\u4ee5\u5237\u5c4f\uff0c\u610f\u4e49\u4e0d\u5927<\/p>\n

\u6240\u4ee5\u8981\u5b9e\u73b0\u66f4\u7cbe\u7ec6\u5316\u7684\u6293\u5305\u8fd8\u662f\u9700\u8981\u52a0\u66f4\u591a\u7684\u53c2\u6570\uff0c\u4f7f\u7528man tcpdump | less -Ip examples\u53ef\u4ee5\u67e5\u770b\u624b\u518c\u4e2d\u7684\u4f8b\u5b50\u3002\u4ee5\u4e0b\u662f\u5e38\u7528\u7684\u4f8b\u5b50<\/p>\n

\u67e5\u770b\u6240\u6709\u7f51\u5361<\/p>\n

tcpdump -D<\/pre>\n
\u6293\u53d6\u5177\u4f53\u534f\u8bae\u7684\u5305<\/p>\n
tcpdump -i eth0 -nn 'udp'\r\ntcpdump -i eth0 -nn 'tcp'\r\ntcpdump -i eth0 -nn 'icmp'<\/pre>\n
\u6293\u53d6192.168.1.233\u7684\u5305<\/p>\n
tcpdump -i eth0 -nn 'host 192.168.1.233'<\/pre>\n
\u6293\u53d6\u4ece192.168.1.233\u53d1\u9001\u7684\u5305<\/p>\n
tcpdump -i eth0 -nn 'src host 192.168.1.233'<\/pre>\n
\u6293\u53d6\u53d1\u9001\u5230192.168.1.233\u7684\u5305<\/p>\n
tcpdump -i eth0 -nn 'src host 192.168.1.233'<\/pre>\n
\u591a\u79cd\u53c2\u6570\u7528and\u8fde\u63a5\uff0c\u5982<\/p>\n
tcpdump -i eth0 -nn 'tcp port 80 and host 192.168.1.233'<\/pre>\n
\u4f7f\u7528tcpdump\u622a\u53d6HTTP\u5305\u4f1a\u5f88\u65b9\u4fbf<\/p>\n
tcpdump \u8fc7\u6ee4 HTTP GET<\/p>\n
tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'<\/pre>\n
tcpdump \u8fc7\u6ee4 HTTP POST<\/p>\n
tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'<\/pre>\n
tcpdump -e \u663e\u793a\u4ee5\u592a\u7f51\u6570\u636e\u5e27<\/p>\n
tcpdump -v \u663e\u793a\u8fdb\u884c\u7684\u5206\u7ec4\u4ea4\u6362<\/p>\n
tcpdump \u67e5\u770b http \u54cd\u5e94\u5168\u90e8\u62a5\u6587<\/p>\n
tcpdump -A -vvvv -s 9999 -i eth0 port 80<\/code><\/pre>\n
\u67e5\u770bHTTP\u7684\u8bf7\u6c42\u548c\u53cd\u56de\u5934\u548c\u5185\u5bb9\uff0c\u8be6\u89c1https:\/\/sites.google.com\/site\/jimmyxu101\/testing\/use-tcpdump-to-monitor-http-traffic<\/p>\n
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'\r\ntcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'<\/pre>\n
1. To monitor HTTP traffic including request and response headers and message body:<\/p>\n
tcpdump -A -s 0 ‘tcp port 80 and (((ip[2:2] – ((ip[0]&0xf)<<2)) – ((tcp[12]&0xf0)>>2)) != 0)’<\/p>\n
2. To monitor HTTP traffic including request and response headers and message body from a particular source:<\/p>\n
tcpdump -A -s 0 ‘src example.com and tcp port 80 and (((ip[2:2] – ((ip[0]&0xf)<<2)) – ((tcp[12]&0xf0)>>2)) != 0)’<\/p>\n
3. To monitor HTTP traffic including request and response headers and message body from local host to local host:<\/p>\n
tcpdump -A -s 0 ‘tcp port 80 and (((ip[2:2] – ((ip[0]&0xf)<<2)) – ((tcp[12]&0xf0)>>2)) != 0)’ -i lo<\/p>\n
4. To only include HTTP requests, modify \u201ctcp port 80\u201d to \u201ctcp dst port 80\u201d in above commands<\/p>\n
5. Capture TCP packets from local host to local host<\/p>\n
tcpdump -i lo<\/p>\n
tcpdump flag\u89e3\u8bfb<\/p>\n
\"tcpdump-data-flags\"<\/a><\/p>\n\n<\/colgroup>\n<\/colgroup>\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
TCP Flag<\/span><\/td>\nFlag in tcpdump<\/span><\/td>\nFlag Meaning<\/span><\/td>\n<\/tr>\n
SYN<\/span><\/td>\ns<\/span><\/td>\nSyn packet, a session establishment request. The first part of any TCP connection.<\/span><\/td>\n<\/tr>\n
ACK<\/span><\/td>\nack<\/span><\/td>\nAck packet, used to acknowledge the receipt of data from the sender. May appear in conjunction with other flags.<\/span><\/td>\n<\/tr>\n
FIN<\/span><\/td>\nf<\/span><\/td>\nFinish flag, used to indicate the sender\u2019s intention to terminate the connection to the receiving host.<\/span><\/td>\n<\/tr>\n
RESET<\/span><\/td>\nr<\/span><\/td>\nIndicates the sender\u2019s intention to immediately abort the existing connection.<\/span><\/td>\n<\/tr>\n
PUSH<\/span><\/td>\np<\/span><\/td>\nSignals the immediate push of data from the sending host to the receiving host. For interactive applications such as telnet, the main issue is the quickest response time, which this \u201cpush\u201d flag signals.<\/span><\/td>\n<\/tr>\n
URGENT<\/span><\/td>\nurg<\/span><\/td>\nUrgent data should take precedence over other data. For example, a Ctrl-C to terminate a FTP download.<\/span><\/td>\n<\/tr>\n
Placeholder<\/span><\/td>\n0<\/span><\/td>\nIf the connection does not have a syn, finish, reset, or push flag set, this placefolder flag will be found after the destination port. Note that it also appears in conjunction with the ack flag.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
tcpdump\u8bfb\u51fa\u6765\u7684\u4fe1\u606f\u53ef\u4ee5\u4fdd\u5b58\u65b9\u4fbf\u67e5\u770b\u548c\u5206\u6790
\n\u4fdd\u5b58pcap\u4fe1\u606f,\u53ef\u4ee5\u7528WireShark\u6765\u67e5\u770b<\/p>\n
tcpdump -i vmbr1 -nn -vv -tttt -s 65535 -w tcpdump.pcap<\/pre>\n
\u5982\u679c\u62c5\u5fc3\u6587\u4ef6\u8fc7\u5927\u53ef\u4ee5\u52a0 -C \u8ddf\u6570\u5b57\uff0c\u5f53\u6587\u4ef6\u8fbe\u5230\u8fd9\u4e2a\u503c(MB)\u4e4b\u540e\uff0c\u4f1a\u65b0\u751f\u6210tcpdump.pcap.2<\/p>\n
\u6293\u53d6 sql \u8bed\u53e5<\/p>\n
tcpdump -i bond0 -s 0 -l -w -  | strings | perl -e '\r\nwhile(<>) { chomp; next if \/^[^ ]+[ ]*$\/;\r\n    if(\/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL)\/i)\r\n    {\r\n        if (defined $q) { print \"$q\\n\"; }\r\n        $q=$_;\r\n    } else {\r\n        $_ =~ s\/^[ \\t]+\/\/; $q.=\" $_\";\r\n    }\r\n}'\r\n<\/pre>\n
\u67e5\u770b\u4fdd\u5b58\u6587\u4ef6\u7684\u683c\u5f0f<\/p>\n
# file tcpdump.pcap\r\ntcpdump.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)<\/pre>\n
\u5bf9\u4e8e\u4fdd\u5b58\u7684\u6587\u4ef6\u53ef\u4ee5\u7528-r\u8bfb\u53d6\uff0c\u76f8\u5f53\u4e8e\u5bf9\u4e4b\u524d\u7684\u6293\u53d6\u7684\u8fc7\u7a0b\u8fdb\u884c\u56de\u653e\u3002<\/p>\n
tcpdump -ttttnnr tcpdump.pcap\r\ntcpdump -qns 0 -X -r tcpdump.pcap\r\ntcpdump -e -r tcpdump.pcap<\/pre>\n
wireshark filter<\/p>\n
\u91cd\u4f20<\/p>\n
\r\ntcp.analysis.retransmission\r\n<\/pre>\n
\u8fc7\u6ee4 tcp stream<\/p>\n
\r\ntcp.stream eq 1\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
tcpdump\u662flinux\u547d\u4ee4\u884c\u4e0b\u5e38\u7528\u7684\u7684\u4e00\u4e2a\u6293\u5305\u5de5\u5177\uff0c\u6293\u5305\u7684\u76ee\u7684\u662f\u5206\u6790\u95ee\u9898\u3002 tcpdump -i eth0 -nn \u76d1\u542ceth0\uff0c-nn\u8868\u793a\u4ee5ip\u548cport\u65b9\u5f0f\u663e\u793a\u5305\uff0c\u4e0d\u5c06ip\u8f6c\u4e3a\u4e3b\u673a\u540d\uff0c\u8fd9\u79cd\u5728\u88c5B\u7684\u65f6\u5019\u53ef\u4ee5\u5237\u5c4f\uff0c\u610f\u4e49\u4e0d\u5927 \u6240\u4ee5\u8981\u5b9e\u73b0\u66f4\u7cbe\u7ec6\u5316\u7684\u6293\u5305\u8fd8\u662f\u9700\u8981\u52a0\u66f4\u591a\u7684\u53c2\u6570\uff0c\u4f7f\u7528man tcpdump | less -Ip examples\u53ef\u4ee5\u67e5\u770b\u624b\u518c\u4e2d\u7684\u4f8b\u5b50\u3002\u4ee5\u4e0b\u662f\u5e38\u7528\u7684\u4f8b\u5b50 \u67e5\u770b\u6240\u6709\u7f51\u5361 tcpdump -D \u6293\u53d6\u5177\u4f53\u534f\u8bae\u7684\u5305 tcpdump -i eth0 -nn ‘udp’ tcpdump -i eth0 -nn ‘tcp’ tcpdump -i eth0 -nn ‘icmp’ \u6293\u53d6192.168.1.233\u7684\u5305 tcpdump -i eth0 -nn ‘host 192.168.1.233’ \u6293\u53d6\u4ece192.168.1.233\u53d1\u9001\u7684\u5305 tcpdump -i eth0 -nn ‘src host 192.168.1.233’ \u6293\u53d6\u53d1\u9001\u5230192.168.1.233\u7684\u5305 tcpdump -i eth0 -nn ‘src host 192.168.1.233’ \u591a\u79cd\u53c2\u6570\u7528and\u8fde\u63a5\uff0c\u5982 […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[159],"tags":[],"class_list":["post-5781","post","type-post","status-publish","format-standard","hentry","category-network"],"_links":{"self":[{"href":"https:\/\/jpuyy.com\/index.php?rest_route=\/wp\/v2\/posts\/5781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jpuyy.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jpuyy.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jpuyy.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/jpuyy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5781"}],"version-history":[{"count":21,"href":"https:\/\/jpuyy.com\/index.php?rest_route=\/wp\/v2\/posts\/5781\/revisions"}],"predecessor-version":[{"id":9532,"href":"https:\/\/jpuyy.com\/index.php?rest_route=\/wp\/v2\/posts\/5781\/revisions\/9532"}],"wp:attachment":[{"href":"https:\/\/jpuyy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jpuyy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jpuyy.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}