
Basic tcpdump usage

Posted: 2022-10-11 11:13:15  Views: 60
Tags: 49.11 http basic 110.160 42360 192.168 180.101 usage tcpdump

  1. Syntax

    tcpdump -vvnn -c 10 -s 0 -i eth0 "tcpdump primitive expression"
    -vvnn: -vv raises the verbosity of the output; -nn prints IP addresses and port numbers instead of resolving host and service names
    -c: number of packets to capture before stopping
    -s: snapshot length; packets larger than this value are truncated, 0 means no limit (the full packet is captured)
    -i: capture packets passing through the named interface; if omitted, all interfaces

    tcpdump primitive expressions:
    Protocol: ip, arp, rarp, tcp, udp, icmp, http, ether (link-layer protocol)
    Direction: src, dst, dst or src, dst and src, broadcast, multicast
    Type: host (IP or MAC address; under ether it is a MAC address), net (network number), port (port number), portrange (a port range such as 22-99)
    Primitive format: protocol + [direction] + type + value
    Combining primitives: && (and), || (or), ! (not)

  2. Getting familiar with tcpdump (no need to rush; practice makes perfect, and you improve by using it)

    • tcpdump -n -i br0 -c 10 dst host 192.168.32.13 and src port 22

      • (-n: do not resolve host names or port names, which improves performance)

      • (-i: select the interface)

      • (-c: number of packets to capture)

      • dst: destination; host: host

      • src: source; port: port

    • tcpdump -c 10000 src host 192.168.32.13 and port not 59431 -XX

      • port not excludes a given port from the capture

      • -XX prints each packet, link-layer header included, in both hex and ASCII

    • tcpdump tcp port not 50416 and src host 192.168.32.13 -A

      • -A prints packets as ASCII, so part of the payload can be read directly

    • tcpdump -n host 192.168.110.160 and 180.101.49.11 (run curl against Baidu and capture the packets exchanged between this host and Baidu)
      15:49:34.739467 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [S], seq 3504867936, win 29200, options [mss 1460,sackOK,TS val 194013100 ecr 0,nop,wscale 7], length 0
      15:49:34.750563 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [S.], seq 1529026246, ack 3504867937, win 8192, options [mss 1200,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
      15:49:34.750640 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [.], ack 1, win 229, length 0
      15:49:34.750768 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [P.], seq 1:78, ack 1, win 229, length 77
      15:49:34.761561 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [.], ack 78, win 908, length 0
      15:49:34.762788 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [P.], seq 1:1441, ack 78, win 908, length 1440
      15:49:34.762842 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [.], ack 1441, win 251, length 0
      15:49:34.762901 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [P.], seq 1441:2782, ack 78, win 908, length 1341
      15:49:34.762932 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [.], ack 2782, win 272, length 0
      15:49:34.763129 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [F.], seq 78, ack 2782, win 272, length 0
      15:49:34.772208 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [P.], seq 2593:2782, ack 78, win 908, length 189
      15:49:34.772275 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [.], ack 2782, win 272, options [nop,nop,sack 1 {2593:2782}], length 0
      15:49:34.774178 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [.], ack 79, win 908, length 0
      15:49:34.774291 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [F.], seq 2782, ack 79, win 908, length 0
      15:49:34.774343 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [.], ack 2783, win 272, length 0
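As an added example (not part of the original post), here is a small Python parser for the one-line TCP summaries shown above. It checks the three-way handshake, totals packets and bytes per direction, records FINs, and flags the segment at 15:49:34.772208 as a retransmission: its end, 2782, had already been acknowledged by the client, which is why the client answers it with a SACK block. The sample lines are copied from the trace above.

```python
import re
from collections import defaultdict
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?(?:, ack (?P<ack>\d+))?"
    r", win \d+(?:, options \[[^\]]*\])?, length (?P<length>\d+)$")

def parse_line(line):
    """Parse one tcpdump -n TCP line into a dict; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "seq_end", "ack", "length"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def summarize(lines):
    """Per-direction packet/byte counts, handshake and FIN flags, retransmissions.
    A data segment counts as retransmitted when its end is at or below the highest
    relative ack its receiver already sent (SYN/SYN-ACK acks are absolute: skipped)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "fin": False})
    highest_ack, retrans, flags = {}, [], []
    for p in filter(None, map(parse_line, lines)):
        src, dst = f"{p['src']}.{p['sport']}", f"{p['dst']}.{p['dport']}"
        f = flows[(src, dst)]
        f["packets"] += 1
        f["bytes"] += p["length"]
        f["fin"] = f["fin"] or "F" in p["flags"]
        flags.append(p["flags"])
        if p["length"] and p["seq_end"] is not None and p["seq_end"] <= highest_ack.get(dst, 0):
            retrans.append((p["ts"], src, p["seq"], p["seq_end"]))
        if p["ack"] is not None and "S" not in p["flags"]:
            highest_ack[src] = max(highest_ack.get(src, 0), p["ack"])
    return {"flows": dict(flows), "handshake": flags[:3] == ["S", "S.", "."],
            "retransmissions": retrans}

# Sample input: six lines copied from the trace above (handshake, data, retransmit).
SAMPLE = """\
15:49:34.739467 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [S], seq 3504867936, win 29200, options [mss 1460,sackOK,TS val 194013100 ecr 0,nop,wscale 7], length 0
15:49:34.750563 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [S.], seq 1529026246, ack 3504867937, win 8192, options [mss 1200,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
15:49:34.750640 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [.], ack 1, win 229, length 0
15:49:34.762901 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [P.], seq 1441:2782, ack 78, win 908, length 1341
15:49:34.762932 IP 192.168.110.160.42360 > 180.101.49.11.http: Flags [.], ack 2782, win 272, length 0
15:49:34.772208 IP 180.101.49.11.http > 192.168.110.160.42360: Flags [P.], seq 2593:2782, ack 78, win 908, length 189
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```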

From: https://www.cnblogs.com/hovinlu/p/16778535.html
