Packet capture with tcpdump on CentOS (reposted)

Date: 2024-05-07 10:11:07

Installation:

yum install tcpdump

Command usage:

Listening on a specific network interface

tcpdump

Captures all packets on the first network interface

[root@server110 tcpdump]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:58:14.441562 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956277183:2956277391, ack 2178083060, win 336, length 208
15:58:14.442088 IP server110.34562 > ns-px.online.sh.cn.domain: 34223+ PTR? 169.202.16.18.in-addr.arpa. (44)
15:58:14.486822 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16419, length 0
15:58:14.692932 IP ns-px.online.sh.cn.domain > server110.34562: 34223 NXDomain 0/1/0 (116)
15:58:14.693416 IP server110.57017 > ns-px.online.sh.cn.domain: 12369+ PTR? 5.209.96.202.in-addr.arpa. (43)
15:58:14.693577 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:400, ack 1, win 336, length 192
15:58:14.695254 IP ns-px.online.sh.cn.domain > server110.57017: 12369 1/0/0 PTR ns-px.online.sh.cn. (75)
15:58:14.695519 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 400:656, ack 1, win 336, length 256
15:58:14.696577 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 656:1232, ack 1, win 336, length 576
15:58:14.697564 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1232:1392, ack 1, win 336, length 160
15:58:14.698563 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1392:1552, ack 1, win 336, length 160

 

tcpdump -i: captures only the packets of one specified network interface

[root@server110 tcpdump]# ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:DE:05:94
inet addr:18.16.200.110 Bcast:18.16.200.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fede:594/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:50017569 errors:0 dropped:0 overruns:0 frame:0
TX packets:27403502 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21017784488 (19.5 GiB) TX bytes:3969196772 (3.6 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:191873 errors:0 dropped:0 overruns:0 frame:0
TX packets:191873 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:31953071 (30.4 MiB) TX bytes:31953071 (30.4 MiB)

[root@server110 tcpdump]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:59:43.529881 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956715807:2956716015, ack 2178087524, win 336, length 208
15:59:43.530636 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16422, length 0
15:59:43.530732 IP server110.50508 > ns-px.online.sh.cn.domain: 42810+ PTR? 169.202.16.18.in-addr.arpa. (44)
15:59:43.533748 IP ns-px.online.sh.cn.domain > server110.50508: 42810 NXDomain 0/1/0 (116)
15:59:43.534054 IP server110.37348 > ns-px.online.sh.cn.domain: 43151+ PTR? 5.209.96.202.in-addr.arpa. (43)
15:59:43.534537 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:496, ack 1, win 336, length 288
15:59:43.540551 IP ns-px.online.sh.cn.domain > server110.37348: 43151 1/0/0 PTR ns-px.online.sh.cn. (75)
15:59:43.541536 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 496:1072, ack 1, win 336, length 576
15:59:43.542319 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 1072, win 16425, length 0
15:59:43.542529 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1072:1328, ack 1, win 336, length 256
15:59:43.543545 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1328:1488, ack 1, win 336, length 160

 

Listening for traffic to or from a specific host

[root@server110 tcpdump]# tcpdump  host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:07:16.334596 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2957160543:2957160751, ack 2178097380, win 336, length 208
16:07:16.375768 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16425, length 0
16:07:16.539595 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:496, ack 1, win 336, length 288
16:07:16.540553 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 496:656, ack 1, win 336, length 160
16:07:16.541564 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 656:816, ack 1, win 336, length 160
16:07:16.541731 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 656, win 16423, length 0
16:07:16.542572 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 816:1072, ack 1, win 336, length 256
16:07:16.543565 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1072:1232, ack 1, win 336, length 160

 

A specific source host

[root@server110 tcpdump]# tcpdump src host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:30.681395 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 2957168815, win 16420, length 0
16:08:30.791328 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 161, win 16420, length 0
16:08:30.833394 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 321, win 16419, length 0

 

A specific destination host

[root@server110 tcpdump]# tcpdump dst host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:09:27.404603 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2958878511:2958878719, ack 2178100804, win 336, length 208
16:09:27.408521 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:400, ack 1, win 336, length 192
16:09:27.409530 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 400:560, ack 1, win 336, length 160
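The host, src host and dst host captures above all print tcpdump's default one-line summary: time, "IP", source and source port, ">", destination and destination port, then the TCP flags, sequence numbers, window and payload length. Note that in the first capture the PTR queries to ns-px.online.sh.cn are tcpdump's own reverse lookups of the peer address; running tcpdump with -n suppresses name resolution so hosts and ports appear numerically. The following Python is an added example, not code from the original post: it parses that one-line format (the -vv two-line form is not handled), and offers small predicates named after the tcpdump primitives they imitate so the same host/src host/dst host/port selections can be reproduced offline over saved text. The sample lines are constructed from the captures above.

```python
"""Parse tcpdump's default one-line summaries and apply host/port filters offline."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: five lines in the format of the captures above (not a live capture).
SAMPLE = """\
16:07:16.334596 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2957160543:2957160751, ack 2178097380, win 336, length 208
16:07:16.375768 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16425, length 0
15:58:14.442088 IP server110.34562 > ns-px.online.sh.cn.domain: 34223+ PTR? 169.202.16.18.in-addr.arpa. (44)
15:58:14.692932 IP ns-px.online.sh.cn.domain > server110.34562: 34223 NXDomain 0/1/0 (116)
16:07:16.539595 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:496, ack 1, win 336, length 288
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>": the last dot separates host from port/service.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<rest>.*)$"
)


@dataclass
class Record:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: Optional[str]   # TCP flags such as "S", "S.", "P.", "."; None for non-TCP lines
    length: int            # TCP payload bytes as printed by tcpdump; 0 when not reported


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a recognised summary line, or None for headers and other noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    flags = re.search(r"Flags \[([^\]]*)\]", rest)
    length = re.search(r"\blength (\d+)", rest)
    return Record(m["ts"], m["src"], m["sport"], m["dst"], m["dport"],
                  flags.group(1) if flags else None,
                  int(length.group(1)) if length else 0)


Pred = Callable[[Record], bool]


# Predicates named after the tcpdump primitives they imitate (host, src host, dst host, port).
def host(name: str) -> Pred:
    return lambda r: name in (r.src, r.dst)


def src_host(name: str) -> Pred:
    return lambda r: r.src == name


def dst_host(name: str) -> Pred:
    return lambda r: r.dst == name


def port(p: str) -> Pred:
    return lambda r: p in (r.sport, r.dport)


def not_(f: Pred) -> Pred:
    return lambda r: not f(r)


def and_(*fs: Pred) -> Pred:
    return lambda r: all(f(r) for f in fs)


def select(text: str, pred: Pred) -> List[Record]:
    """Parse every line of `text` and keep the records matching `pred`."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [r for r in parsed if r is not None and pred(r)]


def bytes_sent_to(text: str, name: str) -> int:
    """Sum the TCP payload bytes of everything addressed to `name` (the 'dst host' view)."""
    return sum(r.length for r in select(text, dst_host(name)))


if __name__ == "__main__":
    for r in select(SAMPLE, and_(host("18.16.202.169"), not_(port("domain")))):
        print(r.ts, r.src, "->", r.dst, r.flags, r.length)
    print("bytes to 18.16.202.169:", bytes_sent_to(SAMPLE, "18.16.202.169"))
```

Because tcpdump prints service names ("ssh", "cvd", "domain") instead of numbers unless -n is given, the port predicate here compares the printed name; a capture taken with -n would be compared against "22" or "53" instead.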

 

Listening on a specific port

[root@server110 tcpdump]# tcpdump port 8083 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:10:31.361199 IP (tos 0x0, ttl 127, id 19231, offset 0, flags [DF], proto TCP (6), length 52)
18.16.202.169.14626 > server110.us-srv: Flags [S], cksum 0x3315 (correct), seq 2299766793, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:10:31.361264 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
server110.us-srv > 18.16.202.169.14626: Flags [S.], cksum 0x4b86 (correct), seq 1167811532, ack 2299766794, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:10:31.361594 IP (tos 0x0, ttl 127, id 19232, offset 0, flags [DF], proto TCP (6), length 40)
18.16.202.169.14626 > server110.us-srv: Flags [.], cksum 0xa54c (correct), seq 1, ack 1, win 8212, length 0

 

Capturing the TCP protocol and writing the packets to abc.cap

[root@server110 tcpdump]# tcpdump tcp port 8083 -w  ./abc.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C15 packets captured
15 packets received by filter
0 packets dropped by kernel

 

15 packets in total, containing only TCP/HTTP data

A slightly more complex example

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

 

  1. tcp: ip, icmp, arp, rarp and tcp, udp, icmp etc. all have to be placed in the first parameter position; they filter on the packet type

  2. -i eth1: capture only packets passing through interface eth1

  3. -t: do not print timestamps

  4. -s 0: by default only the first 68 bytes of each packet are captured; adding -s 0 captures the complete packet

  5. -c 100: capture only 100 packets

  6. dst port ! 22: do not capture packets whose destination port is 22

  7. src net 192.168.1.0/24: the packet's source network address is 192.168.1.0/24

  8. -w ./target.cap: save as a cap file, convenient for analysis with Ethereal (i.e. Wireshark)
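Both abc.cap above and target.cap here are written by -w in the classic pcap format: a 24-byte global header (magic, version 2.4, timezone, accuracy, snaplen, link type) followed by one 16-byte record header (seconds, microseconds, captured length, original length) per packet. The snaplen from -s is stored in that global header and caps the captured length of every record, which is why a truncated capture (the 68-byte legacy default from item 4) still lets Wireshark see the headers but not the payload. The following Python is an added example, not code from the original post: it writes a small pcap of constructed packets modelled on the port-8083 handshake shown earlier, reads it back with bounds checks on every length field, evaluates the equivalent of the filter "tcp and dst port 8083", and reports how many records the snaplen truncated. Assumptions: Ethernet link type, zeroed IP/TCP checksums (sufficient for offline parsing), the client/server addresses and ports taken from the capture above, constructed timestamps, and -s 0 treated as current tcpdump's maximum snaplen of 262144.

```python
"""Write and read the classic pcap format that `tcpdump -w` produces, honouring a snaplen."""
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4     # microsecond-timestamp pcap; reads byte-swapped on the other endianness
LINKTYPE_ETHERNET = 1       # what tcpdump reports as "link-type EN10MB (Ethernet)"
DEFAULT_SNAPLEN = 262144    # tcpdump's maximum; "-s 0" selects it (older releases defaulted to 68)

# Record as returned by read_pcap: (ts_sec, ts_usec, original_length, captured_bytes)
Record = Tuple[int, int, int, bytes]


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                    payload: bytes = b"", flags: int = 0x18) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, which is fine for offline parsing."""
    eth = bytes.fromhex("525400de0594") + bytes.fromhex("525400000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 14600, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames: List[Tuple[int, int, bytes]], snaplen: int) -> bytes:
    """Serialise (sec, usec, frame) triples; bytes beyond snaplen are dropped, as tcpdump -s does."""
    if snaplen == 0:
        snaplen = DEFAULT_SNAPLEN
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return out


def read_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a pcap blob; every length field is bounds-checked before it is used to slice."""
    if len(data) < 24:
        raise ValueError("too short for a pcap header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack_from(e + "IHHiIII", data, 0)
    if (major, minor) != (2, 4) or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap version or link type")
    records: List[Record] = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl, orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        if incl > snaplen or incl > orig or off + incl > len(data):
            raise ValueError("record length inconsistent with header or file size")
        records.append((sec, usec, orig, data[off:off + incl]))
        off += incl
    return snaplen, records


def tcp_dst_port(frame: bytes, port: int) -> bool:
    """Decode just enough Ethernet/IPv4/TCP to evaluate the filter 'tcp and dst port <port>'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False                     # not IPv4, or cut off before the IP header ends
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 6 or len(frame) < 14 + ihl + 4:
        return False                     # bad IHL, not TCP, or snaplen cut off the TCP ports
    return struct.unpack_from("!H", frame, 14 + ihl + 2)[0] == port


def demo_capture(snaplen: int) -> Dict[str, int]:
    """Write four constructed packets (handshake to port 8083 plus one data segment) and read them back."""
    client, server = "18.16.202.169", "18.16.200.110"
    frames = [
        (1715000000, 361199, build_tcp_frame(client, server, 14626, 8083, flags=0x02)),   # SYN
        (1715000000, 361264, build_tcp_frame(server, client, 8083, 14626, flags=0x12)),   # SYN/ACK
        (1715000000, 361594, build_tcp_frame(client, server, 14626, 8083, flags=0x10)),   # ACK
        (1715000000, 400000, build_tcp_frame(client, server, 14626, 8083, b"A" * 100)),   # data
    ]
    hdr_snaplen, records = read_pcap(write_pcap(frames, snaplen))
    return {
        "snaplen": hdr_snaplen,
        "packets": len(records),
        "to_port_8083": sum(tcp_dst_port(f, 8083) for _, _, _, f in records),
        "truncated": sum(1 for _, _, orig, f in records if len(f) < orig),
    }


if __name__ == "__main__":
    for s in (0, 68, 30):
        print(f"snaplen {s}: {demo_capture(s)}")
```

Running the demo with snaplen 68 shows the point of item 4: the three handshake packets fit, the 100-byte data segment is cut to 68 bytes, yet the port filter still matches because the headers survive; with a snaplen below the 34 bytes of Ethernet plus IPv4 header, nothing can be classified at all. The reader refuses any record whose captured length exceeds the header's snaplen or runs past the end of the file, which is the check a forensic tool must make before trusting a capture handed to it.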

Link: https://www.cnblogs.com/hongdada/p/10565898.html

From: https://www.cnblogs.com/testzcy/p/18176634

    安装samba:yuminstallsambasamba-clientsamba-swat检查是否安装成功:rpm-qa|grepsambasamba文件配置先将smb.conf备份,网上很多人都用rm,后面再建立个新文件cp/etc/samba/smb.conf/etc/samba/smb2.confls-laF/etc/samba/创建目录文件,并进行权限和安全相关设......