tcpdump: showing packet details (tcpdump notes)
Preface: these notes were written after reading the tcpdump documentation; they walk through the options one by one with captures taken on the author's machine.
The commands in this article were tested on the following platform:
# macOS 11.1 Big Sur
# tcpdump version:
sh-3.2# tcpdump --version
tcpdump version tcpdump version 4.9.3 -- Apple version 100
libpcap version 1.9.1
LibreSSL 2.8.3
# Linux and other platforms differ slightly (for example -k and the -Q metadata filter below are Apple additions), but most of this is portable
Network protocol documents use the word Octet (sometimes translated as "eight-bit group"): 1 octet = 8 bits, which is the same as today's byte (B). The specifications say octet rather than byte because on early machines a byte was not always 8 bits (6-, 7- and 9-bit bytes existed), so the standards fixed the unambiguous term 1 octet = 8 bits. When a document refers to the n-th octet it means the n-th byte of some piece of data; check from context whether n counts from 0 or from 1 (tcpdump's tcp[13] below counts from 0).
Many people type a tcpdump command off the top of their head and are rewarded with a syntax error. To avoid that, keep two things in mind; the examples below show why:
- quote the filter expression with single or double quotes as the situation requires;
- write the options and the expression in the order the official man page uses.
fh@192 ~ % NAME=ok
# single quotes: the string is output literally, nothing is expanded
fh@192 ~ % echo 'Hello, $NAME'
Hello, $NAME
# double quotes: variables are expanded first, then the result is output
fh@192 ~ % echo "Hello, $NAME"
Hello, ok
# bare parentheses are interpreted by the shell and fail
fh@192 ~ % echo (ok)
zsh: unknown sort specifier
fh@192 ~ % echo ok && demo
ok
zsh: command not found: demo
# wrapping the string in "" or '' avoids the problem
fh@192 ~ % echo "ok && demo"
ok && demo
fh@192 ~ % echo 'ok && demo'
ok && demo
fh@192 ~ %
Because tcpdump filter expressions contain characters such as ( ) && || > that are special to the shell, the shell would interpret them itself unless they are escaped. In practice, wrap the whole filter expression in single or double quotes; otherwise you get errors like the ones above.
# recommended layout
# flag options that take no value can be combined into one group
tcpdump <flag 1> <flag 2> ... <flag k> <option 1> <value 1> <option 2> <value 2> ... <option n> <value n> 'expression'
Where I have not yet understood an option it is marked TODO; examples will be added once I have worked it out.
SYNOPSIS
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ]
[ -m module ] [ -M secret ]
[ --number ] [ -Q in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ -Q packet-metadata-filter ] [ -Q in|out|inout ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
- -A
# -A: print each packet (minus its link-level header) in ASCII; handy for looking at web page data and other cleartext protocols
sh-3.2# tcpdump -A -c 1 -i any
16:28:07.931082 IP 192.168.0.108.57342 > 192.168.1.1.domain: 59093 A? oth.eve.mdt.qq.com. (36)
...f.n.._.....E..@....@.\....l.......5.,.d.............oth.eve.mdt.qq.com.....
- -b
# -b: print the AS number in BGP packets in ASDOT notation instead of ASPLAIN notation
sh-3.2# tcpdump -b -i any
- −B buffer_size
# -B buffer_size: set the operating system capture buffer size, in KiB (1024-byte units); raise it if "packets dropped by kernel" is non-zero
# -c count: exit after receiving/printing count packets
# -i any: capture on all interfaces
# -w file: write the raw packets to a.pcap; the file can be opened in Wireshark or read back with -r
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
- -c count or -c skip,count
# -c count: exit after capturing count packets
sh-3.2# tcpdump -c 1 -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
17:32:05.155429 IP 192.168.0.108.58448 > 17.57.145.7.5223: Flags [R.], seq 2009854550, ack 1819239997, win 2048, length 0
1 packet captured
37 packets received by filter
0 packets dropped by kernel
sh-3.2#
# -c skip,count: second form accepted by Apple's build: skip the first skip packets, then capture count packets and stop (upstream tcpdump takes only a single count)
# skip before the comma is required, count after the comma is optional
sh-3.2# tcpdump -c 5,3 -i any
# comma with no count: skip the first 5 packets, then keep capturing until interrupted
sh-3.2# tcpdump -c 5, -i any
- −C file_size
# -C file_size: before writing a raw packet to the savefile, check whether the file is larger than file_size (units of 1,000,000 bytes, not 1,048,576);
# -w file: the savefile
# if it is, close the current file and open a new one to continue writing
# new files are named "file" followed by a number starting at 1: file1, file2, ...
sh-3.2# tcpdump -C 5 -i any -w f.pcap
# note: file_size is an approximate limit, not an exact one (see the sizes below)
# the files are named: file, file1, file2, file3, ..., fileN
sh-3.2# ls -lr
-rw-r--r-- 1 root wheel 1782772 5 2 16:19 f.pcap7
-rw-r--r-- 1 root wheel 5000952 5 2 16:19 f.pcap6
-rw-r--r-- 1 root wheel 5001304 5 2 16:19 f.pcap5
-rw-r--r-- 1 root wheel 5000300 5 2 16:19 f.pcap4
-rw-r--r-- 1 root wheel 5000748 5 2 16:19 f.pcap3
-rw-r--r-- 1 root wheel 5000344 5 2 16:19 f.pcap2
-rw-r--r-- 1 root wheel 5000160 5 2 16:18 f.pcap1
-rw-r--r-- 1 root wheel 5000264 5 2 16:18 f.pcap
sh-3.2#
- -d ~ -ddd
# -d: dump the compiled packet-matching code (the BPF program) in a human-readable form to standard output and stop; with no expression it is a single "ret #262144", i.e. accept every packet up to the snaplen. This is the way to check what a filter really compiles to before relying on it
sh-3.2# tcpdump -d
tcpdump: data link type PKTAP
(000) ret #262144
# -dd: dump the packet-matching code as a C program fragment
sh-3.2# tcpdump -dd
tcpdump: data link type PKTAP
{ 0x6, 0, 0, 0x00040000 },
# -ddd: dump the packet-matching code as decimal numbers (preceded by a count)
sh-3.2# tcpdump -ddd
tcpdump: data link type PKTAP
1
6 0 0 262144
- -D
# -D: print the list of network interfaces on the system on which tcpdump can capture packets
# each interface has a number and a name, possibly followed by a description
# either the number or the name can be given to -i to select the interface to capture on
# this is useful on systems that have no command to list interfaces (Windows, or UNIX systems lacking ifconfig -a)
# the number is handy on Windows 2000 and later, where interface names are long, complicated strings
# if tcpdump was built against a libpcap without pcap_findalldevs(), -D is not supported
fh@Feihu-3 ~ % tcpdump -D
1.en0 [Up, Running]
2.awdl0 [Up, Running]
3.llw0 [Up, Running]
4.utun0 [Up, Running]
5.ap1 [Up, Running]
6.utun1 [Up, Running]
7.lo0 [Up, Running, Loopback]
8.bridge0 [Up, Running]
9.en1 [Up, Running]
10.en2 [Up, Running]
11.en3 [Up, Running]
12.en4 [Up, Running]
13.gif0 [none]
14.stf0 [none]
- -e
# -e: print the link-level header on each dump line
# e.g. the MAC addresses of Ethernet and IEEE 802.11 frames
# if two devices on the LAN claim the same IP address, the source MAC tells you which one actually sent the packet
sh-3.2# tcpdump -c 1 -e -i any
16:55:34.277368 80:8f:1d:66:9a:6e (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# the same kind of packet without -e
sh-3.2# tcpdump -c 1 -i any
16:55:45.235387 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
- -E
# -E spi@ipaddr algo:secret: use algo:secret to decrypt IPsec ESP packets addressed to addr
# that carry the Security Parameter Index value spi
# several spi@ipaddr algo:secret triples can be given, separated by commas or newlines
# algo can be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none; the default is des-cbc
# decryption only works if tcpdump was compiled with cryptography enabled
# secret is the ASCII text of the ESP secret key; a value starting with 0x is read as hexadecimal
# the option assumes RFC2406 ESP, not RFC1827 ESP
# it is intended for debugging; using it with real production keys is discouraged
# an IPsec key on the command line is visible to other users via ps and similar tools
# instead of the inline syntax you can pass "file name" to read the keys from a file; tcpdump opens it
# when the first ESP packet arrives, so any special privileges tcpdump was started with (see -Z) have
# already been dropped by then, and the file must therefore be readable by the unprivileged user
[ -E spi@ipaddr algo:secret,... ]
- -f
# -f: print "foreign" IPv4 addresses (those not on the capture interface's network) numerically rather than symbolically
# the man page notes that the foreign test uses the address and netmask of the capture interface, so it does not work correctly on the "any" pseudo-interface, which is why the two captures below look alike
# TODO: confirm the behaviour on a single physical interface
sh-3.2# tcpdump -f -i any
16:46:36.813722 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
16:46:36.814783 IP 192.168.0.105.62980 > 192.168.1.1.domain: 6648 PTR? 1.0.168.192.in-addr.arpa. (42)
16:46:36.820954 IP 192.168.1.1.domain > 192.168.0.105.62980: 6648* 1/0/0 PTR 192.168.0.1. (67)
16:46:36.821712 IP 192.168.0.105.51227 > 192.168.1.1.domain: 4339 PTR? 255.255.255.255.in-addr.arpa. (46)
16:46:36.829809 IP 192.168.1.1.domain > 192.168.0.105.51227: 4339* 0/0/0 (46)
16:46:36.831042 IP 192.168.0.105.61722 > 192.168.1.1.domain: 3347 PTR? 105.0.168.192.in-addr.arpa. (44)
16:46:36.834207 IP 192.168.1.1.domain > 192.168.0.105.61722: 3347* 1/0/0 PTR 192.168.0.105. (71)
sh-3.2# tcpdump -i any
16:47:09.176906 ARP, Reply 192.168.0.1 is-at 54:75:95:7b:35:60 (oui Unknown), length 28
16:47:09.177804 IP 192.168.0.105.53642 > 192.168.1.1.domain: 59641 PTR? 1.0.168.192.in-addr.arpa. (42)
16:47:09.180557 IP 192.168.1.1.domain > 192.168.0.105.53642: 59641* 1/0/0 PTR 192.168.0.1. (67)
16:47:09.181364 IP 192.168.0.105.54508 > 192.168.1.1.domain: 42563 PTR? 105.0.168.192.in-addr.arpa. (44)
16:47:09.184506 IP 192.168.1.1.domain > 192.168.0.105.54508: 42563* 1/0/0 PTR 192.168.0.105. (71)
- -F file
# -F file: read the filter expression from file; any expression given on the command line is ignored
# here the filter in file exp selects packets whose destination port is 80
sh-3.2# tcpdump -nn -i any -F exp
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:51:28.272523 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [SEW], seq 1230950913, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 976750906 ecr 0,sackOK,eol], length 0
16:51:28.300868 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 4276175339, win 4096, length 0
16:51:28.300922 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [P.], seq 0:77, ack 1, win 4096, length 77: HTTP: GET / HTTP/1.1
16:51:28.323539 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 2782, win 4052, length 0
16:51:28.323834 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [F.], seq 77, ack 2782, win 4096, length 0
16:51:28.334178 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [F.], seq 77, ack 2782, win 4096, options [nop,nop,sack 1 {1441:2782}], length 0
16:51:28.349878 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 2783, win 4096, length 0
# trigger some HTTP traffic with a plain request to baidu
fh@192 ~ % curl www.baidu.com
# the file exp contains the filter for destination port 80
sh-3.2# cat exp
dst port 80
- -g
# -g: in verbose mode, do not insert a newline after the IP header, so each packet stays on one line (easier to grep or parse)
# compare the -v output further down, where the IP header and the payload summary are printed on separate lines
sh-3.2# tcpdump -g -vvv -c 3 -i any
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:55:45.885643 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.105 tell 192.168.0.1, length 28
16:55:45.885689 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.105 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
16:55:45.886959 IP (tos 0x0, ttl 64, id 19770, offset 0, flags [none], proto UDP (17), length 72) 192.168.0.105.54217 > 192.168.1.1.domain: [udp sum ok] 13832 PTR? 105.0.168.192.in-addr.arpa. (44)
3 packets captured
8 packets received by filter
0 packets dropped by kernel
sh-3.2#
- −G rotate_seconds
# -G rotate_seconds: with -w, rotate the savefile every rotate_seconds seconds;
# the -w file name should contain a strftime(3) time format so that each rotation gets a new name
# if the name has no time format, each rotation overwrites the same file;
# if -C and -G are both given, the file names take the form file<count>
sh-3.2# tcpdump -G 3 -i any -w 'fh_%Y-%m-%d_%T.pcap'
# file name: fh_year-month-day_hour:minute:second.pcap
sh-3.2# ls -l
total 5560
-rw-r--r-- 1 root wheel 448 5 3 07:29 fh_2021-05-03_07:29:38.pcap
-rw-r--r-- 1 root wheel 352 5 3 07:29 fh_2021-05-03_07:29:50.pcap
-rw-r--r-- 1 root wheel 372 5 3 07:29 fh_2021-05-03_07:29:54.pcap
-rw-r--r-- 1 root wheel 552 5 3 07:30 fh_2021-05-03_07:30:02.pcap
# -G, -C and -w together
sh-3.2# tcpdump -C 1 -G 100000 -i any -w f
# the resulting capture files
sh-3.2# ls -lrt
total 30160
-rw-r--r-- 1 root wheel 1000128 5 3 16:04 f
-rw-r--r-- 1 root wheel 1000576 5 3 16:04 f1
-rw-r--r-- 1 root wheel 1001560 5 3 16:04 f2
-rw-r--r-- 1 root wheel 1000268 5 3 16:04 f3
-rw-r--r-- 1 root wheel 1000012 5 3 16:04 f4
-rw-r--r-- 1 root wheel 1000868 5 3 16:04 f5
-rw-r--r-- 1 root wheel 1000124 5 3 16:04 f6
- -H
# -H: attempt to detect 802.11s draft mesh headers
# TODO
- −i interface
# -i interface: interface to capture on; either the interface name or its number
# both are listed by tcpdump -D
# to capture on all interfaces use tcpdump -i any
# note that a capture on "any" is not done in promiscuous mode, so in some cases you still have to name a specific interface
- -I
# -I, also written --monitor-mode: put the interface into monitor mode; only supported on IEEE 802.11 Wi-Fi interfaces, and only on some operating systems.
- --immediate-mode
# --immediate-mode: capture in immediate mode, where packets are delivered to tcpdump as soon as they arrive instead of being buffered for efficiency (per the man page)
# TODO: example
- -j tstamp_type
# -j tstamp_type: set the capture time stamp type; the types the interface supports are listed by -J (next)
# TODO: example
- -J
sh-3.2# tcpdump -J
Time stamp types for pktap (use option -j to set):
host (Host)
- −−time−stamp−precision=tstamp_precision
# --time-stamp-precision: time stamp precision, micro or nano; the capture device must support it
sh-3.2# tcpdump -c 3 -i any --time-stamp-precision=micro
07:27:15.474324 IP 192.168.0.105.63096 > 17.248.165.105.https: Flags [P.], seq 1745755457:1745756013, ack 644458944, win 2048, options [nop,nop,TS val 842425166 ecr 4054084285], length 556
07:27:15.474879 IP 192.168.0.105.63096 > 17.248.165.105.https: Flags [P.], seq 556:655, ack 1, win 2048, options [nop,nop,TS val 842425166 ecr 4054084285], length 99
07:27:15.494650 IP 192.168.0.105.59318 > 192.168.1.1.domain: 48955 PTR? 105.0.168.192.in-addr.arpa. (44)
# capture three packets with nanosecond precision: this device does not support it
sh-3.2# tcpdump -c 3 -i any --time-stamp-precision=nano
tcpdump: any: Can't set nanosecond time stamp precision: That device doesn't support that time stamp precision
sh-3.2#
- -k
# -k: control the display of packet metadata (an Apple extension for pcap-ng files and PKTAP interfaces); the letters after it select which metadata types to show
# I: interface name or interface ID
# N: process name
# P: process ID
# S: service class
# D: direction
# C: comment (pcap-ng only)
# F: flags
# U: process UUID
# V: verbose dump of the pcap-ng block (off by default)
# A: all metadata types
# not available in upstream tcpdump on Linux
sh-3.2# tcpdump -l -i any -k INPSDCCUVA | grep 'proc QQMusic'
16:31:55.245774 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.108.57731 > .http: Flags [S], seq 598034964, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 803848705 ecr 0,sackOK,eol], length 0
sh-3.2# tcpdump -l -i any -k A | grep 'proc QQMusic'
16:37:59.984827 (en0, proc kernel_task:0:, eproc QQMusic:465:, svc BE, in, so) IP localhost.http > 192.168.0.108.57812: Flags [F.], seq 1219446476, ack 2542671645, win 1047, length 0
- -K
# -K: do not attempt to verify IP, TCP and UDP checksums;
# useful on interfaces that offload some or all of the checksum computation to hardware,
# because otherwise all outgoing TCP checksums are flagged as bad (they are filled in after tcpdump sees the packet)
sh-3.2# tcpdump -K -i any
- -l
# -l: make stdout line buffered; needed when piping tcpdump output to another program (tee, grep) so that lines appear immediately
sh-3.2# tcpdump -l -i any | tee data
16:09:35.951957 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
sh-3.2# cat data
16:09:35.951957 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# save to a file and watch it in the terminal at the same time
# note: whether a backgrounded tcpdump keeps running after the terminal is closed depends on the shell's SIGHUP handling (on the author's Mac it kept capturing); use nohup or setsid if it has to survive
sh-3.2# tcpdump -l -i any > tmp & tail -f tmp
[1] 22454 # tcpdump's process ID
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:12:50.265227 IP 192.168.0.108.57267 > 141.226.231.48.https: Flags [P.], seq 1157134174:1157134385, ack 3885736249, win 4096, length 211
sh-3.2# pidof tcpdump
22454
sh-3.2# cat tmp
16:12:50.265227 IP 192.168.0.108.57267 > 141.226.231.48.https: Flags [P.], seq 1157134174:1157134385, ack 3885736249, win 4096, length 211
- -L
# -L: list the known data link types for the interface
sh-3.2# tcpdump -L
Data link types for pktap (use option -y to set):
PKTAP (Apple DLT_PKTAP)
RAW (Raw IP)
- -m module
# -m module: load SMI MIB module definitions from file module; can be repeated to load several modules (used for SNMP decoding)
# TODO
- -M secret
# -M secret: use secret as the shared secret for validating the digests in TCP segments that carry the TCP-MD5 option (RFC 2385)
# TODO
- -n
# -n: do not convert addresses (host addresses, port numbers, etc.) to names; also avoids the reverse DNS lookups that slow a capture down and leak what you are looking at
# destination port shown as 80
sh-3.2# tcpdump -n -i any dst port 80
17:03:54.503552 IP 192.168.0.105.51843 > 36.152.44.95.80: Flags [SEW], seq 3619108142, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 977496600 ecr 0,sackOK,eol], length 0
# destination port shown as http
sh-3.2# tcpdump -i any dst port 80
17:04:07.620053 IP 192.168.0.105.51844 > 36.152.44.96.http: Flags [SEW], seq 1916226026, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 977509699 ecr 0,sackOK,eol], length 0
- -N
# -N: do not print the domain name qualification of host names, e.g. print "nic" instead of "nic.ddd.mil"
- --number
# --number: print an optional packet number at the beginning of each line
# TODO: useful for referring to specific packets when reading a file with -r; no other use found yet
- -O
# -O: do not run the packet-matching code optimizer; only useful if you suspect a bug in the optimizer
sh-3.2# tcpdump -O -i any
- -P
# -P: write savefiles in pcap-ng format (Apple's build; check the man page of your own build before relying on this letter)
- -p
# -p: do not put the interface into promiscuous mode
# the interface may still be in promiscuous mode for some other reason, so -p is not a substitute for a filter such as "ether host <own MAC> or ether broadcast"; use it when you only want this host's own traffic and want to avoid the promiscuous-mode transition, which some systems log
- -Q expression
# -Q expression (Apple's build): filter on packet metadata, for example by process
# not supported on Linux, where -Q selects the direction instead (see below)
# capture QQMusic's network packets
sh-3.2# tcpdump -l -k A -i any -Q "pid=`pidof QQMusic`"
19:51:44.653768 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61177 > 112.12.18.35.http: Flags [F.], seq 2901431543, ack 439813618, win 2048, options [nop,nop,TS val 834357380 ecr 3175665935], length 0
19:52:00.347990 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [S], seq 1737074890, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373067 ecr 0,sackOK,eol], length 0
19:52:00.354345 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [S], seq 407543729, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373073 ecr 0,sackOK,eol], length 0
19:52:00.376527 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [S.], seq 4234791179, ack 1737074891, win 14280, options [mss 1440,sackOK,TS val 4105774949 ecr 834373067,nop,wscale 8], length 0
19:52:00.376579 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [.], ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 0
19:52:00.376586 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .https > 192.168.0.105.61245: Flags [S.], seq 2778593785, ack 407543730, win 14400, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
19:52:00.376605 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [.], ack 1, win 4096, length 0
19:52:00.377063 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [P.], seq 1:330, ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 329: HTTP: POST /3gmusic/fcgi-bin/imusic_tj HTTP/1.1
19:52:00.377136 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [P.], seq 330:891, ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 561: HTTP
19:52:00.377382 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [P.], seq 1:518, ack 1, win 4096, length 517
19:52:00.392525 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61246 > .http: Flags [S], seq 949130891, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373110 ecr 0,sackOK,eol], length 0
19:52:00.392772 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [.], ack 330, win 60, options [nop,nop,TS val 4105774954 ecr 834373095], length 0
19:52:00.393108 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [.], ack 891, win 65, options [nop,nop,TS val 4105774954 ecr 834373095], length 0
19:52:00.394928 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61247 > .https: Flags [S], seq 3767223308, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373112 ecr 0,sackOK,eol], length 0
^C19:52:00.399340 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61248 > 112.29.199.146.http: Flags [S], seq 475420522, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373116 ecr 0,sackOK,eol], length 0
# capture the packets of the running ping, on interface en0, outbound only
sh-3.2# tcpdump -l -n -k A -i any -Q "(pid=`pidof ping` && if=en0) && (dir=out)"
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
20:43:28.841764 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 99, length 64
20:43:29.844144 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 100, length 64
20:43:30.845564 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 101, length 64
20:43:31.850426 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 102, length 64
- -Q direction
# -Q direction: choose the send/receive direction of the packets to capture; the values are in, out and inout.
# only some platforms support it: Linux does, while on macOS Big Sur 11.1 it is a syntax error
# because Apple's -Q takes a metadata expression instead:
sh-3.2# tcpdump -i any -Q inout
tcpdump: cannot parse term at:
tcpdump: invalid expression "inout"
- -q
# -q: quick (quiet) output; shorter lines with less protocol information
# usually enough to check whether two hosts are talking at all
sh-3.2# tcpdump -q -c 1 -i any
17:34:28.477717 IP 192.168.0.108.58502 > ec2-52-73-175-240.compute-1.amazonaws.com.https: tcp 77
- -r file
# first create a savefile: three packets from all interfaces into a.pcap (-B, -c and -w are explained above)
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
# -r file: read packets from a savefile instead of a live interface; no capture privileges are needed for this
# read a.pcap and print it (the same filter expressions work when reading a file)
sh-3.2# tcpdump -r a.pcap
- -S
# -S: print absolute, rather than relative, TCP sequence numbers
sh-3.2# tcpdump -S -c 5 -i any tcp
22:55:39.034056 IP 192.168.0.108.53416 > .https: Flags [P.], seq 102397009:102397357, ack 147569054, win 4096, length 348
# relative sequence numbers (the default): the first packet of each connection is shown as 0 and the rest count from there,
# which is why the values look small
sh-3.2# tcpdump -c 5 -i any tcp
22:56:34.764683 IP 120.253.253.166.https > 192.168.0.108.53618: Flags [.], ack 399, win 424, options [nop,nop,TS val 683536312 ecr 790374160], length 0
22:56:34.805734 IP 120.253.253.166.https > 192.168.0.108.53618: Flags [P.], seq 1:165, ack 399, win 424, options [nop,nop,TS val 683536353 ecr 790374160], length 164
5 packets captured
- −s snaplen
# -s snaplen: capture only snaplen bytes of each packet instead of the default 262144 bytes
# packets truncated because of the limited snapshot are marked in the output with "[|proto]",
# where proto is the name of the protocol level at which the truncation happened
# a larger snapshot takes longer to process and effectively reduces packet buffering, which can cause packets to be dropped;
# so limit snaplen to the smallest value that covers the protocol information you care about (68 bytes covers IPv4 and TCP headers without options)
# in this version a snaplen of 0 means the default 262144 bytes (kept for compatibility with older versions, where 0 meant "whole packet"); for evidence captures keep the full default so payloads are not cut
# tcpdump -i any -s 0
- -T type
# -T type: force packets selected by the expression to be interpreted as protocol type (e.g. radius, rpc, rtp, snmp, tftp, vxlan, wb); needed when a protocol runs on a non-standard port
# TODO: not used yet
- -t n
# without -t, time stamps are printed as hours:minutes:seconds.microseconds
sh-3.2# tcpdump -q -c 1 -i any
17:31:54.639053 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# -t: do not print a time stamp
sh-3.2# tcpdump -q -t -c 1 -i any
ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# -tt: print an unformatted time stamp: seconds since the Unix epoch (UTC), with microseconds
sh-3.2# tcpdump -q -tt -c 1 -i any
1619948152.308620 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
# -ttt: delta (microsecond resolution) between the current line and the previous one
sh-3.2# tcpdump -q -ttt -c 5 -i any
00:00:00.000000 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
00:00:00.000040 ARP, Reply 192.168.0.108 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
00:00:01.023767 ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
00:00:09.320029 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
00:00:01.739861 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
# -tttt: date and time: year-month-day hours:minutes:seconds.microseconds
sh-3.2# tcpdump -q -tttt -c 5 -i any
2021-05-02 17:36:29.379506 ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# -ttttt: delta (microsecond resolution) between the current line and the first one
sh-3.2# tcpdump -q -ttttt -c 5 -i any
00:00:00.000000 ARP, Request who-has 192.168.0.104 tell 192.168.0.1, length 28
00:00:00.002959 IP 192.168.0.108.63825 > 192.168.1.1.domain: UDP, length 44
00:00:00.024223 IP 192.168.1.1.domain > 192.168.0.108.63825: UDP, length 44
00:00:00.027152 IP 192.168.0.108.63529 > 192.168.1.1.domain: UDP, length 42
00:00:00.043833 IP 192.168.1.1.domain > 192.168.0.108.63529: UDP, length 42
# -t n (Apple's build): n in [0, 5] selects the same formats as -t, -tt, -ttt, -tttt, -ttttt
# -t 4 is equivalent to -tttt: year-month-day hours:minutes:seconds
sh-3.2# tcpdump -q -t 4 -c 5 -i any
2021-05-02 22:10:33.504936 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
2021-05-02 22:10:33.504960 ARP, Reply 192.168.0.108 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
2021-05-02 22:10:33.507086 IP 192.168.0.108.50613 > 192.168.1.1.domain: UDP, length 44
2021-05-02 22:10:33.527680 IP 192.168.1.1.domain > 192.168.0.108.50613: UDP, length 44
2021-05-02 22:10:33.530574 IP 192.168.0.108.52033 > 192.168.1.1.domain: UDP, length 42
- −-time-zone-offset tz
# TODO: no use case found yet
- -u
# -u: print undecoded NFS file handles
# TODO
- -U
# -U (--packet-buffered): with -w, write each packet to the savefile as soon as it is received instead of only when the output buffer fills; it costs some throughput, but the file is usable by other tools in real time and a killed tcpdump does not leave a half-written buffer behind
- -v ~ -vvv
# -v: slightly more verbose output
# e.g. the IP packet's TTL, identification, total length and options
# also enables full verification of the IP and ICMP header checksums
sh-3.2# tcpdump -v -c 1 -i any
07:11:58.204064 IP (tos 0x0, ttl 64, id 58584, offset 0, flags [none], proto UDP (17), length 68)
192.168.0.108.50687 > 192.168.1.1.domain: 12358 Type65? oc.cgiaccess.tc.qq.com. (40)
# -vv: even more verbose; e.g. NFS reply packets and SMB packets are fully decoded
sh-3.2# tcpdump -vv -c 1 -i any
07:12:03.135693 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
192.168.0.108.59311 > hn.kd.ny.adsl.http: Flags [S], cksum 0xfedc (correct), seq 2245791363, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 813143821 ecr 0,sackOK,eol], length 0
# -vvv: even more verbose; e.g. telnet SB ... SE options are printed in full
sh-3.2# tcpdump -vvv -c 1 -i any
07:12:09.490236 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
192.168.0.108.59307 > 113.207.16.43.http: Flags [S], cksum 0xe2ff (correct), seq 245316099, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 813150168 ecr 0,sackOK,eol], length 0
- −V file
# -V file: read a list of savefile names from file, one per line, and process them as with -r; standard input is used if file is "-"
# TODO
- −w file
# -w file: write the raw packets to file instead of parsing and printing them; the file can be read back with -r or opened in Wireshark
# combined here with -B (capture buffer size), -c (stop after 3 packets) and -i any, all explained above
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
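The savefile that -w produces and -r reads, and that -s, -U and --time-stamp-precision influence, is the classic pcap format. The following Python example (added here, not code from the original notes) writes and parses it with only the standard library: packets longer than the snaplen are stored truncated but keep their original length, the magic number records microsecond or nanosecond precision, both byte orders are accepted, and a file cut off in the middle of a record (what a tcpdump killed without -U can leave behind) is reported instead of being silently accepted. The packet contents and timestamps are constructed.

```python
"""Write and read the classic pcap savefile format (tcpdump -w / -r).

Added example; not part of the original notes. The packet bytes and
timestamps are constructed; the format constants are the public pcap values.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4   # microsecond time stamps (--time-stamp-precision=micro, the default)
MAGIC_NSEC = 0xA1B23C4D   # nanosecond time stamps (--time-stamp-precision=nano)
DLT_EN10MB = 1            # Ethernet link type
DEFAULT_SNAPLEN = 262144  # tcpdump's default -s


def write_pcap(packets, snaplen=DEFAULT_SNAPLEN, nanosecond=False,
               linktype=DLT_EN10MB, byteorder="<") -> bytes:
    """Serialize (seconds, fraction, data) triples the way tcpdump -w does.

    fraction is in microseconds, or nanoseconds when nanosecond=True. Each
    packet is cut to snaplen bytes (what -s does), but orig_len keeps the
    real length so a reader can tell that truncation happened.
    """
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = [struct.pack(byteorder + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)]
    for sec, frac, data in packets:
        captured = data[:snaplen]
        out.append(struct.pack(byteorder + "IIII", sec, frac, len(captured), len(data)))
        out.append(captured)
    return b"".join(out)


def read_pcap(blob: bytes) -> dict:
    """Parse a pcap blob into file-level info plus one dict per packet record.

    Handles both byte orders (a file written on a big-endian host shows the
    byte-swapped magic) and both time stamp precisions. A record whose
    incl_len is below orig_len was truncated by the snaplen, which is what
    tcpdump flags as [|proto] when printing. Anything inconsistent raises
    ValueError instead of being guessed at: savefiles from untrusted sources
    are a classic parser attack surface.
    """
    if len(blob) < 24:
        raise ValueError("too short to be a pcap file")
    if struct.unpack("<I", blob[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        bo = "<"
    elif struct.unpack(">I", blob[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        bo = ">"
    else:
        raise ValueError("bad magic: not a pcap file")
    magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(bo + "IHHiIII", blob[:24])
    nanosecond = magic == MAGIC_NSEC
    divisor = 1e9 if nanosecond else 1e6
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("file ends inside a record header at offset %d" % off)
        sec, frac, incl_len, orig_len = struct.unpack(bo + "IIII", blob[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record at offset %d" % off)
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) != incl_len:
            # Typical of a tcpdump killed before its stdio buffer was flushed (no -U).
            raise ValueError("file ends inside packet data at offset %d" % off)
        records.append({"ts": sec + frac / divisor, "data": data,
                        "orig_len": orig_len, "truncated": incl_len < orig_len})
        off += 16 + incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "nanosecond": nanosecond, "records": records}


if __name__ == "__main__":
    # Constructed sample: a 42-byte ARP-sized frame and a full 1514-byte frame, snaplen 96.
    sample = [(1619948152, 308620, b"\xff" * 42), (1619948153, 1, b"\xaa" * 1514)]
    info = read_pcap(write_pcap(sample, snaplen=96))
    for rec in info["records"]:
        print("%.6f len %d%s" % (rec["ts"], rec["orig_len"],
                                  " [|truncated]" if rec["truncated"] else ""))
```

The second constructed packet comes back 96 bytes long with orig_len 1514 and truncated set, which is the file-level counterpart of the "[|proto]" marker described under -s. Real savefiles should be checked the same way before being fed to other tooling.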
- -W
# -W filecount with -G: limit the number of rotated files; when the limit is reached tcpdump exits, so only these 10 files remain
# (normally -W is combined with -C rather than -G; the -G case is shown first, the -C ring buffer below)
sh-3.2# tcpdump -G 3 -i any -W 10 -w 'fh_%Y-%m-%d_%T.pcap'
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
Maximum file limit reached: 10
85 packets captured
86 packets received by filter
0 packets dropped by kernel
sh-3.2#
sh-3.2# ls -l
total 80
-rw-r--r-- 1 root wheel 1748 5 3 18:01 fh_2021-05-03_18:01:06.pcap
-rw-r--r-- 1 root wheel 1720 5 3 18:01 fh_2021-05-03_18:01:09.pcap
-rw-r--r-- 1 root wheel 2012 5 3 18:01 fh_2021-05-03_18:01:13.pcap
-rw-r--r-- 1 root wheel 2464 5 3 18:01 fh_2021-05-03_18:01:16.pcap
-rw-r--r-- 1 root wheel 2220 5 3 18:01 fh_2021-05-03_18:01:19.pcap
-rw-r--r-- 1 root wheel 972 5 3 18:01 fh_2021-05-03_18:01:22.pcap
-rw-r--r-- 1 root wheel 656 5 3 18:01 fh_2021-05-03_18:01:25.pcap
-rw-r--r-- 1 root wheel 2156 5 3 18:01 fh_2021-05-03_18:01:28.pcap
-rw-r--r-- 1 root wheel 660 5 3 18:01 fh_2021-05-03_18:01:31.pcap
-rw-r--r-- 1 root wheel 2736 5 3 18:01 fh_2021-05-03_18:01:34.pcap
# -W filecount with -C: limit the number of files created. Once the current file exceeds the size limit
# and filecount files already exist, tcpdump starts overwriting the oldest file, so the files act as a
# ring buffer of filecount files (note that the oldest evidence is silently lost in this mode).
# The option also pads the numeric suffix of each file name with enough leading zeros for the
# files to sort correctly; the numbering starts at 0 here.
sh-3.2# tcpdump -C 10 -i any -W 10 -w f.pcap
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
sh-3.2# ls -l
total 202832
-rw-r--r-- 1 root wheel 10001184 5 3 20:46 f.pcap0
-rw-r--r-- 1 root wheel 10000676 5 3 20:46 f.pcap1
-rw-r--r-- 1 root wheel 10000264 5 3 20:46 f.pcap2
-rw-r--r-- 1 root wheel 9436328 5 3 20:46 f.pcap3
-rw-r--r-- 1 root wheel 10001368 5 3 20:46 f.pcap4
-rw-r--r-- 1 root wheel 10000500 5 3 20:46 f.pcap5
-rw-r--r-- 1 root wheel 10001580 5 3 20:46 f.pcap6
-rw-r--r-- 1 root wheel 10001344 5 3 20:46 f.pcap7
-rw-r--r-- 1 root wheel 10000036 5 3 20:46 f.pcap8
-rw-r--r-- 1 root wheel 10001576 5 3 20:46 f.pcap9
- -x ~ -xx
# -x: when parsing and printing, also print the headers and data of each packet in hex (without its link-level header)
# the smaller of the entire packet and snaplen bytes is printed
# if a higher-level protocol's payload is shorter than the frame, the link-layer padding is printed as well
# on macOS with -i any the link layer is PKTAP, so -x already starts at the Ethernet header (ffff ffff ffff ... 0800 below)
sh-3.2# tcpdump -x -c 1 -i any
07:15:15.184806 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
0x0000: ffff ffff ffff 808f 1d66 9a6e 0800 4500
0x0010: 0091 2e6a 0000 4011 8b49 c0a8 0001 ffff
0x0020: ffff 0400 1389 007d f2f5 0101 0e00 e12b
0x0030: 83c7 f391 0067 0000 0006 000a 544c 2d57
0x0040: 4452 3536 3730 000b 0003 312e 3000 0700
0x0050: 0101 0005 0011 3830 2d38 462d 3144 2d36
0x0060: 362d 3941 2d36 4500 0800 0b31 3932 2e31
0x0070: 3638 2e30 2e31 0009 000a 7470 6c6f 6769
0x0080: 6e2e 636e 000a 000e 544c 2d57 4452 3536
0x0090: 3730 2031 2e30 000c 0005 312e 372e 34
# -xx: like -x, but including the link-level header; on PKTAP that is Apple's 156-byte (0x9c) metadata header, whose first little-endian word is its own length and which carries the interface name (en0 at offset 0x0c); the Ethernet frame starts at offset 0x9c
sh-3.2# tcpdump -xx -c 1 -i any
07:15:21.845351 IP 192.168.0.1 > all-systems.mcast.net: igmp query v2
0x0000: 9c00 0000 0100 0000 0100 0000 656e 3000
0x0010: 0000 0000 0000 0000 0000 0000 0000 0000
0x0020: 0000 0000 0100 0000 0200 0000 0e00 0000
0x0030: 0000 0000 ffff ffff 0000 0000 0000 0000
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000
0x0050: 0600 0000 ffff ffff 0000 0000 0000 0000
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000
0x0090: 0000 0000 0000 0000 0000 0000 e0b5 5ff2
0x00a0: bba3 808f 1d66 9a6e 0800 4664 0020 0000
0x00b0: 0000 0102 83c9 c0a8 0001 e000 0001 9404
0x00c0: 0000 1164 ee9b 0000 0000
- -X ~ -XX
# -X: print each packet's headers and data in hex and ASCII (without its link-level header); handy for spotting cleartext credentials or protocol strings
sh-3.2# tcpdump -X -c 1 -i any
09:27:02.294497 IP 192.168.0.108.59641 > 17.57.145.85.5223: Flags [P.], seq 2947289557:2947289591, ack 1286537765, win 2048, options [nop,nop,TS val 815292931 ecr 1521406707], length 34
0x0000: 808f 1d66 9a6e e0b5 5ff2 bba3 0800 4500 ...f.n.._.....E.
0x0010: 0056 0000 4000 4006 d6ff c0a8 006c 1139 .V..@.@......l.9
0x0020: 9155 e8f9 1467 afac 11d5 4caf 0225 8018 .U...g....L..%..
0x0030: 0800 c0de 0000 0101 080a 3098 6203 5aae ..........0.b.Z.
0x0040: d2f3 1703 0300 1d36 51f7 2f2f 61dc aec8 .......6Q.//a...
0x0050: 3e9f 7142 ad7d 2c52 17cb 3f69 5844 5a0b >.qB.},R..?iXDZ.
0x0060: b730 68b2 .0h.
# -XX: like -X, including the link-level header (here the PKTAP header followed by the Ethernet/ARP frame)
sh-3.2# tcpdump -XX -c 1 -i any
09:27:19.770828 ARP, Request who-has 192.168.0.102 tell 192.168.0.1, length 28
0x0000: 9c00 0000 0100 0000 0100 0000 656e 3000 ............en0.
0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0020: 0000 0000 0100 0000 0200 0000 0e00 0000 ................
0x0030: 0000 0000 ffff ffff 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0600 0000 ffff ffff 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 ffff ffff ................
0x00a0: ffff 808f 1d66 9a6e 0806 0001 0800 0604 .....f.n........
0x00b0: 0001 808f 1d66 9a6e c0a8 0001 0000 0000 .....f.n........
0x00c0: 0000 c0a8 0066 .....f
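The -XX dump of the ARP request above contains everything needed to rebuild tcpdump's one-line summary. The Python example below (added here, not code from the original notes) parses that dump text back into bytes, skips the PKTAP header using its first 32-bit field (the assumption is that Apple's pktap_header starts with the header length; the dump confirms it, 0x9c = 156 being exactly where the Ethernet frame begins), and decodes the Ethernet and ARP fields. The hex lines are copied from this page; the reply packet used in the usage note is derived from the request by changing the opcode.

```python
"""Rebuild tcpdump's ARP summary line from the -XX hex dump shown above.

Added example; not part of the original notes. XX_DUMP is copied from the
-XX output on this page. The only assumption about Apple's PKTAP header is
that its first 32-bit little-endian field is the header length, which the
dump itself confirms (0x9c = 156, where the Ethernet frame starts).
"""
import re
import struct

XX_DUMP = """\
0x0000: 9c00 0000 0100 0000 0100 0000 656e 3000 ............en0.
0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0020: 0000 0000 0100 0000 0200 0000 0e00 0000 ................
0x0030: 0000 0000 ffff ffff 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0600 0000 ffff ffff 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 ffff ffff ................
0x00a0: ffff 808f 1d66 9a6e 0806 0001 0800 0604 .....f.n........
0x00b0: 0001 808f 1d66 9a6e c0a8 0001 0000 0000 .....f.n........
0x00c0: 0000 c0a8 0066 .....f
"""

HEX_GROUP = re.compile(r"^[0-9a-f]{4}$|^[0-9a-f]{2}$")   # two bytes, or one trailing byte


def parse_x_dump(text: str) -> bytes:
    """Turn tcpdump -x/-xx/-X/-XX text back into bytes.

    Each line is '0xOFFS: <up to 8 groups of two bytes> [ASCII column]'. At most
    eight hex-looking groups are taken per line, which drops the ASCII column
    (it can only be confused with hex on a short last line whose ASCII happens
    to be four hex digits). Offsets are checked so a missing or reordered line
    is caught instead of producing shifted bytes.
    """
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        offset_tok, *tokens = line.split()
        offset = int(offset_tok.rstrip(":"), 16)
        if offset != len(out):
            raise ValueError("offset 0x%04x does not follow 0x%04x" % (offset, len(out)))
        groups = []
        for tok in tokens:
            if len(groups) == 8 or not HEX_GROUP.match(tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_arp_frame(packet: bytes, has_pktap_header: bool = True) -> dict:
    """Walk PKTAP -> Ethernet -> ARP and return what tcpdump prints with -e."""
    # -xx/-XX output includes the PKTAP header; -x/-X output starts at Ethernet.
    pktap_len = struct.unpack("<I", packet[:4])[0] if has_pktap_header else 0
    eth = packet[pktap_len:pktap_len + 14]
    if len(eth) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", eth[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError("not ARP: ethertype 0x%04x" % ethertype)
    arp = packet[pktap_len + 14:]
    if len(arp) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = arp[8:14], arp[14:18], arp[18:24], arp[24:28]
    if oper == 1:
        summary = "Request who-has %s tell %s, length %d" % (_ip(tpa), _ip(spa), len(arp))
    elif oper == 2:
        summary = "Reply %s is-at %s, length %d" % (_ip(spa), _mac(sha), len(arp))
    else:
        summary = "unknown ARP opcode %d, length %d" % (oper, len(arp))
    return {"pktap_len": pktap_len, "eth_src": _mac(eth[6:12]), "eth_dst": _mac(eth[:6]),
            "summary": summary}


if __name__ == "__main__":
    pkt = parse_x_dump(XX_DUMP)
    print(decode_arp_frame(pkt))
    # the same frame as -X would show it, i.e. without the 156-byte PKTAP header
    print(decode_arp_frame(pkt[156:], has_pktap_header=False)["summary"])
```

Running it reproduces "Request who-has 192.168.0.102 tell 192.168.0.1, length 28" from the raw bytes, and passing the bytes from offset 0x9c with has_pktap_header=False gives the same result, which is exactly the difference between -X and -XX on this platform. Flipping the opcode bytes to 00 02 yields the "Reply ... is-at ..." form seen under -f above.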
- −y datalinktype
# -y datalinktype: set the data link type to use while capturing; the values an interface supports are listed by tcpdump -L
sh-3.2# tcpdump -c 3 -i any -y PKTAP
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
07:13:18.510220 IP 192.168.0.108.50031 > 192.168.1.1.domain: 52163 Type65? init.itunes.apple.com. (39)
07:13:18.510370 IP 192.168.0.108.53892 > 192.168.1.1.domain: 51314 A? init.itunes.apple.com. (39)
07:13:18.511977 IP 192.168.0.108.59574 > 192.168.1.1.domain: 31671 PTR? 1.1.168.192.in-addr.arpa. (42)
- −z postrotate-command
# -z postrotate-command: with -C or -G, run "postrotate-command file" on each savefile after it is closed, e.g. -z gzip to compress it; the command runs in parallel with the capture at low priority
# TODO: example
- −Z user
# -Z user: if tcpdump is running as root, after opening the capture device or input savefile
# but before opening any savefile for output, change the user ID to user and the group ID to user's primary group
# (savefiles are then created as that user, so the output directory must be writable by it)
# this privilege drop can also be enabled by default at compile time; -Z root turns it off again,
# which is rarely a good idea since the protocol parsers then run with root privileges
- expression
# capture packets leaving or arriving at host sundown
tcpdump host sundown
# capture traffic between helios and either hot or ace
# note: parentheses are special to the shell, so they must be escaped
sh-3.2# tcpdump host helios and \( hot or ace \)
# or quote the whole expression
sh-3.2# tcpdump host 'helios and ( hot or ace )'
# capture IP packets between host ace and any host except helios
tcpdump ip host ace and not helios
# per the TCP specification the flag bits are
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
# 128 | 64  | 32  | 16  | 8   | 4   | 2   | 1
# they share a single byte of the header,
# so a flag that is set makes the corresponding bit 1
# and tcp[13] (the byte at octet offset 13 of the TCP header) is the sum of the set flags
# for example, with SYN and ECE set and everything else clear:
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
#  0  |  1  |  0  |  0  |  0  |  0  |  1  |  0
# binary 01000010 is 2 + 64 = 66 in decimal
# capture packets with exactly the SYN flag set
# tcpflags and tcp-syn are fixed keywords of the filter language (the command below is unquoted because it runs under bash; under zsh the [ ] must be quoted, since they are glob characters there)
sh-3.2# tcpdump -c 3 -i any tcp[tcpflags] == tcp-syn
10:35:52.530024 IP 192.168.0.105.50185 > 36.152.44.95.http: Flags [S], seq 2376496549, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 961791043 ecr 0,sackOK,eol], length 0
# capture packets with SYN set, other flags unrestricted
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & tcp-syn != 0"
10:46:13.462082 IP 192.168.0.105.50230 > 17.57.145.138.5223: Flags [SEW], seq 2859770077, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 962410554 ecr 0,sackOK,eol], length 0
# capture packets with SYN set and all other flags clear
# 13 is the octet offset into the TCP header (counting from 0), i.e. the 14th byte
sh-3.2# tcpdump -c 3 -i any tcp[13] == 2
10:37:04.078781 IP 192.168.0.105.50186 > 36.152.44.95.http: Flags [S], seq 2470176140, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 961862485 ecr 0,sackOK,eol], length 0
# capture packets with SYN set, other flags unrestricted
sh-3.2# tcpdump -c 3 -i any 'tcp[13] & 2 != 0'
10:43:36.097897 IP 112.12.18.35.http > 192.168.0.105.50220: Flags [S.E], seq 2162058548, ack 687473791, win 24560, options [mss 1240,sackOK,TS val 3488808144 ecr 962253657,nop,wscale 7], length 0
# the same, with the tcpflags keyword and the numeric bit value
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & 2 != 0"
10:48:18.979423 IP 112.13.113.177.https > 192.168.0.105.50239: Flags [S.E], seq 2878024220, ack 3660935114, win 65535, options [mss 1240,nop,nop,sackOK,nop,wscale 7], length 0
# the same, mixing the numeric offset and the tcp-syn keyword
# SYN must be set
sh-3.2# tcpdump -c 3 -i any "tcp[13] & tcp-syn != 0"
10:50:02.277088 IP 114.215.201.167.https > 192.168.0.105.50240: Flags [S.E], seq 3713319443, ack 3904450841, win 28960, options [mss 1444,sackOK,TS val 813836359 ecr 962638984,nop,wscale 7], length 0
# combining flags
# matches any packet with SYN or ECE set (2 | 64 = 66); to require both at once use "(tcp[13] & 66) == 66"
sh-3.2# tcpdump -c 3 -i any "tcp[13] & 66 != 0"
10:52:43.165572 IP 192.168.0.105.50253 > 112.13.113.175.https: Flags [SEW], seq 2596521973, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 962799488 ecr 0,sackOK,eol], length 0
10:52:43.170984 IP 112.13.113.175.https > 192.168.0.105.50253: Flags [S.E], seq 1776611129, ack 2596521974, win 65535, options [mss 1240,nop,nop,sackOK,nop,wscale 7], length 0
# capture packets whose flags are exactly SYN or exactly ACK (the pure ACKs below are what you mostly see)
sh-3.2# tcpdump -c 3 -i any "tcp[13] == 2 || tcp[13] == 16"
11:04:16.448140 IP 192.168.0.105.50305 > 202.89.233.100.http: Flags [.], ack 4288857099, win 4096, length 0
11:04:16.484528 IP 202.89.233.100.http > 192.168.0.105.50305: Flags [.], ack 76, win 2052, length 0
11:04:16.488353 IP 192.168.0.105.50305 > 202.89.233.100.http: Flags [.], ack 252, win 4092, length 0
3 packets captured
# Same as above with the named constants: exactly SYN or exactly ACK
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] == tcp-syn || tcp[tcpflags] == tcp-ack"
11:05:36.259971 IP 192.168.0.105.50307 > 202.89.233.100.http: Flags [.], ack 1056415600, win 4096, length 0
11:05:36.294120 IP 202.89.233.100.http > 192.168.0.105.50307: Flags [.], ack 76, win 2052, length 0
11:05:36.296395 IP 192.168.0.105.50307 > 202.89.233.100.http: Flags [.], ack 252, win 4092, length 0
# Capture packets with SYN=1 or ACK=1, regardless of the other flags
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & (tcp-syn | tcp-ack) != 0"
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:06:49.538196 IP 192.168.0.105.50317 > 202.89.233.100.http: Flags [SEW], seq 1874972306, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 963643859 ecr 0,sackOK,eol], length 0
11:06:49.575793 IP 202.89.233.100.http > 192.168.0.105.50317: Flags [S.E], seq 2830925598, ack 1874972307, win 65535, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
11:06:49.575892 IP 192.168.0.105.50317 > 202.89.233.100.http: Flags [.], ack 1, win 4096, length 0
# Capture ICMP echo reply packets
sh-3.2# tcpdump -l -i any 'icmp[icmptype] == icmp-echoreply'
11:11:17.364314 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 0, length 64
11:11:18.367304 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 1, length 64
11:11:19.382795 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 2, length 64
11:11:20.375911 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 3, length 64
11:11:21.386021 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 4, length 64
11:11:22.390280 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 5, length 64
# Capture outgoing ICMP echo request packets
sh-3.2# tcpdump -l -i any 'icmp[icmptype] == icmp-echo'
11:12:11.536154 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 31748, seq 54, length 64
11:12:12.538711 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 31748, seq 55, length 64
# Capture packets with the TCP SYN or FIN flag set
sh-3.2# tcpdump -c 3 -i any 'tcp[tcpflags] & (tcp-syn | tcp-fin) != 0'
11:18:30.044806 IP 192.168.0.105.50348 > 36.152.44.96.http: Flags [SEW], seq 2552582652, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 964343308 ecr 0,sackOK,eol], length 0
11:18:30.070423 IP 36.152.44.96.http > 192.168.0.105.50348: Flags [S.EW], seq 1113793641, ack 2552582653, win 8192, options [mss 1444,nop,wscale 5,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,sackOK,eol], length 0
11:18:30.090726 IP 192.168.0.105.50348 > 36.152.44.96.http: Flags [F.], seq 78, ack 2782, win 4096, length 0
# Wrong example: mind the spelling, it is tcpflags, not tcp-flags
sh-3.2# tcpdump -c 3 -i any 'tcp[tcp-flags] & (tcp-syn | tcp-fin) != 0'
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
# Capture packets whose length is <= 64
sh-3.2# tcpdump -i any 'len <= 64'
11:26:36.537212 IP 192.168.0.106 > 224.0.0.251: igmp v2 report 224.0.0.251
11:26:36.639064 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:26:40.633276 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:26:49.644929 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:26:49.644936 ARP, Request who-has 192.168.0.104 tell 192.168.0.1, length 28
11:26:50.668792 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:26:52.614550 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
# less x is equivalent to len <= x
sh-3.2# tcpdump -i any 'less 64'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:28:02.657862 ARP, Request who-has 192.168.0.106 tell 192.168.0.1, length 28
11:28:02.965671 IP 192.168.0.106 > 224.0.0.251: igmp v2 report 224.0.0.251
11:28:07.675190 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:28:08.333329 IP 192.168.0.105.50372 > .https: Flags [.], ack 726486359, win 4096, length 0
# greater x is equivalent to len >= x (greater-or-equal, per pcap-filter)
sh-3.2# tcpdump -i any 'greater 15'
11:28:48.411257 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 48132, seq 191, length 64
11:28:48.413868 IP 192.168.0.105.58130 > 192.168.1.1.domain: 30895 PTR? 105.0.168.192.in-addr.arpa. (44)
11:28:48.422369 IP 192.168.1.1.domain > 192.168.0.105.58130: 30895* 1/0/0 PTR 192.168.0.105. (71)
11:28:48.424873 IP 192.168.0.105.54997 > 192.168.1.1.domain: 42652 PTR? 95.44.152.36.in-addr.arpa. (43)
11:28:48.433663 IP 192.168.1.1.domain > 192.168.0.105.54997: 42652 NXDomain* 0/0/0 (43)
11:28:48.435863 IP 192.168.0.105.51512 > 192.168.1.1.domain: 7793 PTR? 1.1.168.192.in-addr.arpa. (42)
11:28:48.439439 IP 192.168.1.1.domain > 192.168.0.105.51512: 7793* 1/0/0 PTR 192.168.1.1. (67)
11:28:48.439452 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 191, length 64
11:28:49.415585 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 48132, seq 192, length 64
11:28:49.443141 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 192, length 64
# Capture packets whose length is exactly 71
sh-3.2# tcpdump -i any 'len == 71'
11:31:20.306112 IP 192.168.0.105.64280 > 192.168.1.1.domain: 35181 Type65? p1.glb6.com. (29)
11:31:20.306445 IP 192.168.0.105.55012 > 192.168.1.1.domain: 7495 A? p1.glb6.com. (29)
11:31:20.315468 IP 192.168.1.1.domain > 192.168.0.105.64280: 35181 0/0/0 (29)
# Capture ping replies involving MAC address 54:75:95:7b:35:60
# In this example another terminal keeps pinging www.baidu.com; 54:75:95:7b:35:60 is the MAC the Baidu replies arrive from
# src can be put before host to state the direction, i.e. frames coming from the Baidu side
sh-3.2# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether host 54:75:95:7b:35:60'
11:37:35.310634 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 716, length 64
11:37:36.318294 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 717, length 64
11:37:37.314188 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 718, length 64
11:37:38.323501 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 719, length 64
11:37:39.328558 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 720, length 64
11:37:40.321349 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 721, length 64
fh@192 ~ % ping www.baidu.com
# Capture ping replies whose source MAC address is 54:75:95:7b:35:60
sh-3.2# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether src host 54:75:95:7b:35:60'
11:49:40.812524 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 17, length 64
11:49:41.818021 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 18, length 64
11:49:42.814954 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 19, length 64
11:49:43.823059 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 20, length 64
11:49:44.826890 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 21, length 64
11:49:45.826942 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 22, length 64
^C
# Broadcast
sh-3.2# tcpdump -i any ether broadcast
11:41:31.679469 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:41:34.750550 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:41:35.674033 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:41:39.666861 ARP, Request who-has 192.168.0.106 tell 192.168.0.1, length 28
# Multicast
sh-3.2# tcpdump -i any ether multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:42:47.659987 ARP, Request who-has 192.168.0.105 tell 192.168.0.1, length 28
11:42:49.707712 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:42:49.707729 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:42:50.731564 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
# IPv4 multicast
sh-3.2# tcpdump -i any ip multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:44:55.661623 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:15.630119 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:35.701241 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:55.672420 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# IPv6 multicast
sh-3.2# tcpdump -i any ip6 multicast
11:47:38.380803 IP6 fe80::7:29a1:df91:ad39 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
11:47:38.483198 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483273 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483646 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483673 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483732 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.488898 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.488967 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.489085 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
# Filter TCP packets with dst port 80 and src port 51061, matching directly on the TCP header bytes
sh-3.2# lsof -nP | grep -i qqmusic | grep TCP
QQMusic 585 fh 37u IPv4 0x593c30f6d1324cb3 0t0 TCP 192.168.0.105:51061->112.12.18.34:80 (ESTABLISHED)
tcp[n:c]: the c bytes starting at octet n of the TCP header, i.e. the range [n, n+c-1]; unit: bytes. tcp[0:2] is the source port and tcp[2:2] the destination port.
# The port numbers in the output below match the lsof line above, so the captured packets are the right ones.
sh-3.2# tcpdump -l -nn -k A -i any 'tcp[2:2] == 80 && tcp[0:2] == 51061 '
13:59:15.663518 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51061 > 112.12.18.34.80: Flags [F.], seq 1803106724, ack 809620981, win 2834, options [nop,nop,TS val 971045141 ecr 3500502658], length 0
13:59:15.683182 (en0, proc QQMusic:585:, svc BE, out, so) IP 192.168.0.105.51061 > 112.12.18.34.80: Flags [.], ack 2, win 5156, options [nop,nop,TS val 971045160 ecr 3500559870], length 0
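The flag-byte tests above (`tcp[13] == 2` versus `tcp[13] & 2 != 0`, and `==`/`||` versus `& (tcp-syn | tcp-ack)`) and the `tcp[n:c]` port slices can be checked offline against constructed TCP headers. The Python below is an added example, not part of these notes; it builds its own sample headers (hypothetical ports, no checksum) instead of capturing traffic, and reproduces the bit values pcap-filter uses.

```python
import struct

# Flag bits of the TCP flags byte (tcp[13]); same values as pcap-filter's tcp-* names
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04, "tcp-push": 0x08,
             "tcp-ack": 0x10, "tcp-urg": 0x20, "tcp-ece": 0x40, "tcp-cwr": 0x80}
FLAG_LETTERS = "FSRP.UEW"  # tcpdump's letters for bits 0..7 ('.' stands for ACK)

def tcp_header(src_port, dst_port, flags, seq=0, ack=0, win=65535):
    """Constructed minimal 20-byte TCP header: ports, seq, ack, offset, flags, win, csum, urg."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, win, 0, 0)

def tcp_slice(hdr, n, c):
    """tcp[n:c]: c bytes starting at octet n, read as a big-endian unsigned integer."""
    return int.from_bytes(hdr[n:n + c], "big")

def flags_str(hdr):
    """Render tcp[13] the way tcpdump prints 'Flags [...]', e.g. 'S', 'S.E', '.'."""
    f = tcp_slice(hdr, 13, 1)
    return "".join(ch for i, ch in enumerate(FLAG_LETTERS) if f & (1 << i))

def syn_exact(hdr):         # tcp[13] == 2 : SYN set and nothing else
    return tcp_slice(hdr, 13, 1) == TCP_FLAGS["tcp-syn"]

def syn_set(hdr):           # tcp[tcpflags] & tcp-syn != 0 : SYN set, others ignored
    return tcp_slice(hdr, 13, 1) & TCP_FLAGS["tcp-syn"] != 0

def syn_or_ack_exact(hdr):  # tcp[13] == 2 || tcp[13] == 16 : whole-byte compare
    f = tcp_slice(hdr, 13, 1)
    return f == TCP_FLAGS["tcp-syn"] or f == TCP_FLAGS["tcp-ack"]

def syn_or_ack_set(hdr):    # tcp[tcpflags] & (tcp-syn | tcp-ack) != 0
    mask = TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"]
    return tcp_slice(hdr, 13, 1) & mask != 0

def port_match(hdr, src, dst):  # tcp[0:2] == src && tcp[2:2] == dst
    return tcp_slice(hdr, 0, 2) == src and tcp_slice(hdr, 2, 2) == dst

# Constructed three-way handshake: SYN, SYN-ACK with ECE (tcpdump shows "S.E"), ACK
SYN = tcp_header(50185, 80, TCP_FLAGS["tcp-syn"])
SYN_ACK_ECE = tcp_header(80, 50185,
                         TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"] | TCP_FLAGS["tcp-ece"])
ACK = tcp_header(50185, 80, TCP_FLAGS["tcp-ack"])

if __name__ == "__main__":
    print("flags  ==2  &2  ==2||==16  &(2|16)  src50185->dst80")
    for pkt in (SYN, SYN_ACK_ECE, ACK):
        print(f"[{flags_str(pkt):4}]", syn_exact(pkt), syn_set(pkt),
              syn_or_ack_exact(pkt), syn_or_ack_set(pkt), port_match(pkt, 50185, 80))
```

The SYN-ACK row is the one to watch: it passes the `&` tests but fails both `==` tests, which is why the `== 2 || == 16` capture above shows only bare ACKs.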
# icmp cannot be followed directly by dst host; one primitive must be joined to the next with an operator
sh-3.2# tcpdump -i any icmp dst host 36.152.44.95
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
# To combine icmp with a host filter, join the primitives with &&. Note the && below is not quoted, so the shell ran tcpdump with only the filter icmp (and then tried to run a command named dst); that is why echo replies and packets to 36.152.44.96 appear in the output. Quote the whole expression: 'icmp && dst host 36.152.44.95'
sh-3.2# tcpdump -i any icmp && dst host 36.152.44.95
14:08:06.605468 IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 36105, seq 22, length 64
14:08:06.629689 IP 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 36105, seq 22, length 64
14:08:07.608930 IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 36105, seq 23, length 64
14:08:07.632835 IP 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 36105, seq 23, length 64
# On macOS the capture can be piped straight into Wireshark, which opens its window automatically
sh-3.2# tcpdump -i any -w - | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
2021-05-09 14:13:26.269 Wireshark[2574:141163] Warning: Expected min height of view: (<NSView: 0x7f91cd0d2420>) to be less than or equal to 30 but got a height of 32.000000. This error will be logged once per view in violation.
4240 packets captured
4241 packets received by filter
0 packets dropped by kernel
sh-3.2#
# Filter by interface with ifname (as above, the unquoted && is split by the shell and tcpdump only sees tcp; quote it as 'tcp && ifname en0')
sh-3.2# tcpdump -k A -i any tcp && ifname en0
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:24:29.129292 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .http > 192.168.0.105.51263: Flags [F.], seq 2759476374, ack 4074839740, win 67, length 0
14:24:29.129371 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51263 > .http: Flags [.], ack 1, win 4096, length 0
14:24:29.129455 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51263 > .http: Flags [F.], seq 1, ack 1, win 4096, length 0
14:24:29.144969 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .http > 192.168.0.105.51261: Flags [F.], seq 620045740, ack 964400737, win 68, length 0
14:24:29.145026 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51261 > .http: Flags [.], ack 1, win 4096, length 0
14:24:29.145101 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51261 > .http: Flags [F.], seq 1, ack 1, win 4096, length 0
14:24:29.148380 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .https > 192.168.0.105.51262: Flags [P.], seq 705673920:705673951, ack 106355732, win 72, length 31
# Capture packets with dst port in 50-200 but not dst port 80
sh-3.2# tcpdump -nn -i any '(dst portrange 50-200) && (! dst port 80)'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:36:43.320692 IP 192.168.0.105.56467 > 192.168.1.1.53: 64499 A? www.baidu.com. (31)
References:
Baidu Baike: octet
Baidu Baijiahao: 肝了三天,万字长文教你玩转 tcpdump,从此抓包不用愁 (a long-form tcpdump tutorial)
man tcpdump
man pcap-filter
rfc793 (TRANSMISSION CONTROL PROTOCOL)