tcpdump 的基本用法

马谦马谦马谦

615
文章

17
评论

2018 年 4 月 9 日 10:27:33运维评论608字数 617阅读 2 分 3 秒阅读模式

参考：[linux 速成案例](/linux/linux-maintenance/quick-guide-of-tcpdump-html.html)

一、基本用法

最简单的用法就是直接输入 tcpdump，监控所有的数据包：

[ma@ma ~]$ tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on usbmon1, link-type USB_LINUX_MMAPPED (USB with padded Linux header), capture size 65535 bytes
10:53:08.002434 CONTROL SUBMIT to 1:2:0
10:53:08.004461 CONTROL COMPLETE from 1:2:0
10:53:08.004502 CONTROL SUBMIT to 1:1:0
10:53:08.004502 CONTROL COMPLETE from 1:1:0
10:53:10.850080 CONTROL SUBMIT to 1:1:0
10:53:10.850102 CONTROL COMPLETE from 1:1:0

[ma@ma ~]$ tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on usbmon1, link-type USB_LINUX_MMAPPED (USB with padded Linux header), capture size 65535 bytes

10:53:08.002434 CONTROL SUBMIT to 1:2:0

10:53:08.004461 CONTROL COMPLETE from 1:2:0

10:53:08.004502 CONTROL SUBMIT to 1:1:0

10:53:08.004502 CONTROL COMPLETE from 1:1:0

10:53:10.850080 CONTROL SUBMIT to 1:1:0

10:53:10.850102 CONTROL COMPLETE from 1:1:0

1.1 指定网卡

通过-i 选项指定监视的网卡，例如：

root@ma:/home/ma# tcpdump -i lo ## 监视本地环回地址
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:20.842742 IP localhost.33688 > localhost.9999: Flags [S], seq 2494882294, win 43690, options [mss 65495,sackOK,TS val 3419853282 ecr 0,nop,wscale 7], length 0
10:29:20.842763 IP localhost.9999 > localhost.33688: Flags [S.], seq 2985714491, ack 2494882295, win 43690, options [mss 65495,sackOK,TS val 3419853282 ecr 3419853282,nop,wscale 7], length 0
10:29:20.842788 IP localhost.33688 > localhost.9999: Flags [.], ack 1, win 342, options [nop,nop,TS val 3419853282 ecr 3419853282], length 0

root@ma:/home/ma# tcpdump -i lo ## 监视本地环回地址

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes

10:29:20.842742 IP localhost.33688 > localhost.9999: Flags [S], seq 2494882294, win 43690, options [mss 65495,sackOK,TS val 3419853282 ecr 0,nop,wscale 7], length 0

10:29:20.842763 IP localhost.9999 > localhost.33688: Flags [S.], seq 2985714491, ack 2494882295, win 43690, options [mss 65495,sackOK,TS val 3419853282 ecr 3419853282,nop,wscale 7], length 0

10:29:20.842788 IP localhost.33688 > localhost.9999: Flags [.], ack 1, win 342, options [nop,nop,TS val 3419853282 ecr 3419853282], length 0

默认会监视系统的第一块网卡，会自动排除本地环回地址。

1.2 指定端口

指定端口可以根据不同的协议选择：tcp port *或者 udp port *，也可以直接 port *。

例如，抓取本地地址的 9999 端口上的 tcp 协议的数据包：

root@ma:/home/ma# tcpdump -i lo tcp port 9999
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes

root@ma:/home/ma# tcpdump -i lo tcp port 9999

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes

二、输出解释

对于以下数据包：

10:12:55.371576 IP localhost.33632 > localhost.9999: Flags [S], seq 2197027846, win 43690, options [mss 65495,sackOK,TS val 3418869659 ecr 0,nop,wscale 7], length 0
10:12:55.371600 IP localhost.9999 > localhost.33632: Flags [S.], seq 864630295, ack 2197027847, win 43690, options [mss 65495,sackOK,TS val 3418869659 ecr 3418869659,nop,wscale 7], length 0
10:12:55.371628 IP localhost.33632 > localhost.9999: Flags [.], ack 1, win 342, options [nop,nop,TS val 3418869659 ecr 3418869659], length 0

10:12:55.371576 IP localhost.33632 > localhost.9999: Flags [S], seq 2197027846, win 43690, options [mss 65495,sackOK,TS val 3418869659 ecr 0,nop,wscale 7], length 0

10:12:55.371600 IP localhost.9999 > localhost.33632: Flags [S.], seq 864630295, ack 2197027847, win 43690, options [mss 65495,sackOK,TS val 3418869659 ecr 3418869659,nop,wscale 7], length 0