Installing dumpcap

sudo apt install pcaputils

(On Debian/Ubuntu the dumpcap binary itself is shipped by the wireshark-common package; install that one if dumpcap is still not found after the step above.)

Usage

sudo dumpcap -i enp0s31f6

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216090552_xl1tkO.pcapng

Capture broadcast packets

sudo dumpcap -i enp0s31f6 -f "broadcast"

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216090953_PKm09I.pcapng

Capture packets to or from a given IP address

sudo dumpcap -i enp0s31f6 -f "ip host 192.168.10.64"

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216091028_Af9Bi0.pcapng

Capture packets to or from a given MAC address

sudo dumpcap -i enp0s31f6 -f "ether host 8c:ec:4b:d0:f8:31"

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216091135_uxv8ib.pcapng

Capture packets for several IP addresses

sudo dumpcap -i enp0s31f6 -f "ip host 192.168.10.64 or 192.168.10.71"

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216091244_qLj4UK.pcapng

List all network interfaces

sudo dumpcap -D
  1. ppp0
  2. vmnet1
  3. enp0s31f6
  4. vmnet8
  5. lo (Loopback)
  6. any
  7. docker0
  8. bluetooth-monitor
  9. nflog
  10. nfqueue
  11. bluetooth0
  12. wlp0s20f3

Stop after a given number of packets

sudo dumpcap -i enp0s31f6 -c 10

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216091625_zExgX6.pcapng
Packets captured: 10
Packets received/dropped on interface 'enp0s31f6': 10/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)

Stop automatically after a given duration
The unit is seconds

sudo dumpcap -i enp0s31f6 -a duration:10

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216091758_v2Fpaa.pcapng
Packets captured: 198
Packets received/dropped on interface 'enp0s31f6': 198/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
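Whenever dumpcap stops (after -c, -a duration: or -a filesize:) it prints the "Packets received/dropped" summary shown above. A capture with a non-zero dropped count is incomplete evidence, so it is worth checking that line mechanically rather than by eye. The following shell function is an added example, not part of the original post: it parses such a summary line, prints "<received> <dropped>" and returns non-zero when anything was dropped. The sample lines in the comments are copied from the output above.

```shell
# Added example: check a dumpcap summary line for dropped packets.
# Usage: capture_drops "Packets received/dropped on interface 'enp0s31f6': 198/0 (...) (100.0%)"
# Prints "<received> <dropped>"; returns 0 if nothing was dropped, 1 if packets
# were dropped, 2 if the line is not a dumpcap summary line.
capture_drops() {
  line=$1
  # Pull the two counters out of "... 'IFACE': RECEIVED/DROPPED (...)".
  counts=$(printf '%s\n' "$line" |
    sed -n "s|^Packets received/dropped on interface '[^']*': \([0-9]*\)/\([0-9]*\) .*|\1 \2|p")
  if [ -z "$counts" ]; then
    echo "capture_drops: unrecognised summary line" >&2
    return 2
  fi
  set -- $counts
  received=$1
  dropped=$2
  printf '%s %s\n' "$received" "$dropped"
  # A drop count above zero means the pcap does not contain everything that
  # reached the interface; treat the capture as incomplete.
  [ "$dropped" -eq 0 ]
}
```

Typical use is to pipe dumpcap's stderr through `grep '^Packets received/dropped'` and feed the matching line to capture_drops, aborting an automated collection job when it returns 1.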

Stop automatically at a given file size
The unit is kB

sudo dumpcap -i enp0s31f6 -a filesize:10

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216091850_1ZyWF9.pcapng
Packets captured: 95
Packets received/dropped on interface 'enp0s31f6': 95/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)

Stop automatically after a given number of files
This has to be combined with other options: with no size or duration limit per file, dumpcap would keep writing to the first file forever, the file count would never be reached, and the option would be meaningless.

sudo dumpcap -i enp0s31f6 -a files:2

dumpcap: Ring buffer requested, but capture isn't being saved to a permanent file.
dumpcap: Ring buffer requested, but no maximum capture file size, duration interval, or packets were specified.
Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216092356_MzSbHh.pcapng
The correct command looks like this:

sudo dumpcap -i enp0s31f6 -b filesize:10 -a files:2 -w output.pcapng

Capturing on 'enp0s31f6'
File: output_00001_20220216092700.pcapng
Packets: 101 File: output_00002_20220216092705.pcapng
Packets captured: 202
Packets received/dropped on interface 'enp0s31f6': 202/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
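The two warnings above show the rule: -a files:N is only honoured together with a permanent output file (-w) and a rotation condition (-b filesize: or -b duration:). The shell function below is an added example, not part of the original post, that assembles such a rotating-capture command and refuses the combinations dumpcap itself rejects; it only prints the command line so the result can be reviewed before running it under sudo. The interface, file names and filter values are whatever the caller passes in.

```shell
# Added example: build a dumpcap ring-buffer command and validate its options.
# Usage: ring_capture_cmd IFACE OUTFILE FILESIZE_KB NUM_FILES [BPF_FILTER]
# Prints the command on stdout; returns 1 for an invalid combination.
ring_capture_cmd() {
  iface=$1
  outfile=$2
  size_kb=$3
  nfiles=$4
  filter=$5

  # dumpcap: "Ring buffer requested, but capture isn't being saved to a permanent file."
  if [ -z "$iface" ] || [ -z "$outfile" ]; then
    echo "ring_capture_cmd: interface and output file (-w) are required" >&2
    return 1
  fi
  # dumpcap: "Ring buffer requested, but no maximum capture file size, duration
  # interval, or packets were specified." -> a rotation condition is mandatory.
  case $size_kb in
    ''|*[!0-9]*|0) echo "ring_capture_cmd: filesize must be a positive integer (kB)" >&2; return 1 ;;
  esac
  case $nfiles in
    ''|*[!0-9]*|0) echo "ring_capture_cmd: files must be a positive integer" >&2; return 1 ;;
  esac

  # -b filesize: rotates to a new file every size_kb kB;
  # -a files: stops once nfiles files exist (use -b files: instead to keep
  # overwriting the oldest file indefinitely).
  cmd="dumpcap -i $iface -b filesize:$size_kb -a files:$nfiles -w $outfile"
  if [ -n "$filter" ]; then
    cmd="$cmd -f \"$filter\""
  fi
  printf '%s\n' "$cmd"
}
```

Calling `ring_capture_cmd enp0s31f6 output.pcapng 10 2` reproduces the working command from this section; adding a fifth argument such as `'ip host 192.168.10.64'` appends the capture filter from the earlier sections.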

Setting the capture file format
pcapng format (the default in current versions)

sudo dumpcap -i enp0s31f6 -n

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216092830_966pcE.pcapng
libpcap format: the option for this is uppercase -P. Lowercase -p, as run below, only disables promiscuous mode on the interface, which is why the file is still written as .pcapng.

sudo dumpcap -i enp0s31f6 -p

Capturing on 'enp0s31f6'
File: /tmp/wireshark_enp0s31f6_20220216092835_wc04em.pcapng

Troubleshooting

Couldn't run /usr/bin/dumpcap in child process:Permission Denied

Run the following command:
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Running the setcap command above lets dumpcap open raw sockets without root privileges, which also gives it the rights to perform administrative operations on the whole network stack. Because the file capabilities apply to every user who can execute the binary, restrict its execution to a dedicated group (on Debian/Ubuntu, `dpkg-reconfigure wireshark-common` sets up the wireshark group for exactly this purpose).

Permalink: https://const.net.cn/652.html
