Articles tagged tcpdump


Capture packets to or from host 192.168.5.1

tcpdump -i eth0 -vnn host 192.168.5.1 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:36:24.160956 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.1 tell 192.168.5.2, length 46
11:36:30.217699 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.1 tell 192.168.5.224, length 46

Capture packets to or from the 192.168.5.0/24 network

tcpdump -i eth0 -vnn net 192.168.5.0/24

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:35.841606 IP (tos 0x0, ttl 64, id 64005, offset 0, flags [DF], proto TCP (6), length 86)

Capture packets to or from port 22

tcpdump -i eth0 -vnn port 22

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:38:54.606955 IP (tos 0x10, ttl 64, id 22286, offset 0, flags [DF], proto TCP (6), length 156)

192.168.5.222.22 > 192.168.5.44.53888: Flags [P.], cksum 0x8ce9 (incorrect -> 0xaa25), seq 3416103818:3416103934, ack 2794641981, win 255, length 116

Capture UDP packets

tcpdump -i eth0 -vnn  udp

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:39:46.000102 IP (tos 0x0, ttl 255, id 17285, offset 0, flags [none], proto UDP (17), length 44)

192.168.6.251.21003 > 255.255.255.255.1234: UDP, length 16

Detailed explanation of tcpdump command parameters (心静梵音's technical blog, 51CTO)
Updated: 2021-9-17

5. Capture ICMP packets

tcpdump -i eth0 -vnn icmp

6. Capture ARP packets

tcpdump -i eth0 -vnn arp

7. Capture IP packets

tcpdump -i eth0 -vnn ip

8. Capture packets whose source IP is 10.10.10.122

tcpdump -i eth0 -vnn src host 10.10.10.122

9. Capture packets whose destination IP is 10.10.10.122

tcpdump -i eth0 -vnn dst host 10.10.10.122

10. Capture packets whose source port is 22

tcpdump -i eth0 -vnn src port 22

11. Capture packets whose source IP is 10.10.10.253 and whose destination port is 22

tcpdump -i eth0 -vnn src host 10.10.10.253 and dst port 22

12. Capture packets whose source IP is 10.10.10.122 or whose port (either side) is 22

tcpdump -i eth0 -vnn src host 10.10.10.122 or port 22

13. Capture packets whose source IP is 10.10.10.122 and whose port is not 22

tcpdump -i eth0 -vnn src host 10.10.10.122 and not port 22

14. Capture packets with source IP 10.10.10.2 and destination port 22, or with source IP 10.10.10.65 and destination port 80. The parentheses are needed because and binds tighter than or, and the whole expression is quoted so the shell does not interpret them.

tcpdump -i eth0 -vnn '( src host 10.10.10.2 and dst port 22 ) or ( src host 10.10.10.65 and dst port 80 )'

15. Capture packets with source IP 10.10.10.59 and destination port 22, or with source IP 10.10.10.68 and destination port 80 (same idea, written with two quoted groups; tcpdump joins all non-option arguments into one expression).

tcpdump -i eth0 -vnn 'src host 10.10.10.59 and dst port 22' or 'src host 10.10.10.68 and dst port 80'

16. Write the captured packets to the file /tmp/fil1 and exit after 100 packets have been captured.

tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100

17. Read the TCP packets from the /tmp/fil1 capture file

tcpdump -i eth0 -vnn -r /tmp/fil1 tcp

18. Read the packets to or from 10.10.10.58 from the /tmp/fil1 capture file

tcpdump -i eth0 -vnn -r /tmp/fil1 host 10.10.10.58

19. To capture packets on VLAN 1, put the vlan keyword first: the first vlan in an expression shifts the decoding offsets for everything after it, so with port 80 and vlan 1 the port would be tested at the untagged offsets and tagged frames would not match. The command format is:

tcpdump -i eth0 -w /tmp/vlan.cap 'vlan 1 and port 80'

20. Capture port 80 traffic on eth0 in the background; the command format is:

nohup tcpdump -i eth0 port 80 -w /tmp/temp.cap &

21. tcpdump output for ARP packets

tcpdump -nvv arp

22. Use tcpdump to capture the traffic exchanged between host 172.16.70.35 and either host 192.168.43.23 or host 192.168.43.24, and display it on the console (the parentheses must be quoted for the shell)

tcpdump -X -s 1024 -i eth0 'host (192.168.43.23 or 192.168.43.24) and host 172.16.70.35'

23. Frequently used commands

tcpdump -i eth0 -nn 'dst host 172.100.6.231'

tcpdump -i eth0 -nn 'src host 172.100.6.12'

tcpdump -i eth0 -nnA 'port 80'

tcpdump -i eth0 -XnnA 'port 22'

tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.231'

tcpdump -i eth0 -nnA '!port 22' and 'src host 172.100.6.230'

tcpdump -i eth0 -nnA '!port 22'
Referenced from: https://blog.51cto.com/masters/1870141
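To make the and/or/not precedence behind items 11 to 15 concrete, here is an added example (not part of the original post and not tcpdump code): a small recursive-descent evaluator for the subset of filter syntax used above, run against five constructed packets. It shows why item 14 needs its parentheses: and binds tighter than or, so src host A or src host B and dst port 80 selects every packet from A plus only the port-80 packets from B. The packet fields and ids, and the Filter and select names, are this example's own; the qualifier-distribution form host (A or B) from item 22 is not implemented.

```python
import ipaddress
import re

# Constructed sample traffic (not a capture): just the fields that the
# primitives used on this page inspect, for five packets.
SAMPLE = [
    dict(id="ssh-in",  proto="tcp", src="10.10.10.253", dst="10.10.10.2",   sport=51000, dport=22),
    dict(id="ssh-out", proto="tcp", src="10.10.10.2",   dst="10.10.10.253", sport=22,    dport=51000),
    dict(id="http",    proto="tcp", src="10.10.10.65",  dst="10.10.10.253", sport=52000, dport=80),
    dict(id="dns",     proto="udp", src="10.10.10.2",   dst="10.10.10.1",   sport=53001, dport=53),
    dict(id="other",   proto="tcp", src="192.168.5.9",  dst="10.10.10.253", sport=40000, dport=443),
]

# '!' is split off as its own token so that '!port 22' (as written above) works.
TOKEN = re.compile(r"\(|\)|!|[^\s()!]+")
PROTOCOLS = ("tcp", "udp", "icmp", "arp")


class Filter:
    """Evaluator for the subset of pcap-filter syntax used on this page:
    [src|dst] host/net/port/portrange, protocol names, and/or/not, parentheses.
    Precedence follows tcpdump: 'not' binds tightest, then 'and', then 'or',
    so 'A or B and C' means 'A or (B and C)'."""

    def __init__(self, expr):
        self.tokens = TOKEN.findall(expr)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise SyntaxError("unexpected end of filter expression")
        self.pos += 1
        return tok

    def matches(self, pkt):
        self.pos = 0
        result = self.expr(pkt)
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return result

    def expr(self, pkt):              # expr := term ('or' term)*
        val = self.term(pkt)
        while self.peek() in ("or", "||"):
            self.take()
            val = self.term(pkt) or val   # right side evaluated first so its tokens are always consumed
        return val

    def term(self, pkt):              # term := factor ('and' factor)*
        val = self.factor(pkt)
        while self.peek() in ("and", "&&"):
            self.take()
            val = self.factor(pkt) and val
        return val

    def factor(self, pkt):            # factor := 'not' factor | '(' expr ')' | primitive
        tok = self.take()
        if tok in ("not", "!"):
            return not self.factor(pkt)
        if tok == "(":
            val = self.expr(pkt)
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return val
        return self.primitive(tok, pkt)

    def primitive(self, tok, pkt):
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in PROTOCOLS:
            return pkt["proto"] == tok
        if tok == "host":
            addr = self.take()
            return self.either(pkt, direction, ("src", "dst"), lambda v: v == addr)
        if tok == "net":
            net = ipaddress.ip_network(self.take(), strict=False)
            return self.either(pkt, direction, ("src", "dst"),
                               lambda v: ipaddress.ip_address(v) in net)
        if tok == "port":
            port = int(self.take())
            return self.either(pkt, direction, ("sport", "dport"), lambda v: v == port)
        if tok == "portrange":
            lo, hi = (int(x) for x in self.take().split("-"))
            return self.either(pkt, direction, ("sport", "dport"), lambda v: lo <= v <= hi)
        raise SyntaxError(f"unknown primitive {tok!r}")

    @staticmethod
    def either(pkt, direction, keys, test):
        """Without src/dst a primitive matches either end of the conversation."""
        src_key, dst_key = keys
        if direction == "src":
            return test(pkt[src_key])
        if direction == "dst":
            return test(pkt[dst_key])
        return test(pkt[src_key]) or test(pkt[dst_key])


def select(expr, packets=SAMPLE):
    """Ids of the sample packets that the filter expression would capture."""
    f = Filter(expr)
    return [p["id"] for p in packets if f.matches(p)]


if __name__ == "__main__":
    for e in ("src host 10.10.10.253 and dst port 22",
              "src host 10.10.10.2 or src host 10.10.10.65 and dst port 80",
              "(src host 10.10.10.2 or src host 10.10.10.65) and dst port 80"):
        print(f"{e:65} -> {select(e)}")
```

The two last expressions in the usage section differ only in the parentheses and select different packets, which is the point of items 14 and 15.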

What Flags [S], Flags [.], Flags [S.] and Flags [P] mean in tcpdump output

tcpdump -i lo tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:25:17.944030 IP localhost.http > localhost.39740: Flags [F.], seq 1095695913, ack 4186916696, win 512, options [nop,nop,TS val 932462 ecr 927461], length 0
17:25:17.944106 IP localhost.http > localhost.39738: Flags [F.], seq 2896031688, ack 35398580, win 512, options [nop,nop,TS val 932462 ecr 927458], length 0
17:25:17.987834 IP localhost.39738 > localhost.http: Flags [.], ack 1, win 1535, options [nop,nop,TS val 932506 ecr 932462], length 0
17:25:17.987860 IP localhost.39740 > localhost.http: Flags [.], ack 1, win 1535, options [nop,nop,TS val 932506 ecr 932462], length 0
17:25:18.542714 IP localhost.39738 > localhost.http: Flags [F.], seq 1, ack 1, win 1535, options [nop,nop,TS val 933061 ecr 932462], length 0
17:25:18.542754 IP localhost.http > localhost.39738: Flags [.], ack 2, win 512, options [nop,nop,TS val 933061 ecr 933061], length 0
17:25:18.542932 IP localhost.46984 > localhost.9614: Flags [S], seq 3512844352, win 65495, options [mss 65495,sackOK,TS val 933061 ecr 0,nop,wscale 7], length 0
17:25:18.542951 IP localhost.9614 > localhost.46984: Flags [R.], seq 0, ack 3512844353, win 0, length 0

From the tcpdump man page:

Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set. Data-seqno describes the portion of sequence space covered by the data in this packet (see example be‐ [...]
Iptype, Src, dst, and flags are always present. The other fields depend on the contents of the packet's TCP protocol header and are output only if appropriate.
Some offsets and field values may be expressed as names rather than as numeric values. For example tcp[13] may be replaced with tcp[tcpflags]. The following TCP [...]

tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'

Downloading the tcpdump source

wget https://www.tcpdump.org/release/tcpdump-4.99.1.tar.gz
wget https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz

Cross-compiling libpcap

tar xvf libpcap-1.10.1.tar.gz
cd libpcap-1.10.1/
./configure --prefix=$(pwd)/.. --host=arm-linux-gnueabihf --with-pcap=linux --disable-shared
make && make install

Cross-compiling tcpdump

tar xvf tcpdump-4.99.1.tar.gz
cd tcpdump-4.99.1/
./configure --prefix=$(pwd)/.. --host=arm-linux-gnueabihf --with-crypto=$(pwd)/..
make && make install

If OpenSSL is not needed, configure without crypto support:

./configure --prefix=$(pwd)/.. --host=arm-linux-gnueabihf --without-crypto

./tcpdump -h

compiler: hesy May 19 2022 08:51:08
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 1.1.1d 10 Sep 2019

Download tcpdump for ARM (depends on OpenSSL)
tcpdump for ARM

The file has a global header containing some global information followed by zero or more records for each captured packet, looking like this:

  • Global Header
  • Packet Header
  • Packet Data

Global Header

typedef struct pcap_hdr_s {
          guint32 magic_number;   /* magic number */
          guint16 version_major;  /* major version number */
          guint16 version_minor;  /* minor version number */
          gint32  thiszone;       /* GMT to local correction */
          guint32 sigfigs;        /* accuracy of timestamps */
          guint32 snaplen;        /* max length of captured packets, in octets */
          guint32 network;        /* data link type */
  } pcap_hdr_t;

Example:
\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x01\x00\x00\x00
Record (Packet) Header

typedef struct pcaprec_hdr_s {
          guint32 ts_sec;         /* timestamp seconds */
          guint32 ts_usec;        /* timestamp microseconds */
          guint32 incl_len;       /* number of octets of packet saved in file */
          guint32 orig_len;       /* actual length of packet */
  } pcaprec_hdr_t;

Packet Data
The actual packet data will immediately follow the packet header as a data blob of incl_len bytes without a specific byte alignment.
Inspecting the data tcpdump writes

sudo tcpdump -c 1 -w test.pcap tcp

Inspect the Global Header

hexdump -C -n 24 test.pcap 

00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 04 00 01 00 00 00 |........|
00000018

Inspect the Record (Packet) Header

hexdump -C -s 24 -n 16 test.pcap

00000018 54 f0 69 63 ab 52 0b 00 42 00 00 00 42 00 00 00 |T.ic.R..B...B...|
00000028

Inspect the Packet Data

hexdump -C -s 40 test.pcap
00000028 b8 ac 6f 3b 20 d0 38 f3 ab 09 44 1c 08 00 45 00 |..o; .8...D...E.|
00000038 00 34 3e c0 40 00 40 06 76 6b c0 a8 02 40 c0 a8 |.4>.@.@.vk...@..|
00000048 02 08 9c 08 1f 92 5e 7b f8 00 12 7f 1e 3e 80 11 |......^{.....>..|
00000058 01 f5 85 bf 00 00 01 01 08 0a 20 82 fb f2 d0 6a |.......... ....j|
00000068 41 0e |A.|
0000006a
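As an added example (not code from this page or from the tcpdump project), the following Python parses exactly the bytes shown in the three hexdumps above: it reads the pcap global header (detecting the writer's byte order from the magic number), walks the record headers and their incl_len bytes of packet data, then decodes Ethernet, IPv4 and TCP far enough to print a summary line of the kind tcpdump prints, including the Flags field discussed earlier on this page (F, S, R, P, ., U, E, W in tcpdump's order, or none). The flag symbol table and the line format follow tcpdump's output; the dict keys and function names are this example's own choices.

```python
import struct
from ipaddress import IPv4Address

# Bytes transcribed from the hexdumps on this page: 24-byte global header,
# 16-byte record header, then the 66-byte Ethernet frame that was captured.
SAMPLE_PCAP = bytes.fromhex(
    "d4c3b2a1 0200 0400 00000000 00000000 00000400 01000000"  # global header
    "54f06963 ab520b00 42000000 42000000"                     # record header
    "b8ac6f3b20d0 38f3ab09441c 0800"                          # Ethernet II, type IPv4
    "4500 0034 3ec0 4000 40 06 766b c0a80240 c0a80208"        # IPv4 header
    "9c08 1f92 5e7bf800 127f1e3e 8011 01f5 85bf 0000"         # TCP header
    "0101080a 2082fbf2 d06a410e"                              # TCP options (nop,nop,TS)
)

# Symbol tcpdump prints for each bit of the flags byte (tcp[13]), in its order.
TCP_FLAG_SYMBOLS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))


def tcp_flags_str(flags):
    """Render tcp[13] the way tcpdump's Flags [...] field does: 'S', 'S.', 'F.', ..."""
    return "".join(sym for bit, sym in TCP_FLAG_SYMBOLS if flags & bit) or "none"


def parse_pcap(data):
    """Parse a classic libpcap file: global header, then (record header, packet data) pairs."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:        # d4 c3 b2 a1 on disk: written by a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:      # a1 b2 c3 d4 on disk: written by a big-endian host
        endian = ">"
    else:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    vmaj, vmin, thiszone, sigfigs, snaplen, network = struct.unpack_from(
        endian + "HHiIII", data, 4)
    header = {"version": (vmaj, vmin), "thiszone": thiszone, "sigfigs": sigfigs,
              "snaplen": snaplen, "network": network}
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record: incl_len runs past end of file")
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return {"header": header, "records": records}


def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP just far enough for a tcpdump-style summary."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length, options included
    total_len = struct.unpack_from("!H", ip, 2)[0]
    info = {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "ttl": ip[8], "proto": ip[9], "ip_len": total_len}
    if ip[9] != 6:
        return info
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", tcp, 0)
    doff = (off_flags >> 12) * 4                   # TCP header length, options included
    info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
                 "flags": off_flags & 0xFF,          # this byte is tcp[13]
                 "flags_str": tcp_flags_str(off_flags & 0xFF),
                 "payload_len": len(tcp) - doff})
    return info


def summarize(frame):
    """One line in the style of `tcpdump -nS` (absolute sequence numbers)."""
    i = decode_frame(frame)
    if i["proto"] != 6:
        return f"IP {i['src']} > {i['dst']}: proto {i['proto']}, length {i['ip_len']}"
    return (f"IP {i['src']}.{i['sport']} > {i['dst']}.{i['dport']}: Flags [{i['flags_str']}], "
            f"seq {i['seq']}, ack {i['ack']}, win {i['win']}, length {i['payload_len']}")


if __name__ == "__main__":
    cap = parse_pcap(SAMPLE_PCAP)
    print(cap["header"])
    for rec in cap["records"]:
        print(rec["ts_sec"], rec["ts_usec"], rec["incl_len"], summarize(rec["data"]))
```

Run stand-alone it prints the header fields (version 2.4, snaplen 262144, link type 1 = Ethernet) and one FIN-ACK segment, Flags [F.], from 192.168.2.64 port 39944 to 192.168.2.8 port 8082, which is what the 66 bytes in the last hexdump contain.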

Official tcpdump documentation
https://www.tcpdump.org/manpages/tcpdump.1.html

Saving captures to files (-C rotates the file by size, -W caps the number of files kept)

tcpdump -i lo -w temp.pcap -C 10 -W 3

Show only packets with neither the PSH nor the ACK flag set

tcpdump -i lo -nnvvx tcp port 31009 and 'tcp[tcpflags] & tcp-push == 0' and 'tcp[tcpflags] & tcp-ack == 0'

Alternatively, with the raw offset and bit values:

tcpdump -i lo tcp port 31009 and 'tcp[13] & 8 == 0' and 'tcp[13] & 16 == 0'

Show all URG packets:

tcpdump 'tcp[13] & 32 != 0'

Show all ACK packets:

tcpdump 'tcp[13] & 16 != 0'

Show all PSH packets:

tcpdump 'tcp[13] & 8 != 0'

Show all RST packets:

tcpdump 'tcp[13] & 4 != 0'

Show all SYN packets:

tcpdump 'tcp[13] & 2 != 0'

Show all FIN packets:

tcpdump 'tcp[13] & 1 != 0'

Show all SYN-ACK packets:

tcpdump 'tcp[13] = 18'

Show icmp echo request and reply

tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0'

Show all IP packets with a non-zero TOS field (one byte TOS field is at offset 1 in IP header):

tcpdump -v -n ip and 'ip[1] != 0'

Show all IP packets with TTL less than some value (one-byte TTL field is at offset 8 in IP header):

tcpdump -v ip and 'ip[8]<2'

Show TCP SYN packets:

tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'
tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'
tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"

Show TCP ACK packets:

tcpdump -i <interface> "tcp[tcpflags] & (tcp-ack) != 0"

Show TCP SYN/ACK packets (typically, responses from servers):

tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'
tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Show TCP FIN packets:

tcpdump -i <interface> "tcp[tcpflags] & (tcp-fin) != 0"

Show ARP Packets with MAC address

tcpdump -vv -e -nn ether proto 0x0806

Show packets of a specified length (IP packet length (16 bits) is located at offset 2 in IP header):

tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'

Additional frequently used tcpdump commands

Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help

tcpdump -nnvvS

A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet

tcpdump -nnvvXS

Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet

tcpdump -nnvvXSs 1514

host // look for traffic based on IP address (also works with hostname if you’re not using -n)

tcpdump host 1.2.3.4

src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6

net // capture an entire network using CIDR notation

tcpdump net 1.2.3.0/24

proto // works for tcp, udp, and icmp. Note that you don’t have to type proto

tcpdump icmp

port // see only traffic to or from a certain port

tcpdump port 3389

src, dst port // filter based on the source or destination port

tcpdump src port 1025 
tcpdump dst port 389

src/dst, port, protocol // combine all three

tcpdump src port 1025 and tcp
tcpdump udp and src port 53

You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.

Port Ranges // see traffic to any port in a range (the primitive is a single word, portrange)

tcpdump portrange 21-23

Packet Size Filter // only see packets up to, or at least, a certain size (in bytes); less N means len <= N and greater N means len >= N

tcpdump less 32
tcpdump greater 128

[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well, applied to the len keyword. Quote the expression, otherwise the shell treats > and <= as redirections. ]

// filtering for size using symbols

tcpdump 'len > 32'
tcpdump 'len <= 128'

[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field. This describes older versions; the man page excerpt earlier on this page shows current tcpdump printing `.' for ACK and U for URG inside the Flags field, as in Flags [S.] and Flags [F.] in the loopback capture above. ]

Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.
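The following Python is an added example, not code from this page or from tcpdump. It builds a handful of constructed IPv4/TCP/ICMP packets, implements ip[n], ip[n:2], tcp[n], icmp[n] and len with the meaning tcpdump gives them (tcp[n] and icmp[n] count from the end of the IP header, whose length comes from the IHL nibble in ip[0]), and evaluates the flag, ICMP, TOS, TTL and length filters listed above, plus the neither-PSH-nor-ACK filter from earlier, against them. It also shows two things worth knowing: tcp[13] = 18 matches only an exact SYN-ACK and silently misses the SYN-ACK of an ECN-capable peer, which the mask form catches; and a fixed offset such as ip[33] reads the wrong byte as soon as the IP header carries options. The packet names, builder functions and the Packet class are this example's own.

```python
import struct

# Named values tcpdump accepts in place of the raw flag numbers (tcp-fin ... tcp-cwr).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (
    1, 2, 4, 8, 16, 32, 64, 128)


def ipv4(proto, payload, tos=0, ttl=64, options=b""):
    """Raw IPv4 packet around payload (constructed sample data, not captured traffic).
    options must be a multiple of 4 bytes; they grow IHL, which is why tcpdump locates
    tcp[n] from the end of the IP header rather than at a fixed offset."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, tos, total, 0, 0x4000,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def tcp_segment(flags, payload=b""):
    """Minimal 20-byte TCP header (data offset 5) followed by payload."""
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | flags,
                       65535, 0, 0) + payload


def icmp_message(icmp_type, code=0):
    """8-byte ICMP header plus 8 bytes of body."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + bytes(8)


class Packet:
    """Byte accessors with the meaning of tcpdump's ip[n], tcp[n], icmp[n] and len."""

    def __init__(self, name, raw):
        self.name, self.raw = name, raw
        self.ihl = (raw[0] & 0x0F) * 4   # IP header length in bytes (low nibble of ip[0])
        self.is_tcp = raw[9] == 6        # ip[9] is the protocol number
        self.is_icmp = raw[9] == 1

    @property
    def len(self):
        return len(self.raw)

    def ip(self, off, size=1):           # ip[off] or ip[off:size], big-endian
        return int.from_bytes(self.raw[off:off + size], "big")

    def tcp(self, off, size=1):          # tcp[off]: relative to the start of the TCP header
        return int.from_bytes(self.raw[self.ihl + off:self.ihl + off + size], "big")

    icmp = tcp                           # icmp[off] is measured the same way


# Filter expressions from this page.  The is_tcp / is_icmp guard mirrors tcpdump, where
# tcp[...] / icmp[...] only apply to packets of that protocol.  Note the extra parentheses:
# in pcap-filter '&' binds tighter than '!=' and '==', in Python it is the other way round.
FILTERS = {
    "tcp[13] & 2 != 0":                       lambda p: p.is_tcp and (p.tcp(13) & TCP_SYN) != 0,
    "tcp[13] = 18":                           lambda p: p.is_tcp and p.tcp(13) == 18,
    "tcp[13] & 18 == 18":                     lambda p: p.is_tcp and (p.tcp(13) & 18) == 18,
    "tcp[13] & 8 == 0 and tcp[13] & 16 == 0": lambda p: p.is_tcp and (p.tcp(13) & (TCP_PUSH | TCP_ACK)) == 0,
    "icmp[0] != 8 and icmp[0] != 0":          lambda p: p.is_icmp and p.icmp(0) not in (8, 0),
    "ip[1] != 0":                             lambda p: p.ip(1) != 0,
    "ip[8] < 2":                              lambda p: p.ip(8) < 2,
    "ip[2:2] > 50":                           lambda p: p.ip(2, 2) > 50,
    "len > 32":                               lambda p: p.len > 32,
}

SAMPLE = [
    Packet("syn",        ipv4(6, tcp_segment(TCP_SYN))),
    Packet("synack",     ipv4(6, tcp_segment(TCP_SYN | TCP_ACK), tos=0x10)),
    Packet("synack-ecn", ipv4(6, tcp_segment(TCP_SYN | TCP_ACK | TCP_ECE))),  # ECN-capable server
    Packet("data",       ipv4(6, tcp_segment(TCP_PUSH | TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"),
                              options=b"\x01" * 4)),                          # IHL 6: four NOP options
    Packet("rst",        ipv4(6, tcp_segment(TCP_RST))),
    Packet("echo-req",   ipv4(1, icmp_message(8))),
    Packet("unreach",    ipv4(1, icmp_message(3, 1), ttl=1)),
]


def matching(expr, packets=SAMPLE):
    """Names of the packets the given expression would select."""
    return [p.name for p in packets if FILTERS[expr](p)]


def by_name(name, packets=SAMPLE):
    return next(p for p in packets if p.name == name)


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:42} -> {matching(expr)}")
    d = by_name("data")   # with IP options present, a fixed offset reads the wrong byte
    print("data: tcp[13] =", hex(d.tcp(13)), " ip[33] =", hex(d.ip(33)))
```

The exact-match form tcp[13] = 18 returns only synack, while tcp[13] & 18 == 18 returns synack and synack-ecn; and for the data packet, whose IP header is 24 bytes long, tcp[13] is 0x18 but ip[33] is a byte of the acknowledgment number.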
