Articles tagged tcpdump


1. Capture packets to or from host 192.168.5.1 (note that host also matches ARP requests for that address, as the output shows):

tcpdump -i eth0 -vnn host 192.168.5.1 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:36:24.160956 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.1 tell 192.168.5.2, length 46
11:36:30.217699 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.1 tell 192.168.5.224, length 46

2. Capture packets to or from the 192.168.5.0/24 network:

tcpdump -i eth0 -vnn net 192.168.5.0/24

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:35.841606 IP (tos 0x0, ttl 64, id 64005, offset 0, flags [DF], proto TCP (6), length 86)

3. Capture packets with source or destination port 22:

tcpdump -i eth0 -vnn port 22

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:38:54.606955 IP (tos 0x10, ttl 64, id 22286, offset 0, flags [DF], proto TCP (6), length 156)

192.168.5.222.22 > 192.168.5.44.53888: Flags [P.], cksum 0x8ce9 (incorrect -> 0xaa25), seq 3416103818:3416103934, ack 2794641981, win 255, length 116

4. Capture UDP packets:

tcpdump -i eth0 -vnn udp

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:39:46.000102 IP (tos 0x0, ttl 255, id 17285, offset 0, flags [none], proto UDP (17), length 44)

192.168.6.251.21003 > 255.255.255.255.1234: UDP, length 16

Source of the numbered items that follow: Tcpdump命令参数详解 (tcpdump command parameters explained), 心静梵音's technical blog on 51CTO
updated 2021-9-17
5. Capture ICMP packets:

tcpdump -i eth0 -vnn icmp

6. Capture ARP packets:

tcpdump -i eth0 -vnn arp

7. Capture IP packets:

tcpdump -i eth0 -vnn ip

8. Capture packets whose source IP is 10.10.10.122:

tcpdump -i eth0 -vnn src host 10.10.10.122

9. Capture packets whose destination IP is 10.10.10.122:

tcpdump -i eth0 -vnn dst host 10.10.10.122

10. Capture packets whose source port is 22:

tcpdump -i eth0 -vnn src port 22

11. Capture packets whose source IP is 10.10.10.253 and whose destination port is 22:

tcpdump -i eth0 -vnn src host 10.10.10.253 and dst port 22
          

12. Capture packets whose source IP is 10.10.10.122, or that involve port 22 in either direction:

tcpdump -i eth0 -vnn src host 10.10.10.122 or port 22

13. Capture packets whose source IP is 10.10.10.122 and that do not involve port 22:

tcpdump -i eth0 -vnn src host 10.10.10.122 and not port 22

14. Capture packets with source IP 10.10.10.2 and destination port 22, or with source IP 10.10.10.65 and destination port 80. Parentheses are shell metacharacters, so the expression must be quoted (unquoted, the shell reports a syntax error before tcpdump runs):

tcpdump -i eth0 -vnn '( src host 10.10.10.2 and dst port 22 ) or ( src host 10.10.10.65 and dst port 80 )'

15. Capture packets with source IP 10.10.10.59 and destination port 22, or with source IP 10.10.10.68 and destination port 80. Here the filter is split into separately quoted fragments; tcpdump joins all non-option arguments into one expression, and because and binds tighter than or, the result means the same as the parenthesised form above:

tcpdump -i eth0 -vnn 'src host 10.10.10.59 and dst port 22' or 'src host 10.10.10.68 and dst port 80'

16. Write the captured packets to the file /tmp/fil1 and exit after 100 packets have been captured:

tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100

17. Read the TCP packets back from the /tmp/fil1 capture file (with -r the packets come from the file, so the interface named by -i is not opened):

tcpdump -i eth0 -vnn -r /tmp/fil1 tcp

18. Read the packets involving 10.10.10.58 back from the /tmp/fil1 capture file:

tcpdump -i eth0 -vnn -r /tmp/fil1 host 10.10.10.58

19. To capture port 80 traffic on VLAN 1, put the vlan keyword first: it shifts the decoding offsets for the rest of the expression to account for the 802.1Q tag, so with port 80 and vlan 1 the port test would be evaluated at the untagged offsets and miss the tagged frames:

tcpdump -i eth0 -w /tmp/vlan.cap 'vlan 1 and port 80'

20. Capture port 80 traffic on eth0 in the background, surviving logout:

nohup tcpdump -i eth0 port 80 -w /tmp/temp.cap &

21. tcpdump output for ARP packets (options placed before the filter expression, which works on every platform):

tcpdump -nvv arp

22. Capture the traffic between host 172.16.70.35 and either host 192.168.43.23 or host 192.168.43.24, and print each packet in hex and ASCII (-X) on the console. The parenthesised group must be quoted for the same reason as in item 14:

tcpdump -X -s 1024 -i eth0 'host (192.168.43.23 or 192.168.43.24) and host 172.16.70.35'

23. Frequently used commands:

tcpdump -i eth0 -nn 'dst host 172.100.6.231'

tcpdump -i eth0 -nn 'src host 172.100.6.12'

tcpdump -i eth0 -nnA 'port 80'

tcpdump -i eth0 -XnnA 'port 22'

tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.231'

tcpdump -i eth0 -nnA '!port 22' and 'src host 172.100.6.230'

tcpdump -i eth0 -nnA '!port 22'
Referenced from: https://blog.51cto.com/masters/1870141
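As an added worked example (Python, not code from the page or from tcpdump), the following re-implements the host/net/port primitives and the and/or/not combinators used in the filters above and applies them to a few constructed tcpdump -nn lines, so the precedence rules behind items 13 to 15 can be checked offline. The function names, the Packet class and the SAMPLE lines are this example's own assumptions; real tcpdump also matches ARP frames for host X, which this toy parser skips.

```python
"""Evaluate pcap-filter style host/net/port expressions against tcpdump -nn output.

Added example, not code from the original page or from tcpdump. It implements only
the primitives used in the commands above (host, src host, dst host, net, port,
src port, dst port, and, or, not). SAMPLE is constructed; only its field layout
follows the 'IP src.sport > dst.dport:' lines shown above.
"""
import ipaddress
import re
from dataclasses import dataclass

# tcpdump -nn summary line for IPv4 TCP/UDP: "<time> IP a.b.c.d.sport > e.f.g.h.dport: ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one summary line. ARP/IPv6 lines return None; note that real
    tcpdump's 'host X' also matches ARP frames for X, this toy does not."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


# Primitives: each returns a predicate Packet -> bool mirroring the pcap-filter keyword.
def host(ip):     return lambda p: p.src == ip or p.dst == ip
def src_host(ip): return lambda p: p.src == ip
def dst_host(ip): return lambda p: p.dst == ip
def port(n):      return lambda p: p.sport == n or p.dport == n
def src_port(n):  return lambda p: p.sport == n
def dst_port(n):  return lambda p: p.dport == n

def net(cidr):
    n = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in n or ipaddress.ip_address(p.dst) in n

# Combinators. In pcap-filter 'and' binds tighter than 'or', so
# 'A and B or C and D' is or_(and_(A, B), and_(C, D)); parentheses are only
# needed to override that, as in 'host (A or B) and host C'.
def and_(*preds): return lambda p: all(f(p) for f in preds)
def or_(*preds):  return lambda p: any(f(p) for f in preds)
def not_(pred):   return lambda p: not pred(p)


def select(lines, pred):
    """Return the lines whose packet satisfies pred, as tcpdump's filter would."""
    return [ln for ln in lines if (pkt := parse_line(ln)) is not None and pred(pkt)]


# Constructed sample, not a real capture.
SAMPLE = [
    "11:40:00.000001 IP 10.10.10.2.51000 > 10.10.10.254.22: Flags [S], seq 1, win 64240, length 0",
    "11:40:00.000002 IP 10.10.10.254.22 > 10.10.10.2.51000: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "11:40:00.000003 IP 10.10.10.65.51001 > 10.10.10.254.80: Flags [S], seq 3, win 64240, length 0",
    "11:40:00.000004 IP 10.10.10.65.51002 > 10.10.10.254.22: Flags [S], seq 4, win 64240, length 0",
    "11:40:00.000005 IP 192.168.6.251.21003 > 255.255.255.255.1234: UDP, length 16",
    "11:40:00.000006 ARP, Request who-has 10.10.10.1 tell 10.10.10.2, length 46",
]

# Item 15 above, with the addresses of this sample:
#   src host 10.10.10.2 and dst port 22 or src host 10.10.10.65 and dst port 80
ITEM15 = or_(and_(src_host("10.10.10.2"), dst_port(22)),
             and_(src_host("10.10.10.65"), dst_port(80)))
# Item 13 above: src host 10.10.10.65 and not port 22
ITEM13 = and_(src_host("10.10.10.65"), not_(port(22)))


def demo():
    """How many SAMPLE lines each filter selects."""
    return {
        "host 10.10.10.2": len(select(SAMPLE, host("10.10.10.2"))),
        "net 10.10.10.0/24": len(select(SAMPLE, net("10.10.10.0/24"))),
        "item15": len(select(SAMPLE, ITEM15)),
        "item13": len(select(SAMPLE, ITEM13)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

The same precedence applies on the command line: the two quoted fragments of item 15 are equivalent to ITEM15 here, while item 22's host (A or B) and host C needs its parentheses because without them the or would swallow the and host C clause.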

What Flags [S], Flags [.], Flags [S.] and Flags [P] mean in tcpdump output

tcpdump -i lo tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:25:17.944030 IP localhost.http > localhost.39740: Flags [F.], seq 1095695913, ack 4186916696, win 512, options [nop,nop,TS val 932462 ecr 927461], length 0
17:25:17.944106 IP localhost.http > localhost.39738: Flags [F.], seq 2896031688, ack 35398580, win 512, options [nop,nop,TS val 932462 ecr 927458], length 0
17:25:17.987834 IP localhost.39738 > localhost.http: Flags [.], ack 1, win 1535, options [nop,nop,TS val 932506 ecr 932462], length 0
17:25:17.987860 IP localhost.39740 > localhost.http: Flags [.], ack 1, win 1535, options [nop,nop,TS val 932506 ecr 932462], length 0
17:25:18.542714 IP localhost.39738 > localhost.http: Flags [F.], seq 1, ack 1, win 1535, options [nop,nop,TS val 933061 ecr 932462], length 0
17:25:18.542754 IP localhost.http > localhost.39738: Flags [.], ack 2, win 512, options [nop,nop,TS val 933061 ecr 933061], length 0
17:25:18.542932 IP localhost.46984 > localhost.9614: Flags [S], seq 3512844352, win 65495, options [mss 65495,sackOK,TS val 933061 ecr 0,nop,wscale 7], length 0
17:25:18.542951 IP localhost.9614 > localhost.46984: Flags [R.], seq 0, ack 3512844353, win 0, length 0

From the tcpdump(1) and pcap-filter(7) manual pages:

Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set. Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Iptype, Src, dst, and flags are always present. The other fields depend on the contents of the packet's TCP protocol header and are output only if appropriate.

Some offsets and field values may be expressed as names rather than as numeric values. For example tcp[13] may be replaced with tcp[tcpflags]. The following TCP flag field values are also available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg. For example, to select TCP packets that have the PUSH flag set:

tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
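To make the Flags letters and the tcp[13] byte concrete, here is an added example in Python (not code from the page, from tcpdump or from libpcap). It converts between tcpdump's letters and the flag byte, reads that byte out of a constructed 20-byte TCP header the way the BPF expression tcp[tcpflags] does, and applies the push filter above and the usual pure-SYN filter to three lines copied from the lo capture above. The function names and the classify labels are the example's own assumptions.

```python
"""Map tcpdump's 'Flags [...]' letters to the tcp[13] flag byte and evaluate
tcp[tcpflags]-style filters.

Added example, not code from the original page or from tcpdump/libpcap. The bit
values are those of the TCP header flags byte; the letter order is the one
tcpdump prints. SAMPLE reuses three lines from the lo capture above; the raw
header bytes are constructed here.
"""
import re
import struct

# Bits of the TCP flags byte (offset 13 of the TCP header). pcap-filter names
# the first six tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80

# One letter per set bit, in the order tcpdump prints them; '.' stands for ACK.
FLAG_LETTERS = ((TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PUSH, "P"),
                (TCP_ACK, "."), (TCP_URG, "U"), (TCP_ECE, "E"), (TCP_CWR, "W"))
LETTER_TO_BIT = {letter: bit for bit, letter in FLAG_LETTERS}

FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def flags_from_line(line):
    """tcp[13] value implied by the Flags [...] field of a tcpdump TCP line."""
    m = FLAGS_RE.search(line)
    if m is None:
        raise ValueError(f"no Flags field in: {line!r}")
    text = m["flags"]
    if text == "none":
        return 0
    return sum(LETTER_TO_BIT[c] for c in text)


def flags_to_letters(flags):
    """Inverse of flags_from_line, e.g. 0x12 -> 'S.'."""
    if flags == 0:
        return "none"
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header (no options, zero checksum), constructed for the demo."""
    data_offset = 5 << 4  # header length 5 words = 20 bytes, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def tcpflags_byte(tcp_header):
    """What the BPF access tcp[13] (alias tcp[tcpflags]) reads."""
    return tcp_header[13]


# Filters written the way pcap-filter expresses them.
def push_set(flags):   # tcp[tcpflags] & tcp-push != 0   (man page example above)
    return flags & TCP_PUSH != 0


def pure_syn(flags):   # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn   (first packet of a connection)
    return flags & (TCP_SYN | TCP_ACK) == TCP_SYN


def classify(line):
    """Label a captured TCP line by its flags (labels are this example's own)."""
    f = flags_from_line(line)
    if f & TCP_RST:
        return "reset"            # e.g. RST answering a SYN: nothing listens on that port
    if pure_syn(f):
        return "connection attempt"
    if f & TCP_SYN:
        return "accepted"         # SYN+ACK from the listener
    if f & TCP_FIN:
        return "close"
    return "data" if push_set(f) else "ack"


# Three lines from the lo capture above.
SAMPLE = [
    "17:25:17.944030 IP localhost.http > localhost.39740: Flags [F.], seq 1095695913, ack 4186916696, win 512, length 0",
    "17:25:18.542932 IP localhost.46984 > localhost.9614: Flags [S], seq 3512844352, win 65495, length 0",
    "17:25:18.542951 IP localhost.9614 > localhost.46984: Flags [R.], seq 0, ack 3512844353, win 0, length 0",
]


def demo():
    """(letters, tcp[13] in hex, label) for each SAMPLE line."""
    return [(flags_to_letters(flags_from_line(ln)), hex(flags_from_line(ln)), classify(ln)) for ln in SAMPLE]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last two SAMPLE lines are the pattern to look for when hunting for port scans: a bare SYN to port 9614 answered immediately by RST+ACK (tcp[13] == 0x14) means the connection attempt was refused, and the pure_syn filter written as a tcpdump expression picks out every such attempt without parsing the text output at all.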

Downloading the tcpdump and libpcap sources

wget https://www.tcpdump.org/release/tcpdump-4.99.1.tar.gz
wget https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz

Cross-compiling libpcap (installed into the parent directory so tcpdump's configure can find it)

tar xvf libpcap-1.10.1.tar.gz
cd libpcap-1.10.1/
./configure --prefix=$(pwd)/.. --host=arm-linux-gnueabihf --with-pcap=linux --disable-shared
make && make install

Cross-compiling tcpdump

tar xvf tcpdump-4.99.1.tar.gz
cd tcpdump-4.99.1/
./configure --prefix=$(pwd)/.. --host=arm-linux-gnueabihf --with-crypto=$(pwd)/..
make && make install

If OpenSSL is not needed, omit --with-crypto (configure will still pick up an OpenSSL it finds on its own; pass --without-crypto to exclude it explicitly):

./configure --prefix=$(pwd)/.. --host=arm-linux-gnueabihf

./tcpdump -h

compiler: hesy May 19 2022 08:51:08
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 1.1.1d 10 Sep 2019

Download: tcpdump for arm (depends on OpenSSL)
tcpdump for arm