Tcpdump 的详细用法(收集)

第一种是关于类型的关键字,主要包括host,net,port, 例如 host 210.27.48.2,指明 210.27.48.2是一台主机,net 202.0.0.0 指明 202.0.0.0是一个网络地址,port 23 指明端口号是23。如果没有指定类型,缺省的类型是host.

第二种是确定传输方向的关键字,主要包括src , dst ,dst or src, dst and src ,这些关键字指明了传输的方向。举例说明,src 210.27.48.2 ,指明ip包中源地址是210.27.48.2 , dst net 202.0.0.0 指明目的网络地址是202.0.0.0 。如果没有指明方向关键字,则缺省是src or dst关键字。

第三种是协议的关键字,主要包括fddi,ip,arp,rarp,tcp,udp等类型。Fddi指明是在FDDI(分布式光纤数据接口网络)上的特定 的网络协议,实际上它是”ether”的别名,fddi和ether具有类似的源地址和目的地址,所以可以将fddi协议包当作ether的包进行处理和 分析。其他的几个关键字就是指明了监听的包的协议内容。如果没有指定任何协议,则tcpdump将会监听所有协议的信息包。

除了这三种类型的关键字之外,其他重要的关键字如下:gateway, broadcast,less,greater,还有三种逻辑运算,取非运算是 ‘not ‘ ‘! ‘, 与运算是’and’,’&&’;或运算 是’or’ ,’││’;这些关键字可以组合起来构成强大的组合条件来满足人们的需要,下面举几个例子来说明。
普通情况下,直接启动tcpdump将监视第一个网络界面上所有流过的数据包。
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
使用-i参数指定tcpdump监听的网络界面,这在计算机具有多个网络界面时非常有用,
使用-c参数指定要监听的数据包数量,
使用-w参数指定将监听到的数据包写入文件中保存

A想要截获所有210.27.48.1 的主机收到的和发出的所有的数据包:
#tcpdump host 210.27.48.1

B想要截获主机210.27.48.1 和主机210.27.48.2 或210.27.48.3的通信,使用命令:(在命令行中适用   括号时,一定要
#tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

C如果想要获取主机210.27.48.1除了和主机210.27.48.2之外所有主机通信的ip包,使用命令:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

D如果想要获取主机210.27.48.1接收或发出的telnet包,使用如下命令:
#tcpdump tcp port 23 host 210.27.48.1

E 对本机的udp 123 端口进行监视 123 为ntp的服务端口
# tcpdump udp port 123

F 系统将只对名为hostname的主机的通信数据包进行监视。主机名可以是本地主机,也可以是网络上的任何一台计算机。下面的命令可以读取主机hostname发送的所有数据:
#tcpdump -i eth0 src host hostname

G 下面的命令可以监视所有送到主机hostname的数据包:
#tcpdump -i eth0 dst host hostname

H 我们还可以监视通过指定网关的数据包:
#tcpdump -i eth0 gateway Gatewayname

I 如果你还想监视编址到指定端口的TCP或UDP数据包,那么执行以下命令:
#tcpdump -i eth0 host hostname and port 80

J 如果想要获取主机210.27.48.1除了和主机210.27.48.2之外所有主机通信的ip包
,使用命令:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

K 想要截获主机210.27.48.1 和主机210.27.48.2 或210.27.48.3的通信,使用命令
:(在命令行中适用   括号时,一定要
#tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

L 如果想要获取主机210.27.48.1除了和主机210.27.48.2之外所有主机通信的ip包,使用命令:
   #tcpdump ip host 210.27.48.1 and ! 210.27.48.2

M 如果想要获取主机210.27.48.1接收或发出的telnet包,使用如下命令:
   #tcpdump tcp port 23 host 210.27.48.1

第三种是协议的关键字,主要包括fddi,ip ,arp,rarp,tcp,udp等类型
除了这三种类型的关键字之外,其他重要的关键字如下:gateway, broadcast,less,
greater,还有三种逻辑运算,取非运算是 ‘not ‘ ‘! ‘, 与运算是’and’,’&&’;或运算 是’o
r’ ,’||’;
第二种是确定传输方向的关键字,主要包括src , dst ,dst or src, dst and src ,
如果我们只需要列出送到80端口的数据包,用dst port;如果我们只希望看到返回80端口的数据包,用src port。
#tcpdump –i eth0 host hostname and dst port 80 目的端口是80
或者
#tcpdump –i eth0 host hostname and src port 80 源端口是80 一般是提供http的服务的主机
如果条件很多的话 要在条件之前加and 或 or 或 not
#tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80

如果在ethernet 使用混杂模式 系统的日志将会记录

May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode

tcpdump对截获的数据并没有进行彻底解码,数据包内的大部分内容是使用十六进制的形式直接打印输出的。显然这不利于分析网络故障,通常的解决办法是先使用带-w参数的tcpdump 截获数据并保存到文件中,然后再使用其他程序进行解码分析。当然也应该定义过滤规则,以避免捕获的数据包填满整个硬盘。

另外,使用Ethereal配合tcpdump可以实现很多意想不到的功能,比如过滤密码之类的,呵呵!

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
No Responses
  1. Hi, just wanted to say, I loved this blog post. It was helpful.
    Keep on posting!

  2. Hello, I read your new stuff like every week.
    Your humoristic style is awesome, keep doing what you’re doing!

  3. Wow, that’s what I was searching for, what a data!
    existing here at this web site, thanks admin of this web page.

  4. You really make it seem really easy along with your presentation but I in finding this topic to be really one
    thing which I feel I would never understand. It kind of feels too
    complicated and extremely extensive for me. I am looking forward
    in your next put up, I will attempt to get the
    hold of it!

  5. Aw, this was a really nice post. Taking the time and actual effort to produce a very good article…
    but what can I say… I hesitate a lot and never manage to
    get anything done.

  6. Good blog you have got here.. It’s hard to find good quality writing like yours nowadays.
    I seriously appreciate individuals like you! Take care!!

  7. Hi there outstanding blog! Does running a blog like this require
    a massive amount work? I have no expertise in programming however I was hoping to start
    my own blog soon. Anyways, if you have any recommendations or techniques for new
    blog owners please share. I understand this is off subject however I just had to ask.
    Thank you!

  8. A motivating discussion is worth comment. There’s no doubt that that you
    need to publish more about this issue, it might not be a taboo matter but typically people
    do not talk about such topics. To the next! Best wishes!!

  9. Hello! I’m at work browsing your blog from my new iphone 3gs!
    Just wanted to say I love reading through your blog and
    look forward to all your posts! Keep up the great work!

  10. quest bars says:

    It’s very straightforward to find out any topic on net as compared to textbooks,
    as I found this paragraph at this site.

  11. tinyurl.com says:

    Hello there, I discovered your website by way of Google whilst looking for
    a comparable topic, your site came up, it appears to be like good.
    I have bookmarked it in my google bookmarks.
    Hello there, just turned into aware of your weblog via Google, and
    located that it’s really informative. I am gonna be careful for brussels.
    I’ll be grateful in case you continue this in future.
    Numerous other people might be benefited from your writing.
    Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image