linux運維之tcpdump工具監控tcp數據包情況相關案例

linux運維之tcpdump工具相關案例

[root@localhost ~]# tcpdump -D  #列出可用的 interface, 抓包時用 -i 指定; 不指定時默認使用列表中的第 1 個
1.bluetooth0 (Bluetooth adapter number 0)
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.ens33
7.any (Pseudo-device that captures on all interfaces)
8.lo [Loopback]
[root@localhost ~]# tcpdump -nn -i any  #-nn 不做主機名和端口服務名解析, 直接顯示 IP 和端口號(也避免抓包過程中產生反向 DNS 查詢)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
08:49:09.009835 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 3435706385:3435706577, ack 3511057395, win 343, length 192
08:49:09.010506 IP 192.168.2.133.63885 > 192.168.2.146.22: Flags [.], ack 192, win 16065, length 0
08:49:09.011048 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 192:320, ack 1, win 343, length 128
08:49:09.012111 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 320:400, ack 1, win 343, length 80
08:49:09.013120 IP 192.168.2.133.63885 > 192.168.2.146.22: Flags [.], ack 400, win 16425, length 0
08:49:09.014415 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 400:480, ack 1, win 343, length 80
08:49:09.015218 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 480:544, ack 1, win 343, length 64
08:49:09.016154 IP 192.168.2.133.63885 > 192.168.2.146.22: Flags [.], ack 544, win 16389, length 0
08:49:09.016775 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 544:624, ack 1, win 343, length 80
08:49:09.017664 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 624:688, ack 1, win 343, length 64
..................................
...
... 
08:49:09.306131 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 17840:17904, ack 97, win 343, length 64
08:49:09.307260 IP 192.168.2.133.63885 > 192.168.2.146.22: Flags [.], ack 17904, win 16389, length 0
08:49:09.308165 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 17904:17984, ack 97, win 343, length 80
08:49:09.309493 IP 192.168.2.146.22 > 192.168.2.133.63885: Flags [P.], seq 17984:18048, ack 97, win 343, length 64
08:49:09.310418 IP 192.168.2.133.63885 > 192.168.2.146.22: Flags [.], ack 18048, win 16353, length 0
08:49:09.315098 IP 192.168.2.133.63885 > 192.168.2.146.22: Flags [P.], seq 97:145, ack 18048, win 16353, length 48
^C
373 packets captured
374 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 port 80 -nn #監控 ens33 網卡接口上 80 端口的 tcp 數據包傳輸信息(port 80 匹配源端口或目的端口為 80 的報文)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
08:57:28.210364 IP 192.168.2.133.61086 > 192.168.2.146.80: Flags [F.], seq 4243865311, ack 2985023937, win 16425, length 0
08:57:28.210871 IP 192.168.2.133.61102 > 192.168.2.146.80: Flags [S], seq 3689069151, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
08:57:28.210930 IP 192.168.2.146.80 > 192.168.2.133.61102: Flags [S.], seq 408191512, ack 3689069152, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:57:28.211698 IP 192.168.2.133.61102 > 192.168.2.146.80: Flags [.], ack 1, win 16425, length 0
08:57:28.212734 IP 192.168.2.146.80 > 192.168.2.133.61086: Flags [.], ack 1, win 229, length 0
08:57:28.213439 IP 192.168.2.133.61103 > 192.168.2.146.80: Flags [S], seq 3244350185, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
08:57:28.213506 IP 192.168.2.146.80 > 192.168.2.133.61103: Flags [S.], seq 1804648528, ack 3244350186, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:57:28.214229 IP 192.168.2.133.61103 > 192.168.2.146.80: Flags [.], ack 1, win 16425, length 0
08:57:28.218670 IP 192.168.2.146.80 > 192.168.2.133.61086: Flags [F.], seq 1, ack 1, win 229, length 0
08:57:28.220307 IP 192.168.2.133.61086 > 192.168.2.146.80: Flags [.], ack 2, win 16425, length 0
08:57:28.263722 IP 192.168.2.133.61088 > 192.168.2.146.80: Flags [F.], seq 2798481682, ack 3747444025, win 16353, length 0
08:57:28.263863 IP 192.168.2.146.80 > 192.168.2.133.61088: Flags [.], ack 1, win 238, length 0
08:57:28.276935 IP 192.168.2.133.61087 > 192.168.2.146.80: Flags [P.], seq 525753435:525754010, ack 3590794076, win 16425, length 575: HTTP: GET /info.php HTTP/1.1
08:57:28.276998 IP 192.168.2.146.80 > 192.168.2.133.61087: Flags [.], ack 575, win 238, length 0
08:57:28.369981 IP 192.168.2.146.80 > 192.168.2.133.61087: Flags [P.], seq 1:286, ack 575, win 238, length 285: HTTP: HTTP/1.1 200 OK
08:57:28.370530 IP 192.168.2.133.61087 > 192.168.2.146.80: Flags [.], ack 286, win 16353, length 0
08:57:28.509791 IP 192.168.2.133.61085 > 192.168.2.146.80: Flags [F.], seq 3798521847, ack 601540034, win 16425, length 0
08:57:28.510980 IP 192.168.2.146.80 > 192.168.2.133.61085: Flags [.], ack 1, win 229, length 0
08:57:28.512009 IP 192.168.2.146.80 > 192.168.2.133.61085: Flags [F.], seq 1, ack 1, win 229, length 0
08:57:28.512651 IP 192.168.2.133.61085 > 192.168.2.146.80: Flags [.], ack 2, win 16425, length 0
08:57:33.376582 IP 192.168.2.146.80 > 192.168.2.133.61087: Flags [F.], seq 286, ack 575, win 238, length 0
08:57:33.376957 IP 192.168.2.133.61087 > 192.168.2.146.80: Flags [.], ack 287, win 16353, length 0
08:57:53.712844 IP 192.168.2.133.61087 > 192.168.2.146.80: Flags [F.], seq 575, ack 287, win 16353, length 0
08:57:53.713371 IP 192.168.2.146.80 > 192.168.2.133.61087: Flags [.], ack 576, win 238, length 0
08:57:59.497872 IP 192.168.2.146.80 > 192.168.2.133.61102: Flags [S.], seq 408191512, ack 3689069152, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:57:59.498577 IP 192.168.2.133.61102 > 192.168.2.146.80: Flags [.], ack 1, win 16425, options [nop,nop,sack 1 {0:1}], length 0
08:57:59.901328 IP 192.168.2.146.80 > 192.168.2.133.61103: Flags [S.], seq 1804648528, ack 3244350186, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
08:57:59.902935 IP 192.168.2.133.61103 > 192.168.2.146.80: Flags [.], ack 1, win 16425, options [nop,nop,sack 1 {0:1}], length 0
08:58:13.210508 IP 192.168.2.133.61102 > 192.168.2.146.80: Flags [.], seq 0:1, ack 1, win 16425, length 1: HTTP
08:58:13.210562 IP 192.168.2.146.80 > 192.168.2.133.61102: Flags [.], ack 1, win 229, options [nop,nop,sack 1 {0:1}], length 0
08:58:13.218922 IP 192.168.2.133.61103 > 192.168.2.146.80: Flags [.], seq 0:1, ack 1, win 16425, length 1: HTTP
08:58:13.218979 IP 192.168.2.146.80 > 192.168.2.133.61103: Flags [.], ack 1, win 229, options [nop,nop,sack 1 {0:1}], length 0
08:58:19.520794 IP 192.168.2.146.80 > 192.168.2.133.61102: Flags [F.], seq 1, ack 1, win 229, length 0
08:58:19.521529 IP 192.168.2.133.61102 > 192.168.2.146.80: Flags [.], ack 2, win 16425, length 0
08:58:19.908927 IP 192.168.2.146.80 > 192.168.2.133.61103: Flags [F.], seq 1, ack 1, win 229, length 0
08:58:19.909837 IP 192.168.2.133.61103 > 192.168.2.146.80: Flags [.], ack 2, win 16425, length 0
08:59:04.520465 IP 192.168.2.133.61102 > 192.168.2.146.80: Flags [.], seq 0:1, ack 2, win 16425, length 1: HTTP
08:59:04.520527 IP 192.168.2.146.80 > 192.168.2.133.61102: Flags [.], ack 1, win 229, length 0
08:59:04.903071 IP 192.168.2.133.61103 > 192.168.2.146.80: Flags [.], seq 0:1, ack 2, win 16425, length 1: HTTP
08:59:04.903129 IP 192.168.2.146.80 > 192.168.2.133.61103: Flags [.], ack 1, win 229, length 0
08:59:47.090854 IP 192.168.2.133.61102 > 192.168.2.146.80: Flags [F.], seq 1, ack 2, win 16425, length 0
08:59:47.090985 IP 192.168.2.146.80 > 192.168.2.133.61102: Flags [R], seq 408191514, win 0, length 0
08:59:47.091273 IP 192.168.2.133.61103 > 192.168.2.146.80: Flags [F.], seq 1, ack 2, win 16425, length 0
08:59:47.091307 IP 192.168.2.146.80 > 192.168.2.133.61103: Flags [R], seq 1804648530, win 0, length 0

[root@localhost ~]# tcpdump -i ens33 port 80 -nn -vvv #-vvv 輸出最詳細的信息, 包括 http 的請求頭和響應頭, 而不僅僅是顯示 length. 注意明文的 Cookie 等請求頭也會一併打印, 保存下來的抓包輸出要按敏感數據處理; 本機發出的包顯示 cksum incorrect 一般是網卡校驗和卸載(offload)所致, 不代表報文損壞
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
09:00:54.759431 IP (tos 0x0, ttl 64, id 20487, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.133.61342 > 192.168.2.146.80: Flags [S], cksum 0x88c0 (correct), seq 2406203539, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:00:54.759593 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.61342: Flags [S.], cksum 0x868e (incorrect -> 0xdd04), seq 3738270403, ack 2406203540, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:00:54.760033 IP (tos 0x0, ttl 64, id 20488, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.61342 > 192.168.2.146.80: Flags [.], cksum 0x4fbe (correct), seq 1, ack 1, win 16425, length 0
09:00:54.762460 IP (tos 0x0, ttl 64, id 20489, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.133.61343 > 192.168.2.146.80: Flags [S], cksum 0x4c90 (correct), seq 358446801, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:00:54.762525 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.61343: Flags [S.], cksum 0x868e (incorrect -> 0xd40e), seq 3293078034, ack 358446802, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:00:54.762946 IP (tos 0x0, ttl 64, id 20490, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.61343 > 192.168.2.146.80: Flags [.], cksum 0x46c8 (correct), seq 1, ack 1, win 16425, length 0
09:00:54.767238 IP (tos 0x0, ttl 64, id 20492, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.133.61344 > 192.168.2.146.80: Flags [S], cksum 0x8c6e (correct), seq 1002508430, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
09:00:54.767306 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.61344: Flags [S.], cksum 0x868e (incorrect -> 0xeb87), seq 193020735, ack 1002508431, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:00:54.767737 IP (tos 0x0, ttl 64, id 20493, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.61344 > 192.168.2.146.80: Flags [.], cksum 0x5e41 (correct), seq 1, ack 1, win 16425, length 0
09:00:54.772959 IP (tos 0x0, ttl 64, id 20496, offset 0, flags [DF], proto TCP (6), length 615)
    192.168.2.133.61343 > 192.168.2.146.80: Flags [P.], cksum 0xda47 (correct), seq 1:576, ack 1, win 16425, length 575: HTTP, length: 575
        GET /info.php HTTP/1.1
        Accept: text/html, application/xhtml+xml, */*
        Accept-Language: zh-CN
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
        Accept-Encoding: gzip, deflate
        Host: 192.168.2.146
        DNT: 1
        Connection: Keep-Alive
        Cookie: Hm_lvt_ff4cb71e931f6325712159f14c68c707=1581680436; Hm_lpvt_ff4cb71e931f6325712159f14c68c707=1581680436; Hm_lvt_ff95f5c79cbb4371b8af8fd860147560=1581680436; Hm_lpvt_ff95f5c79cbb4371b8af8fd860147560=1581680436; nb-referrer-hostname=192.168.2.146; nb-start-page-url=http%3A%2F%2F192.168.2.146%2Finfo.php

09:00:54.773044 IP (tos 0x0, ttl 64, id 57910, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.146.80 > 192.168.2.133.61343: Flags [.], cksum 0x8682 (incorrect -> 0x83c4), seq 1, ack 576, win 238, length 0
09:00:54.876714 IP (tos 0x0, ttl 64, id 57911, offset 0, flags [DF], proto TCP (6), length 325)
    192.168.2.146.80 > 192.168.2.133.61343: Flags [P.], cksum 0x879f (incorrect -> 0x981b), seq 1:286, ack 576, win 238, length 285: HTTP, length: 285
        HTTP/1.1 200 OK
        Date: Thu, 13 Feb 2020 01:00:54 GMT
        Server: Apache/2.4.6 (CentOS) PHP/5.4.16
        X-Powered-By: PHP/5.4.16
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=UTF-8

        1a
        101.200.90.101 via TCP/IP                                               #亞強-這裏是服務器響應給瀏覽器的網頁內容部分, 瀏覽器查看源代碼時僅有該行; 上面的 1a 和下面的 0 是 chunked 編碼的塊長度(十六進制), 不屬於網頁內容

        0

09:00:54.877790 IP (tos 0x0, ttl 64, id 20498, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.61343 > 192.168.2.146.80: Flags [.], cksum 0x43b4 (correct), seq 576, ack 286, win 16353, length 0
09:00:59.884922 IP (tos 0x0, ttl 64, id 57912, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.146.80 > 192.168.2.133.61343: Flags [F.], cksum 0x8682 (incorrect -> 0x82a6), seq 286, ack 576, win 238, length 0
09:00:59.885478 IP (tos 0x0, ttl 64, id 20536, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.61343 > 192.168.2.146.80: Flags [.], cksum 0x43b3 (correct), seq 576, ack 287, win 16353, length 0
09:01:26.406841 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.61342: Flags [S.], cksum 0x868e (incorrect -> 0xdd04), seq 3738270403, ack 2406203540, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:01:26.407265 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.61344: Flags [S.], cksum 0x868e (incorrect -> 0xeb87), seq 193020735, ack 1002508431, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:01:26.407619 IP (tos 0x0, ttl 64, id 20669, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.133.61342 > 192.168.2.146.80: Flags [.], cksum 0x667b (correct), seq 1, ack 1, win 16425, options [nop,nop,sack 1 {0:1}], length 0
09:01:26.407685 IP (tos 0x0, ttl 64, id 20670, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.133.61344 > 192.168.2.146.80: Flags [.], cksum 0x8aa8 (correct), seq 1, ack 1, win 16425, options [nop,nop,sack 1 {0:1}], length 0
09:01:39.757550 IP (tos 0x0, ttl 64, id 20734, offset 0, flags [DF], proto TCP (6), length 41)
    192.168.2.133.61342 > 192.168.2.146.80: Flags [.], cksum 0x4fbe (correct), seq 0:1, ack 1, win 16425, length 1: HTTP
09:01:39.757601 IP (tos 0x0, ttl 64, id 33139, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.61342: Flags [.], cksum 0x868e (incorrect -> 0xb8eb), seq 1, ack 1, win 229, options [nop,nop,sack 1 {0:1}], length 0
09:01:39.766620 IP (tos 0x0, ttl 64, id 20735, offset 0, flags [DF], proto TCP (6), length 41)
    192.168.2.133.61344 > 192.168.2.146.80: Flags [.], cksum 0x5e41 (correct), seq 0:1, ack 1, win 16425, length 1: HTTP
09:01:39.766669 IP (tos 0x0, ttl 64, id 47351, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.61344: Flags [.], cksum 0x868e (incorrect -> 0xcece), seq 1, ack 1, win 229, options [nop,nop,sack 1 {0:1}], length 0
09:01:46.429572 IP (tos 0x0, ttl 64, id 33140, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.146.80 > 192.168.2.133.61342: Flags [F.], cksum 0x8682 (incorrect -> 0x8f01), seq 1, ack 1, win 229, length 0
09:01:46.430270 IP (tos 0x0, ttl 64, id 20768, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.61342 > 192.168.2.146.80: Flags [.], cksum 0x4fbd (correct), seq 1, ack 2, win 16425, length 0
09:01:46.431860 IP (tos 0x0, ttl 64, id 47352, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.146.80 > 192.168.2.133.61344: Flags [F.], cksum 0x8682 (incorrect -> 0x9d84), seq 1, ack 1, win 229, length 0
09:01:46.433173 IP (tos 0x0, ttl 64, id 20769, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.61344 > 192.168.2.146.80: Flags [.], cksum 0x5e40 (correct), seq 1, ack 2, win 16425, length 0
^C
27 packets captured
27 packets received by filter
0 packets dropped by kernel

[root@localhost ~]# tcpdump -i ens33 port 80 -nn -vvv -tttt  #-tttt 修正時間顯示, 在時間戳前加上日期(本地時區)
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-02-15 19:07:30.849219 IP (tos 0x0, ttl 64, id 28677, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.133.62684 > 192.168.2.146.80: Flags [S], cksum 0x0a8a (correct), seq 223787937, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-02-15 19:07:30.849282 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.62684: Flags [S.], cksum 0x868e (incorrect -> 0xaf3e), seq 3717344146, ack 223787938, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2020-02-15 19:07:30.849686 IP (tos 0x0, ttl 64, id 28678, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.133.62685 > 192.168.2.146.80: Flags [S], cksum 0xea36 (correct), seq 1456771701, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-02-15 19:07:30.849722 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.146.80 > 192.168.2.133.62685: Flags [S.], cksum 0x868e (incorrect -> 0xc401), seq 3717854836, ack 1456771702, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2020-02-15 19:07:30.849992 IP (tos 0x0, ttl 64, id 28679, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.62684 > 192.168.2.146.80: Flags [.], cksum 0x21f8 (correct), seq 1, ack 1, win 16425, length 0
2020-02-15 19:07:30.850010 IP (tos 0x0, ttl 64, id 28680, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.133.62685 > 192.168.2.146.80: Flags [.], cksum 0x36bb (correct), seq 1, ack 1, win 16425, length 0
2020-02-15 19:07:30.880984 IP (tos 0x0, ttl 64, id 28681, offset 0, flags [DF], proto TCP (6), length 40)

 