Capturing packets with tcpdump filter expressions (advanced)

Introduction

This is the fourth post in the series on network protocols.

The previous post covered the basic use of tcpdump filter expressions, which is enough for most everyday captures. This post shows how to make the filter conditions more specific while capturing.

The common tcpdump options were introduced in the previous post; they are listed again here for easy reference. See the tcpdump website for the full set of options.

Common options

  • -n Do not resolve IP addresses to names.
  • -nn Do not resolve IP addresses or port numbers to names.
  • -i Specify the interface to capture on.
  • -w Write packets to the given file; the file is created if it does not exist and overwritten if it does.
  • -f Specify a filter expression, for example which port or which protocol to capture.
  • -r Read packets from the given capture file.
  • -F Read the filter expression from the given file.
  • -D List all interfaces tcpdump can capture on.
  • -c Number of packets to capture or read; the count follows -c directly.
  • -l Line-buffer the output so packets can be viewed while also being saved to a file.
  • -t Do not print a timestamp.
  • -tt Print a raw timestamp in seconds.
  • -ttt Print timestamps with microsecond or nanosecond resolution, depending on the --time-stamp-precision option.
  • -s Number of bytes to capture from each packet; -s0 removes the limit, so use it to capture whole packets.
  • -S Print absolute TCP sequence numbers rather than relative ones.
  • -v/-vv/-vvv Print verbose output; the more v's, the more detail.

Command overview

This post mainly covers the following commands:

> #Capture IPv6 packets
> tcpdump -i ens33 ip6 -c3

> #Capture ICMP packets
> tcpdump -i ens33 icmp -c3

> #Capture UDP packets
> tcpdump -nni ens33 udp -c4

> #Refer to a protocol by its number
> tcpdump -nni ens33 proto 17 -c1 -v

> #Destination port range 25-110
> tcpdump -nni ens33 dst portrange 25-110 -c3

> #Capture on any interface
> tcpdump -nni any -c3

> #Capture by packet size
> tcpdump -nni any less 32 -c3

> #Source IP and destination port
> tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53

> #Packets from network A to network B
> tcpdump -i ens33 -nvX src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24

> #Non-ICMP packets
> tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3

> #Packets whose port is not 53
> tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3

> #Extract User-Agent
> tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"

> #Extract User-Agent and Host
> tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"

> #Extract HTTP request URLs
> tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"

> #Extract password fields from HTTP requests
> tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"

> #Capture cookies
> tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"

> #Capture ICMP packets not produced by ping
> tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Simple commands

1. Specifying the protocol type

1) Capturing IPv6 packets

Simply append ip6 to the command; here 3 packets are captured and printed directly.

[sunft@localhost ~]$ sudo su
[sudo] sunft 的密碼:
[root@localhost sunft]# tcpdump -i ens33 ip6 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:59:04.628607 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:05.629175 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:06.805183 IP6 fe80::24b1:28c6:e76:62f > ff02::1:ffc0:2222: ICMP6, neighbor solicitation, who has gateway, length 32
3 packets captured
3 packets received by filter
0 packets dropped by kernel

2) Capturing ICMP packets

Append icmp to the command; here 3 packets are captured and displayed.

[root@localhost sunft]# tcpdump -i ens33 icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:17:16.066307 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 1, length 64
22:17:16.070765 IP 14.215.177.39 > localhost: ICMP echo reply, id 3354, seq 1, length 64
22:17:18.106814 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 2, length 64
3 packets captured
3 packets received by filter
0 packets dropped by kernel

3) Capturing UDP packets

Step 1: run the following command in a terminal to listen on the interface

[root@localhost sunft]# tcpdump -nni ens33 udp -c4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:03.108888 IP 192.168.248.134.39477 > 192.168.248.2.53: 25720+ A? www.baidu.com. (31)
22:23:03.111247 IP 192.168.248.2.53 > 192.168.248.134.39477: 25720 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
22:23:11.144382 IP 192.168.248.134.60917 > 192.168.248.2.53: 61648+ A? www.baidu.com. (31)
22:23:11.146571 IP 192.168.248.2.53 > 192.168.248.134.60917: 61648 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Step 2: in another terminal, look up Baidu's IP address

[sunft@localhost ~]$ nslookup www.baidu.com
Server:		192.168.248.2
Address:	192.168.248.2#53

Non-authoritative answer:
Name:	www.baidu.com
Address: 14.215.177.39
Name:	www.baidu.com
Address: 14.215.177.38
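The -nn output above has a regular one-line shape (timestamp, "IP", source address.port, ">", destination address.port, then a protocol-specific tail) that is easy to parse once a capture has been saved as text. The following Python script is an added example, not part of the original post: it parses that format, recognises the DNS query and response lines tcpdump prints for port 53, and pairs responses with queries by transaction id, reporting queries that got no answer and queries sent to a resolver other than the one nslookup showed. SAMPLE holds the four DNS lines from the capture above plus one constructed line (a query to 198.51.100.53, a TEST-NET-2 address, that receives no reply); EXPECTED_RESOLVER is taken from the Server: line of the nslookup output.

```python
"""Parse tcpdump -nn one-line output into records and pair DNS queries with
their responses by transaction id.

Added example, not from the original post. SAMPLE holds the four DNS lines
from the post's capture plus one constructed query to a resolver the host is
not configured to use (198.51.100.53, a TEST-NET-2 address) that gets no reply."""
import re

SAMPLE = """\
22:23:03.108888 IP 192.168.248.134.39477 > 192.168.248.2.53: 25720+ A? www.baidu.com. (31)
22:23:03.111247 IP 192.168.248.2.53 > 192.168.248.134.39477: 25720 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
22:23:11.144382 IP 192.168.248.134.60917 > 192.168.248.2.53: 61648+ A? www.baidu.com. (31)
22:23:11.146571 IP 192.168.248.2.53 > 192.168.248.134.60917: 61648 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
22:23:20.000000 IP 192.168.248.134.40001 > 198.51.100.53.53: 7777+ A? example.org. (29)
"""
EXPECTED_RESOLVER = "192.168.248.2"   # the Server: line of the nslookup output above

# "<time> IP <src>.<sport> > <dst>.<dport>: <protocol-specific rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
# Query tail: "<txid>[+] <QTYPE>? <name>"; response tail: "<txid> <answers>/<authority>/<additional> ..."
DNS_QUERY_RE = re.compile(r"^(?P<txid>\d+)[+%$|-]* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
DNS_RESP_RE = re.compile(r"^(?P<txid>\d+)[*$|-]* (?P<an>\d+)/(?P<au>\d+)/(?P<ad>\d+)")


def parse_line(line):
    """Return a dict for one `tcpdump -nn` IP line, or None for anything else (ARP, etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rest = rec.pop("rest")
    rec["kind"] = "other"
    if 53 in (rec["sport"], rec["dport"]):
        q, r = DNS_QUERY_RE.match(rest), DNS_RESP_RE.match(rest)
        if q:
            rec.update(kind="dns_query", txid=int(q["txid"]), qtype=q["qtype"], qname=q["qname"])
        elif r:
            rec.update(kind="dns_response", txid=int(r["txid"]), answers=int(r["an"]))
    return rec


def pair_dns(text):
    """Match responses to queries by (client, client port, txid) and flag anomalies."""
    pending = {}
    findings = {"answered": 0, "unanswered": [], "foreign_resolver": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        if rec["kind"] == "dns_query":
            pending[(rec["src"], rec["sport"], rec["txid"])] = rec
            if rec["dst"] != EXPECTED_RESOLVER:
                findings["foreign_resolver"].append((rec["src"], rec["dst"], rec["qname"]))
        elif pending.pop((rec["dst"], rec["dport"], rec["txid"]), None) is not None:
            findings["answered"] += 1
    # Whatever is still pending never received a response in this capture.
    findings["unanswered"] = [(q["src"], q["dst"], q["qname"]) for q in pending.values()]
    return findings


if __name__ == "__main__":
    for key, value in pair_dns(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it a saved capture with something like tcpdump -nnr capture.pcap udp port 53 > dns.txt and pass the file contents to pair_dns; the (client, client port, txid) key is what a resolver uses to match answers too, so unanswered entries are either dropped replies or queries that went somewhere unexpected.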

4) Referring to a protocol by its number

Some protocols can be referred to by their decimal protocol number; see the reference material at the end of this article. Here proto 17 stands for UDP.

[root@localhost sunft]# tcpdump -nni ens33 proto 17 -c1 -v
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:45:13.789092 IP (tos 0x0, ttl 64, id 30301, offset 0, flags [none], proto UDP (17), length 59)
    192.168.248.134.62450 > 192.168.248.2.53: 65418+ A? www.baidu.com. (31)
1 packet captured
1 packet received by filter
0 packets dropped by kernel

2. Port ranges

The following example captures 3 packets whose destination port is in the range 25-110 and displays them.

[root@localhost sunft]# tcpdump -nni ens33 dst portrange 25-110 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:14:17.482566 IP 192.168.248.134.54275 > 117.18.237.29.80: Flags [.], ack 1058826142, win 30732, length 0
20:14:26.026503 IP 192.168.248.134.57943 > 104.86.182.64.80: Flags [.], ack 826562746, win 31088, length 0
20:14:26.218510 IP 192.168.248.134.54271 > 117.18.237.29.80: Flags [.], ack 214582950, win 30732, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel

3. Any interface

Use **-i any** to capture packets from all interfaces. The following example captures the first 3 packets seen on any interface.

[root@localhost sunft]# tcpdump -nni any -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:10:36.401132 IP6 ::1.34187 > ::1.6150: Flags [S], seq 597567463, win 43690, options [mss 65476,sackOK,TS val 4294844481 ecr 0,nop,wscale 7], length 0
20:10:36.401142 IP6 ::1.6150 > ::1.34187: Flags [R.], seq 0, ack 597567464, win 0, length 0
20:10:36.401683 IP 192.168.248.134.54356 > 192.168.248.134.6150: Flags [S], seq 1007347807, win 43690, options [mss 65495,sackOK,TS val 4294844482 ecr 0,nop,wscale 7], length 0
3 packets captured
8 packets received by filter
0 packets dropped by kernel

4. Capturing by packet size

The following example captures packets of at most 32 bytes (less N is shorthand for len <= N, greater N for len >= N). Similar length filters include:

tcpdump 'len <= 12'
tcpdump less 32
tcpdump greater 64

[root@localhost sunft]# tcpdump -nni any less 32 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:24:46.272538 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:25:18.223937 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:26:22.687704 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Combined conditions

tcpdump filter conditions can be combined with the following operators; either the English keyword or the C-style symbol works:

  1. both conditions (and): and, &&
  2. either condition (or): or, ||
  3. everything except (not): not, !

1. Specific source IP and destination port

The following example specifies a source IP and a destination port and prints the captured packets directly.

[root@localhost sunft]# tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:20:32.665037 IP (tos 0x0, ttl 64, id 18881, offset 0, flags [none], proto UDP (17), length 59)
    192.168.248.134.19811 > 192.168.248.2.53: [bad udp cksum 0x7213 -> 0xd53b!] 44784+ A? www.baidu.com. (31)
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

2. From one network to another

The following example captures packets from the network 192.168.248.0/24 to the network 10.0.0.0/8 or 14.215.177.0/24 and displays them in hex. Note that and and or have equal precedence and associate left to right, so tcpdump reads this expression as (src net 192.168.248.0/24 and dst net 10.0.0.0/8) or dst net 14.215.177.0/24; put parentheses around the or-clause (quoted, so the shell leaves them alone) if the source restriction is meant to apply to both destination networks.

[root@localhost sunft]# tcpdump -i ens33 -nvX src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:40:12.015817 IP (tos 0x0, ttl 64, id 13253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.248.134 > 14.215.177.39: ICMP echo request, id 4237, seq 116, length 64
	0x0000:  4500 0054 33c5 4000 4001 8db6 c0a8 f886  E..T3.@.@.......
	0x0010:  0ed7 b127 0800 3780 108d 0074 ac10 c45d  ...'..7....t...]
	0x0020:  0000 0000 803d 0000 0000 0000 1011 1213  .....=..........
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637                                4567

3. Showing all non-ICMP packets to a specific destination

The following example captures all non-ICMP packets going to 14.215.177.39.

[root@localhost sunft]# tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:47:15.778919 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [P.], seq 1004614837:1004615422, ack 1412106833, win 64240, length 585
20:47:15.803720 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 1281, win 64240, length 0
20:47:15.805020 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 9012, win 64240, length 0
3 packets captured
4 packets received by filter
0 packets dropped by kernel

4. Capturing packets not on a specific port

The first command below captures packets whose source address is 192.168.248.134 and whose port is not 53. The second command does not restrict the port, and its second packet is on port 53. To reproduce this, run nslookup with a domain name in another terminal to resolve the domain's IP.

[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:44.752134 IP 192.168.248.134.44515 > 54.71.96.255.443: Flags [.], ack 481446081, win 46720, length 0
20:52:45.839762 IP 192.168.248.134.18390 > 117.18.237.29.80: Flags [.], ack 971127717, win 30693, length 0
20:52:46.351895 IP 192.168.248.134.18362 > 117.18.237.29.80: Flags [.], ack 643063100, win 35415, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:56:15.856140 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:56:17.661719 IP 192.168.248.134.32617 > 192.168.248.2.53: 59708+ A? www.baidu.com. (31)

5. Extracting HTTP User-Agents

The following example prints, from the captured packets, the lines containing User-Agent:.

[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C159 packets captured
159 packets received by filter
0 packets dropped by kernel

6. Extracting User-Agent and Host

The following example filters the captured packets for lines containing User-Agent: or Host:.

[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: ocsp2.globalsign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C440 packets captured
440 packets received by filter
0 packets dropped by kernel

7. Extracting HTTP request URLs

The following example prints, from the captured packets, the lines matching “POST /|GET /|Host:”, i.e. the HTTP request lines and Host headers.

[root@localhost sunft]# tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
	GET /success.txt HTTP/1.1
	Host: detectportal.firefox.com
	POST /gsorganizationvalsha2g2 HTTP/1.1
	Host: ocsp2.globalsign.com
^C141 packets captured
141 packets received by filter
0 packets dropped by kernel

8. Extracting password fields from HTTP requests

The following example prints the lines matching “POST /|pwd=|passwd=|password=|Host:”. Two sites were tried and no password-related fields were captured; only POST / request lines and Host: headers showed up.

[root@localhost sunft]# tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:21:15.665274 IP 192.168.248.134.43313 > 203.208.40.56.http: Flags [P.], seq 1:456, ack 1, win 29200, length 455: HTTP: POST /gts1o1 HTTP/1.1
E.....@.@.........(8.1.P.. x;M:.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
21:21:15.668271 IP 192.168.248.134.43315 > 203.208.40.56.http: Flags [P.], seq 1:455, ack 1, win 29200, length 454: HTTP: POST /gts1o1 HTTP/1.1
E...I.@[email protected].......(8.3.P....3.e.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
Host: www.lagou.com
^C1387 packets captured
1387 packets received by filter
0 packets dropped by kernel

9. Capturing cookies

The following example filters the captured packets for lines carrying cookies; the Host field has been masked.

[root@localhost sunft]# tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: www.xxxxxxx.com
Cookie: PHPSESSID=c3h8rr3p53840hes7jnokqpkm7; UM_distinctid=16e461159b850d-0158e82f770eed8-38694646-ae786-16e461159b93ed; CNZZDATA1274340067=1698433595-1573133535-%7C1573133535
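Sections 5 to 9 all pipe tcpdump -A output through grep, which is fine for a quick look but also dumps every captured password and session cookie onto the terminal. The following Python script is an added example, not part of the original post, that does the same extraction from a defender's side: it splits -A output into packets, locates the HTTP request line (which sits on the same output line as the printed IP/TCP header bytes), parses the headers and form body, and reports which hosts received cleartext credentials or cookies by field name only, so the secrets themselves never land in a log. SAMPLE is constructed in the shape of tcpdump -A output (hosts and addresses are example/TEST-NET values), and CREDENTIAL_PARAMS mirrors the field names the egrep in section 8 looks for.

```python
"""Audit `tcpdump -A` output for HTTP requests that carry credentials or cookies
in cleartext, reporting field names only (values are never stored or printed).

Added example, not from the original post. SAMPLE is constructed in the shape of
tcpdump -A output; hosts and addresses are example/TEST-NET values."""
import re
from urllib.parse import parse_qsl

SAMPLE = """\
21:21:15.665274 IP 192.168.248.134.43313 > 203.0.113.10.80: Flags [P.], seq 1:180, ack 1, win 29200, length 179: HTTP: GET /success.txt HTTP/1.1
E.....@.@.........(8.1.P.. x;M:.P.r.....GET /success.txt HTTP/1.1
Host: detectportal.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*

21:21:16.001000 IP 192.168.248.134.43315 > 203.0.113.10.80: Flags [P.], seq 1:300, ack 1, win 29200, length 299: HTTP: POST /login HTTP/1.1
E.....@.@.........(8.3.P....3.e.P.r.....POST /login HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Cookie: PHPSESSID=constructed-session-id
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

user=alice&password=s3cret-sample
"""

PACKET_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")
# The printed IP/TCP header bytes precede the request line on the same -A line, so search, not match.
REQUEST_LINE = re.compile(r"(?P<method>GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (?P<path>/\S*) HTTP/1\.[01]")
HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$")
CREDENTIAL_PARAMS = ("pwd", "passwd", "password")        # the names the post's egrep looks for
SENSITIVE_HEADERS = ("cookie", "set-cookie", "authorization")


def split_packets(text):
    """Group -A output into one list of payload lines per packet (summary line dropped)."""
    packets, current = [], None
    for line in text.splitlines():
        if PACKET_START.match(line):
            current = []
            packets.append(current)
        elif current is not None:
            current.append(line)
    return packets


def parse_http_request(lines):
    """Return {method, path, headers, body} if the payload holds an HTTP request, else None."""
    for i, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if m:
            break
    else:
        return None
    req = {"method": m["method"], "path": m["path"], "headers": {}, "body": ""}
    j = i + 1
    while j < len(lines) and lines[j].strip():     # tcpdump -A prints CRLF as a newline,
        h = HEADER_LINE.match(lines[j])             # so the header block ends at a blank line
        if h:
            req["headers"][h["name"].lower()] = h["value"]
        j += 1
    req["body"] = "\n".join(lines[j + 1:]).strip()
    return req


def audit(text):
    """One finding per HTTP request: which sensitive headers/fields it sent, names only."""
    findings = []
    for payload in split_packets(text):
        req = parse_http_request(payload)
        if req is None:
            continue
        headers = req["headers"]
        finding = {
            "host": headers.get("host", "?"),
            "request": f"{req['method']} {req['path']}",
            "user_agent": headers.get("user-agent"),
            "sensitive_headers": [h for h in SENSITIVE_HEADERS if h in headers],
            "credential_params": [],
        }
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            finding["credential_params"] = [
                k for k, _ in parse_qsl(req["body"]) if k.lower() in CREDENTIAL_PARAMS]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['host']:28} {f['request']:22} headers={f['sensitive_headers']} "
              f"fields={f['credential_params']}")
```

Run it over the output of tcpdump -i ens33 -s0 -Anl 'tcp port 80' saved to a file; every host that shows up with a credential field or a cookie is one that still serves a login or session over plain HTTP, which is the finding worth escalating, without ever copying the password or cookie value itself.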

10. Capturing ICMP packets not produced by ping

The following example captures ICMP packets that were not produced by the ping command; such packets can be generated with the traceroute command.

[root@localhost sunft]# tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:41:26.959040 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959049 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959050 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
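The filters used throughout this post (icmp, proto 17, less 32, src net ... and dst net ..., not icmp, icmp[icmptype] != icmp-echo) are all tests on header bytes, and the hex dump printed by tcpdump -nvX in section 2 of the combined commands is exactly the packet those tests run on. The following Python script is an added example, not part of the original post: it decodes that hex dump back into an IPv4/ICMP packet (verifying the header checksum on the way), then evaluates the post's filter expressions against it with small composable predicates, including the left-to-right reading of src net A and dst net B or dst net C. It assumes an Ethernet (EN10MB) link layer, whose 14-byte header tcpdump -X does not print but BPF's len does count; FOREIGN is a constructed variant of the same packet with an out-of-range source address, used only to show where the parenthesised and unparenthesised forms differ.

```python
"""Decode the post's `tcpdump -nvX` hex dump and evaluate the post's filter
expressions against it in pure Python.

Added example, not from the original post. Assumption: Ethernet (EN10MB) link
layer, whose 14-byte header tcpdump -X omits but BPF's `len` counts."""
import ipaddress
import struct

# Hex dump copied from the post's output (ASCII column dropped).
HEXDUMP = """
0x0000:  4500 0054 33c5 4000 4001 8db6 c0a8 f886
0x0010:  0ed7 b127 0800 3780 108d 0074 ac10 c45d
0x0020:  0000 0000 803d 0000 0000 0000 1011 1213
0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050:  3435 3637
"""
ETHERNET_HEADER_LEN = 14                      # assumption, see docstring
PROTO_ICMP, PROTO_UDP = 1, 17                 # IANA numbers used by `proto N`
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8              # tcpdump's icmp-echoreply / icmp-echo


def parse_hexdump(text):
    """Turn tcpdump -x/-X offset lines back into raw bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        raw += bytes.fromhex("".join(line.partition(":")[2].split()))
    return bytes(raw)


def ip_checksum(header):
    """RFC 1071 one's-complement checksum; a valid header sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(raw):
    """Decode the IPv4 (and ICMP) header fields the post's filters refer to."""
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ip_checksum(raw[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 header")
    pkt = {"len": ETHERNET_HEADER_LEN + total_len, "ttl": ttl, "id": ident,
           "proto": proto, "src": ipaddress.ip_address(src),
           "dst": ipaddress.ip_address(dst), "payload": raw[ihl:total_len]}
    if proto == PROTO_ICMP:                    # icmp[icmptype] is byte 0, icmp[icmpcode] byte 1
        pkt["icmptype"], pkt["icmpcode"] = pkt["payload"][0], pkt["payload"][1]
        pkt["icmp_id"], pkt["icmp_seq"] = struct.unpack("!HH", pkt["payload"][4:8])
    return pkt


# Filter primitives: each returns a predicate over a decoded packet.
def src_net(cidr): return lambda p: p["src"] in ipaddress.ip_network(cidr)
def dst_net(cidr): return lambda p: p["dst"] in ipaddress.ip_network(cidr)
def proto(n): return lambda p: p["proto"] == n
def less(n): return lambda p: p["len"] <= n            # `less N` means len <= N
def icmptype(t): return lambda p: p["proto"] == PROTO_ICMP and p["icmptype"] == t
def not_(f): return lambda p: not f(p)
def and_(f, g): return lambda p: bool(f(p) and g(p))
def or_(f, g): return lambda p: bool(f(p) or g(p))


def evaluate_post_filters(p):
    """Run the post's filters against one decoded packet; returns name -> matched."""
    icmp = proto(PROTO_ICMP)
    lan = src_net("192.168.248.0/24")
    # `src net A and dst net B or 14.215.177.0/24`: and/or have equal precedence and
    # associate left to right, so tcpdump reads it as (A and B) or dst net C.
    as_written = or_(and_(lan, dst_net("10.0.0.0/8")), dst_net("14.215.177.0/24"))
    parenthesised = and_(lan, or_(dst_net("10.0.0.0/8"), dst_net("14.215.177.0/24")))
    return {
        "icmp": icmp(p),
        "proto 17": proto(PROTO_UDP)(p),
        "less 32": less(32)(p),
        "as written": as_written(p),
        "parenthesised": parenthesised(p),
        "dst 14.215.177.39 and not icmp": and_(dst_net("14.215.177.39/32"), not_(icmp))(p),
        "icmp but not ping": and_(icmp, and_(not_(icmptype(ICMP_ECHO)),
                                            not_(icmptype(ICMP_ECHOREPLY))))(p),
    }


PACKET = decode_ipv4(parse_hexdump(HEXDUMP))
# Constructed variant: same packet with a source outside 192.168.248.0/24, to show
# that only the parenthesised form rejects it.
FOREIGN = dict(PACKET, src=ipaddress.ip_address("10.9.8.7"))

if __name__ == "__main__":
    print(f"{PACKET['src']} -> {PACKET['dst']} proto {PACKET['proto']} icmp type "
          f"{PACKET['icmptype']} id {PACKET['icmp_id']} seq {PACKET['icmp_seq']}")
    for name, hit in evaluate_post_filters(PACKET).items():
        print(f"  {'MATCH' if hit else '     '} {name}")
    f = evaluate_post_filters(FOREIGN)
    print("FOREIGN: as written", f["as written"], "/ parenthesised", f["parenthesised"])
```

The decoded values (source 192.168.248.134, destination 14.215.177.39, protocol 1, ICMP id 4237, seq 116) line up with the summary line tcpdump printed above the hex dump, which is a useful sanity check when writing your own decoder; the FOREIGN comparison is the concrete reason to quote and parenthesise compound filters rather than relying on left-to-right association.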

References

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
https://www.thegeekdiary.com/18-practical-tcpdump-command-examples-a-network-sniffer-tool-primer/
https://hackertarget.com/tcpdump-examples/

