Introduction
This is the fourth post in the series on network protocols.
The previous post covered the basic use of tcpdump filter expressions, which is enough for most ordinary capture tasks; this post shows how to make the filter more specific while capturing.
The common tcpdump options were introduced in the previous post; they are listed again below for quick reference. For the remaining options see the tcpdump website.
Common options
- -n Do not resolve IP addresses to names.
- -nn Do not resolve IP addresses or port numbers to names.
- -i Specify the interface to capture packets on.
- -w Specify the file to write packets to; the file is created if it does not exist and overwritten if it does.
- -f Specify the filter expression, for example which port or protocol to capture.
- -r Specify the capture file to read packets from.
- -F Use the filter expression stored in the given file.
- -D List all interfaces that tcpdump can capture on.
- -c Specify how many packets to capture or read; the number follows -c directly.
- -l View packet contents while they are being saved to a file.
- -t Do not print timestamps.
- -tt Print timestamps in seconds.
- -ttt Print timestamps to microsecond or nanosecond precision, depending on the --time-stamp-precision option.
- -s Specify how many bytes of each packet to capture. -s0 removes the limit; use it to capture complete packets.
- -S Print absolute TCP sequence numbers instead of relative ones.
- -v/-vv/-vvv Print verbose output; more v's give more detail.
Command overview
This post mainly covers the following commands:
> # Capture IPv6 packets
> tcpdump -i ens33 ip6 -c3
> # Capture ICMP packets
> tcpdump -i ens33 icmp -c3
> # Capture UDP packets
> tcpdump -nni ens33 udp -c4
> # Use a number for the protocol
> tcpdump -nni ens33 proto 17 -c1 -v
> # Destination port range 25-110
> tcpdump -nni ens33 dst portrange 25-110 -c3
> # Capture on any interface
> tcpdump -nni any -c3
> # Capture by packet size
> tcpdump -nni any less 32 -c3
> # Specific source IP and destination port
> tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53
> # Capture packets from network A to network B
> tcpdump -i ens33 -nvX src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24
> # Capture non-ICMP packets
> tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3
> # Capture packets whose port is not 53
> tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3
> # Extract User-Agent
> tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"
> # Extract User-Agent and Host
> tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"
> # Extract HTTP request URLs
> tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"
> # Extract the password field of HTTP requests
> tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"
> # Capture cookies
> tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"
> # Capture ICMP packets not generated by ping
> tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
Simple commands
1. Specifying the protocol type
1) Capturing IPv6 packets
Simply append ip6 to the command; here 3 packets are captured and printed directly.
[sunft@localhost ~]$ sudo su
[sudo] sunft 的密碼:
[root@localhost sunft]# tcpdump -i ens33 ip6 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:59:04.628607 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:05.629175 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:06.805183 IP6 fe80::24b1:28c6:e76:62f > ff02::1:ffc0:2222: ICMP6, neighbor solicitation, who has gateway, length 32
3 packets captured
3 packets received by filter
0 packets dropped by kernel
2) Capturing ICMP packets
Append icmp to the command; here 3 packets are captured and displayed.
[root@localhost sunft]# tcpdump -i ens33 icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:17:16.066307 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 1, length 64
22:17:16.070765 IP 14.215.177.39 > localhost: ICMP echo reply, id 3354, seq 1, length 64
22:17:18.106814 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 2, length 64
3 packets captured
3 packets received by filter
0 packets dropped by kernel
3) Capturing UDP packets
Step 1: enter the following command in a terminal to listen on the interface
[root@localhost sunft]# tcpdump -nni ens33 udp -c4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:03.108888 IP 192.168.248.134.39477 > 192.168.248.2.53: 25720+ A? www.baidu.com. (31)
22:23:03.111247 IP 192.168.248.2.53 > 192.168.248.134.39477: 25720 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
22:23:11.144382 IP 192.168.248.134.60917 > 192.168.248.2.53: 61648+ A? www.baidu.com. (31)
22:23:11.146571 IP 192.168.248.2.53 > 192.168.248.134.60917: 61648 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Step 2: in another terminal, look up Baidu's IP address
[sunft@localhost ~]$ nslookup www.baidu.com
Server: 192.168.248.2
Address: 192.168.248.2#53
Non-authoritative answer:
Name: www.baidu.com
Address: 14.215.177.39
Name: www.baidu.com
Address: 14.215.177.38
4) Using a number for the protocol
Some protocols have a corresponding decimal number; see the reference material at the end of the post. Here proto 17 stands for UDP.
[root@localhost sunft]# tcpdump -nni ens33 proto 17 -c1 -v
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:45:13.789092 IP (tos 0x0, ttl 64, id 30301, offset 0, flags [none], proto UDP (17), length 59)
192.168.248.134.62450 > 192.168.248.2.53: 65418+ A? www.baidu.com. (31)
1 packet captured
1 packet received by filter
0 packets dropped by kernel
2. Port range
The example below captures 3 packets whose destination port lies in the range 25-110 and displays them.
[root@localhost sunft]# tcpdump -nni ens33 dst portrange 25-110 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:14:17.482566 IP 192.168.248.134.54275 > 117.18.237.29.80: Flags [.], ack 1058826142, win 30732, length 0
20:14:26.026503 IP 192.168.248.134.57943 > 104.86.182.64.80: Flags [.], ack 826562746, win 31088, length 0
20:14:26.218510 IP 192.168.248.134.54271 > 117.18.237.29.80: Flags [.], ack 214582950, win 30732, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
3. Any interface
Use **-i any** to capture packets from all interfaces. The example below captures 3 arbitrary packets from all interfaces.
[root@localhost sunft]# tcpdump -nni any -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:10:36.401132 IP6 ::1.34187 > ::1.6150: Flags [S], seq 597567463, win 43690, options [mss 65476,sackOK,TS val 4294844481 ecr 0,nop,wscale 7], length 0
20:10:36.401142 IP6 ::1.6150 > ::1.34187: Flags [R.], seq 0, ack 597567464, win 0, length 0
20:10:36.401683 IP 192.168.248.134.54356 > 192.168.248.134.6150: Flags [S], seq 1007347807, win 43690, options [mss 65495,sackOK,TS val 4294844482 ecr 0,nop,wscale 7], length 0
3 packets captured
8 packets received by filter
0 packets dropped by kernel
4. Capturing by packet size
The example below captures packets smaller than 32 bytes; similar commands include:
tcpdump 'len <= 12'
tcpdump less 32
tcpdump greater 64
[root@localhost sunft]# tcpdump -nni any less 32 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:24:46.272538 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:25:18.223937 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:26:22.687704 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Combined expressions
tcpdump filter primitives can be combined with the operators below; the English keyword and the programming-style symbol are interchangeable:
- and: and &&
- or: or ||
- not: not !
1. Specific source IP and destination port
The example below specifies the source IP and the destination port and prints the captured packets directly.
[root@localhost sunft]# tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:20:32.665037 IP (tos 0x0, ttl 64, id 18881, offset 0, flags [none], proto UDP (17), length 59)
192.168.248.134.19811 > 192.168.248.2.53: [bad udp cksum 0x7213 -> 0xd53b!] 44784+ A? www.baidu.com. (31)
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
2. From one network to another
The example below captures packets from the 192.168.248.0/24 network to the 10.0.0.0/8 or 14.215.177.0/24 networks and displays them in hex.
[root@localhost sunft]# tcpdump -i ens33 -nvX src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:40:12.015817 IP (tos 0x0, ttl 64, id 13253, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.248.134 > 14.215.177.39: ICMP echo request, id 4237, seq 116, length 64
0x0000: 4500 0054 33c5 4000 4001 8db6 c0a8 f886 E..T3.@.@.......
0x0010: 0ed7 b127 0800 3780 108d 0074 ac10 c45d ...'..7....t...]
0x0020: 0000 0000 803d 0000 0000 0000 1011 1213 .....=..........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
3. Showing all non-ICMP packets to a specific destination
The example below captures all non-ICMP packets going to 14.215.177.39.
[root@localhost sunft]# tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:47:15.778919 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [P.], seq 1004614837:1004615422, ack 1412106833, win 64240, length 585
20:47:15.803720 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 1281, win 64240, length 0
20:47:15.805020 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 9012, win 64240, length 0
3 packets captured
4 packets received by filter
0 packets dropped by kernel
4. Capturing packets not on a specific port
The first command below captures packets whose source address is 192.168.248.134 and whose port is not 53. The second command does not exclude the port, and its second packet is on port 53. To reproduce this, run nslookup with a domain name in a terminal to look up its IP.
[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:44.752134 IP 192.168.248.134.44515 > 54.71.96.255.443: Flags [.], ack 481446081, win 46720, length 0
20:52:45.839762 IP 192.168.248.134.18390 > 117.18.237.29.80: Flags [.], ack 971127717, win 30693, length 0
20:52:46.351895 IP 192.168.248.134.18362 > 117.18.237.29.80: Flags [.], ack 643063100, win 35415, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:56:15.856140 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:56:17.661719 IP 192.168.248.134.32617 > 192.168.248.2.53: 59708+ A? www.baidu.com. (31)
5. Extracting HTTP User-Agents
The example below prints the lines containing "User-Agent:" from the captured packets.
[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C159 packets captured
159 packets received by filter
0 packets dropped by kernel
6. Extracting User-Agent and Host
The example below filters out the lines containing "User-Agent:" and "Host:" from the captured packets.
[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: ocsp2.globalsign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C440 packets captured
440 packets received by filter
0 packets dropped by kernel
7. Extracting HTTP request URLs
The example below prints the lines matching "POST /|GET /|Host:" from the captured packets.
[root@localhost sunft]# tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
GET /success.txt HTTP/1.1
Host: detectportal.firefox.com
POST /gsorganizationvalsha2g2 HTTP/1.1
Host: ocsp2.globalsign.com
^C141 packets captured
141 packets received by filter
0 packets dropped by kernel
8. Extracting the password field of HTTP requests
The example below prints the lines matching "POST /|pwd=|passwd=|password=|Host:" from the captured packets. Two sites were tried and no password-related information was captured; only the POST / and Host: lines were.
[root@localhost sunft]# tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:21:15.665274 IP 192.168.248.134.43313 > 203.208.40.56.http: Flags [P.], seq 1:456, ack 1, win 29200, length 455: HTTP: POST /gts1o1 HTTP/1.1
E.....@.@.........(8.1.P.. x;M:.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
21:21:15.668271 IP 192.168.248.134.43315 > 203.208.40.56.http: Flags [P.], seq 1:455, ack 1, win 29200, length 454: HTTP: POST /gts1o1 HTTP/1.1
E...I.@[email protected].......(8.3.P....3.e.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
Host: www.lagou.com
^C1387 packets captured
1387 packets received by filter
0 packets dropped by kernel
9. Capturing cookies
The example below filters out the lines carrying a Cookie from the captured packets; the Host field has been redacted.
[root@localhost sunft]# tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: www.xxxxxxx.com
Cookie: PHPSESSID=c3h8rr3p53840hes7jnokqpkm7; UM_distinctid=16e461159b850d-0158e82f770eed8-38694646-ae786-16e461159b93ed; CNZZDATA1274340067=1698433595-1573133535-%7C1573133535
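The greps in sections 5 to 9 print matching lines but lose which packet each line came from. As an added example (not code from the original post), the following Python groups `tcpdump -A` output by packet so the request line and Host header stay attached to the packet that carried them, and reports cleartext credential fields by name only; the sample text is constructed from section 8's output plus an invented login POST, and the intranet.example host, the 203.0.113.10 address and the function names are assumptions of mine.

```python
import re

# Constructed sample of `tcpdump -A` output: the first packet is copied from
# section 8 of the post, the second is an invented login POST (not from the page).
SAMPLE = """\
21:21:15.665274 IP 192.168.248.134.43313 > 203.208.40.56.http: Flags [P.], seq 1:456, ack 1, win 29200, length 455: HTTP: POST /gts1o1 HTTP/1.1
E.....@.@.........(8.1.P.. x;M:.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
21:21:20.000000 IP 192.168.248.134.43320 > 203.0.113.10.http: Flags [P.], seq 1:120, ack 1, win 29200, length 119: HTTP: POST /login HTTP/1.1
E.....@.@.........POST /login HTTP/1.1
Host: intranet.example
Content-Type: application/x-www-form-urlencoded

user=alice&passwd=hunter2&remember=1
"""

# A tcpdump summary line starts with a timestamp; everything until the next
# summary line is the ASCII rendering of that packet's bytes.
PKT_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+) > (\S+):")
REQ_LINE = re.compile(r"(GET|POST) (\S+) HTTP/1\.[01]")
HOST = re.compile(r"^Host: (\S+)", re.M)
# Same field names the post greps for; only the name is reported, never the value.
CRED_FIELD = re.compile(r"(?:^|[&?\n])(pwd|passwd|password)=", re.I)

def split_packets(text):
    """Group -A output into (src, dst, payload_text) tuples, one per packet."""
    packets = []
    for line in text.splitlines():
        m = PKT_START.match(line)
        if m:
            packets.append([m.group(1), m.group(2), []])
        elif packets:
            packets[-1][2].append(line)
    return [(src, dst, "\n".join(body)) for src, dst, body in packets]

def find_http_requests(text):
    """List cleartext HTTP requests with host, path and any credential field name."""
    found = []
    for src, dst, body in split_packets(text):
        req = REQ_LINE.search(body)
        if not req:
            continue  # data segment without a request line, e.g. a continuation
        host = HOST.search(body)
        cred = CRED_FIELD.search(body)
        found.append({"src": src, "dst": dst, "method": req.group(1),
                      "path": req.group(2),
                      "host": host.group(1) if host else None,
                      "credential_field": cred.group(1) if cred else None})
    return found
```

Run `find_http_requests(SAMPLE)` to get one record per request; a non-empty `credential_field` points at a form that should be moved off plain HTTP.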
10. Capturing ICMP packets not generated by ping
The example below captures ICMP packets that were not generated by ping; such packets can be produced with the traceroute command.
[root@localhost sunft]# tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:41:26.959040 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959049 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959050 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
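To show what the primitives in sections 2 and 10 and the and/or combinations actually test on the wire, here is an added example (not code from the original post) that decodes the `-X` hex dump from section 2 with Python and re-implements the post's filters as the same byte checks a BPF program performs. The function names, the `patched` helper and the altered packets it produces are assumptions of mine; the hex bytes are the page's own.

```python
import ipaddress
import struct
# The ICMP echo request shown by `tcpdump -X` in section 2 above, with the
# offset and ASCII columns dropped (hex copied from the post's output).
PAGE_HEXDUMP = """
0x0000: 4500 0054 33c5 4000 4001 8db6 c0a8 f886
0x0010: 0ed7 b127 0800 3780 108d 0074 ac10 c45d
0x0020: 0000 0000 803d 0000 0000 0000 1011 1213
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050: 3435 3637
"""

def hexdump_to_bytes(dump):
    """Turn -X hex lines back into the raw IPv4 packet bytes."""
    return b"".join(bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
                    for line in dump.strip().splitlines())

def parse_ipv4(pkt):
    """Decode the header fields that `-v` prints, plus the layer-4 payload."""
    ver_ihl, _tos, length, ident, frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ttl": ttl, "id": ident, "length": length, "proto": proto,
            "df": bool(frag & 0x4000), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "payload": pkt[(ver_ihl & 0x0F) * 4:length]}

def patched(pkt, offset, data):
    """Constructed test variant: overwrite bytes at offset (checksums left stale)."""
    return pkt[:offset] + data + pkt[offset + len(data):]

# Each filter primitive from the post as the byte test its BPF program performs.
def proto_is(h, n): return h["proto"] == n                           # `proto 17`; `icmp` is `proto 1`
def src_net(h, cidr): return h["src"] in ipaddress.ip_network(cidr)  # `src net 192.168.248.0/24`
def dst_net(h, cidr): return h["dst"] in ipaddress.ip_network(cidr)  # `dst net 14.215.177.0/24`
def dst_port(h, p):   # `dst port 53`: destination port is bytes 2-3 of both TCP and UDP headers
    return h["proto"] in (6, 17) and struct.unpack("!H", h["payload"][2:4])[0] == p
def icmp_not_ping(h):  # `icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply`
    return proto_is(h, 1) and h["payload"][0] not in (8, 0)        # icmp[0] is the type byte

def post_filter_as_pcap_parses_it(h):
    # pcap-filter gives `and` and `or` equal precedence, left to right, so
    # `src net A and dst net B or C` means (src net A and dst net B) or dst net C.
    return (src_net(h, "192.168.248.0/24") and dst_net(h, "10.0.0.0/8")) \
        or dst_net(h, "14.215.177.0/24")

def post_filter_with_parentheses(h):
    # `src net A and (dst net B or C)`: only packets that really leave network A.
    return src_net(h, "192.168.248.0/24") \
        and (dst_net(h, "10.0.0.0/8") or dst_net(h, "14.215.177.0/24"))
```

The two `post_filter_*` functions differ on a packet to 14.215.177.0/24 from a source outside 192.168.248.0/24: the unparenthesized form from section 2 accepts it, the parenthesized form does not.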
References
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
https://www.thegeekdiary.com/18-practical-tcpdump-command-examples-a-network-sniffer-tool-primer/
https://hackertarget.com/tcpdump-examples/
Follow my technical WeChat official account and let's learn together!