tcpdump: Capturing with Filter Expressions (Advanced)

Introduction

This is the fourth post in the series on network protocols.

The previous post covered the basic use of tcpdump filter expressions, which is enough for ordinary capture needs. This post shows how to make the filter conditions more specific during a capture.

The common tcpdump options were introduced in the previous post; they are listed again below for reference. See the tcpdump website for the full set of options.

Common options

  • -n do not resolve IP addresses to names.
  • -nn do not resolve IP addresses or port numbers to names.
  • -i specify the interface to capture on.
  • -w write the packets to the given file; the file is created if it does not exist and overwritten if it does.
  • -f specify the filter expression, for example which port or protocol to capture.
  • -r read packets from the given capture file.
  • -F read the filter expression from the given file.
  • -D list all interfaces on which tcpdump can capture.
  • -c number of packets to capture or read; the count follows -c directly.
  • -l line-buffer the output so packet contents can be viewed while they are also being saved to a file.
  • -t do not print timestamps.
  • -tt print timestamps in seconds.
  • -ttt print timestamps with microsecond or nanosecond precision, depending on the --time-stamp-precision option.
  • -s number of bytes to capture from each packet; -s0 removes the limit and is the setting to use when complete packets are wanted.
  • -S print absolute rather than relative TCP sequence numbers.
  • -v/-vv/-vvv print verbose output; the more v's, the more detail.

Command overview

This post covers the following commands:

> # Capture IPv6 packets
> tcpdump -i ens33 ip6 -c3

> # Capture ICMP packets
> tcpdump -i ens33 icmp -c3

> # Capture UDP packets
> tcpdump -nni ens33 udp -c4

> # Use a protocol number instead of a name
> tcpdump -nni ens33 proto 17 -c1 -v

> # Destination port range 25-110
> tcpdump -nni ens33 dst portrange 25-110 -c3

> # Capture on any interface
> tcpdump -nni any -c3

> # Capture by packet size
> tcpdump -nni any less 32 -c3

> # Specific source IP and destination port
> tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53

> # Capture packets from network A to network B
> tcpdump -i ens33 -nvX src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24

> # Capture non-ICMP packets
> tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3

> # Capture packets whose port is not 53
> tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3

> # Extract User-Agent
> tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"

> # Extract User-Agent and Host
> tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"

> # Extract HTTP request URLs
> tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"

> # Extract password fields from HTTP requests
> tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"

> # Capture cookies
> tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"

> # Capture ICMP packets not generated by ping
> tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Basic commands

1. Specifying the protocol

1) Capturing IPv6 packets

Simply append ip6 to the command; here three packets are captured and printed directly.

[sunft@localhost ~]$ sudo su
[sudo] sunft 的密码:
[root@localhost sunft]# tcpdump -i ens33 ip6 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:59:04.628607 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:05.629175 IP6 fe80::24b1:28c6:e76:62f > gateway: ICMP6, neighbor solicitation, who has gateway, length 32
21:59:06.805183 IP6 fe80::24b1:28c6:e76:62f > ff02::1:ffc0:2222: ICMP6, neighbor solicitation, who has gateway, length 32
3 packets captured
3 packets received by filter
0 packets dropped by kernel

2) Capturing ICMP packets

Append icmp to the command; three packets are captured and displayed.

[root@localhost sunft]# tcpdump -i ens33 icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:17:16.066307 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 1, length 64
22:17:16.070765 IP 14.215.177.39 > localhost: ICMP echo reply, id 3354, seq 1, length 64
22:17:18.106814 IP localhost > 14.215.177.39: ICMP echo request, id 3354, seq 2, length 64
3 packets captured
3 packets received by filter
0 packets dropped by kernel

3) Capturing UDP packets

Step 1: run the following command in a terminal to listen on the interface.

[root@localhost sunft]# tcpdump -nni ens33 udp -c4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:03.108888 IP 192.168.248.134.39477 > 192.168.248.2.53: 25720+ A? www.baidu.com. (31)
22:23:03.111247 IP 192.168.248.2.53 > 192.168.248.134.39477: 25720 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
22:23:11.144382 IP 192.168.248.134.60917 > 192.168.248.2.53: 61648+ A? www.baidu.com. (31)
22:23:11.146571 IP 192.168.248.2.53 > 192.168.248.134.60917: 61648 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Step 2: in another terminal, look up Baidu's IP address.

[sunft@localhost ~]$ nslookup www.baidu.com
Server:		192.168.248.2
Address:	192.168.248.2#53

Non-authoritative answer:
Name:	www.baidu.com
Address: 14.215.177.39
Name:	www.baidu.com
Address: 14.215.177.38

4) Using a protocol number instead of a name

Each protocol has a corresponding decimal number; see the reference material at the end of this post. Here proto 17 stands for UDP.

[root@localhost sunft]# tcpdump -nni ens33 proto 17 -c1 -v
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:45:13.789092 IP (tos 0x0, ttl 64, id 30301, offset 0, flags [none], proto UDP (17), length 59)
    192.168.248.134.62450 > 192.168.248.2.53: 65418+ A? www.baidu.com. (31)
1 packet captured
1 packet received by filter
0 packets dropped by kernel

2. Port ranges

The following example captures three packets whose destination port is in the range 25-110 and displays them.

[root@localhost sunft]# tcpdump -nni ens33 dst portrange 25-110 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:14:17.482566 IP 192.168.248.134.54275 > 117.18.237.29.80: Flags [.], ack 1058826142, win 30732, length 0
20:14:26.026503 IP 192.168.248.134.57943 > 104.86.182.64.80: Flags [.], ack 826562746, win 31088, length 0
20:14:26.218510 IP 192.168.248.134.54271 > 117.18.237.29.80: Flags [.], ack 214582950, win 30732, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel

3. Any interface

Use **-i any** to capture packets from all interfaces. The following example captures three packets from whichever interfaces happen to carry traffic.

[root@localhost sunft]# tcpdump -nni any -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:10:36.401132 IP6 ::1.34187 > ::1.6150: Flags [S], seq 597567463, win 43690, options [mss 65476,sackOK,TS val 4294844481 ecr 0,nop,wscale 7], length 0
20:10:36.401142 IP6 ::1.6150 > ::1.34187: Flags [R.], seq 0, ack 597567464, win 0, length 0
20:10:36.401683 IP 192.168.248.134.54356 > 192.168.248.134.6150: Flags [S], seq 1007347807, win 43690, options [mss 65495,sackOK,TS val 4294844482 ecr 0,nop,wscale 7], length 0
3 packets captured
8 packets received by filter
0 packets dropped by kernel

4. Capturing by packet size

The following example captures packets smaller than 32 bytes. Similar filters include (the comparison form must be quoted so the shell does not treat < as a redirection):

tcpdump 'len <= 12'
tcpdump less 32
tcpdump greater 64

[root@localhost sunft]# tcpdump -nni any less 32 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:24:46.272538 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:25:18.223937 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:26:22.687704 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Combining conditions

tcpdump filter conditions can be combined with the following operators; either the English keyword or the programming-style symbol may be used:

  1. logical AND: and, &&
  2. logical OR: or, ||
  3. negation (everything except): not, !

1. Specific source IP and destination port

The following example specifies a source IP and a destination port, and prints the captured packets directly.

[root@localhost sunft]# tcpdump -i ens33 -nnvvS src 192.168.248.134 and dst port 53
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:20:32.665037 IP (tos 0x0, ttl 64, id 18881, offset 0, flags [none], proto UDP (17), length 59)
    192.168.248.134.19811 > 192.168.248.2.53: [bad udp cksum 0x7213 -> 0xd53b!] 44784+ A? www.baidu.com. (31)
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

2. From one network to another

The following example captures packets from network 192.168.248.0/24 to network 10.0.0.0/8 or 14.215.177.0/24, and displays them in hexadecimal.

[root@localhost sunft]# tcpdump -i ens33 -nvX src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:40:12.015817 IP (tos 0x0, ttl 64, id 13253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.248.134 > 14.215.177.39: ICMP echo request, id 4237, seq 116, length 64
	0x0000:  4500 0054 33c5 4000 4001 8db6 c0a8 f886  E..T3.@.@.......
	0x0010:  0ed7 b127 0800 3780 108d 0074 ac10 c45d  ...'..7....t...]
	0x0020:  0000 0000 803d 0000 0000 0000 1011 1213  .....=..........
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637                                4567
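As an added example (not from the original post), the following shell function rewrites a filter expression into its fully parenthesised form, modelling how pcap-filter groups the operators listed above: `and` and `or` have equal precedence and associate left to right, and a value with no qualifier inherits the qualifier of the preceding term. Applied to the command above it shows that `src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24` is read as `(src net ... and dst net 10.0.0.0/8) or dst net 14.215.177.0/24`, so the second alternative matches traffic from any source; the keyword list inside the function is an assumption that covers only the qualifiers used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): show how pcap-filter groups a
# filter expression. Simplified model: "and" and "or" have equal precedence and
# associate left to right; a term without a qualifier inherits the qualifier of
# the previous term; the keyword list covers only the qualifiers used on this page.
explain_grouping() {
    printf '%s\n' "$1" | awk '
    {
        gsub(/&&/, " and "); gsub(/\|\|/, " or "); gsub(/  +/, " ")  # symbol forms
        rest = $0; out = ""; op = ""; qual = ""
        while (rest != "") {
            if (match(rest, / (and|or) /)) {           # next operator, left to right
                t = substr(rest, 1, RSTART - 1)
                nextop = substr(rest, RSTART + 1, RLENGTH - 2)
                rest = substr(rest, RSTART + RLENGTH)
            } else { t = rest; rest = "" }
            sub(/^ +/, "", t); sub(/ +$/, "", t)
            if (t ~ /^(src|dst|host|net|port|proto|ether|ip|tcp|udp|icmp|len|less|greater|not|!)/) {
                qual = t; sub(/ [^ ]+$/, "", qual)     # remember e.g. "dst net"
            } else if (qual != "") {
                t = qual " " t                          # bare value inherits it
            }
            out = (out == "") ? t : "(" out " " op " " t ")"
            op = nextop
        }
        print out
    }'
}

# The filter from the section above, and a case where left-to-right grouping
# applies "and port 53" to both protocols, excluding all ICMP traffic.
explain_grouping 'src net 192.168.248.0/24 and dst net 10.0.0.0/8 or 14.215.177.0/24'
explain_grouping 'icmp or udp and port 53'
```

Run it on a filter before using it on the command line or in a -F file; when the grouping is not what you meant, add explicit parentheses (quoted, so the shell does not interpret them).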

3. Showing all non-ICMP packets to a specific destination

The following example captures all non-ICMP packets going to 14.215.177.39.

[root@localhost sunft]# tcpdump -nni ens33 dst 14.215.177.39 and not icmp -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:47:15.778919 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [P.], seq 1004614837:1004615422, ack 1412106833, win 64240, length 585
20:47:15.803720 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 1281, win 64240, length 0
20:47:15.805020 IP 192.168.248.134.47817 > 14.215.177.39.443: Flags [.], ack 9012, win 64240, length 0
3 packets captured
4 packets received by filter
0 packets dropped by kernel

4. Capturing packets not on a specific port

The following example first captures packets whose source address is 192.168.248.134 and whose port is not 53. The second command does not restrict the port, and its second packet is on port 53. To reproduce this, simply run nslookup <domain> in a terminal to resolve a domain name.

[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 and not port 53 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:44.752134 IP 192.168.248.134.44515 > 54.71.96.255.443: Flags [.], ack 481446081, win 46720, length 0
20:52:45.839762 IP 192.168.248.134.18390 > 117.18.237.29.80: Flags [.], ack 971127717, win 30693, length 0
20:52:46.351895 IP 192.168.248.134.18362 > 117.18.237.29.80: Flags [.], ack 643063100, win 35415, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 -c3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:56:15.856140 ARP, Request who-has 192.168.248.2 tell 192.168.248.134, length 28
20:56:17.661719 IP 192.168.248.134.32617 > 192.168.248.2.53: 59708+ A? www.baidu.com. (31)

5. Extracting HTTP User-Agents

The following example prints the lines containing User-Agent: from the captured packets.

[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | grep "User-Agent:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C159 packets captured
159 packets received by filter
0 packets dropped by kernel

6. Extracting User-Agent and Host

The following example filters out the lines containing User-Agent: or Host: from the captured packets.

[root@localhost sunft]# tcpdump -nni ens33 -A -s 1500 -l | egrep "User-Agent:|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 1500 bytes
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Host: ocsp2.globalsign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
^C440 packets captured
440 packets received by filter
0 packets dropped by kernel

7. Extracting HTTP request URLs

The following example prints the lines matching “POST /|GET /|Host:” from the captured packets.

[root@localhost sunft]# tcpdump -i ens33 -s0 -vnl |egrep -i "POST /|GET /|Host:"
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
	GET /success.txt HTTP/1.1
	Host: detectportal.firefox.com
	POST /gsorganizationvalsha2g2 HTTP/1.1
	Host: ocsp2.globalsign.com
^C141 packets captured
141 packets received by filter
0 packets dropped by kernel

8. Extracting password fields from HTTP requests

The following example prints the lines matching “POST /|pwd=|passwd=|password=|Host:” from the captured packets. Two sites were tried; no password-related data was captured, only POST / and Host: lines.

[root@localhost sunft]# tcpdump -i ens33 -s0 -Anl |egrep -i "POST /|pwd=|passwd=|password=|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:21:15.665274 IP 192.168.248.134.43313 > 203.208.40.56.http: Flags [P.], seq 1:456, ack 1, win 29200, length 455: HTTP: POST /gts1o1 HTTP/1.1
E.....@.@.........(8.1.P.. x;M:.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
21:21:15.668271 IP 192.168.248.134.43315 > 203.208.40.56.http: Flags [P.], seq 1:455, ack 1, win 29200, length 454: HTTP: POST /gts1o1 HTTP/1.1
E...I.@[email protected].......(8.3.P....3.e.P.r.....POST /gts1o1 HTTP/1.1
Host: ocsp.pki.goog
Host: www.lagou.com
^C1387 packets captured
1387 packets received by filter
0 packets dropped by kernel

9. Capturing cookies

The following example filters out the lines containing cookies; the Host field has been redacted.

[root@localhost sunft]# tcpdump -i ens33 -s0 -Al |egrep -i "Set-Cookie|Host:|Cookie:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: www.xxxxxxx.com
Cookie: PHPSESSID=c3h8rr3p53840hes7jnokqpkm7; UM_distinctid=16e461159b850d-0158e82f770eed8-38694646-ae786-16e461159b93ed; CNZZDATA1274340067=1698433595-1573133535-%7C1573133535
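The egrep pipelines in sections 5 to 9 print whatever cleartext HTTP headers cross the wire, including session cookies and form passwords. As an added example (not from the original post), the following awk-based filter, fed with a constructed sample in the same tcpdump -A line format, extracts the request line and the Host, User-Agent and Cookie headers and masks cookie and password values, so an analyst can confirm that credentials travel unencrypted without copying the secrets into the report; the sample host, cookie and credentials are invented.

```shell
#!/bin/sh
# Added example (not from the original post): post-process "tcpdump -A" output
# so cleartext HTTP requests can be reviewed without logging the secrets.

extract_http() {
    # Reads tcpdump -A text on stdin and prints, per request:
    #   the request line (often glued to the packet bytes, so it is searched
    #   anywhere in the line rather than only at line start),
    #   Host: and User-Agent: headers unchanged,
    #   Cookie:/Set-Cookie: headers with the value masked,
    #   form bodies with pwd=/passwd=/password= values masked.
    awk '
    /^[0-9][0-9]:[0-9][0-9]:[0-9.]+ IP6? / { next }   # skip packet summary lines
    match($0, /(GET|POST) \/[^ ]* HTTP\/1\.[01]/) {
        print substr($0, RSTART, RLENGTH); next
    }
    /^(Host|User-Agent): / { print; next }
    /^(Set-)?Cookie: / { sub(/: .*/, ": <redacted>"); print; next }
    /[Pp](wd|asswd|assword)=/ {
        rest = $0; out = ""
        while (match(rest, /[Pp](wd|asswd|assword)=[^& ]*/)) {
            name = substr(rest, RSTART, RLENGTH); sub(/=.*/, "", name)
            out = out substr(rest, 1, RSTART - 1) name "=<redacted>"
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}

# Constructed sample in the tcpdump -A line format (not a real capture);
# the host, cookie and credentials are invented.
sample_capture() {
    cat <<'EOF'
21:21:15.665274 IP 192.168.248.134.43313 > 203.0.113.10.80: Flags [P.], seq 1:456, ack 1, win 29200, length 455: HTTP: POST /login HTTP/1.1
E.....@.@.........(8.1.P.. x;M:.P.r.....POST /login HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Cookie: PHPSESSID=c3h8rr3p53840hes7jnokqpkm7
Content-Type: application/x-www-form-urlencoded

user=alice&password=hunter2&login=1
EOF
}

sample_capture | extract_http
```

On a live interface use it as `tcpdump -i ens33 -s0 -Anl | extract_http`; -l keeps tcpdump's stdout line-buffered so the pipe receives each line promptly.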

10. Capturing ICMP packets not generated by ping

The following example captures ICMP packets that were not produced by the ping command; such packets can be generated with the traceroute command.

[root@localhost sunft]# tcpdump -nni ens33 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:41:26.959040 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959049 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68
21:41:26.959050 IP 192.168.248.2 > 192.168.248.134: ICMP time exceeded in-transit, length 68

References

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
https://www.thegeekdiary.com/18-practical-tcpdump-command-examples-a-network-sniffer-tool-primer/
https://hackertarget.com/tcpdump-examples/

