Capturing packets with tcpdump filter expressions (basics)

Introduction

This is the third article in the series on network protocols.

The previous two articles covered the most basic usage of tcpdump and tshark. This article was originally going to be a translation of the official tcpdump documentation, but a translation already exists online, and its author has explained the harder parts (while skipping some sections).

tcpdump is in fact quite complex and calls for a thorough and detailed understanding of network protocols; if you are interested, see the official tcpdump documentation.

This article looks at packet capture from the angle of specifying a filter expression, and shares some basic filter expressions. I originally planned to cover everything in one post, but after some googling I found many more practical commands, so it is split into several posts.

Commonly used tcpdump options

  • -n Do not resolve IP addresses to names.
  • -nn Do not resolve IP addresses or port numbers to names.
  • -i Specify the network interface to capture on.
  • -w Write the packets to the given file; the file is created if it does not exist and overwritten if it does.
  • -f Specify the filter expression, for example which port or which protocol to capture.
  • -r Read packets from the given capture file.
  • -F Read the filter expression from the given file.
  • -D List all interfaces on which tcpdump can capture.
  • -c Stop after capturing or reading the given number of packets; the number follows -c directly.
  • -l View the packet contents while they are also being saved to a file during capture.
  • -t Do not print timestamps.
  • -tt Print timestamps in seconds.
  • -ttt Print timestamps with microsecond or nanosecond resolution, depending on the --time-stamp-precision option.
  • -s Specify how many bytes of each packet to capture.
  • -S Print absolute TCP sequence numbers instead of relative ones.
  • -v/-vv/-vvv Print verbose output; the more v's, the more detail.

These are the commonly used options; for the rest, see the official tcpdump documentation. Below is a basic introduction to capturing with filter expressions.

Command overview

The main commands covered in this post:

# TCP, destination or source port 80
tcpdump -nni ens33 -w packets.pcap 'tcp port 80'
# TCP, destination port 80
tcpdump -nni ens33 -w packets.pcap 'tcp dst port 80' -c10
# TCP, source port 80
tcpdump -nni ens33 -w packets.pcap 'tcp src port 80' -c10
# read the TCP packets with destination port 80 from a file
tcpdump -nnr packets.pcap 'tcp dst port 80' -c10
# copy the packets with destination port 443 from packets.pcap into dst_port_443.pcap
tcpdump -r packets.pcap 'dst port 443' -w dst_port_443.pcap
# IP address 14.215.177.39 (as source or destination)
tcpdump -nni ens33 host 14.215.177.39 -c5
# source IP address 192.168.248.134
tcpdump -nni ens33 src 192.168.248.134 -c5
# destination IP address 192.168.248.134
tcpdump -nni ens33 dst 192.168.248.134 -c5
# traffic to or from network 192.168.248.0/24
tcpdump -nni ens33 net 192.168.248.0/24 -c5

Practical commands

1. Testing the -D option

According to the official documentation, the -D option lists all interfaces on the system that tcpdump can capture on.

Test on a virtual machine:

[sunft@localhost ~]$ tcpdump -D
1.bluetooth0 (Bluetooth adapter number 0)
[sunft@localhost ~]$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::176e:36f2:18ab:c561  prefixlen 64  scopeid 0x20<link>
        inet6 fd15:4ba5:5a2b:1008:c7f1:b0a6:ecf:6bfc  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:59:4f:1a  txqueuelen 1000  (Ethernet)
        RX packets 77  bytes 11417 (11.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 2598 (2.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 880  bytes 95324 (93.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 880  bytes 95324 (93.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:2b:fd:d5  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Test on a regular Linux machine:

[root@localhost ~]# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.any (Pseudo-device that captures on all interfaces)
7.lo

Note:
I am not sure whether it is due to the virtual machine or the tcpdump version, but on the VM the -D option did not correctly list all of the available interfaces, whereas ifconfig listed them correctly.

When enumerating the available interfaces, I do not recommend using tcpdump -D; use ifconfig or another command instead.

One thing worth checking before reaching that conclusion: the VM listing above was taken from an unprivileged shell (the sunft@ prompt), while the second listing was run as root. The pcap_findalldevs(3PCAP) man page notes that interfaces the calling process is not allowed to open for capturing are left off the list, so tcpdump -D run without capture privileges reports fewer interfaces than actually exist.

2. Capturing TCP packets with destination or source port 80

Example:

[sunft@localhost ~]$ sudo su
[sudo] sunft 的密碼:
[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap 'tcp port 80'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C38 packets captured
38 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nnr packets.pcap 'tcp port 80'
reading from file packets.pcap, link-type EN10MB (Ethernet)
22:48:31.279240 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [.], ack 1, win 29200, length 0
22:48:31.279847 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [P.], seq 1:475, ack 1, win 29200, length 474: HTTP: POST /gsorganizationvalsha2g2 HTTP/1.1
22:48:31.280100 IP 220.113.153.226.80 > 192.168.248.134.27388: Flags [.], ack 475, win 64240, length 0
22:48:31.289409 IP 220.113.153.226.80 > 192.168.248.134.27388: Flags [P.], seq 1:2396, ack 475, win 64240, length 2395: HTTP: HTTP/1.1 200 OK
22:48:31.289468 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [.], ack 2396, win 33580, length 0

Note:
Viewing the capture with -nn (no IP or port name resolution) shows that every packet whose destination or source port is 80 was captured. The filter tcp port 80 successfully selects packets with source or destination port 80.

3. Capturing TCP packets with destination port 80

Capture example:
The following example captures 10 TCP packets with destination port 80.

[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap 'tcp dst port 80' -c10
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]#

Viewing the packets:
All of the captured packets have destination port 80.

[root@localhost sunft]# tcpdump -nnr packets.pcap -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
20:39:38.812620 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [S], seq 836057363, win 29200, options [mss 1460,sackOK,TS val 758517 ecr 0,nop,wscale 7], length 0
20:39:39.815643 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [S], seq 836057363, win 29200, options [mss 1460,sackOK,TS val 759520 ecr 0,nop,wscale 7], length 0
20:39:41.396900 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [S], seq 789975658, win 29200, options [mss 1460,sackOK,TS val 761101 ecr 0,nop,wscale 7], length 0
20:39:41.747555 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [.], ack 112293494, win 29200, length 0
20:39:41.748260 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [P.], seq 0:452, ack 1, win 29200, length 452: HTTP: POST / HTTP/1.1
20:39:41.819023 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [S], seq 836057363, win 29200, options [mss 1460,sackOK,TS val 761524 ecr 0,nop,wscale 7], length 0
20:39:42.099281 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [.], ack 789, win 30732, length 0
20:39:42.109830 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [.], ack 1202536503, win 29200, length 0
20:39:44.941099 IP 192.168.248.134.49332 > 165.254.12.155.80: Flags [.], ack 28728514, win 30016, length 0
20:39:47.517209 IP 192.168.248.134.37085 > 220.112.25.174.80: Flags [S], seq 1491139573, win 29200, options [mss 1460,sackOK,TS val 767222 ecr 0,nop,wscale 7], length 0

Note:
The -nn option is added to prevent IP and port name resolution. The filter tcp dst port 80 successfully selects packets with destination port 80.

4. Capturing TCP packets with source port 80

Capture example:
The following command captures TCP packets with source port 80.

[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap 'tcp src port 80' -c10
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]#

Viewing the packets:
Read the 10 captured packets from the file.

[root@localhost sunft]# tcpdump -nnr packets.pcap -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
20:51:05.095148 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [.], ack 507444410, win 64240, length 0
20:51:15.111341 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [.], ack 1, win 64240, length 0
20:51:21.980979 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [.], ack 2, win 64239, length 0
20:51:22.143865 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [FP.], seq 0, ack 2, win 64239, length 0
20:51:31.677000 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [S.], seq 1805472846, ack 2399145023, win 64240, options [mss 1460], length 0
20:51:31.677512 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [.], ack 310, win 64240, length 0
20:51:31.846389 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [P.], seq 1:385, ack 310, win 64240, length 384: HTTP: HTTP/1.1 200 OK
20:51:41.846372 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [.], ack 310, win 64240, length 0
20:51:43.273446 IP 220.112.25.166.80 > 192.168.248.134.43856: Flags [S.], seq 1223842208, ack 1039673498, win 64240, options [mss 1460], length 0
20:51:43.276670 IP 220.112.25.166.80 > 192.168.248.134.43856: Flags [.], ack 475, win 64240, length 0

Note:
-nn disables IP and port name resolution; -c sets how many packets to read. The filter tcp src port 80 successfully selects TCP packets with source port 80.
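As an added example (my own code, not from the original post), here is a small Python parser for the tcpdump -nn output lines shown in sections 2 to 4, together with a checker that verifies whether a capture really satisfies the port filter it was supposedly taken with. The sample lines are copied from the outputs above (sections 2, 4 and 9); the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One IPv4 line as printed by "tcpdump -nn" (numeric hosts and ports):
#   HH:MM:SS.usec IP src.sport > dst.dport: <rest of the decode>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")   # only TCP lines carry this


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp: bool      # True when the line has a TCP "Flags [...]" field
    flags: str     # e.g. "S", "S.", "P.", "FP."; empty for non-TCP lines


def parse_line(line: str) -> Optional[Packet]:
    """Parse one output line; ARP, IPv6 and the trailing summary lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fm = FLAGS_RE.search(m["rest"])
    return Packet(ts=m["ts"], src=m["src"], sport=int(m["sport"]),
                  dst=m["dst"], dport=int(m["dport"]),
                  tcp=fm is not None, flags=fm["flags"] if fm else "")


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def port_matches(pkt: Packet, port: int, direction: Optional[str] = None) -> bool:
    """Same semantics as the BPF primitives 'port N', 'src port N', 'dst port N'."""
    if direction == "src":
        return pkt.sport == port
    if direction == "dst":
        return pkt.dport == port
    return port in (pkt.sport, pkt.dport)


def check_filter(text: str, port: int, direction: Optional[str] = None,
                 tcp_only: bool = True):
    """Return (matching, total): how many parsed IPv4 lines satisfy the filter
    the capture was supposedly taken with. Equal numbers mean the filter held."""
    pkts = parse_capture(text)
    hits = sum(1 for p in pkts
               if (p.tcp or not tcp_only) and port_matches(p, port, direction))
    return hits, len(pkts)


# Sample lines copied from the outputs in sections 2, 4 and 9 of the post.
SECTION2 = """\
22:48:31.279240 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [.], ack 1, win 29200, length 0
22:48:31.279847 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [P.], seq 1:475, ack 1, win 29200, length 474: HTTP: POST /gsorganizationvalsha2g2 HTTP/1.1
22:48:31.280100 IP 220.113.153.226.80 > 192.168.248.134.27388: Flags [.], ack 475, win 64240, length 0
22:48:31.289409 IP 220.113.153.226.80 > 192.168.248.134.27388: Flags [P.], seq 1:2396, ack 475, win 64240, length 2395: HTTP: HTTP/1.1 200 OK
22:48:31.289468 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [.], ack 2396, win 33580, length 0
"""
SECTION4 = """\
20:51:05.095148 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [.], ack 507444410, win 64240, length 0
20:51:22.143865 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [FP.], seq 0, ack 2, win 64239, length 0
20:51:31.677000 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [S.], seq 1805472846, ack 2399145023, win 64240, options [mss 1460], length 0
"""
SECTION9 = """\
20:14:13.895487 IP 192.168.248.134.52680 > 192.168.248.2.53: 22205+ A? www.baidu.com. (31)
20:14:13.897900 ARP, Reply 192.168.248.134 is-at 00:0c:29:59:4f:1a, length 28
"""

if __name__ == "__main__":
    print("section 2, port 80:", check_filter(SECTION2, 80))                          # (5, 5)
    print("section 2, dst port 80:", check_filter(SECTION2, 80, "dst"))               # (3, 5)
    print("section 4, src port 80:", check_filter(SECTION4, 80, "src"))               # (3, 3)
    print("section 9, dst port 53:", check_filter(SECTION9, 53, "dst", tcp_only=False))  # (1, 1)
```

The (3, 5) result for section 2 makes the difference between tcp port 80 and tcp dst port 80 concrete: the two server-to-client lines carry 80 as the source port, so a dst port filter would have dropped them. The ARP line in the section 9 sample is skipped by the parser, which mirrors how a port primitive never matches a frame without an IP header.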

5. Reading only the TCP packets with destination port 80 from a file

Capture and view:
The following commands capture 10 arbitrary packets into a file, then read from the file only the TCP packets with destination port 80; a single packet satisfies the condition, so only that one is shown.

[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap -c10
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nnr packets.pcap 'tcp dst port 80' -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
21:05:03.623261 IP 192.168.248.134.38016 > 117.18.237.29.80: Flags [.], ack 624257373, win 30732, length 0
[root@localhost sunft]# 

Note:
To read only some of the packets in a file, simply add the filter condition after the file name.

6. Copying packets from file A to file B according to a filter condition

Capture and copy:
The following commands take the 100 captured packets and copy those matching the filter expression into another file.

[root@localhost sunft]# tcpdump -nnr packets.pcap -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
21:17:08.039040 IP 192.168.248.134.37212 > 14.215.177.39.443: Flags [.], ack 525957243, win 32160, length 0
21:17:08.039373 IP 192.168.248.134.37216 > 14.215.177.39.443: Flags [.], ack 1060448734, win 33232, length 0
21:17:08.039803 IP 14.215.177.39.443 > 192.168.248.134.37212: Flags [.], ack 1, win 64240, length 0
21:17:08.039852 IP 14.215.177.39.443 > 192.168.248.134.37216: Flags [.], ack 1, win 64240, length 0
21:17:08.393662 IP 211.162.160.32.443 > 192.168.248.134.51977: Flags [FP.], seq 1872316417:1872316478, ack 1631945767, win 64240, length 61
21:17:08.394213 IP 192.168.248.134.51977 > 211.162.160.32.443: Flags [P.], seq 1:39, ack 62, win 55047, length 38
[root@localhost sunft]# tcpdump -r packets.pcap 'dst port 443' -w dst_port_443.pcap 
reading from file packets.pcap, link-type EN10MB (Ethernet)
[root@localhost sunft]# tcpdump -nnr dst_port_443.pcap -c10
reading from file dst_port_443.pcap, link-type EN10MB (Ethernet)
21:17:08.039040 IP 192.168.248.134.37212 > 14.215.177.39.443: Flags [.], ack 525957243, win 32160, length 0
21:17:08.039373 IP 192.168.248.134.37216 > 14.215.177.39.443: Flags [.], ack 1060448734, win 33232, length 0
21:17:08.394213 IP 192.168.248.134.51977 > 211.162.160.32.443: Flags [P.], seq 1631945767:1631945805, ack 1872316479, win 55047, length 38

Note:
Step 1: read ten packets from packets.pcap; only 6 packets are shown here, three of which have destination port 443.
Step 2: copy the packets in packets.pcap with destination port 443 into dst_port_443.pcap.
Step 3: view dst_port_443.pcap; the three packets were successfully saved to it.

7. Filtering packets with an expression stored in a file

Capture and display:
The following command uses filter_expression.bpf as the filter condition to capture the desired packets and prints them directly; the -F option specifies the filter file.

[root@localhost sunft]# cat filter_expression.bpf 
tcp dst port 80
[root@localhost sunft]# tcpdump -nni ens33 -F filter_expression.bpf -c10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:30:41.821353 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [S], seq 1111993261, win 29200, options [mss 1460,sackOK,TS val 3821526 ecr 0,nop,wscale 7], length 0
21:30:42.008404 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [.], ack 475426640, win 29200, length 0
21:30:42.016472 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [P.], seq 0:309, ack 1, win 29200, length 309: HTTP: GET /success.txt HTTP/1.1
21:30:42.211435 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [.], ack 385, win 30016, length 0
21:30:48.924176 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [P.], seq 309:618, ack 385, win 30016, length 309: HTTP: GET /success.txt HTTP/1.1
21:30:49.122952 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [.], ack 769, win 31088, length 0
21:30:50.098251 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [S], seq 2787419036, win 29200, options [mss 1460,sackOK,TS val 3829803 ecr 0,nop,wscale 7], length 0
21:30:50.107668 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [.], ack 752690187, win 29200, length 0
21:30:50.107858 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [P.], seq 0:474, ack 1, win 29200, length 474: HTTP: POST /gsorganizationvalsha2g2 HTTP/1.1
21:30:50.117926 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [.], ack 1351, win 31050, length 0
10 packets captured
11 packets received by filter
0 packets dropped by kernel

Note: this approach suits keeping the expression in a file for long-term maintenance.

8. Specifying an IP address

Capture and display:
Use host 14.215.177.39 directly to specify the IP as either the source or the destination address.

[root@localhost sunft]# ping www.baidu.com
PING www.baidu.com (14.215.177.39) 56(84) bytes of data.
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=1 ttl=128 time=66.9 ms
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=2 ttl=128 time=26.3 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2137ms
rtt min/avg/max/mdev = 26.348/46.626/66.904/20.278 ms
[root@localhost sunft]# tcpdump -nni ens33 host 14.215.177.39 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:03:08.969223 IP 192.168.248.134.21763 > 14.215.177.39.443: Flags [.], ack 1691733121, win 65280, length 0
20:03:08.969621 IP 14.215.177.39.443 > 192.168.248.134.21763: Flags [.], ack 1, win 64240, length 0
20:03:15.879297 IP 192.168.248.134.21763 > 14.215.177.39.443: Flags [P.], seq 1:586, ack 1, win 65280, length 585
20:03:15.880188 IP 14.215.177.39.443 > 192.168.248.134.21763: Flags [.], ack 586, win 64240, length 0
20:03:15.890951 IP 14.215.177.39.443 > 192.168.248.134.21763: Flags [P.], seq 1:1281, ack 586, win 64240, length 1280
5 packets captured
8 packets received by filter
0 packets dropped by kernel

Note:
The example above first uses ping to obtain Baidu's IP address, then captures 5 packets whose source or destination address is Baidu's.

9. Specifying a destination or source IP

Capture and display:
Use src to specify the source IP address and dst to specify the destination IP.

[root@localhost sunft]# ip addr
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:59:4f:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.248.134/24 brd 192.168.248.255 scope global dynamic ens33
       valid_lft 1754sec preferred_lft 1754sec
    inet6 fd15:4ba5:5a2b:1008:c7f1:b0a6:ecf:6bfc/64 scope global noprefixroute dynamic 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::176e:36f2:18ab:c561/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:14:13.895487 IP 192.168.248.134.52680 > 192.168.248.2.53: 22205+ A? www.baidu.com. (31)
20:14:13.895558 IP 192.168.248.134.52680 > 192.168.248.2.53: 35528+ AAAA? www.baidu.com. (31)
20:14:13.896441 IP 192.168.248.134.42015 > 192.168.248.2.53: 23907+ A? www.baidu.com. (31)
20:14:13.897900 ARP, Reply 192.168.248.134 is-at 00:0c:29:59:4f:1a, length 28
20:14:13.899295 IP 192.168.248.134.55591 > 192.168.248.2.53: 41364+ A? ss1.bdstatic.com. (34)
5 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nni ens33 dst 192.168.248.134 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:18:43.765068 IP 192.168.248.2.53 > 192.168.248.134.38489: 9711 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
20:18:43.765107 IP 192.168.248.2.53 > 192.168.248.134.32978: 50234 1/0/0 A 211.162.160.32 (50)
20:18:43.765113 IP 192.168.248.2.53 > 192.168.248.134.28416: 65248 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
20:18:43.767445 IP 192.168.248.2.53 > 192.168.248.134.32978: 59201 1/1/0 CNAME sslbdstatic.jomodns.com. (131)
20:18:43.770868 IP 192.168.248.2.53 > 192.168.248.134.38489: 764 1/1/0 CNAME www.a.shifen.com. (115)
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Note:
Here ip addr is first used to get the local IP; then src is used to capture and display 5 packets with that source IP, and finally dst is used to capture and display 5 packets with that destination IP.

10. Capturing packets to or from a given network

Capture and display:
Use net to specify the network.

[root@localhost sunft]# tcpdump -nni ens33 net 192.168.248.0/24 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:29:40.259370 IP 192.168.248.134.23009 > 139.199.214.202.123: NTPv4, Client, length 48
20:29:40.276068 ARP, Request who-has 192.168.248.134 tell 192.168.248.2, length 46
20:29:40.276130 ARP, Reply 192.168.248.134 is-at 00:0c:29:59:4f:1a, length 28
20:29:40.276643 IP 139.199.214.202.123 > 192.168.248.134.23009: NTPv4, Server, length 48
20:29:52.825828 IP 192.168.248.134.37367 > 192.168.248.2.53: 4384+ A? www.baidu.com. (31)
5 packets captured
6 packets received by filter
0 packets dropped by kernel

Note:
The command above uses net to specify the network, and captures and displays 5 packets.
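The following added example (my own code, not from the post and not tcpdump's implementation) re-creates in pure Python what sections 6, 8, 9 and 10 do with tcpdump: it reads a pcap file, evaluates the filter primitives used on this page (tcp/udp, host, src, dst, net, port, src port, dst port), and writes the matching records to a new pcap, i.e. the equivalent of tcpdump -r A.pcap 'expr' -w B.pcap. The capture is constructed inside the script (modelled on the section 6 output, plus a DNS query and an ARP frame to show what the filters ignore); the function names, the second MAC address and the pcap field layout constants are my assumptions. It goes slightly beyond the page by allowing primitives to be joined with and.

```python
import ipaddress
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC = struct.Struct("<IIII")     # per record: ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4               # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1                 # tcpdump prints this as "link-type EN10MB (Ethernet)"
PROTO = {"tcp": 6, "udp": 17}
MAC_VM = bytes.fromhex("000c29594f1a")  # ens33 MAC shown in the post
MAC_GW = bytes.fromhex("020000000001")  # constructed, locally administered address

def build_frame(src, dst, sport, dport, proto="tcp", payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for the sample capture.
    Checksums stay zero: none of the filters on this page look at them."""
    if proto == "tcp":  # sport, dport, seq, ack, offset 5, PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 29200, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, PROTO[proto], 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return MAC_GW + MAC_VM + b"\x08\x00" + ip + l4

def decode(frame):
    """Fields the filters need; non-IPv4 frames (ARP, IPv6) give None and never match."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto, l4 = frame[23], frame[14 + ihl:]
    sport = dport = None
    if proto in PROTO.values() and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": ipaddress.IPv4Address(frame[26:30]), "dst": ipaddress.IPv4Address(frame[30:34]),
            "proto": proto, "sport": sport, "dport": dport}

def _term(pkt, toks):
    """One primitive: [tcp|udp] [src|dst] [host|port|net] value, or a bare address/CIDR."""
    if toks[0] in PROTO:                      # protocol qualifier
        if pkt["proto"] != PROTO[toks[0]]:
            return False
        toks = toks[1:]
    if not toks:                              # the term was just "tcp" or "udp"
        return True
    direction = None
    if toks[0] in ("src", "dst"):             # direction qualifier
        direction, toks = toks[0], toks[1:]
    if toks[0] in ("host", "port", "net"):    # explicit type qualifier
        kind, value = toks[0], toks[1]
    else:                                     # bare value, as in "src 192.168.248.134"
        value, kind = toks[0], ("net" if "/" in toks[0] else "host")
    pair = [pkt["sport"], pkt["dport"]] if kind == "port" else [pkt["src"], pkt["dst"]]
    cand = {"src": pair[:1], "dst": pair[1:]}.get(direction, pair)
    if kind == "port":
        return int(value) in cand
    if kind == "net":
        return any(a in ipaddress.ip_network(value, strict=False) for a in cand)
    return ipaddress.IPv4Address(value) in cand

def matches(frame, expr):
    """Evaluate primitives joined by 'and' (no 'or', 'not' or parentheses)."""
    pkt = decode(frame)
    return pkt is not None and all(_term(pkt, t.split()) for t in expr.split(" and "))

def write_pcap(records):
    out = [PCAP_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(PCAP_REC.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    magic, _, _, _, _, _, linktype = PCAP_HDR.unpack_from(data, 0)
    if magic != MAGIC_USEC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian, microsecond, Ethernet pcaps are handled here")
    records, off = [], PCAP_HDR.size
    while off + PCAP_REC.size <= len(data):
        sec, usec, incl, _ = PCAP_REC.unpack_from(data, off)
        off += PCAP_REC.size
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return records

def filter_pcap(data, expr):
    """Equivalent of: tcpdump -r A.pcap 'expr' -w B.pcap"""
    return write_pcap([r for r in read_pcap(data) if matches(r[2], expr)])

# Constructed capture modelled on the section 6 output: two TCP exchanges on 443,
# one DNS query over UDP, and one ARP request (which has no IP header at all).
SAMPLE = write_pcap([
    (1, 0, build_frame("192.168.248.134", "14.215.177.39", 37212, 443)),
    (1, 10, build_frame("14.215.177.39", "192.168.248.134", 443, 37212)),
    (1, 20, build_frame("192.168.248.134", "211.162.160.32", 51977, 443)),
    (1, 30, build_frame("211.162.160.32", "192.168.248.134", 443, 51977)),
    (1, 40, build_frame("192.168.248.134", "192.168.248.2", 52680, 53, "udp")),
    (1, 50, b"\xff" * 6 + MAC_VM + b"\x08\x06" + b"\x00" * 28),
])

def count(expr, data=SAMPLE):
    """Records that survive 'expr', read back from the filtered file (as in step 3)."""
    return len(read_pcap(filter_pcap(data, expr)))
```

Calling count("dst port 443") gives 2 and count("net 192.168.248.0/24") gives 5: the net primitive matches when either address falls in the prefix, which is why the section 10 output shows packets in both directions, while the ARP frame is excluded by every primitive because decode() finds no IPv4 header. The bytes returned by filter_pcap() are a valid pcap file and can be written to disk and opened with tcpdump -nnr for comparison.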

References

https://www.tcpdump.org/manpages/tcpdump.1.html
https://www.thegeekdiary.com/examples-of-using-tcpdump-command-for-network-troubleshooting/
Practical Packet Analysis, 3rd edition
