tcpdump使用过滤条件抓包(基础篇)

引言

这是有关网络协议的第三篇文章。

前两篇文章分享了tcpdump和tshark最基本的用法。这篇文章原本是想翻译tcpdump官方文档,但是网上已经有了现成的翻译版本,作者已经对比较难懂的部分做了说明,当然作者也有略过一部分的说明。

Tcpdump实际上非常复杂,需要对网络协议有全面又细致的掌握,有兴趣可以参考tcpdump官方文档

这篇文章主要从指定过滤条件表达式捕获包的角度去分享一些基本的过滤条件表达式。原本想一篇博客写完,google了一番之后,发现还有很多比较实用的命令,所以分开写。

tcpdump常用选项介绍

  • -n 禁止IP名称解析。
  • -nn 禁止IP和端口名称解析。
  • -i 指定捕获哪个网卡的网络数据包。
  • -w 指定将包写入哪个文件,如果文件不存在则创建该文件;如果存在则覆盖其内容。
  • -f 指定过滤表达式,例如指定捕获哪个端口,哪个协议等。
  • -r 指定从哪个文件读取网络数据包文件。
  • -F 指定使用哪个文件的过滤表达式抓包。
  • -D 列出所有可以使用tcpdump抓包的网卡。
  • -c 指定捕获或者读取包的个数,-c后面直接接数字即可。
  • -l 抓包时保存到文件的同时查看包的内容。
  • -t 不打印时间戳。
  • -tt 秒级时间戳。
  • -ttt 打印时间戳到微秒或者纳秒,取决于 –time-stamp-precision option 选项。
  • -s 指定每个包捕获的字节数。
  • -S 打印绝对的tcp序列号,而不是相对的序列号。
  • -v/-vv/-vvv 打印详细信息,v的个数越多, 打印内容越详细。

上面是常用的选项,更多的选项请参考tcpdump官方文档,下面将对使用过滤条件抓包进行基本的介绍。

命令概览

这篇博客要分享的主要命令如下:

#协议为tcp,目标端口或源端口为80
tcpdump -nni ens33 -w packets.pcap 'tcp port 80'
#协议为tcp,目标端口为80
tcpdump -nni ens33 -w packets.pcap 'tcp dst port 80' -c10
#协议类型为tcp,源端口为80
tcpdump -nni ens33 -w packets.pcap 'tcp src port 80' -c10
#读取文件中协议类型为tcp,目标端口为80的包
tcpdump -nnr packets.pcap 'tcp dst port 80' -c10
#将packets.pcap文件中目标端口为443的包转存到dst_port_443.pcap中
tcpdump -r packets.pcap 'dst port 443' -w dst_port_443.pcap 
#指定IP地址为14.215.177.39
tcpdump -nni ens33 host 14.215.177.39 -c5
#源IP地址为192.168.248.134
tcpdump -nni ens33 src 192.168.248.134 -c5
#目标IP地址为192.168.248.134
tcpdump -nni ens33 dst 192.168.248.134 -c5
#通往网络192.168.248.0/24
tcpdump -nni ens33 net 192.168.248.0/24 -c5

实用命令

1. 测试-D选项

根据官方文档的说明,-D选项用于列出系统中所有tcpdump可以进行抓包的网卡。

虚拟机测试代码:

[sunft@localhost ~]$ tcpdump -D
1.bluetooth0 (Bluetooth adapter number 0)
[sunft@localhost ~]$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::176e:36f2:18ab:c561  prefixlen 64  scopeid 0x20<link>
        inet6 fd15:4ba5:5a2b:1008:c7f1:b0a6:ecf:6bfc  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:59:4f:1a  txqueuelen 1000  (Ethernet)
        RX packets 77  bytes 11417 (11.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 2598 (2.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 880  bytes 95324 (93.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 880  bytes 95324 (93.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:2b:fd:d5  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

普通Linux机器测试代码:

[root@localhost ~]# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.any (Pseudo-device that captures on all interfaces)
7.lo

说明:
不知道是因为虚拟机的原因还是版本的原因,在虚拟机上 -D 选项并未正确列举出所有可用的网卡,而 ifconfig 则正确列出了可用的网卡。

在列举所有的可用网卡时不建议使用tcpdump -D这种方式,建议使用ifconfig或者其他命令列举出网卡。

2. 捕获协议类型为tcp,目标端口或者源端口为80的包

代码示例:

[sunft@localhost ~]$ sudo su
[sudo] sunft 的密码:
[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap 'tcp port 80'
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C38 packets captured
38 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nnr packets.pcap 'tcp port 80'
reading from file packets.pcap, link-type EN10MB (Ethernet)
22:48:31.279240 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [.], ack 1, win 29200, length 0
22:48:31.279847 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [P.], seq 1:475, ack 1, win 29200, length 474: HTTP: POST /gsorganizationvalsha2g2 HTTP/1.1
22:48:31.280100 IP 220.113.153.226.80 > 192.168.248.134.27388: Flags [.], ack 475, win 64240, length 0
22:48:31.289409 IP 220.113.153.226.80 > 192.168.248.134.27388: Flags [P.], seq 1:2396, ack 475, win 64240, length 2395: HTTP: HTTP/1.1 200 OK
22:48:31.289468 IP 192.168.248.134.27388 > 220.113.153.226.80: Flags [.], ack 2396, win 33580, length 0

说明:
上述包中,使用 -n 禁止IP和端口解析后查看包,发现目标端口或者源端口为80的包都被抓到了。使用tcp port 80命令可以成功过滤源端口或者目标端口为80的包。

3. 捕获协议为tcp目标端口为80的包

捕获包示例:
下面的例子捕获10个协议为tcp目标端口为80包

[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap 'tcp dst port 80' -c10
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]#

查看包:
可以看到,捕获到的所有包的目标端口都是80

[root@localhost sunft]# tcpdump -nnr packets.pcap -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
20:39:38.812620 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [S], seq 836057363, win 29200, options [mss 1460,sackOK,TS val 758517 ecr 0,nop,wscale 7], length 0
20:39:39.815643 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [S], seq 836057363, win 29200, options [mss 1460,sackOK,TS val 759520 ecr 0,nop,wscale 7], length 0
20:39:41.396900 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [S], seq 789975658, win 29200, options [mss 1460,sackOK,TS val 761101 ecr 0,nop,wscale 7], length 0
20:39:41.747555 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [.], ack 112293494, win 29200, length 0
20:39:41.748260 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [P.], seq 0:452, ack 1, win 29200, length 452: HTTP: POST / HTTP/1.1
20:39:41.819023 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [S], seq 836057363, win 29200, options [mss 1460,sackOK,TS val 761524 ecr 0,nop,wscale 7], length 0
20:39:42.099281 IP 192.168.248.134.36626 > 117.18.237.29.80: Flags [.], ack 789, win 30732, length 0
20:39:42.109830 IP 192.168.248.134.36614 > 117.18.237.29.80: Flags [.], ack 1202536503, win 29200, length 0
20:39:44.941099 IP 192.168.248.134.49332 > 165.254.12.155.80: Flags [.], ack 28728514, win 30016, length 0
20:39:47.517209 IP 192.168.248.134.37085 > 220.112.25.174.80: Flags [S], seq 1491139573, win 29200, options [mss 1460,sackOK,TS val 767222 ecr 0,nop,wscale 7], length 0

说明:
加上 -nn参数目的是防止IP和端口名称解析。使用tcp dst port 80命令可以成功过滤目标端口为80的包。

4. 捕获协议为tcp源端口为80的包

捕获包示例:
下面的命令捕获协议类型为tcp,源端口为80的包

[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap 'tcp src port 80' -c10
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]#

查看包:
读取文件中抓到的10个包

[root@localhost sunft]# tcpdump -nnr packets.pcap -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
20:51:05.095148 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [.], ack 507444410, win 64240, length 0
20:51:15.111341 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [.], ack 1, win 64240, length 0
20:51:21.980979 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [.], ack 2, win 64239, length 0
20:51:22.143865 IP 165.254.12.145.80 > 192.168.248.134.33571: Flags [FP.], seq 0, ack 2, win 64239, length 0
20:51:31.677000 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [S.], seq 1805472846, ack 2399145023, win 64240, options [mss 1460], length 0
20:51:31.677512 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [.], ack 310, win 64240, length 0
20:51:31.846389 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [P.], seq 1:385, ack 310, win 64240, length 384: HTTP: HTTP/1.1 200 OK
20:51:41.846372 IP 165.254.12.155.80 > 192.168.248.134.50018: Flags [.], ack 310, win 64240, length 0
20:51:43.273446 IP 220.112.25.166.80 > 192.168.248.134.43856: Flags [S.], seq 1223842208, ack 1039673498, win 64240, options [mss 1460], length 0
20:51:43.276670 IP 220.112.25.166.80 > 192.168.248.134.43856: Flags [.], ack 475, win 64240, length 0

说明:
-nn 用于禁止IP和名称解析,-c用于指定读取多少个包。使用tcp src port 80命令可以成功过滤协议类型为tcp,源端口为80的包。

5. 只读取文件中协议为tcp,目标端口为80的包

捕获包并查看:
下面的命令任意捕获10个包保存到文件中,再从文件中读取协议类型为tcp,目标端口为80的包,只有一个包是满足条件的,所以被过滤出来。

[root@localhost sunft]# tcpdump -nni ens33 -w packets.pcap -c10
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nnr packets.pcap 'tcp dst port 80' -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
21:05:03.623261 IP 192.168.248.134.38016 > 117.18.237.29.80: Flags [.], ack 624257373, win 30732, length 0
[root@localhost sunft]# 

说明:
如果只需要读取文件中的部分包,直接在文件名后面加上过滤条件即可。

6. 根据过滤条件将文件A中的包转存到文件B中

捕获包并转存:
下面的命令将抓取的100个包,然后根据过滤表达式将符合条件的包转存到另一个文件中。

[root@localhost sunft]# tcpdump -nnr packets.pcap -c10
reading from file packets.pcap, link-type EN10MB (Ethernet)
21:17:08.039040 IP 192.168.248.134.37212 > 14.215.177.39.443: Flags [.], ack 525957243, win 32160, length 0
21:17:08.039373 IP 192.168.248.134.37216 > 14.215.177.39.443: Flags [.], ack 1060448734, win 33232, length 0
21:17:08.039803 IP 14.215.177.39.443 > 192.168.248.134.37212: Flags [.], ack 1, win 64240, length 0
21:17:08.039852 IP 14.215.177.39.443 > 192.168.248.134.37216: Flags [.], ack 1, win 64240, length 0
21:17:08.393662 IP 211.162.160.32.443 > 192.168.248.134.51977: Flags [FP.], seq 1872316417:1872316478, ack 1631945767, win 64240, length 61
21:17:08.394213 IP 192.168.248.134.51977 > 211.162.160.32.443: Flags [P.], seq 1:39, ack 62, win 55047, length 38
[root@localhost sunft]# tcpdump -r packets.pcap 'dst port 443' -w dst_port_443.pcap 
reading from file packets.pcap, link-type EN10MB (Ethernet)
[root@localhost sunft]# tcpdump -nnr dst_port_443.pcap -c10
reading from file dst_port_443.pcap, link-type EN10MB (Ethernet)
21:17:08.039040 IP 192.168.248.134.37212 > 14.215.177.39.443: Flags [.], ack 525957243, win 32160, length 0
21:17:08.039373 IP 192.168.248.134.37216 > 14.215.177.39.443: Flags [.], ack 1060448734, win 33232, length 0
21:17:08.394213 IP 192.168.248.134.51977 > 211.162.160.32.443: Flags [P.], seq 1631945767:1631945805, ack 1872316479, win 55047, length 38

说明:
第一步:从packets.pcap中读取十个包,这里显示只有6个包,其中有三个包的目标端口是443。
第二步:将packets.pcap中目标端口443的包转存到dst_port_443.pcap文件中。
第三步:查看dst_port_443.pcap中的包,发现三个包已经成功保存到dst_port_443.pcap文件中了。

7. 使用文件中的过滤表达式对包进行过滤

捕获包并显示:
下面的命令使用filter_expression.bpf作为过滤条件捕获想要的包,并直接显示,-F选项用于指定使用过滤文件。

[root@localhost sunft]# cat filter_expression.bpf 
tcp dst port 80
[root@localhost sunft]# tcpdump -nni ens33 -F filter_expression.bpf -c10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:30:41.821353 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [S], seq 1111993261, win 29200, options [mss 1460,sackOK,TS val 3821526 ecr 0,nop,wscale 7], length 0
21:30:42.008404 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [.], ack 475426640, win 29200, length 0
21:30:42.016472 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [P.], seq 0:309, ack 1, win 29200, length 309: HTTP: GET /success.txt HTTP/1.1
21:30:42.211435 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [.], ack 385, win 30016, length 0
21:30:48.924176 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [P.], seq 309:618, ack 385, win 30016, length 309: HTTP: GET /success.txt HTTP/1.1
21:30:49.122952 IP 192.168.248.134.64451 > 72.166.126.33.80: Flags [.], ack 769, win 31088, length 0
21:30:50.098251 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [S], seq 2787419036, win 29200, options [mss 1460,sackOK,TS val 3829803 ecr 0,nop,wscale 7], length 0
21:30:50.107668 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [.], ack 752690187, win 29200, length 0
21:30:50.107858 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [P.], seq 0:474, ack 1, win 29200, length 474: HTTP: POST /gsorganizationvalsha2g2 HTTP/1.1
21:30:50.117926 IP 192.168.248.134.44798 > 220.113.153.222.80: Flags [.], ack 1351, win 31050, length 0
10 packets captured
11 packets received by filter
0 packets dropped by kernel

说明: 这种情况适用于将表达式放置在文件中长期维护。

8. 指定IP地址

捕获包并显示:
直接使用host 14.215.177.39指定源地址或者目标地址的IP。

[root@localhost sunft]# ping www.baidu.com
PING www.baidu.com (14.215.177.39) 56(84) bytes of data.
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=1 ttl=128 time=66.9 ms
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=2 ttl=128 time=26.3 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2137ms
rtt min/avg/max/mdev = 26.348/46.626/66.904/20.278 ms
[root@localhost sunft]# tcpdump -nni ens33 host 14.215.177.39 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:03:08.969223 IP 192.168.248.134.21763 > 14.215.177.39.443: Flags [.], ack 1691733121, win 65280, length 0
20:03:08.969621 IP 14.215.177.39.443 > 192.168.248.134.21763: Flags [.], ack 1, win 64240, length 0
20:03:15.879297 IP 192.168.248.134.21763 > 14.215.177.39.443: Flags [P.], seq 1:586, ack 1, win 65280, length 585
20:03:15.880188 IP 14.215.177.39.443 > 192.168.248.134.21763: Flags [.], ack 586, win 64240, length 0
20:03:15.890951 IP 14.215.177.39.443 > 192.168.248.134.21763: Flags [P.], seq 1:1281, ack 586, win 64240, length 1280
5 packets captured
8 packets received by filter
0 packets dropped by kernel

说明:
上面的例子先用ping命令得到百度的IP地址,抓取源地址或目标地址为百度的5个网络包。

9. 指定目标IP或源IP

捕获包并显示:
使用src参数指定源IP地址,使用dst 参数指定目标IP。

[root@localhost sunft]# ip addr
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:59:4f:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.248.134/24 brd 192.168.248.255 scope global dynamic ens33
       valid_lft 1754sec preferred_lft 1754sec
    inet6 fd15:4ba5:5a2b:1008:c7f1:b0a6:ecf:6bfc/64 scope global noprefixroute dynamic 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::176e:36f2:18ab:c561/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost sunft]# tcpdump -nni ens33 src 192.168.248.134 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:14:13.895487 IP 192.168.248.134.52680 > 192.168.248.2.53: 22205+ A? www.baidu.com. (31)
20:14:13.895558 IP 192.168.248.134.52680 > 192.168.248.2.53: 35528+ AAAA? www.baidu.com. (31)
20:14:13.896441 IP 192.168.248.134.42015 > 192.168.248.2.53: 23907+ A? www.baidu.com. (31)
20:14:13.897900 ARP, Reply 192.168.248.134 is-at 00:0c:29:59:4f:1a, length 28
20:14:13.899295 IP 192.168.248.134.55591 > 192.168.248.2.53: 41364+ A? ss1.bdstatic.com. (34)
5 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@localhost sunft]# tcpdump -nni ens33 dst 192.168.248.134 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:18:43.765068 IP 192.168.248.2.53 > 192.168.248.134.38489: 9711 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
20:18:43.765107 IP 192.168.248.2.53 > 192.168.248.134.32978: 50234 1/0/0 A 211.162.160.32 (50)
20:18:43.765113 IP 192.168.248.2.53 > 192.168.248.134.28416: 65248 2/0/0 A 14.215.177.39, A 14.215.177.38 (63)
20:18:43.767445 IP 192.168.248.2.53 > 192.168.248.134.32978: 59201 1/1/0 CNAME sslbdstatic.jomodns.com. (131)
20:18:43.770868 IP 192.168.248.2.53 > 192.168.248.134.38489: 764 1/1/0 CNAME www.a.shifen.com. (115)
5 packets captured
5 packets received by filter
0 packets dropped by kernel

说明:
这里先使用ip addr获取本机IP,再使用src指定源IP捕获5个包并显示;最后使用 dst 指定目标IP捕获5个包并显示。

10. 指定捕获通往某个网络的包

捕获包并显示:
使用net指定网络。

[root@localhost sunft]# tcpdump -nni ens33 net 192.168.248.0/24 -c5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:29:40.259370 IP 192.168.248.134.23009 > 139.199.214.202.123: NTPv4, Client, length 48
20:29:40.276068 ARP, Request who-has 192.168.248.134 tell 192.168.248.2, length 46
20:29:40.276130 ARP, Reply 192.168.248.134 is-at 00:0c:29:59:4f:1a, length 28
20:29:40.276643 IP 139.199.214.202.123 > 192.168.248.134.23009: NTPv4, Server, length 48
20:29:52.825828 IP 192.168.248.134.37367 > 192.168.248.2.53: 4384+ A? www.baidu.com. (31)
5 packets captured
6 packets received by filter
0 packets dropped by kernel

说明:
上述命令使用net 指定网络网络,捕获5个包并显示。

参考材料

https://www.tcpdump.org/manpages/tcpdump.1.html
https://www.thegeekdiary.com/examples-of-using-tcpdump-command-for-network-troubleshooting/
《Practical Packet analysis, 3rd edition》


欢迎关注我的技术公众号,一起学习技术!
个人公众号

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章