(2)精简输出信息
[root@localhost ~]# tcpdump -q #默认情况下,tcpdump命令的输出信息较多,为了显示精简的信息,可以使用-q选项 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 05:33:01.438200 IP localhost.ssh > localhost.50832: tcp 208 05:33:01.479036 IP localhost.50832 > localhost.ssh: tcp 0 05:33:01.494539 IP localhost.ssh > localhost.50832: tcp 176 05:33:01.510460 IP localhost.ssh > localhost.50832: tcp 112 05:33:01.510907 IP localhost.50832 > localhost.ssh: tcp 0 05:33:01.525789 IP localhost.ssh > localhost.50832: tcp 176 05:33:01.541450 IP localhost.ssh > localhost.50832: tcp 112 05:33:01.541548 IP localhost.50832 > localhost.ssh: tcp 0 05:33:01.557049 IP localhost.ssh > localhost.50832: tcp 176 05:33:01.574173 IP localhost.ssh > localhost.50832: tcp 112 05:33:01.574486 IP localhost.50832 > localhost.ssh: tcp 0 05:33:01.583765 IP localhost.50832 > localhost.ssh: tcp 64 05:33:01.583857 IP localhost.ssh > localhost.50832: tcp 176 ^C 24 packets captured 26 packets received by filter 0 packets dropped by kernel [root@localhost ~]# tcpdump -c 5 #使用-c选项指定监听的数据包数量,这样就不需要使用Ctrl+C了 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 05:34:24.515192 IP localhost.ssh > localhost.50832: Flags [P.], seq 898300004:898300212, ack 861398503, win 317, length 208 05:34:24.515301 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 519, length 0 05:34:24.515445 IP localhost.60389 > localhost.domain: 26412+ PTR? 254.0.168.192.in-addr.arpa. (44) 05:34:24.518180 IP localhost.domain > localhost.60389: 26412 1/0/0 PTR localhost. (67) 05:34:24.518247 IP localhost.38804 > localhost.domain: 7473+ PTR? 233.0.168.192.in-addr.arpa. (44) 5 packets captured 10 packets received by filter 0 packets dropped by kernel(3)监听指定网卡收到的数据包
[root@Mr_chen ~]# tcpdump -i eth0 #使用-i选项可以指定要监听的网卡 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 05:46:06.865643 IP localhost.ssh > localhost.50832: Flags [P.], seq 898335828:898336036, ack 861403175, win 317, length 208 05:46:06.865721 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 524, length 0 05:46:06.865876 IP localhost.37090 > localhost.domain: 16313+ PTR? 254.0.168.192.in-addr.arpa. (44) ^C 49 packets captured 52 packets received by filter 0 packets dropped by kernel以下是命令的结果说明
[x] 05:46:06.865643:当前时间,精确到微妙
[x] IP localhost.ssh > localhost.50832:从主机localhost的SSH端口发送数据到localhost的50832端口,“>”代表数据流向
[x] Flags [P.]:TCP包中的标志信息,S是SYN标志的缩写,F(FIN),P(PUSH),R(RST),“.”(没有标记)。
[x] seq:数据包中的数据的顺序号。
[x] ack:下次期望的顺序号
[x] win:接收缓存的窗口大小
[x] length:数据包长度
(4)监听指定主机的数据包
[root@Mr_chen ~]# tcpdump -n -c 5 host 192.168.0.254 #使用-n选项不进行DNS解析,加快显示速度。监听指定主机的关键字为host,后面直接接主机名或IP地址即可。本行命令的作用是监听所有192.168.0.254的主机收到的和发出的数据包 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 06:18:59.812585 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 898389300:898389508, ack 861410071, win 317, length 208 06:18:59.812763 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 208, win 524, length 0 06:18:59.813478 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 208:496, ack 1, win 317, length 288 06:18:59.814441 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 496:672, ack 1, win 317, length 176 06:18:59.814534 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 672, win 522, length 0 5 packets captured 5 packets received by filter 0 packets dropped by kernel [root@Mr_chen ~]# tcpdump -n -c 5 src host 192.168.0.254 #只监听从192.168.0.254发出的数据包,即源地址为192.168.0.254,关键字为src(source,源地址) tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 06:19:45.439633 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 898393156, win 522, length 0 06:19:45.511489 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 161, win 521, length 0 06:19:45.589521 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 321, win 520, length 0 06:19:45.667712 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 481, win 520, length 0 06:19:45.733979 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 641, win 519, length 0 5 packets captured 6 packets received by filter 0 packets dropped by kernel [root@Mr_chen ~]# tcpdump -n -c 5 dst host 192.168.0.254 #只监听192.168.0.254收到的数据包,即目标地址为192.168.0.254,关键字为dst(destination,目的地) tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 18:21:33.783811 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 1885784800:1885785008, ack 322191067, win 317, length 208 18:21:33.785709 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 208:400, ack 1, win 317, length 192 18:21:33.786677 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 400:576, ack 1, win 317, length 176 18:21:33.787676 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 576:752, ack 1, win 317, length 176 18:21:33.788684 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 752:928, ack 1, win 317, length 176 5 packets captured 5 packets received by filter 0 packets dropped by kernel