In general, connecting to a network is an indispensable part of using and operating a Linux system. In some scenarios, collecting and analysing network data becomes especially important. tcpdump is a popular tool for capturing and collecting network data, so it is well worth getting to know.
The operating system used to verify tcpdump in this article: CentOS Linux release 7.5.1804 (Core)
Install tcpdump:
[root@linuxidc ~]# yum -y install tcpdump
2. Getting help
2.1 tcpdump --help
Before using a Linux command, if you run into unfamiliar options, use --help or -h to get a first overview of the command and its options. tcpdump's --help output is too brief on usage and steps, so it is not covered further here.
2.2 man tcpdump
Part of its content is as follows:
tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
3. Practice
1. List all interfaces that tcpdump can capture on, using the -D option.
[root@linuxidc ~]# tcpdump -D
1.nflog (Linux netfilter log (NFLOG) interface)
2.nfqueue (Linux netfilter queue (NFQUEUE) interface)
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.ens33
6.any (Pseudo-device that captures on all interfaces)
7.lo [Loopback]
2. Capture packet information on a specified interface, using the -i option.
[root@linuxidc ~]# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:43:37.837417 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 2765734802:2765735014, ack 3454639695, win 251, length 212
23:43:37.838749 IP linuxidc.59877 > public1.alidns.com.domain: 23489+ PTR? 1.1.1.10.in-addr.arpa. (39)
2 packets captured
14 packets received by filter
0 packets dropped by kernel
The output is quite long and scrolls quickly. You can get network connection information straight from the standard output; press Ctrl+C to quit.
3. Capture a specified number of packets on an interface (device), using the -c option.
[root@linuxidc ~]# tcpdump -c 10 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:47:33.754369 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 2765810766:2765810978, ack 3454668519, win 251, length 212
00:47:33.757822 IP linuxidc.40048 > public1.alidns.com.domain: 25834+ PTR? 1.1.1.10.in-addr.arpa. (39)
00:47:33.797033 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 212, win 2053, length 0
00:47:34.053798 IP public1.alidns.com.domain > linuxidc.40048: 25834 NXDomain 0/1/0 (116)
00:47:34.056344 IP linuxidc.41574 > public1.alidns.com.domain: 1158+ PTR? 21.1.1.10.in-addr.arpa. (40)
00:47:34.702924 IP public1.alidns.com.domain > linuxidc.41574: 1158 NXDomain 0/1/0 (117)
00:47:34.703374 IP linuxidc.59986 > public1.alidns.com.domain: 12257+ PTR? 5.5.5.223.in-addr.arpa. (40)
00:47:34.703561 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 212:392, ack 1, win 251, length 180
00:47:34.745614 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 392, win 2052, length 0
00:47:34.856428 IP public1.alidns.com.domain > linuxidc.59986: 12257 1/0/0 PTR public1.alidns.com. (72)
10 packets captured
10 packets received by filter
0 packets dropped by kernel
4. Specify the timestamp format for captured packets, using the -tttt option.
[root@linuxidc ~]# tcpdump -c 10 -tttt -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-08-29 00:52:46.759937 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 2765814682, win 2050, length 0
2018-08-29 00:52:46.766774 IP linuxidc.40898 > public1.alidns.com.domain: 57359+ PTR? 21.1.1.10.in-addr.arpa. (40)
2018-08-29 00:52:46.767024 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1:213, ack 0, win 251, length 212
2018-08-29 00:52:46.809552 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 213, win 2049, length 0
2018-08-29 00:52:49.829346 ARP, Request who-has linuxidc (00:0c:29:ce:40:b0 (oui Unknown)) tell 10.1.1.1, length 46
2018-08-29 00:52:49.829370 ARP, Reply linuxidc is-at 00:0c:29:ce:40:b0 (oui Unknown), length 28
2018-08-29 00:52:51.771436 IP linuxidc.40898 > public1.alidns.com.domain: 57359+ PTR? 21.1.1.10.in-addr.arpa. (40)
2018-08-29 00:52:51.783425 ARP, Request who-has gateway tell linuxidc, length 28
2018-08-29 00:52:51.783707 ARP, Reply gateway is-at 00:50:56:f5:98:bc (oui Unknown), length 46
2018-08-29 00:52:52.497640 IP public1.alidns.com.domain > linuxidc.40898: 57359 NXDomain 0/1/0 (117)
10 packets captured
22 packets received by filter
0 packets dropped by kernel
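Sections 2 to 4 above run tcpdump interactively and read its output by eye. As an added example that is not part of the original article, the script below composes the bounded capture command from those sections and post-processes tcpdump's text output offline: it counts packets per "src > dst" pair, lumps ARP together, and counts the reverse-DNS (PTR) queries that tcpdump itself generates when it resolves the addresses it prints (the 1.1.1.10.in-addr.arpa lookups in the output above), which is why -n is added to the capture command. The function names are my own, and the sample capture is copied from the -tttt output in section 4.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for a bounded capture
# and for summarising tcpdump's text output offline with awk.

# Compose the capture command used in sections 2-4. -n is added so tcpdump
# does not issue reverse-DNS lookups of its own while capturing.
# $1 = interface, $2 = packet count (both caller-supplied; assumed names)
build_capture_cmd() {
    printf 'tcpdump -n -tttt -c %s -i %s\n' "$2" "$1"
}

# Sample capture: the ten lines printed by "tcpdump -c 10 -tttt -i ens33" above.
SAMPLE_CAPTURE='2018-08-29 00:52:46.759937 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 2765814682, win 2050, length 0
2018-08-29 00:52:46.766774 IP linuxidc.40898 > public1.alidns.com.domain: 57359+ PTR? 21.1.1.10.in-addr.arpa. (40)
2018-08-29 00:52:46.767024 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1:213, ack 0, win 251, length 212
2018-08-29 00:52:46.809552 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 213, win 2049, length 0
2018-08-29 00:52:49.829346 ARP, Request who-has linuxidc (00:0c:29:ce:40:b0 (oui Unknown)) tell 10.1.1.1, length 46
2018-08-29 00:52:49.829370 ARP, Reply linuxidc is-at 00:0c:29:ce:40:b0 (oui Unknown), length 28
2018-08-29 00:52:51.771436 IP linuxidc.40898 > public1.alidns.com.domain: 57359+ PTR? 21.1.1.10.in-addr.arpa. (40)
2018-08-29 00:52:51.783425 ARP, Request who-has gateway tell linuxidc, length 28
2018-08-29 00:52:51.783707 ARP, Reply gateway is-at 00:50:56:f5:98:bc (oui Unknown), length 46
2018-08-29 00:52:52.497640 IP public1.alidns.com.domain > linuxidc.40898: 57359 NXDomain 0/1/0 (117)'

# Count packets per "src > dst" pair for IP and lump ARP together.
# It locates the "IP" / "ARP," token itself, so it works with or without -tttt.
summarize_flows() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "IP") {
                dst = $(i + 3); sub(/:$/, "", dst)   # strip trailing colon
                n[$(i + 1) " > " dst]++; break
            }
            if ($i == "ARP,") { n["ARP"]++; break }
        }
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Number of reverse-DNS (PTR) queries in the capture. When you are not
# deliberately looking at DNS, a non-zero count usually means -n was omitted.
count_ptr_queries() {
    awk '/PTR\?/ { c++ } END { print c + 0 }'
}

# Total packet lines, i.e. what tcpdump reports as "packets captured".
packet_total() {
    awk 'NF { c++ } END { print c + 0 }'
}

# Usage: feed any tcpdump text output; here the sample from section 4.
build_capture_cmd ens33 10
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_flows
printf 'PTR queries: %s\n' "$(printf '%s\n' "$SAMPLE_CAPTURE" | count_ptr_queries)"
```

In practice you would pipe a live run (`tcpdump -n -c 200 -i ens33 | summarize_flows`) or the contents of a saved text capture into these functions; the per-pair counts make the noisiest talkers on an interface visible at a glance, which the raw scrolling output from section 2 does not.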
5. Capture only IP packets, using the -n option.