Detailed guide to the tcpdump command (2)

[root@linuxidc ~]# tcpdump -c 10 -tttt -n -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-08-29 00:55:27.770507 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 2765822722:2765822934, ack 3454673575, win 251, length 212
2018-08-29 00:55:27.770973 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 212:408, ack 1, win 251, length 196
2018-08-29 00:55:27.771107 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 408:588, ack 1, win 251, length 180
2018-08-29 00:55:27.771237 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 588:768, ack 1, win 251, length 180
2018-08-29 00:55:27.771387 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 768:948, ack 1, win 251, length 180
2018-08-29 00:55:27.771570 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 948:1128, ack 1, win 251, length 180
2018-08-29 00:55:27.771690 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 1128:1308, ack 1, win 251, length 180
2018-08-29 00:55:27.771804 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 1308:1488, ack 1, win 251, length 180
2018-08-29 00:55:27.771944 IP 10.1.1.1.55011 > 10.1.1.21.ssh: Flags [.], ack 1488, win 2053, length 0
2018-08-29 00:55:27.772102 IP 10.1.1.21.ssh > 10.1.1.1.55011: Flags [P.], seq 1488:1764, ack 1, win 251, length 276
10 packets captured
10 packets received by filter
0 packets dropped by kernel

6. Save the captured packets to a file with the -w option.

[root@linuxidc ~]# tcpdump -c 10 -tttt -n -i ens33 -w tcpdump.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel

If no path is given, the file is written to the current working directory. It is a binary pcap file, not text, so it cannot be read with cat or less; read it back with tcpdump -r (or any other pcap-aware tool). Because the capture runs as root, consider adding -Z user so tcpdump drops privileges once the interface and the output file are open. A capture filter can be appended to the same command so that only matching packets are written, for example by length (in tcpdump's filter language, greater N matches packets of at least N bytes on the wire and less N matches packets of at most N bytes):

[root@linuxidc ~]# tcpdump -c 100 -tttt -n -i ens33 -w tcpdump.pcap greater 1024
[root@linuxidc ~]# tcpdump -c 100 -tttt -n -i ens33 -w tcpdump.pcap less 1024

7. Read the captured packets back from a tcpdump file. Note that this run omits -n, so tcpdump resolves host and service names while printing: the output shows linuxidc and ssh where the earlier capture showed 10.1.1.21 and 22.

[root@linuxidc ~]# tcpdump -r tcpdump.pcap
reading from file tcpdump.pcap, link-type EN10MB (Ethernet)
00:57:57.825513 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 2765825694:2765825842, ack 3454674579, win 251, length 148
00:57:57.825818 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 148, win 2053, length 0
00:57:58.203184 IP 10.1.1.1.58879 > 239.255.255.250.ssdp: UDP, length 174
00:57:59.203638 IP 10.1.1.1.58879 > 239.255.255.250.ssdp: UDP, length 174
00:58:05.116911 IP 10.1.1.1.56434 > linuxidc.ssh: Flags [P.], seq 4162589724:4162589776, ack 2392121475, win 2048, length 52
00:58:05.117228 IP linuxidc.ssh > 10.1.1.1.56434: Flags [.], ack 52, win 251, length 0
00:58:07.235581 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [P.], seq 1:53, ack 148, win 2053, length 52
00:58:07.235886 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 148:200, ack 53, win 251, length 52
00:58:07.277502 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 200, win 2052, length 0
00:58:09.821038 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [P.], seq 53:105, ack 200, win 2052, length 52

8. Capture, on a given interface, only packets of a chosen network- or transport-layer protocol of the four-layer TCP/IP model. tcpdump accepts the protocol keywords tcp, udp, icmp, igmp, ip, arp and rarp as filter primitives. Without -n, tcpdump also issues its own reverse-DNS (PTR) lookups for every address it prints; the udp capture below contains exactly those self-generated queries to public1.alidns.com, so add -n when the capture should contain only the traffic you are investigating.

[root@linuxidc ~]# tcpdump -c 10 -i ens33 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:14:15.388381 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 2765855386:2765855598, ack 3454691347, win 340, length 212
01:14:15.389466 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 212, win 2049, length 0
01:14:15.959479 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 212:488, ack 1, win 340, length 276
01:14:15.959737 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 488:652, ack 1, win 340, length 164
01:14:15.959908 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 652:816, ack 1, win 340, length 164
01:14:15.960083 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 816:980, ack 1, win 340, length 164
01:14:15.960238 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 980:1144, ack 1, win 340, length 164
01:14:15.960388 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1144:1308, ack 1, win 340, length 164
01:14:15.960557 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1308:1472, ack 1, win 340, length 164
01:14:15.960721 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1472:1636, ack 1, win 340, length 164
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@linuxidc ~]# tcpdump -c 10 -i ens33 udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:17:56.217920 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:17:56.219257 IP linuxidc.48491 > public1.alidns.com.domain: 53308+ PTR? 250.255.255.239.in-addr.arpa. (46)
01:17:57.218813 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:17:58.220117 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:17:59.221545 IP 10.1.1.1.63463 > 239.255.255.250.ssdp: UDP, length 174
01:18:01.222170 IP linuxidc.48491 > public1.alidns.com.domain: 53308+ PTR? 250.255.255.239.in-addr.arpa. (46)
01:18:01.460643 IP public1.alidns.com.domain > linuxidc.48491: 53308 NXDomain 0/1/0 (103)
01:18:01.462527 IP linuxidc.46097 > public1.alidns.com.domain: 63425+ PTR? 1.1.1.10.in-addr.arpa. (39)
01:18:02.742698 IP public1.alidns.com.domain > linuxidc.46097: 63425 NXDomain 0/1/0 (116)
01:18:02.743371 IP linuxidc.60483 > public1.alidns.com.domain: 54493+ PTR? 5.5.5.223.in-addr.arpa. (40)
10 packets captured
13 packets received by filter
0 packets dropped by kernel
[root@linuxidc ~]# tcpdump -c 10 -i ens33 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:20:40.492456 IP linuxidc > 61.135.169.121: ICMP echo request, id 9516, seq 1, length 64
01:20:40.834752 IP 61.135.169.121 > linuxidc: ICMP echo reply, id 9516, seq 1, length 64
01:20:41.492751 IP linuxidc > 61.135.169.121: ICMP echo request, id 9516, seq 2, length 64
01:20:42.131624 IP 61.135.169.121 > linuxidc: ICMP echo reply, id 9516, seq 2, length 64
01:20:42.493242 IP linuxidc > 61.135.169.121: ICMP echo request, id 9516, seq 3, length 64
01:20:42.800717 IP 61.135.169.121 > linuxidc: ICMP echo reply, id 9516, seq 3, length 64
01:20:43.495523 IP linuxidc > 61.135.169.121: ICMP echo request, id 9516, seq 4, length 64
01:20:44.495944 IP linuxidc > 61.135.169.121: ICMP echo request, id 9516, seq 5, length 64
01:20:44.501359 IP 61.135.169.121 > linuxidc: ICMP echo reply, id 9516, seq 5, length 64
01:20:45.498312 IP linuxidc > 61.135.169.121: ICMP echo request, id 9516, seq 6, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel
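The following is an added example, written for this guide and not code from the original page or from tcpdump itself. It covers sections 6 to 8 together: it writes constructed packets in the classic pcap format that -w produces, parses them back the way -r does, and applies a small subset of the filter language (tcp, udp, icmp, greater N, less N, port N, joined with "and"). Everything in it is constructed: the MAC addresses, payloads and timestamps are made up to resemble the captures above, the filter parser understands only the terms listed, and only the Python standard library is used.

```python
"""Added example, not from the page: a tiny pcap writer/reader plus a subset of
tcpdump's filter language, run on constructed traffic (MACs, payloads made up)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # tcpdump reports this as EN10MB (Ethernet)
SNAPLEN = 262144             # tcpdump's default "capture size"
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}
PROTO_NUM = {v: k for k, v in PROTO_NAME.items()}

def build_packet(proto, src, dst, payload, sport=0, dport=0, flags=0x18):
    """Ethernet/IPv4/{tcp,udp,icmp} frame with zero checksums (constructed)."""
    if proto == "tcp":     # flags 0x18 = PSH|ACK, which tcpdump prints as [P.]
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 251, 0, 0)
    elif proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                  # icmp: type 8 echo request, id 9516, seq 1
        l4 = struct.pack("!BBHHH", 8, 0, 0, 9516, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0,
                     0x4000, 64, PROTO_NUM[proto], 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("000c29000001005056000002") + b"\x08\x00"  # ethertype IPv4
    return eth + ip + l4 + payload

def write_pcap(frames):
    """[(sec, usec, frame)] -> pcap bytes, i.e. what tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)]
    for sec, usec, frame in frames:
        data = frame[:SNAPLEN]   # incl_len is smaller than orig_len when snapped
        out.append(struct.pack("<IIII", sec, usec, len(data), len(frame)) + data)
    return b"".join(out)

def decode_frame(frame, sec, usec, orig_len):
    """Decode Ethernet/IPv4/L4 headers into the fields tcpdump prints per line."""
    pkt = {"ts": sec + usec / 1e6, "len": orig_len, "proto": None,
           "src": None, "dst": None, "sport": None, "dport": None, "l4_len": 0}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return pkt               # ARP, IPv6 etc.: no IPv4 fields to decode
    ihl, total_len, proto = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0], frame[23]
    pkt["src"], pkt["dst"] = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    pkt["proto"] = PROTO_NAME.get(proto, str(proto))
    l4 = frame[14 + ihl:14 + total_len]
    if proto in (6, 17) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 20:      # tcpdump's "length N" is the TCP payload,
        pkt["l4_len"] = len(l4) - (l4[12] >> 4) * 4
    elif proto == 17 and len(l4) >= 8:    # the UDP payload,
        pkt["l4_len"] = len(l4) - 8
    else:                                 # or the ICMP header plus data
        pkt["l4_len"] = len(l4)
    return pkt

def read_pcap(blob):
    """Parse pcap bytes the way tcpdump -r does; rejects a truncated file."""
    magic = struct.unpack("<I", blob[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)   # file byte order
    if end is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    pkts, off = [], 24
    while off + 16 <= len(blob):   # record headers use the file's byte order;
        sec, usec, incl, orig = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16                  # the packet bytes themselves are network order
        if off + incl > len(blob):
            raise ValueError("truncated record at offset %d" % off)
        pkts.append(decode_frame(blob[off:off + incl], sec, usec, orig))
        off += incl
    return pkts

def matches(pkt, expr):
    """pcap-filter subset joined by 'and'; as in tcpdump, greater/less mean len >= N / len <= N."""
    for term in expr.split(" and "):
        tok = term.split()
        if len(tok) == 1 and tok[0] in PROTO_NUM:
            ok = pkt["proto"] == tok[0]
        elif tok[0] == "greater":
            ok = pkt["len"] >= int(tok[1])
        elif tok[0] == "less":
            ok = pkt["len"] <= int(tok[1])
        elif tok[0] == "port":
            ok = int(tok[1]) in (pkt["sport"], pkt["dport"])
        else:
            raise ValueError("unsupported filter term %r" % term)
        if not ok:
            return False
    return True

def capture_to_file(frames, expr=""):
    """tcpdump -w FILE EXPR: only frames matching EXPR reach the file."""
    return write_pcap([(s, u, f) for s, u, f in frames
                       if not expr or matches(decode_frame(f, s, u, len(f)), expr)])

# Constructed sample traffic shaped like the page's captures (not real data).
SAMPLE = [
    (1535475327, 770507, build_packet("tcp", "10.1.1.21", "10.1.1.1", b"A" * 212, 22, 55011)),
    (1535475327, 771944, build_packet("tcp", "10.1.1.1", "10.1.1.21", b"", 55011, 22, flags=0x10)),
    (1535475478, 203184, build_packet("udp", "10.1.1.1", "239.255.255.250", b"M" * 174, 58879, 1900)),
    (1535475640, 492456, build_packet("icmp", "10.1.1.21", "61.135.169.121", b"\x00" * 56)),
    (1535475641, 0, build_packet("tcp", "10.1.1.21", "10.1.1.1", b"B" * 1400, 22, 55011)),
]
```

Reading the file back is a parsing step, not a text read: the 24-byte global header fixes the byte order and link type, and each record carries its own timestamp plus two lengths (bytes captured versus bytes on the wire), which is why greater and less are evaluated on the original length and why a file cut off mid-record (a capture killed with -w still open, for instance) is rejected rather than silently shortened. The same checks matter when the pcap comes from an untrusted source: validate the magic and every record's incl_len against the file size before decoding packet contents.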

9. Capture packets on a specified port.

Content copyright notice: unless otherwise stated, all articles on this site are original.

When reposting, cite the source: https://www.heiqu.com/12373.html