tcpdump命令使用详解(4)

[root@linuxidc ~]# tcpdump -c 10 -i ens33 src 223.5.5.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:48:17.072240 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 35, length 64
01:48:17.372803 IP public1.alidns.com.domain > linuxidc.38253: 55537 NXDomain 0/1/0 (117)
01:48:17.414638 IP public1.alidns.com.domain > linuxidc.51867: 7178 1/0/0 PTR public1.alidns.com. (72)
01:48:18.070799 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 36, length 64
01:48:19.082138 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 37, length 64
01:48:20.099136 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 38, length 64
01:48:21.081299 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 39, length 64
01:48:22.079008 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 40, length 64
01:48:23.090255 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 41, length 64
01:48:24.230821 IP public1.alidns.com > linuxidc: ICMP echo reply, id 9555, seq 42, length 64
10 packets captured
11 packets received by filter
0 packets dropped by kernel

[root@linuxidc ~]# tcpdump -c 10 -i ens33 dst 223.5.5.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:48:38.069626 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 56, length 64
01:48:38.073248 IP linuxidc.48285 > public1.alidns.com.domain: 46129+ PTR? 5.5.5.223.in-addr.arpa. (40)
01:48:38.135949 IP linuxidc.44970 > public1.alidns.com.domain: 27616+ PTR? 21.1.1.10.in-addr.arpa. (40)
01:48:39.072184 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 57, length 64
01:48:40.076144 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 58, length 64
01:48:41.077810 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 59, length 64
01:48:42.079204 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 60, length 64
01:48:43.080601 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 61, length 64
01:48:44.082011 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 62, length 64
01:48:45.083420 IP linuxidc > public1.alidns.com: ICMP echo request, id 9555, seq 63, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel

11.抓取两台主机之间的数据包。

[root@linuxidc ~]# tcpdump -c 10 -i ens33 tcp and \( host 223.5.5.5 or host 10.1.1.21 \)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:54:54.268935 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 2765927618:2765927830, ack 3454734639, win 340, length 212
01:54:54.269117 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 212, win 2051, length 0
01:54:54.561897 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 212:488, ack 1, win 340, length 276
01:54:54.562176 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 488:652, ack 1, win 340, length 164
01:54:54.562286 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 652, win 2050, length 0
01:54:54.562493 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 652:912, ack 1, win 340, length 260
01:54:54.562660 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 912:1076, ack 1, win 340, length 164
01:54:54.562808 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 1076, win 2048, length 0
01:54:54.563029 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1076:1336, ack 1, win 340, length 260
01:54:54.563212 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1336:1500, ack 1, win 340, length 164
10 packets captured
11 packets received by filter
0 packets dropped by kernel

[root@linuxidc ~]# tcpdump -c 10 -i ens33 src 10.1.1.21 and port 22 and dst 10.1.1.1 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:57:36.392318 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 2765943782:2765943994, ack 3454748435, win 362, length 212
01:57:36.904661 IP linuxidc.ssh > 10.1.1.1.56434: Flags [P.], seq 2392278579:2392278711, ack 4162603348, win 251, length 132
01:57:37.010706 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 212:520, ack 1, win 362, length 308
01:57:37.046307 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 520:684, ack 1, win 362, length 164
01:57:37.046546 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 684:848, ack 1, win 362, length 164
01:57:37.046669 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 848:1012, ack 1, win 362, length 164
01:57:37.046842 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1012:1176, ack 1, win 362, length 164
01:57:37.046999 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1176:1340, ack 1, win 362, length 164
01:57:37.047214 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1340:1504, ack 1, win 362, length 164
01:57:37.047399 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1504:1668, ack 1, win 362, length 164
10 packets captured
10 packets received by filter
0 packets dropped by kernel

12.以HEX或ASCII格式抓取数据包，分别使用选项-XX和-A即可。