[root@linuxidc ~]# tcpdump -c 3 -i ens33 -XX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
02:03:21.704787 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 2765959902:2765960114, ack 3454752171, win 362, length 212
0x0000: 0050 56c0 0008 000c 29ce 40b0 0800 4510 .PV.....).@...E.
0x0010: 00fc 3612 4000 4006 edc2 0a01 0115 0a01 ..6.@.@.........
0x0020: 0101 0016 d6e3 a4dd 32de cdeb 55ab 5018 ........2...U.P.
0x0030: 016a 1706 0000 0000 00b0 bcc9 c244 c5bc .j...........D..
0x0040: fb53 12de b143 b265 a9cb 7a34 670b f634 .S...C.e..z4g..4
0x0050: d2a5 d977 8de5 1bb0 6166 5394 e0dc 8311 ...w....afS.....
0x0060: 1e63 1c33 0cae e945 d639 f505 583f dd45 .c.3...E.9..X?.E
0x0070: abd7 3822 4d63 2649 0e8d 19ac 2713 4732 ..8"Mc&I....'.G2
0x0080: 7d7f eb9b df16 295a 94c9 1c68 e456 8319 }.....)Z...h.V..
0x0090: dc94 469a 8fbf a84b 7203 b010 0869 3193 ..F....Kr....i1.
0x00a0: 7957 afad 19d3 3610 b0aa 4488 df5f 3f4b yW....6...D.._?K
0x00b0: 1f03 83f9 a480 0d08 cc6b 234c 5804 0787 .........k#LX...
0x00c0: 180e 5cd0 e681 5c2a cd2f 216e 1f32 53dd ..\...\*./!n.2S.
0x00d0: aa8e 1b22 c6d4 f8c0 896d 2b04 c00d 52f9 ...".....m+...R.
0x00e0: 56b3 0189 1672 3e1f 35ce 72bc f8f1 3aaf V....r>.5.r...:.
0x00f0: 82e7 b2f6 c8af c3a5 36af 0616 c21d 6808 ........6.....h.
0x0100: 246c bb48 2609 5583 d667 $l.H&.U..g
02:03:21.704989 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 212, win 2049, length 0
0x0000: 000c 29ce 40b0 0050 56c0 0008 0800 4500 ..).@..PV.....E.
0x0010: 0028 7afc 4000 8006 69bc 0a01 0101 0a01 .(z.@...i.......
0x0020: 0115 d6e3 0016 cdeb 55ab a4dd 33b2 5010 ........U...3.P.
0x0030: 0801 be9b 0000 0000 0000 0000 ............
02:03:21.705899 IP linuxidc.58309 > public1.alidns.com.domain: 46252+ PTR? 1.1.1.10.in-addr.arpa. (39)
0x0000: 0050 56f5 98bc 000c 29ce 40b0 0800 4500 .PV.....).@...E.
0x0010: 0043 e88b 4000 4011 62fe 0a01 0115 df05 .C..@.@.b.......
0x0020: 0505 e3c5 0035 002f ef60 b4ac 0100 0001 .....5./.`......
0x0030: 0000 0000 0000 0131 0131 0131 0231 3007 .......1.1.1.10.
0x0040: 696e 2d61 6464 7204 6172 7061 0000 0c00 in-addr.arpa....
0x0050: 01 .
3 packets captured
10 packets received by filter
0 packets dropped by kernel
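The `-XX` dump above shows the raw frame bytes, and the one-line summary that tcpdump prints in front of it (addresses, ports, flags, sequence numbers, window, length) is simply those bytes decoded layer by layer. The following script is an added example, not part of the original article: it reassembles the first four rows of the first captured packet (copied from the dump above) into bytes and walks the Ethernet II, IPv4 and TCP headers with `struct`, reproducing the same summary fields. The row-parsing assumes tcpdump's standard `-X`/`-XX` layout (an `0xNNNN:` offset, at most eight 4-hex-digit groups, then the ASCII column); only the header rows are embedded because the remaining rows are encrypted SSH payload.

```python
import re
import struct

# Constructed input: the header rows of the page's first `tcpdump -XX` packet.
TCPDUMP_XX_ROWS = """\
0x0000: 0050 56c0 0008 000c 29ce 40b0 0800 4510 .PV.....).@...E.
0x0010: 00fc 3612 4000 4006 edc2 0a01 0115 0a01 ..6.@.@.........
0x0020: 0101 0016 d6e3 a4dd 32de cdeb 55ab 5018 ........2...U.P.
0x0030: 016a 1706 0000 0000 00b0 bcc9 c244 c5bc .j...........D..
"""

# A hex group is 2 or 4 hex digits (the last group of a row may be 2).
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble raw frame bytes from tcpdump -X/-XX rows.

    At most eight groups (16 bytes) are taken per row, so the trailing ASCII
    column, which may itself contain hex-looking characters, is never consumed.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].startswith("0x"):
            continue
        groups = 0
        for tok in tokens[1:]:
            if groups == 8 or not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
            groups += 1
    return bytes(out)


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP headers; header lengths come from IHL / data offset."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    result = {
        "src_mac": mac(src_mac), "dst_mac": mac(dst_mac),
        "ip_src": ".".join(map(str, src)), "ip_dst": ".".join(map(str, dst)),
        "ttl": ttl, "df": bool(flags_frag & 0x4000), "proto": proto,
        "ip_total_len": total_len,
    }
    if proto != 6:  # only TCP is decoded further here
        return result
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, tcp_csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x01FF
    # Same letters and order tcpdump uses: FIN SYN RST PSH ACK(.) URG ECE CWR
    names = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08),
             (".", 0x10), ("U", 0x20), ("E", 0x40), ("W", 0x80)]
    result.update({
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(n for n, b in names if flag_bits & b),
        "win": win,
        # tcpdump's "length" is the TCP payload: IP total length minus both headers
        "payload_len": total_len - ihl - data_off,
    })
    return result


def summarize(dump: str) -> dict:
    return parse_frame(hexdump_to_bytes(dump))


if __name__ == "__main__":
    info = summarize(TCPDUMP_XX_ROWS)
    print(f"IP {info['ip_src']}.{info['sport']} > {info['ip_dst']}.{info['dport']}: "
          f"Flags [{info['flags']}], seq {info['seq']}, ack {info['ack']}, "
          f"win {info['win']}, length {info['payload_len']}")
```

Running it prints the same fields tcpdump showed for that packet (`22 > 55011`, flags `P.`, seq `2765959902`, ack `3454752171`, win `362`, length `212`), which is a useful way to confirm you are reading the hex columns correctly: bytes 0-13 are Ethernet, the IPv4 header starts at `45` (version 4, IHL 5), and the TCP header starts 20 bytes later.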
[root@linuxidc ~]# tcpdump -c 3 -i ens33 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
02:03:53.931462 IP 10.1.1.1.55011 > linuxidc.ssh: Flags [.], ack 2765963078, win 2048, length 0
E..({,@...i.
...
.........WG..?FP....l........
02:03:53.933710 IP linuxidc.40263 > public1.alidns.com.domain: 12427+ PTR? 21.1.1.10.in-addr.arpa. (40)
E..D..@.@.:.
........G.5.0.a0............21.1.1.10.in-addr.arpa.....
02:03:53.934052 IP linuxidc.ssh > 10.1.1.1.55011: Flags [P.], seq 1:213, ack 0, win 362, length 212
E...6.@.@...
...
.........?F..WGP..j..........T.IP.9~<..>....5...{..>> ..N.8.j.>...%.$.X;JE......}../z..Z...L..!.N6<.!'..^F...&..:+-}9.2.c.Bd.."...6Y...(W......!..QY.CWG.....s.[. L.>ED.......>.,1u..........-..> L.."... .......|.;.z|.0AB.R)z...q...N$...
3 packets captured
12 packets received by filter
0 packets dropped by kernel
4. Summary
1. tcpdump is fairly simple to use; the common usages of the tool have been listed above.
2. It is worth strengthening one's understanding of the four-layer TCP/IP reference model; the protocols covered in this article include the common network-layer and transport-layer protocols.