tcpdump:
Packet capture

# tcpdump -nn -c 3 -i eth0 #-nn: do not resolve host names (or port names); -c: number of packets to capture; -i: network interface to listen on;
#-e: also show the link-layer (MAC) addresses of each packet;
#-w: write the captured packets to the named file;
#-A: print packet contents in ASCII, useful when watching HTTP requests;
#-r: read back a file written earlier with -w;
#-q: quick (quiet) output with less protocol detail;
#-X: print packet contents in hex (and ASCII); you may need it when looking at account names and passwords on the wire


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:23:43.503619 IP 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 450289231:450289427, ack 1778296046, win 185, length 196
13:23:43.504556 IP 192.168.1.64.2416 > 192.168.1.72.22: Flags [.], ack 196, win 253, length 0
13:23:43.506536 IP 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 196:472, ack 1, win 185, length 276
3 packets captured
4 packets received by filter
0 packets dropped by kernel

#tcpdump -nn -c 3 -i eth0 -e #-e: also show the link-layer (MAC) addresses of each packet;


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:29:09.682351 00:0c:29:87:22:12 > 50:e5:49:b2:dc:6d, ethertype IPv4 (0x0800), length 250: 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 450301887:450302083, ack 1778301826, win 215, length 196
13:29:09.683208 50:e5:49:b2:dc:6d > 00:0c:29:87:22:12, ethertype IPv4 (0x0800), length 60: 192.168.1.64.2416 > 192.168.1.72.22: Flags [.], ack 196, win 251, length 0
13:29:09.684292 00:0c:29:87:22:12 > 50:e5:49:b2:dc:6d, ethertype IPv4 (0x0800), length 474: 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 196:616, ack 1, win 215, length 420
3 packets captured
3 packets received by filter


#tcpdump -nn -c 5 -i eth0 -q #-q: quick (quiet) output with less protocol detail


13:35:33.595605 IP 192.168.1.72.22 > 192.168.1.64.2416: tcp 196
13:35:33.596512 IP 192.168.1.64.2416 > 192.168.1.72.22: tcp 0
13:35:33.598422 IP 192.168.1.72.22 > 192.168.1.64.2416: tcp 180
13:35:33.598877 IP 192.168.1.72.22 > 192.168.1.64.2416: tcp 116
13:35:33.599169 IP 192.168.1.72.22 > 192.168.1.64.2416: tcp 116
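The three output shapes shown above (the default -nn line, the -e line with MAC addresses and frame length, and the abbreviated -q line) can be turned into structured records. The Python below is an added example written for this page, not code from the original post or from tcpdump itself: it runs the capture lines printed above through a small parser and sums payload bytes per flow, a quick way to see which side of a connection is the one sending data. The field names in the returned dicts (ts, smac, dmac, frame_len, src, sport, dst, dport, proto, flags, length) are this example's own choice.

```python
import re
from collections import defaultdict

# Head of a tcpdump line in the default (-nn) and link-layer (-nn -e) formats shown
# above; the tail after the address pair is parsed separately because -q changes it.
HEAD_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?:(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype \S+ \(0x[0-9a-f]+\), length (?P<frame_len>\d+): |IP )"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
LEN_RE = re.compile(r"\blength (\d+)$")         # trailing 'length N' is the TCP payload
QUIET_RE = re.compile(r"^(tcp|udp) (\d+)$")     # the shape produced by -q


def parse_line(line):
    """Return a dict for one tcpdump packet line, or None for any other line."""
    m = HEAD_RE.match(line)
    if not m:
        return None                             # e.g. '3 packets captured'
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["frame_len"] = int(rec["frame_len"]) if rec["frame_len"] else None
    rest = rec.pop("rest")
    q = QUIET_RE.match(rest)
    if q:                                       # -q: only protocol and payload length
        rec["proto"], rec["length"], rec["flags"] = q.group(1), int(q.group(2)), None
        return rec
    f, l = FLAGS_RE.search(rest), LEN_RE.search(rest)
    rec["proto"] = "tcp" if f else "other"
    rec["flags"] = f.group(1) if f else None
    rec["length"] = int(l.group(1)) if l else None
    return rec


def parse_capture(text):
    """Parse every packet line in a block of tcpdump output."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def bytes_by_flow(records):
    """Sum payload bytes per 'src:sport -> dst:dport' flow."""
    totals = defaultdict(int)
    for r in records:
        if r["length"] is not None:
            totals["%s:%d -> %s:%d" % (r["src"], r["sport"], r["dst"], r["dport"])] += r["length"]
    return dict(totals)


# Sample input: the capture lines shown on this page, pasted verbatim.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
13:23:43.503619 IP 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 450289231:450289427, ack 1778296046, win 185, length 196
13:23:43.504556 IP 192.168.1.64.2416 > 192.168.1.72.22: Flags [.], ack 196, win 253, length 0
13:23:43.506536 IP 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 196:472, ack 1, win 185, length 276
13:29:09.682351 00:0c:29:87:22:12 > 50:e5:49:b2:dc:6d, ethertype IPv4 (0x0800), length 250: 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 450301887:450302083, ack 1778301826, win 215, length 196
13:29:09.683208 50:e5:49:b2:dc:6d > 00:0c:29:87:22:12, ethertype IPv4 (0x0800), length 60: 192.168.1.64.2416 > 192.168.1.72.22: Flags [.], ack 196, win 251, length 0
13:29:09.684292 00:0c:29:87:22:12 > 50:e5:49:b2:dc:6d, ethertype IPv4 (0x0800), length 474: 192.168.1.72.22 > 192.168.1.64.2416: Flags [P.], seq 196:616, ack 1, win 215, length 420
13:35:33.595605 IP 192.168.1.72.22 > 192.168.1.64.2416: tcp 196
13:35:33.596512 IP 192.168.1.64.2416 > 192.168.1.72.22: tcp 0
13:35:33.598422 IP 192.168.1.72.22 > 192.168.1.64.2416: tcp 180
3 packets captured
"""

if __name__ == "__main__":
    for flow, total in bytes_by_flow(parse_capture(SAMPLE)).items():
        print("%-40s %6d bytes" % (flow, total))
```

Note that the trailing "length" in a default or -e line is the TCP payload length, while the "length" before the colon in an -e line is the size of the whole Ethernet frame; the parser keeps the two apart as length and frame_len.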

#tcpdump -i eth0 -nn port 21 #only capture packets on port 21
#tcpdump -x "host 192.168.1.1" #capture packets to or from the given host; because the card is in promiscuous mode you can even watch the gateway, scary isn't it!

port is a keyword; other keywords include host, gateway, src host and so on, and logical operators are supported; see the article for details.

Common parameters:
-i specify the interface to listen on, for machines with more than one network card
-c number of packets to capture
-w write the captured packets to a file
I. Parameters that define the type
host, net and port, matching a host, a network address and a port respectively
II. Parameters that define the direction of transfer
src, dst, dst or src, dst and src
III. Parameters that define the protocol
fddi, ip, arp, tcp, udp and others
IV. Besides the above there are gateway, broadcast, less and greater
Logical operators: 1) not: not / ! 2) and: and / && 3) or: or / ||
1> #tcpdump started with no arguments, tcpdump listens to every packet passing through the first network interface
2> #tcpdump host 222.222.222.222 all packets received or sent by that host
3> #tcpdump 'host A and (B or C)' traffic between host A and either B or C; note the parentheses, which must be quoted so the shell does not interpret them
4> #tcpdump 'ip host A and !B' all IP packets between A and any host except B (quoting also stops the shell from expanding the !)
5> #tcpdump 'tcp port 23 and host A' all telnet packets sent or received by A (the two primitives are joined with and)
6> #tcpdump udp port 123 watch the NTP service on UDP port 123
7> #tcpdump -i eth0 src host hostname everything sent from hostname
8> #tcpdump -i eth0 gateway gatewayname packets passing through the gateway
9> #tcpdump -i eth0 'host hostname and (src or dst port 80)' traffic of the given host on the given port
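The qualifier and operator rules above (type host/net/port, direction src/dst, protocol ip/tcp/udp, and/or/not with parentheses, and a bare identifier inheriting the most recent keyword) are easiest to see in a working evaluator. The Python below is an added example for this page, not libpcap's filter compiler: it parses a filter string with that grammar into a predicate and applies it to a handful of constructed packet records (not the page's capture). It covers the subset used in examples 1 to 7 above; gateway, broadcast, less/greater and the combined "src or dst" / "src and dst" directions are left out, and no name resolution is done, so literals must be written as addresses or CIDR prefixes. The packet field names proto, src, sport, dst and dport are this example's own assumption.

```python
import ipaddress
import re

# Constructed sample packets (not the page's capture) with the fields a filter needs.
SAMPLE = [
    {"proto": "tcp", "src": "192.168.1.72", "sport": 22,    "dst": "192.168.1.64", "dport": 2416},
    {"proto": "tcp", "src": "192.168.1.64", "sport": 2416,  "dst": "192.168.1.72", "dport": 22},
    {"proto": "tcp", "src": "192.168.1.64", "sport": 51000, "dst": "10.0.0.5",     "dport": 80},
    {"proto": "udp", "src": "192.168.1.64", "sport": 123,   "dst": "10.0.0.9",     "dport": 123},
    {"proto": "tcp", "src": "10.0.0.7",     "sport": 3306,  "dst": "192.168.1.10", "dport": 40000},
]
DIRS, KINDS, PROTOS = {"src", "dst"}, {"host", "net", "port"}, {"ip", "tcp", "udp"}

def tokenize(expr):
    # parentheses, the symbolic operators, and words / addresses / CIDR prefixes
    return re.findall(r"\(|\)|&&|\|\||!|[\w.:/-]+", expr)

def _primitive(proto, direction, kind, literal):
    # Predicate for one primitive such as 'tcp src port 22' or 'net 10.0.0.0/24'.
    sides = {"src": (0,), "dst": (1,)}.get(direction, (0, 1))
    names = ("sport", "dport") if kind == "port" else ("src", "dst")
    value = int(literal) if kind == "port" else literal

    def matches(v):
        if kind == "net":  # CIDR containment; no name resolution is attempted
            return ipaddress.ip_address(v) in ipaddress.ip_network(value, strict=False)
        return v == value

    def pred(p):
        if proto not in (None, "ip") and p["proto"] != proto:
            return False
        return any(matches(p[names[i]]) for i in sides)
    return pred

class FilterParser:
    # Recursive descent with tcpdump's precedence: parentheses, then not, and, or.
    # A bare literal inherits the last qualifier: 'host A and (B or C)' is 'host A and (host B or host C)'.

    def __init__(self, expr):
        self.toks, self.pos, self.last = tokenize(expr), 0, ("any", "host")

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def _chain(self, sub, ops, join):
        left = sub()
        while self.peek() in ops:
            self.take()
            left = join(left, sub())
        return left

    def parse_or(self):
        return self._chain(self.parse_and, ("or", "||"), lambda a, b: lambda p: a(p) or b(p))

    def parse_and(self):
        return self._chain(self.parse_not, ("and", "&&"), lambda a, b: lambda p: a(p) and b(p))

    def parse_not(self):
        if self.peek() not in ("not", "!"):
            return self.parse_primary()
        self.take()
        inner = self.parse_not()
        return lambda p: not inner(p)

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        proto = tok if tok in PROTOS else None
        if proto:
            if self.peek() not in DIRS | KINDS:   # bare 'tcp', 'udp' or 'ip'
                return lambda p: proto == "ip" or p["proto"] == proto
            tok = self.take()
        direction, kind = self.last
        if tok in DIRS:                           # 'src X' means 'src host X'
            direction, kind, tok = tok, "host", self.take()
            if tok in KINDS:
                kind, tok = tok, self.take()
        elif tok in KINDS:
            direction, kind, tok = "any", tok, self.take()
        self.last = (direction, kind)
        return _primitive(proto, direction, kind, tok)

def select(expr, packets=SAMPLE):
    # Indexes of the packets the filter lets through, in capture order.
    parser = FilterParser(expr)
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return [i for i, p in enumerate(packets) if pred(p)]
```

For instance, select("host 192.168.1.64 and (10.0.0.5 or 10.0.0.9)") keeps only the web and NTP packets of the sample, because the bare 10.0.0.5 and 10.0.0.9 inherit the host keyword; when trying such expressions against a real interface, remember that the same quoting rules as in examples 3, 4 and 9 apply on the shell command line.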

ethereal:
A graphical tool (the project is now called Wireshark); requires installing the ethereal and ethereal-gnome packages

- EOF -