Linux 抓包工具:tcpdump

tcpdump 是一个命令行抓包工具,通常用来捕获并分析网络流量

安装tcpdump命令
[root@mysql test]# yum install -y tcpdump

-i 指定网卡,抓取该网卡上的数据包

抓取指定网卡的数据包
[root@mysql test]# tcpdump -nn -i eth0

抓取指定网卡上、指定端口的数据包(下例中 port 22 即 SSH 端口)

[root@mysql test]# tcpdump -nn -i eth0 port 22

-c count 抓取指定数量的数据包后自动退出

抓取 10 个数据包

[root@mysql test]# tcpdump -nn  -i eth0 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:16:32.649442 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 2807638170:2807638366, ack 1457889588, win 1259, length 196
23:16:32.649789 IP 192.168.0.106.60104 > 192.168.0.110.22: Flags [.], ack 196, win 16298, length 0
23:16:32.649905 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 196:376, ack 1, win 1259, length 180
23:16:32.654906 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 376:636, ack 1, win 1259, length 260
23:16:32.655263 IP 192.168.0.106.60104 > 192.168.0.110.22: Flags [.], ack 636, win 16188, length 0
23:16:32.656933 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 636:896, ack 1, win 1259, length 260
23:16:32.659151 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 896:1060, ack 1, win 1259, length 164
23:16:32.659479 IP 192.168.0.106.60104 > 192.168.0.110.22: Flags [.], ack 1060, win 16082, length 0
23:16:32.659548 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 1060:1320, ack 1, win 1259, length 260
23:16:32.660859 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 1320:1484, ack 1, win 1259, length 164
10 packets captured
11 packets received by filter
0 packets dropped by kernel

-w 将抓到的原始数据包写入指定文件(而不是打印到屏幕)

指定存放到哪个文件

[root@mysql test]# tcpdump -nn -i eth0 -c 10 -w 1.txt

生成的文件:

[root@mysql test]# ls
1.txt

-w 写出的文件是二进制抓包格式,并非文本(扩展名 .txt 只是示例),需要用 tcpdump -r 1.txt 读取查看

-r file 从文件读取数据包(此处未加 -nn,所以端口显示为服务名,例如 ssh)

[root@mysql test]# tcpdump -r 1.txt 
reading from file 1.txt, link-type EN10MB (Ethernet)
23:24:25.382186 IP 192.168.0.110.ssh > 192.168.0.106.60104: Flags [P.], seq 2807649858:2807649990, ack 1457896688, win 1259, length 132
23:24:25.382881 IP 192.168.0.106.60104 > 192.168.0.110.ssh: Flags [.], ack 132, win 15695, length 0
23:24:26.659280 IP 192.168.0.106.62688 > 239.255.255.250.ssdp: UDP, length 133
23:24:29.659551 IP 192.168.0.106.62688 > 239.255.255.250.ssdp: UDP, length 133
23:24:30.793661 IP6 fe80::dd37:f87c:843e:395b.51568 > ff02::1:3.hostmon: UDP, length 22
23:24:30.793988 IP 192.168.0.106.50234 > 224.0.0.252.hostmon: UDP, length 22
23:24:30.894833 IP6 fe80::dd37:f87c:843e:395b.51568 > ff02::1:3.hostmon: UDP, length 22
23:24:30.894857 IP 192.168.0.106.50234 > 224.0.0.252.hostmon: UDP, length 22
23:24:31.095942 IP 192.168.0.106.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:24:31.845968 IP 192.168.0.106.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

输出详解:

[root@mysql test]# tcpdump -nn  -i eth0 -c 10 # 如下,每行表示一个数据包:源地址 192.168.0.110 端口 22 发送到目标地址 192.168.0.106 端口 60104(tcpdump 用最后一个点分隔地址和端口)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:16:32.649442 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 2807638170:2807638366, ack 1457889588, win 1259, length 196
23:16:32.649905 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 196:376, ack 1, win 1259, length 180
23:16:32.654906 IP 192.168.0.110.22 > 192.168.0.106.60104: Flags [P.], seq 376:636, ack 1, win 1259, length 260
原文地址:https://www.cnblogs.com/mingerlcm/p/10332348.html