
tcpdump: showing packet details (tcpdump notes)


Preface

These are notes I made after reading through the tcpdump documentation.

The commands in this article were tested on the following platform:

```
# MacOS 11.1 Big Sur
# tcpdump:
sh-3.2# tcpdump --version
tcpdump version tcpdump version 4.9.3 -- Apple version 100
libpcap version 1.9.1
LibreSSL 2.8.3
# Linux and other platforms differ slightly, but most of this is common to all of them
```

Network protocol documents use the word Octet (sometimes translated as `八位组`, "eight-bit group"): 1 Octet = 8 bits, the same as today's notion of a byte (B). Most network protocols say Octet rather than byte because many years ago 1 byte = 10 bits, which is why the convention 1 Octet = 8 bits came about. So when a document refers to the n-th Octet, it generally means the n-th byte of a piece of data; whether n counts from 0 or from 1 has to be determined from context.

Many people start typing tcpdump commands off the top of their head and end up with syntax errors. To avoid that, the examples below illustrate two points to keep in mind:

  1. tcpdump arguments need single or double quotes depending on the situation;
  2. write the options and the expression after tcpdump in the order the official documentation requires.

```
fh@192 ~ % NAME=ok
# single quotes print the text literally, without expansion
fh@192 ~ % echo 'Hello, $NAME'
Hello, $NAME
# double quotes expand variables first, then print
fh@192 ~ % echo "Hello, $NAME"
Hello, ok
# () produces an error
fh@192 ~ % echo (ok)
zsh: unknown sort specifier
fh@192 ~ % echo ok && demo
ok
zsh: command not found: demo
# wrapping the string in "" or '' avoids the problem
fh@192 ~ % echo "ok && demo"
ok && demo
fh@192 ~ % echo 'ok && demo'
ok && demo
fh@192 ~ %
```

tcpdump takes a filter expression, and expressions contain characters such as ( ) && || > that are special to the shell. The shell needs them escaped, so in general the filter expression should be wrapped in '' or ""; otherwise you get errors.

```
# Recommended layout
# Options that take no value may be combined
tcpdump flag1 flag2 ... flag_k option1 value1 option2 value2 ... option_n value_n 'expression'
```

Due to my limited knowledge, the parts of tcpdump I have not yet understood are marked TODO; I will add examples once I work them out.

SYNOPSIS

```
NAME
       tcpdump - dump traffic on a network

SYNOPSIS
       tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ] [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ] [ -m module ] [ -M secret ]
               [ --number ] [ -Q in|out|inout ]
               [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,... ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ -Q packet-metadata-filter ] [ -Q in|out|inout ]
               [ --time-stamp-precision=tstamp_precision ]
               [ --immediate-mode ] [ --version ]
               [ expression ]
```

Options

```
# -A: print each packet in ASCII (without the link-layer header); typically used to capture web page data
sh-3.2# tcpdump -A -c 1 -i any
16:28:07.931082 IP 192.168.0.108.57342 > 192.168.1.1.domain: 59093 A? oth.eve.mdt.qq.com. (36)
...f.n.._.....E..@....@.\....l.......5.,.d.............oth.eve.mdt.qq.com.....
```

```
# -b: print the AS number in BGP packets in ASDOT notation instead of ASPLAIN notation
sh-3.2# tcpdump -b -i any
```

```
# -B buffer_size: set the operating system capture buffer size, in KB
# -c count: exit after receiving or displaying count packets
# -i any: monitor all network interfaces
# -w file: save the captured packets to a.pcap; the file can be opened in Wireshark
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
```

```
# -c count: exit after capturing count packets
sh-3.2# tcpdump -c 1 -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
17:32:05.155429 IP 192.168.0.108.58448 > 17.57.145.7.5223: Flags [R.], seq 2009854550, ack 1819239997, win 2048, length 0
1 packet captured
37 packets received by filter
0 packets dropped by kernel
sh-3.2#
```

```
# -c skip,count: the second form of -c: skip the first skip packets, then capture count packets and stop
# skip (before the comma) is required, count (after the comma) is optional
sh-3.2# tcpdump -c 5,3 -i any
# a comma with no count: skip the first 5 packets, then keep capturing without exiting
sh-3.2# tcpdump -c 5, -i any
```

```
# -C file_size: before writing a raw packet to the savefile, check whether the file is larger than file_size (in units of 1000000 bytes)
# -w file: the savefile
# if the file exceeds file_size, close it and open a new file to continue writing
# the new file is named "file" followed by "idx", with idx starting at 1
sh-3.2# tcpdump -C 5 -i any -w f.pcap
# note: file_size is an approximate value, not an exact one
# the files are named: file file1 file2 file3 ... filen
sh-3.2# ls -lr
-rw-r--r--  1 root  wheel  1782772  5  2 16:19 f.pcap7
-rw-r--r--  1 root  wheel  5000952  5  2 16:19 f.pcap6
-rw-r--r--  1 root  wheel  5001304  5  2 16:19 f.pcap5
-rw-r--r--  1 root  wheel  5000300  5  2 16:19 f.pcap4
-rw-r--r--  1 root  wheel  5000748  5  2 16:19 f.pcap3
-rw-r--r--  1 root  wheel  5000344  5  2 16:19 f.pcap2
-rw-r--r--  1 root  wheel  5000160  5  2 16:18 f.pcap1
-rw-r--r--  1 root  wheel  5000264  5  2 16:18 f.pcap
sh-3.2#
```

```
# -d: dump the compiled packet-matching code in a human-readable form to standard output
sh-3.2# tcpdump -d
tcpdump: data link type PKTAP
(000) ret      #262144
# -dd: dump the packet-matching code as a C program fragment
sh-3.2# tcpdump -dd
tcpdump: data link type PKTAP
{ 0x6, 0, 0, 0x00040000 },
# -ddd: dump the packet-matching code as decimal numbers (preceded by a count)
sh-3.2# tcpdump -ddd
tcpdump: data link type PKTAP
1
6 0 0 262144
```

```
# -D: print the list of network interfaces on the system on which tcpdump can capture packets
# each interface has a number and a name, and possibly a description of the interface
# the number or the name can be given to the -i option to say which interface to capture on
# this option exists because some systems, e.g. Windows or systems without ifconfig -a, cannot list this information otherwise
# the number is useful on Windows 2000 and later, where interface names are complicated strings
# if the libpcap tcpdump was built with lacks the pcap_findalldevs function, this option is not supported
fh@Feihu-3 ~ % tcpdump -D
1.en0 [Up, Running]
2.awdl0 [Up, Running]
3.llw0 [Up, Running]
4.utun0 [Up, Running]
5.ap1 [Up, Running]
6.utun1 [Up, Running]
7.lo0 [Up, Running, Loopback]
8.bridge0 [Up, Running]
9.en1 [Up, Running]
10.en2 [Up, Running]
11.en3 [Up, Running]
12.en4 [Up, Running]
13.gif0 [none]
14.stf0 [none]
```

```
# -e: print the link-layer header on each line,
# e.g. the MAC addresses of Ethernet and IEEE 802.11 frames
# if two devices on a LAN share the same IP address, this is how to tell which device a packet came from
sh-3.2# tcpdump -c 1 -e -i any
16:55:34.277368 80:8f:1d:66:9a:6e (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# output without -e
sh-3.2# tcpdump -c 1 -i any
16:55:45.235387 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
```

```
# -E spi@ipaddr algo:secret: use spi@ipaddr algo:secret to decrypt IPsec ESP packets addressed to addr
# that carry Security Parameter Index value spi
# several spi@ipaddr algo:secret values may be given, separated by commas or newlines
# algo may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none; the default is des-cbc
# packets can only be decrypted if tcpdump was compiled with decryption enabled
# secret is the ASCII text of the ESP secret key; if it begins with 0x it is read as a hexadecimal value
# the option assumes RFC 2406 ESP, not RFC 1827 ESP
# the option is intended for debugging; using it with real secret keys is discouraged,
# since an IPsec secret key on the command line is visible to others via ps and in other ways
# besides the syntax above, the syntax "file name" makes tcpdump read the values from a file; the file is opened
# when the first ESP packet is received, so any special privileges tcpdump was granted should have been dropped by then
[ -E spi@ipaddr algo:secret,... ]
```

```
# -f: print "foreign" IPv4 addresses numerically rather than symbolically
# TODO
sh-3.2# tcpdump -f -i any
16:46:36.813722 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
16:46:36.814783 IP 192.168.0.105.62980 > 192.168.1.1.domain: 6648 PTR? 1.0.168.192.in-addr.arpa. (42)
16:46:36.820954 IP 192.168.1.1.domain > 192.168.0.105.62980: 6648* 1/0/0 PTR 192.168.0.1. (67)
16:46:36.821712 IP 192.168.0.105.51227 > 192.168.1.1.domain: 4339 PTR? 255.255.255.255.in-addr.arpa. (46)
16:46:36.829809 IP 192.168.1.1.domain > 192.168.0.105.51227: 4339* 0/0/0 (46)
16:46:36.831042 IP 192.168.0.105.61722 > 192.168.1.1.domain: 3347 PTR? 105.0.168.192.in-addr.arpa. (44)
16:46:36.834207 IP 192.168.1.1.domain > 192.168.0.105.61722: 3347* 1/0/0 PTR 192.168.0.105. (71)
sh-3.2# tcpdump -i any
16:47:09.176906 ARP, Reply 192.168.0.1 is-at 54:75:95:7b:35:60 (oui Unknown), length 28
16:47:09.177804 IP 192.168.0.105.53642 > 192.168.1.1.domain: 59641 PTR? 1.0.168.192.in-addr.arpa. (42)
16:47:09.180557 IP 192.168.1.1.domain > 192.168.0.105.53642: 59641* 1/0/0 PTR 192.168.0.1. (67)
16:47:09.181364 IP 192.168.0.105.54508 > 192.168.1.1.domain: 42563 PTR? 105.0.168.192.in-addr.arpa. (44)
16:47:09.184506 IP 192.168.1.1.domain > 192.168.0.105.54508: 42563* 1/0/0 PTR 192.168.0.105. (71)
```

```
# -F file: use file as input for the filter expression; any additional expression on the command line is ignored
# the filter expression lives in the file exp: the destination port must be 80
sh-3.2# tcpdump -nn -i any -F exp
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:51:28.272523 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [SEW], seq 1230950913, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 976750906 ecr 0,sackOK,eol], length 0
16:51:28.300868 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 4276175339, win 4096, length 0
16:51:28.300922 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [P.], seq 0:77, ack 1, win 4096, length 77: HTTP: GET / HTTP/1.1
16:51:28.323539 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 2782, win 4052, length 0
16:51:28.323834 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [F.], seq 77, ack 2782, win 4096, length 0
16:51:28.334178 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [F.], seq 77, ack 2782, win 4096, options [nop,nop,sack 1 {1441:2782}], length 0
16:51:28.349878 IP 192.168.0.105.51833 > 36.152.44.95.80: Flags [.], ack 2783, win 4096, length 0
# a plain request to Baidu
fh@192 ~ % curl www.baidu.com
# create a file named exp whose filter selects packets with destination port 80
sh-3.2# cat exp
dst port 80
```

```
# -g: in verbose mode, do not insert a newline after the IP header, for easier parsing
# TODO
sh-3.2# tcpdump -g -vvv -c 3 -i any
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:55:45.885643 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.105 tell 192.168.0.1, length 28
16:55:45.885689 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.105 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
16:55:45.886959 IP (tos 0x0, ttl 64, id 19770, offset 0, flags [none], proto UDP (17), length 72) 192.168.0.105.54217 > 192.168.1.1.domain: [udp sum ok] 13832 PTR? 105.0.168.192.in-addr.arpa. (44)
3 packets captured
8 packets received by filter
0 packets dropped by kernel
sh-3.2#
```

```
# -G rotate_seconds: if both -G and -w are given, rotate to a new savefile every rotate_seconds seconds;
# the -w file name must then contain a time format; see man 3 strftime for the format
# if the -w name contains no time format, the original file is overwritten on each rotation
# if -C and -G are both given, the generated file names have the form file<count>
sh-3.2# tcpdump -G 3 -i any -w 'fh_%Y-%m-%d_%T.pcap'
# file names: fh_<year>-<month>-<day>_<hour>:<minute>:<second>.pcap
sh-3.2# ls -l
total 5560
-rw-r--r--  1 root  wheel  448  5  3 07:29 fh_2021-05-03_07:29:38.pcap
-rw-r--r--  1 root  wheel  352  5  3 07:29 fh_2021-05-03_07:29:50.pcap
-rw-r--r--  1 root  wheel  372  5  3 07:29 fh_2021-05-03_07:29:54.pcap
-rw-r--r--  1 root  wheel  552  5  3 07:30 fh_2021-05-03_07:30:02.pcap
# -G, -C and -w combined
sh-3.2# tcpdump -C 1 -G 100000 -i any -w f
# the resulting capture file names
sh-3.2# ls -lrt
total 30160
-rw-r--r--  1 root  wheel  1000128  5  3 16:04 f
-rw-r--r--  1 root  wheel  1000576  5  3 16:04 f1
-rw-r--r--  1 root  wheel  1001560  5  3 16:04 f2
-rw-r--r--  1 root  wheel  1000268  5  3 16:04 f3
-rw-r--r--  1 root  wheel  1000012  5  3 16:04 f4
-rw-r--r--  1 root  wheel  1000868  5  3 16:04 f5
-rw-r--r--  1 root  wheel  1000124  5  3 16:04 f6
```

```
# -H: attempt to detect 802.11s draft mesh headers
# TODO
```

```
# -i interface: the interface to capture on, given either as the interface name or as its number
# both can be obtained with tcpdump -D
# to capture on all interfaces, use tcpdump -i any
# normally, with any, the interfaces are not put into promiscuous mode, so in some cases you still need to name a specific interface
```

```
# -I: also written --monitor-mode; currently only supported on IEEE 802.11 Wi-Fi interfaces, and only on some operating systems
```

# TODO

# TODO

```
sh-3.2# tcpdump -J
Time stamp types for pktap (use option -j to set):
  host (Host)
```

```
# --time-stamp-precision: time stamp precision; only micro or nano, and the device must support it
sh-3.2# tcpdump -c 3 -i any --time-stamp-precision=micro
07:27:15.474324 IP 192.168.0.105.63096 > 17.248.165.105.https: Flags [P.], seq 1745755457:1745756013, ack 644458944, win 2048, options [nop,nop,TS val 842425166 ecr 4054084285], length 556
07:27:15.474879 IP 192.168.0.105.63096 > 17.248.165.105.https: Flags [P.], seq 556:655, ack 1, win 2048, options [nop,nop,TS val 842425166 ecr 4054084285], length 99
07:27:15.494650 IP 192.168.0.105.59318 > 192.168.1.1.domain: 48955 PTR? 105.0.168.192.in-addr.arpa. (44)
# capture three packets with nanosecond precision, which this device does not support
sh-3.2# tcpdump -c 3 -i any --time-stamp-precision=nano
tcpdump: any: Can't set nanosecond time stamp precision: That device doesn't support that time stamp precision
sh-3.2#
```

```
# -k: control the display of packet metadata; the value after the option lists the metadata types to show
# I: interface name or interface ID
# N: process name
# P: process ID
# S: service class
# D: direction
# C: comment
# C: flags
# U: process UUID
# V: verbose dump of pcap-ng blocks (not shown by default)
# A: show all metadata types
# does not seem to be supported on Linux
sh-3.2# tcpdump -l -i any -k INPSDCCUVA | grep 'proc QQMusic'
16:31:55.245774 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.108.57731 > .http: Flags [S], seq 598034964, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 803848705 ecr 0,sackOK,eol], length 0
sh-3.2# tcpdump -l -i any -k A | grep 'proc QQMusic'
16:37:59.984827 (en0, proc kernel_task:0:, eproc QQMusic:465:, svc BE, in, so) IP localhost.http > 192.168.0.108.57812: Flags [F.], seq 1219446476, ack 2542671645, win 1047, length 0
```

```
# -K: do not attempt to verify TCP, UDP and IP checksums;
# useful for interfaces that perform some or all of the checksum calculation in hardware,
# since otherwise all outgoing TCP checksums would be flagged as bad
sh-3.2# tcpdump -K -i any
```

-l

```
# -l: line-buffer standard output
sh-3.2# tcpdump -l -i any | tee data
16:09:35.951957 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
sh-3.2# cat data
16:09:35.951957 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# this lets you save to a file and watch the output in the terminal at the same time
# note: on some systems, e.g. Mac, tcpdump keeps capturing in the background even after the terminal is closed; on others closing the terminal stops the capture
sh-3.2# tcpdump -l -i any > tmp & tail -f tmp
[1] 22454
# 22454 is tcpdump's process ID
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:12:50.265227 IP 192.168.0.108.57267 > 141.226.231.48.https: Flags [P.], seq 1157134174:1157134385, ack 3885736249, win 4096, length 211
sh-3.2# pidof tcpdump
22454
sh-3.2# cat tmp
16:12:50.265227 IP 192.168.0.108.57267 > 141.226.231.48.https: Flags [P.], seq 1157134174:1157134385, ack 3885736249, win 4096, length 211
```

```
# -L: list the known data link types of the interface
sh-3.2# tcpdump -L
Data link types for pktap (use option -y to set):
  PKTAP (Apple DLT_PKTAP)
  RAW (Raw IP)
```

# TODO

```
# -M secret: if TCP packets carry the TCP-MD5 option (RFC 2385), use secret as the shared secret for validating their digests
# TODO
```

```
# -n: do not convert addresses (IP addresses, port numbers, etc.) to names
# the destination port is shown as 80
sh-3.2# tcpdump -n -i any dst port 80
17:03:54.503552 IP 192.168.0.105.51843 > 36.152.44.95.80: Flags [SEW], seq 3619108142, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 977496600 ecr 0,sackOK,eol], length 0
# the destination port is shown as http
sh-3.2# tcpdump -i any dst port 80
17:04:07.620053 IP 192.168.0.105.51844 > 36.152.44.96.http: Flags [SEW], seq 1916226026, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 977509699 ecr 0,sackOK,eol], length 0
```

-N

```
# -N: do not print the domain part of host names, e.g. 'nic.ddd.mil' is printed as 'nic'
```

```
# --number: print an optional packet number at the beginning of the line
# TODO: I have not found a use for it yet
```

```
# -O: do not run the packet-matching code optimizer
sh-3.2# tcpdump -O -i any
```

-P: use the pcap-ng file format for savefiles.

```
# -p: do not put the interface into promiscuous mode
# TODO: I have not found a use case yet
```

```
# filter captured packets by process
# Linux may not support this
# capture the network packets of QQMusic
sh-3.2# tcpdump -l -k A -i any -Q "pid=`pidof QQMusic`"
19:51:44.653768 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61177 > 112.12.18.35.http: Flags [F.], seq 2901431543, ack 439813618, win 2048, options [nop,nop,TS val 834357380 ecr 3175665935], length 0
19:52:00.347990 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [S], seq 1737074890, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373067 ecr 0,sackOK,eol], length 0
19:52:00.354345 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [S], seq 407543729, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373073 ecr 0,sackOK,eol], length 0
19:52:00.376527 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [S.], seq 4234791179, ack 1737074891, win 14280, options [mss 1440,sackOK,TS val 4105774949 ecr 834373067,nop,wscale 8], length 0
19:52:00.376579 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [.], ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 0
19:52:00.376586 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .https > 192.168.0.105.61245: Flags [S.], seq 2778593785, ack 407543730, win 14400, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
19:52:00.376605 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [.], ack 1, win 4096, length 0
19:52:00.377063 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [P.], seq 1:330, ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 329: HTTP: POST /3gmusic/fcgi-bin/imusic_tj HTTP/1.1
19:52:00.377136 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61244 > .http: Flags [P.], seq 330:891, ack 1, win 2052, options [nop,nop,TS val 834373095 ecr 4105774949], length 561: HTTP
19:52:00.377382 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61245 > .https: Flags [P.], seq 1:518, ack 1, win 4096, length 517
19:52:00.392525 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61246 > .http: Flags [S], seq 949130891, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373110 ecr 0,sackOK,eol], length 0
19:52:00.392772 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [.], ack 330, win 60, options [nop,nop,TS val 4105774954 ecr 834373095], length 0
19:52:00.393108 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:465:, svc BE, in, so) IP .http > 192.168.0.105.61244: Flags [.], ack 891, win 65, options [nop,nop,TS val 4105774954 ecr 834373095], length 0
19:52:00.394928 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61247 > .https: Flags [S], seq 3767223308, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373112 ecr 0,sackOK,eol], length 0
^C19:52:00.399340 (en0, proc QQMusic:465:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.61248 > 112.29.199.146.http: Flags [S], seq 475420522, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 834373116 ecr 0,sackOK,eol], length 0
```

```
# capture the packets of the running ping command that go out through interface en0
sh-3.2# tcpdump -l -n -k A -i any -Q "(pid=`pidof ping` && if=en0) && (dir=out)"
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
20:43:28.841764 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 99, length 64
20:43:29.844144 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 100, length 64
20:43:30.845564 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 101, length 64
20:43:31.850426 (en0, proc ping:24801:65df3803-6045-3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 57696, seq 102, length 64
```

```
# -Q direction: choose the send/receive direction of the packets to capture; the value may be in, out or inout
# only available on some platforms: on Mac Big Sur 11.1 it is reported as a syntax error, on Linux it works
# -Q direction: not supported here
sh-3.2# tcpdump -i any -Q inout
tcpdump: cannot parse term at:
tcpdump: invalid expression "inout"
```

```
# -q: quick output; lines are shorter because less protocol information is printed
# commonly used just to check whether two devices are communicating
sh-3.2# tcpdump -q -c 1 -i any
17:34:28.477717 IP 192.168.0.108.58502 > ec2-52-73-175-240.compute-1.amazonaws.com.https: tcp 77
```

```
# -B buffer_size: set the operating system capture buffer size, in KB
# -c count: exit after receiving or displaying count packets
# -i any: monitor all network interfaces
# -w file: save the captured packets to a.pcap; the file can be opened in Wireshark
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
# -r file: read packets from a savefile
# read a.pcap and print its packets
sh-3.2# tcpdump -r a.pcap
```

```
# -S: print absolute TCP sequence numbers
sh-3.2# tcpdump -S -c 5 -i any tcp
22:55:39.034056 IP 192.168.0.108.53416 > .https: Flags [P.], seq 102397009:102397357, ack 147569054, win 4096, length 348
# relative TCP sequence numbers (the default)
# note how much smaller the sequence numbers are
sh-3.2# tcpdump -c 5 -i any tcp
22:56:34.764683 IP 120.253.253.166.https > 192.168.0.108.53618: Flags [.], ack 399, win 424, options [nop,nop,TS val 683536312 ecr 790374160], length 0
22:56:34.805734 IP 120.253.253.166.https > 192.168.0.108.53618: Flags [P.], seq 1:165, ack 399, win 424, options [nop,nop,TS val 683536353 ecr 790374160], length 164
5 packets captured
```

```
# -s snaplen: the number of bytes to capture from each packet; 0 means no truncation
# snaplen bytes are taken from each packet instead of the default 262144 bytes. Packets truncated because of the limited snapshot are marked "[|proto]",
# where proto is the name of the protocol level at which the truncation occurred.
# a larger snapshot both increases the time needed to process packets and effectively reduces the amount of packet buffering, which may cause packets to be dropped.
# snaplen should be limited to the smallest number that will capture the protocol information of interest;
# setting snaplen to 0 sets it to the default of 262144 bytes
# tcpdump -i any -s 0
```

```
# -T type: force packets to be interpreted as protocol type
# TODO: not used yet
```

```
# without -t and friends, the time is printed as hour:minute:second.microseconds
sh-3.2# tcpdump -q -c 1 -i any
17:31:54.639053 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
# -t: do not print a timestamp
sh-3.2# tcpdump -q -t -c 1 -i any
ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# -tt: print the time as seconds since the epoch (UTC), with microsecond precision
sh-3.2# tcpdump -q -tt -c 1 -i any
1619948152.308620 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
# -ttt: the time difference between the current line and the previous line, microsecond precision
sh-3.2# tcpdump -q -ttt -c 5 -i any
00:00:00.000000 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
00:00:00.000040 ARP, Reply 192.168.0.108 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
00:00:01.023767 ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
00:00:09.320029 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
00:00:01.739861 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
# -tttt: year-month-day hour:minute:second
sh-3.2# tcpdump -q -tttt -c 5 -i any
2021-05-02 17:36:29.379506 ARP, Request who-has 192.168.0.100 tell 192.168.0.1, length 28
# -ttttt: the time difference between the current line and the first line
sh-3.2# tcpdump -q -ttttt -c 5 -i any
00:00:00.000000 ARP, Request who-has 192.168.0.104 tell 192.168.0.1, length 28
00:00:00.002959 IP 192.168.0.108.63825 > 192.168.1.1.domain: UDP, length 44
00:00:00.024223 IP 192.168.1.1.domain > 192.168.0.108.63825: UDP, length 44
00:00:00.027152 IP 192.168.0.108.63529 > 192.168.1.1.domain: UDP, length 42
00:00:00.043833 IP 192.168.1.1.domain > 192.168.0.108.63529: UDP, length 42
# -t n: n selects one of -t -tt -ttt -tttt -ttttt above; n is in the range [0, 5]
# -t 4 means -tttt: year-month-day hour:minute:second
sh-3.2# tcpdump -q -t 4 -c 5 -i any
2021-05-02 22:10:33.504936 ARP, Request who-has 192.168.0.108 tell 192.168.0.1, length 28
2021-05-02 22:10:33.504960 ARP, Reply 192.168.0.108 is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 28
2021-05-02 22:10:33.507086 IP 192.168.0.108.50613 > 192.168.1.1.domain: UDP, length 44
2021-05-02 22:10:33.527680 IP 192.168.1.1.domain > 192.168.0.108.50613: UDP, length 44
2021-05-02 22:10:33.530574 IP 192.168.0.108.52033 > 192.168.1.1.domain: UDP, length 42
```

# TODO: I have not found a use case yet

```
# -u: print undecoded NFS handles
# TODO
```

```
# -U: when -w is used, write each packet to the savefile as soon as it is saved rather than waiting for the output buffer to fill
```

```
# -v: verbose output
# e.g. time to live (TTL), identification, total length and options
# plus full IP and ICMP header checksum verification
sh-3.2# tcpdump -v -c 1 -i any
07:11:58.204064 IP (tos 0x0, ttl 64, id 58584, offset 0, flags [none], proto UDP (17), length 68)
    192.168.0.108.50687 > 192.168.1.1.domain: 12358 Type65? oc.cgiaccess.tc.qq.com. (40)
# -vv: even more verbose output, e.g. NFS reply packets and SMB packets are fully decoded
sh-3.2# tcpdump -vv -c 1 -i any
07:12:03.135693 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.0.108.59311 > hn.kd.ny.adsl.http: Flags [S], cksum 0xfedc (correct), seq 2245791363, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 813143821 ecr 0,sackOK,eol], length 0
# -vvv: still more verbose output, e.g. telnet SB ... SE options are printed in full
sh-3.2# tcpdump -vvv -c 1 -i any
07:12:09.490236 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.0.108.59307 > 113.207.16.43.http: Flags [S], cksum 0xe2ff (correct), seq 245316099, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 813150168 ecr 0,sackOK,eol], length 0
```

```
# -V file: read a list of filenames from file. Standard input is used if file is ``-''.
# TODO
```

```
# -B buffer_size: set the operating system capture buffer size, in KB
# -c count: exit after receiving or displaying count packets
# -i any: monitor all network interfaces
# -w file: save the captured packets to a.pcap; the file can be opened in Wireshark
sh-3.2# tcpdump -B 10 -c 3 -i any -w a.pcap
```

```
# note: -W and -G are normally not combined; the effect of combining them is shown below, and only these 10 files remain
# combined with -G, -W limits the number of savefiles; when that number is reached, tcpdump exits
sh-3.2# tcpdump -G 3 -i any -W 10 -w 'fh_%Y-%m-%d_%T.pcap'
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
Maximum file limit reached: 10
85 packets captured
86 packets received by filter
0 packets dropped by kernel
sh-3.2#
sh-3.2# ls -l
total 80
-rw-r--r--  1 root  wheel  1748  5  3 18:01 fh_2021-05-03_18:01:06.pcap
-rw-r--r--  1 root  wheel  1720  5  3 18:01 fh_2021-05-03_18:01:09.pcap
-rw-r--r--  1 root  wheel  2012  5  3 18:01 fh_2021-05-03_18:01:13.pcap
-rw-r--r--  1 root  wheel  2464  5  3 18:01 fh_2021-05-03_18:01:16.pcap
-rw-r--r--  1 root  wheel  2220  5  3 18:01 fh_2021-05-03_18:01:19.pcap
-rw-r--r--  1 root  wheel   972  5  3 18:01 fh_2021-05-03_18:01:22.pcap
-rw-r--r--  1 root  wheel   656  5  3 18:01 fh_2021-05-03_18:01:25.pcap
-rw-r--r--  1 root  wheel  2156  5  3 18:01 fh_2021-05-03_18:01:28.pcap
-rw-r--r--  1 root  wheel   660  5  3 18:01 fh_2021-05-03_18:01:31.pcap
-rw-r--r--  1 root  wheel  2736  5  3 18:01 fh_2021-05-03_18:01:34.pcap
```

```
# -W filecount: used together with -C, limits the number of files that can be created
# once a file exceeds the size threshold, the next file is opened,
# and the oldest files are overwritten in turn,
# so the files act as a ring buffer of filecount files
# the option also pads each file name with enough leading zeros for the files to sort correctly
sh-3.2# tcpdump -C 10 -i any -W 10 -w f.pcap
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
sh-3.2# ls -l
total 202832
-rw-r--r--  1 root  wheel  10001184  5  3 20:46 f.pcap0
-rw-r--r--  1 root  wheel  10000676  5  3 20:46 f.pcap1
-rw-r--r--  1 root  wheel  10000264  5  3 20:46 f.pcap2
-rw-r--r--  1 root  wheel   9436328  5  3 20:46 f.pcap3
-rw-r--r--  1 root  wheel  10001368  5  3 20:46 f.pcap4
-rw-r--r--  1 root  wheel  10000500  5  3 20:46 f.pcap5
-rw-r--r--  1 root  wheel  10001580  5  3 20:46 f.pcap6
-rw-r--r--  1 root  wheel  10001344  5  3 20:46 f.pcap7
-rw-r--r--  1 root  wheel  10000036  5  3 20:46 f.pcap8
-rw-r--r--  1 root  wheel  10001576  5  3 20:46 f.pcap9
```

```
# -x: when parsing and printing, also print the headers and data of each packet in hex (without the link-layer header)
# the smaller of the whole packet and snaplen bytes is printed
# if a higher-layer protocol is short and the frame is padded, the padding bytes are printed too
sh-3.2# tcpdump -x -c 1 -i any
07:15:15.184806 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
        0x0000:  ffff ffff ffff 808f 1d66 9a6e 0800 4500
        0x0010:  0091 2e6a 0000 4011 8b49 c0a8 0001 ffff
        0x0020:  ffff 0400 1389 007d f2f5 0101 0e00 e12b
        0x0030:  83c7 f391 0067 0000 0006 000a 544c 2d57
        0x0040:  4452 3536 3730 000b 0003 312e 3000 0700
        0x0050:  0101 0005 0011 3830 2d38 462d 3144 2d36
        0x0060:  362d 3941 2d36 4500 0800 0b31 3932 2e31
        0x0070:  3638 2e30 2e31 0009 000a 7470 6c6f 6769
        0x0080:  6e2e 636e 000a 000e 544c 2d57 4452 3536
        0x0090:  3730 2031 2e30 000c 0005 312e 372e 34
# -xx: when parsing and printing, also print the headers and data of each packet in hex (including the link-layer header)
sh-3.2# tcpdump -xx -c 1 -i any
07:15:21.845351 IP 192.168.0.1 > all-systems.mcast.net: igmp query v2
        0x0000:  9c00 0000 0100 0000 0100 0000 656e 3000
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0020:  0000 0000 0100 0000 0200 0000 0e00 0000
        0x0030:  0000 0000 ffff ffff 0000 0000 0000 0000
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0050:  0600 0000 ffff ffff 0000 0000 0000 0000
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0090:  0000 0000 0000 0000 0000 0000 e0b5 5ff2
        0x00a0:  bba3 808f 1d66 9a6e 0800 4664 0020 0000
        0x00b0:  0000 0102 83c9 c0a8 0001 e000 0001 9404
        0x00c0:  0000 1164 ee9b 0000 0000
```

```
# -X: print the headers and data of each packet in hex and ASCII (without the link-layer header)
sh-3.2# tcpdump -X -c 1 -i any
09:27:02.294497 IP 192.168.0.108.59641 > 17.57.145.85.5223: Flags [P.], seq 2947289557:2947289591, ack 1286537765, win 2048, options [nop,nop,TS val 815292931 ecr 1521406707], length 34
        0x0000:  808f 1d66 9a6e e0b5 5ff2 bba3 0800 4500  ...f.n.._.....E.
        0x0010:  0056 0000 4000 4006 d6ff c0a8 006c 1139  .V..@.@......l.9
        0x0020:  9155 e8f9 1467 afac 11d5 4caf 0225 8018  .U...g....L..%..
        0x0030:  0800 c0de 0000 0101 080a 3098 6203 5aae  ..........0.b.Z.
        0x0040:  d2f3 1703 0300 1d36 51f7 2f2f 61dc aec8  .......6Q.//a...
        0x0050:  3e9f 7142 ad7d 2c52 17cb 3f69 5844 5a0b  >.qB.},R..?iXDZ.
        0x0060:  b730 68b2                                .0h.
# -XX: print the headers and data of each packet in hex and ASCII (including the link-layer header)
sh-3.2# tcpdump -XX -c 1 -i any
09:27:19.770828 ARP, Request who-has 192.168.0.102 tell 192.168.0.1, length 28
        0x0000:  9c00 0000 0100 0000 0100 0000 656e 3000  ............en0.
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0100 0000 0200 0000 0e00 0000  ................
        0x0030:  0000 0000 ffff ffff 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0600 0000 ffff ffff 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 ffff ffff  ................
        0x00a0:  ffff 808f 1d66 9a6e 0806 0001 0800 0604  .....f.n........
        0x00b0:  0001 808f 1d66 9a6e c0a8 0001 0000 0000  .....f.n........
        0x00c0:  0000 c0a8 0066                           .....f
```

```
# -y datalinktype: set the data link type of the packets to capture; the possible values are listed by tcpdump -L
sh-3.2# tcpdump -c 3 -i any -y PKTAP
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
07:13:18.510220 IP 192.168.0.108.50031 > 192.168.1.1.domain: 52163 Type65? init.itunes.apple.com. (39)
07:13:18.510370 IP 192.168.0.108.53892 > 192.168.1.1.domain: 51314 A? init.itunes.apple.com. (39)
07:13:18.511977 IP 192.168.0.108.59574 > 192.168.1.1.domain: 31671 PTR? 1.1.168.192.in-addr.arpa. (42)
```

# TODO

```
# -Z user: if tcpdump is running as root,
# after opening the capture device or input savefile, but before opening any output savefile,
# change the user ID to user and the group ID to user's primary group
# this behaviour is enabled at compile time
```

Simple Example

```
# capture packets sent from or arriving at sundown
tcpdump host sundown
```

```
# capture traffic between helios and either hot or ace
# note: parentheses have a special meaning to the shell, so they must be escaped
sh-3.2# tcpdump host helios and \( hot or ace \)
# single quotes work too
sh-3.2# tcpdump host 'helios and ( hot or ace )'
```

```
# capture IP packets between host ace and any other host except helios
tcpdump ip host ace and not helios
```

```
# According to the TCP specification the flag bits are
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
# 128 |  64 |  32 |  16 |   8 |   4 |   2 |   1
# the protocol stores these flags in a single byte,
# so every flag that is set has its bit equal to 1
# the value of tcp[13] is the byte made up of all the flag bits
# for example, with SYN and ECE set and every other flag clear:
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
#   0 |   1 |   0 |   0 |   0 |   0 |   1 |   0
# binary 01000010 in decimal is 2 + 64 = 66
# capture packets whose TCP header has SYN=1
# tcpflags and tcp-syn are fixed keywords
sh-3.2# tcpdump -c 3 -i any tcp[tcpflags] == tcp-syn
10:35:52.530024 IP 192.168.0.105.50185 > 36.152.44.95.http: Flags [S], seq 2376496549, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 961791043 ecr 0,sackOK,eol], length 0
# capture packets whose TCP header has SYN=1
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & tcp-syn != 0"
10:46:13.462082 IP 192.168.0.105.50230 > 17.57.145.138.5223: Flags [SEW], seq 2859770077, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 962410554 ecr 0,sackOK,eol], length 0
# capture packets with SYN=1 and every other flag 0
# 13 is the octet index within the TCP header, i.e. the 14th byte
sh-3.2# tcpdump -c 3 -i any tcp[13] == 2
10:37:04.078781 IP 192.168.0.105.50186 > 36.152.44.95.http: Flags [S], seq 2470176140, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 961862485 ecr 0,sackOK,eol], length 0
# capture packets with SYN=1, other flags unspecified
sh-3.2# tcpdump -c 3 -i any 'tcp[13] & 2 != 0'
10:43:36.097897 IP 112.12.18.35.http > 192.168.0.105.50220: Flags [S.E], seq 2162058548, ack 687473791, win 24560, options [mss 1240,sackOK,TS val 3488808144 ecr 962253657,nop,wscale 7], length 0
# capture packets with SYN=1
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & 2 != 0"
10:48:18.979423 IP 112.13.113.177.https > 192.168.0.105.50239: Flags [S.E], seq 2878024220, ack 3660935114, win 65535, options [mss 1240,nop,nop,sackOK,nop,wscale 7], length 0
# capture packets with SYN=1
# the SYN flag must be 1
sh-3.2# tcpdump -c 3 -i any "tcp[13] & tcp-syn != 0"
10:50:02.277088 IP 114.215.201.167.https > 192.168.0.105.50240: Flags [S.E], seq 3713319443, ack 3904450841, win 28960, options [mss 1444,sackOK,TS val 813836359 ecr 962638984,nop,wscale 7], length 0
```

```
# combined flags
# capture packets with S or E set: S is 2, E is 64
sh-3.2# tcpdump -c 3 -i any "tcp[13] & 66 != 0"
10:52:43.165572 IP 192.168.0.105.50253 > 112.13.113.175.https: Flags [SEW], seq 2596521973, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 962799488 ecr 0,sackOK,eol], length 0
10:52:43.170984 IP 112.13.113.175.https > 192.168.0.105.50253: Flags [S.E], seq 1776611129, ack 2596521974, win 65535, options [mss 1240,nop,nop,sackOK,nop,wscale 7], length 0
```

```
# capture packets whose TCP header has SYN=1 or ACK=1
sh-3.2# tcpdump -c 3 -i any "tcp[13] == 2 || tcp[13] == 16"
11:04:16.448140 IP 192.168.0.105.50305 > 202.89.233.100.http: Flags [.], ack 4288857099, win 4096, length 0
11:04:16.484528 IP 202.89.233.100.http > 192.168.0.105.50305: Flags [.], ack 76, win 2052, length 0
11:04:16.488353 IP 192.168.0.105.50305 > 202.89.233.100.http: Flags [.], ack 252, win 4092, length 0
3 packets captured
# capture packets whose TCP header has SYN=1 or ACK=1
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] == tcp-syn || tcp[tcpflags] == tcp-ack"
11:05:36.259971 IP 192.168.0.105.50307 > 202.89.233.100.http: Flags [.], ack 1056415600, win 4096, length 0
11:05:36.294120 IP 202.89.233.100.http > 192.168.0.105.50307: Flags [.], ack 76, win 2052, length 0
11:05:36.296395 IP 192.168.0.105.50307 > 202.89.233.100.http: Flags [.], ack 252, win 4092, length 0
# capture packets whose TCP header has SYN=1 or ACK=1
sh-3.2# tcpdump -c 3 -i any "tcp[tcpflags] & (tcp-syn | tcp-ack) != 0"
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:06:49.538196 IP 192.168.0.105.50317 > 202.89.233.100.http: Flags [SEW], seq 1874972306, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 963643859 ecr 0,sackOK,eol], length 0
11:06:49.575793 IP 202.89.233.100.http > 192.168.0.105.50317: Flags [S.E], seq 2830925598, ack 1874972307, win 65535, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
11:06:49.575892 IP 192.168.0.105.50317 > 202.89.233.100.http: Flags [.], ack 1, win 4096, length 0
```
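The flag arithmetic behind the tcp[13] filters above (the SYN+ECE byte 66, `== 2` versus `& 2 != 0`, the `||` and `(tcp-syn | tcp-ack)` forms) worked through in code. This is an added example, not part of the original notes or of tcpdump: it rebuilds the raw bytes of the TCP packet printed by `tcpdump -X -c 1 -i any` in the -X section above, locates tcp[13] in it, renders the flags the way tcpdump's `Flags [...]` column does, and evaluates the same predicates against that byte. The flag names, bit values and letter order are those tcpdump uses; the parser assumes the dump starts with an Ethernet header when EtherType 0x0800 is at offset 12, which is what this macOS build printed.

```python
"""Decode tcp[13] from a tcpdump -X hex dump and evaluate the flag filters used in these notes.

Added example, not code from the original notes or from tcpdump itself.
"""
import re

# The symbolic names tcpdump's filter language accepts and the bit each one sets in tcp[13]
TCP_FLAG_BITS = {
    "tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04, "tcp-push": 0x08,
    "tcp-ack": 0x10, "tcp-urg": 0x20, "tcp-ece": 0x40, "tcp-cwr": 0x80,
}

# Letters tcpdump prints inside "Flags [...]", in the order it prints them (ACK is "."),
# so SYN+ECE+CWR renders as "SEW" and SYN+ACK+ECE as "S.E", as seen in the captures above
FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

# Sample input: the hex dump printed by `tcpdump -X -c 1 -i any` in the -X section of these notes
# (copied from the page). On this macOS build the dump starts with the 14-byte Ethernet header.
SAMPLE_DUMP = """\
0x0000:  808f 1d66 9a6e e0b5 5ff2 bba3 0800 4500  ...f.n.._.....E.
0x0010:  0056 0000 4000 4006 d6ff c0a8 006c 1139  .V..@.@......l.9
0x0020:  9155 e8f9 1467 afac 11d5 4caf 0225 8018  .U...g....L..%..
0x0030:  0800 c0de 0000 0101 080a 3098 6203 5aae  ..........0.b.Z.
0x0040:  d2f3 1703 0300 1d36 51f7 2f2f 61dc aec8  .......6Q.//a...
0x0050:  3e9f 7142 ad7d 2c52 17cb 3f69 5844 5a0b  >.qB.},R..?iXDZ.
0x0060:  b730 68b2                                .0h.
"""


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw packet bytes from the hex column of tcpdump -x/-X output."""
    raw = bytearray()
    for line in dump.splitlines():
        # columns are separated by runs of two or more spaces: offset, hex words, ASCII
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue
        raw += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(raw)


def tcp_header_offset(pkt: bytes) -> int:
    """Byte offset of the TCP header: skip an Ethernet header if present, then the IPv4 header (IHL words)."""
    off = 14 if len(pkt) >= 14 and pkt[12:14] == b"\x08\x00" else 0  # EtherType 0x0800 = IPv4
    version, ihl = pkt[off] >> 4, pkt[off] & 0x0F
    if version != 4 or pkt[off + 9] != 6:  # IPv4 protocol field 6 = TCP
        raise ValueError("not an IPv4/TCP packet")
    return off + ihl * 4


def tcp13(pkt: bytes) -> int:
    """The flags byte, i.e. exactly what the filter expression tcp[13] reads (octet index 13, the 14th byte)."""
    return pkt[tcp_header_offset(pkt) + 13]


def flags_str(flags: int) -> str:
    """Render a flags byte the way tcpdump shows it inside Flags [...]."""
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)


def tcpflags_mask(*names: str) -> int:
    """Value of a filter sub-expression such as (tcp-syn | tcp-ece); tcp-syn | tcp-ece is 2 + 64 = 66."""
    mask = 0
    for name in names:
        mask |= TCP_FLAG_BITS[name]
    return mask


# The filter shapes used in the notes, as predicates over the flags byte.
# Both pcap's filter language and Python bind & tighter than == and !=, so `f & 2 != 0` is `(f & 2) != 0`.
FILTERS = {
    "tcp[13] == 2": lambda f: f == 2,                              # SYN alone, every other flag 0
    "tcp[13] & 2 != 0": lambda f: f & 2 != 0,                      # SYN set, other flags unspecified
    "tcp[13] & 66 != 0": lambda f: f & 66 != 0,                    # SYN or ECE set
    "tcp[13] == 2 || tcp[13] == 16": lambda f: f == 2 or f == 16,  # exactly SYN or exactly ACK
    "tcp[tcpflags] & (tcp-syn | tcp-ack) != 0":
        lambda f: f & tcpflags_mask("tcp-syn", "tcp-ack") != 0,   # SYN or ACK set
}


def evaluate(flags: int) -> dict:
    """Which of the filters above would match a packet carrying this flags byte."""
    return {expr: pred(flags) for expr, pred in FILTERS.items()}


if __name__ == "__main__":
    pkt = parse_hex_dump(SAMPLE_DUMP)
    f = tcp13(pkt)
    print(f"tcp[13] = {f:#04x} ({f}) -> Flags [{flags_str(f)}]")  # 0x18 (24) -> Flags [P.]
    for expr, hit in evaluate(f).items():
        print(f"{expr:45} {'match' if hit else 'no match'}")
    syn_ece = tcpflags_mask("tcp-syn", "tcp-ece")
    print(f"tcp-syn | tcp-ece = {syn_ece} -> Flags [{flags_str(syn_ece)}]")  # 66 -> Flags [SE]
```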

# Capture ICMP reply packets
sh-3.2# tcpdump -l -i any 'icmp[icmptype] == icmp-echoreply'
11:11:17.364314 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 0, length 64
11:11:18.367304 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 1, length 64
11:11:19.382795 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 2, length 64
11:11:20.375911 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 3, length 64
11:11:21.386021 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 4, length 64
11:11:22.390280 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 31748, seq 5, length 64

# Capture outgoing ICMP packets (echo requests)
sh-3.2# tcpdump -l -i any 'icmp[icmptype] == icmp-echo'
11:12:11.536154 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 31748, seq 54, length 64
11:12:12.538711 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 31748, seq 55, length 64

# Capture packets whose TCP header has SYN or FIN set
sh-3.2# tcpdump -c 3 -i any 'tcp[tcpflags] & (tcp-syn | tcp-fin) != 0'
11:18:30.044806 IP 192.168.0.105.50348 > 36.152.44.96.http: Flags [SEW], seq 2552582652, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 964343308 ecr 0,sackOK,eol], length 0
11:18:30.070423 IP 36.152.44.96.http > 192.168.0.105.50348: Flags [S.EW], seq 1113793641, ack 2552582653, win 8192, options [mss 1444,nop,wscale 5,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,sackOK,eol], length 0
11:18:30.090726 IP 192.168.0.105.50348 > 36.152.44.96.http: Flags [F.], seq 78, ack 2782, win 4096, length 0

# Wrong example: watch the spelling, the keyword is tcpflags, not tcp-flags
sh-3.2# tcpdump -c 3 -i any 'tcp[tcp-flags] & (tcp-syn | tcp-fin) != 0'
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed

# Capture packets whose length is less than or equal to 64
sh-3.2# tcpdump -i any 'len <= 64'
11:26:36.537212 IP 192.168.0.106 > 224.0.0.251: igmp v2 report 224.0.0.251
11:26:36.639064 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:26:40.633276 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:26:49.644929 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:26:49.644936 ARP, Request who-has 192.168.0.104 tell 192.168.0.1, length 28
11:26:50.668792 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:26:52.614550 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28

# less x is equivalent to len <= x
sh-3.2# tcpdump -i any 'less 64'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:28:02.657862 ARP, Request who-has 192.168.0.106 tell 192.168.0.1, length 28
11:28:02.965671 IP 192.168.0.106 > 224.0.0.251: igmp v2 report 224.0.0.251
11:28:07.675190 ARP, Request who-has 192.168.0.110 tell 192.168.0.1, length 28
11:28:08.333329 IP 192.168.0.105.50372 > .https: Flags [.], ack 726486359, win 4096, length 0

# greater x is equivalent to len > x
sh-3.2# tcpdump -i any 'greater 15'
11:28:48.411257 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 48132, seq 191, length 64
11:28:48.413868 IP 192.168.0.105.58130 > 192.168.1.1.domain: 30895 PTR? 105.0.168.192.in-addr.arpa. (44)
11:28:48.422369 IP 192.168.1.1.domain > 192.168.0.105.58130: 30895* 1/0/0 PTR 192.168.0.105. (71)
11:28:48.424873 IP 192.168.0.105.54997 > 192.168.1.1.domain: 42652 PTR? 95.44.152.36.in-addr.arpa. (43)
11:28:48.433663 IP 192.168.1.1.domain > 192.168.0.105.54997: 42652 NXDomain* 0/0/0 (43)
11:28:48.435863 IP 192.168.0.105.51512 > 192.168.1.1.domain: 7793 PTR? 1.1.168.192.in-addr.arpa. (42)
11:28:48.439439 IP 192.168.1.1.domain > 192.168.0.105.51512: 7793* 1/0/0 PTR 192.168.1.1. (67)
11:28:48.439452 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 191, length 64
11:28:49.415585 IP 192.168.0.105 > 36.152.44.95: ICMP echo request, id 48132, seq 192, length 64
11:28:49.443141 IP 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 192, length 64

# Capture packets whose length is exactly 71
sh-3.2# tcpdump -i any 'len == 71'
11:31:20.306112 IP 192.168.0.105.64280 > 192.168.1.1.domain: 35181 Type65? p1.glb6.com. (29)
11:31:20.306445 IP 192.168.0.105.55012 > 192.168.1.1.domain: 7495 A? p1.glb6.com. (29)
11:31:20.315468 IP 192.168.1.1.domain > 192.168.0.105.64280: 35181 0/0/0 (29)

# Capture ping replies whose MAC address is 54:75:95:7b:35:60
# In this case another terminal keeps pinging www.baidu.com, and the MAC address 54:75:95:7b:35:60 is the one the Baidu replies arrive from
# src can be put in front of host to state the direction, i.e. coming from Baidu's side
sh-3.2# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether host 54:75:95:7b:35:60'
11:37:35.310634 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 716, length 64
11:37:36.318294 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 717, length 64
11:37:37.314188 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 718, length 64
11:37:38.323501 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 719, length 64
11:37:39.328558 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 720, length 64
11:37:40.321349 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.95 > 192.168.0.105: ICMP echo reply, id 48132, seq 721, length 64

# In the other terminal:
fh@192 ~ % ping www.baidu.com

# Capture ping replies whose source MAC address is 54:75:95:7b:35:60
sh-3.2# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether src host 54:75:95:7b:35:60'
11:49:40.812524 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 17, length 64
11:49:41.818021 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 18, length 64
11:49:42.814954 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 19, length 64
11:49:43.823059 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 20, length 64
11:49:44.826890 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 21, length 64
11:49:45.826942 54:75:95:7b:35:60 (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 7429, seq 22, length 64
^C

# Broadcast
sh-3.2# tcpdump -i any ether broadcast
11:41:31.679469 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:41:34.750550 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:41:35.674033 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:41:39.666861 ARP, Request who-has 192.168.0.106 tell 192.168.0.1, length 28

# Multicast
sh-3.2# tcpdump -i any ether multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:42:47.659987 ARP, Request who-has 192.168.0.105 tell 192.168.0.1, length 28
11:42:49.707712 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28
11:42:49.707729 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
11:42:50.731564 ARP, Request who-has 192.168.0.107 tell 192.168.0.1, length 28

# IPv4 multicast
sh-3.2# tcpdump -i any ip multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
11:44:55.661623 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:15.630119 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:35.701241 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117
11:45:55.672420 IP 192.168.0.1.1024 > broadcasthost.commplex-link: UDP, length 117

# IPv6 multicast
sh-3.2# tcpdump -i any ip6 multicast
11:47:38.380803 IP6 fe80::7:29a1:df91:ad39 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
11:47:38.483198 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483273 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483646 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483673 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:38.483732 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.488898 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.488967 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:47:39.489085 IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 9.3.d.a.1.9.f.d.1.a.9.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)

# Filter packets whose TCP dst port is 80 and src port is 51061, matching directly on the TCP header bytes
sh-3.2# lsof -nP | grep -i qqmusic | grep TCP
QQMusic 585 fh 37u IPv4 0x593c30f6d1324cb3 0t0 TCP 192.168.0.105:51061->112.12.18.34:80 (ESTABLISHED)

tcp[n:c]: the c bytes starting at byte n, i.e. the range [n, n+c-1], unit: bytes. Ports are the first four bytes of the TCP header: tcp[0:2] is the source port and tcp[2:2] the destination port.

# Comparing the port numbers below with the lsof output shows the captured packets are the right ones.
sh-3.2# tcpdump -l -nn -k A -i any 'tcp[2:2] == 80 && tcp[0:2] == 51061'
13:59:15.663518 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51061 > 112.12.18.34.80: Flags [F.], seq 1803106724, ack 809620981, win 2834, options [nop,nop,TS val 971045141 ecr 3500502658], length 0
13:59:15.683182 (en0, proc QQMusic:585:, svc BE, out, so) IP 192.168.0.105.51061 > 112.12.18.34.80: Flags [.], ack 2, win 5156, options [nop,nop,TS val 971045160 ecr 3500559870], length 0
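The flag-byte arithmetic from the start of this section and the tcp[n:c] slice notation just above, as an added Python example that is not part of the original notes: it builds a constructed 20-byte TCP header, reads tcp[13], tcp[0:2] and tcp[2:2] the way the filter does, and shows why `tcp[13] == 2` misses the [SEW] and [S.E] handshake segments that `tcp[13] & 2 != 0` catches. The header builder, the letter ordering and the sample ports are my assumptions (the ports mirror the lsof case above).

```python
# Added example, not from the original notes: a small model of how the
# tcp[13] flag tests and the tcp[n:c] byte slices are evaluated on a header.
import struct

# Flag letters in the order tcpdump prints them in "Flags [...]", with their
# bit values ('.' is ACK, 'W' is CWR); same values as tcp-fin ... tcp-cwr.
FLAG_BITS = [("F", 1), ("S", 2), ("R", 4), ("P", 8),
             (".", 16), ("U", 32), ("E", 64), ("W", 128)]

def flags_to_byte(letters):
    """'S.E' -> 82: the value tcp[13] holds for a SYN+ACK+ECE segment."""
    return sum(bit for letter, bit in FLAG_BITS if letter in letters)

def byte_to_flags(value):
    """82 -> 'S.E': render a flag byte the way tcpdump's Flags field does."""
    return "".join(letter for letter, bit in FLAG_BITS if value & bit)

def build_tcp_header(src_port, dst_port, letters):
    """Constructed 20-byte TCP header with no options; seq, ack, checksum and
    urgent pointer are zero and the window is 65535 (dummy values)."""
    data_offset = 5 << 4          # high nibble of octet 12: 5 words = 20 bytes
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags_to_byte(letters), 65535, 0, 0)

def tcp_slice(hdr, n, c=1):
    """tcp[n:c]: c bytes starting at octet n (0-based), as a big-endian int."""
    return int.from_bytes(hdr[n:n + c], "big")

# The filters from the notes, written as Python over the same byte offsets.
FILTERS = {
    "tcp[13] == 2":      lambda h: tcp_slice(h, 13) == 2,
    "tcp[13] & 2 != 0":  lambda h: (tcp_slice(h, 13) & 2) != 0,
    "tcp[13] & 66 != 0": lambda h: (tcp_slice(h, 13) & 66) != 0,
    "tcp[2:2] == 80 && tcp[0:2] == 51061":
        lambda h: tcp_slice(h, 2, 2) == 80 and tcp_slice(h, 0, 2) == 51061,
}

def evaluate(hdr):
    """Return {filter expression: matched?} for one header."""
    return {expr: fn(hdr) for expr, fn in FILTERS.items()}

if __name__ == "__main__":
    # Constructed samples: the client SYN, the [SEW] and [S.E] handshake
    # segments seen in the captures above, and a plain ACK.
    samples = [(51061, 80, "S"), (51061, 80, "SEW"),
               (443, 50240, "S.E"), (51061, 80, ".")]
    for src, dst, letters in samples:
        hdr = build_tcp_header(src, dst, letters)
        flag_byte = tcp_slice(hdr, 13)
        print(f"Flags [{byte_to_flags(flag_byte)}]  tcp[13] = {flag_byte}")
        for expr, matched in evaluate(hdr).items():
            print(f"  {expr:38} {'match' if matched else 'no match'}")
```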

# icmp cannot be followed directly by host
sh-3.2# tcpdump -i any icmp dst host 36.152.44.95
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed

# To narrow an icmp capture, join the terms with &&
# The whole expression must be quoted: an unquoted && is taken by the shell as a command separator, not passed to tcpdump
sh-3.2# tcpdump -i any 'icmp && dst host 36.152.44.95'
14:08:06.605468 IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 36105, seq 22, length 64
14:08:06.629689 IP 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 36105, seq 22, length 64
14:08:07.608930 IP 192.168.0.105 > 36.152.44.96: ICMP echo request, id 36105, seq 23, length 64
14:08:07.632835 IP 36.152.44.96 > 192.168.0.105: ICMP echo reply, id 36105, seq 23, length 64

# On macOS the capture can be piped straight into Wireshark, which opens its window automatically
sh-3.2# tcpdump -i any -w - | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
2021-05-09 14:13:26.269 Wireshark[2574:141163] Warning: Expected min height of view: (<NSView: 0x7f91cd0d2420>) to be less than or equal to 30 but got a height of 32.000000. This error will be logged once per view in violation.
4240 packets captured
4241 packets received by filter
0 packets dropped by kernel
sh-3.2#

# ifname can be used to filter by network interface
# Quote the expression, otherwise the shell splits the command at &&
sh-3.2# tcpdump -k A -i any 'tcp && ifname en0'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:24:29.129292 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .http > 192.168.0.105.51263: Flags [F.], seq 2759476374, ack 4074839740, win 67, length 0
14:24:29.129371 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51263 > .http: Flags [.], ack 1, win 4096, length 0
14:24:29.129455 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51263 > .http: Flags [F.], seq 1, ack 1, win 4096, length 0
14:24:29.144969 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .http > 192.168.0.105.51261: Flags [F.], seq 620045740, ack 964400737, win 68, length 0
14:24:29.145026 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51261 > .http: Flags [.], ack 1, win 4096, length 0
14:24:29.145101 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, svc BE, out, so) IP 192.168.0.105.51261 > .http: Flags [F.], seq 1, ack 1, win 4096, length 0
14:24:29.148380 (en0, proc QQMusic:585:20d71810-64f0-3f16-9881-55d62d68771a, eproc QQMusic:585:, svc BE, in, so) IP .https > 192.168.0.105.51262: Flags [P.], seq 705673920:705673951, ack 106355732, win 72, length 31

# Capture packets whose destination port is in 50-200 but is not 80
sh-3.2# tcpdump -nn -i any '(dst portrange 50-200) && (! dst port 80)'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:36:43.320692 IP 192.168.0.105.56467 > 192.168.1.1.53: 64499 A? www.baidu.com. (31)

References

The references are as follows:

Baidu Baike: octet
Baidu Baijiahao: 肝了三天,万字长文教你玩转 tcpdump,从此抓包不用愁 (a long-form tutorial on mastering tcpdump)
man tcpdump
man pcap-filter
RFC 793 (TRANSMISSION CONTROL PROTOCOL)
