Introduction

tcpdump is a well-known command-line packet analyser. With the tcpdump command we can capture live TCP/IP packets, and those packets can also be saved to a file; the saved packets can then be analysed later with the same tcpdump command. tcpdump is very handy when troubleshooting at the network level.

tcpdump is available in most Linux distributions. On Debian-based systems, install it with the apt command:

    # apt install tcpdump -y

On RPM-based systems, install tcpdump with the yum command:

    # yum install tcpdump -y

When we run the tcpdump command without any options it captures packets on all interfaces. To stop or cancel the tcpdump command, press Ctrl+C. In this tutorial we use a series of examples to show how to capture and analyse packets.

Example 1) Capture packets from a specific interface

When we run the tcpdump command without any options it captures packets on all interfaces. To capture packets from a specific interface, use the -i option followed by the interface name.

Syntax:

    # tcpdump -i {interface-name}

Suppose I want to capture packets from the interface enp0s3. The output looks like this:

    # tcpdump -i enp0s3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    06:43:22.905890 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952160:21952540, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 380
    06:43:22.906045 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952540:21952760, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
    06:43:22.906150 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952760:21952980, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
    06:43:22.906291 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [.], ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 0
    06:43:22.906303 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [P.], seq 13537:13609, ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 72
    06:43:22.906322 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952980:21953200, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
    ^C
    109930 packets captured
    110065 packets received by filter
    133 packets dropped by kernel

Example 2) Capture a specific number of packets from a specific interface

Suppose we want to capture 12 packets from a specific interface such as enp0s3. This is easily done with the options -c {count} -i {interface-name}:

    # tcpdump -c 12 -i enp0s3

(The original article shows a screenshot of this command's output at this point.)

Example 3) Show all interfaces available to tcpdump

Use the -D option to list all interfaces available to the tcpdump command:

    # tcpdump -D
    1.enp0s3
    2.enp0s8
    3.ovs-system
    4.br-int
    5.br-tun
    6.nflog (Linux netfilter log (NFLOG) interface)
    7.nfqueue (Linux netfilter queue (NFQUEUE) interface)
    8.usbmon1 (USB bus number 1)
    9.usbmon2 (USB bus number 2)
    10.qbra692e993-28
    11.qvoa692e993-28
    12.qvba692e993-28
    13.tapa692e993-28
    14.vxlan_sys_4789
    15.any (Pseudo-device that captures on all interfaces)
    16.lo [Loopback]

I am running the tcpdump command on one of my OpenStack compute nodes, which is why the output lists a number of virtual interfaces (tap interfaces, bridges and a vxlan interface) alongside the physical ones.

Example 4) Capture packets with human-readable timestamps (-tttt option)

By default the tcpdump output does not show a human-readable timestamp. If you want a readable timestamp attached to each captured packet, use the -tttt option, as in the example below:

    # tcpdump -c 8 -tttt -i enp0s3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    2018-08-25 23:23:36.954883 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1449206247:1449206435, ack 3062020950, win 291, options [nop,nop,TS val 86178422 ecr 21583714], length 188
    2018-08-25 23:23:36.955046 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 13585, options [nop,nop,TS val 21583717 ecr 86178422], length 0
    2018-08-25 23:23:37.140097 IP controller0.example.com.amqp > compute-0-1.example.com.57818: Flags [P.], seq 814607956:814607964, ack 2387094506, win 252, options [nop,nop,TS val 86172228 ecr 86176695], length 8
    2018-08-25 23:23:37.140175 IP compute-0-1.example.com.57818 > controller0.example.com.amqp: Flags [.], ack 8, win 237, options [nop,nop,TS val 86178607 ecr 86172228], length 0
    2018-08-25 23:23:37.355238 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [P.], seq 1080415080:1080417400, ack 1690909362, win 237, options [nop,nop,TS val 86178822 ecr 86163054], length 2320
    2018-08-25 23:23:37.357119 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 2320, win 1432, options [nop,nop,TS val 86172448 ecr 86178822], length 0
    2018-08-25 23:23:37.357545 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [P.], seq 1:22, ack 2320, win 1432, options [nop,nop,TS val 86172449 ecr 86178822], length 21
    2018-08-25 23:23:37.357572 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 22, win 237, options [nop,nop,TS val 86178825 ecr 86172449], length 0
    8 packets captured
    134 packets received by filter
    69 packets dropped by kernel

Example 5) Capture packets and save them to a file (-w option)

Use the -w option of the tcpdump command to save the captured TCP/IP packets to a file, so that we can analyse them later.

Syntax:

    # tcpdump -w {file-name}.pcap -i {interface-name}

Note: the file extension must be .pcap.

Suppose I want to save the packets captured on interface enp0s3 to a file named enp0s3-26082018.pcap:

    # tcpdump -w enp0s3-26082018.pcap -i enp0s3

The command above produces the following output:

    # tcpdump -w enp0s3-26082018.pcap -i enp0s3
    tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    841 packets captured
    845 packets received by filter
    0 packets dropped by kernel
    # ls
    anaconda-ks.cfg  enp0s3-26082018.pcap

Capture and save only packets larger than N bytes:

    # tcpdump -w enp0s3-26082018-2.pcap greater 1024

Capture and save only packets smaller than N bytes:

    # tcpdump -w enp0s3-26082018-3.pcap less 1024

Example 6) Read packets from a saved file (-r option)

In the example above we saved the captured packets to a file. We can read those packets back from the file with the -r option, as shown below:

    # tcpdump -r enp0s3-26082018.pcap

Read the packets with human-readable timestamps:

    # tcpdump -tttt -r enp0s3-26082018.pcap
    reading from file enp0s3-26082018.pcap, link-type EN10MB (Ethernet)
    2018-08-25 22:03:17.249648 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1426167803:1426167927, ack 3061962134, win 291, options [nop,nop,TS val 81358717 ecr 20378789], length 124
    2018-08-25 22:03:17.249840 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 124, win 564, options [nop,nop,TS val 20378791 ecr 81358717], length 0
    2018-08-25 22:03:17.454559 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 1079416895, win 1432, options [nop,nop,TS val 81352560 ecr 81353913], length 0
    2018-08-25 22:03:17.454642 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 1, win 237, options [nop,nop,TS val 81358922 ecr 81317504], length 0
    2018-08-25 22:03:17.646945 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [.], seq 106760587:106762035, ack 688390730, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 1448
    2018-08-25 22:03:17.647043 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [P.], seq 1448:1956, ack 1, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 508
    2018-08-25 22:03:17.647502 IP controller0.example.com.amqp > compute-0-1.example.com.57788: Flags [.], ack 1956, win 1432, options [nop,nop,TS val 81352753 ecr 81359114], length 0
    ...

Example 7) Show packets on a specific interface with IP addresses only (-n option)

With the -n option, tcpdump does not resolve addresses to host names, so the packets captured on the interface are shown with plain IP addresses, as in the example below:

    # tcpdump -n -i enp0s3

The command above produces the following output:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:22:28.537904 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433301395:1433301583, ack 3061976250, win 291, options [nop,nop,TS val 82510005 ecr 20666610], length 188
    22:22:28.538173 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20666613 ecr 82510005], length 0
    22:22:28.538573 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 364
    22:22:28.538736 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
    22:22:28.538874 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
    22:22:28.539042 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
    22:22:28.539178 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
    22:22:28.539282 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
    22:22:28.539479 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666614], length 340
    22:22:28.539595 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1572, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
    22:22:28.539760 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1572:1912, ack 1, win 291, options [nop,nop,TS val 82510007 ecr 20666614], length 340
    ...

You can also combine the -c and -n options to capture N packets shown with IP addresses:

    # tcpdump -c 25 -n -i enp0s3

Example 8) Capture only TCP packets on a specific interface

In the tcpdump command we can use the tcp keyword to capture only TCP packets:

    # tcpdump -i enp0s3 tcp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:36:54.521053 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433336467:1433336655, ack 3061986618, win 291, options [nop,nop,TS val 83375988 ecr 20883106], length 188
    22:36:54.521474 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20883109 ecr 83375988], length 0
    22:36:54.522214 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 83375989 ecr 20883109], length 364
    22:36:54.522508 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20883109 ecr 83375989], length 0
    22:36:54.522867 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
    22:36:54.523006 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20883109 ecr 83375990], length 0
    22:36:54.523304 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
    22:36:54.523461 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20883110 ecr 83375990], length 0
    22:36:54.523604 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 83375991 ecr 20883110], length 340
    ...

Example 9) Capture packets from a specific port on a specific interface

With the tcpdump command we can capture packets from a specific port (for example 22) on a specific interface (enp0s3).

Syntax:

    # tcpdump -i {interface-name} port {port-number}

    # tcpdump -i enp0s3 port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:54:45.032412 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1435010787:1435010975, ack 3061993834, win 291, options [nop,nop,TS val 84446499 ecr 21150734], length 188
    22:54:45.032631 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 9131, options [nop,nop,TS val 21150737 ecr 84446499], length 0
    22:54:55.037926 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 188:576, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21150737], length 388
    22:54:55.038106 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 576, win 9154, options [nop,nop,TS val 21153238 ecr 84456505], length 0
    22:54:55.038286 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 576:940, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21153238], length 364
    22:54:55.038564 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 940, win 9177, options [nop,nop,TS val 21153238 ecr 84456505], length 0
    22:54:55.038708 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 940:1304, ack 1, win 291, options [nop,nop,TS val 84456506 ecr 21153238], length 364
    ...

Example 10) Capture packets from a specific source IP on a specific interface

In the tcpdump command, the src keyword followed by an IP address captures packets coming from that source IP.

Syntax:

    # tcpdump -n -i {interface-name} src {ip-address}

For example:

    # tcpdump -n -i enp0s3 src 169.144.0.10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:03:45.912733 IP 169.144.0.10.amqp > 169.144.0.20.57800: Flags [.], ack 526623844, win 243, options [nop,nop,TS val 84981008 ecr 84982372], length 0
    23:03:46.136757 IP 169.144.0.10.amqp > 169.144.0.20.57796: Flags [.], ack 2535995970, win 252, options [nop,nop,TS val 84981232 ecr 84982596], length 0
    23:03:46.153398 IP 169.144.0.10.amqp > 169.144.0.20.57798: Flags [.], ack 3623063621, win 243, options [nop,nop,TS val 84981248 ecr 84982612], length 0
    23:03:46.361160 IP 169.144.0.10.amqp > 169.144.0.20.57802: Flags [.], ack 2140263945, win 252, options [nop,nop,TS val 84981456 ecr 84982821], length 0
    23:03:46.376926 IP 169.144.0.10.amqp > 169.144.0.20.57808: Flags [.], ack 175946224, win 252, options [nop,nop,TS val 84981472 ecr 84982836], length 0
    23:03:46.505242 IP 169.144.0.10.amqp > 169.144.0.20.57810: Flags [.], ack 1016089556, win 252, options [nop,nop,TS val 84981600 ecr 84982965], length 0
    23:03:46.616994 IP 169.144.0.10.amqp > 169.144.0.20.57812: Flags [.], ack 832263835, win 252, options [nop,nop,TS val 84981712 ecr 84983076], length 0
    23:03:46.809344 IP 169.144.0.10.amqp > 169.144.0.20.57814: Flags [.], ack 2781799939, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
    23:03:46.809485 IP 169.144.0.10.amqp > 169.144.0.20.57816: Flags [.], ack 1662816815, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
    23:03:47.033301 IP 169.144.0.10.amqp > 169.144.0.20.57818: Flags [.], ack 2387094362, win 252, options [nop,nop,TS val 84982128 ecr 84983492], length 0
    ^C
    10 packets captured
    12 packets received by filter
    0 packets dropped by kernel

Example 11) Capture packets to a specific destination IP on a specific interface

Syntax:

    # tcpdump -n -i {interface-name} dst {ip-address}

    # tcpdump -n -i enp0s3 dst 169.144.0.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:10:43.520967 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1439564171:1439564359, ack 3062005550, win 291, options [nop,nop,TS val 85404988 ecr 21390356], length 188
    23:10:43.521441 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:408, ack 1, win 291, options [nop,nop,TS val 85404988 ecr 21390359], length 220
    23:10:43.521719 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 408:604, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    23:10:43.521993 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 604:800, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    23:10:43.522157 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 800:996, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    23:10:43.522346 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 996:1192, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    ...

Example 12) Capture TCP communication between two hosts

Suppose I want to capture the TCP packets exchanged between the two hosts 169.144.0.1 and 169.144.0.20:

    # tcpdump -w two-host-tcp-comm.pcap -i enp0s3 tcp and \(host 169.144.0.1 or host 169.144.0.20\)

To capture only the SSH packet flow between the two hosts:

    # tcpdump -w ssh-comm-two-hosts.pcap -i enp0s3 src 169.144.0.1 and port 22 and dst 169.144.0.20 and port 22

Example 13) Capture UDP packets between two hosts (in both directions)

Syntax:

    # tcpdump -w {file-name} -s {snaplen} -i {interface-name} udp and \(host {ip-address-1} and host {ip-address-2}\)

    # tcpdump -w two-host-comm.pcap -s 1000 -i enp0s3 udp and \(host 169.144.0.10 and host 169.144.0.20\)

Example 14) Capture packets in hex and ASCII format

With the tcpdump command we can capture TCP/IP packets in ASCII and hexadecimal format.

To capture packets in ASCII format, use the -A option, as shown below:

    # tcpdump -c 10 -A -i enp0s3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    00:37:10.520060 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1452637331:1452637519, ack 3062125586, win 333, options [nop,nop,TS val 90591987 ecr 22687106], length 188
    E...@...............V.|...T....MT.......fR..Z-....b.:..Z5...{.'p....]."}...Z..9.?.......

(The ASCII payload dump continues; the remainder of the output is truncated in the source.)
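Examples 5, 6 and 9 to 13 all come down to the same two mechanics: `-w` writes a pcap file, `-r` reads it back, and a filter expression (`port 22`, `src host`, `dst host`, `tcp and (host A or host B)`, `greater 1024`) decides which packets are kept. The Python script below is an added example, not code from the article or from the tcpdump project. It writes a pcap file in the format tcpdump produces by default (magic 0xa1b2c3d4, microsecond timestamps, link type 1 = EN10MB) from a few constructed Ethernet/IPv4 frames, reads the file back, and applies filters with the same semantics as the tcpdump primitives (`greater N` and `less N` are `len >= N` and `len <= N` on the whole frame). The addresses and ports reuse the values seen in the article's output, but the frames themselves, including the zeroed checksums, are sample data, and `port`, `src`, `dst`, `host`, `proto`, `greater`, `less`, `select` and `fmt` are this example's own helper names, not tcpdump options.

```python
"""Write a pcap the way `tcpdump -w` does, read it back like `tcpdump -r`,
and apply filters equivalent to `port 22`, `src host`, `greater N` (added example)."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4     # native-endian magic, microsecond timestamps
LINKTYPE_ETHERNET = 1       # EN10MB, what tcpdump reports for enp0s3
SNAPLEN = 262144            # the default "capture size" tcpdump prints

def _ip(ip):
    return bytes(int(o) for o in ip.split("."))

def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Constructed Ethernet/IPv4 frame carrying TCP (6) or UDP (17).
    Checksums are left at zero: this is sample data, not a real capture."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    if proto == 6:   # 20-byte TCP header, flags PSH|ACK, window 291
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 291, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                     proto, 0, _ip(src_ip), _ip(dst_ip))
    return eth + ip + l4

def pcap_bytes(records):
    """records: (seconds, microseconds, frame) tuples -> pcap file contents."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("=IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a pcap file body; returns (linktype, [(sec, usec, frame), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack("=IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("=IIII", data[pos:pos + 16])
        pkts.append((sec, usec, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return linktype, pkts

def decode(frame):
    """Pull the fields tcpdump prints out of an Ethernet/IPv4/TCP|UDP frame."""
    if frame[12:14] != b"\x08\x00":          # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", frame[16:18])[0], frame[23]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr = (l4[12] >> 4) * 4 if proto == 6 else 8
    return {"src": src, "dst": dst, "proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
            "sport": sport, "dport": dport, "length": len(l4) - hdr, "size": len(frame)}

# Filter primitives mirroring tcpdump expressions; combine them with select().
def port(n):      return lambda p: n in (p["sport"], p["dport"])
def src(ip):      return lambda p: p["src"] == ip
def dst(ip):      return lambda p: p["dst"] == ip
def host(ip):     return lambda p: ip in (p["src"], p["dst"])
def proto(name):  return lambda p: p["proto"] == name
def greater(n):   return lambda p: p["size"] >= n      # tcpdump: len >= n
def less(n):      return lambda p: p["size"] <= n      # tcpdump: len <= n

def select(pkts, *preds):
    """Keep decoded packets matching every predicate (an implicit 'and')."""
    out = []
    for sec, usec, frame in pkts:
        p = decode(frame)
        if p and all(pred(p) for pred in preds):
            out.append((sec, usec, p))
    return out

def fmt(sec, usec, p):
    """One line in the style of `tcpdump -tttt -n` (UTC, so output is deterministic)."""
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s.%06d IP %s.%d > %s.%d: %s length %d" % (
        ts, usec, p["src"], p["sport"], p["dst"], p["dport"], p["proto"].upper(), p["length"])

SAMPLE = [  # constructed traffic loosely modelled on the article's output
    (1535239416, 954883, build_frame("169.144.0.20", "169.144.0.1", 6, 22, 39406, b"x" * 188)),
    (1535239416, 955046, build_frame("169.144.0.1", "169.144.0.20", 6, 39406, 22, b"")),
    (1535239417, 140097, build_frame("169.144.0.10", "169.144.0.20", 6, 5672, 57818, b"y" * 8)),
    (1535239417, 355238, build_frame("169.144.0.10", "169.144.0.20", 17, 4789, 4789, b"z" * 1400)),
]

if __name__ == "__main__":
    with open("sample.pcap", "wb") as f:            # like `tcpdump -w sample.pcap`
        f.write(pcap_bytes(SAMPLE))
    with open("sample.pcap", "rb") as f:            # like `tcpdump -r sample.pcap port 22`
        _, pkts = read_pcap(f.read())
    for rec in select(pkts, port(22)):
        print(fmt(*rec))
```

Running the script writes sample.pcap, which tcpdump itself can open with `tcpdump -tttt -n -r sample.pcap`; the two `port 22` frames and the 1442-byte UDP frame (the only one `greater 1024` keeps) show which packets each of the article's filters would have saved. Note that `greater` and `less` compare against the captured frame length, not the TCP payload length printed as `length N` in the tcpdump output.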
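Whether the lines come from a live capture (examples 1, 4 and 7) or from a replay with `-r` (example 6), every tcpdump packet line has the same shape: an optional date, a timestamp, `IP`, `source.port > destination.port`, the TCP flags and a trailing `length N`, and the run ends with the `packets captured / received by filter / dropped by kernel` summary. The parser below is an added example, not code from the article; it turns that text into per-direction flow statistics and also reads the summary so that a non-zero kernel drop count (133 in example 1, 69 in example 4) is not overlooked when a capture is used as evidence. The sample lines are taken from example 1's output; `parse_line`, `summarize`, `conversations` and `drop_ratio` are this example's own function names.

```python
"""Parse tcpdump's text output (with or without -tttt / -n) into per-flow
statistics and the capture summary (added example)."""
import re
from collections import defaultdict

PACKET_RE = re.compile(
    r"^(?:(?P<date>\d{4}-\d\d-\d\d) )?(?P<time>\d\d:\d\d:\d\d\.\d{6}) IP "
    r"(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\],)?.*length (?P<length>\d+)$")
SUMMARY_RE = re.compile(
    r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$")

def parse_line(line):
    """Return the fields of one packet line, or None for any other line."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["length"] = int(d["length"])
    d["flags"] = d["flags"] or ""
    return d

def summarize(lines):
    """Per-direction flow table keyed (src, sport, dst, dport) plus the summary counters."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    summary = {"captured": None, "received by filter": None, "dropped by kernel": None}
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            f = flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
            f["packets"] += 1
            f["bytes"] += pkt["length"]          # TCP payload bytes, as tcpdump prints them
            if pkt["flags"]:
                f["flags"].add(pkt["flags"])
            continue
        m = SUMMARY_RE.match(line.strip())
        if m:
            summary[m.group("what")] = int(m.group("n"))
    return dict(flows), summary

def conversations(flows):
    """Merge both directions of each flow into one bidirectional total."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for (src, sport, dst, dport), f in flows.items():
        key = tuple(sorted([(src, sport), (dst, dport)]))
        conv[key]["packets"] += f["packets"]
        conv[key]["bytes"] += f["bytes"]
    return dict(conv)

def drop_ratio(summary):
    """Fraction of packets the kernel dropped before tcpdump could record them."""
    received, dropped = summary["received by filter"], summary["dropped by kernel"]
    if not received or not dropped:
        return 0.0
    return dropped / received

# Constructed sample: the lines shown in example 1 of the article.
SAMPLE_OUTPUT = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:43:22.905890 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952160:21952540, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 380
06:43:22.906045 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952540:21952760, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
06:43:22.906150 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952760:21952980, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
06:43:22.906291 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [.], ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 0
06:43:22.906303 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [P.], seq 13537:13609, ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 72
06:43:22.906322 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952980:21953200, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
^C
109930 packets captured
110065 packets received by filter
133 packets dropped by kernel
"""

if __name__ == "__main__":
    flows, summary = summarize(SAMPLE_OUTPUT.splitlines())
    for key, f in flows.items():
        print("%s.%s > %s.%s: %d packets, %d bytes, flags %s" % (key + (f["packets"], f["bytes"], sorted(f["flags"]))))
    print("summary:", summary, "drop ratio: %.5f" % drop_ratio(summary))
```

In practice you would feed the parser with `tcpdump -tttt -n -r file.pcap | python3 flows.py` (reading stdin instead of SAMPLE_OUTPUT); the `-n` form is handled by the same expression because the host and port groups accept either names or numbers. A non-zero `dropped by kernel` count means the kernel could not hand every packet to tcpdump, so the flow totals are a lower bound; the usual remedies are a narrower filter, writing straight to a file with `-w` instead of decoding live, or a larger capture buffer with `-B`.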