CentOS中使用tcpdump抓包
2020-10-30 本文已影响0人
老鼠AI大米_Java全栈
物联网下,很多情况需要与硬件交互,特别是硬件与服务器之间的交互处理,只能通过抓取数据包的方式去分析,下面看看如何抓取数据包。
安装tcpdump
直接通过命令安装yum install tcpdump
抓取网卡数据包
tcpdump
抓取第一块网卡所有数据包
[root@server110 tcpdump]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:58:14.441562 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956277183:2956277391, ack 2178083060, win 336, length 208
15:58:14.442088 IP server110.34562 > ns-px.online.sh.cn.domain: 34223+ PTR? 169.202.16.18.in-addr.arpa. (44)
15:58:14.486822 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16419, length 0
15:58:14.692932 IP ns-px.online.sh.cn.domain > server110.34562: 34223 NXDomain 0/1/0 (116)
15:58:14.693416 IP server110.57017 > ns-px.online.sh.cn.domain: 12369+ PTR? 5.209.96.202.in-addr.arpa. (43)
15:58:14.693577 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:400, ack 1, win 336, length 192
15:58:14.695254 IP ns-px.online.sh.cn.domain > server110.57017: 12369 1/0/0 PTR ns-px.online.sh.cn. (75)
15:58:14.695519 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 400:656, ack 1, win 336, length 256
15:58:14.696577 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 656:1232, ack 1, win 336, length 576
15:58:14.697564 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1232:1392, ack 1, win 336, length 160
15:58:14.698563 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1392:1552, ack 1, win 336, length 160
tcpdump -i 抓取某一块网卡数据包, 可以用ifconfig命令查看。
[root@server110 tcpdump]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:59:43.529881 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2956715807:2956716015, ack 2178087524, win 336, length 208
15:59:43.530636 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16422, length 0
15:59:43.530732 IP server110.50508 > ns-px.online.sh.cn.domain: 42810+ PTR? 169.202.16.18.in-addr.arpa. (44)
15:59:43.533748 IP ns-px.online.sh.cn.domain > server110.50508: 42810 NXDomain 0/1/0 (116)
15:59:43.534054 IP server110.37348 > ns-px.online.sh.cn.domain: 43151+ PTR? 5.209.96.202.in-addr.arpa. (43)
15:59:43.534537 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:496, ack 1, win 336, length 288
15:59:43.540551 IP ns-px.online.sh.cn.domain > server110.37348: 43151 1/0/0 PTR ns-px.online.sh.cn. (75)
15:59:43.541536 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 496:1072, ack 1, win 336, length 576
15:59:43.542319 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 1072, win 16425, length 0
15:59:43.542529 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1072:1328, ack 1, win 336, length 256
15:59:43.543545 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1328:1488, ack 1, win 336, length 160
监听特定主机
[root@server110 tcpdump]# tcpdump host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:07:16.334596 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2957160543:2957160751, ack 2178097380, win 336, length 208
16:07:16.375768 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 208, win 16425, length 0
16:07:16.539595 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:496, ack 1, win 336, length 288
16:07:16.540553 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 496:656, ack 1, win 336, length 160
16:07:16.541564 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 656:816, ack 1, win 336, length 160
16:07:16.541731 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 656, win 16423, length 0
16:07:16.542572 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 816:1072, ack 1, win 336, length 256
16:07:16.543565 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 1072:1232, ack 1, win 336, length 160
监听特定来源
[root@server110 tcpdump]# tcpdump src host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:30.681395 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 2957168815, win 16420, length 0
16:08:30.791328 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 161, win 16420, length 0
16:08:30.833394 IP 18.16.202.169.cvd > server110.ssh: Flags [.], ack 321, win 16419, length 0
监听特定目标
[root@server110 tcpdump]# tcpdump dst host 18.16.202.169
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:09:27.404603 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 2958878511:2958878719, ack 2178100804, win 336, length 208
16:09:27.408521 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 208:400, ack 1, win 336, length 192
16:09:27.409530 IP server110.ssh > 18.16.202.169.cvd: Flags [P.], seq 400:560, ack 1, win 336, length 160
监听特定端口
[root@server110 tcpdump]# tcpdump port 8083 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:10:31.361199 IP (tos 0x0, ttl 127, id 19231, offset 0, flags [DF], proto TCP (6), length 52)
18.16.202.169.14626 > server110.us-srv: Flags [S], cksum 0x3315 (correct), seq 2299766793, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:10:31.361264 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
server110.us-srv > 18.16.202.169.14626: Flags [S.], cksum 0x4b86 (correct), seq 1167811532, ack 2299766794, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:10:31.361594 IP (tos 0x0, ttl 127, id 19232, offset 0, flags [DF], proto TCP (6), length 40)
18.16.202.169.14626 > server110.us-srv: Flags [.], cksum 0xa54c (correct), seq 1, ack 1, win 8212, length 0
监听并保存数据包
[root@server110 tcpdump]# tcpdump tcp port 8083 -w ./abc.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C15 packets captured
15 packets received by filter
0 packets dropped by kernel
更复杂的例子
tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
- tcp: ip icmp arp rarp 和 tcp、udp、icmp这些选项等都要放到第一个参数的位置,用来过滤数据报的类型
- -i eth1 : 只抓经过接口eth1的包
- -t : 不显示时间戳
- -s 0 : 抓取数据包时默认抓取长度为68字节。加上-S 0 后可以抓到完整的数据包
- -c 100 : 只抓取100个数据包
- dst port ! 22 : 不抓取目标端口是22的数据包
- src net 192.168.1.0/24 : 数据包的源网络地址为192.168.1.0/24
- -w ./target.cap : 保存成cap文件,方便用ethereal(即wireshark)分析
数据包分析
通过简单的命令抓取数据
tcpdump -i enp2s0 -w ./abc.cap
抓取的数据包可以下载(sz abc.cap)到本机分析,使用wireshark打开,可以看到tcp具体过程
image.png
上图可以清晰看到从189的服务器发给233硬件的信息,具体命令是从51开始的,这样就能确定服务器与硬件间的交互正常。