Function: network packet capture.

Common options:

-c N: exit after receiving N packets.
-n: show addresses numerically (no host name resolution).
-nn: show port numbers numerically as well (no service name resolution).
-i interface: listen on the specified network interface.
-Q direction: only capture packets travelling in the given direction (in, out, or both); direction can be in, out or inout.
-A: print the packet contents in ASCII.
-x: print the packet contents in hexadecimal.
-e: print the link-layer header.
-t: do not print a timestamp.

1. Listen on a specified network interface

Packets entering or leaving the interface:

[root@localhost ~]# tcpdump -i eth0 -n -nn -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], seq 3166421438:3166421626, ack 545572950, options [nop,nop,TS val 17230918 ecr 2091022108], length 188
06:14:09.335332 IP 192.168.122.1.53800 > 192.168.122.132.22: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091022134 ecr 17230918], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Only packets entering the interface:

[root@localhost ~]# tcpdump -i eth0 -Q in -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:21:19.100727 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166430042, win 1424, options [nop,nop,TS val 2091418841 ecr 17660684], length 0
06:21:19.101696 IP 192.168.122.1.domain > 192.168.122.132.53181: 22222 NXDomain 0/0/0 (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel

Only packets leaving the interface:

[root@localhost ~]# tcpdump -i eth0 -Q out -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:42:18.231062 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3169833758:3169833946, ack 545616298, win 295, options [nop,nop,TS val ... ecr ...], length 188
06:42:18.231775 IP 192.168.122.132.48232 > 192.168.122.1.domain: 39110+ PTR? 1.122.168.192.in-addr.arpa. (44)
2 packets captured
6 packets received by filter
0 packets dropped by kernel

2. Listen for a specified host

The address is either the source or the destination:

[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:20:25.095802 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166428670:3166428858, ack 545582950, options [nop,nop,TS val 17606679 ecr 2091368949], length 188
06:20:25.095965 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ..., length 0
2 packets captured
6 packets received by filter
0 packets dropped by kernel

The address is the source (equivalent to combining with -Q in):

[root@localhost ~]# tcpdump -i eth0 src host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:22:54.673517 IP 192.168.122.1.53800 > 192.168.122.132.ssh: Flags [.], ack 3166431854, win 1424, options [nop,nop,TS val 2091507061 ecr 17756257], length 0
06:22:54.674494 IP 192.168.122.1.domain > 192.168.122.132....: ... NXDomain 0/0/0 (46)
2 packets captured
3 packets received by filter
0 packets dropped by kernel

The address is the destination (equivalent to combining with -Q out):

[root@localhost ~]# tcpdump -i eth0 dst host 192.168.122.1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:24:13.192880 IP 192.168.122.132.ssh > 192.168.122.1.53800: Flags [P.], seq 3166433542:3166433730, ack 545587194, win 295, options [nop,nop,TS val 17834776 ecr 2091579506], length 188
06:24:13.194190 IP 192.168.122.132.49025 > 192.168.122.1.domain: 23295+ PTR? 1.122.168.192.in-addr.arpa. (44)
2 packets captured
3 packets received by filter
0 packets dropped by kernel

3. Listen for a specified protocol

[root@localhost ~]# tcpdump -i eth0 arp
[root@localhost ~]# tcpdump -i eth0 icmp
[root@localhost ~]# tcpdump -i eth0 ip
[root@localhost ~]# tcpdump -i eth0 tcp
[root@localhost ~]# tcpdump -i eth0 udp

4. Listen on a specified port

Source or destination port; source port only; destination port only:

[root@localhost ~]# tcpdump -i eth0 port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 src port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 dst port 22 -c 2

5. Listen for a specified network

Source or destination network; source network only; destination network only:

[root@localhost ~]# tcpdump -i eth0 net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 src net 192.168.122.0/24 -c 2
[root@localhost ~]# tcpdump -i eth0 dst net 192.168.122.0/24 -c 2

6. Logical operators

[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 and tcp and port 22 -c 2
[root@localhost ~]# tcpdump -i eth0 host 192.168.122.1 or www.baidu.com -c 2
[root@localhost ~]# tcpdump -i eth0 not host 192.168.122.2

and: logical AND. or: logical OR. not: logical NOT.

7. Print packet contents in ASCII

[root@localhost ~]# tcpdump -i eth0 host www.baidu.com -A
...
06:45:55.722338 IP 182.61.200.7.http > 192.168.122.132.35802: Flags [.], seq 1:1453, ack 112, win 908, length 1452: HTTP: HTTP/1.1 200 OK
E.....@.$....=....z..P........P..Q..HTTP/1.1 200 OK
Content-Length: 2381
Content-Type: text/html
Server: bfe
Date: Wed, 18 Aug 2021 12:07:56 GMT

<meta http-equiv=content-type content=text/html;charset=utf-8>
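The direction and host filters in sections 1 and 2 can be reproduced after the fact by parsing the summary lines tcpdump prints. The following is an added example, not part of the original notes: it parses the one-line-per-packet format shown above (timestamp, "IP", source and destination endpoints, flags, length) and tallies packets and TCP payload bytes per direction relative to a chosen local host. The sample lines are constructed from the captures above; the field names are my own.

```python
import re

# Matches one IPv4 summary line as tcpdump prints it (with or without -n/-nn), e.g.
# "06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], ..., length 188"
LINE_RE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$')
FLAGS_RE = re.compile(r'Flags \[(?P<flags>[^\]]*)\]')
LEN_RE = re.compile(r'length (?P<len>\d+)')

def split_endpoint(endpoint):
    """'192.168.122.1.domain' -> ('192.168.122.1', 'domain'); the port is a name unless -nn was used."""
    host, _, port = endpoint.rpartition('.')
    return host, port

def parse_line(line):
    """Return a dict for a packet summary line, or None for header/trailer lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, sport = split_endpoint(m.group('src'))
    dst, dport = split_endpoint(m.group('dst'))
    flags = FLAGS_RE.search(m.group('rest'))
    length = LEN_RE.search(m.group('rest'))
    return {'ts': m.group('ts'), 'src': src, 'sport': sport, 'dst': dst, 'dport': dport,
            'flags': flags.group('flags') if flags else None,    # None for non-TCP lines (DNS)
            'length': int(length.group('len')) if length else 0}  # DNS lines print "(44)" instead

def direction(rec, local_host):
    """Classify a record the way -Q in/out (or src/dst host) would, relative to local_host."""
    if rec['dst'] == local_host:
        return 'in'
    if rec['src'] == local_host:
        return 'out'
    return 'other'

def summarize(lines, local_host):
    """Per-direction (packet count, TCP payload bytes) over a block of tcpdump output."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:        # "listening on eth0 ...", "2 packets captured", etc.
            continue
        d = direction(rec, local_host)
        pkts, payload = stats.get(d, (0, 0))
        stats[d] = (pkts + 1, payload + rec['length'])
    return stats

# Constructed sample: four summary lines taken from the captures above plus one trailer line.
SAMPLE = """\
06:14:09.335167 IP 192.168.122.132.22 > 192.168.122.1.53800: Flags [P.], seq 3166421438:3166421626, ack 545572950, options [nop,nop,TS val 17230918 ecr 2091022108], length 188
06:14:09.335332 IP 192.168.122.1.53800 > 192.168.122.132.22: Flags [.], ack 188, win 1424, options [nop,nop,TS val 2091022134 ecr 17230918], length 0
06:21:19.101696 IP 192.168.122.1.domain > 192.168.122.132.53181: 22222 NXDomain 0/0/0 (46)
06:42:18.231775 IP 192.168.122.132.48232 > 192.168.122.1.domain: 39110+ PTR? 1.122.168.192.in-addr.arpa. (44)
2 packets captured"""

if __name__ == '__main__':
    print(summarize(SAMPLE.splitlines(), '192.168.122.132'))  # {'out': (2, 188), 'in': (2, 0)}
```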