Tcpdump抓包工具

tcpdump是linux下常用的抓包工具：

tcpdump的选项有很多，但是我们常用的不多：
-i：interface 监听的网卡。
-nn：表示以ip和port的方式显示来源主机和目的主机，而不是用主机名和服务。
-A：以ascii的方式显示数据包，抓取web数据时很有用。
-X：数据包将会以16进制和ascii的方式显示。
表达式：表达式有很多种，常见的有：host 主机；port 端口；src host 发包主机；dst host 收包主机。多个条件可以用and、or组合，取反可以使用!
注意在使用tcpdump时需要把用户更换到root用户，只有root用户才能使用tcpdump命令！

抓取网卡0的数据包10个：

[root@client ~]# tcpdump -i eth0 -c 10  /-c  指定抓取数据包的数量
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:34:24.703714 IP 192.168.1.112.ssh > 192.168.1.103.50134: Flags [P.], seq 3880171609:3880171805, ack 723186096, win 304, length 196
02:34:24.705623 ARP, Request who-has 192.168.1.1 tell 192.168.1.112, length 28
02:34:24.708147 ARP, Reply 192.168.1.1 is-at bc:46:99:41:22:de (oui Unknown), length 46
02:34:24.708153 IP 192.168.1.112.46550 > google-public-dns-a.google.com.domain: 28064+ PTR? 103.1.168.192.in-addr.arpa. (44)
02:34:24.803903 IP google-public-dns-a.google.com.domain > 192.168.1.112.46550: 28064 NXDomain 0/0/0 (44)
02:34:24.804331 IP 192.168.1.112.60134 > google-public-dns-a.google.com.domain: 1919+ PTR? 112.1.168.192.in-addr.arpa. (44)
02:34:24.881789 IP 192.168.1.112.ssh > 192.168.1.103.50134: Flags [P.], seq 4294967244:196, ack 1, win 304, length 248
02:34:24.882223 IP 192.168.1.103.50134 > 192.168.1.112.ssh: Flags [.], ack 196, win 252, options [nop,nop,sack 1 {4294967244:196}], length 0
02:34:24.903700 IP google-public-dns-a.google.com.domain > 192.168.1.112.60134: 1919 NXDomain 0/0/0 (44)
02:34:24.904152 IP 192.168.1.112.56792 > google-public-dns-a.google.com.domain: 22232+ PTR? 1.1.168.192.in-addr.arpa. (42)
10 packets captured
17 packets received by filter
0 packets dropped by kernel
[root@client ~]#

以ip和端口号的形式显示，并且把显示的内容放入文件1.cap中

[root@client ~]# tcpdump -nn -c 10 -w 1.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@client ~]#

查看1.cap文件中的内容：/注意这样的文件用一本编辑器是打不开的！

[root@client ~]# tcpdump -r 1.cap
reading from file 1.cap, link-type EN10MB (Ethernet)
02:37:13.275584 IP 192.168.1.112.ssh > 192.168.1.103.50134: Flags [P.], seq 3880175945:3880176077, ack 723188752, win 304, length 132
02:37:13.475110 IP 192.168.1.103.50134 > 192.168.1.112.ssh: Flags [.], ack 132, win 253, length 0
02:37:13.942809 ARP, Request who-has 192.168.1.104 tell 192.168.1.1, length 46
02:37:14.966198 ARP, Request who-has 192.168.1.104 tell 192.168.1.1, length 46
02:37:15.900875 ARP, Request who-has 192.168.1.104 tell 192.168.1.1, length 46
02:37:16.403112 IP 192.168.1.1.1024 > 192.168.1.255.commplex-link: UDP, length 115
02:37:16.907312 IP6 fe80::249d:5806:de62:3dfa.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:37:19.260750 IP6 fe80::1576:7a67:2445:cbbf.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:37:24.993190 IP6 fe80::249d:5806:de62:3dfa.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:37:26.425316 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 266
[root@client ~]#