网络抓包 tcpdump 使用指南

在网络问题的调试中，tcpdump应该说是一个必不可少的工具，和大部分linux下优秀工具一样，它的特点就是简单而强大。它是基于Unix系统的命令行式的数据包嗅探工具，可以抓取流动在网卡上的数据包。

监听所有网卡所有包

tcpdump

监听指定网卡的包

tcpdump-iens18

监听指定IP的包

监听目标地址IP

监听指定端口

tcpdumpport80

监听TCP

tcpdumptcp

监听UDP

tcpdumpudp

监听192.168.1.11的tcp协议的80端口的数据包

:59:07.836563:Flags[.],ack867022485,win502,length011:59:07.836711:Flags[P.],seq0:77,ack1,win502,length77:HTTP:HEAD/HTTP/1.111:59:07.838462:Flags[.],ack248,win501,length011:59:07.838848:Flags[F.],seq77,ack248,win501,length011:59:07.839192:Flags[.],ack249,win501,length0

监听IP之间的包

:57:52.742468:Flags[S],seq3437424457,win64240,options[mss1460,sackOK,TSval2166810854ecr0,nop,wscale7],length011:57:52.742606:Flags[S.],seq3541873211,ack3437424458,win64240,options[mss1460,nop,nop,sackOK,nop,wscale7],length011:57:52.742841:Flags[.],ack1,win502,length011:57:52.742927:Flags[P.],seq1:78,ack1,win502,length77:HTTP:HEAD/HTTP/1.111:57:52.742943:Flags[.],ack78,win502,length011:57:52.744407:Flags[P.],seq1:248,ack78,win502,length247:HTTP:HTTP/1.1200OK11:57:52.744613:Flags[.],ack248,win501,length011:57:52.744845:Flags[F.],seq78,ack248,win501,length011:57:52.745614:Flags[F.],seq248,ack79,win502,length011:57:52.745772:Flags[.],ack249,win501,length0

监听除了与192.168.1.4之外的数据包

!192.168.1.411:57:20.862575:Flags[P.],seq3233461117:3233461356,ack1301434191,win9399,length23911:57:20.878165:Flags[P.],seq1:4097,ack239,win3081,length409611:57:20.878340:Flags[P.],seq4097:8193,ack239,win3081,length409611:57:20.878417:Flags[.],ack4097,win9384,length0

组合示例

tcpdumptcp-iens18-v-nn-t-A-s0-c50anddstport!22/24-w./(1)tcp:ipicmparprarp和tcp、udp、icmp这些选项等都要放到第一个参数的位置，用来过滤数据报的类型(2)-ieth1:只抓经过接口eth1的包(3)-t:不显示时间戳(4)-s0:抓取数据包时默认抓取长度为68字节。加上-S0后可以抓到完整的数据包(5)-c50:只抓取50个数据包(6)dstport!22:不抓取目标端口是22的数据包(7)/24:数据包的源网络地址为192.168.1.0/24(8)-w./:保存成cap文件，方便用ethereal(即wireshark)分析(9)-v使用-v，-vv和-vvv来显示更多的详细信息，通常会显示更多与特定协议相关的信息。(10)-nn单个n表示不解析域名，直接显示IP；两个n表示不解析域名和端口。(11)-A表示使用ASCII字符串打印报文的全部数据

组合过滤器《与/AND/》《或/OR/||》《非/not/!》andororor||notor!

在HTTP中提取用户头

tcpdump-nn-A-s0-l|grep"User-Agent:"User-Agent:Prometheus/2.30.0User-Agent:Microsoft-Delivery-Optimization/10.0

在HTTP中同时提取用户头和主机信息

tcpdump-nn-A-s0-l|egrep-i'User-Agent:|Host:'Host:192.168.1.42:9200User-Agent:Prometheus/2.30.0HOST:239.255.255.250:1900USER-AGENT:MicrosoftEdge/97.0.1072.55Windows

抓取HTTPGET流量

tcpdump-s0-A-vv'tcp[((tcp[12:1]0xf0)2):4]=0x47455420'11:55:13.704801IP(tos0x0,ttl64,id14605,offset0,flags[DF],protoTCP(6),length291):Flags[P.],cksum0x849a(incorrect-0xd0b0),seq3090925559:3090925798,ack809492640,win630,options[nop,nop,TSval2076158003ecr842090965],length239E....;..0?..v.{..321/metricsHTTP/1.1Host:192.168.1.43:9200User-Agent:Prometheus/2.30.0Accept:application/openmetrics-text;version=0.0.1,text/plain;version=0.0.4;q=0.5,*/*;q=0.1Accept-Encoding:gzipX-Prometheus-Scrape-Timeout-Seconds:10

抓取HTTPPOST请求流量

tcpdump-s0-A-vv'tcp[((tcp[12:1]0xf0)2):4]=0x504f5354'11:53:10.831855IP(tos0x0,ttl63,id0,offset0,flags[none],protoTCP(6),length643):Flags[P.],cksum0x1a41(correct),seq3331055769:3331056372,ack799860501,win4096,length603:HTTP,length:603POST/?tk=391f8956e632962ee9c1dc661a9b46779d86ca43fe252bddbfc09d2cc66bf875323f6e7f03b881db21133b1bf2ae5bc5HTTP/1.1Host:220.194.116.50:8080Accept:*/*Accept-Language:zh-CN,zh-Hans;q=0.9Q-Guid:e54764008893a559b852b6e9f1c8ae268958471308f41a96fd42e477e26323b8Q-UA:Accept-Encoding:gzip,deflateQ-UA2:QV=3PL=IOSRF=SDKPR=IBSPP==3.8.0.1824TBSVC=18500DE=PHONEVE=GACO=IMTTRL=1170*2532MO=iPhone14,2CHID=50001LCID=9751OS=15.1.1Content-Length:144User-Agent:QQ-S-ZIP:gzipConnection:keep-aliveContent-Type:application/multipart-formdataQ-Auth:E.?./.POST/?tk=391f8956e632962ee9c1dc661a9b46779d86ca43fe252bddbfc09d2cc66bf875323f6e7f03b881db21133b1bf2ae5bc5HTTP/1.1Host:220.194.116.50:8080Accept:*/*Accept-Language:zh-CN,zh-Hans;q=0.9Q-Guid:e54764008893a559b852b6e9f1c8ae268958471308f41a96fd42e477e26323b8Q-UA:Accept-Encoding:gzip,deflateQ-UA2:QV=3PL=IOSRF=SDKPR=IBSPP==3.8.0.1824TBSVC=18500DE=PHONEVE=GACO=IMTTRL=1170*2532MO=iPhone14,2CHID=50001LCID=9751OS=15.1.1Content-Length:144User-Agent:QQ-S-ZIP:gzipConnection:keep-aliveContent-Type:application/multipart-formdataQ-Auth:

注意：一个POST请求会被分割为多个TCP数据包

提取HTTP请求的主机名和路径

root@pve:~tcpdump-nnip6proto6-vtcpdump:listeningoneth0,link-typeEN10MB(Ethernet),capturesize262144bytes06:40:26.060313IP6(flowlabel0xfe65e,hlim64,next-headerTCP(6)payloadlength:40)2a00:b700::e831:2aff:fe27::2030:21:181::26:Flags[S],cksum0x451c(incorrect-0x24cd),seq3503520271,win64800,options[mss1440,sackOK,TSval2504544710ecr0,nop,wscale6],length006:40:34.296847IP6(flowlabel0xc9f9c,hlim64,next-headerTCP(6)payloadlength:40)2a00:b700::e831:2aff:fe27::1450:4010:c0e::84.443:Flags[S],cksum0x6754(incorrect-0x0813),seq3899361154,win64800,options[mss1440,sackOK,TSval2141524802ecr0,nop,wscale6],length0

发起的出站DNS请求和A记录响应

tcpdump-ieth0-s0port53tcpdump:verboseoutputsuppressed,use-vor-vvforfullprotocoldecodelisteningoneth0,link-typeEN10MB(Ethernet),capturesize262144bytes06:44:10.499529:34151+[1au]A?(61)06:44:10.500992:45667+[1au]PTR?219.3.144.45.(54)06:44:10.661142:45667NXDomain0/1/1(112)06:44:10.661438:45667+PTR?219.3.144.45.(43)06:44:10.687147:45667NXDomain0/1/0(101)06:44:10.806349:3415111/0/1,,,,,,,,,,(237)

抓取DHCP服务的请求和响应报文

tcpdump-v-nport67or6811:50:28.939726IP(tos0x0,ttl64,id35862,offset0,flags[DF],protoUDP(17),length320)192.168.1.136.68255.255.255.255.67:BOOTP/DHCP,Requestfrom70:3a:a6:cb:27:3c,length292,xid0x3ccba40c,secs11529,Flags[none]:3a:a6:cb:27:3cVor-rfc1048ExtensionsMagicCookie0x63825363DHCP-Message(53),length1:RequestClient-ID(61),length7:ether70:3a:a6:cb:27:3cHostname(12),length11:"S24G-U_273C"Vor-Class(60),length13:"CloudSwitch_1"MSZ(57),length2:800Parameter-Request(55),length5:Subnet-Mask(1),Default-Gateway(3),Hostname(12),Domain-Name-Server(6)Vor-Class(60)