Last updated: 2025-12-11 14:56:49
tcpdump is a powerful command-line packet capture tool for Linux that captures, analyzes and records network packets. This article describes how to capture and analyze packets with tcpdump. Capturing from an interface requires root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities on the tcpdump binary); reading an existing capture file does not.
Installation:

```shell
# Ubuntu/Debian
sudo apt-get install tcpdump
# CentOS/RHEL/Fedora (use dnf on releases that have replaced yum)
sudo yum -y install tcpdump
# Check that the installation succeeded
tcpdump --version
```

Synopsis (from the tcpdump man page):

```
tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
        [ -Q|-P in|out|inout ]
        [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
        [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
        [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
        [ -Z user ] [ expression ]
```

Commonly used parameters and filter expressions:

| Parameter | Description | Usage |
| --- | --- | --- |
| -i | Capture on the given interface (`any` is the Linux cooked-mode pseudo-interface covering all interfaces) | `tcpdump -i eth0` or `tcpdump -i any` |
| -D | List all interfaces | `tcpdump -D` |
| -s | Snapshot length, the number of bytes captured per packet; 0 captures whole packets (current tcpdump treats it as the 262144-byte default) | `tcpdump -s 0 -i eth0` |
| -c | Stop after the given number of packets | `tcpdump -c 100 -i eth0` |
| -n | Do not resolve host names (use -nn to leave port numbers numeric as well) | `tcpdump -i any -n` |
| -v / -vv / -vvv | Increasingly verbose output | `tcpdump -i any -vvv` |
| -w | Write the raw packets to a file (pcap format) | `tcpdump -i any -w xxx.pcap` |
| -r | Read packets from a pcap file instead of an interface | `tcpdump -r xxx.pcap` |
| host | Filter by host, in either direction | `tcpdump host 192.168.1.100` |
| src host / dst host | Filter by source or destination host | `tcpdump src host 192.168.1.100`, `tcpdump dst host 192.168.1.100` |
| icmp / tcp / udp / arp | Filter by protocol (filter keywords are lower-case) | `tcpdump icmp`, `tcpdump tcp`, `tcpdump udp`, `tcpdump arp` |
Capture SSH traffic on eth0:

```shell
tcpdump -s 0 -i eth0 port 22   # -s sets the snapshot length; 0 captures whole packets
```

Output:

```
18:40:38.508411 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 6190212:6190368, ack 2845, win 344, length 156
18:40:38.508429 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 6190368:6190620, ack 2845, win 344, length 252
18:40:38.508444 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 6190620:6190776, ack 2845, win 344, length 156
18:40:38.508459 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 6190776:6190932, ack 2845, win 344, length 156
18:40:38.508474 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 6190932:6191088, ack 2845, win 344, length 156
18:40:38.508489 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 6191088:6191244, ack 2845, win 344, length 156
18:40:38.508504 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 6191244:6191400, ack 2845, win 344, length 156
```

While capturing you can also add -vvv to print detailed protocol information to the console.
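
The one-line format above (source, destination, TCP flags, sequence numbers and a trailing `length N`) is easy to post-process. The following POSIX shell functions are an added example and not part of the original page: they summarize per-direction flows and flag sources that send bare SYNs to many targets, the kind of quick triage you would do on a capture like the one above. They assume the capture was run with -nn (numeric hosts and ports; the page's own output shows resolved names such as vm10-0-0-31.ssh). The sample lines, hosts, ports and the threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: post-process tcpdump's one-line TCP output.
# Assumes the capture was run with -nn (numeric hosts/ports); with name resolution the
# port would appear as "ssh" and the keys below would differ accordingly.

# Constructed sample lines in tcpdump's -nn output format (hosts and ports are made up).
sample_capture() {
    cat <<'EOF'
18:40:38.508411 IP 10.0.0.31.22 > 10.0.0.125.45968: Flags [P.], seq 6190212:6190368, ack 2845, win 344, length 156
18:40:38.508429 IP 10.0.0.31.22 > 10.0.0.125.45968: Flags [P.], seq 6190368:6190620, ack 2845, win 344, length 252
18:40:38.508600 IP 10.0.0.125.45968 > 10.0.0.31.22: Flags [.], ack 6190620, win 501, length 0
18:40:39.000100 IP 10.0.0.200.51000 > 10.0.0.31.22: Flags [S], seq 1000, win 1024, length 0
18:40:39.000200 IP 10.0.0.200.51000 > 10.0.0.31.80: Flags [S], seq 1001, win 1024, length 0
18:40:39.000300 IP 10.0.0.200.51000 > 10.0.0.31.443: Flags [S], seq 1002, win 1024, length 0
18:40:39.000400 IP 10.0.0.31.22 > 10.0.0.200.51000: Flags [S.], seq 5000, ack 1001, win 64240, options [mss 1460], length 0
EOF
}

# Per-direction flow summary: packets, payload bytes (the trailing "length N" field)
# and the number of bare SYNs.  Field layout of a TCP line:
#   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 "Flags"  $7 "[flags],"  ...  $NF length
summarize_flows() {
    awk '
    $2 == "IP" && $6 == "Flags" {
        dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/\[|\]|,/, "", flags)
        key = $3 " > " dst
        pkts[key]++
        bytes[key] += $NF
        if (flags == "S") syn[key]++
    }
    END {
        for (k in pkts)
            printf "%s pkts=%d bytes=%d syn=%d\n", k, pkts[k], bytes[k], syn[k] + 0
    }' | LC_ALL=C sort
}

# Quick port-scan heuristic: sources that sent a bare SYN to at least $1 distinct
# host:port targets (default 10).  IPv6 lines ("IP6") are not handled.
syn_scan_check() {
    awk -v thr="${1:-10}" '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        n = split($3, parts, ".")
        src = substr($3, 1, length($3) - length(parts[n]) - 1)   # strip the source port
        dst = $5; sub(/:$/, "", dst)
        if (!((src SUBSEP dst) in seen)) { seen[src SUBSEP dst] = 1; targets[src]++ }
    }
    END {
        for (h in targets)
            if (targets[h] >= thr) printf "%s distinct_syn_targets=%d\n", h, targets[h]
    }' | LC_ALL=C sort
}

# Demo on the constructed lines.  Against a live capture you would pipe tcpdump in, e.g.
#   tcpdump -nn -l -i eth0 -c 1000 tcp | summarize_flows
# (-l makes tcpdump line-buffer stdout so the pipe is fed as packets arrive).
sample_capture | summarize_flows
sample_capture | syn_scan_check 2
```

The flow key is directional, so a conversation shows up as two lines; `bytes` is TCP payload only, not frame size, because that is what tcpdump's `length` field reports for TCP.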
Capture all TCP traffic on eth0:

```shell
tcpdump -s 0 -i eth0 tcp
```

Output:

```
14:20:13.184251 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 5947548:5947704, ack 2917, win 344, length 156
14:20:13.184268 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 5947704:5947956, ack 2917, win 344, length 252
14:20:13.184284 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 5947956:5948112, ack 2917, win 344, length 156
14:20:13.184299 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 5948112:5948268, ack 2917, win 344, length 156
14:20:13.184314 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 5948268:5948424, ack 2917, win 344, length 156
14:20:13.184329 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 5948424:5948580, ack 2917, win 344, length 156
14:20:13.184344 IP vm10-0-0-31.ssh > 10.0.0.125.45968: Flags [P.], seq 5948580:5948736, ack 2917, win 344, length 156
```

Capture only ICMP packets whose destination is 10.0.0.120, with verbose output:

```shell
tcpdump -s 0 -i eth0 -vvv dst 10.0.0.120 and icmp
# "and" is the logical AND operator; "or" and "not" are also available, and sub-expressions
# can be grouped with parentheses (quote the expression so the shell does not interpret them)
```

Output:

```
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:07:01.905937 IP (tos 0x0, ttl 64, id 38277, offset 0, flags [none], proto ICMP (1), length 84)
    vm10-0-0-31 > 10.0.0.120: ICMP echo reply, id 8629, seq 4, length 64
19:07:02.905950 IP (tos 0x0, ttl 64, id 39081, offset 0, flags [none], proto ICMP (1), length 84)
    vm10-0-0-31 > 10.0.0.120: ICMP echo reply, id 8629, seq 5, length 64
19:07:03.905965 IP (tos 0x0, ttl 64, id 39236, offset 0, flags [none], proto ICMP (1), length 84)
    vm10-0-0-31 > 10.0.0.120: ICMP echo reply, id 8629, seq 6, length 64
19:07:04.905974 IP (tos 0x0, ttl 64, id 39846, offset 0, flags [none], proto ICMP (1), length 84)
```

Write the raw packets to a file instead of decoding them on the console (nothing is printed while writing; add -v to get a periodic packet count on stderr):

```shell
tcpdump -s 0 -i eth0 -w test.cap
```

Press Ctrl+C to stop the capture manually.
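
For anything longer than an interactive session you want the file rotated, compressed and written without keeping root for the whole run, and you want to confirm what was actually written. The script below is an added example, not part of the original page or of tcpdump itself. It combines the -G, -W, -z and -Z options from the synopsis above into a rotating capture, and decodes the 24-byte pcap global header that -w writes so you can see the byte order, timestamp precision (cf. --time-stamp-precision), snaplen (cf. -s) and link type of a file. The capture directory `/var/tmp/caps`, the unprivileged account `tcpdump` and the sample header are assumptions; the sample file is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original page: a rotating long-running capture plus a
# decoder for the pcap global header.  Assumed (hypothetical): capture directory
# /var/tmp/caps and an unprivileged account named "tcpdump" to drop privileges to.

# Long-running capture with rotation, using flags from the synopsis:
#   -G 3600  start a new file every hour, named via strftime(3) patterns in -w
#   -W 24    stop after 24 files (with -C instead of -G, -W makes a ring buffer instead)
#   -z gzip  run "gzip <file>" on each file once it is closed
#   -Z user  drop root after opening the interface; the directory must be writable by that user
# Must be started as root; this script never calls it unless you do.
start_rotating_capture() {
    dir=${1:-/var/tmp/caps}
    mkdir -p "$dir" && chown tcpdump "$dir"
    tcpdump -i any -nn -s 0 -G 3600 -W 24 -z gzip -Z tcpdump \
        -w "$dir/cap-%Y%m%d-%H%M%S.pcap" 'not port 22'   # leave out our own SSH session
}

# Read a 32-bit unsigned field at a byte offset from a file in the given byte order.
read_u32() {  # file offset little|big
    order=$3
    set -- $(od -An -tx1 -j"$2" -N4 "$1")
    if [ "$order" = little ]; then hex="$4$3$2$1"; else hex="$1$2$3$4"; fi
    echo $((0x$hex))
}

# Decode the 24-byte pcap global header: magic number (byte order and timestamp
# precision), snaplen at offset 16 and link type at offset 20.
pcap_header_info() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) order=little; prec=microsecond ;;
        a1b2c3d4) order=big;    prec=microsecond ;;
        4d3cb2a1) order=little; prec=nanosecond ;;
        a1b23c4d) order=big;    prec=nanosecond ;;
        *) echo "not a pcap file (magic $magic)" >&2; return 1 ;;
    esac
    snaplen=$(read_u32 "$f" 16 "$order")
    linktype=$(read_u32 "$f" 20 "$order")
    case "$linktype" in
        1)   name=EN10MB ;;      # Ethernet, what "-i eth0" writes
        113) name=LINUX_SLL ;;   # Linux cooked capture, what "-i any" writes
        276) name=LINUX_SLL2 ;;  # cooked v2, written by newer libpcap for "-i any"
        *)   name=other ;;
    esac
    echo "$order $prec snaplen=$snaplen linktype=$linktype($name)"
}

# Constructed sample: a global header only (no packet records), little-endian,
# microsecond timestamps, version 2.4, snaplen 262144, link type 1 (EN10MB).
make_sample_pcap() {
    {
        printf '\324\303\262\241'   # magic 0xa1b2c3d4 stored little-endian
        printf '\002\000\004\000'   # version 2.4
        printf '\000\000\000\000'   # thiszone
        printf '\000\000\000\000'   # sigfigs
        printf '\000\000\004\000'   # snaplen 262144
        printf '\001\000\000\000'   # linktype 1 = EN10MB
    } > "$1"
}

# Demo on the constructed file.  On a real file: pcap_header_info /var/tmp/caps/cap-....pcap
sample=$(mktemp)
make_sample_pcap "$sample"
pcap_header_info "$sample"
rm -f "$sample"
```

The header check is worth running on rotated files before shipping them anywhere: a truncated or zero-byte file from a crashed rotation fails the magic check, and a snaplen smaller than you expected (from an old -s default) explains why Wireshark later shows `[Packet size limited during capture]`.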
The saved file can be analyzed further with tools such as Wireshark, or read back with tcpdump itself (add -n or -nn to skip name resolution while reading):

```shell
tcpdump -r test.cap
```

Reference: Tcpdump
