How to Install tcpdump in Linux
Many Linux distributions already ship the tcpdump tool. If it is not present on your system, install it with one of the following commands.
$ sudo apt install tcpdump         [On Debian, Ubuntu and Mint]
$ sudo yum install tcpdump         [On RHEL/CentOS/Fedora and Rocky/AlmaLinux]
$ sudo emerge -a sys-apps/tcpdump  [On Gentoo Linux]
$ sudo apk add tcpdump             [On Alpine Linux]
$ sudo pacman -S tcpdump           [On Arch Linux]
$ sudo zypper install tcpdump      [On OpenSUSE]
Getting Started with tcpdump Command Examples
Once tcpdump is installed on the system, you can work through the following commands and their examples.
1. Capture Packets from a Specific Interface
When you run the tcpdump command with no arguments, the output scrolls until you interrupt it, and packets are captured from all interfaces. Use the -i switch to capture only from the interface you want.
# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196
11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0
11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
11:33:31.977742 IP 172.16.25.126.44519 > tecmint.com: 40988+ PTR? 126.25.16.172.in-addr.arpa. (44)
11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46
11:33:32.348738 IP tecmint.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)
2. Capture Only N Packets
When you run the tcpdump command, it captures every packet on the given interface until you interrupt it. With the -c option, you can capture a specified number of packets instead. The following example captures only 6 packets.
# tcpdump -c 5 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:40:20.281355 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500447285:3500447481, ack 3652629474, win 18760, length 196
11:40:20.281586 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 65235, length 0
11:40:20.282244 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:40:20.282360 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:40:20.282369 IP 172.16.25.126.53216 > tecmint.com.domain: 49504+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:40:20.332494 IP tecmint.com.netbios-ssn > 172.16.26.17.nimaux: Flags [P.], seq 3058424861:3058424914, ack 693912021, win 64190, length 53 NBT Session Packet: Session Message
6 packets captured
23 packets received by filter
0 packets dropped by kernel
3. Print Captured Packets in ASCII
The tcpdump command below, with the -A option, displays the packets in ASCII format, a character-encoding scheme.
# tcpdump -A -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:31:31.347508 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3329372346:3329372542, ack 4193416789, win 17688, length 196
M.r0...vUP.EX......~.%..>N..oFk.........KQ..)Eq.d.,....r^l......m\.oyE....-....g~m..Xy.6..1.....cO@...o_..J....i.*.....2f.mQH...Qc..6....9.v.gb........;..4.).UiCY]..9..x.)..Z.XF....'|..E......M..u.5.......ul
09:31:31.347760 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64351, length 0
M....vU.r1~P.._..........
^C09:31:31.349560 IP 192.168.0.2.46393 > b.resolvers.Level3.net.domain: 11148+ PTR? 1.0.168.192.in-addr.arpa. (42)
E..F..@.@............9.5.2.f+............1.0.168.192.in-addr.arpa.....
3 packets captured
11 packets received by filter
0 packets dropped by kernel
4. Display Available Interfaces
To list the interfaces available on the system, run the following command with the -D option.
# tcpdump -D
1.eth0
2.eth1
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.usbmon3 (USB bus number 3)
6.usbmon4 (USB bus number 4)
7.usbmon5 (USB bus number 5)
8.any (Pseudo-device that captures on all interfaces)
9.lo
5. Display Captured Packets in HEX and ASCII
The following command, with the -XX option, captures the data of each packet, including its link-level header, in HEX and ASCII format.
# tcpdump -XX -i eth0
11:51:18.974360 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509235537:3509235733, ack 3652638190, win 18760, length 196
0x0000: b8ac 6f2e 57b3 0001 6c99 1468 0800 4510 ..oW..l..h..E.
0x0010: 00ec 8783 4000 4006 275d ac10 197e ac10 ....@.@.']...~..
0x0020: 197d 0016 1129 d12a af51 d9b6 d5ee 5018 .}...).*.Q....P.
0x0030: 4948 8bfa 0000 0e12 ea4d 22d1 67c0 f123 IH.......M".g..#
0x0040: 9013 8f68 aa70 29f3 2efc c512 5660 4fe8 ...hp).....V`O.
0x0050: 590a d631 f939 dd06 e36a 69ed cac2 95b6 Y..1.9...ji.....
0x0060: f8ba b42a 344b 8e56 a5c4 b3a2 ed82 c3a1 ...*4K.V........
0x0070: 80c8 7980 11ac 9bd7 5b01 18d5 8180 4536 ..y.....[.....E6
0x0080: 30fd 4f6d 4190 f66f 2e24 e877 ed23 8eb0 0.OmA..o.$.w.#..
0x0090: 5a1d f3ec 4be4 e0fb 8553 7c85 17d9 866f Z...K....S|....o
0x00a0: c279 0d9c 8f9d 445b 7b01 81eb 1b63 7f12 .y....D[{....c..
0x00b0: 71b3 1357 52c7 cf00 95c6 c9f6 63b1 ca51 q..WR..c..Q
0x00c0: 0ac6 456e 0620 38e6 10cb 6139 fb2a a756 ..En..8...a9.*.V
0x00d0: 37d6 c5f3 f5f3 d8e8 3316 d14f d7ab fd93 7..3..O....
0x00e0: 1137 61c1 6a5c b4d1 ddda 380a f782 d983 .7a.j\....8.....
0x00f0: 62ff a5a9 bb39 4f80 668a b....9O.f.
11:51:18.974759 IP 172.16.25.126.60952 > mddc-01.midcorp.mid-day.com.domain: 14620+ PTR? 125.25.16.172.in-addr.arpa. (44)
0x0000: 0014 5e67 261d 0001 6c99 1468 0800 4500 ..^g&...l..h..E.
0x0010: 0048 5a83 4000 4011 5e25 ac10 197e ac10 .HZ.@.@.^%...~..
0x0020: 105e ee18 0035 0034 8242 391c 0100 0001 .^...5.4.B9.....
0x0030: 0000 0000 0000 0331 3235 0232 3502 3136 .......125.25.16
0x0040: 0331 3732 0769 6e2d 6164 6472 0461 7270 .172.in-addr.arp
0x0050: 6100 000c 0001 a.....
6. Capture and Save Packets to a File
As mentioned, tcpdump can capture packets and save them to a file in .pcap format; simply run the command with the -w option.
# tcpdump -w 0001.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
4 packets captured
4 packets received by filter
0 packets dropped by kernel
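To show what a file written with -w actually contains, here is an added example (not code from the page or from the tcpdump project) that writes and reads back a minimal pcap file with the same link type and snaplen tcpdump reports above. The MAC, IP addresses and timestamps are constructed sample values; the reader also reports a record that was cut short, which is what a capture killed mid-write leaves behind.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # magic for microsecond timestamps, written in host byte order
LINKTYPE_ETHERNET = 1     # tcpdump reports this as "link-type EN10MB (Ethernet)"
SNAPLEN = 65535           # tcpdump reports this as "capture size 65535 bytes"

def arp_request_frame(src_mac: bytes, src_ip: bytes, tgt_ip: bytes) -> bytes:
    """Constructed sample frame: Ethernet header plus a 28-byte ARP who-has request."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"   # broadcast destination, EtherType 0x0806 (ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src_mac, src_ip, b"\0" * 6, tgt_ip)
    return eth + arp

def write_pcap(packets):
    """Serialize (seconds, microseconds, frame) tuples as a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        caplen = min(len(frame), SNAPLEN)           # bytes actually stored (snaplen-truncated)
        out += struct.pack("<IIII", sec, usec, caplen, len(frame)) + frame[:caplen]
    return out

def read_pcap(data: bytes):
    """Parse the 24-byte global header and every 16-byte record header that follows."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file (magic %#x)" % magic)
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + caplen > len(data):
            # Partial last record: report it rather than silently dropping evidence.
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec, usec, origlen, data[off:off + caplen]))
        off += caplen
    return linktype, snaplen, records

# Constructed sample: two ARP requests; the MAC is the source address seen in the -XX dump above.
SRC_MAC = bytes.fromhex("00016c991468")
SAMPLE_PACKETS = [
    (1, 977243, arp_request_frame(SRC_MAC, bytes([172, 16, 25, 126]), bytes([172, 16, 25, 125]))),
    (1, 977599, arp_request_frame(SRC_MAC, bytes([172, 16, 25, 126]), bytes([172, 16, 25, 1]))),
]

if __name__ == "__main__":
    linktype, snaplen, records = read_pcap(write_pcap(SAMPLE_PACKETS))
    print("link-type", linktype, "snaplen", snaplen, "records", len(records))
```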
8. Capture IP Address Packets
To capture packets on a specific interface, run the following command with the -n option (which prints addresses as numbers instead of resolving them to names).
# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:07:03.952358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509512873:3509513069, ack 3652639034, win 18760, length 196
12:07:03.952602 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64171, length 0
12:07:03.953311 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308
12:07:03.954288 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164
12:07:03.954502 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 65535, length 0
12:07:03.955298 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276
12:07:03.955425 IP 172.16.23.16.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
12:07:03.956299 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1236, ack 1, win 18760, length 292
12:07:03.956535 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1236, win 64967, length 0
9. Capture Only TCP Packets
To capture only TCP packets, run the following command with the tcp filter.
# tcpdump -i eth0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509646029:3509646225, ack 3652640142, win 18760, length 196
12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64687, length 0
12:10:36.219069 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308
12:10:36.220039 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164
12:10:36.220260 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 64215, length 0
12:10:36.222045 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276
12:10:36.223036 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1108, ack 1, win 18760, length 164
12:10:36.223252 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1108, win 65535, length 0
^C12:10:36.223461 IP mid-pay.midcorp.mid-day.com.netbios-ssn > 172.16.22.183.recipe: Flags [.], seq 283256512:283256513, ack 550465221, win 65531, length 1[|SMB]
10. Capture Packets on a Specific Port
Suppose you want to capture the packets of a specific port, say 22. Run the following command, specifying port 22, as shown below.
# tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364204694:3364204890, ack 4193655445, win 20904, length 196
10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 4294967244:196, ack 1, win 20904, length 248
10:37:49.196615 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64491, length 0
10:37:49.379298 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 196:616, ack 1, win 20904, length 420
10:37:49.381080 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 616:780, ack 1, win 20904, length 164
10:37:49.381322 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 780, win 65535, length 0
11. Capture Packets from a Source IP
To capture packets from a source IP, say 192.168.0.2, use the following command.
# tcpdump -i eth0 src 192.168.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196
10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168.192.in-addr.arpa. (42)
10:49:15.912165 IP 192.168.0.2.56234 > b.resolvers.Level3.net.domain: 53106+ PTR? 2.0.168.192.in-addr.arpa. (42)
10:49:16.074720 IP 192.168.0.2.33961 > b.resolvers.Level3.net.domain: 38447+ PTR? 2.2.2.4.in-addr.arpa. (38)
12. Capture Packets for a Destination IP
To capture packets for a destination IP, say 50.116.66.139, use the following command.
# tcpdump -i eth0 dst 50.116.66.139
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0
10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0
10:55:05.626027 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [.], ack 2, win 245, options [nop,nop,TS val 7959537 ecr 804759787], length 0
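The one-line summaries printed in sections 8 through 12 share one shape, "time IP src.port > dst.port: details", followed by three statistics lines when the capture stops. The following is an added example (not code from the page or from the tcpdump project) that parses those lines into per-flow counts and reads the statistics, treating a non-zero kernel drop count as a sign that the capture is incomplete. The sample lines are constructed, modelled on the src/dst output above.

```python
import re
from collections import Counter

# Shape of tcpdump's one-line packet summaries: "time IP src.port > dst.port: details"
PKT_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# Shape of the three statistics lines printed when the capture stops
STAT_RE = re.compile(r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$")

def split_endpoint(endpoint):
    """tcpdump joins host and port/service with a dot: '192.168.0.2.59896' -> ('192.168.0.2', '59896')."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line):
    """Return a dict for an IP summary line, or None for banner, ARP and other lines."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    flags = re.search(r"Flags \[([^\]]*)\]", m["rest"])    # TCP only; absent on UDP/DNS lines
    length = re.search(r"length (\d+)", m["rest"])
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags.group(1) if flags else None,
            "length": int(length.group(1)) if length else None}

def summarize(lines):
    """Count packets per (src, dst, dport) flow and collect the closing statistics."""
    flows, stats, skipped = Counter(), {}, 0
    for line in lines:
        s = STAT_RE.match(line.strip())
        if s:
            stats[s["what"]] = int(s["n"])
            continue
        pkt = parse_line(line)
        if pkt is None:
            skipped += 1          # banner lines, ARP and anything else that is not "IP"
            continue
        flows[(pkt["src"], pkt["dst"], pkt["dport"])] += 1
    # Kernel drops mean packets were lost before tcpdump saw them: the capture is not complete evidence.
    stats["complete"] = stats.get("dropped by kernel", 0) == 0
    return {"flows": flows, "stats": stats, "skipped": skipped}

# Constructed sample modelled on the src/dst captures above (not a real session).
SAMPLE_LINES = [
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
    "listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes",
    "10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, length 0",
    "10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, length 0",
    "10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168.192.in-addr.arpa. (42)",
    "10:49:15.912165 ARP, Request who-has 192.168.0.1 tell 192.168.0.2, length 28",
    "4 packets captured",
    "11 packets received by filter",
    "0 packets dropped by kernel",
]
```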