tcpdump
```
tcpdump -Xnnnps0 -i any port $port and host $host
```

`-Xnnnps0` bundles `-X -nn -p -s 0` (the third `n` is harmless):

- `-nn`: do not resolve addresses to host names, and do not convert protocol or port numbers into names (a single `-n` only disables host-name lookup, so port 3000 is still printed as its `/etc/services` name).
- `-X`: print each packet's headers and payload as captured, in hex and ASCII.
- `-p`: do not put the interface into promiscuous mode. This is not a guarantee: the interface may already be promiscuous for other reasons, so it sometimes appears to have no effect.
- `-s`: snapshot length. `-s 0` captures the whole packet and prevents truncation (tcpdump 4.x treats 0 as the default of 262144 bytes). Older tcpdump releases defaulted to only 68 bytes, which cut off almost every payload; current releases default to 262144 bytes.
- `-i`: interface to capture on (`any` on Linux captures on all interfaces, in cooked LINUX_SLL format).
- `port`: match packets with this source or destination port.
- `host`: match packets with this source or destination address.

Other common options:

- `-c`: Count, stop after this many packets.
- `-l`: make stdout line-buffered, so each line is flushed as soon as it is complete. This is what makes `tcpdump ... | grep` usable: Linux/UNIX stdio has three buffering modes (fully buffered, line buffered, unbuffered); stderr is unbuffered, a terminal is normally line buffered, and everything else, including a pipe, is fully buffered by default, so without `-l` nothing reaches the next command until the buffer fills.
- `-e`: print the link-layer header, i.e. source and destination MAC and the network-layer protocol (EtherType).
- `-w`: write the raw packets to a file in pcap format instead of decoding them (`-r` reads such a file back).

### Filter expressions

See `man pcap-filter`. An expression is built from primitives, each a qualifier plus an identifier, and there are three kinds of qualifier: type, direction (dir) and protocol (proto). Their combinations make up the filter.

Types:

1. `host`: a host name or IP address, e.g. `'host roclinux.cn'` or `'host 202.112.18.34'`
2. `net`: a network, e.g. `'arp net 128.3'` or `'dst net 128.3'`
3. `port`: a port, e.g. `'port 20'`
4. `portrange`: a port range, e.g. `'src or dst portrange 6000-6008'`

If no type qualifier is given, `host` is assumed.

dir: `src`, `dst`, `src or dst`, `src and dst`, and for 802.11 frames `ra`, `ta`, `addr1`, `addr2`, `addr3` and `addr4`. If no dir qualifier is given, `src or dst` is assumed.

proto: `ether`, `fddi`, `tr`, `wlan`, `ip`, `ip6`, `arp`, `rarp`, `decnet`, `tcp` and `udp`. If no proto qualifier is given, every protocol consistent with the type is assumed (so `port 53` matches both TCP and UDP).

1) Packets between 192.168.2.45 and either 192.168.1.1 or 192.168.2.1. The parentheses are escaped so the shell does not interpret them; an identifier without a qualifier inherits the most recent one, so both addresses in the parentheses are treated as `host`:

```
# tcpdump host 192.168.2.45 and \(192.168.1.1 or 192.168.2.1 \)
```

2) `proto [ expr : size ]`

`proto` is the protocol whose header the offset is relative to (`ether`, `ip`, `tcp`, `udp`, `icmp`, ...), `expr` is the byte offset into that header and `size` is how many bytes to read from that offset (1, 2 or 4). If `size` is omitted it is 1. So `ip[2:2]` reads bytes 3 and 4 of the IP header (the total length field) and `ip[0]` reads its first byte (version and header length).

3) `tcp[tcpflags]`

Only SYN packets:

```
# tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'
```

Packets with both SYN and ACK set:

```
# tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'
```

RST packets (`tcp[13]` is the flags byte, the same thing `tcp[tcpflags]` names, and the RST bit is 0x04):

```
# tcpdump -i eth1 'tcp[13] & 4 = 4'
```

HTTP GET requests, i.e. segments whose first four payload bytes are `"GET "` (0x47455420). `tcp[12]` holds the data offset in its high nibble, so `tcp[12]>>2` is the TCP header length in bytes (strictly `(tcp[12]&0xf0)>>2`, in case the reserved bits are ever set) and `tcp[(tcp[12]>>2):4]` reads the first four bytes after the header:

```
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'
```

The original note used 0x5353482D here; that is the ASCII for `"SSH-"` and matches SSH version banners, not HTTP GET.

### exec

The `exec` builtin replaces the current shell process with the given command instead of forking a child: no subshell is started, and the shell does not come back when the command exits. The exported environment is inherited by the new program. The one case in which `exec` keeps the current shell is `exec` with redirections and no command: the redirections are then applied to the running shell itself, which is how file descriptors are opened and closed for later use.

I/O redirection works on file descriptors. A POSIX shell guarantees fds 0 to 9: 0 is stdin, 1 stdout, 2 stderr, and 3 to 9 are free for the script.

Common redirections:

- `>&-` closes standard output; `n>&-` closes fd n.
- `2>&1` duplicates fd 1 onto fd 2. This does not mean "fd 2 gets the value of fd 1"; it means fd 2 is pointed at whatever fd 1 points at at that moment, because `>` changes where the data goes. Redirections are applied left to right, so `cmd >file 2>&1` sends both streams to the file, while `cmd 2>&1 >file` sends only stdout to the file and stderr to wherever stdout pointed before.
- `[j]<>filename` opens `filename` for reading and writing and assigns fd j to it, creating the file if it does not exist. If j is omitted, fd 0 (stdin) is used.

This is typically used to write into a file at a chosen place, or to keep one handle open across many writes:

```
exec 3<> File    # open "File" read/write and assign fd 3 to it
```
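An added example, not from the original page, showing `exec` applied only to file descriptors (so the shell survives) and why the order of `2>&1` and `>file` matters. It assumes a POSIX sh with `mktemp` available; the function names and the scratch file are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original page): exec on file descriptors.

fd_demo() {
    fd_tmp=$(mktemp) || return 1
    exec 3<>"$fd_tmp"              # open the scratch file read/write and bind it to fd 3;
                                   # no command is given, so the current shell keeps running
    printf 'line1\nline2\n' >&3    # write through fd 3
    exec 3>&-                      # close fd 3; the file itself is untouched
    cat "$fd_tmp"                  # read back what went through fd 3
    rm -f "$fd_tmp"
}

redir_order() {
    ro_tmp=$(mktemp) || return 1
    # Redirections apply left to right. "2>&1 >file" first makes fd 2 a copy of fd 1
    # as it is *now* (the caller's stdout), and only then points fd 1 at the file.
    # Result: "err" still reaches the caller, only "out" lands in the file.
    { echo out; echo err >&2; } 2>&1 >"$ro_tmp"
    printf 'file=%s\n' "$(cat "$ro_tmp")"
    rm -f "$ro_tmp"
}

fd_demo
redir_order
```

To read back through the same descriptor you would have to reopen it: `<>` leaves the offset at the end of what you wrote and POSIX sh has no seek, which is why the demo reads the file with `cat`. Swap the two redirections in `redir_order` (`>"$ro_tmp" 2>&1`) and both lines end up in the file.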
Packets to or from a single host:

```
# tcpdump host 172.16.5.51
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:49:26.202556 IP 172.16.1.3 > 172.16.5.51: ICMP echo request, id 4, seq 22397, length 40
17:49:26.203002 IP 172.16.5.51 > 172.16.1.3: ICMP echo reply, id 4, seq 22397, length 40
```
Show all FTP sessions to 202.40.100.5 (control port 21 and data port 20; `dst` keeps only the direction towards the host):

```
# tcpdump -i eth1 'dst 202.40.100.5 and (port 21 or 20)'
```

HTTP traffic on eth0:

```
$ tcpdump -n -i eth0 port 80
```

Monitor the network but exclude SSH on port 22 (equivalent to `not port 22`):

```
$ sudo tcpdump -n not dst port 22 and not src port 22
```

Show all HTTP sessions to 192.168.0.5:

```
# tcpdump -ni eth0 'dst 192.168.0.5 and tcp and port http'
```

Monitor DNS traffic (UDP only; add `or tcp port 53` to see zone transfers and large responses):

```
# tcpdump -i eth0 'udp port 53'
```

Save the raw packets to a file with `-w` (the file is binary pcap, whatever its extension, so a `.pcap` name is clearer than `.txt`):

```
# tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80
```

Analyze the output file with Wireshark, available from:

http://www.wireshark.org/
`src`: match on the source

```
# tcpdump -ni eth1 'tcp and src port 3000'
```

`dst`: match on the destination

```
# tcpdump -ni eth1 'tcp and dst port smtp'
```

Demonstration of `src` versus `dst`. Port 3000 is printed as `hbci` because a single `-n` only disables host-name lookup; `-nn` would print the number. Note also the burst of SYNs from one client within about a millisecond, each on a different source port, i.e. parallel connections to the same service:

```
[root@netkiller ~]# tcpdump -ni eth1 'tcp and dst port 3000'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:08:11.763041 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [S], seq 2048018668, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763383 IP 219.90.123.138.12047 > 47.90.44.87.hbci: Flags [S], seq 2468955264, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763774 IP 219.90.123.138.27092 > 47.90.44.87.hbci: Flags [S], seq 3069483725, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763855 IP 219.90.123.138.8602 > 47.90.44.87.hbci: Flags [S], seq 2460960642, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.764323 IP 219.90.123.138.10480 > 47.90.44.87.hbci: Flags [S], seq 1687488150, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.786487 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 1705484229, win 257, length 0
09:08:11.786535 IP 219.90.123.138.12047 > 47.90.44.87.hbci: Flags [.], ack 461089870, win 257, length 0
09:08:11.786543 IP 219.90.123.138.27092 > 47.90.44.87.hbci: Flags [.], ack 2893320938, win 257, length 0
09:08:11.788955 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [P.], seq 0:1025, ack 1, win 257, length 1025
09:08:11.789671 IP 219.90.123.138.10480 > 47.90.44.87.hbci: Flags [.], ack 1815033342, win 257, length 0
09:08:11.789692 IP 219.90.123.138.8602 > 47.90.44.87.hbci: Flags [.], ack 1519500600, win 257, length 0
09:08:11.886937 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 2415, win 257, length 0
09:08:11.889665 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 5215, win 257, length 0
09:08:11.893673 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 8015, win 257, length 0
09:08:11.904151 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 10815, win 257, length 0
09:08:11.904707 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 13615, win 257, length 0
09:08:11.914796 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 17815, win 257, length 0
09:08:11.923904 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 19215, win 257, length 0
09:08:11.979687 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 19880, win 254, length 0
09:08:14.761388 IP 219.90.123.138.28461 > 47.90.44.87.hbci: Flags [S], seq 3215826970, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:14.782284 IP 219.90.123.138.28461 > 47.90.44.87.hbci: Flags [.], ack 1574781090, win 257, length 0
^C
21 packets captured
22 packets received by filter
0 packets dropped by kernel
```

```
[root@netkiller ~]# tcpdump -ni eth1 'tcp and src port 3000'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:08:41.241996 IP 47.90.44.87.hbci > 219.90.123.138.28461: Flags [F.], seq 1574781090, ack 3215826972, win 115, length 0
09:08:41.242395 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [S.], seq 1277500664, ack 2163858186, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.242498 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [S.], seq 1906857203, ack 3261786724, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.243081 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [S.], seq 3451566690, ack 2095717279, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.243223 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [S.], seq 943843868, ack 3740664697, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.243413 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [S.], seq 1814275155, ack 3577858982, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.247070 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], ack 2048020719, win 147, length 0
09:08:41.436542 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [P.], seq 0:1014, ack 1, win 147, length 1014
09:08:41.436595 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 1014:3814, ack 1, win 147, length 2800
09:08:41.436608 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 3814:6614, ack 1, win 147, length 2800
09:08:41.436613 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 6614:9414, ack 1, win 147, length 2800
09:08:41.436617 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 9414:12214, ack 1, win 147, length 2800
09:08:41.436624 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 12214:13614, ack 1, win 147, length 1400
09:08:41.458774 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 13614:16414, ack 1, win 147, length 2800
09:08:41.461374 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 16414:19214, ack 1, win 147, length 2800
09:08:41.461388 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [P.], seq 19214:19879, ack 1, win 147, length 665
09:08:41.485084 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [.], ack 1011, win 130, length 0
09:08:41.485958 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], ack 999, win 130, length 0
09:08:41.486888 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [.], ack 998, win 130, length 0
09:08:41.487791 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [.], ack 1005, win 130, length 0
09:08:41.488224 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 1:139, ack 999, win 130, length 138
09:08:41.488291 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [.], ack 983, win 130, length 0
09:08:41.489100 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [P.], seq 1:139, ack 1011, win 130, length 138
09:08:41.491998 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [P.], seq 1:139, ack 998, win 130, length 138
09:08:41.492653 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 12214:13614, ack 1, win 147, length 1400
09:08:41.494013 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [P.], seq 1:139, ack 1005, win 130, length 138
09:08:41.499825 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [P.], seq 1:139, ack 983, win 130, length 138
09:08:41.514427 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 139:277, ack 1980, win 146, length 138
09:08:41.688727 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [P.], seq 139:277, ack 2005, win 146, length 138
09:08:41.689548 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 277:415, ack 2998, win 162, length 138
09:08:41.824277 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 415:651, ack 3932, win 178, length 236
09:08:41.824391 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 651:3451, ack 3932, win 178, length 2800
09:08:41.824427 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 3451:6251, ack 3932, win 178, length 2800
09:08:41.824451 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 6251:7651, ack 3932, win 178, length 1400
09:08:41.846233 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 7651:8537, ack 3932, win 178, length 886
^C
35 packets captured
36 packets received by filter
0 packets dropped by kernel
```

Packets towards an SMTP server, captured on the `any` pseudo-interface (note the LINUX_SLL "Linux cooked" link type):

```
# tcpdump -ni any 'tcp and dst host 184.105.206.82 and port 25'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
05:46:31.833762 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [.], ack 231639512, win 229, options [nop,nop,TS val 2464661680 ecr 1677502875], length 0
05:46:31.833826 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 2464661680 ecr 1677502875], length 21
05:46:32.515302 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 21:52, ack 62, win 229, options [nop,nop,TS val 2464662361 ecr 1677503046], length 31
05:46:32.886948 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 52:80, ack 70, win 229, options [nop,nop,TS val 2464662733 ecr 1677503139], length 28
```
Capture a single CDP (Cisco Discovery Protocol) frame to find out which switch and port you are plugged into. CDP is carried in LLC/SNAP frames: 14 bytes of Ethernet header, 3 bytes of LLC and a 3-byte OUI put the 2-byte SNAP protocol ID at offset 20, and 0x2000 is CDP. The frame tells anyone on the segment the switch model, IOS version, management address and native VLAN, which is why CDP is normally disabled on user-facing ports.

```
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
[sudo] password for neo:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
13:51:31.825893 CDPv2, ttl: 180s, checksum: 692 (unverified), length 375
    Device-ID (0x01), length: 7 bytes: '4A3750G'
    Version String (0x05), length: 182 bytes:
      Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
      Copyright (c) 1986-2007 by Cisco Systems, Inc.
      Compiled Thu 19-Jul-07 19:15 by nachen
    Platform (0x06), length: 23 bytes: 'cisco WS-C3750G-24TS-1U'
    Address (0x02), length: 13 bytes: IPv4 (1) 193.168.0.254
    Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15'
    Capability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping
    Protocol-Hello option (0x08), length: 32 bytes:
    VTP Management Domain (0x09), length: 3 bytes: 'example'
    Native VLAN ID (0x0a), length: 2 bytes: 11
    Duplex (0x0b), length: 1 byte: full
    AVVID trust bitmap (0x12), length: 1 byte: 0x00
    AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
    Management Addresses (0x16), length: 13 bytes: IPv4 (1) 193.168.0.254
    unknown field type (0x1a), length: 12 bytes:
      0x0000:  0000 0001 0000 0000 ffff ffff
1 packets captured
1 packets received by filter
0 packets dropped by kernel
```

The same capture on a different segment:

```
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
13:52:03.451238 CDPv2, ttl: 180s, checksum: 692 (unverified), length 420
    Device-ID (0x01), length: 9 bytes: 'O9-Switch'
    Version String (0x05), length: 248 bytes:
      Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2011 by Cisco Systems, Inc.
      Compiled Thu 05-May-11 16:56 by prod_rel_team
    Platform (0x06), length: 22 bytes: 'cisco WS-C2960S-48TD-L'
    Address (0x02), length: 4 bytes:
    Port-ID (0x03), length: 20 bytes: 'GigabitEthernet1/0/8'
    Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
    Protocol-Hello option (0x08), length: 32 bytes:
    VTP Management Domain (0x09), length: 0 byte: ''
1 packets captured
3 packets received by filter
0 packets dropped by kernel
```

Only the switch port (CDP advertisements are sent every 60 seconds by default, so `-c 1` may wait up to a minute):

```
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' | grep GigabitEthernet
[sudo] password for neo:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
    Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15'
1 packets captured
1 packets received by filter
0 packets dropped by kernel
```
Each line carries the TCP flags of the segment:

```
Flags [*]
  S = SYN, connection setup
  P = PUSH, the segment carries data to be delivered to the application at once
  F = FIN, orderly close
  R = RST, abortive close or rejected connection
  U = URG, W = CWR, E = ECE (rarely seen)
  . = no flag other than ACK, i.e. a pure acknowledgement
```

The ACK bit is never printed as a letter; `[.]` is an ACK-only segment, `[S.]` is SYN+ACK, `[P.]` is PSH+ACK and `[F.]` is FIN+ACK. The `ack` field that follows gives the acknowledged sequence number.
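Added example (not part of the original page): an awk summary of the one-line tcpdump output format above, counting segment types per source address. The sample lines are copied from the port-3000 capture shown earlier; the function names and the output format are the example's own. It assumes the default output format with `-n` (no `-e`, `-v` or `-X`), where `Flags` is always the sixth field and the flags token the seventh.

```shell
#!/bin/sh
# Added example (not from the original page): classify tcpdump lines by their Flags token.

summarize_flags() {
    # stdin: tcpdump one-line output such as
    #   <ts> IP <src>.<port> > <dst>.<port>: Flags [<flags>], ...
    # stdout: one line per source address with counts of each segment type
    awk '
        $2 == "IP" && $6 == "Flags" {
            src = $3; sub(/\.[^.]*$/, "", src)      # drop the trailing port or service name
            f = $7; gsub(/\[|\]|,/, "", f)          # "[S]," -> "S", "[S.]," -> "S.", "[.]," -> "."
            seen[src] = 1
            if      (f == "S")       syn[src]++     # SYN only: connection attempt
            else if (f == "S.")      synack[src]++  # SYN+ACK: server accepted
            else if (index(f, "R"))  rst[src]++
            else if (index(f, "F"))  fin[src]++
            else if (index(f, "P"))  psh[src]++     # carries data
            else if (f == ".")       ack[src]++     # pure ACK
        }
        END {
            for (s in seen)
                printf "%s syn=%d synack=%d ack=%d psh=%d fin=%d rst=%d\n",
                       s, syn[s], synack[s], ack[s], psh[s], fin[s], rst[s]
        }' | sort
}

# Sample input: lines taken from the captures shown above on this page.
SAMPLE=$(cat <<'EOF'
09:08:11.763041 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [S], seq 2048018668, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763383 IP 219.90.123.138.12047 > 47.90.44.87.hbci: Flags [S], seq 2468955264, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763774 IP 219.90.123.138.27092 > 47.90.44.87.hbci: Flags [S], seq 3069483725, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.786487 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 1705484229, win 257, length 0
09:08:11.788955 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [P.], seq 0:1025, ack 1, win 257, length 1025
09:08:41.241996 IP 47.90.44.87.hbci > 219.90.123.138.28461: Flags [F.], seq 1574781090, ack 3215826972, win 115, length 0
09:08:41.242395 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [S.], seq 1277500664, ack 2163858186, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
EOF
)

summarize_sample() {
    printf '%s\n' "$SAMPLE" | summarize_flags
}

summarize_sample
```

On a live box the same function runs as `tcpdump -nli eth1 tcp | summarize_flags` (with `-l`, otherwise nothing arrives until the pipe buffer fills). A source with a high `syn` count and few `synack` or `psh` entries from its peers is the shape of a SYN scan or a flood; the sample above is just the parallel-connection burst from the capture.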
Print the SQL statements sent to a MySQL server (port 3306), one statement per line. `-w -` writes raw packets to stdout, `strings` pulls the printable text out of them, and the perl loop glues continuation lines onto the statement they belong to. This only works when the client connection is not TLS-encrypted:

```
#!/bin/bash
tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | perl -e '
while (<>) {
    chomp;
    next if /^[^ ]+[ ]*$/;                         # skip single-token lines (noise from strings)
    if (/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
        if (defined $q) { print "$q\n"; }          # a new statement starts: flush the previous one
        $q = $_;
    } else {
        $_ =~ s/^[ \t]+//;                         # continuation line: append to the current statement
        $q .= " $_";
    }
}'
```
Show all IPv4 HTTP packets to and from port 80 that carry data, i.e. print only segments with a payload and not, for example, SYN and FIN packets or ACK-only packets. `ip[2:2]` is the IP total length, `(ip[0]&0xf)<<2` the IP header length and `(tcp[12]&0xf0)>>2` the TCP header length; their difference is the TCP payload length, and the filter keeps segments where it is not zero:

```
# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```
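Added example, not from the original page, serving both the `proto[expr:size]` / `tcp[tcpflags]` filters described earlier and the payload-length arithmetic just above: the same byte-offset expressions evaluated by hand in POSIX sh on constructed packets, so the numbers the BPF program compares become visible. The packets are hand-assembled IPv4/TCP hex strings (no link-layer header, which is also the view `ip[...]` and `tcp[...]` use) with zero checksums, since nothing here verifies them; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original page): evaluate pcap-filter byte offsets by hand.

# Constructed packets (hex). Checksums are 0: this is for offset arithmetic, not for sending.
# IPv4 (20 bytes) + TCP with a 12-byte timestamp option (32 bytes) + "GET / HTTP/1.0" (14 bytes),
# total length 66 = 0x42, flags PSH|ACK = 0x18, data offset 8 (0x80 in tcp[12]).
GET_IP='450000420001000040060000c0a80005c0a80001'
GET_TCP='c3500050000000010000000180180100000000000101080a0000000100000002'
GET_DATA='474554202f20485454502f312e30'
GET_PKT="$GET_IP$GET_TCP$GET_DATA"
# 20-byte IPv4 + 20-byte TCP, flags SYN (0x02), total length 40 = 0x28.
SYN_PKT='450000280002000040060000c0a80005c0a80001c350005000000000000000005002200000000000'
# Reply direction, flags SYN|ACK (0x12).
SYNACK_PKT='450000280003000040060000c0a80001c0a800050050c35000000001000000015012200000000000'
# Reply direction, flags RST (0x04).
RST_PKT='450000280003000040060000c0a80001c0a800050050c35000000001000000015004000000000000'

pkt_byte() {   # pkt_byte HEX OFFSET: decimal value of the byte at OFFSET, like ip[OFFSET]
    pb_hex=$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    echo $(( 0x$pb_hex ))
}
ip_hlen()   { echo $(( ($(pkt_byte "$1" 0) & 0xf) << 2 )); }                  # (ip[0]&0xf)<<2
ip_totlen() { echo $(( $(pkt_byte "$1" 2) * 256 + $(pkt_byte "$1" 3) )); }    # ip[2:2]
tcp_hlen() {                                                                  # (tcp[12]&0xf0)>>2
    th_byte=$(pkt_byte "$1" $(( $(ip_hlen "$1") + 12 )))                      # tcp[] is relative to the TCP header
    echo $(( (th_byte & 0xf0) >> 2 ))
}
tcp_flags() { pkt_byte "$1" $(( $(ip_hlen "$1") + 13 )); }                    # tcp[13], i.e. tcp[tcpflags]
tcp_payload_len() {                                                           # the "data only" filter's expression
    echo $(( $(ip_totlen "$1") - $(ip_hlen "$1") - $(tcp_hlen "$1") ))
}
payload_prefix() {                                                            # tcp[(tcp[12]>>2):4], as hex
    pp_off=$(( $(ip_hlen "$1") + $(tcp_hlen "$1") ))
    printf '%s' "$1" | cut -c "$(( pp_off * 2 + 1 ))-$(( pp_off * 2 + 8 ))"
}

classify() {   # which of the page's filters would match this packet
    cf=$(tcp_flags "$1")
    if   [ $(( cf & 4 )) -eq 4 ];     then echo RST          # tcp[13] & 4 = 4
    elif [ "$cf" -eq 2 ];             then echo SYN          # tcp[tcpflags] = tcp-syn
    elif [ $(( cf & 0x12 )) -eq 18 ]; then echo SYN-ACK      # tcp-syn != 0 and tcp-ack != 0
    elif [ "$(tcp_payload_len "$1")" -eq 0 ]; then echo ACK-only        # rejected by the != 0 filter
    elif [ "$(payload_prefix "$1")" = 47455420 ]; then echo 'HTTP GET'  # 0x47455420 is "GET "
    else echo data
    fi
}

for p in "$GET_PKT" "$SYN_PKT" "$SYNACK_PKT" "$RST_PKT"; do
    printf 'flags=0x%02x tcp_hlen=%s payload_len=%s class=%s\n' \
        "$(tcp_flags "$p")" "$(tcp_hlen "$p")" "$(tcp_payload_len "$p")" "$(classify "$p")"
done
```

The GET packet is the one worth staring at: its TCP header is 32 bytes because of the timestamp option, so a filter that assumed a 20-byte header (`tcp[20:4]`) would read the option bytes instead of `"GET "`; `tcp[(tcp[12]>>2):4]` follows the data offset and finds the payload. Substitute 5353482d for the prefix comparison and the same function picks out SSH banners instead.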
Print Oracle error messages (`ORA-nnnnn`) as they cross the wire on the listener port 1521. `-A` dumps the payload as ASCII, and the awk program re-emits every line that starts with an ORA- code, with the rest of the line as the message text:

```
tcpdump -i eth1 tcp port 1521 -A -s1500 | awk '$1 ~ "ORA-" {
    i = 1
    split($1, t, "ORA-")
    while (i <= NF) {
        if (i == 1) { printf("%s", "ORA-" t[2]) }   # the error code, stripped of any leading junk
        else        { printf("%s ", $i) }           # the message text
        i++
    }
    printf("\n")
}'
```
Hex and ASCII dump of SMTP traffic with `-X`. The ASCII column on the right shows the protocol in clear text: the `250 Ok` reply in the first packet and the `MAIL FROM:<noreply@139.com>` command in the third.

```
# tcpdump -nni any -x -X port 25 | more
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
05:55:43.133217 IP 184.105.206.85.25 > 59.153.146.101.42756: Flags [P.], seq 3205055214:3205055222, ack 3276605059, win 16022, options [nop,nop,TS val 2899843510 ecr 1568241053], length 8
    0x0000:  4500 003c c773 4000 3b06 238b b869 ce55  E..<.s@.;.#..i.U
    0x0010:  3b99 9265 0019 a704 bf09 42ee c34d 0683  ;..e......B..M..
    0x0020:  8018 3e96 1803 0000 0101 080a acd8 19b6  ..>.............
    0x0030:  5d79 759d 3235 3020 4f6b 0d0a 0000 0000  ]yu.250.Ok......
    0x0040:  0000 0000 0000 0000 0000 0000            ............
05:55:43.133247 IP 59.153.146.101.42756 > 184.105.206.85.25: Flags [.], ack 8, win 115, options [nop,nop,TS val 1568241323 ecr 2899843510], length 0
    0x0000:  4500 0034 0478 4000 4006 e18e 3b99 9265  E..4.x@.@...;..e
    0x0010:  b869 ce55 a704 0019 c34d 0683 bf09 42f6  .i.U.....M....B.
    0x0020:  8010 0073 54e4 0000 0101 080a 5d79 76ab  ...sT.......]yv.
    0x0030:  acd8 19b6 0000 0000 0000 0000 0000 0000  ................
    0x0040:  0000 0000                                ....
05:55:43.133321 IP 59.153.146.101.42756 > 184.105.206.85.25: Flags [P.], seq 1:32, ack 8, win 115, options [nop,nop,TS val 1568241323 ecr 2899843510], length 31
    0x0000:  4500 0053 0479 4000 4006 e16e 3b99 9265  E..S.y@.@..n;..e
    0x0010:  b869 ce55 a704 0019 c34d 0683 bf09 42f6  .i.U.....M....B.
    0x0020:  8018 0073 5503 0000 0101 080a 5d79 76ab  ...sU.......]yv.
    0x0030:  acd8 19b6 4d41 494c 2046 524f 4d3a 3c6e  ....MAIL.FROM:<n
    0x0040:  6f72 6570 6c79 4063 6631 3339 2e63 6f6d  oreply@139.com
    0x0050:  3e0d 0a00 0000 0000 0000 0000 0000 0000  >...............
    0x0060:  0000 00                                  ...
05:55:43.142280 IP 184.105.206.85.25 > 59.153.146.101.42756: Flags [.], ack 32, win 16022, options [nop,nop,TS val 2899843513 ecr 1568241323], length 0
    0x0000:  4500 0034 c774 4000 3b06 2392 b869 ce55  E..4.t@.;.#..i.U
    0x0010:  3b99 9265 0019 a704 bf09 42f6 c34d 06a2  ;..e......B..M..
    0x0020:  8010 3e96 d5a5 0000 0101 080a acd8 19b9  ..>.............
    0x0030:  5d79 76ab 0000 0000 0000 0000 0000 0000  ]yv.............
    0x0040:  0000 0000                                ....
05:55:43.270436 IP 203.205.160.43.25 > 202.88.38.95.39594: Flags [.], ack 1271517256, win 159, options [nop,nop,TS val 1663885325 ecr 1568241310], length 0
    0x0000:  4500 0034 18e5 4000 3806 cd2e cbcd a02b  E..4..@.8......+
    0x0010:  ca58 265f 0019 9aaa 800c c423 4bc9 d048  .X&_.......#K..H
    0x0020:  8010 009f 0716 0000 0101 080a 632c e00d  ............c,..
    0x0030:  5d79 769e 0000 0000 0000 0000 0000 0000  ]yv.............
    0x0040:  0000 0000                                ....
```
Sniffing user passwords

This only works for protocols that send credentials in clear text: HTTP without TLS, FTP, and SMTP/IMAP/POP3 without STARTTLS. `-A` prints the payload as ASCII and `-l` flushes each line so grep sees it immediately; on older tcpdump versions add `-s 0` so the payload is not truncated.

```
# tcpdump -i any port http or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
# tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
```

Mail recipients and senders seen on SMTP:

```
# tcpdump -A -q -i any port 25 | grep "RCPT TO:"
# tcpdump -l -s0 -w - tcp dst port 25 | strings | grep -i 'MAIL FROM\|RCPT TO'
```
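Added example, not part of the original page: the credential pattern from the commands above wrapped in a function that reads `tcpdump -A` text from stdin, run over a constructed snippet of what an HTTP form login and an FTP login look like in a capture. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): the password-sniffing grep, testable offline.

# The pattern from the tcpdump commands above, unchanged.
CRED_PATTERN='pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

grep_creds() {
    # stdin: payload text as printed by "tcpdump -l -A"; stdout: lines that look like credentials.
    # On a live capture add --line-buffered (GNU grep) so matches are printed as they arrive.
    grep -E -i "$CRED_PATTERN"
}

# Constructed sample of what tcpdump -A shows for a cleartext HTTP form login
# followed by a cleartext FTP login (payload lines only, headers omitted).
SAMPLE_CAPTURE=$(cat <<'EOF'
POST /login HTTP/1.1
Host: example.test
User-Agent: curl/8.0
Content-Type: application/x-www-form-urlencoded

username=alice&password=s3cret
USER bob
PASS hunter2
230 Login successful.
EOF
)

count_cred_hits() {   # number of sample lines the pattern flags
    printf '%s\n' "$SAMPLE_CAPTURE" | grep_creds | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CAPTURE" | grep_creds
```

Three lines match: the form body and the FTP `USER` and `PASS` commands. `User-Agent:` and `230 Login successful.` do not, because the pattern needs a space, `=` or `:` directly after the keyword. Point the same pipeline at port 443 or 22 and nothing will ever match, which is the argument for TLS and SSH in one command.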
Original source: Netkiller series handbook
Author: 陈景峯
Please contact the author before republishing, and always credit the original source, the author and this notice.