1,206 瀏覽數

Linux command – tcpdump

有時候設定一些跟網路相關的服務,服務雖然是啟動的,但是功能卻是有問題,這時候可透過 #tcpdump 這個指令來觀看目前封包的狀況.

測試環境為 Ubuntu 16.04 64bits

直接下 tcpdump 就可以看到所有的封包,但資料量太大了,封包資訊一下就過去了,可以加入參數來使用.

root@ubuntu:~# tcpdump
01:12:49.391892 IP 172.16.15.1.56792 > 172.16.15.208.ssh: Flags [.], ack 4256592, win 4081, options [nop,nop,TS val 864031640 ecr 535604], length 0
01:12:49.391917 IP 172.16.15.208.ssh > 172.16.15.1.56792: Flags [P.], seq 4257056:4257448, ack 2521, win 294, options [nop,nop,TS val 535604 ecr 864031640], length 392
...
^c
1561 packets captured
18232 packets received by filter
16665 packets dropped by kernel

promiscuous mode (混雜模式),讓網卡能接收所有經過它的封包,不管其目的地址是否與他有關.

root@ubuntu:~# dmesg
...
[   50.984751] device ens33 entered promiscuous mode
[   62.948837] device ens33 left promiscuous mode

-i interface

– 指定 tcpdump 所要監看的網路介面.

root@ubuntu:~# tcpdump -i ens33

-q

– Quick (quiet) 的封包輸出.封包以較少的資訊輸出.

root@ubuntu:~# tcpdump -i ens33 -q
...
01:13:33.487482 IP 172.16.15.1.56792 > 172.16.15.208.ssh: tcp 0
01:13:33.487502 IP 172.16.15.208.ssh > 172.16.15.1.56792: tcp 200

-w file

– Write the raw packets to file rather than parsing and printing them out.

-r file

– Read packets from file
有時候來不及直接看內容,建議可以儲存到檔案來觀看, -w 寫入檔案(raw packets), -r 讀取檔案

root@ubuntu:~# tcpdump -i ens33 -w tcpdump.txt
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C6 packets captured
7 packets received by filter
0 packets dropped by kernel
root@ubuntu:~# ls
tcpdump.txt
root@ubuntu:~# tcpdump -r tcpdump.txt
reading from file tcpdump.txt, link-type EN10MB (Ethernet)
01:24:48.774307 IP 172.16.15.208.ssh > 172.16.15.1.56792: Flags [P.], seq 2365396806:2365396850, ack 3797073080, win 294, options [nop,nop,TS val 715449 ecr 864741399], length 44
....

-nn

– 使用 IP 及 port number 來顯示(預設會顯示已知的主機與服務名稱).

root@ubuntu:~# tcpdump -i ens33 -nn 
01:48:15.861678 IP 172.16.15.208.22 > 172.16.15.1.56792: Flags [P.], seq 3176652:3177904, ack 1909, win 294, options [nop,nop,TS val 1067221 ecr 866140693], length 1252

沒使用時會顯示成 ssh (非 22 port)

root@ubuntu:~# tcpdump -i ens33
02:18:42.435672 IP 172.16.15.208.ssh > 172.16.15.1.56792: Flags [P.], seq 3655568:3655960, ack 2161, win 294, options [nop,nop,TS val 1523865 ecr 867961826], length 392

port

– 指定監視的埠 port , 可以是數字,也可以是服務名稱

root@ubuntu:~# tcpdump -i ens33 -nn port 22
....
02:21:01.052584 IP 172.16.15.1.56792 > 172.16.15.208.22: Flags [.], ack 11096912, win 4078, options [nop,nop,TS val 868099150 ecr 1558519], length 0
02:21:01.052605 IP 172.16.15.208.22 > 172.16.15.1.56792: Flags [P.], seq 11097420:11097632, ack 6625, win 294, options [nop,nop,TS val 1558519 ecr 868099150], length 212
02:21:01.052830 IP 172.16.15.1.56792 > 172.16.15.208.22: Flags [.], ack 11097420, win 4080, options [nop,nop,TS val 868099151 ecr 1558519], length 0
^C
57115 packets captured
57147 packets received by filter
30 packets dropped by kernel
root@ubuntu:~# tcpdump -i ens33 -nn port ssh
02:25:20.581604 IP 172.16.15.1.56792 > 172.16.15.208.ssh: Flags [.], ack 2214756, win 4083, options [nop,nop,TS val 868356938 ecr 1623401], length 0

host

– 指定監視的 host , 還可以指定 src (Source),也可以是 dst (destination)

root@ubuntu:~# tcpdump -i ens33 host 172.16.15.208
root@ubuntu:~# tcpdump -i ens33 src host 172.16.15.208
...
02:26:52.539255 IP 172.16.15.208.ssh > 172.16.15.1.56792: Flags [P.], seq 1092476:1092680, ack 613, win 294, options [nop,nop,TS val 1646391 ecr 868448203], length 204
02:26:52.539466 IP 172.16.15.208.ssh > 172.16.15.1.56792: Flags [P.], seq 1092680:1092884, ack 613, win 294, options [nop,nop,TS val 1646391 ecr 868448203], length 204
^C
5275 packets captured
5284 packets received by filter
9 packets dropped by kernel

net

– host 只能針對單一的 Host ,net 可以針對某個網域進行封包的監視.

root@ubuntu:~# tcpdump -i ens33 net 172.16

and & or

– 剛剛那些篩選條件還可以使用 and (所有條件都需要成立) 或是 or (其中一個條件成立即可)

root@ubuntu:~# tcpdump -i ens33 'port ssh and src host 172.16.15.208' 
root@ubuntu:~# tcpdump -i ens33 'port ssh or src host 172.16.15.208'

-v , -vv , -vvv

– 更詳細的輸出.

root@ubuntu:~# tcpdump -i ens33 -v ip6 
root@ubuntu:~# tcpdump -i ens33 -vv ip6

udp

– 預設監控 tcp 也可以指定為 udp

root@ubuntu:~# tcpdump -i ens33 udp

wireshark

– 不習慣用文字介面,還可以選擇圖示的 wireshark

root@ubuntu:~# apt install wireshark
root@ubuntu:~# wireshark

發表迴響