标签:centos -- Tcpdump packets 36 172.16 root tcpdump 抓包
Linux抓包工具–Tcpdump
描述
Tcpdump – dump traffic on a network;
tcpdump是类Unix系统下用于网络分析的问题排查的工具;
tcpdump支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语句进行详细匹配;
命令解释
- 命令格式
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q|-P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
-
简易理解命令格式
tcpdump [option] [proto] [dir] [type]- option 指 -csivw 等可选参数
- proto 指 tcp/udp/icmp/arp/ip/ip6 等网络协议过滤规则
- dir 指 src/dst 报文方向过滤规则
- type 指 host/net/port/portrange 等报文详细信息过滤规则
-
报文输出结构
16:12:59.147595 IP 172.16.36.216.8190 > 120.2.2.100.35688: Flags [P.], seq 306:324, ack 239, win 1143, options [nop,nop,TS val 114256936 ecr 4089685146], length 18- 第一列:报文抓取时间信息(16:12:59.147595)
- 第二列:报文网络协议(IP)
- 第三列:报文源ip和端口号(172.16.36.216.8190)
- 第四列:数据流向(>)
- 第五列:报文目的ip和端口号(120.2.2.100.35688)
- 第六列:报文详细内容
使用方式
-
tcpdump常用选项
选项 描述 -D 列出可监听的接口 -i 指定监听接口,默认监听第一个网络接口 -P/Q 设置抓取的包是进(in)还是出(out),默认抓取双向(inout) -s 设置截取数据包文的长度,默认截取96字节,0表示报文全部内容 -c 设置抓取的报文数,达到数量后自动退出 -q 简洁打印 -n 打印报文信息中ip地址显示为数字,即不将ip转为域名 -nn 打印报文信息中ip地址和端口号均显示为数字,否则显示为主机名和端口服务名 -e 打印报文信息中显示源、目的mac -XX 打印报文信息同时输出16进制和ASCII的头部信息 -vv 更加详细的打印报文信息 -w 将抓取的报文写入到文件 -r 从文件中读取报文并显示 -C 限制写入文件的大小,单位1000000byte,达到限制后生成新文件 -G 限制写入文件的时间,单位s(秒),达到限制后生成新文件 -
选项示例
- 指定监听接口
[root@centos-36_2 tmp]# tcpdump -i em2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:28:31.595244 IP 120.0.11.222.snmp > centos-36_2.44722: GetResponse(196) interfaces.ifTable.ifEntry.ifAdminStatus.1=1 16:28:31.602364 IP centos-36_2.ssh > 172.16.36.25.evb-elm: Flags [P.], seq 447760258:447760498, ack 2828329192, win 160, length 240 16:28:31.602617 IP 172.16.36.25.evb-elm > centos-36_2.ssh: Flags [.], ack 240, win 8209, length 0 [root@centos-36_2 tmp]#- 监听接口时不做主机名解析
[root@centos-36_2 tmp]# tcpdump -i em2 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:33:53.219281 IP 172.16.36.2.ssh > 172.16.36.25.evb-elm: Flags [P.], seq 448755026:448755266, ack 2828334664, win 160, length 240 16:33:53.219503 IP 172.16.36.2.ssh > 172.16.36.25.evb-elm: Flags [P.], seq 240:464, ack 1, win 160, length 224 [root@centos-36_2 tmp]#- 监听接口时不做主机名和端口服务名解析
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 3 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:37:20.941472 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 449317922:449318162, ack 2828340520, win 160, length 240 16:37:20.941693 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 240, win 8208, length 0 16:37:20.941763 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 240:464, ack 1, win 160, length 224 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 监听接口时仅捕获入方向报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c3 -P in Warning: -P switch is not compatible with the upstream version. You should use -Q instead. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 16:43:55.240671 IP 120.0.11.136.161 > 172.16.36.2.44722: GetResponse(51) .1.3.6.1.6.3.1.1.6.1.0=1461109654 .1.3.6.1.6.3.1.1.6.1.0=1461109654 16:43:55.241257 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 449356178, win 8209, length 0 16:43:55.281595 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 193, win 8208, length 0 3 packets captured 8 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 监听接口时截取报文部分信息
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c3 -s 40 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 40 bytes 17:05:45.292772 IP 172.16.36.2.22 > 172.16.36.25.1504: [|tcp] 17:05:45.292970 IP 172.16.36.2.22 > 172.16.36.25.1504: [|tcp] 17:05:45.293025 IP 172.16.36.25.1504 > 172.16.36.2.22: [|tcp] 3 packets captured 5 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 监听接口时简洁打印报文信息
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c3 -q tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 17:03:37.927450 IP 172.16.36.2.22 > 172.16.36.25.1504: tcp 240 17:03:37.927631 IP 172.16.36.25.1504 > 172.16.36.2.22: tcp 0 17:03:37.927697 IP 172.16.36.2.22 > 172.16.36.25.1504: tcp 160 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 监听接口时打印报文mac信息
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -e tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 17:34:52.798600 04:f9:38:d8:1c:30 > 01:80:c2:00:00:00, 802.3, length 105: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102 17:34:53.156985 14:18:77:33:97:d6 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 70: 192.166.160.22.62553 > 255.255.255.255.1092: UDP, length 28 2 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 监听接口时打印报文16进制和ASCII的头部信息
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -XX tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 17:36:29.365933 ARP, Request who-has 192.166.160.2 tell 192.166.160.12, length 46 0x0000: ffff ffff ffff 80f6 2e11 3b13 0806 0001 ..........;..... 0x0010: 0800 0604 0001 80f6 2e11 3b13 c0a6 a00c ..........;..... 0x0020: 0000 0000 0000 c0a6 a002 0000 0000 0000 ................ 0x0030: 0000 0000 0000 0000 0000 0000 ............ 17:36:29.823062 ARP, Request who-has 192.166.160.2 tell 192.166.160.22, length 46 0x0000: ffff ffff ffff 1418 7733 97d6 0806 0001 ........w3...... 0x0010: 0800 0604 0001 1418 7733 97d6 c0a6 a016 ........w3...... 0x0020: 0000 0000 0000 c0a6 a002 0000 0000 0000 ................ 0x0030: 0000 0000 0000 0000 0000 0000 ............ 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 监听接口时打印报文详细信息
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -vv tcpdump: listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 17:37:05.966828 IP (tos 0x0, ttl 128, id 32746, offset 0, flags [none], proto UDP (17), length 78) 192.166.160.68.137 > 192.166.160.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0xD1EC OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=TSS.UPDRV.COM NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 1 packets captured 1 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 监听接口时将抓取的报文写入文件
[root@centos-36_2 tmp]# tcpdump -i em3 -nn -c2 -w mypacket.pcap tcpdump: listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# ll mypacket.pcap \-rw-r--r-- 1 tcpdump tcpdump 208 8月 9 17:39 mypacket.pcap [root@centos-36_2 tmp]#- 读取文件中的报文信息
[root@centos-36_2 tmp]# tcpdump -nn -r mypacket.pcap reading from file mypacket.pcap, link-type EN10MB (Ethernet) 17:39:10.643065 IP 192.166.160.22.137 > 192.166.160.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST 17:39:10.911644 ARP, Request who-has 192.166.160.26 tell 192.166.160.29, length 46 [root@centos-36_2 tmp]#- 监听接口将报文写入文件,达到2min或文件大小超过1M时生成新文件
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -w /tmp/capture-%H%M.pcap -G 120 -C 1& [1] 86939 [root@centos-36_2 tmp]# tcpdump: listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# ll -h | grep capture \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:13 capture-1511.pcap \-rw-r--r-- 1 tcpdump tcpdump 528K 8月 10 15:13 capture-1511.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 982K 8月 10 15:15 capture-1513.pcap \-rw-r--r-- 1 tcpdump tcpdump 245K 8月 10 15:15 capture-1513.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:16 capture-1515.pcap \-rw-r--r-- 1 tcpdump tcpdump 738K 8月 10 15:17 capture-1515.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:19 capture-1517.pcap \-rw-r--r-- 1 tcpdump tcpdump 527K 8月 10 15:19 capture-1517.pcap1 \-rw-r--r-- 1 tcpdump tcpdump 977K 8月 10 15:20 capture-1519.pcap \-rw-r--r-- 1 tcpdump tcpdump 364K 8月 10 15:21 capture-1519.pcap1 [root@centos-36_2 tmp]# -
tcpdump常用过滤条件
过滤条件 描述 ether 过滤指定二层协议的报文 host 过滤指定ip的报文 net 过滤指定ip网段的报文 port 过滤指定端口的报文 portrange 过滤指定端口范围的报文 tcp 过滤tcp报文 udp 过滤udp报文 icmp 过滤icmp报文 arp 过滤arp报文 src 指定过滤规则为源(ip/prot) dst 指定过滤规则为目的(ip/prot) 过滤条件之间可以使用
and/or/not(&&/||/!)进行组合; -
过滤条件示例
- 过滤指定目的mac的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c2 -e ether dst 28:a6:db:b6:46:7e tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:53:49.879219 44:a8:42:44:64:8d > 28:a6:db:b6:46:7e, ethertype IPv4 (0x0800), length 179: 172.16.36.2.44722 > 120.0.11.139.161: GetBulk(121) N=0 M=2 .1.3.6.1.2.1.10.127.1.1.1.1.1 .1.3.6.1.2.1.10.127.1.1.1.1.2 .1.3.6.1.2.1.10.127.1.1.1.1.6 .1.3.6.1.2.1.10.127.1.1.4.1.5 .1.3.6.1.2.1.10.127.1.1.4.1.6 .1.3.6.1.4.1.4491.2.1.20.1.24.1.1 18:53:49.891230 44:a8:42:44:64:8d > 28:a6:db:b6:46:7e, ethertype IPv4 (0x0800), length 66: 172.16.36.2.7799 > 120.0.61.253.12268: Flags [.], ack 651313966, win 716, options [nop,nop,TS val 3950308240 ecr 214005535], length 0 2 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤指定源ip的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 src host 172.16.36.25 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:26:43.685737 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 451414338, win 8208, length 0 18:26:43.727125 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 193, win 8207, length 0 18:26:43.770972 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 385, win 8207, length 0 3 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤ICMP报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:27:52.131020 IP 172.16.36.20 > 172.16.36.2: ICMP echo request, id 6994, seq 1, length 64 18:27:52.131062 IP 172.16.36.2 > 172.16.36.20: ICMP echo reply, id 6994, seq 1, length 64 18:27:53.143968 IP 172.16.36.20 > 172.16.36.2: ICMP echo request, id 6994, seq 2, length 64 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤目的端口号是22的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 dst port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:29:03.971793 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 451421250, win 8207, length 0 18:29:04.015298 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 193, win 8212, length 0 18:29:04.057272 IP 172.16.36.25.1504 > 172.16.36.2.22: Flags [.], ack 385, win 8211, length 0 3 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤指定目的ip且指定源端口号的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 src port 22 and dst host 172.16.36.25 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:31:22.495543 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 451438898:451439138, ack 2828520008, win 160, length 240 18:31:22.495814 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 240:464, ack 1, win 160, length 224 18:31:22.495953 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 464:656, ack 1, win 160, length 192 3 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤指定目的ip1或ip2的报文
[root@centos-36_2 tmp]# tcpdump -nn -i em2 -c2 "dst host 172.16.36.12 or 172.16.36.15" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:34:11.642070 IP 172.16.36.2 > 172.16.36.15: ICMP echo request, id 12190, seq 1, length 64 18:34:13.562678 IP 172.16.36.2 > 172.16.36.12: ICMP echo request, id 12193, seq 1, length 64 2 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# tcpdump -nn -i em2 -c3 dst host "172.16.36.12 || 172.16.36.15" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 18:37:50.894034 IP 172.16.36.2 > 172.16.36.15: ICMP echo request, id 12421, seq 1, length 64 18:37:52.073669 IP 172.16.36.2 > 172.16.36.12: ICMP echo request, id 12423, seq 1, length 64 18:37:56.590839 ARP, Request who-has 172.16.36.12 tell 172.16.36.3, length 46 3 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# -
tcpdump特殊过滤条件
proto [expr:size]- proto:指定协议(ether/ip/arp/tcp/udp/icmp/ipv6);
- expr:为数值时表示与指定的协议头开始处的字节偏移量;也可以是一个表达式;
- size:是可选的,expr为数值时,size表示从字节偏移量开始取的字节数量;
length- greater: 过滤长度大于n的报文
- less: 过滤长度小于n的报文
-
特殊过滤条件示例
- 过滤广播或组播mac报文
[root@centos-36_2 tmp]# tcpdump -i em1 -nn -c 2 -e ether broadcast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes 11:37:59.654385 14:18:77:33:97:d6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.166.160.1 tell 192.166.160.22, length 46 11:37:59.667181 80:f6:2e:11:3b:13 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.166.160.2 tell 192.166.160.12, length 46 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# tcpdump -i em1 -nn -c 2 -e ether multicast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes 11:38:18.565275 14:18:77:33:97:d6 > 33:33:00:01:00:03, ethertype IPv6 (0x86dd), length 84: fe80::ac98:797:791a:ae9b.64558 > ff02::1:3.5355: UDP, length 22 11:38:18.565292 14:18:77:33:97:d6 > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 64: 192.166.160.22.65051 > 224.0.0.252.5355: UDP, length 22 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤广播或组播ip报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ip broadcast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 11:39:50.102639 IP 172.16.36.34.481 > 255.255.255.255.748: UDP, length 86 11:39:50.102735 IP 172.16.36.34.481 > 255.255.255.255.748: UDP, length 80 2 packets captured 4 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]# [root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ip multicast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 11:39:59.399929 IP 172.16.36.62 > 224.0.0.18: VRRPv2, Advertisement, vrid 234, prio 200, authtype simple, intvl 1s, length 20 11:40:00.143633 IP 172.16.36.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 123, prio 200, authtype simple, intvl 1s, length 20 2 packets captured 12 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤IP头中total-length大于200的报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 "ip[2:2]>200" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 11:47:02.455478 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 451771858:451772098, ack 2828654792, win 165, length 240 11:47:02.455758 IP 172.16.36.2.22 > 172.16.36.25.1504: Flags [P.], seq 240:464, ack 1, win 165, length 224 2 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 过滤TCP且规定长度的报文
[root@OpenWrtEXT:my_script]#tcpdump -i eth0 -s 0 tcp and greater 83 -c 2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:33:32.987707 IP 172.16.36.217.8190 > 120.2.2.100.42828: Flags [P.], seq 1601883578:1601883596, ack 1366637051, win 1142, options [nop,nop,TS val 115460908 ecr 1430406092], length 18 19:33:34.333856 IP 172.16.36.215.8190 > 120.2.2.100.41168: Flags [P.], seq 18:36, ack 15, win 1143, options [nop,nop,TS val 115460969 ecr 4124341605], length 18 2 packets captured 8 packets received by filter 0 packets dropped by kernel [root@OpenWrtEXT:my_script]# [root@OpenWrtEXT:my_script]#tcpdump -i eth0 -s 0 tcp and less 83 -c 5 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:33:45.686332 IP 172.16.36.20.59870 > 172.16.36.25.6069: Flags [S], seq 2418787523, win 64240, options [mss 1460,sackOK,TS val 1145549881 ecr 0,nop,wscale 8], length 0 19:33:45.686339 IP 172.16.36.25.6069 > 172.16.36.20.59870: Flags [R.], seq 0, ack 2418787524, win 0, length 0 2 packets captured 11 packets received by filter 0 packets dropped by kernel [root@OpenWrtEXT:my_script]#- 根据ip protocol字段过滤IGMP报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ip[9:1]=2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 13:58:35.993945 IP 172.16.36.24 > 224.0.0.1: igmp query v3 13:58:36.152321 IP 172.16.36.63 > 239.255.255.250: igmp v2 report 239.255.255.250 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 根据ether type字段过滤ARP报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 ether[12:2]=2054 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 14:01:40.746018 ARP, Request who-has 172.16.36.156 tell 172.16.36.1, length 46 14:01:40.746484 ARP, Request who-has 172.16.36.157 tell 172.16.36.1, length 46 2 packets captured 3 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#- 根据IGMP type字段过滤report报文
[root@centos-36_2 tmp]# tcpdump -i em2 -nn -c 2 igmp[0:1]=22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes 14:03:45.951527 IP 172.16.36.62 > 224.0.0.251: igmp v2 report 224.0.0.251 14:03:50.144141 IP 172.16.36.25 > 239.255.255.250: igmp v2 report 239.255.255.250 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos-36_2 tmp]#
标签:centos,--,Tcpdump,packets,36,172.16,root,tcpdump,抓包 来源: https://blog.csdn.net/weixin_45876097/article/details/120378389
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。