tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -Z user ]
[ expression ]
-w file: write the captured packets to file
-r file: read packets from file instead of the network and analyse them
expression: only packets matching this filter expression are processed by tcpdump
-F file: read the filter expression from file, overriding any expression given on the command line
-c count: unless interrupted, tcpdump stops only after capturing count packets
-A: print each packet in ASCII
-D: list the interfaces available for capture
$ sudo /usr/sbin/tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
-i interface: only capture on the given interface; any means all interfaces; the default is the first interface listed by -D
-e: print the link-layer header
-n: do not convert IP addresses to hostnames
-nn: additionally do not convert port numbers to service names, e.g. port 80 to http
-S: print absolute rather than relative TCP sequence numbers
-s snaplen: capture only the first snaplen bytes of each packet; the default is enough for IP, ICMP, TCP and UDP headers.
Setting it too large increases processing time and may raise the packet drop rate; 0 means
capture the whole packet
-v, -vv, -vvv: print full protocol headers; more v's print more detail
proto: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, udp.
dir: src, dst, src or dst, src and dst
type: host, net, port, portrange
connectives: and (&&), or (||), not (!), comparison operators
expression = proto dir type argument + [connective proto dir type argument]
Two examples:
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
tcpdump 'gateway snup and ip[2:2] > 576'
tcpdump -l > dat & tail -f dat
Continuously write the output to file dat (line-buffered via -l) and follow it with tail
$ sudo /usr/sbin/tcpdump -i any -c 100 'tcp port 60530' -nn
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
16:19:00.561084 IP 127.0.0.1.49488 > 127.0.0.1.60530: S 89286447:89286447(0) win 32792 <mss 16396,sackOK,timestamp 1427326292 0,nop,wscale 7>
16:19:00.561103 IP 127.0.0.1.60530 > 127.0.0.1.49488: S 335804188:335804188(0) ack 89286448 win 32768 <mss 16396,sackOK,timestamp 1427326292 1427326292,nop,wscale 7>
16:19:00.561114 IP 127.0.0.1.49488 > 127.0.0.1.60530: . ack 1 win 257 <nop,nop,timestamp 1427326292 1427326292>
Three-way handshake complete
16:19:00.561312 IP 127.0.0.1.49488 > 127.0.0.1.60530: P 1:4025(4024) ack 1 win 257 <nop,nop,timestamp 1427326292 1427326292>
16:19:00.561320 IP 127.0.0.1.60530 > 127.0.0.1.49488: . ack 4025 win 386 <nop,nop,timestamp 1427326292 1427326292>
16:19:04.691569 IP 127.0.0.1.60530 > 127.0.0.1.49488: P 1:6(5) ack 4025 win 386 <nop,nop,timestamp 1427330423 1427326292>
The four-way teardown begins, but here the connection was closed unexpectedly and a reset packet is sent,
so the teardown takes only three packets and the TIME_WAIT state is never entered; this is also one way to avoid TIME_WAIT.
16:19:04.691591 IP 127.0.0.1.60530 > 127.0.0.1.49488: R 6:6(0) ack 4025 win 386 <nop,nop,timestamp 1427330423 1427326292>
16:19:04.692180 IP 127.0.0.1.49488 > 127.0.0.1.60530: . ack 6 win 257 <nop,nop,timestamp 1427330423 1427330423>
16:19:04.692199 IP 127.0.0.1.60530 > 127.0.0.1.49488: R 335804194:335804194(0) win 0
^C
9 packets captured
18 packets received by filter
0 packets dropped by kernel
Situations that cause an abnormal close include:
1. the application calls close before it has read all the data in the TCP receive buffer
2. an error occurs during reading or writing, for example an invalid memory access
$ sudo /usr/sbin/tcpdump -i any -c 100 'tcp port 60530' -nn
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:25:48.571911 IP 127.0.0.1.49525 > 127.0.0.1.60530: S 2056888219:2056888219(0) win 32792 <mss 16396,sackOK,timestamp 1449334303 0,nop,wscale 7>
22:25:48.571929 IP 127.0.0.1.60530 > 127.0.0.1.49525: S 2331439954:2331439954(0) ack 2056888220 win 32768 <mss 16396,sackOK,timestamp 1449334303 1449334303,nop,wscale 7>
22:25:48.571941 IP 127.0.0.1.49525 > 127.0.0.1.60530: . ack 1 win 257 <nop,nop,timestamp 1449334303 1449334303>
Three-way handshake complete
22:25:48.572145 IP 127.0.0.1.49525 > 127.0.0.1.60530: P 1:4025(4024) ack 1 win 257 <nop,nop,timestamp 1449334303 1449334303>
22:25:48.572153 IP 127.0.0.1.60530 > 127.0.0.1.49525: . ack 4025 win 386 <nop,nop,timestamp 1449334303 1449334303>
22:25:52.408552 IP 127.0.0.1.60530 > 127.0.0.1.49525: P 1:6(5) ack 4025 win 386 <nop,nop,timestamp 1449338140 1449334303>
Four-way teardown begins
22:25:52.408583 IP 127.0.0.1.60530 > 127.0.0.1.49525: F 6:6(0) ack 4025 win 386 <nop,nop,timestamp 1449338140 1449334303>
22:25:52.408654 IP 127.0.0.1.49525 > 127.0.0.1.60530: . ack 6 win 257 <nop,nop,timestamp 1449338140 1449338140>
22:25:52.408894 IP 127.0.0.1.49525 > 127.0.0.1.60530: F 4025:4025(0) ack 7 win 257 <nop,nop,timestamp 1449338140 1449338140>
22:25:52.408903 IP 127.0.0.1.60530 > 127.0.0.1.49525: . ack 4026 win 386 <nop,nop,timestamp 1449338140 1449338140>
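To tell the abnormal RST close in the first capture apart from the orderly FIN close in the second without reading every line, the classic tcpdump flag column can be summarised per connection. This is an added example, not part of the original notes; it assumes the old single-letter flag format (S . P F R) shown above and uses key packets from those two captures as constructed sample input.

```shell
# Added example: summarise how each TCP connection in legacy "tcpdump -nn"
# output was torn down, so an RST close stands out from a FIN close.
# Assumes the single-letter flag column (S . P F R) used in the traces above.

classify_tcp_closes() {
    awk '
    # Direction-independent connection key: lexically smaller endpoint first.
    function conn_key(a, b) { return (a < b) ? (a " " b) : (b " " a) }
    # Packet lines look like: <ts> IP <src> > <dst>: <flags> <seq> [ack <n>] win ...
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $6; k = conn_key(src, dst); seen[k] = 1
        if (flags ~ /S/) { if ($8 == "ack") synack[k] = 1; else syn[k] = 1 }
        if (flags ~ /F/) fin[k]++
        if (flags ~ /R/) rst[k]++
    }
    END {
        for (k in seen) {
            hs = (syn[k] && synack[k]) ? "yes" : "no"
            if (rst[k] > 0)       cl = "rst"         # abnormal close, no TIME_WAIT
            else if (fin[k] >= 2) cl = "fin"         # orderly teardown, both FINs seen
            else if (fin[k] == 1) cl = "half-closed" # only one side has sent FIN
            else                  cl = "none"
            print k " handshake=" hs " close=" cl
        }
    }' | sort
}

# Constructed sample: key packets from the two captures above, plus one
# tcpdump status line to show that non-packet lines are ignored.
SAMPLE_TRACE='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
16:19:00.561084 IP 127.0.0.1.49488 > 127.0.0.1.60530: S 89286447:89286447(0) win 32792 <mss 16396,sackOK>
16:19:00.561103 IP 127.0.0.1.60530 > 127.0.0.1.49488: S 335804188:335804188(0) ack 89286448 win 32768 <mss 16396,sackOK>
16:19:00.561114 IP 127.0.0.1.49488 > 127.0.0.1.60530: . ack 1 win 257 <nop,nop,timestamp 1427326292 1427326292>
16:19:04.691591 IP 127.0.0.1.60530 > 127.0.0.1.49488: R 6:6(0) ack 4025 win 386 <nop,nop,timestamp 1427330423 1427326292>
16:19:04.692199 IP 127.0.0.1.60530 > 127.0.0.1.49488: R 335804194:335804194(0) win 0
22:25:48.571911 IP 127.0.0.1.49525 > 127.0.0.1.60530: S 2056888219:2056888219(0) win 32792 <mss 16396,sackOK>
22:25:48.571929 IP 127.0.0.1.60530 > 127.0.0.1.49525: S 2331439954:2331439954(0) ack 2056888220 win 32768 <mss 16396,sackOK>
22:25:48.571941 IP 127.0.0.1.49525 > 127.0.0.1.60530: . ack 1 win 257 <nop,nop,timestamp 1449334303 1449334303>
22:25:52.408583 IP 127.0.0.1.60530 > 127.0.0.1.49525: F 6:6(0) ack 4025 win 386 <nop,nop,timestamp 1449338140 1449334303>
22:25:52.408654 IP 127.0.0.1.49525 > 127.0.0.1.60530: . ack 6 win 257 <nop,nop,timestamp 1449338140 1449338140>
22:25:52.408894 IP 127.0.0.1.49525 > 127.0.0.1.60530: F 4025:4025(0) ack 7 win 257 <nop,nop,timestamp 1449338140 1449338140>
22:25:52.408903 IP 127.0.0.1.60530 > 127.0.0.1.49525: . ack 4026 win 386 <nop,nop,timestamp 1449338140 1449338140>'

printf '%s\n' "$SAMPLE_TRACE" | classify_tcp_closes
```

A live capture can be fed the same way, e.g. `tcpdump -nn -l 'tcp port 60530' | classify_tcp_closes` after the capture is interrupted; connections reported as close=rst are the candidates for the abnormal-close causes listed above.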
See the tcpdump documentation for details