linux's docs

18.1.0: 网络抓包-抓包工具


1. 命令:tcpdump

作用:转储网络里传输的内容

man page description tcpdump - dump traffic on a network

安装:yum install tcpdump -y
语法: tcpdump [参数 [参数内容] ] [协议] and [host host address] and [port port number]

详细语法: man page description
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]

参数:

  • -nn 把host、protocol、port等保留数字格式
  • -i 指定监听对象(tcpdump -i eth0)默认监听eth0
  • -c 指定抓包个数
  • -w 把包数据保存到文件,后缀为cap,文件为二进制,和重定向(只是包数据流向等信息)不同
  • -r 看保存下的数据包流向等信息,和-w是对应的
  • -s 0 抓取数据包时默认抓取长度为68字节,加上此参数时抓完整包,无限制

用法举例:

# -w参数转储包信息到文件
tcpdump -nn -c 10 -w /tmp/tcpdump1.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10 packets captured
11 packets received by filter
0 packets dropped by kernel


# -r参数分析转储文件
tcpdump -r /tmp/tcpdump1.cap |head -2
reading from file /tmp/tcpdump1.cap, link-type EN10MB (Ethernet)
16:13:38.113868 IP 192.168.0.3.22 > 192.168.0.28.56918: Flags [P.], seq 3436852828:3436852972, ack 1010809782, win 543, length 144
16:13:38.163777 IP 192.168.0.28.56918 > 192.168.0.3.22: Flags [.], ack 144, win 253, length 0


# -nn参数保留host、port等为数字格式
tcpdump  -c 10 -r /tmp/tcpdump1.cap |head -2
reading from file /tmp/tcpdump1.cap, link-type EN10MB (Ethernet)
16:13:38.113868 IP web01.gateway.2wire.net.ssh > Essence-PC.gateway.2wire.net.56918: Flags [P.], seq 3436852828:3436852972, ack 1010809782, win 543, length 144
16:13:38.163777 IP Essence-PC.gateway.2wire.net.56918 > web01.gateway.2wire.net.ssh: Flags [.], ack 144, win 253, length 0
#和上面一样的命令,只是去掉了-nn参数,ip和端口都变成了name

2. 命令:tshark(wireshark)-非重点

作用:也是一个抓包工具
安装:yum install -y wireshark 参数:

  • -c 次数 - 采集次数,不代表采集到的包个数
  • -i interface - 指定网卡
  • -w outfile - 把结果输出到文件
  • -r infile - 读取已采集到的文件
  • -n - 禁用网络对象名称的解析,例如(hostname,tcp and udp port),-N会覆盖此参数
  • -N 解析标识符
    • m - 启用MAC地址解析
    • n - 启用网络地址解析
    • t - 启用transport-layer端口号解析
    • C - 启用DNS解析
  • -t 抓包时间标识符"
    • ad - 包被抓到的绝对时间+日期
    • a - 包被抓到的绝对时间
    • r - (默认)与抓到的第一个包的相对时间
    • d - 与前一个包的相对时间
    • dd - 与前一个displayed包的相对时间
    • e - 从新纪元epoch(Jan 1, 1970 00:00:00)到包被抓到时的秒数间隔
  • -T pdml|psml|ps|text|fields

    • pdml - packet details markup language, xml based format for the details of a decoded packet

    • psml - packet summary markup language, xml based format for the summary information of a decoded packet

    • ps - postscript for a human-readable one-line summary of each of the packets

    • text - text of a human-readable one-line summary of each of the packets

    • fields - 用-e来指定显示的字段内容,-E来指定字段格式

  • -R <read (display) filter>

用法示例:

# -c参数指定的是read的行数,而不是capture的包数
tshark -c 10 -n -t a -R http.request -T fields -E separator=, -E quote=d -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
"May 18, 2016 09:18:25.633553619","10.10.180.5","239.255.255.250:1900","M-SEARCH","*"
1 packet captured

# 采集100个raw包信息到文件中
tshark -c 100 -w somepackages.cap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
100

# 用固定的格式来从上面的文件中读取10个包
tshark -c 10 -n -t a -T fields -E separator=, -E quote=d -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri" -r somepackages.cap
Running as user "root" and group "root". This could be dangerous.
"May 18, 2016 09:45:58.079852738","10.10.180.24",,,
"May 18, 2016 09:45:58.104581732","10.10.180.13",,,
"May 18, 2016 09:45:58.129686402","10.10.180.13",,,
"May 18, 2016 09:45:58.130439508","10.10.190.15",,,
"May 18, 2016 09:45:58.579824205","10.10.180.24",,,
"May 18, 2016 09:45:58.580003235","10.10.180.17",,,
"May 18, 2016 09:45:58.630626790","10.10.180.13",,,
"May 18, 2016 09:45:58.745632745","10.10.180.13",,,
"May 18, 2016 09:45:58.756622638","61.14.162.1",,,
"May 18, 2016 09:45:58.766094659","10.10.180.13",,,
# 不指定格式读取
tshark -c 10 -n -t a -r someP.cap
Running as user "root" and group "root". This could be dangerous.
  1 09:51:00.205546368  10.10.180.1 -> 224.0.0.5    OSPF 90 Hello Packet
  2 09:51:00.246736322 10.10.190.15 -> 10.10.180.13 TCP 60 60034 > 57345 [ACK] Seq=1 Ack=1 Win=16217 Len=1
  3 09:51:00.246753472 10.10.180.13 -> 10.10.190.15 TCP 66 57345 > 60034 [ACK] Seq=1 Ack=2 Win=251 Len=0 SLE=1 SRE=2
  4 09:51:00.267028716 10.10.180.24 -> 228.0.0.5    UDP 119 Source port: 45565  Destination port: 45565
  5 09:51:00.313430399 10.10.250.13 -> 10.10.180.13 TCP 60 55919 > 54573 [ACK] Seq=1 Ack=1 Win=256 Len=1
  6 09:51:00.313437636 10.10.180.13 -> 10.10.250.13 TCP 66 54573 > 55919 [ACK] Seq=1 Ack=2 Win=255 Len=0 SLE=1 SRE=2
  7 09:51:00.764243574 10.10.180.13 -> 61.14.162.1  ICMP 74 Echo (ping) request  id=0x0003, seq=59440/12520, ttl=64
  8 09:51:00.765282788 10.10.180.17 -> 10.10.180.13 SSH 118 Encrypted response packet len=64
  9 09:51:00.767178227 10.10.180.24 -> 228.0.0.5    UDP 119 Source port: 45565  Destination port: 45565
 10 09:51:00.773431609  61.14.162.1 -> 10.10.180.13 ICMP 74 Echo (ping) reply    id=0x0003, seq=59440/12520, ttl=247


# 发现读取到的很多字段是空,若我们按读取的格式来写入文件,然后在读取
# 试验后发现结果跟上面是一样的,以后研究,非重点

只讲了这一个用法:
tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
可抓出时间,来源ip,做了哪些请求(head、get和post)

Contents