在Linux命令行中使用tcpdump「超详细」

灵活，强大的命令行工具有助于减轻网络问题排查的痛苦。

根据我作为系统管理员的经验，我经常发现网络连接问题难以排除故障。 对于那些情况，tcpdump是一个伟大的朋友。

Tcpdump是一个命令行实用程序，允许捕获和分析通过系统的网络流量。它通常用于帮助解决网络问题，以及安全工具。

tcpdump是一个功能强大且功能多样的工具，包含许多选项和过滤器，可用于各种情况。 由于它是一个命令行工具，因此最好在远程服务器或GUI不可用的设备上运行，以收集以后可以分析的数据。 它也可以在后台启动，也可以使用cron等工具作为预定作业启动。

在本文中，我们将介绍一些tcpdump最常见的功能。

1.在Linux上安装

Tcpdump包含在几个Linux发行版中，所以很可能已经安装了它。使用以下命令检查系统上是否安装了tcpdump：

$ which tcpdump

/usr/sbin/tcpdump

如果未安装tcpdump，则可以使用分发包管理器安装它。例如，在CentOS或Red Hat Enterprise Linux上，如下所示：

$ sudo yum install -y tcpdump

Tcpdump需要libpcap，这是一个用于网络数据包捕获的库。如果未安装，它将自动添加为依赖项。

现在准备开始抓取数据包。

2.使用tcpdump抓取数据包

要抓取数据包以进行故障排除或分析，tcpdump需要提升权限，因此在以下示例中，大多数命令都以sudo为前缀。

首先，使用命令tcpdump -D查看哪些接口可用于捕获：

$ sudo tcpdump -D

1.eth0

2.virbr0

3.eth1

4.any (Pseudo-device that captures on all interfaces)

5.lo [Loopback]

在上面的示例中，可以看到计算机中可用的所有接口。特殊接口any允许在任何活动界面中捕获。

让我们来开始捕获一些数据包。通过运行此命令捕获任何接口中的所有数据包：

$ sudo tcpdump -i any

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196

09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0

09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)

09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)

09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)

09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)

09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)

09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388

09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0

09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)

09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)

09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)

09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060

---- SKIPPING LONG OUTPUT -----

09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0

^C

9003 packets captured

9010 packets received by filter

7 packets dropped by kernel

$

Tcpdump继续捕获数据包，直到收到中断信号。可以按Ctrl + C中断捕获。正如在此示例中所看到的，tcpdump捕获了超过9,000个数据包。在这种情况下，由于我使用ssh连接到此服务器，tcpdump捕获了所有这些包。要限制捕获的数据包数并停止tcpdump，请使用-c选项：

$ sudo tcpdump -i any -c 5

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196

11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0

11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)

11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)

11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)

5 packets captured

12 packets received by filter

0 packets dropped by kernel

$

在这种情况下，tcpdump在捕获五个数据包后自动停止捕获。这在不同的场景中很有用，例如，如果正在排除连接并捕获一些初始包就足够了。当我们应用过滤器捕获特定数据包时，这甚至更有用（如下所示）。

默认情况下，tcpdump将IP地址和端口解析为名称，如上例所示。在排除网络问题时，通常更容易使用IP地址和端口号；使用选项-n和端口解析与-nn禁用名称解析：

$ sudo tcpdump -i any -c5 -nn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196

23:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0

23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372

23:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0

23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340

5 packets captured

6 packets received by filter

0 packets dropped by kernel

如上所示，捕获输出现在显示IP地址和端口号。这还可以防止tcpdump发出DNS查找，这有助于在排除网络问题时降低网络流量。

现在已经能够捕获网络数据包了，让我们来探索一下这些输出意味着什么。

3.了解输出格式

Tcpdump能够捕获和解码许多不同的协议，例如TCP，UDP，ICMP等等。虽然我们不能在这里介绍所有这些，但为了帮助入门，让我们探索TCP数据包。可以在tcpdump的手册页中找到有关不同协议格式的更多详细信息。tcpdump捕获的典型TCP数据包如下所示：

08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372

字段可能会根据发送的数据包类型而有所不同，但这是一般格式。

第一个字段08：41：13.729687表示根据本地时钟接收的数据包的时间戳。

接下来，IP表示网络层协议 - 在这种情况下是IPv4。对于IPv6数据包，值为IP6。

下一个字段192.168.64.28.22是源IP地址和端口。接下来是目标IP地址和端口，由192.168.64.1.41916表示。

在源和目标之后，可以找到TCP 标记 [P.]。 该字段的典型值包括：

值标记类型描述SSYN连接开始FFIN连接结束PPUSH数据 pushRRST连接重置.ACK确认

该字段也可以是这些值的组合，例如用于SYN-ACK分组的[S.]。

接下来是数据包中包含的数据的序列号。对于捕获的第一个数据包，这是一个绝对数字。后续数据包使用相对数字，以便更容易遵循。在该示例中，序列是seq 196：568，这意味着该分组包含该流的字节196到568。

接下来是Ack编号：ack 1.在这种情况下，它是1，因为这是发送数据的一方。对于接收数据的一方，该字段表示该流上的下一个预期字节（数据）。例如，此流程中下一个数据包的Ack编号为568。

下一个字段是窗口大小win 309，它表示接收缓冲区中可用的字节数，后跟TCP选项，例如MSS（最大段大小）或窗口比例。有关TCP协议选项的详细信息，请参阅传输控制协议（TCP）参数。

最后，我们有数据包长度，长度372，它表示有效载荷数据的长度（以字节为单位）。长度是序列号中最后一个字节和第一个字节之间的差值。

现在让我们学习如何过滤包以缩小结果范围，并更轻松地解决特定问题。

4.过滤数据包

如上所述，tcpdump可以捕获太多的软件包，其中一些甚至与正在排除故障的问题无关。 例如，如果正在解决与Web服务器的连接问题，那么对SSH流量不感兴趣，因此从输出中删除SSH数据包可以更轻松地处理真正的问题。

tcpdump最强大的功能之一是它能够使用各种参数过滤捕获的数据包，例如源和目标IP地址，端口，协议等。让我们看看一些最常见的参数。

协议

要根据协议过滤数据包，请在命令行中指定协议。例如，仅使用以下命令捕获ICMP数据包：

$ sudo tcpdump -i any -c5 icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

在另一个终端中，尝试ping另一台机器：

$ ping opensource.com

PING opensource.com (54.204.39.132) 56(84) bytes of data.

64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms

回到tcpdump捕获，请注意tcpdump仅捕获并显示与ICMP相关的数据包。在这种情况下，tcpdump不显示解析名称opensource.com时生成的名称解析数据包：

09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64

09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64

09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64

09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64

09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64

5 packets captured

5 packets received by filter

0 packets dropped by kernel

主机

使用主机过滤器将捕获限制为仅限与特定主机相关的数据包：

$ sudo tcpdump -i any -c5 -nn host 54.204.39.132

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0

09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0

09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0

09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1

09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

在此示例中，tcpdump仅捕获并显示与主机54.204.39.132之间的数据包。

端口

要根据所需的服务或端口过滤数据包，请使用端口过滤器。例如，使用以下命令捕获与Web（HTTP）服务相关的数据包：

$ sudo tcpdump -i any -c5 -nn port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0

09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0

09:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0

09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1

09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

追踪IP/主机名

还可以根据源或目标IP地址或主机名过滤数据包。例如，要从主机192.168.122.98捕获数据包：

$ sudo tcpdump -i any -c5 -nn src 192.168.122.98

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)

10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)

10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0

10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0

10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1

5 packets captured

5 packets received by filter

0 packets dropped by kernel

请注意，tcpdumps捕获了源IP地址为192.168.122.98的数据包，用于多种服务，例如名称解析（端口53）和HTTP（端口80）。由于源IP不同，因此不显示响应数据包。

相反，可以使用dst过滤器按目标IP /主机名进行过滤：

$ sudo tcpdump -i any -c5 -nn dst 192.168.122.98

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)

10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)

10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0

10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0

10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found

5 packets captured

5 packets received by filter

0 packets dropped by kernel

复杂过滤

还可以使用逻辑运算符组合过滤器，或者创建更复杂的表达式。例如，要从源IP地址192.168.122.98和仅HTTP服务过滤数据包，请使用以下命令：

$ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0

10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0

10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1

10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0

10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

可以通过使用括号对过滤器进行分组来创建更复杂的表达式。在这种情况下，请用引号括起整个过滤器表达式，以防止shell将它们与shell表达式混淆：

$ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0

10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0

10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0

10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1

10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

在此示例中，我们仅过滤HTTP服务（端口80）和源IP地址192.168.122.98或54.204.39.132的数据包。这是检查同一流程两侧的快速方法。

5.检查包内容

在前面的示例中，我们仅检查数据包的标头，以获取源，目标，端口等信息。有时，这就是解决网络连接问题所需的全部内容。但是，有时我们需要检查数据包的内容，以确保我们发送的消息包含我们需要的消息或我们收到的预期响应。 要查看数据包内容，tcpdump提供了两个附加标志：-X以十六进制打印内容，ASCII或-A以ASCII格式打印内容。

例如，检查Web请求的HTTP内容，如下所示：

$ sudo tcpdump -i any -c10 -nn -A port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0

E..<..@.@.....zb6.'....P...@......r............

............................

13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0

E..<..@./..a6.'...zb.P..o..&...A..q a..........

.R.W....... ................

13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0

E..4..@.@.....zb6.'....P...Ao..'...........

.....R.W................

13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1

E.....@.@..1..zb6.'....P...Ao..'...........

.....R.WGET / HTTP/1.1

User-Agent: Wget/1.14 (linux-gnu)

Accept: */*

Host: opensource.com

Connection: Keep-Alive

................

13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0

E..4.F@./.."6.'...zb.P..o..'.......9.2.....

.R.a....................

13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found

E....G@./...6.'...zb.P..o..'.......9.......

.R.b....HTTP/1.1 302 Found

Server: nginx

Date: Sun, 23 Sep 2018 17:02:14 GMT

Content-Type: text/html; charset=iso-8859-1

Content-Length: 207

X-Content-Type-Options: nosniff

Location: https://opensource.com/

Cache-Control: max-age=1209600

Expires: Sun, 07 Oct 2018 17:02:14 GMT

X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d

X-Varnish: 632951979

Age: 0

Via: 1.1 varnish (Varnish/5.2)

X-Cache: MISS

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>302 Found</title>

</head><body>

<h1>Found</h1>

<p>The document has moved <a href="https://opensource.com/">here</a>.</p>

</body></html>

................

13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0

E..4..@.@.....zb6.'....P....o..............

.....R.b................

13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0

E..4..@.@.....zb6.'....P....o..............

.....R.b................

13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0

E..4.H@./.. 6.'...zb.P..o..........9.I.....

.R......................

13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0

E..4..@.@.....zb6.'....P....o..............

.....R..................

10 packets captured

10 packets received by filter

0 packets dropped by kernel

这有助于解决API调用问题，假设调用使用普通HTTP。对于加密连接，此输出不太有用。

6.将捕获保存到文件

tcpdump提供的另一个有用功能是能够将捕获保存到文件中，以便稍后分析结果。例如，这允许你在批处理模式下捕获数据包，并在早上验证结果。当有太多数据包需要分析时，它也会有所帮助，因为实时捕获可能发生得太快。

要将数据包保存到文件而不是在屏幕上显示，请使用选项-w：

$ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80

[sudo] password for ricardo:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10 packets captured

10 packets received by filter

0 packets dropped by kernel

此命令将输出保存在名为webserver.pcap的文件中。.pcap扩展名代表“数据包捕获”，是此文件格式的约定。

如此示例所示，屏幕上不会显示任何内容，并且根据选项-c10捕获10个数据包后捕获完成。 如果需要一些反馈以确保捕获数据包，请使用选项-v。

Tcpdump以二进制格式创建文件，因此不能简单地使用文本编辑器打开它。要读取文件的内容，请使用-r选项执行tcpdump：

$ tcpdump -nn -r webserver.pcap

reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0

13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0

13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1

13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0

13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0

13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0

$

由于不再直接从网络接口捕获数据包，因此不需要sudo来读取该文件。

还可以使用我们讨论过的任何过滤器来过滤文件中的内容，就像使用实时数据一样。 例如，通过执行以下命令从源IP地址54.204.39.132检查捕获文件中的数据包：

$ tcpdump -nn -r webserver.pcap src 54.204.39.132

reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

下一步是什么？

tcpdump的这些基本功能将帮助你开始使用这个功能强大的多功能工具。要了解更多信息，请参阅tcpdump网站和手册页。

tcpdump命令行界面为捕获和分析网络流量提供了极大的灵活性。如果你需要图形工具来了解更复杂的流程，请查看Wireshark。

Wireshark的一个好处是它可以读取tcpdump捕获的.pcap文件。 可以使用tcpdump在没有GUI的远程计算机中捕获数据包，并使用Wireshark分析结果文件，但这是另一个主题。

原文链接：

https://opensource.com/article/18/10/introduction-tcpdump