
tcpdump notes

Preface

These notes were written after reading through the tcpdump documentation.

The commands in these notes were tested on the following platform:

# macOS Big Sur
# tcpdump:
sh-# tcpdump --version
tcpdump version tcpdump version  -- Apple version 
libpcap version 
LibreSSL 
# Linux and other platforms differ slightly, but most of this is common to all of them

Network protocol documents use the word Octet, sometimes translated as "八位组" (eight-bit group): 1 Octet = 8 bits, the same as today's notion of a byte (B). Most network protocols say Octet rather than byte because, many years ago, a byte did not always equal 8 bits, which is why the convention 1 Octet = 8 bits was adopted. So when the n-th Octet is mentioned, it generally means the n-th byte of a piece of data; whether n counts from 0 or from 1 has to be read from the context.

Many people start writing tcpdump commands off the top of their head and end up with syntax errors. To avoid that, the cases below illustrate a few points to watch:

  1. depending on the situation, tcpdump filter expressions need single or double quotes;
  2. write tcpdump's options and the expression in the order the official documentation specifies;
fh@ ~ % NAME=ok

# single quotes: the string is output literally, without expansion
fh@ ~ % echo 'Hello, $NAME'
Hello, $NAME

# double quotes: variables are expanded first, then output
fh@ ~ % echo "Hello, $NAME"
Hello, ok

# ( ) causes an error
fh@ ~ % echo (ok)
zsh: unknown sort specifier
fh@ ~ % echo ok && demo
ok
zsh: command not found: demo

# wrapping the string in "" or '' avoids the problem
fh@ ~ % echo "ok && demo"
ok && demo
fh@ ~ % echo 'ok && demo'
ok && demo
fh@ ~ % 

tcpdump filter expressions contain characters such as ( ), &&, || and >> that are special to the shell, so the shell has to be kept from interpreting them. In general, wrap the filter expression in '' or "", otherwise you get errors.

# recommended command layout
# options that take no value can be combined; that is allowed
tcpdump FLAG_1 FLAG_2 ... FLAG_k OPTION_1 VALUE_1 OPTION_2 VALUE_2 ... OPTION_n VALUE_n 'expression'

Because of my limited knowledge, parts of tcpdump I am not clear on are marked TODO; I will add examples once I understand them.

SYNOPSIS

NAME
       tcpdump - dump traffic on a network

SYNOPSIS
       tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
               [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ]
               [ -m module ] [ -M secret ]
               [ --number ] [ -Q in|out|inout ]
               [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,...  ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ -Q packet-metadata-filter ] [ -Q in|out|inout ]
               [ --time-stamp-precision=tstamp_precision ]
               [ --immediate-mode ] [ --version ]
               [ expression ]

Options

  • -A
# -A: print each packet in ASCII (without its link-layer header); commonly used to capture web page data
sh-# tcpdump -A -c 1 -i any
:: IP . > .domain: + A? oth.eve.mdt.qq.com. ()
...f.n.._.....E..@....@.\....l.......5.,.d.............oth.eve.mdt.qq.com.....
  • -b
# -b: print AS numbers in BGP packets in ASDOT notation rather than ASPLAIN notation
sh-# tcpdump -b -i any
  • -B buffer_size
# -B buffer_size: set the operating system's capture buffer size, unit: KB
# -c count: exit after receiving or displaying count packets
# -i any: listen on all network interfaces
# -w file: save the captured packets to a.pcap, which can be opened in Wireshark
sh-# tcpdump -B  -c 3 -i any -w a.pcap
  • -c count or -c skip,count
# -c count: tcpdump exits after capturing count packets
sh-# tcpdump -c 1 -i any 
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: IP . > .: Flags [R.], seq , ack , win , length  packet captured
 packets received by filter
0 packets dropped by kernel
sh-# 
# -c skip,count: second form of -c: ignore the first skip packets, then capture count packets and stop
# skip before the comma is required; count after the comma is optional
sh-# tcpdump -c 5,3 -i any

# a comma with no count value means: ignore the first 5 packets, then keep capturing without exiting
sh-# tcpdump -c 5, -i any
  • -C file_size
# -C file_size: before writing a raw packet to the savefile, check whether the file is larger than file_size (unit: 1,000,000 B);
# -w file: the savefile
# if it exceeds file_size, close the file and create a new one to continue writing
# the new file name is "file" + "idx", with idx starting at 1
sh-# tcpdump -C 5 -i any -w f.pcap

# note: file_size is an approximate value, not an exact one
# the file names are: file file1 file2 file3 ... filen
sh-# ls -lr
-rw-r--r--  1 root  wheel    5  : f.pcap7
-rw-r--r--  1 root  wheel    5  : f.pcap6
-rw-r--r--  1 root  wheel    5  : f.pcap5
-rw-r--r--  1 root  wheel    5  : f.pcap4
-rw-r--r--  1 root  wheel    5  : f.pcap3
-rw-r--r--  1 root  wheel    5  : f.pcap2
-rw-r--r--  1 root  wheel    5  : f.pcap1
-rw-r--r--  1 root  wheel    5  : f.pcap
sh-#
  • -d ~ -ddd
# -d: dump the compiled packet-matching code in a human-readable form to standard output
sh-# tcpdump -d
tcpdump: data link type PKTAP
() ret      #

# -dd: dump the packet-matching code as a C program fragment
sh-# tcpdump -dd
tcpdump: data link type PKTAP
{ 0x6, 0, 0, 0x00040000 },

# -ddd: dump the packet-matching code as decimal numbers (preceded by a count)
sh-# tcpdump -ddd
tcpdump: data link type PKTAP
 
  • -D
# -D: print the list of network interfaces on the system on which tcpdump can capture packets
# each interface has a number and a name, and possibly a description of the interface
# the number or the name can be given after -i to select the interface to capture on
# this option exists because Windows, and systems lacking an ifconfig -a command, do not otherwise list this information
# the number is especially useful on newer Windows systems, where interface names are long, complex strings
# if the libpcap that tcpdump depends on lacks pcap_findalldevs(), this option does not work
fh@Feihu-3 ~ % tcpdump -D
1.en0 [Up, Running]
2.awdl0 [Up, Running]
3.llw0 [Up, Running]
4.utun0 [Up, Running]
5.ap1 [Up, Running]
6.utun1 [Up, Running]
7.lo0 [Up, Running, Loopback]
8.bridge0 [Up, Running]
9.en1 [Up, Running]
.en2 [Up, Running]
.en3 [Up, Running]
.en4 [Up, Running]
.gif0 [none]
.stf0 [none]
  • -e
# -e: print the link-level header on each line.
# for example, the MAC-layer addresses of Ethernet and IEEE-family link layers
# if two devices on a LAN have the same IP address, this lets you tell which device a packet came from
sh-# tcpdump -c 1 -e -i any
:::8f:1d::9a:6e (oui Unknown) > Broadcast, ethertype ARP (0x0806), length : Request who-has  tell , length 

# output without the -e option
sh-# tcpdump -c 1  -i any
:: ARP, Request who-has  tell , length 
  • -E
# -E spi@ipaddr algo:secret: decrypt IPsec ESP packets addressed to ipaddr
# that contain the Security Parameter Index value spi
# the option value may consist of several spi@ipaddr algo:secret entries, separated by commas or newlines
# algo may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none; the default is des-cbc
# decrypting packets is only possible if tcpdump was compiled with cryptography enabled
# secret: the ESP secret key as ASCII text; if it starts with 0x, it is read as a hexadecimal value
# this option assumes RFC 2406 ESP, not RFC 1827 ESP
# this option is for debugging purposes; using it with real secret keys is discouraged
# an IPsec key given on the command line is visible to others via the ps command and in other places
# besides the syntax above, the syntax file name lets tcpdump read the keys from a file; tcpdump opens that file when it sees the first ESP packet,
# so any special privileges tcpdump was granted should already have been dropped by then
[ -E spi@ipaddr algo:secret,...  ]
  • -f
# -f: print "foreign" IPv4 addresses numerically rather than symbolically.

# TODO
sh-# tcpdump -f -i any
:: IP . > broadcasthost.commplex-link: UDP, length :: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .: * 1/0/0 PTR . (:: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .: * 0/0/:: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .: * 1/0/0 PTR . ()

sh-# tcpdump  -i any
:: ARP, Reply  is-at :::7b:: (oui Unknown), length :: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .: * 1/0/0 PTR . (:: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .: * 1/0/0 PTR . ()

  • -F file
# -F file: use file as input for the filter expression; any additional expression given on the command line is ignored.

# the filter expression comes from the file exp; only packets with the given destination port match
sh-# tcpdump -nn -i any -F exp
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: IP . > .: Flags [SEW], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length :: IP . > .: Flags [.], ack , win , length :: IP . > .: Flags [P.], seq 0:, ack 1, win , length : HTTP: GET / HTTP/:: IP . > .: Flags [.], ack , win , length :: IP . > .: Flags [F.], seq , ack , win , length :: IP . > .: Flags [F.], seq , ack , win , options [nop,nop,sack 1 {:}], length :: IP . > .: Flags [.], ack , win , length 0

# send a request directly to baidu
fh@ ~ % curl www.baidu.com

# create a file named exp whose filter selects packets with the given port number
sh-# cat exp
dst port 
  • -g
# -g: for ease of parsing, in verbose mode do not insert a newline after the IP header.

# TODO
sh-# tcpdump -g -vvv -c 3  -i any
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: ARP, Ethernet (len 6), IPv4 (len 4), Request who-has  tell , length :: ARP, Ethernet (len 6), IPv4 (len 4), Reply  is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length :: IP (tos 0x0, ttl , id , offset 0, flags [none], proto UDP (), length . > .domain: [udp sum ok] + PTR? .in-addr.arpa. ()
3 packets captured
8 packets received by filter
0 packets dropped by kernel
sh-# 
  • -G rotate_seconds
# -G rotate_seconds: if both -G and -w are given, rotate the savefile every rotate_seconds seconds;
# the -w file name must then contain time-format specifiers; see man 3 strftime for the format
# if the -w name contains no time format, each rotation overwrites the previous file;
# if -C and -G are both given, the generated file names have the form file followed by a count
sh-# tcpdump -G 3 -i any -w 'fh_%Y-%m-%d_%T.pcap'

# file name: fh_year-month-day_hour:minute:second.pcap
sh-# ls -l
total 
-rw-r--r--  1 root  wheel        5  : fh_2021--03_07::.pcap
-rw-r--r--  1 root  wheel        5  : fh_2021--03_07::.pcap
-rw-r--r--  1 root  wheel        5  : fh_2021--03_07::.pcap
-rw-r--r--  1 root  wheel        5  : fh_2021--03_07::.pcap

# -G, -C and -w combined
sh-# tcpdump -C 1 -G  -i any -w f

# resulting capture file names
sh-# ls -lrt
total 
-rw-r--r--  1 root  wheel    5  : f
-rw-r--r--  1 root  wheel    5  : f1
-rw-r--r--  1 root  wheel    5  : f2
-rw-r--r--  1 root  wheel    5  : f3
-rw-r--r--  1 root  wheel    5  : f4
-rw-r--r--  1 root  wheel    5  : f5
-rw-r--r--  1 root  wheel    5  : f6
  • -H
# -H: attempt to detect 802.11s draft mesh headers
# TODO
  • -i interface
# -i interface: the interface to capture on, given either as an interface name or as a number
# both can be obtained from tcpdump -D
# to capture on all interfaces, use tcpdump -i any
# normally any does not put the interfaces into promiscuous mode, so in some cases you still have to name a specific interface
  • -I
# -I: equivalent to --monitor-mode; currently only supported on IEEE 802.11 Wi-Fi interfaces, and only on some operating systems.
  • --immediate-mode
# TODO
  • -j tstamp_type
# TODO
  • -J
sh-# tcpdump -J
Time stamp types for pktap (use option -j to set):
  host (Host)
  • --time-stamp-precision=tstamp_precision
# --time-stamp-precision: timestamp precision, either micro or nano; the device must support it
sh-# tcpdump -c 3 -i any --time-stamp-precision=micro
:: IP . > .https: Flags [P.], seq :, ack , win , options [nop,nop,TS val  ecr ], length :: IP . > .https: Flags [P.], seq :, ack 1, win , options [nop,nop,TS val  ecr ], length :: IP . > .domain: + PTR? .in-addr.arpa. ()

# capture three packets at nanosecond precision, but the device does not support it
sh-# tcpdump -c 3 -i any --time-stamp-precision=nano
tcpdump: any: Can't set nanosecond time stamp precision: That device doesn't support that time stamp precision
sh-#
  • -k
# -k: control the display of packet metadata; the value after the option selects which metadata types to show
# I: interface name or interface ID
# N: process name
# P: process ID
# S: service class
# D: direction
# C: comment
# C: flags
# U: process UUID
# V: verbose printing of pcap-ng blocks (off by default)
# A: show all metadata types
# apparently not supported on Linux
sh-# tcpdump -l -i any -k INPSDCCUVA | grep 'proc QQMusic'
:: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0

sh-# tcpdump -l  -i any -k A | grep 'proc QQMusic'
:: (en0, proc kernel_task:0:, eproc QQMusic::, svc BE, in, so) IP localhost.http > .: Flags [F.], seq , ack , win , length 0
  • -K
# -K: don't attempt to verify TCP, UDP and IP checksums;
# this is useful for interfaces that perform some or all of the checksum calculation in hardware,
# otherwise all outgoing TCP checksums would be flagged as bad.
sh-# tcpdump -K -i any

  • -l
# -l: line-buffer standard output
sh-# tcpdump -l -i any | tee data
:: IP . > broadcasthost.commplex-link: UDP, length 

sh-# cat data
:: IP . > broadcasthost.commplex-link: UDP, length 

# lets you write to a file and watch the terminal at the same time
# note: on some systems, e.g. a Mac, tcpdump keeps capturing in the background even after the terminal is closed; on others, closing the terminal stops the capture automatically
sh-# tcpdump -l -i any > tmp & tail -f tmp
[1] 	# tcpdump's process ID
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: IP . > .https: Flags [P.], seq :, ack , win , length 
sh-# pidof tcpdump

sh-# cat tmp
:: IP . > .https: Flags [P.], seq :, ack , win , length 
  • -L
# -L: list the known data link types for the interface
sh-# tcpdump -L
Data link types for pktap (use option -y to set):
  PKTAP (Apple DLT_PKTAP)
  RAW (Raw IP)
  • -m module
# TODO
  • -M secret
# -M secret: if a TCP packet carries the TCP-MD5 option (RFC 2385), use the shared secret secret to validate its digest
# TODO
  • -n
# -n: don't convert addresses (IP addresses, port numbers, etc.) to names

# the destination port is shown numerically
sh-# tcpdump -n -i any dst port :: IP . > .: Flags [SEW], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0

# the destination port is shown as http
sh-# tcpdump -i any dst port :: IP . > .http: Flags [SEW], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0

  • -N
# -N: don't print the domain-name part of host names, e.g. 'nic.ddd.mil' is printed as 'nic'
  • --number
# --number: print an optional packet number at the beginning of each line
# TODO, no use found for it yet
  • -O
# -O: don't run the packet-matching code optimizer
sh-# tcpdump -O -i any
  • -P
# -P: use the pcap-ng file format for savefiles.
  • -p
# -p: don't put the interface into promiscuous mode
# TODO, no use case found yet
  • -Q expression
# filter the capture by process
# may not be supported on Linux
# capture the network packets of QQMusic
sh-# tcpdump -l -k A -i any -Q "pid=`pidof QQMusic`"
:: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [F.], seq , ack , win , options [nop,nop,TS val  ecr ], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .https: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, eproc QQMusic::, svc BE, in, so) IP .http > .: Flags [S.], seq , ack , win , options [mss ,sackOK,TS val  ecr ,nop,wscale 8], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [.], ack 1, win , options [nop,nop,TS val  ecr ], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, eproc QQMusic::, svc BE, in, so) IP .https > .: Flags [S.], seq , ack , win , options [mss ,nop,nop,sackOK,nop,wscale 8], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .https: Flags [.], ack 1, win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [P.], seq 1:, ack 1, win , options [nop,nop,TS val  ecr ], length : HTTP: POST /3gmusic/fcgi-bin/imusic_tj HTTP/:: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [P.], seq :, ack 1, win , options [nop,nop,TS val  ecr ], length : HTTP
:: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .https: Flags [P.], seq 1:, ack 1, win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, eproc QQMusic::, svc BE, in, so) IP .http > .: Flags [.], ack , win , options [nop,nop,TS val  ecr ], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, eproc QQMusic::, svc BE, in, so) IP .http > .: Flags [.], ack , win , options [nop,nop,TS val  ecr ], length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .https: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0
^C19:: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0
# capture the packets of the running ping command that go out through en0
sh-# tcpdump -l -n -k A -i any -Q "(pid=`pidof ping` && if=en0) && (dir=out)"
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: (en0, proc ping::65df3803--3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP  > : ICMP echo request, id , seq , length :: (en0, proc ping::65df3803--3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP  > : ICMP echo request, id , seq , length :: (en0, proc ping::65df3803--3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP  > : ICMP echo request, id , seq , length :: (en0, proc ping::65df3803--3c14-9c20-c6029f7e6b65, svc CTL, out, so) IP  > : ICMP echo request, id , seq , length 
  • -Q direction
# -Q direction: choose the send/receive direction of the packets to capture; the value may be in, out or inout.
# only available on some platforms: on Mac Big Sur it is reported as a syntax error, on Linux it works
# -Q direction: not supported here
sh-# tcpdump -i any -Q inout
tcpdump: cannot parse term at:
tcpdump: invalid expression "inout"
  • -q
# -q: quick output; lines are shorter because less protocol information is printed
# commonly used to check whether two devices are communicating at all
sh-# tcpdump -q -c 1 -i any 
:: IP . > ec2-.compute-1.amazonaws.com.https: tcp 
  • -r file
# -B buffer_size: set the operating system's capture buffer size, unit: KB
# -c count: exit after receiving or displaying count packets
# -i any: listen on all network interfaces
# -w file: save the captured packets to a.pcap, which can be opened in Wireshark
sh-# tcpdump -B  -c 3 -i any -w a.pcap

# -r: read packets from a savefile
# read a.pcap and print it
sh-# tcpdump -r a.pcap
  • -S
# -S: print absolute TCP sequence numbers
sh-# tcpdump -S -c 5 -i any tcp
:: IP . > .https: Flags [P.], seq :, ack , win , length 

# relative TCP sequence numbers
# the sequence numbers are noticeably smaller
sh-# tcpdump -c 5 -i any tcp
:: IP .https > .: Flags [.], ack , win , options [nop,nop,TS val  ecr ], length :: IP .https > .: Flags [P.], seq 1:, ack , win , options [nop,nop,TS val  ecr ], length  packets captured
  • -s snaplen
# the number of bytes to capture from each packet; 0 means no truncation
# snaplen bytes are taken from each packet instead of the default 262144 B. Packets truncated because of a limited snapshot are marked "[|proto]",
# where proto is the name of the protocol level at which truncation occurred.
# a larger snapshot both increases the time needed to process packets and effectively reduces the amount of packet buffering, which may cause packets to be lost.
# snaplen should be limited to the smallest number that still captures the protocol information of interest;
# setting snaplen to 0 sets it to the default of 262144 B
# tcpdump -i any -s 0
  • -T type
# -T type: force packets to be interpreted as protocol type.
# TODO, not used yet
  • -t n
# without -t, timestamps are printed as hour:minute:second.microsecond
sh-# tcpdump -q -c 1 -i any
:: IP . > broadcasthost.commplex-link: UDP, length 

# -t: don't print a timestamp
sh-# tcpdump -q -t -c 1 -i any
ARP, Request who-has  tell , length 

# -tt: print the time in UTC seconds, microsecond precision
sh-# tcpdump -q -tt -c 1 -i any
 ARP, Request who-has  tell , length 

# -ttt: time delta between the current line and the previous one, microsecond precision
sh-# tcpdump -q -ttt -c 5 -i any
 :: ARP, Request who-has  tell , length 
 :: ARP, Reply  is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length 
 :: ARP, Request who-has  tell , length 
 :: IP . > broadcasthost.commplex-link: UDP, length 
 :: ARP, Request who-has  tell , length 
 
# -tttt: year-month-day hour-minute-second
sh-# tcpdump -q -tttt -c 5 -i any
 :: ARP, Request who-has  tell , length 

# -ttttt: time delta between the current line and the first one
sh-# tcpdump -q -ttttt -c 5 -i any
 :: ARP, Request who-has  tell , length 
 :: IP . > .domain: UDP, length 
 :: IP .domain > .: UDP, length 
 :: IP . > .domain: UDP, length 
 :: IP .domain > .: UDP, length 
 
# -t n: n selects one of -t -tt -ttt -tttt -ttttt; n is in [0, 5]
# -t 4: same as -tttt, year-month-day hour-minute-second
sh-# tcpdump -q -t 4 -c 5 -i any
 :: ARP, Request who-has  tell , length  :: ARP, Reply  is-at e0:b5:5f:f2:bb:a3 (oui Unknown), length  :: IP . > .domain: UDP, length  :: IP .domain > .: UDP, length  :: IP . > .domain: UDP, length 
  • --time-zone-offset tz
# TODO, no use case found yet
  • -u
# -u: print raw (undecoded) NFS handles
# TODO
  • -U
# -U: when -w is used, write each packet to the savefile as soon as it is captured, rather than only when the output buffer fills
  • -v ~ -vvv
# -v: verbose output
# for IP packets this prints time to live (TTL), identification, total length and options
# it also fully verifies the IP and ICMP header checksums
sh-# tcpdump -v -c 1 -i any
:: IP (tos 0x0, ttl , id , offset 0, flags [none], proto UDP (), length )
    . > .domain: + Type65? oc.cgiaccess.tc.qq.com. ()

# -vv: more verbose output, e.g. NFS reply packets and SMB packets are fully decoded
sh-# tcpdump -vv -c 1 -i any
:: IP (tos 0x0, ttl , id 0, offset 0, flags [DF], proto TCP (6), length )
    . > hn.kd.ny.adsl.http: Flags [S], cksum 0xfedc (correct), seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0

# -vvv: even more verbose output, e.g. telnet SB ... SE options are printed in full
sh-# tcpdump -vvv -c 1 -i any
:: IP (tos 0x0, ttl , id 0, offset 0, flags [DF], proto TCP (6), length )
    . > .http: Flags [S], cksum 0xe2ff (correct), seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0
  • -V file
# Read a list of filenames from file. Standard input is used if file is ``-''.
# TODO
  • -w file
# -B buffer_size: set the operating system's capture buffer size, unit: KB
# -c count: exit after receiving or displaying count packets
# -i any: listen on all network interfaces
# -w file: save the captured packets to a.pcap, which can be opened in Wireshark
sh-# tcpdump -B  -c 3 -i any -w a.pcap
  • -W
# note: -W and -G are not usually combined; the effect of combining them is shown below, and in the end only this many files exist
# combined with -G it limits the number of dump files; when that number is reached, tcpdump exits
sh-# tcpdump -G 3 -i any -W  -w 'fh_%Y-%m-%d_%T.pcap'
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
Maximum file limit reached:  packets captured
 packets received by filter
0 packets dropped by kernel
sh-# 

sh-# ls -l
total 
-rw-r--r--  1 root  wheel    5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel    5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel    5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel    5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel    5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel     5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel     5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel    5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel     5  : fh_2021--03_18::.pcap
-rw-r--r--  1 root  wheel    5  : fh_2021--03_18::.pcap

Used together with -C, this option limits the number of files that can be opened; once the number of files exceeds the limit set here, the earlier files are overwritten in turn, which makes it behave like a buffer pool of filecount files. It also prefixes the index in each file name with enough padding zeros so that the files sort correctly.

# -W: used together with -C, limits the number of files that can be opened
# when the current file exceeds the size threshold,
# the oldest file is gradually overwritten,
# behaving like a buffer pool with a fixed number of files
# the option also pads the index in each file name with enough leading zeros so the files sort correctly
sh-# tcpdump -C   -i any -W  -w f.pcap
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes

sh-# ls -l
total 
-rw-r--r--  1 root  wheel    5  : f.pcap0
-rw-r--r--  1 root  wheel    5  : f.pcap1
-rw-r--r--  1 root  wheel    5  : f.pcap2
-rw-r--r--  1 root  wheel     5  : f.pcap3
-rw-r--r--  1 root  wheel    5  : f.pcap4
-rw-r--r--  1 root  wheel    5  : f.pcap5
-rw-r--r--  1 root  wheel    5  : f.pcap6
-rw-r--r--  1 root  wheel    5  : f.pcap7
-rw-r--r--  1 root  wheel    5  : f.pcap8
-rw-r--r--  1 root  wheel    5  : f.pcap9
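The naming rules shown in the listings above (file, file1, ... without -W; zero-padded f.pcap0 ... f.pcap9 that wrap around with -W; strftime() names with -G) are easy to get wrong when planning a long-running capture. The following simulator is an added example, not code from the original notes or from the tcpdump project; it follows my reading of tcpdump's MakeFilename() and of the rotation logic, the pcap header sizes are the standard ones, and every base name, packet size and time in it is a constructed sample value.

```python
"""Added example (not from the original notes): simulate how tcpdump names
rotated savefiles under -C, -W and -G, so a listing can be predicted before
the capture is run. Naming follows my reading of tcpdump's MakeFilename();
header sizes are the standard pcap ones; all inputs are constructed samples."""
from datetime import datetime, timedelta

PCAP_FILE_HEADER = 24    # bytes: pcap global header, written once per file
PCAP_RECORD_HEADER = 16  # bytes: per-packet record header


def _wflag_digits(filecount):
    """Width tcpdump zero-pads the index to with -W: digit count of filecount - 1."""
    x = filecount - 1
    digits = 0
    while x > 0:
        digits += 1
        x //= 10
    return digits


def make_filename(base, index, filecount=None):
    """Name of savefile number index (0-based) for -w base [-C ...] [-W filecount]."""
    if filecount is None:
        # without -W the first file is just 'base'; later files get an unpadded suffix
        return base if index == 0 else f"{base}{index}"
    # with -W every file, including the first, gets a zero-padded suffix (f.pcap0 ...)
    return f"{base}{index:0{_wflag_digits(filecount)}d}"


def rotate_by_size(base, file_size, packet_sizes, filecount=None):
    """-C file_size [-W filecount]: savefile names in the order they are opened.
    file_size is in units of 1,000,000 bytes; with -W the index wraps around, so a
    name reappears when the oldest file is overwritten (ring buffer)."""
    limit = file_size * 1_000_000
    index = 0
    opened = [make_filename(base, index, filecount)]
    current = PCAP_FILE_HEADER
    for size in packet_sizes:
        if current > limit:            # file already over the limit: rotate before writing
            index += 1
            if filecount is not None and index >= filecount:
                index = 0              # -W: wrap and overwrite the oldest file
            opened.append(make_filename(base, index, filecount))
            current = PCAP_FILE_HEADER
        current += PCAP_RECORD_HEADER + size
    return opened


def rotate_by_time(name_fmt, start, rotate_seconds, capture_seconds, filecount=None):
    """-G rotate_seconds -w name_fmt [-W filecount]: one strftime()-expanded name per
    rotation. A name_fmt without time specifiers yields the same name every time,
    i.e. the file is overwritten; with -W tcpdump stops after filecount files."""
    names = []
    t, end = start, start + timedelta(seconds=capture_seconds)
    while t < end:
        if filecount is not None and len(names) >= filecount:
            break                      # "Maximum file limit reached"
        names.append(t.strftime(name_fmt))
        t += timedelta(seconds=rotate_seconds)
    return names


if __name__ == "__main__":
    pkts = [600_000] * 5   # constructed: five 600 kB packets
    print(rotate_by_size("f", 1, pkts))            # ['f', 'f1', 'f2']
    print(rotate_by_size("f.pcap", 1, pkts, 2))    # ['f.pcap0', 'f.pcap1', 'f.pcap0']
    print(rotate_by_time("fh_%Y-%m-%d_%H-%M-%S.pcap",
                         datetime(2021, 3, 7, 10, 0, 0), 3, 12))
```

The -W wrap-around is the point to remember when sizing a ring buffer: with `-C 1 -W 2` the third file opened is `f.pcap0` again, so the oldest data is gone without any warning on the terminal.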

  • -x ~ -xx
# -x: when parsing and printing, also print the headers and data of each packet in hex (excluding the link-layer header)
# the smaller of the entire packet and snaplen bytes is printed.
# if a higher-layer packet is short and padding was added, the padding is printed too
sh-# tcpdump -x -c 1 -i any
:: IP . > broadcasthost.commplex-link: UDP, length 
	0x0000:  ffff ffff ffff 808f 1d66 9a6e 
	0x0010:   2e6a  8b49 c0a8  ffff
	0x0020:  ffff  007d f2f5  0e00 e12b
	0x0030:  83c7 f391  000a 544c 2d57
	0x0040:   000b  312e 
	0x0050:    2d38 462d  2d36
	0x0060:  362d  2d36  0b31  2e31
	0x0070:   2e30 2e31  000a  6c6f 
	0x0080:  6e2e 636e 000a 000e 544c 2d57 
	0x0090:   2e30 000c  312e 372e 

# -xx: when parsing and printing, also print the headers and data of each packet in hex (including the link-layer header)
sh-# tcpdump -xx -c 1 -i any
:: IP  > all-systems.mcast.net: igmp query v2
	0x0000:  9c00   656e 
	0x0010:    
	0x0020:    0e00 
	0x0030:   ffff ffff  
	0x0040:    
	0x0050:   ffff ffff  
	0x0060:    
	0x0070:    
	0x0080:    
	0x0090:    e0b5 5ff2
	0x00a0:  bba3 808f 1d66 9a6e  
	0x00b0:   83c9 c0a8  e000 
	0x00c0:   ee9b 

  • -X ~ -XX
# -X: print the headers and data of each packet in hex and ASCII (excluding the link-layer header)
sh-# tcpdump -X -c 1 -i any 
:: IP . > .: Flags [P.], seq :, ack , win , options [nop,nop,TS val  ecr ], length 
	0x0000:  808f 1d66 9a6e e0b5 5ff2 bba3   ...f.n.._.....E.
	0x0010:    d6ff c0a8 006c   .V..@.@......l.9
	0x0020:   e8f9  afac 11d5 4caf   .U...g....L..%..
	0x0030:   c0de  080a  5aae  ..........0.b.Z.
	0x0040:  d2f3  1d36 51f7 2f2f 61dc aec8  .......6Q.//a...
	0x0050:  3e9f  ad7d 2c52 17cb 3f69  5a0b  >.qB.},R..?iXDZ.
	0x0060:  b730 68b2                                .0h.
	
# -XX: print the headers and data of each packet in hex and ASCII (including the link-layer header)
sh-# tcpdump -XX -c 1 -i any 
:: ARP, Request who-has  tell , length 
	0x0000:  9c00   656e   ............en0.
	0x0010:      ................
	0x0020:    0e00   ................
	0x0030:   ffff ffff    ................
	0x0040:      ................
	0x0050:   ffff ffff    ................
	0x0060:      ................
	0x0070:      ................
	0x0080:      ................
	0x0090:    ffff ffff  ................
	0x00a0:  ffff 808f 1d66 9a6e    .....f.n........
	0x00b0:   808f 1d66 9a6e c0a8   .....f.n........
	0x00c0:   c0a8                            .....f
  • -y datalinktype
# -y sets the data link type of the packets to capture; the possible values are listed by tcpdump -L
sh-# tcpdump -c 3 -i any -y PKTAP
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: IP . > .domain: + Type65? init.itunes.apple.com. (:: IP . > .domain: + A? init.itunes.apple.com. (:: IP . > .domain: + PTR? .in-addr.arpa. ()
  • -z postrotate-command
# TODO
  • -Z user
# if tcpdump is running as root,
# after opening the capture device or input savefile, but before opening any output savefile,
# change the user ID to user and the group ID to user's primary group
# this behaviour is enabled at compile time

Simple Example


# capture packets coming from or going to sundown
tcpdump host sundown
# capture packets between helios and hot, or between helios and ace
# note: parentheses have a special meaning in the shell, so they must be escaped
sh-# tcpdump host helios and \( hot or ace \)

# single quotes work as well
sh-# tcpdump host 'helios and ( hot or ace )'
# capture IP packets between host ace and any other device except helios
tcpdump ip host ace and not helios
# according to the TCP specification, the flag bits are
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
# 128 |  64 |  32 |  16 |  8  |  4  |  2  |  1
# the protocol stores these flags in a single byte,
# so whichever flag is set has its bit equal to 1
# the value of the flags byte (tcp[tcpflags]) is the number formed by all the flag bits together
# for example, with SYN and ECE set and all the others clear:
# CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
#  0  |  1  |  0  |  0  |  0  |  0  |  1  |  0
# converted from binary to decimal that is 2 + 64 = 66


# capture packets with the SYN flag set in the TCP header
# tcpflags and tcp-syn are fixed keywords
sh-# tcpdump -c 3 -i any tcp[tcpflags] == tcp-syn
:: IP . > .http: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0

# capture packets with the SYN flag set in the TCP header
sh-# tcpdump -c 3 -i any "tcp[tcpflags] & tcp-syn != 0"
:: IP . > .: Flags [SEW], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0

# capture packets with SYN=1 and every other flag 0
# the number in brackets is the octet offset into the TCP header, i.e. the byte that holds the flags
sh-# tcpdump -c 3 -i any tcp[] == :: IP . > .http: Flags [S], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length 0

# capture packets with SYN=1; the other flags may be anything
sh-# tcpdump -c 3 -i any 'tcp[] & 2 != 0'
:: IP .http > .: Flags [S.E], seq , ack , win , options [mss ,sackOK,TS val  ecr ,nop,wscale 7], length 0

# capture packets with the SYN flag set
sh-# tcpdump -c 3 -i any "tcp[tcpflags] & 2 != 0"
:: IP .https > .: Flags [S.E], seq , ack , win , options [mss ,nop,nop,sackOK,nop,wscale 7], length 0

# capture packets with the SYN flag set
# the SYN flag must be 1
sh-# tcpdump -c 3 -i any "tcp[] & tcp-syn != 0"
:: IP .https > .: Flags [S.E], seq , ack , win , options [mss ,sackOK,TS val  ecr ,nop,wscale 7], length 0
# combined flags
# capture S and E packets: S is 2, E is 64
sh-# tcpdump -c 3 -i any "tcp[] &  != 0"
:: IP . > .https: Flags [SEW], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length :: IP .https > .: Flags [S.E], seq , ack , win , options [mss ,nop,nop,sackOK,nop,wscale 7], length 0


# capture packets with SYN=1 or ACK=1 in the TCP header
sh-# tcpdump -c 3  -i any "tcp[] == 2 || tcp[] == "
:: IP . > .http: Flags [.], ack , win , length :: IP .http > .: Flags [.], ack , win , length :: IP . > .http: Flags [.], ack , win , length  packets captured

# capture packets with SYN=1 or ACK=1 in the TCP header
sh-# tcpdump -c 3  -i any "tcp[tcpflags] == tcp-syn || tcp[tcpflags] == tcp-ack"
:: IP . > .http: Flags [.], ack , win , length :: IP .http > .: Flags [.], ack , win , length :: IP . > .http: Flags [.], ack , win , length 0

# capture packets with SYN=1 or ACK=1 in the TCP header
sh-# tcpdump -c 3 -i any "tcp[tcpflags] & (tcp-syn | tcp-ack) != 0"
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: IP . > .http: Flags [SEW], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length :: IP .http > .: Flags [S.E], seq , ack , win , options [mss ,nop,wscale 8,nop,nop,sackOK], length :: IP . > .http: Flags [.], ack 1, win , length 0
# capture ICMP echo replies
sh-# tcpdump -l -i any 'icmp[icmptype] == icmp-echoreply'
:: IP  > : ICMP echo reply, id , seq 0, length :: IP  > : ICMP echo reply, id , seq 1, length :: IP  > : ICMP echo reply, id , seq 2, length :: IP  > : ICMP echo reply, id , seq 3, length :: IP  > : ICMP echo reply, id , seq 4, length :: IP  > : ICMP echo reply, id , seq 5, length 
# capture outgoing ICMP echo requests
sh-# tcpdump -l -i any 'icmp[icmptype] == icmp-echo'
:: IP  > : ICMP echo request, id , seq , length :: IP  > : ICMP echo request, id , seq , length 
# capture packets with SYN or FIN set in the TCP header
sh-# tcpdump -c 3 -i any 'tcp[tcpflags] & (tcp-syn | tcp-fin) != 0'
:: IP . > .http: Flags [SEW], seq , win , options [mss ,nop,wscale 6,nop,nop,TS val  ecr 0,sackOK,eol], length :: IP .http > .: Flags [S.EW], seq , ack , win , options [mss ,nop,wscale 5,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,sackOK,eol], length :: IP . > .http: Flags [F.], seq , ack , win , length 0
# wrong example: watch the spelling, it is tcpflags, not tcp-flags
sh-# tcpdump -c 3 -i any 'tcp[tcp-flags] & (tcp-syn | tcp-fin) != 0'
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
# capture packets whose length is less than or equal to the given value
sh-# tcpdump -i any 'len <= '
:: IP  > : igmp v2 report 
:: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length 
# less x is equivalent to len <= x
sh-# tcpdump -i any 'less '
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: ARP, Request who-has  tell , length :: IP  > : igmp v2 report 
:: ARP, Request who-has  tell , length :: IP . > .https: Flags [.], ack , win , length 0
# greater x is equivalent to len > x
sh-# tcpdump -i any 'greater '
:: IP  > : ICMP echo request, id , seq , length :: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .: * 1/0/0 PTR . (:: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .:  NXDomain* 0/0/:: IP . > .domain: + PTR? .in-addr.arpa. (:: IP .domain > .: * 1/0/0 PTR . (:: IP  > : ICMP echo reply, id , seq , length :: IP  > : ICMP echo request, id , seq , length :: IP  > : ICMP echo reply, id , seq , length 
# capture packets of exactly the given length
sh-# tcpdump -i any 'len == '
:: IP . > .domain: + Type65? p1.glb6.com. (:: IP . > .domain: + A? p1.glb6.com. (:: IP .domain > .: /0/0 ()
# capture ping replies whose MAC address is :::7b::
# in this example another terminal keeps pinging www.baidu.com, and :::7b:: is the MAC address the replies from baidu arrive from
# src can be placed in front of host to state that the direction is from baidu towards us
sh-# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether host :::7b::'
:::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length 

fh@ ~ % ping www.baidu.com
# capture ping replies whose source MAC address is :::7b::
sh-# tcpdump -e -i any 'icmp[icmptype] == icmp-echoreply && ether src host :::7b::'
:::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length :::::7b:: (oui Unknown) > e0:b5:5f:f2:bb:a3 (oui Unknown), ethertype IPv4 (0x0800), length :  > : ICMP echo reply, id , seq , length 
^C
# broadcast
sh-# tcpdump -i any ether broadcast
:: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length :: IP . > broadcasthost.commplex-link: UDP, length :: ARP, Request who-has  tell , length 
# multicast
sh-# tcpdump -i any ether multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length :: ARP, Request who-has  tell , length 
# IPv4 multicast
sh-# tcpdump -i any ip multicast
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: IP . > broadcasthost.commplex-link: UDP, length :: IP . > broadcasthost.commplex-link: UDP, length :: IP . > broadcasthost.commplex-link: UDP, length :: IP . > broadcasthost.commplex-link: UDP, length 
# IPv6 multicast
sh-# tcpdump  -i any ip6 multicast
:: IP6 fe80::7:29a1:df91:ad39 > ff02::: HBH ICMP6, multicast listener report v2, 1 group record(s), length :: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? .d.a..f.d.1.a......e.f.ip6.arpa. (:: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? .d.a..f.d.1.a......e.f.ip6.arpa. (:: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? .d.a..f.d.1.a......e.f.ip6.arpa. (:: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? .d.a..f.d.1.a......e.f.ip6.arpa. (:: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QU)? .d.a..f.d.1.a......e.f.ip6.arpa. (:: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? .d.a..f.d.1.a......e.f.ip6.arpa. (:: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? .d.a..f.d.1.a......e.f.ip6.arpa. (:: IP6 feihu-3.local.mdns > ff02::fb.mdns: 0 PTR (QM)? .d.a..f.d.1.a......e.f.ip6.arpa. ()
# select the packets whose TCP dst port and src port have the given values, matching directly on the TCP header bytes
sh-# lsof -nP | grep -i qqmusic | grep TCP
QQMusic                         fh   37u     IPv4 0x593c30f6d1324cb3       0t0                 TCP :->: (ESTABLISHED)
tcp[n:c]: starting from byte n, take the following c bytes, i.e. the range [n, n+c-1], unit: bytes

# the port numbers below and the lsof output confirm that the captured packets are the right ones.
sh-# tcpdump -l -nn -k A -i any 'tcp[2:2] ==  && tcp[0:2] ==  '
:: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .: Flags [F.], seq , ack , win , options [nop,nop,TS val  ecr ], length :: (en0, proc QQMusic::, svc BE, out, so) IP . > .: Flags [.], ack 2, win , options [nop,nop,TS val  ecr ], length 0
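The flag arithmetic in the Simple Example section (the bit table, `tcp[tcpflags] == tcp-syn` versus `tcp[tcpflags] & tcp-syn != 0`) and the `tcp[n:c]` byte-range filter above both reduce to reading big-endian integers out of the TCP header. The block below is an added example, not code from the original notes or from the tcpdump/libpcap projects: it builds constructed 20-byte TCP headers, evaluates the same predicates the notes use, and renders the flags byte the way tcpdump prints it inside `Flags [...]`. It relies on the flags byte being at TCP header offset 13 (`tcp[13]`, which `tcp[tcpflags]` aliases); every port number and flag combination in it is a constructed sample.

```python
"""Added example (not from the original notes): evaluate tcpdump-style TCP
header predicates against constructed packets. The flags byte is at TCP
header offset 13 (tcp[13], aliased tcp[tcpflags]); all headers and ports
below are constructed sample values."""
import struct

# Bit values of the flags byte (RFC 793, plus the RFC 3168 ECE/CWR bits).
TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80,
}
TCPFLAGS_OFFSET = 13  # tcpdump's tcp[tcpflags] is tcp[13]

# Letters tcpdump prints inside "Flags [...]", in its own print order.
FLAG_LETTERS = [("fin", "F"), ("syn", "S"), ("rst", "R"), ("psh", "P"),
                ("ack", "."), ("urg", "U"), ("ece", "E"), ("cwr", "W")]


def flags_byte(*names):
    """Value stored in tcp[13] when exactly these flags are set, e.g. syn+ece = 66."""
    return sum(TCP_FLAGS[n] for n in names)


def build_tcp_header(src_port, dst_port, *flag_names):
    """Constructed minimal 20-byte TCP header (no options), network byte order."""
    data_offset = 5 << 4  # header length 5 words, reserved bits 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags_byte(*flag_names), 65535, 0, 0)


def tcp_field(tcp, offset, size=1):
    """tcp[offset:size] as pcap-filter evaluates it: size bytes, big-endian."""
    if size not in (1, 2, 4):
        raise ValueError("pcap-filter only allows 1, 2 or 4 byte accesses")
    if offset + size > len(tcp):
        raise ValueError("access beyond the captured TCP header")
    return int.from_bytes(tcp[offset:offset + size], "big")


def tcpdump_flags_str(tcp):
    """Render the flags byte the way tcpdump's output does ("S", "S.E", "SEW", "F.")."""
    value = tcp_field(tcp, TCPFLAGS_OFFSET)
    return "".join(letter for name, letter in FLAG_LETTERS if value & TCP_FLAGS[name])


# The predicates from the notes, one function each.
def only_syn(tcp):                 # tcp[tcpflags] == tcp-syn
    return tcp_field(tcp, TCPFLAGS_OFFSET) == TCP_FLAGS["syn"]


def syn_set(tcp):                  # tcp[tcpflags] & tcp-syn != 0
    return tcp_field(tcp, TCPFLAGS_OFFSET) & TCP_FLAGS["syn"] != 0


def syn_or_fin_set(tcp):           # tcp[tcpflags] & (tcp-syn | tcp-fin) != 0
    mask = TCP_FLAGS["syn"] | TCP_FLAGS["fin"]
    return tcp_field(tcp, TCPFLAGS_OFFSET) & mask != 0


def ports_match(tcp, src_port, dst_port):  # tcp[0:2] == src && tcp[2:2] == dst
    return (tcp_field(tcp, 0, 2) == src_port
            and tcp_field(tcp, 2, 2) == dst_port)


if __name__ == "__main__":
    # Constructed sample: a SYN with ECN negotiation, shown by tcpdump as "Flags [SEW]".
    sew = build_tcp_header(50000, 80, "syn", "ece", "cwr")
    print(tcpdump_flags_str(sew), tcp_field(sew, TCPFLAGS_OFFSET))  # SEW 194
    print(only_syn(sew), syn_set(sew))  # False True: '== tcp-syn' misses ECN SYNs
    print(ports_match(sew, 50000, 80))  # True
```

The `[SEW]` and `[S.E]` lines in the captures above are exactly the case where the two SYN filters diverge: `tcp[tcpflags] == tcp-syn` only matches when the byte is 2, so an ECN-capable SYN (2 + 64 + 128 = 194) is silently skipped, while the `& tcp-syn != 0` form catches it. The same masking rule applies to any flag combination, and the 1/2/4-byte restriction in `tcp_field` mirrors what pcap-filter accepts for `proto[expr:size]`.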
# icmp cannot be followed directly by host,
sh-# tcpdump -i any icmp dst host 
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed

# to filter icmp packets further, add the && operator
sh-# tcpdump -i any icmp && dst host 
:: IP  > : ICMP echo request, id , seq , length :: IP  > : ICMP echo reply, id , seq , length :: IP  > : ICMP echo request, id , seq , length :: IP  > : ICMP echo reply, id , seq , length 
# on macOS, tcpdump can be piped straight into Wireshark, which opens its window automatically
sh-# tcpdump -i any -w - | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
 :: Wireshark[:] Warning: Expected min height of view: () to be less than or equal to  but got a height of . This error will be logged once per view in violation.
 packets captured
 packets received by filter
0 packets dropped by kernel
sh-#
# ifname can be used to filter by network interface
sh-# tcpdump -k A -i any tcp && ifname en0
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, eproc QQMusic::, svc BE, in, so) IP .http > .: Flags [F.], seq , ack , win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [.], ack 1, win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [F.], seq 1, ack 1, win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, eproc QQMusic::, svc BE, in, so) IP .http > .: Flags [F.], seq , ack , win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [.], ack 1, win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, svc BE, out, so) IP . > .http: Flags [F.], seq 1, ack 1, win , length :: (en0, proc QQMusic::20d71810-64f0-3f16--55d62d68771a, eproc QQMusic::, svc BE, in, so) IP .https > .: Flags [P.], seq :, ack , win , length 
# capture packets in the destination port range but not to the given port
sh-# tcpdump -nn -i any '(dst portrange ) && (! dst port )'
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size  bytes
:: IP . > .: + A? www.baidu.com. ()

References

Reference material:

Baidu Baike: octet
Baidu Baijiahao: 肝了三天,万字长文教你玩转 tcpdump,从此抓包不用愁
man tcpdump
man pcap-filter
RFC 793 (TRANSMISSION CONTROL PROTOCOL)