TCPDUMP - The Easy Tutorial

Networking TCPdump
最近更新: Apr 22 2010


Chinese translation by YukiAlex.




If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!


TCPdump是一款功能强大的网络包窃听工具。

由于这套软件会将网络卡运行在promiscuous mode,所以只有root或者拥有superuser权利的用户才能执行该软件。

Wireshark(前身是ethereal)可以被视为拥有图形界面的TCPdump。Wireshark也可以读取TCPdump产生的logs。

1. 下载TCPDUMP 2. 使用TCPDUMP



1. 下载TCPDUMP

要下载TCPdump

#apt-get install tcpdump
要查看TCPdump的依赖关系

#apt-cache depends tcpdump
tcpdump
   Depends: libc6
   Depends: libpcap0.8
   Depends: libssl0.9.8


要查看TCPdump的版本

#apt-cache policy tcpdump
tcpdump:
   Installed: 3.9.4-2ubuntu0.1
   Candidate: 3.9.4-2ubuntu0.1
   Version table:
  *** 3.9.4-2ubuntu0.1 0
            500 http://security.ubuntu.com dapper-security/main Packages
            100 /var/lib/dpkg/status
         3.9.4-2 0
            500 http://ch.archive.ubuntu.com dapper/main Packages



2. 使用TCPDUMP

显示标准TCPdump输出

#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36


显示详细输出

#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53


可以用来抓包的网络界面

#tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo


显示IP地址,不显示DNS名称

#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535


显示快速输出

#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53


抓取指定网络界面的数据包

tcpdump -i eth0
抓取UDP数据包

#tcpdump udp
抓取端口80的TCP数据包

#tcpdump port http
抓取储存在文件中的filter的数据包

#tcpdump -F file_name
在已经设置好的filter中新增文件(这里是TCP端口80)

#vim file_name
port 80
在抓取20个数据包之后停止

#tcpdump -c 20
将结果输出到文件中而不显示在屏幕上

#tcpdump -w capture.log
读取文件

#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)

09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win86
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527


抓取的数据并不是储存成文本格式,因此不能用文本编辑器阅读。必须用特别的软件,比如TCP dump(见上文)或者提供图形界面的Wireshark(前身是Ethereal)。

用Wireshark打开抓取的日志


显示来源或目的地为"www.openmaniak.com" 的数据包

#tcpdump host www.openmaniak.com
显示从192.168.1.100 发送到 192.168.1.2的FTP数据包

#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
显示数据包的内容

#tcpdump -A
在ftp连接中抓取数据包。由于FTP密码是用明文传送,所以能够被轻易截获。

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
....g....................
............
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183
....g.I@.............
........
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183
....g.I@.......8.....
......EN
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
....g.I@......`$.....
...=..ENUSER teddybear

20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@.............
...>..E^
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c.....
......E^PASS wakeup

20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183
....h.I@.,...........
......Ez
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,...........
......EzSYST

20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183
....h.I@.?.....j.....
......Ez
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?...........
......EzQUIT

20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183
....h.I@.g...........
......E.
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e.....
......E.


We see in this capture the FTP username (teddybear) and password (wakeup).

Top of the page





If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!