Saving and replaying traffic
Anyone who has done network traffic analysis probably shares two common needs: "saving traffic" and "replaying traffic".
- Saving traffic: write the captured packets to disk and keep them for later use.
- Replaying traffic: take the traffic from some past time window and feed it back in again for analysis.
The -w option: save traffic to a file
[root@test ~]# tcpdump -i ens39 -w tcp.txt
tcpdump: listening on ens39, link-type EN10MB (Ethernet), capture size 262144 bytes
^C97 packets captured
97 packets received by filter
0 packets dropped by kernel
As the example shows, the traffic was saved to the file tcp.txt. tcpdump's -w option writes the raw packets straight to the file (the file is in pcap format regardless of its .txt extension): what is stored is the binary packet structures, not the decoded text we see on screen.
The -r option: read a raw-packet file
[root@test ~]# tcpdump -r tcp.txt
reading from file tcp.txt, link-type EN10MB (Ethernet)
08:48:59.468322 IP 192.168.146.6.62625 > 192.168.146.131.ssh: Flags [P.], seq 614404439:614404507, ack 3852147140, win 4104, length 68
08:48:59.468478 IP 192.168.146.131.ssh > 192.168.146.6.62625: Flags [.], ack 68, win 274, length 0
08:48:59.469027 IP 192.168.146.131.ssh > 192.168.146.6.62625: Flags [P.], seq 1:85, ack 68, win 274, length 84
08:48:59.508838 IP 192.168.146.6.62625 > 192.168.146.131.ssh: Flags [.], ack 85, win 4104, length 0
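To make the difference between the on-disk format and the on-screen format concrete, here is an added example (not code from the original post) that writes two constructed Ethernet/IPv4/UDP frames into an in-memory pcap file with the same layout tcpdump -w produces, then walks the records back out the way tcpdump -r does and decodes just enough of the raw bytes to show they are structures rather than text. The MAC addresses, IP addresses, ports and payloads are made-up sample data, and the writer always uses little-endian byte order (tcpdump writes the host's native order).

```python
"""Minimal pcap writer/reader showing what `tcpdump -w` actually stores.

Added example, not code from the original post. Frame contents are
constructed sample data with placeholder MAC addresses; the pcap layout
(24-byte global header, 16-byte record header per packet, then raw bytes)
is the format tcpdump writes and `tcpdump -r` reads.
"""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-timestamp pcap; written little-endian below
LINKTYPE_ETHERNET = 1         # tcpdump's banner: "link-type EN10MB (Ethernet)"
SNAPLEN = 262144              # tcpdump's default: "capture size 262144 bytes"


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP frame. MACs are placeholders, not captured values."""
    eth = bytes.fromhex("005056e8a1b2") + bytes.fromhex("000c29ea6216") + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload          # UDP checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]                      # fill in header checksum
    return eth + ip + udp


def write_pcap(frames, ts0=1_700_000_000):
    """Serialise frames the way tcpdump -w does: global header, then (record header, raw bytes) pairs."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        caplen = min(len(frame), SNAPLEN)                 # frames longer than snaplen are truncated on disk
        out.write(struct.pack("<IIII", ts0 + i, i * 1000, caplen, len(frame)))
        out.write(frame[:caplen])
    return out.getvalue()


def read_pcap(data):
    """Walk the records back out; refuses byte orders and link types this example does not handle."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x (big-endian or nanosecond file?)" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is decoded in this example")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + caplen > len(data):                       # e.g. capture killed mid-write
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec + usec / 1e6, data[off:off + caplen]))
        off += caplen
    return records


def summarize(frame):
    """Decode just enough raw bytes (EtherType, IPv4 header, L4 ports) to show they are structures, not text."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return {"proto": "non-ipv4"}
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src = ".".join(map(str, frame[14 + 12:14 + 16]))
    dst = ".".join(map(str, frame[14 + 16:14 + 20]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return {"proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)), "src": src, "dst": dst,
            "sport": sport, "dport": dport, "ip_csum_ok": ipv4_checksum(frame[14:14 + ihl]) == 0}


def roundtrip_demo():
    """Write two constructed frames to an in-memory pcap and read them back."""
    frames = [
        build_udp_frame("192.168.146.131", "192.168.146.254", 68, 67, b"\x01" * 300),  # DHCP-like request
        build_udp_frame("192.168.146.6", "192.168.146.131", 62625, 53, b"\x00" * 32),   # DNS-like query
    ]
    blob = write_pcap(frames)
    return blob, [summarize(frame) for _ts, frame in read_pcap(blob)]


if __name__ == "__main__":
    pcap_bytes, decoded = roundtrip_demo()
    for entry in decoded:
        print(entry)
```

Writing the bytes returned by write_pcap() to a file gives something tcpdump -r can open. The truncation check in read_pcap() matters in practice: a capture interrupted with Ctrl-C or a full disk leaves a partial last record, and a reader that trusts the record header's length will read past the end of the file.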
Filtering traffic
Capture only UDP packets
[root@test ~]# tcpdump -i ens39 -c 1 'udp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens39, link-type EN10MB (Ethernet), capture size 262144 bytes
09:09:25.727094 IP 192.168.146.131.bootpc > 192.168.146.254.bootps: BOOTP/DHCP, Request from 00:0c:29:ea:62:16 (oui Unknown), length 300
1 packet captured
2 packets received by filter
0 packets dropped by kernel
This example shows that tcpdump can filter by a packet's protocol type; the protocols you can filter on are ether, ip, ip6, arp, tcp and udp.
There are no application-layer protocols in that list, because application protocols are not basic network protocols: they are added and retired all the time and often have no fixed data format, so tcpdump's filter language does not reach into the application layer to parse them.
Source and destination hosts
To look only at packets between a particular source and destination host, set src (source) and dst (destination); tcpdump also lets you combine these conditions with and and or.
[root@test ~]# tcpdump -i ens39 -c 1 'dst 192.168.146.131'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens39, link-type EN10MB (Ethernet), capture size 262144 bytes
09:23:12.888140 IP 192.168.146.6.62625 > 192.168.146.131.ssh: Flags [P.], seq 614407867:614407935, ack 3852151096, win 4102, length 68
1 packet captured
47 packets received by filter
0 packets dropped by kernel
[root@test ~]# tcpdump -i ens32 -c 1 'dst 8.8.8.8'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
09:26:19.790385 IP test.44618 > google-public-dns-a.google.com.http: Flags [S], seq 991906839, win 29200, options [mss 1460,sackOK,TS val 3007011 ecr 0,nop,wscale 7], length 0
1 packet captured
3 packets received by filter
0 packets dropped by kernel
We know that 8.8.8.8 is Google's public DNS, and the output shows that tcpdump displayed it as its corresponding hostname, google-public-dns-a.google.com (tcpdump resolves addresses to names by default; pass -n to suppress the lookups).
Only specific ports
Suppose you only want to see traffic to destination ports 22 and 80 and nothing else.
[root@test ~]# tcpdump -i ens39 -c 2 'dst port 22 or dst port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens39, link-type EN10MB (Ethernet), capture size 262144 bytes
09:37:08.183655 IP 192.168.146.6.49672 > test.http: Flags [.], ack 825142687, win 4103, length 0
09:37:09.683676 IP 192.168.146.6.62625 > 192.168.146.131.ssh: Flags [P.], seq 614411047:614411099, ack 3852154800, win 4105, length 52
2 packets captured
11 packets received by filter
0 packets dropped by kernel
tcpdump also supports the following qualifiers:
- host: a hostname or IP address, e.g. 'host test.cn' or 'host 202.112.18.34'
- net: a network prefix, e.g. 'src net 128.3' or 'dst net 128.3'
- portrange: a range of ports, e.g. 'src or dst portrange 6000-6008'
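The filters shown in this section ('udp', 'dst 192.168.146.131', 'dst port 22 or dst port 80') are evaluated by tcpdump on the raw packets. When all you have is the text output (a saved terminal session, a log shipped to a SIEM), it is useful to be able to parse the one-line summaries and apply the same kind of expression to them. The following is an added example, not code from the original post: a parser for the line format shown above and a small evaluator that imitates tcpdump's src/dst/host/port/tcp/udp primitives with and/or combination. The sample input lines are copied from the post's own output; the service-name table and the filter grammar are this example's simplifications, not tcpdump's implementation, and the protocol guess is based on how tcpdump labels TCP and the UDP decoders that appear in the post.

```python
"""Parse tcpdump's one-line text output and apply filter expressions like the ones above.

Added example, not code from the original post. The sample lines are copied
from the post's output; the filter evaluator and service-name table are this
example's simplified imitation of the BPF filters tcpdump accepts, not
tcpdump's implementation. Authoritative filtering is done on the raw capture
with `tcpdump -r file '<expr>'`; filtering the text is a log-review convenience.
"""
import re

# tcpdump prints well-known ports by name unless run with -n; map the names seen in the post.
SERVICE_PORTS = {"ssh": 22, "http": 80, "bootps": 67, "bootpc": 68, "domain": 53}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<rest>.*)$"
)

# Sample input: packet lines copied from the post's -r and -c 1 sessions, plus the -r banner
# line to show that non-packet lines are skipped.
SAMPLE_OUTPUT = """\
reading from file tcp.txt, link-type EN10MB (Ethernet)
08:48:59.468322 IP 192.168.146.6.62625 > 192.168.146.131.ssh: Flags [P.], seq 614404439:614404507, ack 3852147140, win 4104, length 68
08:48:59.468478 IP 192.168.146.131.ssh > 192.168.146.6.62625: Flags [.], ack 68, win 274, length 0
09:09:25.727094 IP 192.168.146.131.bootpc > 192.168.146.254.bootps: BOOTP/DHCP, Request from 00:0c:29:ea:62:16 (oui Unknown), length 300
09:37:08.183655 IP 192.168.146.6.49672 > test.http: Flags [.], ack 825142687, win 4103, length 0
"""


def to_port(token):
    """'62625' -> 62625, 'ssh' -> 22; unknown names are returned unchanged so they still compare."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, token)


def parse_line(line):
    """Return a dict for an 'IP' summary line, or None for banners, counters and non-IP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("Flags ["):                     # TCP lines always carry the flags field
        proto = "tcp"
    elif rest.startswith(("UDP", "BOOTP/DHCP")):       # plain UDP, or the DHCP decoder seen in the post
        proto = "udp"
    else:
        proto = "other"                                # ICMP and other decoders: extend as needed
    length = re.search(r"length (\d+)", rest)
    return {"ts": m["ts"], "proto": proto,
            "src": m["src"], "sport": to_port(m["sport"]),
            "dst": m["dst"], "dport": to_port(m["dport"]),
            "length": int(length.group(1)) if length else None}


def _primitive(words, pkt):
    """Evaluate one primitive: tcp | udp | [src|dst] [host] H | [src|dst] port P."""
    if words in (["tcp"], ["udp"]):
        return pkt["proto"] == words[0]
    direction = None
    if words[0] in ("src", "dst"):
        direction, words = words[0], words[1:]
    if words[0] == "port":
        fields = {"src": ["sport"], "dst": ["dport"], None: ["sport", "dport"]}[direction]
        return any(pkt[f] == to_port(words[1]) for f in fields)
    if words[0] == "host":
        words = words[1:]
    fields = {"src": ["src"], "dst": ["dst"], None: ["src", "dst"]}[direction]
    return any(pkt[f] == words[0] for f in fields)


def matches(expr, pkt):
    """'and' binds tighter than 'or', as in BPF. No parentheses or 'not' in this toy evaluator."""
    return any(all(_primitive(p.split(), pkt) for p in term.split(" and "))
               for term in expr.split(" or "))


def filter_output(text, expr):
    """Apply a filter expression to tcpdump text output; returns the matching parsed packets."""
    pkts = [p for p in (parse_line(ln) for ln in text.splitlines()) if p]
    return [p for p in pkts if matches(expr, p)]


if __name__ == "__main__":
    for expr in ("udp", "dst 192.168.146.131", "dst port 22 or dst port 80"):
        print(expr, "->", len(filter_output(SAMPLE_OUTPUT, expr)), "packet(s)")
```

The parser depends on tcpdump's default name resolution (ssh, http, bootps in place of numbers), which is why SERVICE_PORTS exists; output captured with -n needs no such table. It also shows why text is a lossy source: a line that tcpdump decoded as something other than TCP or a known UDP decoder ends up as "other", whereas the raw capture still carries the real protocol number.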