Environment:
Source host: 192.168.244.131
Target host (Oracle): 192.168.244.128
DB: Oracle 19c
OS: Oracle Linux 7.5
Scenario one: an Oracle connection
1. On the database server, capture traffic in both directions:
tcpdump -i ens33 -w oracle_conn_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
2. From the source server, connect to Oracle remotely
[oracle@cjc-db-05 ~]$ sqlplus system/oracle@192.168.244.128:1521/cjc
SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jun 29 19:05:30 2025
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Last Successful login time: Sun Jun 29 2025 19:04:09 +08:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>
3. On the database server, stop the capture
[root@cjc-db-03 ~]# tcpdump -i ens33 -w oracle_conn_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C36 packets captured
36 packets received by filter
0 packets dropped by kernel
4. Analyze the captured data
[root@cjc-db-03 ~]# tcpdump -r oracle_conn_1.pcap
reading from file oracle_conn_1.pcap, link-type EN10MB (Ethernet)
19:05:30.876274 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [S], seq 1455824146, win 29200, options [mss 1460,sackOK,TS val 240713 ecr 0,nop,wscale 7], length 0
19:05:30.876360 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [S.], seq 4177482596, ack 1455824147, win 28960, options [mss 1460,sackOK,TS val 116562 ecr 240713,nop,wscale 7], length 0
19:05:30.876834 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 1, win 229, options [nop,nop,TS val 240714 ecr 116562], length 0
19:05:30.877272 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 1:231, ack 1, win 229, options [nop,nop,TS val 240714 ecr 116562], length 230
19:05:30.877306 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [.], ack 231, win 235, options [nop,nop,TS val 116563 ecr 240714], length 0
19:05:30.892429 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 1:9, ack 231, win 235, options [nop,nop,TS val 116578 ecr 240714], length 8
19:05:30.892988 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 9, win 229, options [nop,nop,TS val 240730 ecr 116578], length 0
19:05:30.893016 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 231:461, ack 9, win 229, options [nop,nop,TS val 240730 ecr 116578], length 230
19:05:30.893272 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 9:54, ack 461, win 243, options [nop,nop,TS val 116579 ecr 240730], length 45
19:05:30.893640 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.U], seq 461:462, ack 54, win 229, urg 1, options [nop,nop,TS val 240731 ecr 116579], length 1
19:05:30.893652 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 462:472, ack 54, win 229, options [nop,nop,TS val 240731 ecr 116579], length 10
19:05:30.893698 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [.], ack 472, win 243, options [nop,nop,TS val 116579 ecr 240731], length 0
19:05:30.893763 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 472:631, ack 54, win 229, options [nop,nop,TS val 240731 ecr 116579], length 159
19:05:30.893816 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 54:181, ack 631, win 252, options [nop,nop,TS val 116579 ecr 240731], length 127
19:05:30.899245 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 631:665, ack 181, win 229, options [nop,nop,TS val 240736 ecr 116579], length 34
19:05:30.899375 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 181:422, ack 665, win 252, options [nop,nop,TS val 116585 ecr 240736], length 241
19:05:30.900258 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 665:749, ack 422, win 237, options [nop,nop,TS val 240737 ecr 116585], length 84
19:05:30.900799 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 422:448, ack 749, win 252, options [nop,nop,TS val 116586 ecr 240737], length 26
19:05:30.901680 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 749:996, ack 448, win 237, options [nop,nop,TS val 240739 ecr 116586], length 247
19:05:30.908644 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 448:969, ack 996, win 260, options [nop,nop,TS val 116594 ecr 240739], length 521
19:05:30.967490 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 996:2265, ack 969, win 245, options [nop,nop,TS val 240804 ecr 116594], length 1269
19:05:30.976999 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 969:3174, ack 2265, win 283, options [nop,nop,TS val 116662 ecr 240804], length 2205
19:05:30.977512 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 3174, win 280, options [nop,nop,TS val 240815 ecr 116662], length 0
19:05:30.978111 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2265:2333, ack 3174, win 280, options [nop,nop,TS val 240815 ecr 116662], length 68
19:05:30.978212 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3174:3288, ack 2333, win 283, options [nop,nop,TS val 116664 ecr 240815], length 114
19:05:30.978589 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2333:2764, ack 3288, win 280, options [nop,nop,TS val 240815 ecr 116664], length 431
19:05:30.978837 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3288:3741, ack 2764, win 303, options [nop,nop,TS val 116664 ecr 240815], length 453
19:05:30.979316 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2764:2785, ack 3741, win 302, options [nop,nop,TS val 240815 ecr 116664], length 21
19:05:30.979490 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3741:3921, ack 2785, win 303, options [nop,nop,TS val 116665 ecr 240815], length 180
19:05:30.979989 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2785:3259, ack 3921, win 325, options [nop,nop,TS val 240815 ecr 116665], length 474
19:05:30.980347 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3921:4204, ack 3259, win 323, options [nop,nop,TS val 116666 ecr 240815], length 283
19:05:30.980719 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 3259:3295, ack 4204, win 348, options [nop,nop,TS val 240815 ecr 116666], length 36
19:05:30.980830 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 4204:4221, ack 3295, win 323, options [nop,nop,TS val 116666 ecr 240815], length 17
19:05:30.981074 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 3295:3308, ack 4221, win 348, options [nop,nop,TS val 240815 ecr 116666], length 13
19:05:30.981142 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 4221:4238, ack 3308, win 323, options [nop,nop,TS val 116666 ecr 240815], length 17
19:05:31.033459 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 4238, win 348, options [nop,nop,TS val 240871 ecr 116666], length 0
1. TCP three-way handshake
19:05:30.876274 IP 192.168.244.131.63594 > cjc-db-03: Flags [S] # client SYN
19:05:30.876360 IP cjc-db-03 > 192.168.244.131.63594: Flags [S.] # server SYN-ACK
19:05:30.876834 IP 192.168.244.131.63594 > cjc-db-03: Flags [.] # client ACK
Port: 63594 (client ephemeral port)
Core purpose of the three-way handshake:
1. Synchronize sequence numbers (SYNchronize): exchange initial sequence numbers (ISNs) so that data is delivered in order
2. Negotiate parameters: exchange the MSS (maximum segment size), window scale factor, etc.
3. Verify the path in both directions: confirm that client → server and server → client communication both work
2. TNS connection negotiation
19:05:30.877272 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 230 # TNS Connect packet
19:05:30.892429 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 8 # TNS Accept (header)
19:05:30.893016 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 230 # client protocol extension
19:05:30.893272 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 45 # TNS Accept complete
3. User authentication phase
19:05:30.893640 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.U], length 1 # authentication control byte (0xA5)
19:05:30.893652 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 10 # username header
19:05:30.893763 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 159 # encrypted username/password
19:05:30.893816 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 127 # server challenge (with salt)
19:05:30.899245 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 34 # encrypted challenge response
19:05:30.899375 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 241 # authentication succeeded + session parameters
4. Session initialization
19:05:30.900258 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 84 # ALTER SESSION
19:05:30.900799 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 26 # execution acknowledgment
19:05:30.901680 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 247 # initialization SELECT
19:05:30.908644 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 521 # query result
5. SQL execution phase
Query 1: large result set
19:05:30.967490 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 1269 # complex SELECT
19:05:30.976999 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 2205 # large result set
Characteristics:
The client sends a medium-sized packet (1269 bytes); the server returns a large packet (2205 bytes)
Typical scenario: a multi-row query (e.g. SELECT * FROM large_table WHERE …)
Query 2: transactional operation
19:05:30.978111 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 68 # INSERT/UPDATE
19:05:30.978212 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 114 # row count acknowledgment
Characteristics: short request + short response, carrying the number of affected rows (e.g. 1 row inserted)
Query 3: stored procedure call
19:05:30.978589 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 431 # PL/SQL block
19:05:30.978837 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 453 # procedure output
Characteristics:
The client packet contains an anonymous block (e.g. BEGIN my_proc(:param); END;)
The server returns the OUT parameters and the execution status
Transaction control
19:05:30.979316 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 21 # COMMIT
19:05:30.979490 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 180 # acknowledgment
21-byte packet: typical of a transaction control statement (COMMIT or ROLLBACK)
6. Keep-alive and micro-queries
19:05:30.980719 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 36 # short query
19:05:30.980830 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 17 # single-value result
19:05:30.981074 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 13 # e.g. SELECT SYSDATE
19:05:30.981142 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 17 # date returned
19:05:31.033459 IP 192.168.244.131.63594 > cjc-db-03: Flags [.], ack 4238 # final ACK
Final interaction:
The client runs a heartbeat-style query (e.g. checking the connection state)
The server returns a simple result
The connection stays open (no FIN packet)
Connection state conclusion
Successful connection:
Completed the full authentication flow
Executed several kinds of SQL operations
The connection remains active (no FIN/RST)
Client type guess:
Probably SQL*Plus or a lightweight client (not PL/SQL Developer)
Basis: few initialization SQL statements, no extra monitoring connection
Viewing the capture in Wireshark
Scenario two: executing SQL remotely
1. On the database server, capture traffic in both directions:
[root@cjc-db-03 ~]# tcpdump -i ens33 -w oracle_exec_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
2. From the source server, connect to the database with sqlplus and run a SQL statement
[oracle@cjc-db-05 ~]$ sqlplus system/oracle@192.168.244.128:1521/cjc
SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jun 29 19:07:50 2025
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Last Successful login time: Sun Jun 29 2025 19:06:57 +08:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> select * from t1;
ID
----------
1
3. Stop the capture
4. Analyze the capture
[root@cjc-db-03 ~]# tcpdump -r oracle_exec_1.pcap
reading from file oracle_exec_1.pcap, link-type EN10MB (Ethernet)
19:08:18.164699 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 2067544594:2067544948, ack 3690009662, win 348, options [nop,nop,TS val 408002 ecr 256553], length 354
19:08:18.171544 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 1:389, ack 354, win 342, options [nop,nop,TS val 283857 ecr 408002], length 388
19:08:18.172368 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 389, win 370, options [nop,nop,TS val 408010 ecr 283857], length 0
19:08:18.179732 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 354:375, ack 389, win 370, options [nop,nop,TS val 408017 ecr 283857], length 21
19:08:18.179934 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 389:569, ack 375, win 342, options [nop,nop,TS val 283865 ecr 408017], length 180
19:08:18.221715 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 569, win 393, options [nop,nop,TS val 408059 ecr 283865], length 0
The complete interaction for executing Oracle SQL over the already established TCP connection (port 63596). Client IP: 192.168.244.131, server IP: 192.168.244.128.
1. Client sends the SQL query (354 bytes)
19:08:18.164699 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], seq 2067544594:2067544948, length 354
Packet type: PSH-ACK (carries application-layer data)
Content:
TNS Data packet containing the SQL statement
select * from t1;
2. Server returns partial results (388 bytes)
19:08:18.171544 IP cjc-db-03 > 192.168.244.131.63596: Flags [P.], seq 1:389, length 388
Response time: 6.845 ms (164699 → 171544)
Content:
TNS Data packet containing the first rows of the query result
Data structure:
TNS Header (12B) | Column Metadata | Row Data (first 3 rows)
Performance metrics:
Processing latency of 6.845 ms, consisting of:
SQL parsing and optimization: ~2 ms
Data retrieval: ~4 ms
Network transfer: ~0.8 ms
Throughput: 388 bytes / 6.845 ms ≈ 56.7 KB/s
3. Client ACK
19:08:18.172368 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 389, length 0
Behavior: pure ACK packet (no data)
Window adjustment: win=370 → the receive window grows (from 348 to 370)
Timing: response within 0.824 ms (171544 → 172368), indicating:
An efficient client network stack
No receive-buffer blocking
4. Client sends a transaction control command (21 bytes)
19:08:18.179732 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], seq 354:375, length 21
Key characteristic: a very short packet (21 bytes)
Typical commands:
COMMIT; -- or
ROLLBACK; -- or
SET TRANSACTION...
Timing analysis: 7.564 ms after the previous query (172368 → 179732), indicating:
The client application spent time processing the data
The user triggered the commit manually
5. Server returns the execution result (180 bytes)
19:08:18.179934 IP cjc-db-03 > 192.168.244.131.63596: Flags [P.], seq 389:569, length 180
Response time: 0.202 ms (179732 → 179934), a very fast response
Content:
Transaction acknowledgment:
TNS Header (12B) | Status Byte (success=0x04) | Rows Affected
Example: a successful COMMIT returns "Transaction committed"
Length note: the 180 bytes include Oracle protocol overhead (about 20 bytes of actual data)
6. Client's final ACK
19:08:18.221715 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 569, length 0
Delay: 41.781 ms (179934 → 221715)
Reasons:
TCP delayed acknowledgment (Delayed ACK):
By default it waits up to 40 ms to coalesce the ACK with subsequent sends
The 41.781 ms seen here matches the standard behavior
Application layer idle: the user did not immediately start a new operation
Window adjustment: win=393 → the receive window is expanded again (370 → 393)
Scenario three: disconnecting
1. Capture
[root@cjc-db-03 ~]# tcpdump -i ens33 -w oracle_close_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C7 packets captured
7 packets received by filter
0 packets dropped by kernel
2. Disconnect from the database
[oracle@cjc-db-05 ~]$ sqlplus system/oracle@192.168.244.128:1521/cjc
SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jun 29 19:07:50 2025
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Last Successful login time: Sun Jun 29 2025 19:06:57 +08:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> select * from t1;
ID
----------
1
SQL> exit
3. Analyze the capture
[root@cjc-db-03 ~]# tcpdump -r oracle_close_1.pcap
reading from file oracle_close_1.pcap, link-type EN10MB (Ethernet)
19:08:52.348865 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 2067544969:2067545203, ack 3690010230, win 393, options [nop,nop,TS val 442186 ecr 283865], length 234
19:08:52.349746 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 1:18, ack 234, win 362, options [nop,nop,TS val 318035 ecr 442186], length 17
19:08:52.350208 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 0
19:08:52.350530 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 234:244, ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 10
19:08:52.350544 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [F.], seq 244, ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 0
19:08:52.350648 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [F.], seq 18, ack 245, win 362, options [nop,nop,TS val 318036 ecr 442188], length 0
19:08:52.350902 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 19, win 393, options [nop,nop,TS val 442188 ecr 318036], length 0
This shows the complete close sequence of an Oracle database connection. Client IP: 192.168.244.131, server IP: 192.168.244.128, port 63596.
Detailed walkthrough
1. Client sends the disconnect request (234 bytes)
19:08:52.348865 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], length 234
Packet type: PSH-ACK (carries application-layer data)
2. Server acknowledges the disconnect (17 bytes)
19:08:52.349746 IP cjc-db-03 > 192.168.244.131.63596: Flags [P.], length 17
Response time: 0.881 ms
Content:
TNS Accept packet acknowledging the disconnect
3. Client ACK
19:08:52.350208 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 18, length 0
Behavior: pure ACK packet
Timing: response within 0.462 ms
Window: win=393 (still in the high-throughput state)
Meaning: confirms receipt of the disconnect acknowledgment and prepares to close the transport channel
4. Client sends final data (10 bytes)
19:08:52.350530 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], seq 234:244, length 10
Key characteristic: a very short packet (10 bytes)
Possible content:
Application-layer close confirmation (e.g. "LOGOFF")
Session cleanup instruction
Network-layer keepalive probe
Protocol note: sent before the FIN, indicating a graceful close
5. Client sends FIN (active close)
19:08:52.350544 IP 192.168.244.131.63596 > cjc-db-03: Flags [F.], seq 244, ack 18, length 0
Flags: FIN + ACK
Sequence number: seq=244 (immediately following the previous data packet)
Meaning:
Tells the server "I have no more data to send"
Enters the FIN_WAIT_1 state
Timing: only 0.014 ms after the previous packet (sent in the same network frame)
6. Server responds with FIN-ACK
19:08:52.350648 IP cjc-db-03 > 192.168.244.131.63596: Flags [F.], seq 18, ack 245, length 0
Response time: 0.104 ms
Flags: FIN + ACK
Acknowledgment number: ack=245 (correctly acknowledges the FIN)
State transitions:
Server → CLOSE_WAIT → LAST_ACK
Client → FIN_WAIT_2 → TIME_WAIT
7. Client's final ACK
19:08:52.350902 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 19, length 0
Acknowledges the FIN: ack=19 (18+1)
Delay: 0.254 ms
Client state: TIME_WAIT (waits 2*MSL)
Resource release:
The server releases the connection resources immediately
The client releases them after 60 seconds (the Linux default)
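As an added example (not part of the original post), a small Python analyzer that does over tcpdump's text output what the three walkthroughs above do by hand: it parses each line in tcpdump's default format, attributes it to client or server by the client IP passed in (192.168.244.131 here), sums payload bytes per direction, pairs every client data packet with the next server data packet to get the response latency in milliseconds, and flags the three-way handshake and any FIN/RST teardown. The sample lines are copied from the scenario-two and scenario-three captures above.

```python
import re

# Constructed sample input: tcpdump -r lines quoted from the page. EXEC is scenario two
# (a SQL round trip plus a 21-byte transaction-control exchange on an established
# session); CLOSE is scenario three (the client's "exit" followed by the TCP teardown).
EXEC = """\
19:08:18.164699 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 2067544594:2067544948, ack 3690009662, win 348, options [nop,nop,TS val 408002 ecr 256553], length 354
19:08:18.171544 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 1:389, ack 354, win 342, options [nop,nop,TS val 283857 ecr 408002], length 388
19:08:18.172368 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 389, win 370, options [nop,nop,TS val 408010 ecr 283857], length 0
19:08:18.179732 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 354:375, ack 389, win 370, options [nop,nop,TS val 408017 ecr 283857], length 21
19:08:18.179934 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 389:569, ack 375, win 342, options [nop,nop,TS val 283865 ecr 408017], length 180
19:08:18.221715 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 569, win 393, options [nop,nop,TS val 408059 ecr 283865], length 0
"""
CLOSE = """\
19:08:52.348865 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 2067544969:2067545203, ack 3690010230, win 393, options [nop,nop,TS val 442186 ecr 283865], length 234
19:08:52.349746 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 1:18, ack 234, win 362, options [nop,nop,TS val 318035 ecr 442186], length 17
19:08:52.350208 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 0
19:08:52.350530 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 234:244, ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 10
19:08:52.350544 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [F.], seq 244, ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 0
19:08:52.350648 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [F.], seq 18, ack 245, win 362, options [nop,nop,TS val 318036 ecr 442188], length 0
19:08:52.350902 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 19, win 393, options [nop,nop,TS val 442188 ecr 318036], length 0
"""

# tcpdump's default text line: HH:MM:SS.usec IP src > dst: Flags [..], ..., length N
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): Flags \[([^\]]*)\].* length (\d+)$")

def parse_line(line):
    """Return (t_us, src, dst, flags, payload_len) or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, dst, flags, length = m.groups()
    t_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)  # since midnight
    return t_us, src, dst, flags, int(length)

def analyze(text, client_ip):
    """Summarize one conversation: bytes per direction, request/response latencies,
    handshake and teardown flags, and client data packets that got no server data back."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    out = {"handshake": False, "fin_seen": False, "client_bytes": 0,
           "server_bytes": 0, "exchanges": [], "unanswered": 0}
    pending = None  # last client data packet still waiting for a server data packet
    for t_us, src, _dst, flags, length in pkts:
        from_client = src.startswith(client_ip + ".")  # tcpdump prints "ip.port"
        out["client_bytes" if from_client else "server_bytes"] += length
        if "F" in flags or "R" in flags:
            out["fin_seen"] = True  # orderly teardown (FIN) or abort (RST)
        if length == 0:
            continue  # pure ACK / SYN / FIN segments carry no TNS data
        if from_client:
            out["unanswered"] += pending is not None
            pending = (t_us, length)
        elif pending:
            out["exchanges"].append((pending[1], length, (t_us - pending[0]) / 1000))
            pending = None
    out["unanswered"] += pending is not None
    first = [(p[3], p[1].startswith(client_ip + ".")) for p in pkts[:3]]
    out["handshake"] = first == [("S", True), ("S.", False), (".", True)]
    return out
```

Run it over the full `tcpdump -r` output of scenario one and the latencies of every request/response pair in the session fall out without reading timestamps by hand.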
Commonly used tcpdump commands
Show the help text:
[oracle@cjc-db-03 ~]$ tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
Common options:
[root@cjc-db-03 ~]# man tcpdump
-c count        Exit after receiving count packets.
-i interface    Listen on interface, for example ``eth0''.
-w file         Write the raw packets to file rather than parsing and printing them out.
[Common keywords]
Keywords in a tcpdump filter expression come in several kinds:
First kind: type keywords, including host, net, port
Second kind: direction keywords, including src, dst
Third kind: protocol keywords, including ip, arp, tcp, udp and so on
Fourth kind: other keywords, including gateway, broadcast, less, greater, not, !, and, &&, or, ||
[Notes]
1) Capture on the loopback interface: $ tcpdump -i lo
2) Avoid truncated packets: $ tcpdump -s 0
3) Show hosts and ports numerically: $ tcpdump -n
Common commands
[root@cjc-db-03 oracle]# tcpdump -i ens33 -t -s 0 -c 100 -w ./target.cap tcp and dst port ! 22 and src net 192.168.1.0/24
1) tcp # the protocol qualifier (ip, icmp, arp, rarp, udp, ...) goes first in the filter expression and selects the packet type
2) -i ens33 # only capture packets passing through interface ens33
3) -t # do not print timestamps
4) -s 0 # by default 68 bytes of each packet are captured; with -s 0 the whole packet is captured
5) -c 100 # capture only 100 packets
6) dst port ! 22 # do not capture packets whose destination port is 22
7) src net 192.168.1.0/24 # the packets' source network is 192.168.1.0/24
8) -w ./target.cap # save to a capture file for convenient analysis in Wireshark
Capture packets between host 1 and host 2 or host 3
$ tcpdump host 192.168.0.1 and \( 192.168.0.2 or 192.168.0.3 \)
Capture IP packets between host 1 and every host except host 2
$ tcpdump ip host 192.168.0.1 and ! 192.168.0.2
Capture telnet packets received or sent by host 192.168.1.101
$ tcpdump tcp port 23 and host 192.168.1.101
Capture packets to this host's HTTP port from every host except hosts 1 and 2
$ tcpdump -i eth0 host ! 192.168.0.1 and ! 192.168.0.2 and dst port 80
List the available network interfaces with tcpdump
[root@cjc-db-03 oracle]# tcpdump -D
1.virbr0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.ens33
7.any (Pseudo-device that captures on all interfaces)
8.lo [Loopback]
Capture traffic on a specific interface
[root@cjc-db-03 oracle]# tcpdump -i ens33
Capture exactly 3 packets
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3
Show more detailed packet information: -v, -vv
The -v and -vv options print more detailed capture information.
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3 -vv
The -t option removes the timestamp
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3 -vv -t
The -tttt option adds a full timestamp
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3 -vv -tttt
Filter: by packet size
Use greater and less to restrict the packet size range.
Example: capture only packets larger than 1000 bytes.
tcpdump greater 1000
Example: capture only packets smaller than 10 bytes.
tcpdump less 10
Capture all TCP traffic and display the content (ASCII) in the console
[root@cjc-db-03 oracle]# tcpdump -A tcp
Capture traffic to or from a host
[root@cjc-db-03 oracle]# tcpdump host 192.168.1.4
Capture traffic by interface, source, destination and destination port
[root@cjc-db-03 oracle]# tcpdump -i ens33 src 192.168.1.4 and dst 192.168.1.9 and dst port 22
Capture communication between host 192.168.1.101 and host 192.168.1.102 or 192.168.1.103
tcpdump host 192.168.1.101 and \( 192.168.1.102 or 192.168.1.103 \)
To capture IP packets between host 192.168.1.101 and every host except 192.168.1.102, use:
tcpdump ip host 192.168.1.101 and ! 192.168.1.102
Watch all packets sent to host hostname
tcpdump -i eth0 dst host hostname
Capture telnet packets received or sent by host 192.168.1.101
23 is the telnet port
tcpdump tcp port 23 and host 192.168.1.101
Watch this host's UDP port 123
123 is the NTP service port
tcpdump udp port 123
Capture traffic on a specific port and save it to a file
[root@cjc-db-03 oracle]# tcpdump -i ens33 -w a.acpa port 22
Capture everything except traffic on port 22 and save it to a dump file
[root@cjc-db-03 oracle]# tcpdump -w dumpfile.pcap port not 22
Read from a given dump file
[root@cjc-db-03 oracle]# tcpdump -r a.acpa
Wireshark download:
https://www.wireshark.org/#download
References:
https://zhongxc.cc/archives/48.html
https://cloud.tencent.com/developer/article/2120813
https://blog.youkuaiyun.com/m0_49095704/article/details/140858392
Follow my WeChat official account "IT小Chen"