tcpdump packet capture: sending (collecting) capture data remotely

This post surveys tools for remote packet capture, analysis and monitoring, including Ecap, Tele Traffic Tapper (TTT), Fprobe, Zeek, Driftnet and Argus. It also covers building a NetFlow analysis platform with nprobe and ELK, tcpdump's remote capture support (rpcapd), Wireshark's remote capture support, and implementations for other platforms such as rpcapd-linux.

tcpdump: sending (collecting) capture data remotely

http://www.tcpdump.org/related.html

ECap

https://bitbucket.org/nathanj/ecap/wiki/Home
Ecap (external capture) is a distributed network sniffer with a web front-end.

Ecap was written many years ago in 2005, but a post on the tcpdump-workers mailing list requested a similar application… so here it is.

It would be fun to update it and work on it again if there’s any interest.

Tele Traffic Tapper

https://www2.sonycsl.co.jp/person/kjc/kjc/software.html#ttt
TTT: Tele Traffic Tapper
TTT is yet another descendant of tcpdump but it is capable of real-time, graphical, and remote traffic-monitoring. ttt won’t replace tcpdump, rather, it helps you find out what to look into with tcpdump. ttt monitors the network and automatically picks up the main contributors of the traffic within the time window. The graphs are updated every second by default.

https://www2.sonycsl.co.jp/person/kjc/kjc/software.html

Fprobe: a NetFlow exporter for Linux

Fprobe listens with libpcap and exports what it sees as NetFlow to a collector, which makes network management and monitoring much easier.

Listen on eth0 and export NetFlow to 127.0.0.1:9995:

fprobe -i eth0 127.0.0.1:9995

Nfsen can be used as the NetFlow collector and analyser. To check that NetFlow datagrams are actually being exported, sniff the collector port:

tcpdump -i lo -nn port 9995
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
14:49:33.004041 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 1464
14:49:43.006334 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 1464
14:49:48.003252 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 264
14:49:53.002271 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 744
14:49:58.002295 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 456
These are NetFlow v5 exports (fprobe's default version): each datagram is a 24-byte header followed by up to 30 flow records of 48 bytes, so the 1464-byte datagrams above are full ones (24 + 30 × 48) and the smaller ones (264, 744 and 456 bytes) carry 5, 15 and 9 records flushed on the timer.

Installing the NetFlow analysis tool Nfsight

https://www.haiyun.me/tag/nfsen/
Nfsight has two parts: the backend is installed as an Nfsen plugin, and the frontend is PHP and renders the analysis charts. The install steps from the linked post are:
- install Perl MySQL support;
- install the backend Nfsen plugin;
- install the web frontend;
- create a MySQL database named Nfsight.
The same site covers installing Nfsen and Nfdump, and installing the Nfsen PortTracker plugin for per-port views.

Installing Nfdump and Nfsen on CentOS 5 / Linux for graphical NetFlow analysis
Nfdump is the NetFlow collection and analysis toolset for Linux; Nfsen is a web front-end built on nfdump, so the server needs a web server and PHP first. Install rrdtool and the components it depends on.

fprobe usage

Listen on eth0 in non-promiscuous mode, set the exporter's source address to 10.6.6.6, and send to port 9999 on 10.2.82.60:

fprobe -i eth0 -p -a 10.6.6.6 10.2.82.60:9999

Listen on bond1, capture only packets involving host 10.10.10.10 on port 80, export NetFlow v7, and send to port 9999 on 10.2.82.60:

fprobe -i bond1 -n 7 -f "host 10.10.10.10 && port 80" 10.2.82.60:9999
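As an added example (not code from this page, from fprobe or from Nfsen), the Python below does the check that the tcpdump output in the Fprobe section only hints at: it decodes the 24-byte NetFlow v5 export header and the 48-byte flow records that fprobe emits by default, rejects datagrams whose length does not match the record count, and then runs a simple flow-based SYN-scan heuristic over the records, which is the kind of question one asks of flow data once it reaches the collector. The datagram is constructed inline; the addresses, ports and the two-port threshold are made up for the demo. To use it on live data, bind a UDP socket to the collector port (9995 above) and pass each received payload to parse_netflow_v5.

```python
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# NetFlow v5 export header (24 bytes): version, count, sysuptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
NF5_HEADER = struct.Struct(">HHIIIIBBH")
# NetFlow v5 flow record (48 bytes): srcaddr, dstaddr, nexthop, input, output,
# dPkts, dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2
NF5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
NF5_MAX_RECORDS = 30  # 24 + 30 * 48 = 1464 bytes, the full datagrams seen in the tcpdump output
TCP_SYN = 0x02


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int


def parse_netflow_v5(payload: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 UDP payload, refusing anything malformed."""
    if len(payload) < NF5_HEADER.size:
        raise ValueError("payload shorter than a v5 header")
    version, count = NF5_HEADER.unpack_from(payload, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > NF5_MAX_RECORDS:
        raise ValueError(f"v5 datagrams carry at most {NF5_MAX_RECORDS} records, header claims {count}")
    if len(payload) < NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("truncated datagram: fewer bytes than the record count implies")
    records = []
    offset = NF5_HEADER.size
    for _ in range(count):
        f = NF5_RECORD.unpack_from(payload, offset)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            proto=f[13], sport=f[9], dport=f[10],
            packets=f[5], octets=f[6], tcp_flags=f[12]))
        offset += NF5_RECORD.size
    return records


def syn_scan_sources(records: Iterable[FlowRecord], min_ports: int = 10) -> Dict[str, int]:
    """Sources whose SYN-only TCP flows touched at least min_ports distinct dst:port pairs.

    A completed connection accumulates more than SYN in the record's flag union, so
    flows whose flags are exactly SYN with one or two packets are unanswered probes;
    many of them from one source is the flow-level signature of a port scan."""
    probed = defaultdict(set)
    for r in records:
        if r.proto == 6 and r.tcp_flags == TCP_SYN and r.packets <= 2:
            probed[r.src].add((r.dst, r.dport))
    return {src: len(t) for src, t in probed.items() if len(t) >= min_ports}


def _record(src, dst, proto, sport, dport, packets, octets, flags) -> bytes:
    """Pack one constructed v5 record (nexthop, interfaces, AS numbers, masks zeroed)."""
    return NF5_RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed, b"\0" * 4,
        0, 0, packets, octets, 1000, 1000, sport, dport, 0, flags, proto, 0, 0, 0, 0, 0, 0)


def build_sample_datagram() -> bytes:
    """Constructed sample export: two SYN-only probes from 10.0.0.5 and one real session."""
    records = [
        _record("10.0.0.5", "10.0.0.9", 6, 44444, 22, 1, 60, TCP_SYN),
        _record("10.0.0.5", "10.0.0.9", 6, 44445, 23, 1, 60, TCP_SYN),
        _record("10.0.0.7", "10.0.0.9", 6, 50000, 443, 40, 12000, 0x1B),  # FIN+SYN+PSH+ACK
    ]
    header = NF5_HEADER.pack(5, len(records), 1000, 1700000000, 0, 0, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    flows = parse_netflow_v5(build_sample_datagram())
    for r in flows:
        print(f"{r.src}:{r.sport} -> {r.dst}:{r.dport} proto={r.proto} pkts={r.packets} flags=0x{r.tcp_flags:02x}")
    print("scan candidates:", syn_scan_sources(flows, min_ports=2))
```

The length check matters on a real collector: fprobe and other exporters send UDP, so a truncated or forged datagram must not make the parser read past the payload, and the record cap of 30 is a property of the v5 format, not of fprobe.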
Zeek intrusion detection lab series

Zeek (formerly Bro) is a well-known open-source network security analysis tool. It watches network traffic for suspicious activity, its scripting language allows flexible custom analysis, and it provides out-of-the-box analysis of many protocols. The linked article mainly covers combining Zeek with a passive scanner in practice, and some pitfalls hit while deploying Zeek.

The lab series:
Lab 1: Introduction to the Capabilities of Zeek
Lab 2: An Overview of Zeek Logs
Lab 3: Parsing, Reading and Organizing Zeek Log Files
Lab 4: Generating, Capturing and Analyzing Network Scanner Traffic
Lab 5: Generating, Capturing and Analyzing DoS and DDoS-centric Network Traffic
Lab 6: Introduction to Zeek Scripting
Lab 7: Introduction to Zeek Signatures
Lab 8: Advanced Zeek Scripting for Anomaly and Malicious Event Detection
Lab 9: Profiling and Performance Metrics of Zeek

Driftnet

Inspired by EtherPEG (though, not owning an Apple Macintosh, I’ve never actually seen it in operation), Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.

In an experimental enhancement, driftnet now picks out MPEG audio streams from network traffic and tries to play them. You can also now use driftnet with Jamie Zawinski’s webcollage, so that it can run as a screen saver.

(Obviously, driftnet is an invasion of privacy of a fairly blatant sort. Also, if you are possessed of Victorian sensibilities, and share an unswitched network with others who are not, you should probably not use it. If you’re looking for a less dubious network monitoring application, you might want to take a look at Paul Warren’s iftop.)

Argus

Overview
Argus is a system and network monitoring application.
It will monitor nearly anything you ask it to monitor
(TCP and UDP applications, IP connectivity, SNMP OIDs, programs, databases, etc.).
It presents a clean, easy-to-view web interface that keeps both managers happy (red bad, green good) and techs happy ("Ah! that's what the problem is").
It can send alerts numerous ways (such as via pager) and can automatically escalate if someone falls asleep.

Note that this description is of the Argus service-monitoring tool (up/down checks and alerting). The flow-auditing Argus from QoSient, the one normally listed next to tcpdump as a network audit record generator, is a separate project that happens to share the name.

Building a NetFlow analysis platform with nprobe and ELK

1. Installing nprobe

Packages: http://packages.ntop.org/apt-stable/

Basic usage as a flow exporter: sudo nprobe -i eth0 --collector 192.168.0.1:2055

Its default configuration file is /etc/nprobe/nprobe.conf

2. Installing and using ElastiFlow

The ELK stack must be installed first; use version 6.4 or later. The work is mainly in configuring Logstash and Kibana.

ElastiFlow uses ELK to collect and visualise network flow data. It supports NetFlow v5/v9, sFlow and IPFIX (the 1.x releases supported only NetFlow v5/v9).

Other

Tele Traffic Tapper (ttt)
http://www.csl.sony.co.jp/person/kjc/kjc/software.html
Real-time graphical remote traffic monitor.

Tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

Sentinel
http://www.packetfactory.net/projects/sentinel/
The sentinel project is an implementation of effective remote promiscuous detection techniques.

Rpcap
http://rpcap.sourceforge.net/
RPCAP is a Remote Packet Capture system. It enables you to run a packet capture program (the server) on a target computer, which will sniff the network traffic on that system, and uplink the captured packets to another host (the client), where the captured packets can be processed, analysed and archived. Note that this SourceForge rpcap, which runs over Sun RPC, is unrelated to the WinPcap/libpcap Remote Capture Protocol and its rpcapd daemon described further down this page; they share only the name.

rtdump
http://rpcap.sourceforge.net/
Rtdump is a version of tcpdump modified to capture traffic on remote systems and networks. It links to librpcap rather than libpcap. Apart from the additional requirements introduced by the remote capture paradigm, rtdump is identical to tcpdump in command syntax and use.

nstreams
http://www.hsc.fr
nstreams is a utility designed to identify the IP streams that are occurring on a network from a non-user-friendly tcpdump output of several megabytes.

Nessus
http://www.nessus.org/
The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software that audits a given network remotely and determines whether bad guys (aka 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port: if you run your web server on port 1234, Nessus will detect it and test its security. It will not base its security tests on the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Ksniffer
http://software.freshmeat.net/projects/ksniffer/
KSniffer is a network statistics collector. It supports most TCP/IP protocols (TCP, IP, UDP, ICMP, ARP, RARP as well as minimal IPX). Ksniffer reports on traffic in bytes or packets, activity (kbits/sec, kbytes/sec, packets/sec), as well as by protocol (http, irc, etc.).

Ipaudit and Ipaudit-web
http://ipaudit.sourceforge.net/
http://ipaudit.sourceforge.net/ipaudit-web/
Ipaudit can summarize and/or log network activity down to the IP address and port level of detail, without recording every packet.

IDABench
http://idabench.ists.dartmouth.edu
IDABench is a web interface to many intrusion analysis tools. By the use of simple plug-ins, it allows an analyst to twist and turn hourly packet logs through such utilities as tcpdump, ngrep, tethereal, etc. Output is textual web pages, gnuplot graphs, and downloadable composite binary dumpfiles. Based on the US Navy's SHADOW intrusion detection system, IDABench simplifies the writing of tcpdump filters, allows regular-expression context matching, and through a simple plugin API, can be extended to include other libpcap-based analysis tools, such as Snort, p0f, etc.

rpcap (WinPcap remote capture)

WinPcap has remote capture capability. This advanced feature captures packets that are being transmitted on a remote network.

It requires a remote daemon (called rpcapd) that performs the capture and sends the captured data back, and a local client that sends it the appropriate commands and receives the captured data.

WinPcap extends the standard WinPcap code so that any WinPcap-based tool gets remote capture: the remote capture support is built into the client-side library, so the tool itself needs no changes. The remote daemon, on the other hand, must be installed (and configured) on the remote machine.

Remote capture operating modes
The Remote Capture Protocol (RPCAP) works in two modes:

Passive mode (default): the client (for example a network sniffer) connects to the remote daemon, sends it the appropriate commands, and starts the capture.
Active mode: the remote daemon tries to connect to the client (the network sniffer); the client then sends the appropriate commands and starts the capture. The name comes from the daemon actively establishing the connection instead of waiting for one.
Active mode is useful when the remote daemon sits behind a firewall and cannot receive connections from the outside. In that case the daemon is configured to connect out to a known host, and that host only has to be configured to wait for the connection. Once the connection is established the protocol proceeds almost identically in the two modes.

Analyzer (http://analyzer.polito.it/30alpha/) has a set of commands (in the Capture menu) that let you accept a remote connection and then start a capture on the remote device. Because some of its code still needs fixing, Analyzer currently works only in active mode.

Configuring the remote daemon (rpcapd)
The remote daemon is a standard Win32 executable that can run in console mode or as a service. It lives in the WinPcap folder and is invoked with the following syntax:

    rpcapd [-b <address>] [-p <port>] [-6] [-l <host_list>] [-a <host,port>] 
           [-n] [-v] [-d] [-s <file>] [-f <file>]

The daemon can also be compiled and run on Linux.

Security caveat: rpcapd is a remote root-level sniffer listening on TCP port 2002 by default. The classic WinPcap daemon authenticates clients with system username/password credentials, and both those credentials and every captured packet cross the network in the clear; the -n switch, which permits NULL authentication, removes even the password (it is meant to be combined with -l). Restrict who may connect with -l <host_list> and host firewall rules, expose it only on a management network or through an SSH/VPN tunnel, and prefer a libpcap build of rpcapd with TLS support (see the rpcapd(8) manpage linked later on this page) when the capture host is reachable from untrusted networks.

rpcap

http://rpcap.sourceforge.net/

Welcome to the rpcap home page

What is rpcap?
RPCAP is a Remote Packet Capture system. It enables you to run a packet capture program (the server) on a target computer, which will sniff the network traffic on that system, and uplink the captured packets to another host (the client), where the captured packets can be processed, analysed and archived . The rpcap system thus consists of two separate processes, the server (or agent) which captures network traffic on a remote system, and a client, which receives and processes these packets. The server code is a standalone executable program which uses the libpcap packet capture library to capture network traffic. The client is actually a library called librpcap, which is linked to a user program and used on the client system in a manner identical to libpcap, to receive and process the captured packets.
The librpcap client library exposes a subset of the pcap API as defined in the pcap (3) manpage. The API is used in a manner identical to that of libpcap, so that any programs which do not use the libpcap functions not present in rpcap can directly link to rpcap in place of pcap. The API functions as a set of pcap-compatible wrapper functions over a Sun RPC interface to the remote server, which invoke the corresponding libpcap functionality on it.

Platforms

At this time, rpcap has been built and tested only on Linux on Intel platforms. However, it should build on any UNIX like system that supports multithreading and has the RPC libraries and utilities available, so that it should be possible to build it on most systems. Please note however that there are a couple of bugs in the code (all my own!) that currently restrict it to little-endian systems. I will fix this ASAP.

Current Status

RPCAP is currently at version 0.23. It works, but is still alpha code. Be careful! There is an accompanying port of tcpdump, called rtdump, which has been linked against rpcap for remote capture applications. See the News and Documentation pages for details.

Licence

RPCAP is available under the GNU General Public Licence, a copy of which is included in the distribution in the file COPYING. You can also download a copy at the Free Software Foundation’s website.

Tele Traffic Tapper (ttt) archive mirror:

http://sunet.ftp.acc.umu.se/mirror/archive/ftp.sunet.se/pub/network/monitoring/kjc/


http://www.programming-pcap.aldabaknocking.com/code/ftp_grabber.c
http://www.programming-pcap.aldabaknocking.com/extrastuff.html

rpcapd-linux

https://github.com/rpcapd-linux/rpcapd-linux

Wireshark captures locally, but it also supports the Remote Packet Capture Protocol (rpcapd): install the rpcapd service on the remote host, and Wireshark on the local machine can capture that host's traffic.

One integration described for this registers a custom URL scheme. Save the snippet below as WiresharkRpcap.html; the string "WiresharkRpcap://D:\Program Files (x86)\Wireshark\Wireshark.exe -B 1 -k -i rpcap://[192.168.10.188]:2002/eth0" is what the registered handler receives as its %1 argument, and once parsed it yields the command to execute.

Capture is started by the link below. Calling wireshark directly would not parse the trailing arguments, so the handler launches Start.exe instead; Start.exe parses the arguments, extracts the Wireshark remote-capture command and launches Wireshark with it. <a href="WiresharkRpcap://D:\Program Files (x86)\Wireshark\Wireshark.exe -B 1 -k -i rpcap://[192.168.10.188]:2002/eth0">

Be aware of what such a handler does: any web page can invoke a registered URL scheme, and a handler that takes an executable path and its arguments from the URL is a local command-execution primitive. If you build one, hard-code the Wireshark path and accept only the rpcap:// interface string, validated, from the URL.

On pipes and named pipes as capture sources

https://wiki.wireshark.org/CaptureSetup/Pipes#Remote_Capture

https://github.com/Pinoccio/tool-serial-pcap

tcpdump.org rpcapd manpage

https://www.tcpdump.org/manpages/rpcapd.8.html


https://www.winpcap.org/docs/docs_40_2/html/group__remote.html

Capturing packets on an Android device's network interface in real time

https://blog.qwerdf.com/2019/03/25/wireshark-with-android/

I looked around and found this article.
It uses ADVsock2pipe to redirect the socket forwarded from Android into a named pipe,
so that Wireshark treats it as a capture device.

Variant 1: tcpdump on the phone streams to nc, ADVsock2pipe on Windows turns the TCP stream into a named pipe that Wireshark opens:

tcpdump -nn -w - -U -s 0 -i wlan0 | nc <ip> 6666
ADVsock2pipe.exe -pipe=pipeName -port 6666
< choose \\.\pipe\pipeName in wireshark >

Variant 2: nc listens on the phone, adb forwards the port to the PC, and Wireshark reads the pcap stream from standard input (note that this invocation omits -U, so tcpdump block-buffers its output when writing to a pipe and packets reach Wireshark in bursts; add -U for real-time display):

tcpdump -n -s 0 -i wlan0 -w -| nc -l -p 7101
adb forward tcp:6100 tcp:7101
D:\backup\tools\msys64\usr\bin\nc.exe 127.0.0.1 6100 | "C:\Program Files\Wireshark\wireshark.exe" -k -S -i -

RPCAP protocol method
Wireshark has Remote Capture Interfaces, but pointing that at the socket the tcpdump output is redirected to does not work; after some searching it turns out to use something called rpcap. Cross-compile the right version, push it to the device and run it, and it works.
I found and tried the following versions:

Just add --enable-remote when running ./configure.

Capturing a mobile device's traffic in real time (ADVsock2pipe + Wireshark + nc + tcpdump)

https://www.freebuf.com/articles/wireless/6517.html
For analysing the communications of apps on mobile devices, HTTP-layer traffic can be captured and modified with a web proxy tool. For real-time, visual analysis of lower-layer packets (non-real-time analysis can be done by installing tcpdump on the device), besides connecting the device to a network shared from the PC and capturing there (see the earlier post "mobile app 通信分析方法小议" on mobile-app traffic analysis methods), there is another method. It has actually existed for a long time; I was just too unfamiliar with Wireshark and wrongly assumed it could only capture from a network interface (a NIC or similar). Really embarrassing.

The core of the method is to open a communication channel between the PC and the mobile device, and then have Wireshark on the PC capture from that pipe (PIPE).

http://wiki.wireshark.org/CaptureSetup/Pipes

https://github.com/ADVTOOLS/ADVsock2pipe
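The pipe methods in the two Android sections above all move the same thing across the channel: the stream that tcpdump -w - writes, which is a 24-byte pcap global header followed, per packet, by a 16-byte record header and the frame bytes, and Wireshark reading from a pipe parses exactly that. As an added example (not code from this page, from the linked posts, from tcpdump or from Wireshark), the Python below writes such a stream the way tcpdump -U does (flushing after every packet), reads it back incrementally from any file-like object (an in-memory buffer here; for the nc variants, a connected socket's makefile("rb") works the same way), accepts both byte orders and the nanosecond magic, fails loudly when the stream is cut mid-record, and prints a tcpdump-style summary of each Ethernet/IPv4 frame. The two frames and their addresses are constructed inline with zero checksums, which the parser does not verify.

```python
import io
import socket
import struct
from typing import BinaryIO, Iterable, Iterator, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4  # pcap 2.4, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # pcap 2.4, nanosecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _read_exact(fp: BinaryIO, n: int) -> bytes:
    """Read exactly n bytes from a pipe or socket, looping over short reads."""
    buf = b""
    while len(buf) < n:
        chunk = fp.read(n - len(buf))
        if not chunk:
            if buf:
                raise EOFError("stream ended in the middle of a record")
            return b""
        buf += chunk
    return buf


def write_pcap_stream(fp: BinaryIO, packets: Iterable[Tuple[float, bytes]], snaplen: int = 262144) -> None:
    """Emit what `tcpdump -U -w -` emits: global header, then one record per frame, flushed."""
    fp.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        fp.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        fp.write(frame)
        fp.flush()  # packet-buffered like -U; without it a pipe delivers packets in bursts


def read_pcap_stream(fp: BinaryIO) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from a live pcap stream as the bytes arrive."""
    hdr = _read_exact(fp, 24)
    if len(hdr) < 24:
        raise ValueError("no pcap global header on the stream")
    endian = None
    for e in ("<", ">"):
        magic = struct.unpack(e + "I", hdr[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = e
            break
    if endian is None:
        raise ValueError(f"bad pcap magic {hdr[:4].hex()}")
    divisor = 1e6 if magic == PCAP_MAGIC_USEC else 1e9
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    while True:
        rec = _read_exact(fp, 16)
        if not rec:
            return  # clean end of stream
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record header inconsistent with snaplen, refusing to continue")
        frame = _read_exact(fp, incl_len)
        if len(frame) < incl_len:
            raise EOFError("stream ended inside a frame")
        yield ts_sec + ts_frac / divisor, frame


def summarize(frame: bytes) -> str:
    """tcpdump-style one-liner for an Ethernet/IPv4 frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "non-IPv4 or truncated frame"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    name = PROTO_NAMES.get(proto, str(proto))
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        return f"{src}.{sport} > {dst}.{dport}: {name}"
    return f"{src} > {dst}: {name}"


def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN frame (54 bytes); checksums left zero."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


SAMPLE_PACKETS = [  # constructed sample traffic
    (1.5, build_tcp_syn("10.0.0.5", "10.0.0.9", 44444, 22)),
    (2.0, build_tcp_syn("10.0.0.7", "10.0.0.9", 50000, 443)),
]


def sample_stream_bytes() -> bytes:
    """The bytes tcpdump -U -w - would push through the pipe for SAMPLE_PACKETS."""
    buf = io.BytesIO()
    write_pcap_stream(buf, SAMPLE_PACKETS)
    return buf.getvalue()


def stream_summaries(stream: bytes) -> List[str]:
    """Parse a pcap stream held in memory and summarize each packet."""
    return [f"{ts:.6f} {summarize(frame)}" for ts, frame in read_pcap_stream(io.BytesIO(stream))]


if __name__ == "__main__":
    for line in stream_summaries(sample_stream_bytes()):
        print(line)
```

The `_read_exact` loop is the part that matters for the nc and ADVsock2pipe setups: a TCP stream hands the reader arbitrary chunks, so every record header and frame has to be reassembled before it is decoded, and a connection that drops mid-frame is reported as an error rather than silently producing a garbage packet.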
