# tcpdump host 172.16.5.51 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 17:49:26.202556 IP 172.16.1.3 > 172.16.5.51: ICMP echo request, id 4, seq 22397, length 40 17:49:26.203002 IP 172.16.5.51 > 172.16.1.3: ICMP echo reply, id 4, seq 22397, length 40
顯示所有到 202.40.100.5 的 FTP 會話
# tcpdump -i eth1 'dst 202.40.100.5 and (port 21 or 20)'
$ tcpdump -n -i eth0 port 80
監控網絡但排除 SSH 22 連接埠
$ sudo tcpdump -n not dst port 22 and not src port 22
顯示所有到192.168.0.5的HTTP會話
# tcpdump -ni eth0 'dst 192.168.0.5 and tcp and port http'
監控DNS的網絡流量
# tcpdump -i eth0 'udp port 53'
# tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80
使用 Wireshark 分析輸出檔案,Wireshark 可從下面地址下載:
http://www.wireshark.org/
src 監控源
# tcpdump -ni eth1 'tcp and src port 3000'
dst 監控目的地
# tcpdump -ni eth1 'tcp and dst port smtp'
演示 src 與 dst
[root@netkiller ~]# tcpdump -ni eth1 'tcp and dst port 3000' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes 09:08:11.763041 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [S], seq 2048018668, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 09:08:11.763383 IP 219.90.123.138.12047 > 47.90.44.87.hbci: Flags [S], seq 2468955264, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 09:08:11.763774 IP 219.90.123.138.27092 > 47.90.44.87.hbci: Flags [S], seq 3069483725, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 09:08:11.763855 IP 219.90.123.138.8602 > 47.90.44.87.hbci: Flags [S], seq 2460960642, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 09:08:11.764323 IP 219.90.123.138.10480 > 47.90.44.87.hbci: Flags [S], seq 1687488150, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 09:08:11.786487 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 1705484229, win 257, length 0 09:08:11.786535 IP 219.90.123.138.12047 > 47.90.44.87.hbci: Flags [.], ack 461089870, win 257, length 0 09:08:11.786543 IP 219.90.123.138.27092 > 47.90.44.87.hbci: Flags [.], ack 2893320938, win 257, length 0 09:08:11.788955 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [P.], seq 0:1025, ack 1, win 257, length 1025 09:08:11.789671 IP 219.90.123.138.10480 > 47.90.44.87.hbci: Flags [.], ack 1815033342, win 257, length 0 09:08:11.789692 IP 219.90.123.138.8602 > 47.90.44.87.hbci: Flags [.], ack 1519500600, win 257, length 0 09:08:11.886937 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 2415, win 257, length 0 09:08:11.889665 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 5215, win 257, length 0 09:08:11.893673 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 8015, win 257, length 0 09:08:11.904151 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 10815, win 
257, length 0 09:08:11.904707 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 13615, win 257, length 0 09:08:11.914796 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 17815, win 257, length 0 09:08:11.923904 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 19215, win 257, length 0 09:08:11.979687 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 19880, win 254, length 0 09:08:14.761388 IP 219.90.123.138.28461 > 47.90.44.87.hbci: Flags [S], seq 3215826970, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 09:08:14.782284 IP 219.90.123.138.28461 > 47.90.44.87.hbci: Flags [.], ack 1574781090, win 257, length 0 ^C 21 packets captured 22 packets received by filter 0 packets dropped by kernel [root@netkiller ~]# tcpdump -ni eth1 'tcp and src port 3000' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes 09:08:41.241996 IP 47.90.44.87.hbci > 219.90.123.138.28461: Flags [F.], seq 1574781090, ack 3215826972, win 115, length 0 09:08:41.242395 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [S.], seq 1277500664, ack 2163858186, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:08:41.242498 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [S.], seq 1906857203, ack 3261786724, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:08:41.243081 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [S.], seq 3451566690, ack 2095717279, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:08:41.243223 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [S.], seq 943843868, ack 3740664697, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:08:41.243413 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [S.], seq 1814275155, ack 3577858982, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:08:41.247070 IP 47.90.44.87.hbci > 
219.90.123.138.28270: Flags [.], ack 2048020719, win 147, length 0 09:08:41.436542 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [P.], seq 0:1014, ack 1, win 147, length 1014 09:08:41.436595 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 1014:3814, ack 1, win 147, length 2800 09:08:41.436608 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 3814:6614, ack 1, win 147, length 2800 09:08:41.436613 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 6614:9414, ack 1, win 147, length 2800 09:08:41.436617 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 9414:12214, ack 1, win 147, length 2800 09:08:41.436624 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 12214:13614, ack 1, win 147, length 1400 09:08:41.458774 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 13614:16414, ack 1, win 147, length 2800 09:08:41.461374 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 16414:19214, ack 1, win 147, length 2800 09:08:41.461388 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [P.], seq 19214:19879, ack 1, win 147, length 665 09:08:41.485084 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [.], ack 1011, win 130, length 0 09:08:41.485958 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], ack 999, win 130, length 0 09:08:41.486888 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [.], ack 998, win 130, length 0 09:08:41.487791 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [.], ack 1005, win 130, length 0 09:08:41.488224 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 1:139, ack 999, win 130, length 138 09:08:41.488291 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [.], ack 983, win 130, length 0 09:08:41.489100 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [P.], seq 1:139, ack 1011, win 130, length 138 09:08:41.491998 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [P.], seq 1:139, ack 998, win 130, length 138 09:08:41.492653 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], 
seq 12214:13614, ack 1, win 147, length 1400 09:08:41.494013 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [P.], seq 1:139, ack 1005, win 130, length 138 09:08:41.499825 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [P.], seq 1:139, ack 983, win 130, length 138 09:08:41.514427 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 139:277, ack 1980, win 146, length 138 09:08:41.688727 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [P.], seq 139:277, ack 2005, win 146, length 138 09:08:41.689548 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 277:415, ack 2998, win 162, length 138 09:08:41.824277 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 415:651, ack 3932, win 178, length 236 09:08:41.824391 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 651:3451, ack 3932, win 178, length 2800 09:08:41.824427 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 3451:6251, ack 3932, win 178, length 2800 09:08:41.824451 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 6251:7651, ack 3932, win 178, length 1400 09:08:41.846233 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 7651:8537, ack 3932, win 178, length 886 ^C 35 packets captured 36 packets received by filter 0 packets dropped by kernel # tcpdump -ni any 'tcp and dst host 184.105.206.82 and port 25' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 05:46:31.833762 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [.], ack 231639512, win 229, options [nop,nop,TS val 2464661680 ecr 1677502875], length 0 05:46:31.833826 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 2464661680 ecr 1677502875], length 21 05:46:32.515302 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 21:52, ack 62, win 229, options [nop,nop,TS val 2464662361 ecr 1677503046], length 31 05:46:32.886948 
IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 52:80, ack 70, win 229, options [nop,nop,TS val 2464662733 ecr 1677503139], length 28
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' [sudo] password for neo: tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes 13:51:31.825893 CDPv2, ttl: 180s, checksum: 692 (unverified), length 375 Device-ID (0x01), length: 7 bytes: '4A3750G' Version String (0x05), length: 182 bytes: Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1) Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Thu 19-Jul-07 19:15 by nachen Platform (0x06), length: 23 bytes: 'cisco WS-C3750G-24TS-1U' Address (0x02), length: 13 bytes: IPv4 (1) 193.168.0.254 Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15' Capability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping Protocol-Hello option (0x08), length: 32 bytes: VTP Management Domain (0x09), length: 3 bytes: 'example' Native VLAN ID (0x0a), length: 2 bytes: 11 Duplex (0x0b), length: 1 byte: full AVVID trust bitmap (0x12), length: 1 byte: 0x00 AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00 Management Addresses (0x16), length: 13 bytes: IPv4 (1) 193.168.0.254 unknown field type (0x1a), length: 12 bytes: 0x0000: 0000 0001 0000 0000 ffff ffff 1 packets captured 1 packets received by filter 0 packets dropped by kernel
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes 13:52:03.451238 CDPv2, ttl: 180s, checksum: 692 (unverified), length 420 Device-ID (0x01), length: 9 bytes: 'O9-Switch' Version String (0x05), length: 248 bytes: Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2011 by Cisco Systems, Inc. Compiled Thu 05-May-11 16:56 by prod_rel_team Platform (0x06), length: 22 bytes: 'cisco WS-C2960S-48TD-L' Address (0x02), length: 4 bytes: Port-ID (0x03), length: 20 bytes: 'GigabitEthernet1/0/8' Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping Protocol-Hello option (0x08), length: 32 bytes: VTP Management Domain (0x09), length: 0 byte: '' 1 packets captured 3 packets received by filter 0 packets dropped by kernel
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' | grep GigabitEthernet [sudo] password for neo: tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15' 1 packets captured 1 packets received by filter 0 packets dropped by kernel
每一行中間都有這個包所攜帶的標誌:
Flags [*]( S=SYN 發起連接標誌 P=PUSH 傳送數據標誌 F=FIN 關閉連接標誌 ack 表示確認包 RST= RESET 異常關閉連接 . 表示沒有任何標誌 )
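#!/bin/bash
# Reconstruct MySQL statements from traffic sent to TCP port 3306.
#
# tcpdump writes raw packets to stdout (-w -), `strings` pulls out the
# printable runs, and the perl filter glues continuation lines onto the
# statement that began with a SQL keyword. The output is plaintext query
# content (it may contain literal values), so treat it as sensitive data.
#
# Usage: $0 [interface]    (default interface: eth0, as in the original)
set -uo pipefail

iface=${1:-eth0}

tcpdump -i "$iface" -s 0 -l -w - 'dst port 3306' \
  | strings \
  | perl -e '
    $| = 1;              # flush each statement promptly when stdout is a pipe
    my $q;               # statement currently being accumulated
    while (<>) {
      chomp;
      # a line made of a single token cannot be (part of) a statement
      next if /^[^ ]+[ ]*$/;
      if (/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
        # a new statement starts: emit the one collected so far
        print "$q\n" if defined $q;
        $q = $_;
      } else {
        # continuation line: drop leading whitespace and append
        s/^[ \t]+//;
        $q .= " $_";
      }
    }
    # the original loop never printed the last statement; flush it at EOF
    print "$q\n" if defined $q;
  '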
顯示所有進出 80 連接埠的 IPv4 HTTP 包,也就是只打印包含數據的包(例如 SYN、FIN 包和 ACK-only 包這類不含數據的包不會打印):
# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
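# Extract Oracle "ORA-" error messages from SQL*Net traffic on TCP port 1521.
#
# Options are placed before the filter expression: putting -A/-s after the
# expression only works where getopt permutes arguments (GNU libc).
# -A prints the payload as ASCII, -s 1500 raises the snapshot length so the
# payload is not truncated, and -l line-buffers stdout so awk sees each line
# as it is captured instead of after a full block.
# The output is plaintext application data; treat it as sensitive.
tcpdump -l -A -s 1500 -i eth1 'tcp port 1521' \
  | awk '$1 ~ /ORA-/ {
      # field 1 is non-printable payload glued to the error code: keep the
      # text after the first "ORA-" (same split semantics as before) and
      # put the prefix back
      split($1, t, "ORA-")
      line = "ORA-" t[2]
      # the remaining fields are the message text; join them with single
      # spaces (the old version glued field 2 onto the code and left a
      # trailing space)
      for (i = 2; i <= NF; i++) line = line " " $i
      print line
    }'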
# tcpdump -nni any -x -X port 25 | more tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 05:55:43.133217 IP 184.105.206.85.25 > 59.153.146.101.42756: Flags [P.], seq 3205055214:3205055222, ack 3276605059, win 16022, options [nop,nop,TS val 2899843510 ecr 1568241053], length 8 0x0000: 4500 003c c773 4000 3b06 238b b869 ce55 E..<.s@.;.#..i.U 0x0010: 3b99 9265 0019 a704 bf09 42ee c34d 0683 ;..e......B..M.. 0x0020: 8018 3e96 1803 0000 0101 080a acd8 19b6 ..>............. 0x0030: 5d79 759d 3235 3020 4f6b 0d0a 0000 0000 ]yu.250.Ok...... 0x0040: 0000 0000 0000 0000 0000 0000 ............ 05:55:43.133247 IP 59.153.146.101.42756 > 184.105.206.85.25: Flags [.], ack 8, win 115, options [nop,nop,TS val 1568241323 ecr 2899843510], length 0 0x0000: 4500 0034 0478 4000 4006 e18e 3b99 9265 E..4.x@.@...;..e 0x0010: b869 ce55 a704 0019 c34d 0683 bf09 42f6 .i.U.....M....B. 0x0020: 8010 0073 54e4 0000 0101 080a 5d79 76ab ...sT.......]yv. 0x0030: acd8 19b6 0000 0000 0000 0000 0000 0000 ................ 0x0040: 0000 0000 .... 05:55:43.133321 IP 59.153.146.101.42756 > 184.105.206.85.25: Flags [P.], seq 1:32, ack 8, win 115, options [nop,nop,TS val 1568241323 ecr 2899843510], length 31 0x0000: 4500 0053 0479 4000 4006 e16e 3b99 9265 E..S.y@.@..n;..e 0x0010: b869 ce55 a704 0019 c34d 0683 bf09 42f6 .i.U.....M....B. 0x0020: 8018 0073 5503 0000 0101 080a 5d79 76ab ...sU.......]yv. 0x0030: acd8 19b6 4d41 494c 2046 524f 4d3a 3c6e ....MAIL.FROM:<n 0x0040: 6f72 6570 6c79 4063 6631 3339 2e63 6f6d oreply@139.com 0x0050: 3e0d 0a00 0000 0000 0000 0000 0000 0000 >............... 0x0060: 0000 00 ... 05:55:43.142280 IP 184.105.206.85.25 > 59.153.146.101.42756: Flags [.], ack 32, win 16022, options [nop,nop,TS val 2899843513 ecr 1568241323], length 0 0x0000: 4500 0034 c774 4000 3b06 2392 b869 ce55 E..4.t@.;.#..i.U 0x0010: 3b99 9265 0019 a704 bf09 42f6 c34d 06a2 ;..e......B..M.. 
0x0020: 8010 3e96 d5a5 0000 0101 080a acd8 19b9 ..>............. 0x0030: 5d79 76ab 0000 0000 0000 0000 0000 0000 ]yv............. 0x0040: 0000 0000 .... 05:55:43.270436 IP 203.205.160.43.25 > 202.88.38.95.39594: Flags [.], ack 1271517256, win 159, options [nop,nop,TS val 1663885325 ecr 1568241310], length 0 0x0000: 4500 0034 18e5 4000 3806 cd2e cbcd a02b E..4..@.8......+ 0x0010: ca58 265f 0019 9aaa 800c c423 4bc9 d048 .X&_.......#K..H 0x0020: 8010 009f 0716 0000 0101 080a 632c e00d ............c,.. 0x0030: 5d79 769e 0000 0000 0000 0000 0000 0000 ]yv............. 0x0040: 0000 0000 ....
嗅探用戶密碼
# tcpdump -i any port http or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|userna me:|password:|login:|pass |user ' # tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
# tcpdump -A -q -i any port 25 | grep "RCPT TO:" # tcpdump -l -s0 -w - tcp dst port 25 | strings | grep -i 'MAIL FROM\|RCPT TO'