# tcpdump host 172.16.5.51
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:49:26.202556 IP 172.16.1.3 > 172.16.5.51: ICMP echo request, id 4, seq 22397, length 40
17:49:26.203002 IP 172.16.5.51 > 172.16.1.3: ICMP echo reply, id 4, seq 22397, length 40
Show all FTP sessions to 202.40.100.5 (control port 21 and data port 20)
# tcpdump -i eth1 'dst 202.40.100.5 and (port 21 or 20)'
$ tcpdump -n -i eth0 port 80
Monitor the network, excluding SSH (port 22) traffic
$ sudo tcpdump -n not dst port 22 and not src port 22
Show all HTTP sessions to 192.168.0.5
# tcpdump -ni eth0 'dst 192.168.0.5 and tcp and port http'
Monitor DNS traffic
# tcpdump -i eth0 'udp port 53'
# tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80
Analyze the output file (raw pcap written by -w) with Wireshark, which can be downloaded from the address below
http://www.wireshark.org/
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
[sudo] password for neo:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
13:51:31.825893 CDPv2, ttl: 180s, checksum: 692 (unverified), length 375
    Device-ID (0x01), length: 7 bytes: '4A3750G'
    Version String (0x05), length: 182 bytes:
      Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
      Copyright (c) 1986-2007 by Cisco Systems, Inc.
      Compiled Thu 19-Jul-07 19:15 by nachen
    Platform (0x06), length: 23 bytes: 'cisco WS-C3750G-24TS-1U'
    Address (0x02), length: 13 bytes: IPv4 (1) 193.168.0.254
    Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15'
    Capability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping
    Protocol-Hello option (0x08), length: 32 bytes:
    VTP Management Domain (0x09), length: 3 bytes: 'example'
    Native VLAN ID (0x0a), length: 2 bytes: 11
    Duplex (0x0b), length: 1 byte: full
    AVVID trust bitmap (0x12), length: 1 byte: 0x00
    AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
    Management Addresses (0x16), length: 13 bytes: IPv4 (1) 193.168.0.254
    unknown field type (0x1a), length: 12 bytes:
      0x0000:  0000 0001 0000 0000 ffff ffff
1 packets captured
1 packets received by filter
0 packets dropped by kernel

$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
13:52:03.451238 CDPv2, ttl: 180s, checksum: 692 (unverified), length 420
    Device-ID (0x01), length: 9 bytes: 'O9-Switch'
    Version String (0x05), length: 248 bytes:
      Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2011 by Cisco Systems, Inc.
      Compiled Thu 05-May-11 16:56 by prod_rel_team
    Platform (0x06), length: 22 bytes: 'cisco WS-C2960S-48TD-L'
    Address (0x02), length: 4 bytes:
    Port-ID (0x03), length: 20 bytes: 'GigabitEthernet1/0/8'
    Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
    Protocol-Hello option (0x08), length: 32 bytes:
    VTP Management Domain (0x09), length: 0 byte: ''
1 packets captured
3 packets received by filter
0 packets dropped by kernel

$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' | grep GigabitEthernet
[sudo] password for neo:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
    Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15'
1 packets captured
1 packets received by filter
0 packets dropped by kernel
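The filter 'ether[20:2] == 0x2000' works because CDP travels in an 802.3 frame with an LLC/SNAP header: 14 bytes of Ethernet header, 3 bytes of LLC (DSAP, SSAP, control) and the 3-byte SNAP OUI put the 2-byte SNAP protocol ID at offset 20, and Cisco's protocol ID for CDP is 0x2000. The decode above is what the switch announces to every host on the segment (model, IOS version, management address, the port you are plugged into, native VLAN), which is exactly what a defender wants to record when inventorying switch ports or deciding whether CDP should be disabled on access ports. The following added example (not code from the page or its author) parses tcpdump's text decode into per-neighbor records and mirrors the byte-offset filter in Python; the sample text is constructed from the two captures above, and the frame header it builds uses a made-up source MAC.

```python
"""Parse 'tcpdump -v' CDP decodes into neighbor records (added example)."""
import re

# Constructed sample: the two CDP announcements captured above, concatenated
# the way tcpdump -v prints them (tab-indented TLVs, wrapped version banner).
SAMPLE = """\
13:51:31.825893 CDPv2, ttl: 180s, checksum: 692 (unverified), length 375
\tDevice-ID (0x01), length: 7 bytes: '4A3750G'
\tVersion String (0x05), length: 182 bytes:
\t  Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
\t  Copyright (c) 1986-2007 by Cisco Systems, Inc.
\t  Compiled Thu 19-Jul-07 19:15 by nachen
\tPlatform (0x06), length: 23 bytes: 'cisco WS-C3750G-24TS-1U'
\tAddress (0x02), length: 13 bytes: IPv4 (1) 193.168.0.254
\tPort-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15'
\tCapability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping
\tNative VLAN ID (0x0a), length: 2 bytes: 11
\tManagement Addresses (0x16), length: 13 bytes: IPv4 (1) 193.168.0.254
1 packets captured
13:52:03.451238 CDPv2, ttl: 180s, checksum: 692 (unverified), length 420
\tDevice-ID (0x01), length: 9 bytes: 'O9-Switch'
\tPlatform (0x06), length: 22 bytes: 'cisco WS-C2960S-48TD-L'
\tAddress (0x02), length: 4 bytes:
\tPort-ID (0x03), length: 20 bytes: 'GigabitEthernet1/0/8'
\tCapability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
1 packets captured
0 packets dropped by kernel
"""

HDR_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ CDPv(?P<ver>\d), ttl: (?P<ttl>\d+)s")
TLV_RE = re.compile(r"^\s*(?P<name>.+?) \(0x[0-9a-fA-F]{2}\), length: \d+ bytes?: ?(?P<value>.*)$")
STAT_RE = re.compile(r"^\d+ packets? (captured|received by filter|dropped by kernel)$")


def parse_cdp(text):
    """Return one dict per CDP announcement: TLV name -> value string."""
    records, current, last_field = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        hdr = HDR_RE.match(line)
        if hdr:  # a new announcement starts; earlier TLVs belong to the previous one
            current = {"version": int(hdr["ver"]), "ttl": int(hdr["ttl"])}
            records.append(current)
            last_field = None
            continue
        if current is None or not line.strip() or STAT_RE.match(line):
            continue
        tlv = TLV_RE.match(line)
        if tlv:
            last_field = tlv["name"]
            current[last_field] = tlv["value"].strip().strip("'")
        elif last_field is not None:
            # tcpdump wraps long values (the IOS banner) onto further indented lines
            current[last_field] = (current[last_field] + " " + line.strip()).strip()
    return records


def neighbor_summary(rec):
    """Pick the fields a port inventory or rogue-switch check cares about."""
    ver = re.search(r"Version ([^,]+)", rec.get("Version String", ""))
    addr = re.search(r"IPv4 \(\d+\) (\S+)", rec.get("Address", ""))
    return {
        "device_id": rec.get("Device-ID"),
        "platform": rec.get("Platform"),
        "ios_version": ver.group(1) if ver else None,
        "mgmt_ip": addr.group(1) if addr else None,   # None when the Address TLV is empty
        "local_port": rec.get("Port-ID"),
        "native_vlan": int(rec["Native VLAN ID"]) if "Native VLAN ID" in rec else None,
        "is_router": "Router" in rec.get("Capability", ""),
    }


def is_cdp_frame(frame: bytes) -> bool:
    """Python twin of the BPF test 'ether[20:2] == 0x2000' (SNAP PID at offset 20)."""
    return len(frame) >= 22 and int.from_bytes(frame[20:22], "big") == 0x2000


def sample_cdp_header() -> bytes:
    """Constructed 802.3/LLC/SNAP header of a CDP frame (CDP payload omitted)."""
    return (bytes.fromhex("01000ccccccc")      # CDP multicast destination MAC
            + bytes.fromhex("001122334455")    # constructed source MAC (not real)
            + (0).to_bytes(2, "big")           # 802.3 length field, placeholder
            + bytes.fromhex("aaaa03")          # LLC: SNAP DSAP/SSAP, UI control
            + bytes.fromhex("00000c")          # SNAP OUI: Cisco
            + bytes.fromhex("2000"))           # SNAP protocol ID: CDP


if __name__ == "__main__":
    for rec in parse_cdp(SAMPLE):
        print(neighbor_summary(rec))
    print("filter matches constructed frame:", is_cdp_frame(sample_cdp_header()))
```

Feed it the output of the capture command (tcpdump -v ... | python3 script.py with a small stdin wrapper) to log which switch and port each host sits on; a neighbor whose Device-ID or Platform is not in your inventory is worth a look.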
#!/bin/bash
# Sniff MySQL traffic on eth0 and print the SQL statements it carries.
# -s 0: capture whole packets; -l: line-buffered; -w -: raw pcap to stdout,
# from which strings(1) pulls the printable query text.
tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | perl -e '
while(<>) {
    chomp;
    next if /^[^ ]+[ ]*$/;   # skip single-token lines (noise from strings)
    if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
        if (defined $q) { print "$q\n"; }   # flush the previous statement
        $q=$_;
    } else {
        $_ =~ s/^[ \t]+//;
        $q.=" $_";                          # continuation line of the current statement
    }
}
print "$q\n" if defined $q;   # flush the last statement when input ends
'