Linux Commands - tcpdump
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
Description
The -w flag saves the captured packet data to a file; -r reads packet data back from such a file instead of from a network interface.
If an expression is given, only packets that match it are processed.
-c limits the total number of packets to receive. Without -c, tcpdump keeps processing packets until it receives a SIGINT or SIGTERM signal.
When tcpdump finishes capturing, it reports:
- the number of packets captured
- the number of packets received by the filter
- the number of packets dropped by the kernel (for lack of buffer space)
SIGINFO…
Reading packets from a network interface requires special privileges; see the pcap(3PCAP) man page.
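The closing summary is the only place tcpdump tells you whether the capture is complete. A "dropped by kernel" count above zero means the ring buffer overflowed and the savefile has gaps, which matters when the capture is evidence or feeds detection. The script below is an added example, not part of the tcpdump man page: it parses a constructed copy of that summary and fails when drops are present. The interface name, packet counts and the -B value in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the tcpdump man page): parse the summary tcpdump
# prints on stderr when it stops, and flag kernel drops.

# Constructed sample of tcpdump's stderr after a bounded capture (-c).
SAMPLE_STATS='listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
1532 packets captured
1704 packets received by filter
172 packets dropped by kernel'

# Read tcpdump stderr on stdin; print "captured received dropped" as one line.
parse_capture_stats() {
    awk '
        /packets captured$/            { c = $1 }
        /packets received by filter$/  { r = $1 }
        /packets dropped by kernel$/   { d = $1 }
        END { printf "%s %s %s\n", c+0, r+0, d+0 }
    '
}

# Return 1 when the kernel dropped packets, i.e. the capture has gaps.
# Argument: the full stderr text of a finished tcpdump run.
check_drops() {
    dropped=$(printf '%s\n' "$1" | parse_capture_stats | cut -d' ' -f3)
    if [ "$dropped" -gt 0 ]; then
        echo "WARNING: $dropped packets dropped by kernel; raise -B or tighten the filter" >&2
        return 1
    fi
    return 0
}

# Usage (needs capture privileges; interface and -B size are assumptions):
#   tcpdump -n -i eth0 -c 2000 -B 65536 -w out.pcap 2> stats.txt
#   check_drops "$(cat stats.txt)" || echo "capture incomplete, do not rely on out.pcap"
```

The check runs on the saved stderr rather than on the live stream because tcpdump only emits the three counters after it stops; a capture that is still running gives no signal about drops.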
Options
-A
: Print each packet (minus its link-level header) in ASCII. Handy for capturing web pages.
-B
: Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).
-c
: Exit after receiving count packets.
-C
: Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first have the name given with -w followed by a number, starting at 1 and counting upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
Note: when used with the -Z option (enabled by default), privileges are dropped before the first savefile is opened, so the output directory must be writable by the unprivileged user.
-d
: Dump the compiled packet-matching code in a human-readable form to standard output and stop.
-dd
: Dump the packet-matching code as a C program fragment.
-ddd
: Dump packet-matching code as decimal numbers (preceded with a count).
-D
: Print the list of network interfaces available on the system on which tcpdump can capture packets. For each interface, a number and an interface name are printed, possibly followed by a text description of the interface. The interface name or the number can be supplied to the -i flag to specify the interface to capture on.
The -D flag is not supported if tcpdump was built against an older version of libpcap that lacks the pcap_findalldevs() function.
-e
: Print the link-level header on each dump line.
-E
: Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain the Security Parameter Index value spi. This combination may be repeated with comma or newline separation.
Note that setting the secret for IPv4 ESP packets is supported at this time.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled.
secret is the ASCII text of the ESP secret key. If preceded by 0x, it is read as a hex value.
The option assumes RFC 2406 ESP, not RFC 1827 ESP. It is intended only for debugging, and using it with a true 'secret' key is discouraged: an IPsec key placed on the command line is visible to other users via ps(1) and elsewhere.
In addition to the above syntax, the syntax file name (the word file followed by a path) may be used to have tcpdump read the entries from that file. The file is opened upon receiving the first ESP packet, so any special permissions tcpdump was started with should already have been given up; the file must therefore be readable by the user tcpdump runs as after dropping privileges.
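The ps(1) exposure above is the reason to prefer the file form of -E. The helper below is an added example, not part of the tcpdump man page: it writes one spi@ipaddr algo:secret entry per line to a file created with mode 0600 and returns the resulting mode so the caller can verify it. The SPIs, addresses and key bytes in the usage lines are constructed and do not decrypt anything real.

```shell
#!/bin/sh
# Added example (not from the tcpdump man page): keep ESP keys off the command
# line. -E 'spi@addr algo:secret' is visible to every local user via ps(1);
# -E 'file <path>' reads the same entries from a file instead.

# Write ESP decryption entries, one "spi@ipaddr algo:secret" per line, to a
# file only the owner can read. Arguments: path, then one entry per argument.
# Prints the file's octal mode (e.g. 600) so the caller can check it.
write_esp_secrets() {
    path=$1; shift
    (
        umask 077                     # new file is created 0600
        rm -f "$path"                 # umask does not tighten an existing file
        for entry in "$@"; do
            printf '%s\n' "$entry" >> "$path"
        done
    )
    # GNU stat first; fall back to the BSD/macOS form.
    stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path"
}

# Usage (values are constructed placeholders, not working keys):
#   write_esp_secrets ./esp.keys \
#       '0x1000@192.0.2.1 3des-cbc:0x000102030405060708090a0b0c0d0e0f1011121314151617' \
#       '0x2000@192.0.2.2 des-cbc:0x0001020304050607'
#   tcpdump -n -r esp.pcap -E "file $PWD/esp.keys"
```

Because tcpdump opens the file only when the first ESP packet arrives, after -Z has dropped privileges, a 0600 file owned by root is unreadable at that point on a live capture; either own the file as the -Z user or, as in the usage above, run against a savefile with -r where no privilege drop is involved.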
-f
: Print 'foreign' IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's NIS server, which usually hangs forever translating non-local internet numbers).
The test for 'foreign' IPv4 addresses is done using the IPv4 address and netmask of the interface on which the capture is being done. If that address or netmask is not available, either because the capture interface has no address or netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this option will not work correctly.
-F
: Use file as input for the filter expression. Any expression given on the command line is ignored.
-G
: If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w, which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous one.
If used in conjunction with the -C option, filenames will take the form of 'file<count>'.
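The overwrite behaviour described for -G is easy to trigger by accident: a plain -w name rotates onto itself and only the last rotate_seconds of traffic survive. The functions below are an added example, not part of the tcpdump man page: one checks that the savefile pattern carries a strftime(3) conversion, the other assembles a rotating capture command that also drops privileges with -Z. The interface, period, output path and the unprivileged user name "tcpdump" are assumptions; substitute a user that exists on your system.

```shell
#!/bin/sh
# Added example (not from the tcpdump man page): guard against -G rotating
# onto a fixed file name, which silently overwrites the previous capture.

# Return 0 if the savefile name has at least one strftime conversion (%Y, %H, ...).
has_time_format() {
    case "$1" in
        *%[a-zA-Z]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the tcpdump command line for a rotating capture.
# Arguments: interface, rotation period in seconds, savefile pattern,
# unprivileged user for -Z. Refuses patterns without a time format.
rotating_capture_cmd() {
    iface=$1; period=$2; pattern=$3; user=$4
    if ! has_time_format "$pattern"; then
        echo "refusing: '$pattern' has no %-directive; each rotation would overwrite the last" >&2
        return 1
    fi
    # -n avoids DNS lookups during capture; -Z drops root before the first
    # file is opened, so the target directory must be writable by $user.
    printf "tcpdump -n -i %s -G %s -Z %s -w '%s'\n" "$iface" "$period" "$user" "$pattern"
}

# Usage (prints the command; run the output as root to start capturing):
#   rotating_capture_cmd eth0 3600 '/var/tmp/cap-%Y%m%d-%H%M%S.pcap' tcpdump
```

Combining this with -C is fine, but remember that -C's file_size is in units of 1,000,000 bytes and that the numeric suffix is appended after the expanded time format.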
-i
: Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.
On Linux systems with 2.2 or later kernels, an interface argument of 'any' can be used to capture packets from all interfaces. Note that captures on the 'any' device are not done in promiscuous mode.
If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument.
-I
: Put the interface in monitor mode. This is supported only on IEEE 802.11 Wi-Fi interfaces, and only on some operating systems.
Note that in monitor mode the adapter might disassociate from the network with which it's associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.
This flag will affect the output of the -L flag. If -I isn't specified, only those link-layer types available when not in monitor mode will be shown; if -I is specified, only those link-layer types available when in monitor mode will be shown.
-K
: Don't attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculations in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.
-l
: Make stdout line buffered. Useful if you want to see the data while capturing it. E.g., ''tcpdump -l | tee dat'' or ''tcpdump -l > dat & tail -f dat''.
-L List the known data link types for the interface, in the specified mode, and exit. The list of known data link types may be
dependent on the specified mode; for example, on some platforms, a Wi-Fi interface might support one set of data link types
when not in monitor mode (for example, it might support only fake Ethernet headers, or might support 802.11 headers but not
support 802.11 headers with radio information) and another set of data link types when in monitor mode (for example, it might
support 802.11 headers, or 802.11 headers with radio information, only in monitor mode).
-m Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.
-M Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.
-n Don’t convert host addresses to names. This can be used to avoid DNS lookups.
-nn Don’t convert protocol and port numbers etc. to names either.
-N Don’t print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ‘‘nic’’ instead of
‘‘nic.ddn.mil’’.
-O Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
-p Don’t put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason;
hence, ‘-p’ cannot be used as an abbreviation for ‘ether host {local-hw-addr} or ether broadcast’.