Packet capture: installing and using tcpdump
Foreword
The operations colleagues at my company, and the colleagues doing C and C++ development, often use tcpdump to capture packets when troubleshooting. Clearly this is an important skill, so I decided to learn it too and write it down here, hoping it can help you as well and be used in day-to-day work.
1: Installation
1.1: Installation
Download tcpdump and libpcap from here:
Since they are .xz archives, extract them with: tar -xJf xxxx.tar.xz. Build and install libpcap first (tcpdump's configure looks for it), then tcpdump; the commands are the same for both:
./configure
make
make install
If everything goes well, that's it: running tcpdump with no arguments captures with the default settings:
[root@localhost program]# tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
02:37:58.562315 IP localhost.localdomain.ssh > 192.168.10.94.58517: Flags [P.], seq 462979098:462979286, ack 71636262, win 261, length 188
02:37:58.565888 IP 192.168.10.94.58517 > localhost.localdomain.ssh: Flags [.], ack 188, win 508, length 0
02:37:58.650063 IP localhost.localdomain.45844 > public1.alidns.com.domain: 17318+ PTR? 94.10.168.192.in-addr.arpa. (44)
^C02:37:58.651487 ARP, Request who-has 192.168.10.67 tell 192.168.10.118, length 46
...
1.2: Problems you may run into
1.2.1: configure: error: no acceptable C compiler found in $PATH
Fix: run yum install gcc.
1.2.2: configure: error: Neither flex nor lex was found.
Fix: install m4, bison and flex, in that order.
m4 download: http://ftp.gnu.org/gnu/m4/ (m4-1.4.19)
cd m4-1.4.19
./configure
make
make install
bison download: http://ftp.gnu.org/gnu/bison/ (bison-3.7.6.tar.gz)
cd bison-3.7.6
./configure
make
make install
flex download: https://github.com/westes/flex/releases (flex-2.6.4.tar.gz)
cd flex-2.6.4
./configure
make
make install
2: Usage
2.1: List all interfaces
Use the -D option:
[root@localhost ~]# tcpdump -D
1.ens33 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.usbmon2 (Raw USB traffic, bus number 2)
5.usbmon1 (Raw USB traffic, bus number 1)
6.usbmon0 (Raw USB traffic, all USB buses) [none]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
2.2: Capture on a specific interface
-i selects the interface, for example the loopback interface:
- Start capturing first
[root@localhost ~]# tcpdump -i lo
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
- Then send a request to nginx
[root@localhost sbin]# curl http://127.0.0.1:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
- Now the capture shows the traffic
[root@localhost sbin]# tcpdump -i lo
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:37:52.923269 IP localhost.56470 > localhost.http: Flags [S], seq 843820990, win 43690, options [mss 65495,sackOK,TS val 255345234 ecr 0,nop,wscale 7], length 0
00:37:52.923281 IP localhost.http > localhost.56470: Flags [R.], seq 0, ack 843820991, win 0, length 0
00:37:58.641913 IP localhost.56472 > localhost.http: Flags [S], seq 1563503097, win 43690, options [mss 65495,sackOK,TS val 255350958 ecr 0,nop,wscale 7], length 0
00:37:58.641932 IP localhost.http > localhost.56472: Flags [S.], seq 214531868, ack 1563503098, win 43690, options [mss 65495,sackOK,TS val 255350958 ecr 255350958,nop,wscale 7], length 0
00:37:58.641946 IP localhost.56472 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 0
00:37:58.642024 IP localhost.56472 > localhost.http: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 73: HTTP: GET / HTTP/1.1
00:37:58.642032 IP localhost.http > localhost.56472: Flags [.], ack 74, win 342, options [nop,nop,TS val 255350958 ecr 255350958], length 0
00:37:58.642355 IP localhost.http > localhost.56472: Flags [P.], seq 1:239, ack 74, win 342, options [nop,nop,TS val 255350959 ecr 255350958], length 238: HTTP: HTTP/1.1 200 OK
00:37:58.642364 IP localhost.56472 > localhost.http: Flags [.], ack 239, win 350, options [nop,nop,TS val 255350959 ecr 255350959], length 0
00:37:58.642394 IP localhost.http > localhost.56472: Flags [P.], seq 239:854, ack 74, win 342, options [nop,nop,TS val 255350959 ecr 255350959], length 615: HTTP
00:37:58.642402 IP localhost.56472 > localhost.http: Flags [.], ack 854, win 360, options [nop,nop,TS val 255350959 ecr 255350959], length 0
00:37:58.642581 IP localhost.56472 > localhost.http: Flags [F.], seq 74, ack 854, win 360, options [nop,nop,TS val 255350959 ecr 255350959], length 0
00:37:58.643250 IP localhost.http > localhost.56472: Flags [F.], seq 854, ack 75, win 342, options [nop,nop,TS val 255350960 ecr 255350959], length 0
00:37:58.643264 IP localhost.56472 > localhost.http: Flags [.], ack 855, win 360, options [nop,nop,TS val 255350960 ecr 255350960], length 0
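The capture above contains both outcomes of a connection attempt: the first SYN to port 80 is answered with a RST (nothing was accepting on the port at that instant), the second gets a SYN-ACK and the handshake completes. As an added illustration, not code from the original post, here is a small Python parser for tcpdump's default one-line output that classifies each flow's handshake result; the sample lines are constructed from the capture above plus one SYN that never gets a reply, and 192.0.2.x is a placeholder address.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default one-line format (adapted from the
# loopback capture above, plus one SYN that never gets a reply). Resolved
# names such as "localhost.http" and numeric -n style addresses both parse.
SAMPLE_LINES = """\
00:37:52.923269 IP localhost.56470 > localhost.http: Flags [S], seq 843820990, win 43690, length 0
00:37:52.923281 IP localhost.http > localhost.56470: Flags [R.], seq 0, ack 843820991, win 0, length 0
00:37:58.641913 IP localhost.56472 > localhost.http: Flags [S], seq 1563503097, win 43690, length 0
00:37:58.641932 IP localhost.http > localhost.56472: Flags [S.], seq 214531868, ack 1563503098, win 43690, length 0
00:37:58.641946 IP localhost.56472 > localhost.http: Flags [.], ack 1, win 342, length 0
00:38:01.000000 IP 192.0.2.10.40000 > 192.0.2.20.8080: Flags [S], seq 1, win 64240, length 0
00:38:01.000100 ARP, Request who-has 192.0.2.20 tell 192.0.2.10, length 46
""".splitlines()

# "HH:MM:SS.frac IP src.sport > dst.dport: Flags [..], ..." -- the last dot
# separates host from port, so "localhost.localdomain.ssh" still splits right.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\S+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^:]+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Fields of a TCP summary line, or None for anything else (ARP, banners)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify_handshakes(lines):
    """Map (client, server) -> 'accepted' | 'refused' | 'unanswered'.

    A bare SYN opens a flow; the reply decides it: [S.] means the port
    accepted, [R.] means it is closed, no reply means filtered or host down.
    """
    outcome = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        client, server = (p["src"], p["sport"]), (p["dst"], p["dport"])
        if p["flags"] == "S":
            outcome.setdefault((client, server), "unanswered")
        elif p["flags"] in ("S.", "R.") and outcome.get((server, client)) == "unanswered":
            outcome[(server, client)] = "accepted" if p["flags"] == "S." else "refused"
    return outcome

def outcome_counts(lines):
    """Totals per outcome; many 'refused'/'unanswered' flows is the usual scan signature."""
    return Counter(classify_handshakes(lines).values())
```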
2.3: -c: how many packets to capture
[root@localhost sbin]# tcpdump -i lo -c 2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:20:44.768619 IP localhost.56474 > localhost.http: Flags [S], seq 2392252259, win 43690, options [mss 65495,sackOK,TS val 257917081 ecr 0,nop,wscale 7], length 0
01:20:44.768648 IP localhost.http > localhost.56474: Flags [S.], seq 4224015561, ack 2392252260, win 43690, options [mss 65495,sackOK,TS val 257917081 ecr 257917081,nop,wscale 7], length 0
2 packets captured
24 packets received by filter
0 packets dropped by kernel
2.4: --time-stamp-precision sets the timestamp precision of the capture: the default is micro (microseconds); nano (nanoseconds) is also available
2.5: Filtering
Filters use BPF syntax. For example, to capture packets whose host is 127.0.0.1 or whose destination port is 80, the expression is host 127.0.0.1 or dst port 80:
[root@localhost sbin]# tcpdump host 127.0.0.1 or dst port 80 -i lo -c 2 --time-stamp-precision nano
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:47:42.644167857 IP localhost.56494 > localhost.http: Flags [S], seq 3263091779, win 43690, options [mss 65495,sackOK,TS val 259534961 ecr 0,nop,wscale 7], length 0
01:47:42.644196259 IP localhost.http > localhost.56494: Flags [S.], seq 1880556489, ack 3263091780, win 43690, options [mss 65495,sackOK,TS val 259534961 ecr 259534961,nop,wscale 7], length 0
2 packets captured
24 packets received by filter
0 packets dropped by kernel
Filters also have some more advanced forms that are useful for capturing packets in a specific state:
2.6: -w: save to a file, and read back from a file (including several files)
- Save to a file
[root@localhost test]# tcpdump -c 2 -w a.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2 packets captured
14 packets received by filter
0 packets dropped by kernel
- Read from a file
[root@localhost test]# ll
total 4
-rw-r--r--. 1 root root 294 Jan 13 01:58 a.pcap
[root@localhost test]# tcpdump -r a.pcap
reading from file a.pcap, link-type EN10MB (Ethernet), snapshot length 262144
01:58:31.049823 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406851377:3406851501, ack 3681961471, win 261, length 124
01:58:31.100850 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 124, win 508, length 0
- Load into Wireshark
File -> Open, then choose the pcap to load:
- Read several files
Prepare several files:
[root@localhost test]# tcpdump -c 2 -w one.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2 packets captured
22 packets received by filter
0 packets dropped by kernel
[root@localhost test]# tcpdump -c 2 -w two.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2 packets captured
28 packets received by filter
0 packets dropped by kernel
[root@localhost test]# ll
total 12
-rw-r--r--. 1 root root 294 Jan 13 01:58 a.pcap
-rw-r--r--. 1 root root 294 Jan 13 02:49 one.pcap
-rw-r--r--. 1 root root 294 Jan 13 02:50 two.pcap
Put the names of the files to read into one file:
[root@localhost test]# cat all
one.pcap
two.pcap
Read them with the -V option:
[root@localhost test]# tcpdump -V all
reading from file one.pcap, link-type EN10MB (Ethernet), snapshot length 262144
02:49:57.645367 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406854861:3406854985, ack 3681965707, win 261, length 124
02:49:57.646647 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 0, win 512, length 0
reading from file two.pcap, link-type EN10MB (Ethernet), snapshot length 262144
02:50:04.246070 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 1136:1260, ack 661, win 261, length 124
02:50:04.246343 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 1136, win 508, length 0
[root@localhost test]#
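As an added example (not from the original post) of what -w writes and -r reads: a minimal pcap writer/reader in Python covering the 24-byte global header, whose magic number encodes both the byte order and whether timestamps are microseconds (plain -w) or nanoseconds (-w together with --time-stamp-precision nano), and the 16-byte per-record header. The frame and records are constructed; the link type and snapshot length are the values shown in the captures above.

```python
import os
import struct
import tempfile

PCAP_MAGIC_MICRO, PCAP_MAGIC_NANO = 0xA1B2C3D4, 0xA1B23C4D  # plain -w / -w --time-stamp-precision nano
LINKTYPE_ETHERNET, SNAPLEN = 1, 262144  # the EN10MB link-type and snapshot length shown above

# Constructed frame: Ethernet header (dst, src, type 0x0800) followed by 28 zero bytes.
FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(28)
# Constructed records: (seconds, fraction, frame); fraction is microseconds or nanoseconds.
RECORDS = [(1673574000, 123456, FRAME), (1673574003, 987654, FRAME[:20])]

def write_pcap(path, records, nano=False):
    """Write records as a little-endian pcap file; the magic encodes the timestamp precision."""
    with open(path, "wb") as f:
        magic = PCAP_MAGIC_NANO if nano else PCAP_MAGIC_MICRO
        f.write(struct.pack("<IHHiIII", magic, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for secs, frac, frame in records:
            f.write(struct.pack("<IIII", secs, frac, len(frame), len(frame)) + frame)

def parse_global_header(raw):
    """Return (endian, precision, snaplen, linktype) from the 24-byte global header."""
    for endian in ("<", ">"):                # the magic is also the byte-order marker
        magic = struct.unpack(endian + "I", raw[:4])[0]
        if magic in (PCAP_MAGIC_MICRO, PCAP_MAGIC_NANO):
            precision = "nano" if magic == PCAP_MAGIC_NANO else "micro"
            snaplen, linktype = struct.unpack(endian + "II", raw[16:24])
            return endian, precision, snaplen, linktype
    raise ValueError("not a pcap file (bad magic)")

def read_pcap(path):
    """Return (precision, [(secs, frac, frame), ...]); a cut-off last record is an error."""
    with open(path, "rb") as f:
        endian, precision, _snaplen, _linktype = parse_global_header(f.read(24))
        records = []
        while True:
            hdr = f.read(16)
            if not hdr:
                break
            secs, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", hdr)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated record (capture stopped mid-write?)")
            records.append((secs, frac, frame))
    return precision, records

def roundtrip(nano=False):
    path = os.path.join(tempfile.mkdtemp(), "demo.pcap")  # scratch file for the demo
    write_pcap(path, RECORDS, nano=nano)
    return read_pcap(path)
```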
2.7: -C limits the size of each file, -W limits the number of files
Once the count is exceeded, the oldest file is overwritten:
Here the unit of -C is 1,000,000 bytes, roughly 1 MB.
2.8: -G sets how often a new file is started
Start a new file every 3 seconds, with a time suffix in the file name:
[root@localhost test]# tcpdump -G 3 -w def%M-%S
tcpdump: listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C525 packets captured
544 packets received by filter
0 packets dropped by kernel
[root@localhost test]# ll | grep def
-rw-r--r--. 1 root root 10540 Jan 13 03:12 def12-55
-rw-r--r--. 1 root root 12218 Jan 13 03:13 def12-58
-rw-r--r--. 1 root root 11281 Jan 13 03:13 def13-01
-rw-r--r--. 1 root root 13870 Jan 13 03:13 def13-04
2.9: Controlling how much detail is shown
Main options:
- -e shows link-layer (Ethernet) header information
- -S shows absolute TCP sequence numbers
[root@localhost test]# tcpdump -c 2 -S
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:19:19.464455 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406897957:3406898145, ack 3681977203, win 261, length 188
03:19:19.469906 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 3406898145, win 508, length 0
2 packets captured
23 packets received by filter
0 packets dropped by kernel
- -A prints packet contents in ASCII
[root@localhost test]# tcpdump -c 2 -A
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:23:42.445345 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406898785:3406898973, ack 3681977499, win 261, length 188
E...[U@.@.H...
*..
^...y..&a.v..P...........{./L'......`...sd.W8G_Ox..'0.O.O.2w...N...'....C...jf...Jm ..d.
0..k..#'.?..t..M.^kZ..n...Q.AoAU.s......Ac.X..."B....kQ.xNjU{..T......`.i..m..i...UEib.1...?[W..........?.Zt.it......V.
03:23:42.449537 IP 192.168.10.94.52601 > localhost.localdomain.ssh: Flags [.], ack 188, win 511, length 0
E..(..@...^...
^..
*.y...v....'.P....+........
2 packets captured
17 packets received by filter
0 packets dropped by kernel
- -x prints packet contents in hex
[root@localhost test]# tcpdump -c 2 -x
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:23:56.847124 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406899893:3406900081, ack 3681977651, win 261, length 188
0x0000: 4510 00e4 5b5c 4000 4006 48cf c0a8 0a2a
0x0010: c0a8 0a5e 0016 cd79 cb11 2ab5 db76 8533
0x0020: 5018 0105 96af 0000 482f 9f38 9a7e a876
0x0030: 2ff5 f868 1012 51ea 58b2 6252 8ba8 c0d1
0x0040: bd2a 0c6b dcd8 89cc 21cc 2157 3c19 db35
0x0050: 7f76 7380 ff93 319e 7d3a 223c 21b4 aa76
0x0060: 448c fed4 0b50 af92 9e26 026c c13e 6b91
0x0070: be68 086b e481 0b0f 0daf 0e9d 07c5 bb02
0x0080: 4e18 adc3 e07c 5705 fb6e f877 18a7 390f
0x0090: 7707 7f84 cd9b 1b49 5535 9978 16b7 75a8
0x00a0: 3679 c266 4eff 84ce 2b7f a921 7338 ba29
0x00b0: d8b2 c2bb c31a 5009 b642 9b54 821b 2ce2
0x00c0: 7fd2 ebf4 a8f3 fed5 d700 6603 d767 7251
...
- -X prints packet contents in hex and ASCII
[root@localhost test]# tcpdump -c 2 -X
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:24:39.963597 IP localhost.localdomain.ssh > 192.168.10.94.52601: Flags [P.], seq 3406903797:3406903985, ack 3681977911, win 261, length 188
0x0000: 4510 00e4 5b69 4000 4006 48c2 c0a8 0a2a E...[i@.@.H....*
0x0010: c0a8 0a5e 0016 cd79 cb11 39f5 db76 8637 ...^...y..9..v.7
0x0020: 5018 0105 96af 0000 6e6e 36d6 f559 67ab P.......nn6..Yg.
0x0030: 8e7e 201d 6c43 5564 c62e 56be 7a9d e96b .~..lCUd..V.z..k
0x0040: 9483 b57e 6e5a 35fd cc6d 83de 4a4e b29d ...~nZ5..m..JN..
0x0050: 0838 9f45 7d2e 2d45 389a 0760 c30c 3c58 .8.E}.-E8..`..<X
0x0060: 8201 54d8 f955 ebbd b313 4445 0f8f 1909 ..T..U....DE....
0x0070: f335 c2f4 ef65 5fc9 ab2b b3e7 acfd ea20 .5...e_..+......
0x0080: 915b 5938 7f7d 64ce fdca 8587 bfec 5202 .[Y8.}d.......R.
0x0090: b8de 12f6 6de1 8cc7 fa55 a786 3f06 6e98 ....m....U..?.n.
0x00a0: 731c 2de9 08e8 2ea5 1266 f485 c335 0869 s.-......f...5.i
0x00b0: 9aaa 957d 0d2b 5e8e 5b4e 90f2 3c70 fb4d ...}.+^.[N..<p.M
0x00c0: 04d2 8315 3166 3418 ef8d dbba 8f60 281c ....1f4......`(.
0x00d0: d52d 3a55 d733 00d9 0045 f32e ef90 be25 .-:U.3...E.....%
0x00e0: fdd1 fc86 ....
03:24:39.963713 IP 192.168.10.185.mdns > mdns.mcast.net.mdns: 0*- [0q] 1/0/2 PTR M-oM-?M-=M-oM-?M-=M-oM-?M-=M-oM-?M-=M-oM-?M-=M-oM-?M-=M-]M-.._dosvc._tcp.local. (317)
0x0000: 4500 0159 2f03 0000 0111 dd34 c0a8 0ab9 E..Y/......4....
0x0010: e000 00fb 14e9 14e9 0145 f77d 0000 8400 .........E.}....
0x0020: 0000 0001 0000 0002 065f 646f 7376 6304 ........._dosvc.
0x0030: 5f74 6370 056c 6f63 616c 0000 0c00 0100 _tcp.local......
0x0040: 0000 0000 2814 efbf bdef bfbd efbf bdef ....(...........
0x0050: bfbd efbf bdef bfbd ddae 065f 646f 7376 ..........._dosv
0x0060: 6304 5f74 6370 056c 6f63 616c 0014 efbf c._tcp.local....
0x0070: bdef bfbd efbf bdef bfbd efbf bdef bfbd ................
0x0080: ddae 065f 646f 7376 6304 5f74 6370 056c ..._dosvc._tcp.l
0x0090: 6f63 616c 0000 2100 0100 0000 0000 2200 ocal..!.......".
0x00a0: 0000 001e 0014 efbf bdef bfbd efbf bdef ................
...
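As an added example, not code from the original post: the -x dump above is just the raw IPv4 and TCP headers, and decoding its first 40 bytes in Python reproduces exactly what the summary line reports (ssh > 52601, Flags [P.], win 261, length 188), plus a check that the IPv4 header checksum is intact. The hex is copied from the -x output above; the flag letters and their order follow tcpdump's own notation.

```python
import struct

# Constructed from the first -x lines of the SSH packet above: the 20-byte
# IPv4 header and 20-byte TCP header; the 188 encrypted payload bytes are left out.
HEX_DUMP = """\
0x0000: 4510 00e4 5b5c 4000 4006 48cf c0a8 0a2a
0x0010: c0a8 0a5e 0016 cd79 cb11 2ab5 db76 8533
0x0020: 5018 0105 96af 0000"""

# Flag letters in the order tcpdump prints them inside Flags [...]
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

def hexdump_to_bytes(dump):
    """Drop the 0xNNNN: offset column of -x output and join the hex groups."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split()[1:])
    return bytes.fromhex("".join(words))

def ipv4_checksum_ok(header):
    """The header verifies when its one's-complement 16-bit sum folds to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ip_tcp(pkt):
    """Decode IPv4 + TCP headers into the fields tcpdump prints on its summary line."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "ttl": ttl,
        "seq": seq, "ack": ack, "win": win,
        "flags": "".join(name for bit, name in TCP_FLAGS if off_flags & bit),
        "payload_len": total_len - ihl - doff,       # the "length 188" tcpdump shows
        "ip_checksum_ok": ipv4_checksum_ok(pkt[:ihl]),
    }
```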
Afterword