As the usage synopsis shows, the packet-filter expression must always be the last argument:
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ] [ --count ] [ -C file_size ]
[ -E spi@ipaddr algo:secret,... ]
[ -F file ] [ -G rotate_seconds ] [ -i interface ]
[ --immediate-mode ] [ -j tstamp_type ] [ -m module ]
[ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
[ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --micro ] [ --nano ]
[ expression ]
tcpdump -D
1.enp89s0 [Up, Running, Connected]
2.docker0 [Up, Running, Connected]
3.vetha051ecc [Up, Running, Connected]
4.vethe67e03a [Up, Running, Connected]
5.vethc58c174 [Up, Running, Connected]
# capture on one interface
tcpdump -i eth0
# capture on all interfaces
tcpdump -i any
# -n: do not resolve addresses to names
tcpdump -n -i any
# filter by host (either direction)
tcpdump host 192.168.0.1
# filter by source IP
tcpdump src 192.168.3.2
# filter by destination IP
tcpdump dst 192.168.3.2
# filter by protocol
tcpdump tcp
# filter by a single port (either direction)
tcpdump port 33
# filter by destination port or by source port
tcpdump dst port 33
tcpdump src port 33
# filter by port range
tcpdump portrange 30-90
# combine primitives with and/or/not; -w writes the raw packets to a file
tcpdump -i ens33 tcp and host 192.168.40.30
tcpdump -i ens33 tcp and host 192.168.40.30 -w log.pcap
-G 30
Write a new file every 30 seconds (the -w name carries strftime(3) format specifiers so each file gets its own timestamp):
tcpdump -i ens33 -G 30 tcp and host 192.168.40.30 -w %Y_%m%d_%H%M_%S.log.pcap
-C 30
Start a new file each time the current one reaches 30 MB:
tcpdump -i ens33 -C 30 tcp and host 192.168.40.30 -w log.pcap
When capturing on a busy network and writing to a file, it is easy to fill the disk. It is safer to set a maximum packet count so that tcpdump exits on its own once that many packets have been captured:
tcpdump -c 100000 -i eth0 host 21.23.3.2 -w test.pcap
Split an existing capture file into several 20 MB files:
tcpdump -r old_file -w new_files -C 20
# packets whose length is below a given value (less N matches length <= N)
tcpdump less 30
# packets whose length is above a given value (greater N matches length >= N)
tcpdump greater 30
# common filter primitives (the direction keywords are src and dst)
port 53
src port 53
dst port 53
host 1.2.3.4
src host 1.2.3.4
dst host 1.2.3.4
host 1.2.3.4 and port 53
Useful for extracting just the packets you need from a large pcap file:
tcpdump -r old.pcap -w new.pcap less 1280
Sometimes, when the capture stops, tcpdump reports "N packets dropped by kernel". Whenever that number is non-zero, pay attention: those packets were not lost on the network, they were discarded by the tcpdump tool itself.
60 packets captured
279514 packets received by filter
279368 packets dropped by kernel
By default tcpdump performs DNS resolution while capturing. That resolution slows down tcpdump's processing, the capture buffer fills up, and the packets that no longer fit are dropped.
There are two ways to deal with this (from the tcpdump man page):
-n Don't convert host addresses to names. This can be used to avoid DNS lookups.
-nn Don't convert protocol and port numbers etc. to names either.
-B buffer_size
--buffer-size=buffer_size
Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).
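As an added example (not part of the original note), a small POSIX shell helper that parses the summary tcpdump prints on stderr at exit and flags kernel drops, plus a builder for the capture command that applies the advice above (-n, -B, -c, -G, expression last). The summary text is a constructed sample; the interface and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original note. Two helpers for the problem the
# page describes: kernel drops caused by a slow tcpdump (DNS lookups, small buffer).

# Constructed sample of the summary tcpdump prints on stderr when it exits.
SAMPLE_STATS='60 packets captured
279514 packets received by filter
279368 packets dropped by kernel'

# drop_check STATS_TEXT
# Parses the summary, prints the drop percentage (integer), and returns
# 0 when nothing was dropped or 1 when the kernel dropped packets.
drop_check() {
    stats="$1"
    received=$(printf '%s\n' "$stats" | awk '/packets received by filter/ {print $1}')
    dropped=$(printf '%s\n' "$stats" | awk '/packets dropped by kernel/ {print $1}')
    received=${received:-0}
    dropped=${dropped:-0}
    pct=0
    if [ "$received" -gt 0 ]; then
        pct=$(( dropped * 100 / received ))
    fi
    printf '%s\n' "$pct"
    [ "$dropped" -eq 0 ]
}

# capture_cmd IFACE HOST
# Builds the capture command that applies the page's advice: -n (no DNS
# lookups), -B 4096 (4 MiB kernel buffer; the unit is KiB), -c to bound the
# capture, -G 30 with a strftime name so files rotate, and the filter
# expression last. It is printed rather than executed so it runs without
# root; IFACE and HOST are placeholders supplied by the caller.
capture_cmd() {
    iface="$1"; host="$2"
    printf 'tcpdump -n -i %s -B 4096 -c 100000 -G 30 -w cap_%%Y%%m%%d_%%H%%M%%S.pcap host %s\n' \
        "$iface" "$host"
}

# Stand-alone run on the sample. A real session would be
#   sh -c "$(capture_cmd eth0 192.168.0.1)" 2>stats.txt
# followed by  drop_check "$(cat stats.txt)".
if ! pct=$(drop_check "$SAMPLE_STATS"); then
    echo "kernel dropped ${pct}% of matched packets: add -n or raise -B" >&2
fi
```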