Example 5) Capture packets and save them to a file (-w option)
Use the -w option of the tcpdump command to save the captured TCP/IP packets to a file, so that they can be analysed later in more detail.
Syntax:
    # tcpdump -w filename.pcap -i {interface-name}
Note: the file extension must be .pcap.
Suppose I want to save the packets captured on the enp0s3 interface to a file named enp0s3-26082018.pcap.
    [root@compute-0-1 ~]# tcpdump -w enp0s3-26082018.pcap -i enp0s3
The command above produces output like the following:
    [root@compute-0-1 ~]# tcpdump -w enp0s3-26082018.pcap -i enp0s3
    tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C841 packets captured
    845 packets received by filter
    0 packets dropped by kernel
    [root@compute-0-1 ~]# ls
    anaconda-ks.cfg  enp0s3-26082018.pcap
    [root@compute-0-1 ~]#
Capture and save packets whose size is greater than N bytes:
    [root@compute-0-1 ~]# tcpdump -w enp0s3-26082018-2.pcap greater 1024
Capture and save packets whose size is less than N bytes:
    [root@compute-0-1 ~]# tcpdump -w enp0s3-26082018-3.pcap less 1024
Example 6) Read packets from a saved file (-r option)
In the example above we saved the captured packets to a file; those packets can be read back from the file with the -r option, as shown below:
    [root@compute-0-1 ~]# tcpdump -r enp0s3-26082018.pcap
Read the packet contents with human-readable timestamps:
    [root@compute-0-1 ~]# tcpdump -tttt -r enp0s3-26082018.pcap
    reading from file enp0s3-26082018.pcap, link-type EN10MB (Ethernet)
    2018-08-25 22:03:17.249648 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1426167803:1426167927, ack 3061962134, win 291, options [nop,nop,TS val 81358717 ecr 20378789], length 124
    2018-08-25 22:03:17.249840 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 124, win 564, options [nop,nop,TS val 20378791 ecr 81358717], length 0
    2018-08-25 22:03:17.454559 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 1079416895, win 1432, options [nop,nop,TS val 81352560 ecr 81353913], length 0
    2018-08-25 22:03:17.454642 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 1, win 237, options [nop,nop,TS val 81358922 ecr 81317504], length 0
    2018-08-25 22:03:17.646945 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [.], seq 106760587:106762035, ack 688390730, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 1448
    2018-08-25 22:03:17.647043 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [P.], seq 1448:1956, ack 1, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 508
    2018-08-25 22:03:17.647502 IP controller0.example.com.amqp > compute-0-1.example.com.57788: Flags [.], ack 1956, win 1432, options [nop,nop,TS val 81352753 ecr 81359114], length 0
    ...
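The two examples above write a capture with -w and read it back with -r, optionally narrowed with the greater N / less N size primitives and printed with -tttt timestamps. To show what is actually inside such a file, here is an added Python example (not code from the original tutorial or from the tcpdump project) that writes and parses the classic pcap layout tcpdump uses: a 24-byte global header (magic, version, snaplen, link type) followed by one 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) plus frame bytes per packet. It also applies the greater/less filters the way pcap-filter(7) defines them (inclusive, on the on-the-wire length) and formats timestamps in the -tttt style. It goes slightly beyond the page by handling byte-swapped files, snaplen truncation and a capture cut off mid-write. The function names, the constructed sample frames and their timestamps are assumptions made for this illustration.

```python
"""Minimal reader/writer for the classic pcap format that `tcpdump -w` produces
and `tcpdump -r` consumes, plus the `greater N` / `less N` length filters.
Added example; not part of the original tutorial or the tcpdump project."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-timestamp pcap (what tcpdump -w writes by default)
LINKTYPE_ETHERNET = 1          # shown by tcpdump as "link-type EN10MB (Ethernet)"
GLOBAL_HDR = "IHHiIII"         # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"            # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def write_pcap(packets, snaplen=262144, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into a pcap byte string.
    Frames longer than snaplen are truncated on disk but keep their original
    length in orig_len, which is what the "capture size" banner refers to."""
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        saved = frame[:snaplen]
        out += struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(saved), len(frame))
        out += saved
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap byte string. Returns (linktype, snaplen, records); each record
    is a dict with ts_sec, ts_usec, incl_len, orig_len and data. Raises ValueError
    on a bad magic number or a truncated/corrupt record (e.g. a capture that was
    killed while tcpdump was still writing)."""
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        end = "<"                       # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                       # byte-swapped: written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + GLOBAL_HDR, blob[:24])
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + RECORD_HDR, blob[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(blob):
            raise ValueError("corrupt or truncated record at offset %d" % off)
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
                        "orig_len": orig_len, "data": blob[off:off + incl_len]})
        off += incl_len
    return linktype, snaplen, records


def length_filter(records, expr):
    """Apply tcpdump's `greater N` / `less N` primitive to parsed records.
    pcap-filter(7) defines them inclusively: `greater N` is len >= N and
    `less N` is len <= N, where len is the on-the-wire length (orig_len)."""
    op, n = expr.split()
    n = int(n)
    if op == "greater":
        return [r for r in records if r["orig_len"] >= n]
    if op == "less":
        return [r for r in records if r["orig_len"] <= n]
    raise ValueError("unsupported filter: " + expr)


def fmt_ts(rec):
    """Render a record timestamp the way `tcpdump -tttt` does (here in UTC;
    tcpdump itself prints local time)."""
    t = datetime.fromtimestamp(rec["ts_sec"], tz=timezone.utc)
    return "%s.%06d" % (t.strftime("%Y-%m-%d %H:%M:%S"), rec["ts_usec"])


def pcap_error(blob):
    """Return the parse error message for blob, or None if it parses cleanly."""
    try:
        read_pcap(blob)
        return None
    except ValueError as e:
        return str(e)


# Constructed sample capture (assumption, not real traffic): three Ethernet-sized
# filler frames with timestamps chosen to match the page's output (2018-08-25
# 22:03:17 UTC) so fmt_ts() reproduces the first -tttt line's timestamp.
SAMPLE_PACKETS = [
    (1535234597, 249648, b"\x00" * 66),    # typical pure-ACK frame
    (1535234597, 646945, b"\x00" * 1514),  # full-MTU data frame
    (1535234597, 647043, b"\x00" * 574),   # 508-byte TCP payload plus headers
]
SAMPLE_PCAP = write_pcap(SAMPLE_PACKETS)


def demo():
    """Replay the page's workflow: write with -w, read with -r, filter by size."""
    linktype, snaplen, recs = read_pcap(SAMPLE_PCAP)
    return {
        "captured": len(recs),
        "linktype": linktype,
        "first_ts": fmt_ts(recs[0]),
        "greater_1024": [r["orig_len"] for r in length_filter(recs, "greater 1024")],
        "less_1024": [r["orig_len"] for r in length_filter(recs, "less 1024")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

One practical point the parser makes visible: a capture that is interrupted while tcpdump is still writing can leave a final record whose incl_len claims more bytes than exist, and tools that trust the header blindly will misread it; read_pcap refuses such a file rather than returning a partial last packet.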