Linux系統網路抓包工具 tcpdump

linux抓包是通過註冊一種虛擬的底層網路協議來完成對網路報文（準確的是網路裝置）訊息的處理權。

命令：# netstat -i

1、型別的關鍵字

2、確定方向的關鍵字

3、協議的關鍵字（預設是所有協議的資訊包）

4、其它關鍵字

5、常用表示式

6、引數詳解

[root@bigdata ~]#tcpdump host 192.168.109.128 -i ens33 -c 10 -l -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens33, link-type en10mb (ethernet), capture size 262144 bytes

11:36:31.028164 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 2358425116:2358425312, ack 1911991573, win 263, length 196

11:36:31.031720 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 196:376, ack 1, win 263, length 180

11:36:31.032504 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 376:540, ack 1, win 263, length 164

11:36:31.033794 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 540:704, ack 1, win 263, length 164

11:36:31.034520 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 704:868, ack 1, win 263, length 164

11:36:31.035510 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 868:1032, ack 1, win 263, length 164

11:36:31.036110 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 1032:1196, ack 1, win 263, length 164

11:36:31.037443 ip 192.168.109.1.50211 > 192.168.109.128.ssh: flags [.], ack 376, win 253, length 0

11:36:31.038184 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 1196:1360, ack 1, win 263, length 164

11:36:31.042285 ip 192.168.109.1.50211 > 192.168.109.128.ssh: flags [.], ack 704, win 251, length 0

10 packets captured

10 packets received by filter

0 packets dropped by kernel

第一行：tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

使用選項v和vv，可以看出更全的詳細內容。

第二行：listening on ens33, link-type en10mb (ethernet), capture size 262144 bytes

說明監聽的是ens33這個nic裝置的網路包，且它的鏈路層是基於乙太網的，要抓的包大小限制262144，裝包大小限制可以用利用-s來控制。

第三行：11:36:31.028164 ip 192.168.109.128.ssh > 192.168.109.1.50211: flags [p.], seq 2358425116:2358425312, ack 1911991573, win 263, length 196

11:36:31.028164：抓包時間為時、分、秒、微妙