Common options
- -i : specify the capture interface, for example
tcpdump -i eth0
- -w file.pcap : save the captured packets to file.pcap, especially when they are to be handed to Wireshark for analysis
- -nn : do not resolve host and port names (print numeric addresses and ports)
- -xx : print the packet contents in HEX and ASCII
- -c 5 : stop after capturing 5 packets
FLAGS field
- S : SYN, normally the first packet of the TCP three-way handshake
- S. : SYN+ACK, normally the second packet of the three-way handshake
- . : ACK; a lone ACK is a plain acknowledgement, and the third packet of the three-way handshake carries only this flag
- F : FIN
- P : PUSH
- R : RST
- U : URG
- W : ECN CWR
- E : ECN-Echo
1. Capturing the three-way handshake
Using www.baidu.com as the example
- Look up the IP of www.baidu.com, for example 180.101.50.242
- Access www.baidu.com by that IP
curl -v --resolve www.baidu.com:443:180.101.50.242 https://www.baidu.com
- Capture command
# tcpdump -i wan -xx -nn 'tcp and (host 180.101.50.242)'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:37:58.706074 IP 192.168.71.99.58070 > 180.101.50.242.443: Flags [S], seq 1603245117, win 64240, options [mss 1460,sackOK,TS val 3258622839 ecr 0,nop,wscale 7], length 0
0x0000: 7cc9 26ef 0374 68ed a42a 7bdc 0800 4500
0x0010: 003c f38b 4000 4006 57cd c0a8 4763 b465
0x0020: 32f2 e2d6 01bb 5f8f 943d 0000 0000 a002
0x0030: faf0 1f9b 0000 0204 05b4 0402 080a c23a
0x0040: a377 0000 0000 0103 0307
16:37:58.717537 IP 180.101.50.242.443 > 192.168.71.99.58070: Flags [S.], seq 2565271776, ack 1603245118, win 8192, options [mss 1380,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
0x0000: 68ed a42a 7bdc 7cc9 26ef 0374 0800 4500
0x0010: 003c f38b 4000 3406 63cd b465 32f2 c0a8
0x0020: 4763 01bb e2d6 98e6 f0e0 5f8f 943e a012
0x0030: 2000 d9bc 0000 0204 0564 0402 0101 0101
0x0040: 0101 0101 0101 0103 0305
16:37:58.717717 IP 192.168.71.99.58070 > 180.101.50.242.443: Flags [.], ack 1, win 502, length 0
0x0000: 7cc9 26ef 0374 68ed a42a 7bdc 0800 4500
0x0010: 0028 f38c 4000 4006 57e0 c0a8 4763 b465
0x0020: 32f2 e2d6 01bb 5f8f 943e 98e6 f0e1 5010
0x0030: 01f6 5c53 0000
2. Capturing ICMP
# tcpdump -i wan -xx -nn 'icmp and (host 180.101.50.242)'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:46:37.271699 IP 192.168.71.99 > 180.101.50.242: ICMP echo request, id 6, seq 13, length 64
0x0000: 7cc9 26ef 0374 68ed a42a 7bdc 0800 4500
0x0010: 0054 614d 4000 4001 e9f8 c0a8 4763 b465
0x0020: 32f2 0800 6673 0006 000d ed1a e366 0000
0x0030: 0000 fe24 0400 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
16:46:37.281541 IP 180.101.50.242 > 192.168.71.99: ICMP echo reply, id 6, seq 13, length 64
0x0000: 68ed a42a 7bdc 7cc9 26ef 0374 0800 4500
0x0010: 0054 614d 4000 3401 f5f8 b465 32f2 c0a8
0x0020: 4763 0000 6e73 0006 000d ed1a e366 0000
0x0030: 0000 fe24 0400 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
16:46:38.272985 IP 192.168.71.99 > 180.101.50.242: ICMP echo request, id 6, seq 14, length 64
0x0000: 7cc9 26ef 0374 68ed a42a 7bdc 0800 4500
0x0010: 0054 617a 4000 4001 e9cb c0a8 4763 b465
0x0020: 32f2 0800 6a6d 0006 000e ee1a e366 0000
0x0030: 0000 f929 0400 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
16:46:38.282791 IP 180.101.50.242 > 192.168.71.99: ICMP echo reply, id 6, seq 14, length 64
0x0000: 68ed a42a 7bdc 7cc9 26ef 0374 0800 4500
0x0010: 0054 617a 4000 3401 f5cb b465 32f2 c0a8
0x0020: 4763 0000 726d 0006 000e ee1a e366 0000
0x0030: 0000 f929 0400 0000 0000 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
0x0060: 3637
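As an added example (not part of the original page), the following script decodes the raw `-xx` hex dumps above by hand: it strips the offset column, walks the Ethernet, IPv4 and TCP/ICMP headers, and renders the TCP flags byte with the same letters tcpdump uses, so that `a002`, `a012` and `5010` in the handshake packets come out as `S`, `S.` and `.`, and the ICMP echo headers from section 2 decode to their type, id and seq. The sample input is the three handshake packets copied from section 1; the function and variable names are the example's own.

```python
import struct

# Constructed input: the three handshake packets from this page, pasted as tcpdump -xx
# printed them (the "0xNNNN:" offsets are stripped by dump_to_bytes).
SYN_DUMP = """0x0000: 7cc9 26ef 0374 68ed a42a 7bdc 0800 4500
0x0010: 003c f38b 4000 4006 57cd c0a8 4763 b465
0x0020: 32f2 e2d6 01bb 5f8f 943d 0000 0000 a002
0x0030: faf0 1f9b 0000 0204 05b4 0402 080a c23a
0x0040: a377 0000 0000 0103 0307"""
SYNACK_DUMP = """0x0000: 68ed a42a 7bdc 7cc9 26ef 0374 0800 4500
0x0010: 003c f38b 4000 3406 63cd b465 32f2 c0a8
0x0020: 4763 01bb e2d6 98e6 f0e0 5f8f 943e a012
0x0030: 2000 d9bc 0000 0204 0564 0402 0101 0101
0x0040: 0101 0101 0101 0103 0305"""
ACK_DUMP = """0x0000: 7cc9 26ef 0374 68ed a42a 7bdc 0800 4500
0x0010: 0028 f38c 4000 4006 57e0 c0a8 4763 b465
0x0020: 32f2 e2d6 01bb 5f8f 943e 98e6 f0e1 5010
0x0030: 01f6 5c53 0000"""

# tcpdump's flag letters in TCP flag-bit order (bit 0 = FIN ... bit 7 = CWR);
# ACK is printed as "." so SYN+ACK shows up as "S." and a bare ACK as ".".
FLAG_LETTERS = "FSRP.UEW"

def tcpdump_flags(flags_byte):
    return "".join(FLAG_LETTERS[i] for i in range(8) if flags_byte >> i & 1) or "none"

def dump_to_bytes(dump):
    return bytes.fromhex("".join(l.split(":", 1)[1] for l in dump.strip().splitlines()))

def parse_packet(dump):
    """Decode Ethernet/IPv4 and the TCP or ICMP header from a -xx hex dump."""
    pkt = dump_to_bytes(dump)
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    info = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "proto": proto}
    l4 = ip[ihl:total_len]
    if proto == 6:  # TCP: ports, seq, ack, data offset + flags, window
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                    flags=tcpdump_flags(off_flags & 0xFF),
                    length=len(l4) - (off_flags >> 12) * 4)  # payload bytes, as tcpdump prints
    elif proto == 1:  # ICMP echo: type 8 = request, 0 = reply; id/seq follow the checksum
        info.update(type=l4[0], code=l4[1], id=struct.unpack("!H", l4[4:6])[0],
                    seq=struct.unpack("!H", l4[6:8])[0], length=len(l4))
    return info
```

The seq/ack values come out as the absolute numbers from the header; tcpdump prints them relative (ack 1) from the second packet onwards unless -S is given.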