Packet capture tools: tcpdump and tshark
[iyunv@daixuan ~]# yum install -y tcpdump
[iyunv@daixuan ~]# tcpdump -nn -c 10    # capture 10 packets; -c sets how many packets to capture before tcpdump exits
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:39:57.354725 IP 192.168.101.230.22 > 192.168.101.17.51607: Flags [P.], seq 3786299588:3786299796, ack 1814585678, win 290, options [nop,nop,TS val 29500201 ecr 9046194], length 208
20:39:57.355709 IP 192.168.101.230.22 > 192.168.101.17.51607: Flags [P.], seq 208:448, ack 1, win 290, options [nop,nop,TS val 29500202 ecr 9046194], length 240
20:39:57.355894 IP 192.168.101.17.51607 > 192.168.101.230.22: Flags [.], ack 448, win 260, options [nop,nop,TS val 9046199 ecr 29500201], length 0
[iyunv@daixuan ~]# tcpdump -nn -i eth0 -c 5    # -i eth0 captures only on the eth0 interface
[iyunv@daixuan ~]# tcpdump -nn -i eth0 port 22 -c 5    # port 22 restricts the capture to packets on port 22
[iyunv@daixuan ~]# tcpdump -nn tcp and port 80 and host 192.168.101.17    # host restricts the capture to packets to or from that host
[iyunv@daixuan ~]# tcpdump -r 1.cap    # -r reads a saved capture file and shows the packet flow it contains
[iyunv@daixuan ~]# tcpdump -nn tcp and port 80 -c 10 > 2.cap    # redirects the printed packet flow (text summary lines, not raw packets) into 2.cap
[iyunv@daixuan ~]# tcpdump -nn -c 10 -w 2.cap    # -w writes the raw packet contents into 2.cap
[iyunv@daixuan ~]# tcpdump -nn -s0 -c 10 -w 2.cap    # -s0 captures each packet in full; without -s0 packets are truncated
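The file produced by `> 2.cap` contains only the summary lines tcpdump prints, so it can be post-processed without Wireshark. The following Python parser is an added example, not part of the original notes: it parses `tcpdump -nn` summary lines (numeric addresses assumed; only lines ending in `length N` are handled) and aggregates packets and payload bytes per direction, using the three lines printed above as sample input.

```python
import re
from collections import defaultdict

# One summary line as printed by "tcpdump -nn": timestamp, IPv4 src.port > dst.port,
# optional TCP flags, and a trailing "length N" (payload bytes).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\],)?.*?length (?P<length>\d+)$"
)

def parse_line(line):
    """Return the fields of one tcpdump summary line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["length"] = int(d["length"])
    d["flags"] = d["flags"] or ""
    return d

def summarize(lines):
    """Aggregate packet count, payload bytes and TCP flags per (src, dst) direction."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    for line in lines:
        p = parse_line(line)
        if p is None:  # tcpdump banner lines, non-IP traffic, lines without a length
            continue
        key = (f"{p['src']}:{p['sport']}", f"{p['dst']}:{p['dport']}")
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += p["length"]
        f["flags"].update(c for c in p["flags"] if c != ".")  # "." is just ACK
    return dict(flows)

# Sample input: the banner and the three lines shown in the "tcpdump -nn -c 10" run above.
SAMPLE = """tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:39:57.354725 IP 192.168.101.230.22 > 192.168.101.17.51607: Flags [P.], seq 3786299588:3786299796, ack 1814585678, win 290, options [nop,nop,TS val 29500201 ecr 9046194], length 208
20:39:57.355709 IP 192.168.101.230.22 > 192.168.101.17.51607: Flags [P.], seq 208:448, ack 1, win 290, options [nop,nop,TS val 29500202 ecr 9046194], length 240
20:39:57.355894 IP 192.168.101.17.51607 > 192.168.101.230.22: Flags [.], ack 448, win 260, options [nop,nop,TS val 9046199 ecr 29500201], length 0
""".splitlines()

if __name__ == "__main__":
    for (src, dst), f in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: {f['packets']} pkts, {f['bytes']} bytes, flags {''.join(sorted(f['flags']))}")
```

Feed it a real file with `summarize(open("2.cap").read().splitlines())`; lines tcpdump printed without `-nn` (resolved hostnames) will not match and are skipped.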
[iyunv@daixuan ~]# yum install -y wireshark
[iyunv@daixuan ~]# rpm -qf `which tshark`    # the backticks substitute the output of `which tshark` (command substitution)
wireshark-1.8.10-17.el6.i686
[iyunv@daixuan ~]# tshark -nn    # capture with tshark
[iyunv@daixuan ~]# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"    # quick way to watch web requests as they happen: absolute timestamps, HTTP requests only, selected fields per line