大家都知道抓包指令:tcpdump 抓包的主要目的是测试端口、网络协议通不通,以及对抓取的数据包进行分析、测试,抓包对熟悉linux的大神都不陌生,网络对于我来说也是一窍不通,只是在这里记录一下自己在工作中常用到的一些抓包使用说明。
#抓取主机上所有来自四面八方的数据包
[root@AAA-caiji1 Log]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:37:02.100344 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (202), id: 0xa4 length: 345
11:37:02.100352 IP 133.38.7.145.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (137), id: 0x9b length: 33
#抓取本机指定网卡上的数据包,-i 指定的本机网卡eth0
[root@AAA-caiji1 Log]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:03:12.238556 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (177), id: 0x49 length: 480
10:03:12.238559 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (93), id: 0x27 length: 524
#监听本机端口数据包,指定网卡eth0,端口1812
[root@AAA-caiji1 Log]# tcpdump -i eth0 -s 0 port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:46:41.940333 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (130), id: 0x14 length: 606
11:46:41.940333 IP 133.38.7.146.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (160), id: 0xe4 length: 33
11:46:41.940894 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (131), id: 0x14 length: 606
#ICMP协议数据包(从一台主机对本机发起的ping)
[root@AAA-caiji1 Log]# tcpdump host 133.37.22.84
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:49:12.200801 IP 133.37.22.84 > 133.37.22.83: ICMP echo request, id 18010, seq 1, length 64
11:49:12.200954 IP 133.37.22.83 > 133.37.22.84: ICMP echo reply, id 18010, seq 1, length 64
#抓取来自于某个主机的数据包,src host x.x.x.x
[root@AAA-caiji1 Log]# tcpdump -i eth0 src host 133.38.7.144
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:06.768507 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (134), id: 0x22 length: 602
12:00:06.769007 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (135), id: 0x22 length: 344
12:00:06.769400 IP 133.38.7.144.11811 > 133.37.22.83.radius: RADIUS, Unknown Command (136), id: 0x22 length: 288
#抓包生成文件保存,将端口1812上抓到的包保存为b.cap文件,-w xxx.cap
[root@AAA-caiji1 Log]# tcpdump -i eth0 -s 0 port 1812 -w b.cap
抓包文件分析软件:Wireshark,对于各种抓包报文的解析规则,涉及更深层次的协议知识,后面会分享一篇关于redius协议的报文解析规则