How do I get absolute system time from the tcpdump output of an interface in monitor mode?


I am running Ubuntu 22.10 with a wireless interface (Netgear AXE3000, driver mt7921u) in monitor mode, capturing packets with tcpdump (because airodump-ng does not capture the radiotap headers).

I start the capture from a script with the following command: sudo tcpdump -i $1 -n -w pcap/tcpdump_$5_$4_ch$2.pcap

The pcap file shows relative timestamps starting at 0.000. I want to display the absolute system time. Precision is not important; +/- a few seconds is fine.

In the tcpdump man page I read: "-tttt Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line."

I tried a command like sudo tcpdump -tttt -i $1 -n -w pcap/tcpdump_$5_$4_ch$2.pcap. The output still contains the relative timestamps in the pcap output as a single number.

I tried tcpdump --list-time-stamp-types, and it only lists the enp0s31f6 Ethernet interface as "adapter_unsynced". It does not list the wlan0mon interface I am capturing on at all.

Do I need to synchronize the Ethernet interface to the system time? If so, how? And can a capture from the wlan0mon interface then be synchronized to the Ethernet interface?

Answer 1

When tcpdump's -w option is used to write out a binary file, some of the other options become meaningless and are not applied; that is dictated by the pcap format. You can read the binary file back with tcpdump and use whatever command-line options you need.

Example 1, using an intermediate binary file:

doug@s15:~$ sudo tcpdump -i br0 -c 20 -w example1.bin -Z doug
tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20 packets captured
23 packets received by filter
0 packets dropped by kernel
doug@s15:~$ ls -l ex*
-rw-r--r-- 1 doug doug 3058 Mar 26 10:11 example1.bin
doug@s15:~$ tcpdump -n -tttt -r example1.bin
reading from file example1.bin, link-type EN10MB (Ethernet), snapshot length 262144
2023-03-26 10:11:04.180583 IP 192.168.111.1.22 > 192.168.111.122.49902: Flags [P.], seq 2415497751:2415497875, ack 2843214249, win 501, length 124
2023-03-26 10:11:04.235389 IP 192.168.111.122.49902 > 192.168.111.1.22: Flags [.], ack 124, win 1024, length 0
2023-03-26 10:11:04.732544 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:11:04.839004 IP 192.168.111.123.45565 > 52.212.137.244.5223: Flags [P.], seq 929499870:929499920, ack 2175724221, win 274, options [nop,nop,TS val 1742330 ecr 4192344644], length 50
2023-03-26 10:11:04.987732 IP 52.212.137.244.5223 > 192.168.111.123.45565: Flags [P.], seq 1:47, ack 50, win 138, options [nop,nop,TS val 4192384644 ecr 1742330], length 46
2023-03-26 10:11:04.989452 IP 192.168.111.123.45565 > 52.212.137.244.5223: Flags [.], ack 47, win 274, options [nop,nop,TS val 1742367 ecr 4192384644], length 0
2023-03-26 10:11:05.129238 IP 192.168.111.123.43952 > 192.168.111.255.15600: UDP, length 35
2023-03-26 10:11:06.733610 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:11:07.936307 ARP, Request who-has 192.168.111.1 tell 192.168.111.124, length 46
2023-03-26 10:11:07.936331 ARP, Reply 192.168.111.1 is-at f4:6d:04:65:2d:8e, length 28
2023-03-26 10:11:08.734974 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:11:09.499809 ARP, Request who-has 192.168.111.1 tell 192.168.111.137, length 46
2023-03-26 10:11:09.499825 ARP, Reply 192.168.111.1 is-at f4:6d:04:65:2d:8e, length 28
2023-03-26 10:11:10.202306 ARP, Request who-has 192.168.111.123 tell 192.168.111.1, length 28
2023-03-26 10:11:10.204729 ARP, Reply 192.168.111.123 is-at 64:1c:ae:dc:c0:d3, length 46
2023-03-26 10:11:10.737445 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:11:11.128335 IP 192.168.111.123.54112 > 192.168.111.255.15600: UDP, length 35
2023-03-26 10:11:12.738204 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:11:14.740411 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:11:16.743034 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204

Example 2, with no intermediate binary file, saving a text file instead:

doug@s15:~$ sudo tcpdump -tttt -n -i br0 -c 20 > example.txt
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20 packets captured
41 packets received by filter
0 packets dropped by kernel
doug@s15:~$ ls -l example.txt
-rw-r--r-- 1 doug doug 2220 Mar 26 10:13 example.txt
doug@s15:~$ cat example.txt
2023-03-26 10:13:23.532099 IP 192.168.111.1.22 > 192.168.111.122.49902: Flags [P.], seq 2415508519:2415508707, ack 2843217909, win 501, length 188
2023-03-26 10:13:23.579772 IP 192.168.111.122.49902 > 192.168.111.1.22: Flags [.], ack 188, win 1022, length 0
2023-03-26 10:13:24.845673 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:13:26.846690 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:13:28.847504 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:13:29.152613 IP 192.168.111.123.55236 > 192.168.111.255.15600: UDP, length 35
2023-03-26 10:13:30.345180 IP 192.168.111.122.5353 > 224.0.0.251.5353: 0 PTR (QU)? _microsoft_mcc._tcp.local. (43)
2023-03-26 10:13:30.345780 IP6 fe80::27aa:2026:cbf8:31f.5353 > ff02::fb.5353: 0 PTR (QU)? _microsoft_mcc._tcp.local. (43)
2023-03-26 10:13:30.451259 IP 192.168.111.116.55008 > 66.110.49.114.443: Flags [.], seq 1684558270:1684558271, ack 2253231177, win 63805, length 1
2023-03-26 10:13:30.514875 IP 66.110.49.114.443 > 192.168.111.116.55008: Flags [.], ack 1, win 63672, length 0
2023-03-26 10:13:30.849755 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:13:31.346486 IP 192.168.111.122.5353 > 224.0.0.251.5353: 0 PTR (QM)? _microsoft_mcc._tcp.local. (43)
2023-03-26 10:13:31.346756 IP6 fe80::27aa:2026:cbf8:31f.5353 > ff02::fb.5353: 0 PTR (QM)? _microsoft_mcc._tcp.local. (43)
2023-03-26 10:13:32.849965 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:13:33.526249 ARP, Request who-has 192.168.111.1 tell 192.168.111.137, length 46
2023-03-26 10:13:33.526266 ARP, Reply 192.168.111.1 is-at f4:6d:04:65:2d:8e, length 28
2023-03-26 10:13:34.851497 IP 192.168.111.123.8001 > 224.0.0.7.8001: UDP, length 204
2023-03-26 10:13:35.144425 IP 192.168.111.116.55009 > 52.184.216.246.443: Flags [S], seq 1304893579, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2023-03-26 10:13:35.148849 IP 192.168.111.123.44690 > 192.168.111.255.15600: UDP, length 35
2023-03-26 10:13:35.215857 IP 52.184.216.246.443 > 192.168.111.116.55009: Flags [S.], seq 1012560742, ack 1304893580, win 65535, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
doug@s15:~$
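The answer's point is that the pcap file written by -w already carries absolute time; -tttt only changes how tcpdump's text decoder prints it, so it has no effect on a -w capture and must be given when the file is read back with -r. The following added example (not part of the answer above, written for this page and not tcpdump's own code) makes that visible without needing tcpdump installed: it writes a small constructed pcap in the classic format with the radiotap link type a monitor-mode capture uses (link type 127), reads the per-packet record headers back with the standard library, and shows both the absolute timestamp stored in the file and the "relative to first packet" view that makes a viewer display 0.000. The packet payloads, timestamps and file name are constructed placeholders, not data from the question or answer.

```python
"""Round-trip a classic pcap file to show where tcpdump's timestamps live.

Each packet record in a pcap file written with `tcpdump -w` starts with an
absolute timestamp (seconds since the Unix epoch plus a microsecond or
nanosecond fraction). A viewer that shows 0.000 for the first packet is
subtracting the first timestamp itself; the file still holds absolute time.
Uses only the standard library, so it runs without tcpdump installed.
"""
import os
import struct
import tempfile
from datetime import datetime, timezone

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond fractions
MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond fractions
LINKTYPE_IEEE802_11_RADIOTAP = 127  # link type of a monitor-mode capture

# Global header: magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR_FMT = "IHHiIII"
# Per-packet record header: ts_sec, ts_frac, incl_len, orig_len
RECORD_HDR_FMT = "IIII"


def write_pcap(path, records, linktype=LINKTYPE_IEEE802_11_RADIOTAP, nanosecond=False):
    """Write records of (ts_sec, ts_frac, payload) as a little-endian pcap."""
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    with open(path, "wb") as f:
        f.write(struct.pack("<" + GLOBAL_HDR_FMT, magic, 2, 4, 0, 0, 262144, linktype))
        for ts_sec, ts_frac, payload in records:
            f.write(struct.pack("<" + RECORD_HDR_FMT, ts_sec, ts_frac, len(payload), len(payload)))
            f.write(payload)


def read_pcap(path):
    """Yield (absolute UTC datetime, linktype, payload) for each record.

    Detects byte order and the nanosecond variant from the magic number, as
    libpcap does, and uses integer arithmetic so microseconds stay exact.
    """
    hdr_size = struct.calcsize(GLOBAL_HDR_FMT)
    rec_size = struct.calcsize(RECORD_HDR_FMT)
    with open(path, "rb") as f:
        raw = f.read(hdr_size)
        if len(raw) < hdr_size:
            raise ValueError("truncated pcap global header")
        for endian in ("<", ">"):
            magic = struct.unpack(endian + "I", raw[:4])[0]
            if magic in (MAGIC_USEC, MAGIC_NSEC):
                break
        else:
            raise ValueError("not a classic pcap file (magic %#x)" % struct.unpack("<I", raw[:4])[0])
        linktype = struct.unpack(endian + GLOBAL_HDR_FMT, raw)[6]
        frac_per_usec = 1000 if magic == MAGIC_NSEC else 1
        while True:
            rec = f.read(rec_size)
            if len(rec) < rec_size:
                return  # clean end of file (or a truncated trailing header)
            ts_sec, ts_frac, incl_len, _ = struct.unpack(endian + RECORD_HDR_FMT, rec)
            payload = f.read(incl_len)
            if len(payload) < incl_len:
                raise ValueError("truncated packet record")
            ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(
                microsecond=ts_frac // frac_per_usec)
            yield ts, linktype, payload


def timestamp_views(path):
    """Return [(absolute ISO-8601 string, seconds relative to the first packet)]."""
    out, first = [], None
    for ts, _, _ in read_pcap(path):
        if first is None:
            first = ts
        out.append((ts.isoformat(), (ts - first).total_seconds()))
    return out


def roundtrip_demo(nanosecond=False):
    """Write a constructed two-packet capture to a temp file and read it back."""
    scale = 1000 if nanosecond else 1
    # Constructed sample: 2023-03-26 10:11:04.180583 UTC and about 0.95 s later.
    # The 4-byte payload is a placeholder, not a real radiotap frame.
    records = [
        (1679825464, 180583 * scale, b"\x00\x00\x08\x00"),
        (1679825465, 129238 * scale, b"\x00\x00\x08\x00"),
    ]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed.pcap")
        write_pcap(path, records, nanosecond=nanosecond)
        return timestamp_views(path)


if __name__ == "__main__":
    for absolute, relative in roundtrip_demo():
        print(absolute, "%+.6f s" % relative)
```

The same record headers are what `tcpdump -n -tttt -r file.pcap` decodes; the absolute column is what -tttt prints, the relative column is what a 0.000-based display derives from it. One caveat worth keeping in mind when a capture must be correlated with other logs: the timestamps are taken from the capturing host's clock (tcpdump's time stamp type was reported as adapter_unsynced for the Ethernet interface in the question, meaning the host clock rather than a synchronized adapter clock), so the absolute values are only as accurate as that clock.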
