How to show the interface in the tcpdump output stream?

This seems like a fairly trivial question, but after some searching I still can't find an answer. tcpdump can be run with "any" as the interface description, i.e.:

 # tcpdump -i any -n host 192.168.0.1

Is there any way to force tcpdump to show on which interface a packet was captured?

Update:

As more and more people confirm that this is probably not possible with vanilla tcpdump, can anyone suggest a way to solve the problem above? Perhaps with a different sniffer?

The general problem is this: on a system with 50 interfaces, determine the inbound interface of packets coming from a specific IP address.

Answer 1

I hope someone is still interested in a solution to this problem. ;) We ran into the same issue at our company and I started writing a script for it.

I wrote a blog post with the source code and screenshots.

I am also sharing it below...

Here is the code (be sure to check my website for future updates):

#!/bin/bash
#===================================================================================
#
# FILE: dump.sh
# USAGE: dump.sh [-i interface] [tcpdump-parameters]
# DESCRIPTION: tcpdump on any interface and add the prefix [Interface:xy] in front of the dump data.
# OPTIONS: same as tcpdump
# REQUIREMENTS: tcpdump, sed, ifconfig, kill, awk, grep, posix regex matching
# BUGS:  ---
# FIXED: - In 1.0 The parameter -w would not work without -i parameter as multiple tcpdumps are started.
#        - In 1.1 VLAN's would not be shown if a single interface was dumped.
# NOTES: ---
#        - 1.2 git initial
# AUTHOR: Sebastian Haas
# COMPANY: pharma mall
# VERSION: 1.2
# CREATED: 16.09.2014
# REVISION: 22.09.2014
#
#===================================================================================

# When this exits, exit all background processes:
trap 'kill $(jobs -p) &> /dev/null && sleep 0.2 &&  echo ' EXIT
# Create one tcpdump output per interface and add an identifier to the beginning of each line:
if [[ "$*" =~ -i[[:space:]]?[^[:space:]]+ ]]; then
    # A single interface was requested: take its name from the matched "-i xy" (or "-ixy").
    iface="${BASH_REMATCH[0]#-i}"
    iface="${iface# }"
    tcpdump -l "$@" | sed 's/^/[Interface:'"$iface"'] /' &
else
    # No interface given: start one tcpdump per interface. The trailing sed strips the
    # ':' that newer net-tools ifconfig prints after the interface name ("eth0: flags=...").
    for interface in $(ifconfig | grep '^[a-z0-9]' | awk '{print $1}' | sed 's/:$//')
    do
       tcpdump -l -i "$interface" -nn "$@" | sed 's/^/[Interface:'"$interface"']    /' &
    done
fi
# wait .. until CTRL+C
wait

Answer 2

You can use the -e option to print the Ethernet header; you can then correlate the src/dst MAC addresses with your network interfaces ;).

Answer 3

Note that tcpdump 4.99 now shows the interface name and direction in the output:

[vagrant@localhost]$sudo tcpdump -i any arp
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:38:49.662151 br-ex Out ARP, Request who-has 172.18.1.10 tell localhost.localdomain, length 28
18:38:49.662432 br-ex In  ARP, Reply 172.18.1.10 is-at fa:16:3e:31:b9:10 (oui Unknown), length 28

Interface br-ex, as shown above.
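An added example, not part of any answer on this page: it reads the tcpdump 4.99 "-i any" text output shown above (the "time iface In/Out proto ..." layout) and counts on which interfaces IPv4 packets from a given source address arrived, which is the question's original goal. The sample lines are constructed, and only "IP" lines are handled (IP6 and ARP are ignored).

```shell
#!/bin/sh
# Added example (not from the answers above): summarise, per interface, inbound
# IPv4 packets from one source address using the interface/direction columns that
# tcpdump 4.99 prints for "-i any" (LINUX_SLL2). Reads saved text, so it runs offline.

# Constructed sample of "tcpdump -i any -nn -l" output (not a real capture):
SAMPLE='18:38:49.662151 br-ex Out ARP, Request who-has 172.18.1.10 tell 172.18.1.1, length 28
18:38:49.662432 br-ex In  ARP, Reply 172.18.1.10 is-at fa:16:3e:31:b9:10, length 28
18:38:50.100001 eth1  In  IP 10.0.0.5.51234 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
18:38:50.100201 eth1  Out IP 10.0.0.1.22 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
18:38:50.300001 eth2  In  IP 10.0.0.5.51235 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
18:38:50.400001 eth1  In  IP 10.0.0.5.51236 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
18:38:50.500001 eth2  In  IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64'

# inbound_ifaces IP: read tcpdump text on stdin and print "interface count" for
# inbound IPv4 packets whose source is IP, most frequent interface first.
inbound_ifaces() {
    awk -v ip="$1" '
        # field layout with -i any on tcpdump 4.99: $1 time, $2 iface, $3 In/Out,
        # $4 protocol, $5 source as a.b.c.d or a.b.c.d.port
        $3 == "In" && $4 == "IP" {
            src = $5
            # strip the port only when it is present (ICMP lines have none)
            if (split(src, p, ".") == 5) src = p[1] "." p[2] "." p[3] "." p[4]
            if (src == ip) n[$2]++
        }
        END { for (i in n) print i, n[i] }' | sort -k2,2nr -k1,1
}

# Live use (tcpdump must stop for awk to reach END, hence -c):
#   sudo tcpdump -l -nn -i any -c 500 src host 10.0.0.5 | inbound_ifaces 10.0.0.5
printf '%s\n' "$SAMPLE" | inbound_ifaces 10.0.0.5
```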

Answer 4

To add to Sebastian Haas's excellent bash script: I had to simplify his script because it failed on this line: tcpdump -l $@ | sed 's/^/[Interface:'"${BASH_REMATCH[0]:2}"'] /' &

While it is not as flexible as the original script, it is more likely to run on stripped-down Linux systems.

#!/bin/sh
interfaces="eth0 ip6tnl1" # Interfaces list separated by whitespace
#===================================================================================
#
# FILE: dump-stripped.sh
# USAGE: dump.sh [tcpdump-parameters]
# DESCRIPTION: tcpdump on any interface and add the prefix [Interface:xy] in
#               front of the dump data. Simplified to work in more limited env.
# OPTIONS: similar to tcpdump
# REQUIREMENTS: tcpdump, sed, ifconfig, kill, awk, grep, posix regex matching
# AUTHOR: Sebastian Haas (Stripped down By Brian Khuu)
#
#===================================================================================

# When this exits, exit all background processes.
# (POSIX sh has no "&>": under dash it would background the kill instead of silencing it.)
trap 'kill $(jobs -p) > /dev/null 2>&1 && sleep 0.2 && echo' EXIT

# Create one tcpdump output per interface and add an identifier to the beginning of each line.
# tcpdump's stderr (the "listening on ..." banner of every instance) is silenced here;
# drop the redirection if a capture fails without any message.
for interface in $interfaces
do
    tcpdump -l -i "$interface" -nn "$@" 2>/dev/null | sed 's/^/[Interface:'"$interface"'] /' &
done

# wait .. until CTRL+C
wait

You might also be interested in the current GitHub issue about this missing feature: https://github.com/the-tcpdump-group/tcpdump/issues/296