How do I dump raw packets from an existing TCP socket with tcpdump on Mac and Linux?

Once I know the IP address and port number combination, I can run this to see some packets:

tcpdump | grep [IP address]

Does anyone know how I can now see the raw packets?

Thanks!

Answer 1

From the tcpdump(1) man page:

   -x     When  parsing  and printing, in addition to printing
          the headers of each packet, print the data  of  each
          packet  (minus  its  link level header) in hex.  The
          smaller of the entire packet or snaplen  bytes  will
          be printed.  Note that this is the entire link-layer
          packet, so for link layers that pad (e.g. Ethernet),
          the  padding  bytes  will  also  be printed when the
          higher layer packet is  shorter  than  the  required
          padding.

   -xx    When  parsing  and printing, in addition to printing
          the headers of each packet, print the data  of  each
          packet, including its link level header, in hex.

   -X     When  parsing  and printing, in addition to printing
          the headers of each packet, print the data  of  each
          packet  (minus  its  link  level  header) in hex and
          ASCII.  This is very handy for analysing new  proto‐
          cols.

   -XX    When  parsing  and printing, in addition to printing
          the headers of each packet, print the data  of  each
          packet,  including its link level header, in hex and
          ASCII.

These options may vary between versions of tcpdump. See your system's man page.

Perhaps easier to work with is a pcap dump file, created with

   -w     Write the raw packets to file  rather  than  parsing
          and  printing  them  out.  They can later be printed
          with the -r option.  Standard output is used if file
          is ``-''.

          This output will be buffered if written to a file or
          pipe, so a program reading from the file or pipe may
          not  see  packets  for  an  arbitrary amount of time
          after they are received.  Use the -U flag  to  cause
          packets to be written as soon as they are received.

and then opened in Wireshark.

By the way, grepping tcpdump's output is not a good habit (in verbose mode each packet's dump spans multiple lines). Consider using something like tcpdump host 10.0.0.1, tcpdump net 10.0.0.0/24 or tcpdump port 80 instead. The full filter syntax is in pcap-filter(7).
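Added example, not part of the answer above: a small Python reader for the file that `tcpdump -w` writes, which applies the equivalent of a `host`/`port` filter and prints each matching TCP payload in the same hex-and-ASCII layout `-X` uses. It assumes a classic pcap file (tcpdump's default output, not the pcapng that Wireshark saves by default), Ethernet link type without VLAN tags, and IPv4. The sample capture it parses is constructed inside the block; the function and variable names are my own.

```python
import socket
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond pcap written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # same file written by a big-endian host
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6 or len(frame) < 14 + ihl + 20:  # protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", frame, 14 + 2)[0]
    src = socket.inet_ntoa(frame[14 + 12:14 + 16])
    dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    # Slice to the IP total length so Ethernet trailer padding (the -x caveat) is dropped.
    payload = frame[tcp_off + data_off:14 + total_len]
    return src, dst, sport, dport, payload


def matches(pkt, host=None, port=None):
    """Equivalent of the pcap-filter expression 'host H and port P' (either side)."""
    src, dst, sport, dport, _ = pkt
    if host is not None and host not in (src, dst):
        return False
    if port is not None and port not in (sport, dport):
        return False
    return True


def hexdump(data, width=16):
    """Render bytes in the offset / hex-pairs / ASCII layout that tcpdump -X prints."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{i:04x}:  {hexpart:<40}  {asc}")
    return "\n".join(lines)


def dump_payloads(pcap_bytes, host=None, port=None):
    """Return [(src:sport, dst:dport, payload)] for TCP packets passing the filter."""
    out = []
    for _ts_sec, _ts_usec, frame in read_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt and matches(pkt, host, port):
            src, dst, sport, dport, payload = pkt
            out.append((f"{src}:{sport}", f"{dst}:{dport}", payload))
    return out


# --- constructed sample capture (no real traffic; checksums are left at zero) ---
def tcp_frame(src_ip, dst_ip, sport, dport, payload):
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in records)
    return hdr + body


SAMPLE_PCAP = build_pcap([
    (1700000000, tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1700000001, tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, b"HTTP/1.0 200 OK\r\n")),
    (1700000002, tcp_frame("10.0.0.3", "10.0.0.9", 5555, 22, b"SSH-2.0-x\r\n")),
])

if __name__ == "__main__":
    # Usage: python dump.py capture.pcap [host] [port]; without arguments the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    host = sys.argv[2] if len(sys.argv) > 2 else "10.0.0.1"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    for src, dst, payload in dump_payloads(data, host=host, port=port):
        print(f"{src} > {dst}: {len(payload)} bytes")
        print(hexdump(payload))
```

Feed it a file produced with `tcpdump -i en0 -w capture.pcap host 10.0.0.1 and port 80` (the filter at capture time keeps the file small; the reader's own filter is for slicing an existing file). If tcpdump was given `-s` with a snaplen smaller than the packets, the payload slice is truncated at the snaplen, exactly as the man page warns for `-x`.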
