Once I know the IP address and port number combination, I can run this to see some packets:
tcpdump | grep [IP address]
Does anyone know how I can see the raw packets now?
Thanks!
Answer 1
From the tcpdump(1) man page:
-x When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet (minus its link level header) in hex. The
smaller of the entire packet or snaplen bytes will
be printed. Note that this is the entire link-layer
packet, so for link layers that pad (e.g. Ethernet),
the padding bytes will also be printed when the
higher layer packet is shorter than the required
padding.
-xx When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet, including its link level header, in hex.
-X When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet (minus its link level header) in hex and
ASCII. This is very handy for analysing new protocols.
-XX When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet, including its link level header, in hex and
ASCII.
These options may differ between versions of tcpdump. See your system's man page.
Perhaps easier to work with is the pcap dump file created by
-w Write the raw packets to file rather than parsing
and printing them out. They can later be printed
with the -r option. Standard output is used if file
is ``-''.
This output will be buffered if written to a file or
pipe, so a program reading from the file or pipe may
not see packets for an arbitrary amount of time
after they are received. Use the -U flag to cause
packets to be written as soon as they are received.
Then open it in Wireshark.
By the way, grepping tcpdump's output is not a good habit (in verbose mode each packet's dump spans several lines). Consider using something like tcpdump host 10.0.0.1 or tcpdump net 10.0.0.0/24 or tcpdump port 80 instead. The full filter syntax is in pcap-filter(7).
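Added example, not part of the original answer: a small Python script that reads a classic pcap file (the format `tcpdump -w` produces), applies a `host`/`port` selection equivalent to the pcap-filter primitives mentioned above, and prints each matching packet the way `tcpdump -X` does (hex plus ASCII, Ethernet header stripped; `keep_link_header=True` gives the `-XX` form). The capture it reads is constructed inline (three Ethernet/IPv4/TCP frames with zero checksums), so it runs offline; pass the bytes of a real `-w` file to `dump()` to use it on an actual capture. Only Ethernet (linktype 1) captures are handled, and the helper names are this example's own.

```python
"""Read a classic pcap file (what `tcpdump -w` writes), apply a host/port
filter, and print each matching packet in `tcpdump -X` style (hex + ASCII,
link-layer header stripped). The sample capture below is constructed inline."""
import socket
import struct

ETH_HDR_LEN = 14            # Ethernet II header length (pcap linktype 1, DLT_EN10MB)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, orig_len, packet_bytes) for each record in a pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:          # written on a little-endian host
        e = "<"
    elif magic == 0xD4C3B2A1:        # written on a big-endian host
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _, linktype = struct.unpack_from(e + "IHHiIII", data, 0)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len


def decode_ipv4(pkt: bytes):
    """Return (src, dst, proto, sport, dport) for an Ethernet/IPv4 frame, else None."""
    if len(pkt) < ETH_HDR_LEN + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", pkt, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = pkt[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, dst, proto, sport, dport


def matches(pkt: bytes, host=None, port=None) -> bool:
    """Mimic the pcap-filter primitives `host X` and `port N` (either direction)."""
    info = decode_ipv4(pkt)
    if info is None:
        return False
    src, dst, _, sport, dport = info
    if host is not None and host not in (src, dst):
        return False
    if port is not None and port not in (sport, dport):
        return False
    return True


def hexdump_x(pkt: bytes, keep_link_header=False):
    """Format a packet like `tcpdump -X` (or `-XX` when keep_link_header=True)."""
    body = pkt if keep_link_header else pkt[ETH_HDR_LEN:]
    lines = []
    for i in range(0, len(body), 16):
        chunk = body[i:i + 16]
        hexpart = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("\t0x%04x:  %-39s  %s" % (i, hexpart, text))
    return lines


def build_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample; checksums are left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)  # PSH+ACK
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Write frames into a little-endian classic pcap blob, as `tcpdump -w` would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample capture: an HTTP request/response pair plus an unrelated SSH banner.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.2", "10.0.0.1", 80, 40000, b"HTTP/1.0 200 OK\r\n"),
    build_frame("10.0.0.3", "10.0.0.9", 5000, 22, b"SSH-2.0-x\r\n"),
])


def dump(data: bytes, host=None, port=None, keep_link_header=False):
    """Return the -X style dump (list of lines) of the packets matching host/port."""
    lines = []
    for ts_sec, ts_usec, orig_len, pkt in parse_pcap(data):
        if not matches(pkt, host, port):
            continue
        src, dst, _, sport, dport = decode_ipv4(pkt)
        lines.append("%d.%06d IP %s.%s > %s.%s, length %d"
                     % (ts_sec, ts_usec, src, sport, dst, dport, orig_len))
        lines.extend(hexdump_x(pkt, keep_link_header))
    return lines


if __name__ == "__main__":
    # Equivalent of: tcpdump -r capture.pcap -X host 10.0.0.1 and port 80
    print("\n".join(dump(SAMPLE_PCAP, host="10.0.0.1", port=80)))
```

The filter is applied after parsing rather than as a BPF program, which is why it only knows `host` and `port`; for anything richer, write the `-w` file and let tcpdump or Wireshark do the filtering.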