tcpdump usage examples
Preface
I have been digging into kubernetes networking for a while, including using keepalived for a highly available VIP, and have often had to troubleshoot network problems along the way. Here I take the chance to tidy up how tcpdump is used; if anything is poorly written, fellow practitioners are welcome to throw bricks.
Note:
The example environment is a kubernetes cluster consisting of a k8s master node and k8s work nodes, all of them VMs.
- List the network interfaces tcpdump can capture on
[root@10-10-40-110 ~]# tcpdump -D
1.eth0
2.docker0
3.cni0
4.vethd0fd7a3f
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)
7.eth1
8.flannel.1
9.usbmon1 (USB bus number 1)
10.vetha5e14de7
11.veth5b9890d0
12.vethf6e5a39c
13.veth59af7cc7
14.vethf98a2823
15.veth628e2234
16.veth861a08f6
17.veth0912b7b6
18.vethf2889e2b
19.vethd7109cca
20.veth421502a4
21.vethf561756e
22.any (Pseudo-device that captures on all interfaces)
23.lo [Loopback]
[root@10-10-40-110 ~]#
- Capture on the eth0 interface
[root@10-10-40-110 ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
- Capture on all interfaces (requires promiscuous mode, Linux kernel >= 2.2)
[root@10-10-40-110 ~]# tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
- Capture with verbose output
  Note: without an interface argument tcpdump listens on the first network interface by default, which in this environment is eth0
[root@10-10-40-110 ~]# tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
- Capture with more verbose output
[root@10-10-40-110 ~]# tcpdump -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
- Capture with the most verbose output
[root@10-10-40-110 ~]# tcpdump -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:03:19.298070 IP (tos 0x12,ECT(0), ttl 64, id 7354, offset 0, flags [DF], proto TCP (6), length 176)
- Capture with verbose output and print each packet in hex and ASCII, excluding the link-level header
[root@10-10-40-110 ~]# tcpdump -v -X
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:04:46.063040 IP (tos 0x12,ECT(0), ttl 64, id 19261, offset 0, flags [DF], proto TCP (6), length 176)
- Capture with verbose output and print each packet in hex and ASCII, including the link-level header
[root@10-10-40-110 ~]# tcpdump -v -XX
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:40:45.439798 IP (tos 0x12,ECT(0), ttl 64, id 34723, offset 0, flags [DF], proto TCP (6), length 176)
- Capture in quiet mode (less output than the default)
[root@10-10-40-110 ~]# tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
- Limit the number of packets captured
[root@10-10-40-110 ~]# tcpdump -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:49:00.612030 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 2802886126:2802886314, ack 3182814556, win 1432, options [nop,nop,TS val 454928787 ecr 807548508], length 188
21:49:00.612519 IP 10-10-40-110.44078 > public1.114dns.com.domain: 11925+ PTR? 65.0.121.121.in-addr.arpa. (43)
21:49:00.623275 IP public1.114dns.com.domain > 10-10-40-110.44078: 11925 NXDomain 0/1/0 (106)
21:49:00.624629 IP 10-10-40-110.51033 > public1.114dns.com.domain: 25277+ PTR? 110.40.10.10.in-addr.arpa. (43)
21:49:00.635649 IP public1.114dns.com.domain > 10-10-40-110.51033: 25277 NXDomain* 0/1/0 (78)
21:49:00.635906 IP 10-10-40-110.39356 > public1.114dns.com.domain: 9087+ PTR? 114.114.114.114.in-addr.arpa. (46)
21:49:00.635952 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 188:408, ack 1, win 1432, options [nop,nop,TS val 454928811 ecr 807548508], length 220
21:49:00.644312 IP 121.121.0.65.54289 > 10-10-40-110.ssh: Flags [.], ack 188, win 32762, options [nop,nop,TS val 807549151 ecr 454928787], length 0
21:49:00.646272 IP public1.114dns.com.domain > 10-10-40-110.39356: 9087 1/0/0 PTR public1.114dns.com. (78)
21:49:00.646443 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 408:1396, ack 1, win 1432, options [nop,nop,TS val 454928821 ecr 807549151], length 988
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@10-10-40-110 ~]#
- Save the captured data to a file with a .cap suffix
  Note: to save the data to a file and still watch the output in the terminal, combine tcpdump with tee and a pipe: tcpdump -w - | tee capture.cap | tcpdump -r - (-w - writes the raw capture to stdout, tee copies it into the file, and the second tcpdump decodes the copy for the terminal)
[root@10-10-40-110 ~]# tcpdump -c 10 -w capture.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@10-10-40-110 ~]#
Check the file type
[root@10-10-40-110 ~]# file capture.cap
capture.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
[root@10-10-40-110 ~]#
Viewing it directly with cat is useless, it is all garbage; to inspect the contents of a saved .cap file, read it with tcpdump -r.
- Read a saved cap file
[root@10-10-40-110 ~]# tcpdump -r capture.cap
reading from file capture.cap, link-type EN10MB (Ethernet)
21:51:09.223140 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 2802890002:2802890126, ack 3182816820, win 1432, options [nop,nop,TS val 455057398 ecr 807672709], length 124
21:51:09.596238 IP 121.121.0.65.54289 > 10-10-40-110.ssh: Flags [.], ack 124, win 32764, options [nop,nop,TS val 807673597 ecr 455057398], length 0
21:51:09.732159 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:10.732853 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:10.841674 STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102
21:51:11.055641 ARP, Request who-has 10-10-40-110 tell 10.10.40.2, length 28
21:51:11.055657 ARP, Reply 10-10-40-110 is-at fa:8a:41:0f:73:00 (oui Unknown), length 28
21:51:11.733994 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:12.735129 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:12.841619 STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102
[root@10-10-40-110 ~]#
- Read the saved capture data with the most verbose output
[root@10-10-40-110 ~]# tcpdump -vvv -r capture.cap
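The VRRP advertisements in the capture above are exactly what you look at when a keepalived VIP misbehaves. The following is an added example, not part of the original post: it summarises tcpdump's text output per vrid and source, so that two nodes both advertising the same vrid (two MASTERs at once) stand out. The sample lines are constructed in the line format shown above; hostnames, addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the VRRP advertisements
# in "tcpdump -r capture.cap" text output, so a keepalived VIP problem such as
# two nodes both acting as MASTER for one vrid shows up at a glance.
# The sample below is constructed in the line format shown above; it parses the
# same with -nn output, since only the source field and the vrid/prio tokens are used.
SAMPLE='21:51:09.732159 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:10.732853 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:10.841674 STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102
21:51:11.055641 ARP, Request who-has 10-10-40-110 tell 10.10.40.2, length 28
21:51:11.733994 IP 10.10.40.104 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:12.735129 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 100, authtype simple, intvl 1s, length 20'

# vrrp_advertisers TEXT: one line "vrid<TAB>source<TAB>prio<TAB>count" per advertising source.
vrrp_advertisers() {
    printf '%s\n' "$1" | awk '
        / VRRPv2, Advertisement, / {
            src = $3
            for (i = 1; i <= NF; i++) {
                if ($i == "vrid") vrid = $(i + 1)
                if ($i == "prio") prio = $(i + 1)
            }
            sub(/,$/, "", vrid); sub(/,$/, "", prio)   # strip the trailing comma
            n[vrid "\t" src "\t" prio]++
        }
        END { for (k in n) print k "\t" n[k] }
    ' | LC_ALL=C sort
}

# vrrp_conflicts TEXT: each vrid advertised by more than one source, with the sources.
# A healthy keepalived pair shows exactly one advertiser per vrid (the MASTER).
vrrp_conflicts() {
    vrrp_advertisers "$1" | awk -F'\t' '
        { if (($1, $2) in seen) next; seen[$1, $2] = 1
          if ($1 in srcs) srcs[$1] = srcs[$1] " " $2; else srcs[$1] = $2 }
        END { for (v in srcs) if (srcs[v] ~ / /) print v "\t" srcs[v] }
    ' | LC_ALL=C sort
}

echo "advertisers (vrid, source, prio, count):"
vrrp_advertisers "$SAMPLE"
echo "vrids with more than one advertiser:"
vrrp_conflicts "$SAMPLE"
```

On a real capture, feed it the output of tcpdump -nn -r capture.cap instead of the constructed sample.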
- Show IPs and ports instead of domain names and service names (some systems need the -nn option to show port numbers)
[root@10-10-40-110 ~]# tcpdump -nn
- Capture all packets whose destination host is 10.10.40.200
[root@10-10-40-110 ~]# tcpdump -nn dst host 10.10.40.200
- Capture all packets whose source host is 10.10.40.200
[root@10-10-40-110 ~]# tcpdump -nn src host 10.10.40.200
- Capture all packets whose source or destination host is 10.10.40.200
[root@10-10-40-110 ~]# tcpdump -nn host 10.10.40.200
- Capture all packets whose destination network is 10.10.40.0/24
[root@10-10-40-110 ~]# tcpdump -nn dst net 10.10.40.0/24
- Capture all packets whose source network is 10.10.40.0/24
[root@10-10-40-110 ~]# tcpdump -nn src net 10.10.40.0/24
- Capture all packets whose source or destination network is 10.10.40.0/24
[root@10-10-40-110 ~]# tcpdump -nn net 10.10.40.0/24
- Capture all packets whose destination port is 22
[root@10-10-40-110 ~]# tcpdump -nn dst port 22
- Capture all packets whose destination port is in the range 1-1023
[root@10-10-40-110 ~]# tcpdump -nn dst portrange 1-1023
- Capture all TCP segments whose destination port is in the range 1-1023
[root@10-10-40-110 ~]# tcpdump -nn tcp dst portrange 1-1023
- Capture all UDP datagrams whose destination port is in the range 1-1023
[root@10-10-40-110 ~]# tcpdump -nn udp dst portrange 1-1023
- Capture all packets whose destination host is 10.10.40.200 and destination port is 22
[root@10-10-40-110 ~]# tcpdump -nn "dst host 10.10.40.200 and dst port 22"
- Capture all packets whose destination host is 10.10.40.200 and destination port is 22 or 443
[root@10-10-40-200 ~]# tcpdump -nn dst "host 10.10.40.200 and (dst port 22 or dst port 443)"
- Capture all ICMP packets
  icmp can be replaced by another protocol, such as arp / tcp / udp / vrrp
[root@10-10-40-110 ~]# tcpdump -nn -v icmp
- Capture all ARP or ICMP packets
[root@10-10-40-110 ~]# tcpdump -nn -v "icmp or arp"
- Capture all broadcast or multicast packets
[root@10-10-40-110 ~]# tcpdump -nn "multicast or broadcast"
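A filter typo on a busy node costs a restart of the capture, so it pays to compile the expression first. The following is an added example, not part of the original post: it builds the "dst host ... and (dst port ... or dst port ...)" form from the examples above for any number of ports, and compiles it with tcpdump -d against an empty pcap file, which needs neither an interface nor root. It assumes tcpdump is installed; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): compile a capture filter before
# running it on a busy node. "tcpdump -d" compiles the expression to BPF and
# prints it without capturing; reading from an empty pcap file means no
# interface access (and no root) is needed. Assumes tcpdump is installed.

# Write a 24-byte pcap global header (little-endian, version 2.4, snaplen
# 262144, linktype 1 = Ethernet) and nothing else: a valid capture with no packets.
make_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\001\000\000\000' > "$1"
}

# check_filter EXPR: print the compiled BPF and return 0 if EXPR is valid, else 1.
check_filter() {
    f=$(mktemp) || return 1
    make_empty_pcap "$f"
    tcpdump -d -r "$f" "$1"
    rc=$?
    rm -f "$f"
    return $rc
}

# build_filter HOST PORT...: the "dst host X and (dst port A or dst port B)"
# form used in the examples above, for any number of ports.
build_filter() {
    host=$1; shift
    ports=""
    for p in "$@"; do
        ports="${ports:+$ports or }dst port $p"
    done
    printf 'dst host %s and (%s)' "$host" "$ports"
}

filt=$(build_filter 10.10.40.200 22 443)
echo "filter: $filt"
if command -v tcpdump >/dev/null 2>&1; then
    check_filter "$filt"
else
    echo "tcpdump not installed, skipping compile check"
fi
```

Once the expression compiles, run it for real with tcpdump -nn -w capture.cap "$filt".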
- Specify the capture size per packet in bytes; 0 means no limit
[root@10-10-40-110 ~]# tcpdump -nn icmp -s 100
- Stop capturing
  Usually, after pressing Ctrl+C, it takes a long time for tcpdump to exit; in that case you can force-quit the program with Ctrl+\
References
man tcpdump