Syntax
tcpdump [option] [[proto] [dir] [type]]
Check the version:
tcpdump --version
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
Check the syntax:
# show usage
tcpdump --help
# detailed explanation of each option
man tcpdump
# [expression] filter reference; whether the expression follows pcap-filter syntax is described in the expression section of man tcpdump
man pcap-filter
Syntax:
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ] [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ] [ -Q|-P in|out|inout ] [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ] [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
Options:
Option | description |
---|---|
-A | Print each packet in ASCII, with the link-layer header minimized. |
-b | Select protocols at the data-link layer; ip, arp, rarp and ipx all belong to this layer. |
-B buffer_size --buffer-size=buffer_size | Set the operating system capture buffer size to buffer_size KiB. |
-c count | Stop after receiving count packets. |
-C file_size | Before writing a raw packet to a file, check whether the file is currently larger than file_size; if so, close it and open a new one. file_size is in millions of bytes (1,000,000 bytes, not 1,048,576). |
-d | Dump the packet-matching code in a human-readable assembly-like form. |
-dd | Dump the packet-matching code as a C program fragment. |
-ddd | Dump the packet-matching code as decimal numbers. |
-D --list-interfaces | List all network interfaces on the system that tcpdump can capture on. |
-e | Print the data-link layer header on each output line. |
-E | Use spi@ipaddr algo:secret to decrypt IPsec ESP packets addressed to addr that carry Security Parameter Index spi. |
-f | Print foreign Internet addresses numerically. |
-F file | Read the filter expression from file, ignoring any expression given on the command line. |
-G rotate_seconds | Rotate the dump file given with -w every rotate_seconds seconds. |
-h --help | Print the version strings and a usage message, then exit. |
--version | Print the tcpdump and libpcap version strings and exit. |
-H | Attempt to detect 802.11s draft mesh headers. |
-i interface --interface=interface | Specify the network interface to listen on. |
-I --monitor-mode | Put the interface into monitor mode (IEEE 802.11 Wi-Fi interfaces only). |
--immediate-mode | Deliver packets to tcpdump as soon as they arrive instead of buffering them. |
-j tstamp_type --time-stamp-type=tstamp_type | Set the time stamp type for the capture. |
-J --list-time-stamp-types | List the time stamp types supported by the interface and exit. |
--time-stamp-precision=tstamp_precision | Set the time stamp precision (micro or nano). |
-K --dont-verify-checksums | Do not verify IP, TCP or UDP checksums. |
-l | Make standard output line-buffered, so the data can be piped to a file while capturing. |
-L --list-data-link-types | List the known data link types for the interface. |
-m module | Load SMI MIB module definitions from file module. May be given several times to load several MIB modules. |
-M secret | If a TCP segment carries the TCP-MD5 option, use secret as the shared secret to validate the TCP-MD5 digest (see RFC 2385). |
-n | Do not convert network addresses to names. |
-nn | Do not convert port numbers to names either. |
-N | Do not print the domain part of host names. For example, 'nic.ddn.mil' is printed as 'nic'. |
-# --number | Print a packet number at the beginning of each line. |
-O --no-optimize | Do not run the packet-matching code optimizer. |
-p --no-promiscuous-mode | Do not put the interface into promiscuous mode. |
-Q\|-P direction --direction=direction | Capture only the given direction: in, out or inout. |
-q | Quick output. Print less protocol information. |
-r file | Read packets from file (usually produced with the -w option). |
-S --absolute-tcp-sequence-numbers | Print absolute rather than relative TCP sequence numbers. |
-s snaplen --snapshot-length=snaplen | Read the first snaplen bytes of each packet instead of the default 68 bytes. |
-T type | Interpret captured packets as the given type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol). |
-t | Do not print a timestamp on each line. |
-tt | Print an unformatted timestamp on each line. |
-ttt | Print the time delta between this line and the previous one. |
-tttt | Print a timestamp in the default date(1) format on each line. |
-ttttt | Print the time delta between this line and the first line. |
-u | Print undecoded NFS handles. |
-U --packet-buffered | Flush the output after each packet (packet-buffered). |
-v | Slightly more verbose output, e.g. the TTL and type of service of IP packets. |
-vv | More detailed packet output. |
-vvv | Even more verbose output. |
-V file | Read a list of capture file names from file. |
-w file | Write the raw packets to file instead of parsing and printing them. |
-W filecount | With -C or -G, limit the number of files created; with -C the files are reused as a rotating buffer. |
-x | Print each packet's data (minus the link-layer header) in hex. |
-xx | Print each packet's data, including the link-layer header, in hex. |
-X | Print each packet's data (minus the link-layer header) in hex and ASCII. |
-XX | Print each packet's data, including the link-layer header, in hex and ASCII. |
-y datalinktype --linktype=datalinktype | Set the data link type used while capturing. |
-z postrotate-command | With -C or -G, run postrotate-command on each savefile after it is closed. |
-Z user --relinquish-privileges=user | When running as root, change to user after opening the capture device or input savefile but before opening any output savefile. |
OPTIONS

-A
Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.

-b
Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.

-B buffer_size, --buffer-size=buffer_size
Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).

-c count
Exit after receiving count packets.

-C file_size
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d
Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd
Dump packet-matching code as a C program fragment.

-ddd
Dump packet-matching code as decimal numbers (preceded with a count).

-D, --list-interfaces
Print the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture. This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string. The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findalldevs() function.

-e
Print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11.

-E
Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi. This combination may be repeated with comma or newline separation. Note that setting the secret for IPv4 ESP packets is supported at this time. Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled. secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read. The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a true `secret' key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via ps(1) and other occasions. In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided file in. The file is opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have been given up.

-f
Print `foreign' IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's NIS server; usually it hangs forever translating non-local internet numbers). The test for `foreign' IPv4 addresses is done using the IPv4 address and netmask of the interface on which capture is being done. If that address or netmask are not available, either because the interface on which capture is being done has no address or netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this option will not work correctly.

-F file
Use file as input for the filter expression. An additional expression given on the command line is ignored.

-G rotate_seconds
If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous. If used in conjunction with the -C option, filenames will take the form of `file<count>'.

-h, --help
Print the tcpdump and libpcap version strings, print a usage message, and exit.

--version
Print the tcpdump and libpcap version strings and exit.

-H
Attempt to detect 802.11s draft mesh headers.

-i interface, --interface=interface
Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, ``eth0''. On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode. If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument, if no interface on the system has that number as a name.

-I, --monitor-mode
Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems. Note that in monitor mode the adapter might disassociate from the network with which it's associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter. This flag will affect the output of the -L flag. If -I isn't specified, only those link-layer types available when not in monitor mode will be shown; if -I is specified, only those link-layer types available when in monitor mode will be shown.

--immediate-mode
Capture in "immediate mode". In this mode, packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency. This is the default when printing packets rather than saving packets to a ``savefile'' if the packets are being printed to a terminal rather than to a file or pipe.

-j tstamp_type, --time-stamp-type=tstamp_type
Set the time stamp type for the capture to tstamp_type. The names to use for the time stamp types are given in pcap-tstamp(7); not all the types listed there will necessarily be valid for any given interface.

-J, --list-time-stamp-types
List the supported time stamp types for the interface and exit. If the time stamp type cannot be set for the interface, no time stamp types are listed.

--time-stamp-precision=tstamp_precision
When capturing, set the time stamp precision for the capture to tstamp_precision. Note that availability of high precision time stamps (nanoseconds) and their actual accuracy is platform and hardware dependent. Also note that when writing captures made with nanosecond accuracy to a savefile, the time stamps are written with nanosecond resolution, and the file is written with a different magic number, to indicate that the time stamps are in seconds and nanoseconds; not all programs that read pcap savefiles will be able to read those captures. When reading a savefile, convert time stamps to the precision specified by timestamp_precision, and display them with that resolution. If the precision specified is less than the precision of time stamps in the file, the conversion will lose precision. The supported values for timestamp_precision are micro for microsecond resolution and nano for nanosecond resolution. The default is microsecond resolution.

-K, --dont-verify-checksums
Don't attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.

-l
Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,
tcpdump -l | tee dat
or
tcpdump -l > dat & tail -f dat
Note that on Windows, ``line buffered'' means ``unbuffered'', so that WinDump will write each character individually if -l is specified. -U is similar to -l in its behavior, but it will cause output to be ``packet-buffered'', so that the output is written to stdout at the end of each packet rather than at the end of each line; this is buffered on all platforms, including Windows.

-L, --list-data-link-types
List the known data link types for the interface, in the specified mode, and exit. The list of known data link types may be dependent on the specified mode; for example, on some platforms, a Wi-Fi interface might support one set of data link types when not in monitor mode (for example, it might support only fake Ethernet headers, or might support 802.11 headers but not support 802.11 headers with radio information) and another set of data link types when in monitor mode (for example, it might support 802.11 headers, or 802.11 headers with radio information, only in monitor mode).

-m module
Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.

-M secret
Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.

-n
Don't convert host addresses to names. This can be used to avoid DNS lookups.

-nn
Don't convert protocol and port numbers etc. to names either.

-N
Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.

-#, --number
Print an optional packet number at the beginning of the line.

-O, --no-optimize
Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p, --no-promiscuous-mode
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.

-Q|-P direction, --direction=direction
Choose send/receive direction direction for which packets should be captured. Possible values are `in', `out' and `inout'. Not available on all platforms.

-q
Quick (quiet?) output. Print less protocol information so output lines are shorter.

-r file
Read packets from file (which was created with the -w option or by other tools that write pcap or pcap-ng files). Standard input is used if file is ``-''.

-S, --absolute-tcp-sequence-numbers
Print absolute, rather than relative, TCP sequence numbers.

-s snaplen, --snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 262144, for backwards compatibility with recent older versions of tcpdump.

-T type
Force packets selected by "expression" to be interpreted the specified type. Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol), carp (Common Address Redundancy Protocol), cnfp (Cisco NetFlow protocol), lmp (Link Management Protocol), pgm (Pragmatic General Multicast), pgm_zmtp1 (ZMTP/1.0 inside PGM/EPGM), resp (REdis Serialization Protocol), radius (RADIUS), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), wb (distributed White Board), zmtp1 (ZeroMQ Message Transport Protocol 1.0) and vxlan (Virtual eXtensible Local Area Network). Note that the pgm type above affects UDP interpretation only, the native PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is often called "EPGM" or "PGM/UDP". Note that the pgm_zmtp1 type above affects interpretation of both native PGM and UDP at once. During the native PGM decoding the application data of an ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames. During the UDP decoding in addition to that any UDP packet would be treated as an encapsulated PGM packet.

-t
Don't print a timestamp on each dump line.

-tt
Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line.

-ttt
Print a delta (micro-second resolution) between current and previous line on each dump line.

-tttt
Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line.

-ttttt
Print a delta (micro-second resolution) between current and first line on each dump line.

-u
Print undecoded NFS handles.

-U, --packet-buffered
If the -w option is not specified, make the printed packet output ``packet-buffered''; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills. If the -w option is specified, make the saved raw packet output ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills. The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.

-v
When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum. When writing to a file with the -w option, report, every 10 seconds, the number of packets captured.

-vv
Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv
Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X Telnet options are printed in hex as well.

-V file
Read a list of filenames from file. Standard input is used if file is ``-''.

-w file
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''. This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received. The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended. See pcap-savefile(5) for a description of the file format.

-W
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly. Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.

-x
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.

-xx
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex.

-X
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.

-XX
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.

-y datalinktype, --linktype=datalinktype
Set the data link type to use while capturing packets to datalinktype.

-z postrotate-command
Used in conjunction with the -C or -G options, this will make tcpdump run " postrotate-command file " where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2. Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the capture process. And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want.

-Z user, --relinquish-privileges=user
If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user. This behavior can also be enabled by default at compile time.

expression
selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped. For the expression syntax, see pcap-filter(7). The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.
EXAMPLES

To print all packets arriving at or departing from sundown:
tcpdump host sundown

To print traffic between helios and either hot or ace:
tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:
tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:
tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):
tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):
tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

To print IP packets longer than 576 bytes sent through gateway snup:
tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
Applications
# list all interfaces
tcpdump -D
# capture all packets received by or sent from host 210.27.48.1
tcpdump host 210.27.48.1
# capture traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (parentheses escaped for the shell)
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
# capture IP packets between host 210.27.48.1 and every host except 210.27.48.2
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
# capture telnet packets received or sent by host 210.27.48.1
tcpdump tcp port 23 and host 210.27.48.1
# watch udp port 123 on this machine (123 is the NTP service port)
tcpdump udp port 123
# watch only packets from the host named hostname; it may be the local host or any machine on the network
tcpdump -i eth0 src host hostname
# watch all packets sent to host hostname
tcpdump -i eth0 dst host hostname
# watch packets passing through the given gateway
tcpdump -i eth0 gateway Gatewayname
# watch TCP or UDP packets addressed to a given port
tcpdump -i eth0 host hostname and port 80
When using parentheses on the command line, remember to escape them; otherwise the shell interprets them before tcpdump sees the expression.
Appendix
References
tcpdump manual: https://www.tcpdump.org/manpages/tcpdump.1-4.9.2.html
expression syntax: https://www.tcpdump.org/manpages/pcap-filter.7.html
https://www.cnblogs.com/maifengqiang/p/3863168.html
"You live and learn! Have you ever seen a TCP two-way close? What about a four-way handshake?" (article title)
Checking local NIC status
netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0 1500 40409 0 0 0 20376 0 0 0 BMU
ens5f0 1500 22999894941 0 0 0 25581016784 0 0 0 BMRU
lo 65536 850291094 0 0 0 850291094 0 0 0 LRU
Iface: the interfaces present on the system.
MTU: maximum transmission unit.
RX-OK, RX-ERR, RX-DRP, RX-OVR: the number of datagrams received correctly, and the totals received with errors, dropped, and lost to overruns.
TX-OK, TX-ERR, TX-DRP, TX-OVR: the number of datagrams sent correctly, and the totals sent with errors, dropped, and lost to overruns.
Expression syntax
The expression uses pcap-filter syntax; see man 7 pcap-filter. pcap-filter is in fact BPF syntax.
An expression consists of one or more primitives. A primitive is usually an id (a name or a number) preceded by one or more qualifiers. There are three kinds of qualifier:
type: what kind of thing the id name or number refers to. Possible types are host, net, port and portrange. e.g. host 1.2.3.4, port 22, portrange 33-44
dir: the packet direction. Possible values are src, dst, src or dst, src and dst. e.g. src or dst port 88; when no direction is given, the default is src or dst
proto: the protocol. Possible values are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, udp. e.g. ether src 52:54:00:09:23:12, udp portrange 7000-7009
expr relop expr
True if the relation holds. relop is one of the comparison operators (>, <, >=, <=, =, !=). expr is an arithmetic expression built from integer constants, binary operators (+, -, *, /, &, |, <<, >>), the length operator (len) and special packet data accessors.
The syntax of a packet data accessor is
proto[expr: size]
where proto is one of ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, udp. Here expr is the byte offset relative to the start of the proto header and size is the number of bytes to read. For example,
ether[0] & 1 != 0
matches all broadcast traffic: the Ethernet header begins with the destination address, so ether[0] is the first byte of the destination address. Likewise, to filter on the inner IP address of VXLAN traffic you can use ether[76:4] for the IP address; 76 is the offset of the IP address field relative to the Ethernet header, worked out from the VXLAN packet layout.
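The packet data accessors above are easiest to understand by evaluating them on a real frame. The following is an added example, not code from the page or from the tcpdump project: it builds a constructed Ethernet/IPv4/TCP frame, resolves `proto[offset:size]` the way pcap-filter does (the `ip` and `tcp` bases move with the IPv4 IHL field), and uses that to check the man page's "HTTP packets that carry data" filter, the `ether[0] & 1` broadcast test, and the 76-byte VXLAN offset the page quotes. All function and constant names are this example's own.

```python
"""Evaluate pcap-filter style packet data accessors over a hand-built frame.

Added example, not from the tcpdump page or project. The frame is constructed by
hand: Ethernet II + IPv4 + TCP (dst port 80) + payload. Layer offsets are derived
from the IPv4 IHL and TCP data-offset fields the way the man page's BPF filters do.
"""
import struct

ETH_HDR_LEN = 14
IPV4_MIN_HDR_LEN = 20
UDP_HDR_LEN = 8
VXLAN_HDR_LEN = 8


def build_frame(payload: bytes, tcp_flags: int = 0x18, ip_opts: bytes = b"",
                dst_mac: str = "001122334455") -> bytes:
    """Constructed sample frame; ip_opts lets us test filters against a longer IP header."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # TCP header without options: data offset 5 words (20 bytes), checksum left as 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, tcp_flags, 65535, 0, 0)
    ihl_words = (IPV4_MIN_HDR_LEN + len(ip_opts)) // 4
    total_len = ihl_words * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    return eth + ip + tcp + payload


def layer_offsets(frame: bytes) -> dict:
    """Byte offset of each header, as pcap-filter's proto[...] sees it."""
    offs = {"ether": 0}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4: only ether[] is valid
        return offs
    offs["ip"] = ETH_HDR_LEN
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4                 # IPv4 header length incl. options
    l4 = {6: "tcp", 17: "udp", 1: "icmp"}.get(frame[ETH_HDR_LEN + 9])
    if l4:
        offs[l4] = ETH_HDR_LEN + ihl
    return offs


def accessor(frame: bytes, proto: str, offset: int, size: int = 1) -> int:
    """proto[offset:size] as an unsigned big-endian integer; size may be 1, 2 or 4."""
    if size not in (1, 2, 4):
        raise ValueError("pcap-filter only allows sizes 1, 2 and 4")
    base = layer_offsets(frame)[proto]
    chunk = frame[base + offset: base + offset + size]
    if len(chunk) != size:
        raise ValueError("accessor runs past the end of the packet")
    return int.from_bytes(chunk, "big")


def tcp_payload_len(frame: bytes) -> int:
    """The man page's HTTP filter: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)."""
    total_len = accessor(frame, "ip", 2, 2)
    ip_hdr_len = (accessor(frame, "ip", 0) & 0x0F) << 2
    tcp_hdr_len = (accessor(frame, "tcp", 12) & 0xF0) >> 2
    return total_len - ip_hdr_len - tcp_hdr_len


def is_ether_broadcast_or_multicast(frame: bytes) -> bool:
    """ether[0] & 1 != 0: the low bit of the first destination byte is the group bit."""
    return accessor(frame, "ether", 0) & 1 != 0


def vxlan_inner_ip_src_offset() -> int:
    """Why the page uses ether[76:4]: outer Ethernet + outer IPv4 (no options) + UDP
    + VXLAN + inner Ethernet, then 12 bytes into the inner IPv4 header (source address)."""
    return ETH_HDR_LEN + IPV4_MIN_HDR_LEN + UDP_HDR_LEN + VXLAN_HDR_LEN + ETH_HDR_LEN + 12


if __name__ == "__main__":
    get = build_frame(b"GET / ")
    ack = build_frame(b"", tcp_flags=0x10)
    print("GET segment payload bytes:", tcp_payload_len(get))
    print("pure ACK payload bytes:", tcp_payload_len(ack))
    print("VXLAN inner source IP offset:", vxlan_inner_ip_src_offset())
```

The `ip_opts` parameter is there to show why the filter subtracts `(ip[0]&0xf)<<2` instead of a constant 20: with a 4-byte IP option the TCP header starts at ether offset 38, and a filter hard-coded to 20 would misreport the payload length. The VXLAN offset of 76 likewise assumes an outer IPv4 header without options; outer options or an 802.1Q tag shift it.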
Type keywords
host: a single host, e.g. host 10.1.110.110
net: a network address, e.g. net 10.1.0.0
port: a port number, e.g. port 8090
Direction keywords
src: the source address of the IP packet, e.g. src 10.1.110.110
dst: the destination address of the IP packet, e.g. dst 10.1.110.110
Protocol keywords (by default packets of all protocols are matched)
fddi, ip, arp, rarp, tcp, udp.
Other keywords
gateway, broadcast, less, greater
Common operators
! or not
&& or and
|| or or
Case study
Are you using your connection pool correctly? Investigating an "Unexpected end of stream" exception: https://cloud.tencent.com/developer/article/1561376
Capturing packets from a K8S pod
# find the pod's container
(base) root@user:/opt/jurassic/sampleTest# docker ps | grep sample
8a868dc26070 192.168.1.36/jurassic/jurassic-sample-test "/cloud/cloud_entryp…" 16 minutes ago Up 16 minutes k8s_container-sample-test_sample-test-v1-85488d89b5-6jjlk_oio-service-oio3_e2ef8890-0eef-464f-bf6b-1878ba0970f8_0
fd9c12c9c378 registry.cn-beijing.aliyuncs.com/kubesphereio/pause:3.6 "/pause" 16 minutes ago Up 16 minutes k8s_POD_sample-test-v1-85488d89b5-6jjlk_oio-service-oio3_e2ef8890-0eef-464f-bf6b-1878ba0970f8_0
# find the pid
(base) root@user:/opt/jurassic/sampleTest# docker inspect -f {{.State.Pid}} 8a868dc26070
22262
# find the interface inside the container's network namespace
(base) root@user:/opt/jurassic/sampleTest# nsenter -n -t 22262 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
##################### the "if913" below is the index of the peer interface on the host
4: eth0@if913: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
    link/ether c6:78:b9:4c:3b:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.233.91.5/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::c478:b9ff:fe4c:3b5d/64 scope link
       valid_lft forever preferred_lft forever
(base) root@user:/opt/jurassic/sampleTest#
# find the matching virtual interface on the host
(base) root@user:/opt/jurassic/sampleTest# ip addr | grep 913
102: calic0f69d7d913@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
################# the number before "@if4" is the virtual interface's index; 913 is the one we want
913: cali2e905b33619@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
# capture on this virtual interface
tcpdump -i cali2e905b33619
#### OUTPUT
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on cali2e905b33619, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:20:37.055635 IP 10.233.91.5.60660 > 192.168.0.144.11800: Flags [P.], seq 2230551253:2230551520, ack 1954841063, win 64, options [nop,nop,TS val 627046257 ecr 403542829], length 267
10:20:37.055989 IP 10.233.91.5.60660 > 192.168.0.144.11800: Flags [P.], seq 267:350, ack 1, win 64, options [nop,nop,TS val 627046258 ecr 403542829], length 83
10:20:37.056686 IP 192.168.0.144.11800 > 10.233.91.5.60660: Flags [.], ack 350, win 1426, options [nop,nop,TS val 403543452 ecr 627046257], length 0
10:20:37.057167 IP 192.168.0.144.11800 > 10.233.91.5.60660: Flags [P.], seq 1:95, ack 350, win 1426, options [nop,nop,TS val 403543453 ecr 627046257], length 94
10:20:37.057182 IP 10.233.91.5.60660 > 192.168.0.144.11800: Flags [.], ack 95, win 64, options [nop,nop,TS val 627046259 ecr 403543453], length 0
10:20:38.055677 IP 10.233.91.5.60660 > 192.168.0.144.11800: Flags [P.], seq 350:617, ack 95, win 64, options [nop,nop,TS val 627047257 ecr 403543453], length 267
10:20:38.056711 IP 192.168.0.144.11800 > 10.233.91.5.60660: Flags [P.], seq 95:142, ack 617, win 1426, options [nop,nop,TS val 403544452 ecr 627047257], length 47
10:20:38.056735 IP 10.233.91.5.60660 > 192.168.0.144.11800: Flags [.], ack 142, win 64, options [nop,nop,TS val 627047258 ecr 403544452], length 0
10:20:38.475577 IP 10.233.91.5.56750 > 10.233.91.81.7015: Flags [P.], seq 2828671770:2828672213, ack 2673776586, win 72, options [nop,nop,TS val 2376176112 ecr 2427114427], length 443
10:20:38.478867 IP 10.233.91.81.7015 > 10.233.91.5.56750: Flags [P.], seq 1:7141, ack 443, win 1243, options [nop,nop,TS val 2427116433 ecr 2376176112], length 7140
10:20:38.478884 IP 10.233.91.81.7015 > 10.233.91.5.56750: Flags [P.], seq 7141:14281, ack 443, win 1243, options [nop,nop,TS val 2427116433 ecr 2376176112], length 7140
10:20:38.478895 IP 10.233.91.5.56750 > 10.233.91.81.7015: Flags [.], ack 14281, win 65, options [nop,nop,TS val 2376176116 ecr 2427116433], length 0
10:20:38.478917 IP 10.233.91.81.7015 > 10.233.91.5.56750: Flags [P.], seq 14281:21617, ack 443, win 1243, options [nop,nop,TS val 2427116433 ecr 2376176116], length 7336
10:20:38.478982 IP 10.233.91.81.7015 > 10.233.91.5.56750: Flags [P.], seq 21617:21622, ack 443, win 1243, options [nop,nop,TS val 2427116433 ecr 2376176116], length 5
10:20:38.479330 IP 10.233.91.5.56750 > 10.233.91.81.7015: Flags [.], ack 21622, win 62, options [nop,nop,TS val 2376176116 ecr 2427116433], length 0
# narrow the capture to the pod's traffic with one peer
tcpdump -i cali2e905b33619 host 10.233.91.81
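The lookup above (pod `eth0@if913` to host `913: cali2e905b33619@if4`) is easy to get wrong by hand, because `grep 913` also matches `calic0f69d7d913`, whose name merely contains those digits. The following is an added example, not code from the page, tcpdump or Kubernetes: it parses `ip addr` output from the pod namespace and from the host, resolves the peer index to the host-side veth by its interface index rather than by substring, and builds the tcpdump command line. The sample outputs are constructed from the session shown above, the function names are this example's own, and nothing here runs nsenter or tcpdump.

```python
"""Resolve a pod's veth peer on the host from `ip addr` output.

Added example, not from the page or from tcpdump/Kubernetes. Inputs are constructed
from the session above; in practice POD_IP_ADDR comes from
`nsenter -n -t <pid> ip addr` and HOST_IP_ADDR from `ip addr` on the node.
"""
import re
import shlex

# ip(8) prints "<index>: <name>[@<peer>]: <flags> ..." at the start of each interface block.
_IFACE_LINE = re.compile(r"^(\d+):\s+([^:@\s]+)(?:@([^:\s]+))?:", re.M)

POD_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if913: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
    link/ether c6:78:b9:4c:3b:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.233.91.5/32 scope global eth0
"""

HOST_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
102: calic0f69d7d913@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
913: cali2e905b33619@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
"""


def parse_ip_addr(output: str) -> dict:
    """Map interface name -> (own ifindex, peer ifindex or None).

    The peer is only known for veth-style names like eth0@if913; "tunl0@NONE"
    and plain "lo" have no peer."""
    result = {}
    for m in _IFACE_LINE.finditer(output):
        idx, name, peer = int(m.group(1)), m.group(2), m.group(3)
        peer_idx = None
        if peer and peer.startswith("if") and peer[2:].isdigit():
            peer_idx = int(peer[2:])
        result[name] = (idx, peer_idx)
    return result


def peer_ifindex(pod_output: str, ifname: str = "eth0") -> int:
    """Index of the host-side end of the pod's veth (the 913 in eth0@if913)."""
    ifaces = parse_ip_addr(pod_output)
    if ifname not in ifaces or ifaces[ifname][1] is None:
        raise LookupError(f"{ifname} has no veth peer in the pod namespace")
    return ifaces[ifname][1]


def host_iface_by_index(host_output: str, ifindex: int) -> str:
    """Host interface whose own index equals ifindex; matching on the index avoids
    false hits on names that merely contain the digits."""
    for name, (idx, _peer) in parse_ip_addr(host_output).items():
        if idx == ifindex:
            return name
    raise LookupError(f"no host interface with index {ifindex}")


def tcpdump_cmd(iface: str, expression: str = "") -> str:
    """Command line to capture on iface; the expression is passed as one quoted argument."""
    args = ["tcpdump", "-i", iface]
    if expression:
        args.append(expression)
    return shlex.join(args)


def pod_capture_cmd(pod_output: str, host_output: str, expression: str = "") -> str:
    """Full resolution: pod eth0 -> peer index -> host veth -> tcpdump command."""
    return tcpdump_cmd(host_iface_by_index(host_output, peer_ifindex(pod_output)), expression)


if __name__ == "__main__":
    print(pod_capture_cmd(POD_IP_ADDR, HOST_IP_ADDR, "host 10.233.91.81"))
```

Capturing on the host-side veth, as the page does, sees the pod's traffic without entering the pod or needing tcpdump inside the container image; the same parsing works for other CNIs, as long as the pod interface reports its peer as `@ifNNN`.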