10.10 Linux下抓包
tcpdump
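# Install tcpdump (CentOS/RHEL). Use '#' for comments: '//' is not a comment in
# the shell, so anything after it is passed to yum as another package name.
yum install -y tcpdump  # install tcpdump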
[root@centos-01 ~]# tcpdump -nn -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:45:18.532009 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 2684718525:2684718737, ack 311414141, win 296, length 212
16:45:18.540380 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 212:408, ack 1, win 296, length 196
16:45:18.542187 IP 192.168.27.1.1891 > 192.168.27.128.22: Flags [.], ack 408, win 253, length 0
16:45:18.542263 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 408:572, ack 1, win 296, length 164
16:45:18.550287 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 572:832, ack 1, win 296, length 260
16:45:18.554025 IP 192.168.27.1.1891 > 192.168.27.128.22: Flags [.], ack 832, win 252, length 0
16:45:18.554068 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 832:996, ack 1, win 296, length 164
16:45:18.562529 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 996:1256, ack 1, win 296, length 260
16:45:18.564910 IP 192.168.27.1.1891 > 192.168.27.128.22: Flags [.], ack 1256, win 256, length 0
16:45:18.564979 IP 192.168.27.128.22 > 192.168.27.1.1891: Flags [P.], seq 1256:1420, ack 1, win 296, length 164
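# -nn: print addresses and ports numerically (no DNS / service-name lookups).
# -c 100: stop after 100 packets instead of running until interrupted.
tcpdump -nn -i ens33 -c 100
# Only traffic with port 22 on either end.
tcpdump -nn -i ens33 port 22
# TCP traffic excluding your own SSH session, which otherwise floods the output
# (see the transcript above: everything shown is 192.168.27.128.22 <-> .27.1.1891).
tcpdump -nn -i ens33 'tcp and not port 22'
# SSH or DNS. Note that `port 22 and port 53` would only match a packet that has
# 22 on one end and 53 on the other, which is almost never what is meant.
tcpdump -nn -i ens33 'port 22 or port 53'
# Write the raw packets to a file for offline analysis. The pcap contains full
# payloads (cleartext credentials, cookies, queries ...), so do not leave it
# world-readable (the default 0644 under a 022 umask). NOTE(review): RHEL/CentOS
# builds drop to the unprivileged `tcpdump` user (-Z) before writing, which is
# presumably why /tmp is used here — any directory that user can write to works.
tcpdump -nn -i ens33 -c 100 -w /tmp/12.cap
chmod 600 /tmp/12.cap
# Read the saved capture back. Keep -nn here as well: without it tcpdump tries to
# reverse-resolve every address in the file, which is slow and leaks the hosts
# you are investigating to your DNS resolver.
tcpdump -nn -r /tmp/12.cap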
wireshark
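# Install the wireshark package; on CentOS this provides the command-line tshark
# used below (the GUI is a separate package, wireshark-gnome on CentOS 7).
# Trailing free text is not a comment: the shell would hand it to yum as
# another package name, so put notes after '#'.
yum install -y wireshark  # install wireshark / tshark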
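# Print the client address and every MySQL query seen on the wire.
#   -n          no name resolution
#   -Y          single-pass display filter; tshark >= 1.10 rejects -R unless
#               two-pass mode (-2) is also given ("-R without -2 is deprecated")
#   -T fields   print only the fields selected with -e
# Interface is ens33 to match the tcpdump examples above; adjust to your host.
# Security note: the dissector can only show mysql.query when the MySQL session is
# not TLS-protected, so if queries are readable here they are readable to anyone
# on the path. The output may contain credentials or personal data; protect it
# like the pcap itself.
tshark -n -i ens33 -Y 'mysql.query' -T fields -e 'ip.src' -e 'mysql.query'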
但在日常工作中，tcpdump 通常就已经够用了。