tcpdump usage examples

Preface

Lately I have been studying networking in Kubernetes, including using keepalived for a highly available VIP, which has regularly meant troubleshooting network problems, so I am taking the chance here to tidy up how to use tcpdump. If anything is poorly written, feel free to point it out.

Note:

The example environment is a Kubernetes cluster made up of a k8s master node and k8s worker nodes, all of them VMs.

  • List the network interfaces tcpdump can capture on
[root@10-10-40-110 ~]# tcpdump -D
1.eth0
2.docker0
3.cni0
4.vethd0fd7a3f
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)
7.eth1
8.flannel.1
9.usbmon1 (USB bus number 1)
10.vetha5e14de7
11.veth5b9890d0
12.vethf6e5a39c
13.veth59af7cc7
14.vethf98a2823
15.veth628e2234
16.veth861a08f6
17.veth0912b7b6
18.vethf2889e2b
19.vethd7109cca
20.veth421502a4
21.vethf561756e
22.any (Pseudo-device that captures on all interfaces)
23.lo [Loopback]
[root@10-10-40-110 ~]#
  • Capture on the eth0 interface
[root@10-10-40-110 ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  • Capture on all interfaces (requires promiscuous mode; Linux kernel >= 2.2)
[root@10-10-40-110 ~]# tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
  • Capture with verbose output

    Note: without an interface argument tcpdump listens on the first network interface, which in this environment is eth0

[root@10-10-40-110 ~]# tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  • Capture with more verbose output
[root@10-10-40-110 ~]# tcpdump -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  • Capture with the most verbose output
[root@10-10-40-110 ~]# tcpdump -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:03:19.298070 IP (tos 0x12,ECT(0), ttl 64, id 7354, offset 0, flags [DF], proto TCP (6), length 176)
  • Capture with verbose output and print each packet in hex and ASCII, excluding the link-level header
[root@10-10-40-110 ~]# tcpdump -v -X
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:04:46.063040 IP (tos 0x12,ECT(0), ttl 64, id 19261, offset 0, flags [DF], proto TCP (6), length 176)
  • Capture with verbose output and print each packet in hex and ASCII, including the link-level header
[root@10-10-40-110 ~]# tcpdump -v -XX
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:40:45.439798 IP (tos 0x12,ECT(0), ttl 64, id 34723, offset 0, flags [DF], proto TCP (6), length 176)
  • Capture in quiet mode (less output than the default)
[root@10-10-40-110 ~]# tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  • Limit the number of packets captured
[root@10-10-40-110 ~]# tcpdump -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:49:00.612030 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 2802886126:2802886314, ack 3182814556, win 1432, options [nop,nop,TS val 454928787 ecr 807548508], length 188
21:49:00.612519 IP 10-10-40-110.44078 > public1.114dns.com.domain: 11925+ PTR? 65.0.121.121.in-addr.arpa. (43)
21:49:00.623275 IP public1.114dns.com.domain > 10-10-40-110.44078: 11925 NXDomain 0/1/0 (106)
21:49:00.624629 IP 10-10-40-110.51033 > public1.114dns.com.domain: 25277+ PTR? 110.40.10.10.in-addr.arpa. (43)
21:49:00.635649 IP public1.114dns.com.domain > 10-10-40-110.51033: 25277 NXDomain* 0/1/0 (78)
21:49:00.635906 IP 10-10-40-110.39356 > public1.114dns.com.domain: 9087+ PTR? 114.114.114.114.in-addr.arpa. (46)
21:49:00.635952 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 188:408, ack 1, win 1432, options [nop,nop,TS val 454928811 ecr 807548508], length 220
21:49:00.644312 IP 121.121.0.65.54289 > 10-10-40-110.ssh: Flags [.], ack 188, win 32762, options [nop,nop,TS val 807549151 ecr 454928787], length 0
21:49:00.646272 IP public1.114dns.com.domain > 10-10-40-110.39356: 9087 1/0/0 PTR public1.114dns.com. (78)
21:49:00.646443 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 408:1396, ack 1, win 1432, options [nop,nop,TS val 454928821 ecr 807549151], length 988
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@10-10-40-110 ~]#
  • Save the captured packets to a file, using the .cap suffix

    Note: to save to a file and still watch the decoded output in the terminal, write the raw capture to stdout and pipe it through tee: tcpdump -w - | tee capture.cap | tcpdump -r -

[root@10-10-40-110 ~]# tcpdump -c 10 -w capture.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@10-10-40-110 ~]#

Check the file type

[root@10-10-40-110 ~]# file capture.cap
capture.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
[root@10-10-40-110 ~]#

Reading the file directly with cat is useless, it is all binary garbage; to see the contents of a saved .cap file, read it back with tcpdump -r

  • Read the saved cap file
[root@10-10-40-110 ~]# tcpdump -r capture.cap
reading from file capture.cap, link-type EN10MB (Ethernet)
21:51:09.223140 IP 10-10-40-110.ssh > 121.121.0.65.54289: Flags [P.], seq 2802890002:2802890126, ack 3182816820, win 1432, options [nop,nop,TS val 455057398 ecr 807672709], length 124
21:51:09.596238 IP 121.121.0.65.54289 > 10-10-40-110.ssh: Flags [.], ack 124, win 32764, options [nop,nop,TS val 807673597 ecr 455057398], length 0
21:51:09.732159 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:10.732853 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:10.841674 STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102
21:51:11.055641 ARP, Request who-has 10-10-40-110 tell 10.10.40.2, length 28
21:51:11.055657 ARP, Reply 10-10-40-110 is-at fa:8a:41:0f:73:00 (oui Unknown), length 28
21:51:11.733994 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:12.735129 IP 10.10.40.103 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 220, authtype simple, intvl 1s, length 20
21:51:12.841619 STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102
[root@10-10-40-110 ~]#
  • Read the saved capture with the most verbose output
[root@10-10-40-110 ~]# tcpdump -vvv -r capture.cap
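As an added example (not from the original post), this POSIX shell script decodes the 24-byte pcap global header that file reads to produce the "little-endian ... version 2.4 (Ethernet, capture length 262144)" line above, so you can see where each of those values lives in the file. It writes a constructed header to a temporary file because there is no real capture here; make_sample_cap, pcap_header, u16 and u32 are helper names of my own.

```shell
# Write a constructed (not real) pcap global header to the path in $1:
# magic a1b2c3d4 stored little-endian, version 2.4, thiszone 0, sigfigs 0,
# snaplen 262144 (0x00040000), linktype 1 (EN10MB). Octal escapes keep printf portable.
make_sample_cap() {
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\001\000\000\000' > "$1"
}

# Assemble 2 or 4 byte values into an integer in the byte order detected from the magic.
u16() { if [ "$endian" = little ]; then echo $(( $1 | ($2 << 8) )); else echo $(( ($1 << 8) | $2 )); fi; }
u32() { if [ "$endian" = little ]; then echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) )); else echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); fi; }

# Print "endian=... version=M.m linktype=NAME snaplen=N" for the capture file in $1,
# or fail with a message when the file is not a classic pcap.
pcap_header() {
  set -- $(dd if="$1" bs=24 count=1 2>/dev/null | od -An -v -t u1)   # header bytes as decimals
  [ $# -eq 24 ] || { echo "not a pcap file: header shorter than 24 bytes" >&2; return 1; }
  case "$1 $2 $3 $4" in
    "212 195 178 161"|"77 60 178 161") endian=little ;;   # a1b2c3d4 / a1b23c4d (nanosecond) stored LE
    "161 178 195 212"|"161 178 60 77") endian=big ;;
    "10 13 13 10") echo "pcapng file, not classic pcap (tcpdump -r still reads it)" >&2; return 1 ;;
    *) echo "unknown magic: not a pcap file" >&2; return 1 ;;
  esac
  major=$(u16 "$5" "$6"); minor=$(u16 "$7" "$8")
  snaplen=$(u32 "${17}" "${18}" "${19}" "${20}")
  # Upper bits of the linktype field may carry FCS information in newer files; mask them off.
  linktype=$(( $(u32 "${21}" "${22}" "${23}" "${24}") & 268435455 ))
  case $linktype in
    1) lt=EN10MB ;; 113) lt=LINUX_SLL ;; 276) lt=LINUX_SLL2 ;; *) lt="DLT_$linktype" ;;
  esac
  echo "endian=$endian version=$major.$minor linktype=$lt snaplen=$snaplen"
}

tmp=$(mktemp); make_sample_cap "$tmp"; pcap_header "$tmp"; rm -f "$tmp"
```

Point pcap_header at a real capture.cap to compare its output with what file prints.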
  • Show IP addresses and port numbers instead of hostnames and service names (some systems need -nn before port numbers are shown numerically)
[root@10-10-40-110 ~]# tcpdump -nn
  • Capture all packets whose destination host is 10.10.40.200
[root@10-10-40-110 ~]# tcpdump -nn dst host 10.10.40.200
  • Capture all packets whose source host is 10.10.40.200
[root@10-10-40-110 ~]# tcpdump -nn src host 10.10.40.200
  • Capture all packets whose source or destination host is 10.10.40.200
[root@10-10-40-110 ~]# tcpdump -nn host 10.10.40.200
  • Capture all packets whose destination network is 10.10.40.0/24
[root@10-10-40-110 ~]# tcpdump -nn dst net 10.10.40.0/24
  • Capture all packets whose source network is 10.10.40.0/24
[root@10-10-40-110 ~]# tcpdump -nn src net 10.10.40.0/24
  • Capture all packets whose source or destination network is 10.10.40.0/24
[root@10-10-40-110 ~]# tcpdump -nn net 10.10.40.0/24
  • Capture all packets with destination port 22
[root@10-10-40-110 ~]# tcpdump -nn dst port 22
  • Capture all packets with a destination port in the range 1-1023
[root@10-10-40-110 ~]# tcpdump -nn dst portrange 1-1023
  • Capture all TCP packets with a destination port in the range 1-1023
[root@10-10-40-110 ~]# tcpdump -nn tcp dst portrange 1-1023
  • Capture all UDP packets with a destination port in the range 1-1023
[root@10-10-40-110 ~]# tcpdump -nn udp dst portrange 1-1023
  • Capture all packets with destination host 10.10.40.200 and destination port 22
[root@10-10-40-110 ~]# tcpdump -nn "dst host 10.10.40.200 and dst port 22"
  • Capture all packets with destination host 10.10.40.200 and destination port 22 or 443 (the whole expression goes inside the quotes so the shell does not interpret the parentheses)
[root@10-10-40-200 ~]# tcpdump -nn "dst host 10.10.40.200 and (dst port 22 or dst port 443)"
  • Capture all ICMP packets

    icmp can be replaced with another protocol such as arp / tcp / udp / vrrp

[root@10-10-40-110 ~]# tcpdump -nn -v icmp
  • Capture all ARP or ICMP packets
[root@10-10-40-110 ~]# tcpdump -nn -v "icmp or arp"
  • Capture all broadcast or multicast packets
[root@10-10-40-110 ~]# tcpdump -nn "multicast or broadcast"
  • Set how many bytes of each packet to capture (the snapshot length)

    0 means no limit; put the option before the filter expression

[root@10-10-40-110 ~]# tcpdump -nn -s 100 icmp
  • Stop capturing

    Usually after pressing Ctrl+C it takes a long time for tcpdump to exit; in that case Ctrl+\ can be used to force the program to quit (Ctrl+\ sends SIGQUIT, so a capture being written with -w may lose its buffered tail; running with -n avoids the reverse DNS lookups that commonly cause the slow exit)

References

  • man tcpdump
  • https://www.rationallyparanoid.com/articles/tcpdump.html