Practical Examples of the Linux tcpdump Command



Introduction

In this lab you will learn how to capture and analyze network traffic on a Linux system with the tcpdump command. tcpdump is a widely used packet analyzer that lets you watch and inspect packets in real time, which makes it a valuable tool for network troubleshooting, security analysis, and understanding how a system actually behaves on the wire. The lab covers the basics: capturing traffic, saving it to a file, and filtering the output so you can focus on one kind of network activity.




Introduction to the tcpdump Command

In this step you will get to know the tcpdump command, a packet analyzer used to capture and inspect network traffic on Linux systems. Because it shows you packets as they cross an interface, it is useful for troubleshooting, for security analysis (for example, confirming what a host really sends and receives), and for understanding network behaviour that higher-level tools hide.

Start by installing the tcpdump package in the Ubuntu 22.04 Docker container. Note that tcpdump needs root privileges (specifically the CAP_NET_RAW capability) to open a packet socket, which is why every capture command below is run with sudo:

sudo apt-get update
sudo apt-get install -y tcpdump

Sample output:

Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [114 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [2,276 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [2,644 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [11.3 kB]
Fetched 5,255 kB in 2s (2,627 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libpcap-dev libpcap0.8 tcpdump
Suggested packages:
  tcpdump-dbg
The following NEW packages will be installed:
  libpcap-dev libpcap0.8 tcpdump
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 521 kB of archives.
After this operation, 1,455 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy/main amd64 libpcap0.8 amd64 1.10.1-5ubuntu1 [146 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 libpcap-dev amd64 1.10.1-5ubuntu1 [185 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 tcpdump amd64 4.99.1-3ubuntu1 [190 kB]
Fetched 521 kB in 0s (3,837 kB/s)
Selecting previously unselected package libpcap0.8:amd64.
(Reading database ... 14289 files and directories currently installed.)
Preparing to unpack .../libpcap0.8_1.10.1-5ubuntu1_amd64.deb ...
Unpacking libpcap0.8:amd64 (1.10.1-5ubuntu1) ...
Selecting previously unselected package libpcap-dev:amd64.
Preparing to unpack .../libpcap-dev_1.10.1-5ubuntu1_amd64.deb ...
Unpacking libpcap-dev:amd64 (1.10.1-5ubuntu1) ...
Selecting previously unselected package tcpdump.
Preparing to unpack .../tcpdump_4.99.1-3ubuntu1_amd64.deb ...
Unpacking tcpdump (4.99.1-3ubuntu1) ...
Setting up libpcap0.8:amd64 (1.10.1-5ubuntu1) ...
Setting up libpcap-dev:amd64 (1.10.1-5ubuntu1) ...
Setting up tcpdump (4.99.1-3ubuntu1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...

Now that tcpdump is installed, let's look at the most basic invocation:

sudo tcpdump -i any -n

Sample output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:32.792941 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 1, length 64
16:25:32.793005 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 1, length 64
16:25:33.792998 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 2, length 64
16:25:33.793058 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

The -i any option tells tcpdump to capture on all available network interfaces (the "any" pseudo-interface; note that it cannot put the interfaces into promiscuous mode, so you only see traffic addressed to or sent by this host). The -n option disables reverse DNS resolution of IP addresses. Without it, tcpdump would send its own DNS queries for every new address, which slows the capture down and generates extra traffic from the host you are analysing, so -n is a good default for security work.

The command starts capturing and prints each packet as it arrives. Press Ctrl+C to stop; tcpdump then prints how many packets were captured, how many matched the filter, and how many the kernel dropped. A non-zero "dropped by kernel" count means the output is incomplete and you should write to a file instead of the terminal, or use a tighter filter.

Capturing Network Traffic with tcpdump

In this step you will learn how to capture network traffic with tcpdump, save it, and read a saved capture back for analysis.

Start by capturing on all interfaces, but stop automatically after a fixed number of packets:

sudo tcpdump -i any -c 10

Sample output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:29:56.832591 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 3, length 64
16:29:56.832648 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 3, length 64
16:29:57.832607 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 4, length 64
16:29:57.832663 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 4, length 64
16:29:58.832617 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 5, length 64
16:29:58.832673 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 5, length 64
16:29:59.832628 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 6, length 64
16:29:59.832684 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 6, length 64
16:30:00.832638 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 7, length 64
16:30:00.832694 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 7, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel

The -c 10 option tells tcpdump to exit after capturing 10 packets. Without -c, the capture runs until you press Ctrl+C.

You can also write the captured packets to a file for later analysis:

sudo tcpdump -i any -w network_capture.pcap

This captures network traffic and saves it in pcap format to a file named network_capture.pcap. Nothing is printed per packet while writing to a file; press Ctrl+C to stop. Two caveats: on Debian and Ubuntu builds tcpdump drops privileges to the tcpdump user after opening the interface, so if you get "Permission denied" for the output file, write to a directory that user can write to (such as /tmp) or add -Z root. Also, the file contains full packet payloads, including any cleartext credentials or session tokens that crossed the wire, so restrict its permissions and treat it as sensitive data.

To examine the captured packets you can use a graphical protocol analyzer such as Wireshark. Alternatively, tcpdump itself can read the file back; the same -n flag and filter expressions apply when reading:

sudo tcpdump -n -r network_capture.pcap

This prints the contents of network_capture.pcap. Reading a file needs no special privileges, so sudo is only required if the file itself is not readable by your user.

Filtering Network Traffic with tcpdump

In this step you will learn how to filter network traffic with tcpdump by criteria such as IP address, port, and protocol. The filter is a BPF expression given after the options; it is compiled and applied in the kernel, so packets that do not match are never copied to userspace.

Start by capturing only traffic on the HTTP port:

sudo tcpdump -i any -c 10 tcp port 80

Sample output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:04:01.832648 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [S], seq 3569349168, win 64240, options [mss 1460,sackOK,TS val 1000 ecr 0,nop,wscale 7], length 0
17:04:01.832702 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [S.], seq 2662318800, ack 3569349169, win 65160, options [mss 1460,sackOK,TS val 1000 ecr 1000,nop,wscale 7], length 0
17:04:01.832736 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1, win 502, length 0
17:04:01.832747 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [P.], seq 1:74, ack 1, win 502, length 73
17:04:01.832766 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [.], ack 74, win 512, length 0
17:04:01.832774 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [P.], seq 1:1449, ack 74, win 512, length 1448
17:04:01.832785 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1449, win 502, length 0
17:04:01.832793 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [F.], seq 74, ack 1449, win 502, length 0
17:04:01.832807 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [F.], seq 1449, ack 75, win 512, length 0
17:04:01.832815 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1450, win 502, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel

The tcp port 80 filter tells tcpdump to capture only TCP packets whose source or destination port is 80, the standard HTTP port. Keep in mind that this selects a port, not a protocol: HTTP served on another port is not matched, and anything else sent over port 80 is. HTTPS lives on port 443 and, being TLS, only the handshake and encrypted records are visible in a capture.

You can also filter by IP address:

sudo tcpdump -i any -c 10 host 172.17.0.2

This captures the first 10 packets in which 172.17.0.2 is either the source or the destination. Use src host or dst host to restrict the direction.

Filters can be combined with and, or, and not:

sudo tcpdump -i any -c 10 tcp port 80 and host 172.17.0.2

This captures the first 10 packets on TCP port 80 that involve 172.17.0.2. When an expression uses parentheses or other shell metacharacters, quote the whole expression in single quotes (for example 'tcp port 80 and not host 172.17.0.2') so the shell passes it to tcpdump unchanged.
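To make the two previous steps concrete, here is an added example that is not part of the lab: a pure-Python writer and reader for the pcap format that tcpdump -w produces and tcpdump -r reads back, together with a filter evaluator that reproduces the semantics of the BPF expressions used above (host 172.17.0.2, tcp port 80, and their and combination). All packets are constructed inline and mirror the addresses and ports in the lab output. It assumes a single Ethernet interface (link type 1), not the cooked link type that -i any produces, to keep the decoder short; nothing here is tcpdump's own code.

```python
"""Added example (not from the lab): write and read a pcap file as tcpdump -w / -r do,
then apply filters equivalent to `host A`, `tcp port N`, and `tcp port N and host A`.
Packets are constructed inline; addresses mirror the lab output. Assumption: Ethernet
link type (DLT 1), not the `-i any` cooked link type."""
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # native byte order, microsecond timestamps
DLT_EN10MB = 1            # Ethernet
SNAPLEN = 262144          # tcpdump's default "capture size", as printed in the lab output
ETH = b"\x00" * 12 + b"\x08\x00"   # constructed Ethernet header: dummy MACs + IPv4 ethertype
FLAG_NAMES = {0x02: "S", 0x12: "S.", 0x10: ".", 0x18: "P.", 0x11: "F."}  # tcpdump's Flags [...]

def ipv4(src, dst, proto, payload):
    # 20-byte header, no options; checksum left 0 (tcpdump only verifies checksums with -v)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return ETH + hdr + payload

def tcp(src, sport, dst, dport, flags=0x02):
    # minimal 20-byte TCP header; flags 0x02 = SYN ([S]), 0x12 = SYN/ACK ([S.])
    return ipv4(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 64240, 0, 0))

def icmp_echo(src, dst, seq, request=True):
    # type 8 = echo request, 0 = echo reply; 56 bytes of padding gives the "length 64" seen in the lab
    return ipv4(src, dst, 1, struct.pack("!BBHHH", 8 if request else 0, 0, 0, 1, seq) + b"\x00" * 56)

def write_pcap(frames, ts0=1700000000):
    """Serialise frames as `tcpdump -w` does: 24-byte global header, then 16-byte record headers."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, DLT_EN10MB))
    for i, frame in enumerate(frames):
        captured = frame[:SNAPLEN]   # incl_len is shorter than orig_len when the snaplen truncates
        out.write(struct.pack("<IIII", ts0 + i, i * 1000, len(captured), len(frame)))
        out.write(captured)
    return out.getvalue()

def read_pcap(data):
    """Parse a pcap blob into decoded packets; refuse files this decoder cannot interpret."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x (not native-order microsecond pcap)" % magic)
    if linktype != DLT_EN10MB:
        raise ValueError("decoder only handles Ethernet (link type 1), file has %d" % linktype)
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, caplen, _orig = struct.unpack("<IIII", data[off:off + 16])
        packets.append(decode(data[off + 16:off + 16 + caplen], sec, usec))
        off += 16 + caplen
    return packets

def decode(frame, sec, usec):
    """Ethernet -> IPv4 -> TCP or ICMP: only the fields tcpdump's one-line summary shows."""
    pkt = {"ts": "%d.%06d" % (sec, usec), "proto": None}
    if frame[12:14] != b"\x08\x00":
        return pkt                                   # not IPv4; left undecoded
    ihl = (frame[14] & 0x0F) * 4
    pkt["src"], pkt["dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if frame[23] == 6 and len(l4) >= 20:
        pkt["proto"], pkt["flags"] = "tcp", l4[13]
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    elif frame[23] == 1 and len(l4) >= 8:
        pkt["proto"], pkt["icmp_type"] = "icmp", l4[0]
    return pkt

# Filter primitives with the same meaning as the lab's BPF expressions.
def host(addr):        # `host A`: A as source OR destination
    return lambda p: addr in (p.get("src"), p.get("dst"))

def tcp_port(port):    # `tcp port N`: TCP, and N as source OR destination port
    return lambda p: p["proto"] == "tcp" and port in (p["sport"], p["dport"])

def both(*preds):      # `X and Y`
    return lambda p: all(f(p) for f in preds)

def summarize(packets, pred=lambda p: True):
    """One line per matching packet, shaped like tcpdump's default output."""
    lines = []
    for p in packets:
        if not pred(p):
            continue
        if p["proto"] == "tcp":
            lines.append("%s IP %s.%d > %s.%d: Flags [%s]" % (p["ts"], p["src"], p["sport"], p["dst"],
                                                          p["dport"], FLAG_NAMES.get(p["flags"], "?")))
        elif p["proto"] == "icmp":
            lines.append("%s IP %s > %s: ICMP echo %s" % (p["ts"], p["src"], p["dst"],
                                                        "request" if p["icmp_type"] == 8 else "reply"))
    return lines

def run_demo():
    """Build a small capture, round-trip it through the pcap format, and apply each filter."""
    frames = [
        icmp_echo("172.17.0.2", "172.17.0.1", 1),
        icmp_echo("172.17.0.1", "172.17.0.2", 1, request=False),
        tcp("172.17.0.2", 49154, "172.17.0.1", 80),          # [S], as in the lab output
        tcp("172.17.0.1", 80, "172.17.0.2", 49154, 0x12),    # [S.]
        tcp("172.17.0.3", 50000, "172.17.0.1", 80),          # another host talking to port 80
        tcp("172.17.0.2", 49155, "172.17.0.1", 443),         # HTTPS: not matched by `tcp port 80`
    ]
    packets = read_pcap(write_pcap(frames))
    return {"all": summarize(packets),
            "host": summarize(packets, host("172.17.0.2")),
            "port80": summarize(packets, tcp_port(80)),
            "combined": summarize(packets, both(tcp_port(80), host("172.17.0.2")))}

if __name__ == "__main__":
    for name, lines in run_demo().items():
        print("== %s: %d packets\n%s" % (name, len(lines), "\n".join(lines)))
```

Running the script prints four summaries: all six constructed packets, the five that involve 172.17.0.2, the three on TCP port 80, and the two that satisfy both conditions. The magic and link-type checks in read_pcap are the same sanity checks you should apply to any capture file handed to you before trusting it, and the host/tcp_port predicates show why host matches both directions while tcp port 80 ignores the HTTPS connection.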

Summary

In this lab you learned how to use tcpdump, a packet analyzer for capturing and inspecting network traffic on Linux systems. You installed the tcpdump package in an Ubuntu 22.04 Docker container, captured traffic on all interfaces, saved a capture to a pcap file and read it back, and filtered captures by host, port, and protocol, including combined expressions. These are the basic skills needed to apply tcpdump to network troubleshooting, security analysis, and understanding what a system really sends and receives.
