Basic usage
tcpdump -i eth0 -A host 10.0.0.1 and tcp port 80
tcpdump -i eth1 -A port 80 -w x.cap -c 1000
tcpdump -qns 0 -A -r x.cap
Filter ARP queries
tcpdump -i eth1 'arp and host 210.1.1.1'
Filter DNS queries (-K skips checksum verification, -n skips name resolution)
tcpdump -n -K -i eth1 'dst port 53'
ssh to a remote host, run tcpdump there, and pipe the capture into Wireshark on the local machine
ssh some-host tcpdump -w - 'tcp dst port 80' | wireshark -k -i -
# a more complex version (-U flushes each packet immediately so Wireshark updates live)
ssh some-host "tcpdump -U -n -i any -w - 'port 9527 or port 444 or port 80 or port 443'" | wireshark -k -i -
Filter SYN packets to port 443 (tcp[tcpflags] == tcp-syn matches only segments whose flags are exactly SYN, so SYN-ACKs are excluded; -G 10 rotates the output file every 10 seconds, %s being the epoch timestamp)
tcpdump -G 10 -w syn%s.cap -n -i eth0 'tcp dst port 443 and tcp[tcpflags] == tcp-syn'
Filter ICMP, both v4 and v6
tcpdump -i enp0s8 'icmp or icmp6' -vvXX
Filter HTTP traffic
Reference 1
To monitor HTTP traffic including request and response headers and message body (the expression is IP total length minus IP header length minus TCP header length, i.e. only segments with a non-empty payload, which drops the bare ACKs):
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
To monitor HTTP traffic including request and response headers and message body from a particular source:
tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
To monitor HTTP traffic including request and response headers and message body from local host to local host:
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo
Filter HTTP POST (0x504f5354 is "POST" in ASCII; the offset is read from the TCP data-offset field, so TCP options do not shift the comparison)
tcpdump -n -A -i any 'dst port 80 and tcp[(tcp[12] & 0xf0) >> 2 : 4] = 0x504f5354'
tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
Filter HTTP requests to a specific destination IP on a web server
tcpdump -i eth1 -A -s 0 'tcp port 80 and dst host x.x.x.x and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
Filter HTTP requests from specific source IPs on a web server
tcpdump -i eth0 -A -s 0 'port 80 and (src host 10.0.0.1 or src host 10.0.0.2) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
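The byte-offset arithmetic in the HTTP and POST filters above, and the flag comparison in the SYN filter, are easy to get subtly wrong. The following is an added Python example (not code from the original page) that reimplements those three pcap-filter expressions over constructed IPv4/TCP packets, so you can see which packets each one matches. Addresses, ports and the packet contents are made up; the only assumption is that option fields are padded to a multiple of 4 bytes, as real stacks do.

```python
import struct

# Flag bits that tcpdump's tcp-syn / tcp-push / tcp-ack names resolve to.
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10
POST_MAGIC = 0x504F5354          # b"POST" as a big-endian 32-bit integer

# --- constructed packets (not from a real capture) ---------------------------
def ipv4_header(total_len, proto=6, options=b""):
    ihl = (20 + len(options)) // 4                   # header length in 32-bit words
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options

def tcp_header(flags, options=b""):
    doff = (20 + len(options)) // 4                  # data offset in 32-bit words
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, flags, 65535, 0, 0) + options

def packet(flags, payload=b"", ip_opts=b"", tcp_opts=b""):
    """Raw IPv4+TCP packet; option lengths are assumed to be multiples of 4."""
    seg = tcp_header(flags, tcp_opts) + payload
    return ipv4_header(20 + len(ip_opts) + len(seg), options=ip_opts) + seg

# --- the filter expressions, written as Python over the same offsets ----------
def ip(pkt, off, n=1):
    """ip[off:n] in pcap-filter syntax: n bytes at offset off of the IPv4 header."""
    return int.from_bytes(pkt[off:off + n], "big")

def tcp(pkt, off, n=1):
    """tcp[off:n]: offset counted from the start of the TCP header, so the IP
    header length (ip[0]&0xf)<<2 is skipped first. Returns None when the load
    would run past the packet, which is how BPF rejects a too-short packet."""
    start = ((pkt[0] & 0xF) << 2) + off
    if start + n > len(pkt):
        return None
    return int.from_bytes(pkt[start:start + n], "big")

def tcp_payload_len(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): total length minus IP
    header length minus TCP header length. Non-zero means the segment carries data."""
    return (ip(pkt, 2, 2) - ((ip(pkt, 0) & 0xF) << 2)) - ((tcp(pkt, 12) & 0xF0) >> 2)

def has_http_payload(pkt):
    return tcp_payload_len(pkt) != 0

def is_post(pkt):
    """tcp[((tcp[12]&0xf0)>>2):4] = 0x504f5354: the 4 payload bytes right after the
    TCP header spell "POST". Because the data offset is read from the packet, TCP
    options (MSS, SACK, timestamps) do not shift the comparison."""
    return tcp(pkt, (tcp(pkt, 12) & 0xF0) >> 2, 4) == POST_MAGIC

def is_pure_syn(pkt):
    """tcp[tcpflags] == tcp-syn: the flags byte must be exactly SYN; SYN-ACK is excluded."""
    return tcp(pkt, 13) == TCP_SYN

def has_syn(pkt):
    """tcp[tcpflags] & tcp-syn != 0: any segment with SYN set, SYN-ACK included."""
    return tcp(pkt, 13) & TCP_SYN != 0

# Sample packets: a bare ACK, a GET and a POST carrying a TCP MSS option and, for
# the POST, four NOP bytes of IP options, plus both halves of a handshake.
MSS_OPT = b"\x02\x04\x05\xb4"        # MSS 1460
IP_NOPS = b"\x01\x01\x01\x01"
BARE_ACK = packet(TCP_ACK)
GET_REQ = packet(TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", tcp_opts=MSS_OPT)
POST_BODY = b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
POST_REQ = packet(TCP_PSH | TCP_ACK, POST_BODY, ip_opts=IP_NOPS, tcp_opts=MSS_OPT)
PURE_SYN = packet(TCP_SYN)
SYN_ACK = packet(TCP_SYN | TCP_ACK)

if __name__ == "__main__":
    for name, pkt in [("bare ACK", BARE_ACK), ("GET", GET_REQ), ("POST", POST_REQ),
                      ("SYN", PURE_SYN), ("SYN-ACK", SYN_ACK)]:
        print(f"{name:8} payload={tcp_payload_len(pkt):3} http={has_http_payload(pkt)!s:5} "
              f"post={is_post(pkt)!s:5} pure_syn={is_pure_syn(pkt)!s:5} syn={has_syn(pkt)}")
```

The bare ACK is rejected by the payload filter, the GET passes it but fails the POST test, and the POST with IP and TCP options still matches because both header lengths are taken from the packet rather than assumed to be 20. The same reasoning is why `-s 0` (or the modern default snaplen) matters for the real filters: the payload bytes being compared have to be in the captured packet.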
Filter ICMP unreachable messages (icmp[0] is the ICMP type, and type 3 is destination unreachable; icmp[icmptype] == icmp-unreach is the equivalent symbolic form, and for IPv6 the check is icmp6[0] == 1). Reference: https://www.howtouselinux.com/post/tcpdump-filter-icmpv6-packets
tcpdump -i eth0 'icmp[0] == 3' -n
Case study
connect() errors
curl to some address x.x.x.x fails with connect() failed (13: Permission denied). Capture packets to confirm; the address may be a v6 address, so filter both icmp and icmp6 at the same time.
tcpdump -i eth0 'host x.x.x.x or icmp or icmp6'
In the capture you can see the ICMP unreachable message, which confirms it is a routing problem.
Another error, connect() failed (113: No route to host), can be confirmed the same way.
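When the capture from the case above does contain an unreachable message, the useful details are its code (which distinguishes a missing route from a firewall or route reject) and the embedded copy of the original datagram, which tells you which connection the message refers to. The following is an added Python example (not from the original page) that decodes exactly what icmp[0] == 3 and icmp6[0] == 1 match, for both families, over constructed packets; the addresses, ports and the chosen codes are made up, and checksums are left at zero (tcpdump -K does not verify them either).

```python
import struct
from ipaddress import ip_address

# Code names from RFC 792/1812 (ICMPv4 type 3) and RFC 4443 (ICMPv6 type 1).
# A firewall REJECT or a rejecting route usually produces one of the
# "admin prohibited" codes; a missing route shows up as net/host unreachable.
ICMP4_UNREACH = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed", 9: "net admin prohibited",
                 10: "host admin prohibited", 13: "communication admin prohibited"}
ICMP6_UNREACH = {0: "no route to destination", 1: "communication admin prohibited",
                 3: "address unreachable", 4: "port unreachable"}

def decode_unreachable(pkt):
    """Decode a raw IP packet (what a tcpdump filter sees). Returns a dict for a
    destination-unreachable message, None for anything else. IPv6 extension
    headers are not handled; the ICMPv6 header is assumed to follow directly."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0xF) << 2
        if pkt[9] != 1:                  # IP protocol 1 = ICMP
            return None
        icmp = pkt[ihl:]
        if icmp[0] != 3:                 # tcpdump: icmp[0] == 3
            return None
        family, codes = "icmp", ICMP4_UNREACH
        inner = icmp[8:]                 # original datagram after the 8-byte ICMP header
        orig_dst = ip_address(inner[16:20])
        transport = inner[(inner[0] & 0xF) << 2:]
        reporter = ip_address(pkt[12:16])
    elif version == 6:
        if pkt[6] != 58:                 # next header 58 = ICMPv6
            return None
        icmp = pkt[40:]
        if icmp[0] != 1:                 # tcpdump: icmp6[0] == 1
            return None
        family, codes = "icmp6", ICMP6_UNREACH
        inner = icmp[8:]
        orig_dst = ip_address(inner[24:40])
        transport = inner[40:]
        reporter = ip_address(pkt[8:24])
    else:
        return None
    sport, dport = struct.unpack("!HH", transport[:4])   # first 8 bytes of the original transport header
    return {"family": family, "code": icmp[1], "reason": codes.get(icmp[1], f"code {icmp[1]}"),
            "reporter": str(reporter), "orig_dst": str(orig_dst),
            "orig_sport": sport, "orig_dport": dport}

# --- constructed packets (not from a real capture) ---------------------------
def _ipv4(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)

def _ipv6(src, dst, next_header, payload_len):
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ip_address(src).packed, ip_address(dst).packed)

FAILED_SYN = struct.pack("!HHI", 40000, 443, 1)      # ports + seq of the SYN curl sent

_inner4 = _ipv4("10.0.0.1", "203.0.113.10", 6, 20) + FAILED_SYN
_icmp4 = struct.pack("!BBHI", 3, 13, 0, 0) + _inner4  # type 3, code 13, checksum, unused
UNREACH_V4 = _ipv4("10.0.0.254", "10.0.0.1", 1, len(_icmp4)) + _icmp4

_inner6 = _ipv6("2001:db8::1", "2001:db8:ffff::10", 6, 20) + FAILED_SYN
_icmp6 = struct.pack("!BBHI", 1, 1, 0, 0) + _inner6   # type 1, code 1, checksum, unused
UNREACH_V6 = _ipv6("2001:db8::fe", "2001:db8::1", 58, len(_icmp6)) + _icmp6

_echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 8   # echo request, not unreachable
ECHO_V4 = _ipv4("10.0.0.1", "10.0.0.254", 1, len(_echo)) + _echo

if __name__ == "__main__":
    for name, pkt in [("v4", UNREACH_V4), ("v6", UNREACH_V6), ("echo", ECHO_V4)]:
        print(name, decode_unreachable(pkt))
```

Reading the decoded fields against the failing command: "reporter" is the hop that refused or could not forward the packet, "orig_dst" and "orig_dport" should match the address and port curl was connecting to, and "reason" says whether it was a missing route or an administrative reject.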