推荐加上 -n 或者 -nn:
-n 不做主机名解析(直接显示 IP)
-nn 在 -n 的基础上, 也不做协议、端口名解析(直接显示端口号)
tcpdump 默认会做反向域名解析, 所以 grep 不到 IP; 从下面的输出也能看到, 反向解析本身还会向 DNS 服务器发出额外的 PTR 查询, 混入抓包结果。
[root@fqguoCentos ~]# tcpdump -i ens192 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 22:22:04.350003 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 2211629083:2211629323, ack 3337987731, win 306, length 240 22:22:04.350323 IP fqguoCentos.51002 > hangzhou.zjhzptt.net.cn.domain: 32317+ PTR? 135.4.201.10.in-addr.arpa. (43) 22:22:04.350622 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.51002: 32317 NXDomain* 0/1/0 (102) 22:22:04.350959 IP fqguoCentos.44141 > hangzhou.zjhzptt.net.cn.domain: 25933+ PTR? 83.106.168.192.in-addr.arpa. (45) 22:22:04.351176 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.44141: 25933 NXDomain* 0/1/0 (104) 22:22:04.351316 IP fqguoCentos.37441 > hangzhou.zjhzptt.net.cn.domain: 36041+ PTR? 35.172.101.202.in-addr.arpa. (45) 22:22:04.351324 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 240:432, ack 1, win 306, length 192 22:22:04.352765 IP 10.201.4.135.51351 > fqguoCentos.ssh: Flags [.], ack 240, win 251, length 0 22:22:04.359955 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.37441: 36041 1/0/0 PTR hangzhou.zjhzptt.net.cn. (82) 22:22:04.360086 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 432:704, ack 1, win 306, length 272 22:22:04.360117 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 704:1296, ack 1, win 306, length 592 22:22:04.360202 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1296:1760, ack 1, win 306, length 464
●-t 不输出时间戳
[root@fqguoCentos ~]# tcpdump -i ens192 -t dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 2212171515:2212171755, ack 3337990259, win 507, length 240 IP fqguoCentos.59960 > hangzhou.zjhzptt.net.cn.domain: 57658+ PTR? 135.4.201.10.in-addr.arpa. (43) IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.59960: 57658 NXDomain* 0/1/0 (102) IP fqguoCentos.55148 > hangzhou.zjhzptt.net.cn.domain: 65180+ PTR? 83.106.168.192.in-addr.arpa. (45) IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.55148: 65180 NXDomain* 0/1/0 (104) IP fqguoCentos.50360 > hangzhou.zjhzptt.net.cn.domain: 17409+ PTR? 35.172.101.202.in-addr.arpa. (45) IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 240:416, ack 1, win 507, length 176 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.50360: 17409 1/0/0 PTR hangzhou.zjhzptt.net.cn. (82) IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 416:1136, ack 1, win 507, length 720 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1136:1296, ack 1, win 507, length 160 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1296:1456, ack 1, win 507, length 160 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1456:1616, ack 1, win 507, length 160 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1616:1776, ack 1, win 507, length 160 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1776:1936, ack 1, win 507, length 160 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1936:2096, ack 1, win 507, length 160 IP 192.168.106.56.netbios-ns > 192.168.106.255.netbios-ns: UDP, length 50●-tt 输出时间戳
[root@fqguoCentos ~]# tcpdump -c 10 -i ens192 -tt dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 1663295087.511500 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 2212766251:2212766491, ack 3337992691, win 580, length 240 1663295087.511834 IP fqguoCentos.52209 > hangzhou.zjhzptt.net.cn.domain: 32855+ PTR? 135.4.201.10.in-addr.arpa. (43) 1663295087.512089 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.52209: 32855 NXDomain* 0/1/0 (102) 1663295087.512463 IP fqguoCentos.59282 > hangzhou.zjhzptt.net.cn.domain: 15892+ PTR? 83.106.168.192.in-addr.arpa. (45) 1663295087.512754 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.59282: 15892 NXDomain* 0/1/0 (104) 1663295087.512868 IP fqguoCentos.42780 > hangzhou.zjhzptt.net.cn.domain: 2109+ PTR? 35.172.101.202.in-addr.arpa. (45) 1663295087.512906 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 240:432, ack 1, win 580, length 192 1663295087.513168 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.42780: 2109 1/0/0 PTR hangzhou.zjhzptt.net.cn. (82) 1663295087.513264 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 432:1280, ack 1, win 580, length 848 1663295087.513304 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1280:1456, ack 1, win 580, length 176 10 packets captured 10 packets received by filter 0 packets dropped by kernel●-ttt 两行打印的时间间隔(以毫秒为单位)
[root@fqguoCentos ~]# tcpdump -c 10 -i ens192 -ttt dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 00:00:00.000000 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 2212769179:2212769259, ack 3337993459, win 580, length 80 00:00:00.000035 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 80:288, ack 1, win 580, length 208 00:00:00.000546 IP fqguoCentos.35319 > hangzhou.zjhzptt.net.cn.domain: 26390+ PTR? 135.4.201.10.in-addr.arpa. (43) 00:00:00.000348 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.35319: 26390 NXDomain* 0/1/0 (102) 00:00:00.000317 IP fqguoCentos.34763 > hangzhou.zjhzptt.net.cn.domain: 56467+ PTR? 83.106.168.192.in-addr.arpa. (45) 00:00:00.000338 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.34763: 56467 NXDomain* 0/1/0 (104) 00:00:00.000109 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 288:592, ack 1, win 580, length 304 00:00:00.000009 IP fqguoCentos.49622 > hangzhou.zjhzptt.net.cn.domain: 61571+ PTR? 35.172.101.202.in-addr.arpa. (45) 00:00:00.000211 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.49622: 61571 1/0/0 PTR hangzhou.zjhzptt.net.cn. (82) 00:00:00.000061 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 592:768, ack 1, win 580, length 176●-tttt 在每行打印的时间戳之前添加日期的打印
[root@fqguoCentos ~]# tcpdump -c 10 -i ens192 -tttt dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 2022-09-15 22:25:19.362468 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 2212771291:2212771531, ack 3337993651, win 580, length 240 2022-09-15 22:25:19.362736 IP fqguoCentos.52303 > hangzhou.zjhzptt.net.cn.domain: 30585+ PTR? 135.4.201.10.in-addr.arpa. (43) 2022-09-15 22:25:19.363069 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.52303: 30585 NXDomain* 0/1/0 (102) 2022-09-15 22:25:19.363404 IP fqguoCentos.47101 > hangzhou.zjhzptt.net.cn.domain: 7843+ PTR? 83.106.168.192.in-addr.arpa. (45) 2022-09-15 22:25:19.363672 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.47101: 7843 NXDomain* 0/1/0 (104) 2022-09-15 22:25:19.363779 IP fqguoCentos.49039 > hangzhou.zjhzptt.net.cn.domain: 38777+ PTR? 35.172.101.202.in-addr.arpa. (45) 2022-09-15 22:25:19.363819 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 240:448, ack 1, win 580, length 208 2022-09-15 22:25:19.363986 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.49039: 38777 1/0/0 PTR hangzhou.zjhzptt.net.cn. (82) 2022-09-15 22:25:19.364067 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 448:1360, ack 1, win 580, length 912 2022-09-15 22:25:19.364110 IP fqguoCentos.ssh > 10.201.4.135.51351: Flags [P.], seq 1360:1536, ack 1, win 580, length 176 10 packets captured 10 packets received by filter 0 packets dropped by kernel
tcpdump -i any
tcpdump -i ens192 -c 10
-C 指定单个抓包文件的大小, 达到后切换到下一个文件
-W 限制最多保存几个文件; 与 -C 配合时, 文件写满后回到第一个文件循环覆盖。注意下面输出里文件权限是 -rw-r--r--, 写到 /tmp 时抓包内容对本机所有用户可读。
[root@fqguoCentos tmp]# tcpdump -i ens192 -C 2 -W 5 -w /tmp/ttt dropped privs to tcpdump tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes ^C56947 packets captured 56951 packets received by filter 0 packets dropped by kernel [root@fqguoCentos tmp]# ll total 9188 -rw-rw-r--. 1 fqguo fqguo 0 Sep 15 08:33 aa drwx------. 3 root root 17 Aug 23 04:29 systemd-private-45eff7d8d95840e8ac264e256de42ef7-chronyd.service-OYPQej -rw-r--r--. 1 tcpdump tcpdump 2001230 Sep 15 22:35 ttt0 -rw-r--r--. 1 tcpdump tcpdump 2000210 Sep 15 22:35 ttt1 -rw-r--r--. 1 tcpdump tcpdump 2000976 Sep 15 22:35 ttt2 -rw-r--r--. 1 tcpdump tcpdump 1396260 Sep 15 22:35 ttt3 -rw-r--r--. 1 tcpdump tcpdump 2000220 Sep 15 22:35 ttt4 [root@fqguoCentos tmp]#
[root@fqguoCentos ~]# tcpdump -i ens192 -e -c 20 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 10:37:52.376494 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 294: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 40574662:40574902, ack 1424672344, win 781, length 240 10:37:52.376790 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 88: fqguoCentos.42780 > hangzhou.zjhzptt.net.cn.domain: 15429+ PTR? 235.107.168.192.in-addr.arpa. (46) 10:37:52.377081 84:65:69:6f:4d:c4 (oui Unknown) > 00:0c:29:2d:1d:a1 (oui Unknown), ethertype IPv4 (0x0800), length 147: hangzhou.zjhzptt.net.cn.domain > fqguoCentos.42780: 15429 NXDomain* 0/1/0 (105) 10:37:52.377415 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 87: fqguoCentos.60316 > hangzhou.zjhzptt.net.cn.domain: 2294+ PTR? 83.106.168.192.in-addr.arpa. (45) 10:37:52.377709 84:65:69:6f:4d:c4 (oui Unknown) > 00:0c:29:2d:1d:a1 (oui Unknown), ethertype IPv4 (0x0800), length 146: hangzhou.zjhzptt.net.cn.domain > fqguoCentos.60316: 2294 NXDomain* 0/1/0 (104) 10:37:52.377823 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 87: fqguoCentos.34374 > hangzhou.zjhzptt.net.cn.domain: 26673+ PTR? 35.172.101.202.in-addr.arpa. (45) 10:37:52.377858 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 342: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 240:528, ack 1, win 781, length 288 10:37:52.378067 84:65:69:6f:4d:c4 (oui Unknown) > 00:0c:29:2d:1d:a1 (oui Unknown), ethertype IPv4 (0x0800), length 124: hangzhou.zjhzptt.net.cn.domain > fqguoCentos.34374: 26673 1/0/0 PTR hangzhou.zjhzptt.net.cn. 
(82) 10:37:52.378166 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 1590: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 528:2064, ack 1, win 781, length 1536 10:37:52.378220 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 2064:2336, ack 1, win 781, length 272 10:37:52.378259 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 2336:2608, ack 1, win 781, length 272 10:37:52.378321 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 2608:2880, ack 1, win 781, length 272 10:37:52.378383 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 2880:3152, ack 1, win 781, length 272 10:37:52.378436 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 3152:3424, ack 1, win 781, length 272 10:37:52.390140 84:65:69:6f:4d:c4 (oui Unknown) > 00:0c:29:2d:1d:a1 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 240, win 4196, length 0 10:37:52.390153 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 3424:3696, ack 1, win 781, length 272 10:37:52.390244 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 518: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 3696:4160, ack 1, win 781, length 464 10:37:52.390316 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 
(0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 4160:4432, ack 1, win 781, length 272 10:37:52.390375 00:0c:29:2d:1d:a1 (oui Unknown) > 00:00:5e:00:01:c8 (oui IANA), ethertype IPv4 (0x0800), length 326: fqguoCentos.ssh > 192.168.107.235.51591: Flags [P.], seq 4432:4704, ack 1, win 781, length 272 10:37:52.392585 84:65:69:6f:4d:c4 (oui Unknown) > 00:0c:29:2d:1d:a1 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 528, win 4195, options [nop,nop,sack 1 {2064:2336}], length 0 20 packets captured 21 packets received by filter 0 packets dropped by kernel
[root@fqguoCentos ~]# tcpdump -i ens192 -Q in -c 20 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 10:41:38.811420 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 40585254, win 4193, length 0 10:41:38.812133 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.46304: 45180 NXDomain* 0/1/0 (104) 10:41:38.812805 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.53212: 44282 NXDomain* 0/1/0 (105) 10:41:38.813314 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.51862: 55899 1/0/0 PTR hangzhou.zjhzptt.net.cn. (82) 10:41:38.830906 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 529, win 4196, length 0 10:41:38.899027 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 689, win 4196, length 0 10:41:38.957398 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 849, win 4195, length 0 10:41:39.020331 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 1009, win 4195, length 0 10:41:39.085778 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 1169, win 4194, length 0 10:41:39.147766 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 1329, win 4193, length 0 10:41:39.170742 ARP, Request who-has 192.168.106.70 tell _gateway, length 46 10:41:39.171256 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.45518: 26636 NXDomain* 0/1/0 (104) 10:41:39.171767 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.44893: 5459 NXDomain* 0/1/0 (103) 10:41:39.187272 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 1825, win 4191, length 0 10:41:39.244328 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 1985, win 4196, length 0 10:41:39.308391 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 2145, win 4196, length 0 10:41:39.380643 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 2305, win 4195, length 0 10:41:39.445398 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 2465, 
win 4195, length 0 10:41:39.499997 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 2625, win 4194, length 0 10:41:39.555488 IP 192.168.107.235.51591 > fqguoCentos.ssh: Flags [.], ack 2785, win 4193, length 0 20 packets captured 41 packets received by filter 0 packets dropped by kernel
[root@fqguoCentos ~]# tcpdump -i ens192 -q -c 20 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 10:44:16.911465 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 240 10:44:16.911836 IP fqguoCentos.33186 > hangzhou.zjhzptt.net.cn.domain: UDP, length 46 10:44:16.912063 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.33186: UDP, length 105 10:44:16.912394 IP fqguoCentos.54929 > hangzhou.zjhzptt.net.cn.domain: UDP, length 45 10:44:16.912642 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.54929: UDP, length 104 10:44:16.912744 IP fqguoCentos.52573 > hangzhou.zjhzptt.net.cn.domain: UDP, length 45 10:44:16.912785 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.912974 IP hangzhou.zjhzptt.net.cn.domain > fqguoCentos.52573: UDP, length 82 10:44:16.913067 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 656 10:44:16.913109 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.913146 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.913184 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.913243 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.913311 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.913375 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.927142 IP 192.168.107.235.51591 > fqguoCentos.ssh: tcp 0 10:44:16.927158 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.927225 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 192 10:44:16.927276 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 10:44:16.927319 IP fqguoCentos.ssh > 192.168.107.235.51591: tcp 128 20 packets captured 21 packets received by filter 0 packets dropped by kernel