Some commonly used TCPDUMP commands

  • Thursday 11/03/2021

Capture packets from a specific Ethernet interface with tcpdump -i

#tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:55:39.449006 IP 103.252.252.30.https > 42.116.182.218.22942: Flags [.], seq 3571369033:3571371857, ack 329149107, win 150, length 2824
17:55:39.449025 IP 103.252.252.30.https > 42.116.182.218.22942: Flags [.], seq 2824:5648, ack 1, win 150, length 2824
17:55:39.449039 IP 103.252.252.30.https > 42.116.182.218.22942: Flags [.], seq 5648:8472, ack 1, win 150, length 2824
17:55:39.449052 IP 103.252.252.30.https > 42.116.182.218.22942: Flags [P.], seq 8472:11296, ack 1, win 150, length 2824
17:55:39.449103 IP 103.252.252.30.https > 42.116.182.218.22942: Flags [.], seq 11296:14120, ack 1, win 150, length 2824

In the example above, tcpdump captures every packet on eth0 and prints them to standard output in its default one-line-per-packet format.

Capture only N packets with tcpdump -c

#tcpdump -c 2 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:34.784288 IP dynamic-ip-adsl.viettel.vn.14377 > 103.252.252.27.https: Flags [S], seq 1112841271:1112841399, win 64, length 128
17:57:34.784346 IP 103.252.252.27.https > dynamic-ip-adsl.viettel.vn.14377: Flags [S.], seq 1138724080, ack 1112841272, win 14600, options [mss 1460], length 0
2 packets captured
2512 packets received by filter
2480 packets dropped by kernel

Display the captured packets as ASCII with tcpdump -A

#tcpdump -A -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:59:11.854350 IP dynamic-ip-adsl.viettel.vn.15512 > 103.252.252.27.https: Flags [S], seq 481797841:481797969, win 64, length 128
E.......6.B...G.g...<....... z..P..@u...XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17:59:11.854425 IP 103.252.252.27.https > dynamic-ip-adsl.viettel.vn.15512: Flags [S.], seq 1113066358, ack 481797842, win 14600, options [mss 1460], length 0
E..,..@.@...g.....G...<.BX.v....`.9.........
17:59:11.854704 IP dynamic-ip-adsl.viettel.vn.15543 > 103.252.252.27.https: Flags [S], seq 2028292746:2028292874, win 64, length 128
E...U...6.......g...<...x.J.9:j.P..@I...XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Display the captured packets as HEX and ASCII with tcpdump -XX

# tcpdump -XX -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:00:37.687621 IP static.vnpt.vn.57994 > abc.dotvndns.com.https: Flags [.], ack 3397279286, win 4140, length 0
0x0000: 0cc4 7a90 5a98 00d0 0378 e800 0800 4500 ..z.Z....x....E.
0x0010: 0028 d9aa 4000 7506 8bb5 71b1 64de 70d5 .(..@.u...q.d.p.
0x0020: 590b e28a 01bb 8357 01b8 ca7e 5e36 5010 Y......W...~^6P.
0x0030: 102c 6d2e 0000 0000 0000 0000 .,m.........
18:00:37.687637 IP static.vnpt.vn.57994 > abc.dotvndns.com.https: Flags [P.], seq 0:35, ack 1, win 4140, length 35
0x0000: 0cc4 7a90 5a98 00d0 0378 e800 0800 4500 ..z.Z....x....E.
0x0010: 004b d9ab 4000 7506 8b91 71b1 64de 70d5 .K..@.u...q.d.p.
0x0020: 590b e28a 01bb 8357 01b8 ca7e 5e36 5018 Y......W...~^6P.
0x0030: 102c 9cee 0000 1703 0300 1e25 487a 7e32 .,.........%Hz~2
0x0040: 4e97 7af7 4e40 4d21 ce78 b139 47d9 72c3 N.z.N@M!.x.9G.r.
0x0050: ab71 3636 3ee3 db74 36 .q66>..t6

Capture packets and write them to a file with tcpdump -w

#tcpdump -w demo.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
3259 packets captured
3881 packets received by filter
621 packets dropped by kernel

Read packets back from a file with tcpdump -r

#tcpdump -tttt -r demo.pcap
reading from file demo.pcap, link-type EN10MB (Ethernet)
2021-02-18 18:02:29.770767 IP dynamic-ip-adsl.viettel.vn.16713 > 103.252.252.27.https: Flags [S], seq 866762254:866762382, win 64, length 128
2021-02-18 18:02:29.770823 IP 103.252.252.27.https > dynamic-ip-adsl.viettel.vn.16713: Flags [S.], seq 50719628, ack 866762255, win 14600, options [mss 1460], length 0
2021-02-18 18:02:29.771270 IP 116.110.146.94.15789 > 103.252.252.27.https: Flags [R], seq 639778925, win 0, length 0
2021-02-18 18:02:29.776754 IP static.vdc.vn.16738 > 103.252.252.27.https: Flags [S], seq 328815628:328815756, win 64, length 128
2021-02-18 18:02:29.776822 IP 103.252.252.27.https > static.vdc.vn.16738: Flags [S.], seq 2154188082, ack 328815629, win 14600, options [mss 1460], length 0

Capture packets showing numeric IP addresses (no name resolution) with tcpdump -n

#tcpdump -n -i eth0

18:05:56.591610 IP 103.252.252.23.http > 69.118.137.52.39091: Flags [S.], seq 3498736373, ack 706941356, win 14600, options [mss 1460], length 0
18:05:56.591747 IP 15.161.49.23 > 27.0.13.166: ICMP echo request, id 21, seq 2798, length 64
18:05:56.591795 IP 27.0.13.166 > 15.161.49.23: ICMP echo reply, id 21, seq 2798, length 64
18:05:56.592495 IP 15.161.49.23 > 27.0.14.203: ICMP echo request, id 21, seq 2801, length 64

Capture packets with full date and time timestamps with tcpdump -tttt

#tcpdump -n -tttt -i eth0

2021-02-18 18:07:41.305710 IP 221.132.29.215.44104 > 112.213.89.11.https: Flags [.], ack 380509, win 2369, options [nop,nop,TS val 2899488786 ecr 757347250], length 0
2021-02-18 18:07:41.305953 IP 221.132.29.215.44104 > 112.213.89.11.https: Flags [.], ack 383405, win 2369, options [nop,nop,TS val 2899488786 ecr 757347250], length 0
2021-02-18 18:07:41.305982 IP 112.213.89.11.https > 221.132.29.215.44104: Flags [.], seq 418157:426845, ack 708, win 130, options [nop,nop,TS val 757347254 ecr 2899488786], length 8688

Capture only packets larger than N bytes

#tcpdump -w demo.pcap greater 1024

Capture only packets of a specific protocol

#tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:10:48.119873 ARP, Request who-has abc.dotvndns.vn tell 112.213.89.1, length 46
18:10:48.213887 ARP, Request who-has def.dotvndns.vn tell 112.213.89.1, length 46
18:10:48.543457 ARP, Request who-has ghi.dotvndns.vn tell mx1111.superdata.vn, length 46

Capture only packets smaller than N bytes

#tcpdump -w demo.pcap less 1024

Capture packets on a specific port with tcpdump port

#tcpdump -i eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:25:34.891756 IP msnbot-40-77-167-43.search.msn.com.7552 > mx1111.superdata.vn.http: Flags [.], ack 101751120, win 64240, length 0
18:25:34.896197 IP abc.dotvndns.com.32844 > mail.mascom.vn.http: Flags [S], seq 746035693, win 14600, options [mss 1460,nop,nop,TS val 758420844 ecr 0,nop,wscale 7], length 0
18:25:34.921003 IP mail.mascom.vn.http > abc.dotvndns.com.32844: Flags [S.], seq 337654591, ack 746035694, win 14480, options [mss 1460,nop,nop,TS val 66831860 ecr 758420844,nop,wscale 7], length 0
18:25:34.921052 IP abc.dotvndns.com.32844 > mail.mascom.vn.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 758420869 ecr 66831860], length 0

Capture packets by destination IP address and port

#tcpdump -i eth0 dst 103.252.252.27 and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:28:06.700822 IP static.vnpt.vn.38974 > 103.252.252.27.https: Flags [.], ack 0, win 0, length 0
18:28:06.702049 IP 183.80.77.57.48415 > 103.252.252.27.https: Flags [S], seq 67575498:67575626, win 64, length 128
18:28:06.704494 IP 183.80.77.57.48415 > 103.252.252.27.https: Flags [R], seq 67575499, win 0, length 0
18:28:06.708437 IP 104.30.122.203.48773 > 103.252.252.27.https: Flags [S], seq 1728988065:1728988193, win 64, length 128

tcpdump packet filters: capture all packets except arp and rarp

# tcpdump -i eth0 not arp and not rarp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:31:13.204678 IP 172.67.75.176.https > abc.dotvndns.com.35694: Flags [.], ack 3149438707, win 67, length 0
18:31:13.205426 IP 172.67.75.176.https > abc.dotvndns.com.35694: Flags [.], ack 2, win 67, length 0
18:31:13.208914 IP localhost.48702 > abc.dotvndns.com.https: Flags [S], seq 208180494, win 65535, options [mss 1400,nop,wscale 7,nop,nop,TS val 1041588212 ecr 0,sackOK,eol], length 0
18:31:13.208972 IP abc.dotvndns.com.https > localhost.48702: Flags [S.], seq 3511511742, ack 208180495, win 14480, options [mss 1460,nop,nop,TS val 758759157 ecr 1041588212,nop,wscale 7], length 0

Extract HTTP User-Agents

# tcpdump -i eth0 -nn -A -s1500 -l | grep "User-Agent:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Capture only HTTP GET and POST packets

# tcpdump -i eth0 -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:35:03.570220 IP (tos 0x0, ttl 64, id 54902, offset 0, flags [DF], proto TCP (6), length 166)
abc.dotvndns.com.40006 > mail.def.vn.http: Flags [P.], cksum 0x010f (incorrect -> 0xc155), seq 997233859:997233973, ack 1972346119, win 115, options [nop,nop,TS val 758989518 ecr 67400507], length 114
E....v@.@.cep.Y...c..F.P;p..u......s.......
-=B...s;GET /getdataxs?CMD=GETKQXSBYREGION&REGION=MN&DATE=01/01/1970 HTTP/1.0
Host: cmsxoso.wap.vn
Connection: close

18:35:03.862336 IP (tos 0x0, ttl 48, id 21389, offset 0, flags [DF], proto TCP (6), length 293)
do-prod-eu-west-clients-2212-13.do.binaryedge.ninja.36462 > 103.252.252.24.https: Flags [P.], cksum 0x54d7 (correct), seq 3158007201:3158007442, ack 1362485305, win 502, options [nop,nop,TS val 3364877514 ecr 758989604], length 241
E..%S.@.0.Rx.e.Tg....n...;].Q5.9....T......
....-=C$GET / HTTP/1.1
Host: 103.252.252.24:443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
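An added Python example (not part of the original post) that ties the -XX section and the GET filter above together: it parses the page's own hex dump back into raw bytes, decodes the Ethernet/IPv4/TCP fields that tcpdump's summary line reports (ports 57994 > 443, Flags [P.], win 4140, length 35), and then implements the byte-offset arithmetic behind tcp[((tcp[12:1] & 0xf0) >> 2):4]. Note that the page's expression matches only "GET " (0x47455420); the helper also produces the value needed for "POST". GET_SEGMENT is a constructed TCP segment, not captured traffic.

```python
import struct
# Hex dump copied from this page's `tcpdump -XX` output (second packet,
# Flags [P.], length 35); the ASCII column on the right is ignored.
PAGE_HEXDUMP = """\
0x0000: 0cc4 7a90 5a98 00d0 0378 e800 0800 4500 ..z.Z....x....E.
0x0010: 004b d9ab 4000 7506 8b91 71b1 64de 70d5 .K..@.u...q.d.p.
0x0020: 590b e28a 01bb 8357 01b8 ca7e 5e36 5018 Y......W...~^6P.
0x0030: 102c 9cee 0000 1703 0300 1e25 487a 7e32 .,.........%Hz~2
0x0040: 4e97 7af7 4e40 4d21 ce78 b139 47d9 72c3 N.z.N@M!.x.9G.r.
0x0050: ab71 3636 3ee3 db74 36 .q66>..t6"""

def parse_xx_dump(text):
    """Rebuild raw frame bytes from the hex column of `tcpdump -XX` lines."""
    frame = bytearray()
    for line in text.splitlines():
        for group in line.split()[1:9]:        # skip the "0x0010:" offset
            try:
                frame += bytes.fromhex(group)   # "4500" -> b"\x45\x00"
            except ValueError:
                break                           # hit the ASCII column
    return bytes(frame)

def decode_frame(frame):
    """Ethernet/IPv4/TCP fields that tcpdump's summary line prints."""
    assert frame[12:14] == b"\x08\x00" and frame[14 + 9] == 6, "IPv4/TCP only"
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                     # drops any Ethernet trailer padding
    sport, dport, seq, ack, doff_byte, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    doff = (doff_byte & 0xF0) >> 2              # TCP header length in bytes
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "ack": ack, "flags": flags,
            "win": win, "tcp": tcp, "payload": tcp[doff:]}

def http_method_filter(method):
    """tcpdump expression for a 4-byte method at the start of the payload:
    b"GET " gives the page's 0x47455420, b"POST" gives 0x504f5354."""
    assert len(method) == 4
    return "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x" + method.hex()

def payload_starts_with(tcp, method):
    """Python equivalent of that expression: (tcp[12] & 0xf0) >> 2 is the payload offset."""
    doff = (tcp[12] & 0xF0) >> 2
    return tcp[doff:doff + 4] == method

# Constructed segment with 12 bytes of options (doff = 8 words = 32 bytes):
# the method is not at byte 20, yet the offset arithmetic still finds it.
GET_SEGMENT = (struct.pack("!HHIIBBHHH", 40006, 80, 1, 1, 8 << 4, 0x18, 115, 0, 0)
               + b"\x01\x01\x08\x0a" + b"\x00" * 8 + b"GET / HTTP/1.0\r\n\r\n")
```

The payload decoded from the page's dump starts with 17 03 03 (a TLS application-data record), which is why a port-443 capture never matches the GET filter even though the summary line says Flags [P.].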