-
Notifications
You must be signed in to change notification settings - Fork 425
/
Copy pathtcpdump.html
406 lines (357 loc) · 25.8 KB
/
tcpdump.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2. tcpdump - A powerful tool for network monitoring and data acquisition</title><link rel="stylesheet" type="text/css" href="/docbook.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><meta name="keywords" content="Sniffer, Scanner, Vulnerability, Penetration, nmap, tcpdump, sqlmap, Nessus, Backtrack" /><link rel="home" href="index.html" title="Netkiller Security 手札" /><link rel="up" href="sniffer.html" title="第 2 章 Sniffer" /><link rel="prev" href="sniffer.html" title="第 2 章 Sniffer" /><link rel="next" href="cdpr.html" title="2.3. cdpr - Cisco Discovery Protocol Reporter" /></head><body><a xmlns="" href="http://www.netkiller.cn/">Home</a> |
<a xmlns="" href="http://netkiller.github.io/">简体中文</a> |
<a xmlns="" href="http://netkiller.sourceforge.net/">繁体中文</a> |
<a xmlns="" href="/journal/index.html">杂文</a> |
<a xmlns="" href="//www.netkiller.cn/home/donations.html">打赏(Donations)</a> |
<a xmlns="" href="http://netkiller-github-com.iteye.com/">ITEYE 博客</a> |
<a xmlns="" href="http://my.oschina.net/neochen/">OSChina 博客</a> |
<a xmlns="" href="https://www.facebook.com/bg7nyt">Facebook</a> |
<a xmlns="" href="http://cn.linkedin.com/in/netkiller/">Linkedin</a> |
<a xmlns="" href="https://zhuanlan.zhihu.com/netkiller">知乎专栏</a> |
<a xmlns="" href="/search.html">Search</a> |
<a xmlns="" href="mailto:netkiller@msn.com">Email</a><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">2.2. tcpdump - A powerful tool for network monitoring and data acquisition</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sniffer.html">上一页</a> </td><th width="60%" align="center">第 2 章 Sniffer</th><td width="20%" align="right"> <a accesskey="n" href="cdpr.html">下一页</a></td></tr></table><hr /></div><table xmlns=""><tr><td><iframe src="http://ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=watch&count=true&size=large" height="30" width="170" frameborder="0" scrolling="0" style="width:170px; height: 30px;" allowTransparency="true"></iframe></td><td><iframe src="http://ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=fork&count=true&size=large" height="30" width="170" frameborder="0" scrolling="0" style="width:170px; height: 30px;" allowTransparency="true"></iframe></td><td><iframe src="http://ghbtns.com/github-btn.html?user=netkiller&type=follow&count=true&size=large" height="30" width="240" frameborder="0" scrolling="0" style="width:240px; height: 30px;" allowTransparency="true"></iframe></td></tr></table><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="tcpdump"></a>2.2. tcpdump - A powerful tool for network monitoring and data acquisition</h2></div></div></div>
<span class="command"><strong>tcpdump</strong></span>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp37"></a>2.2.1. 监控网络适配器接口</h3></div></div></div>
<pre class="screen">
$ sudo tcpdump -n -i eth1
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp38"></a>2.2.2. 监控主机</h3></div></div></div>
<span class="command"><strong>tcpdump host 172.16.5.51</strong></span>
<pre class="screen">
# tcpdump host 172.16.5.51
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:49:26.202556 IP 172.16.1.3 > 172.16.5.51: ICMP echo request, id 4, seq 22397, length 40
17:49:26.203002 IP 172.16.5.51 > 172.16.1.3: ICMP echo reply, id 4, seq 22397, length 40
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp39"></a>2.2.3. 监控TCP端口</h3></div></div></div>
<p>显示所有到的FTP会话</p>
<pre class="screen">
# tcpdump -i eth1 'dst 202.40.100.5 and (port 21 or 20)'
</pre>
<pre class="screen">
$ tcpdump -n -i eth0 port 80
</pre>
<p>监控网络但排除 SSH 22 端口</p>
<pre class="screen">
$ sudo tcpdump -n not dst port 22 and not src port 22
</pre>
<p>显示所有到192.168.0.5的HTTP会话</p>
<pre class="screen">
# tcpdump -ni eth0 'dst 192.168.0.5 and tcp and port http'
</pre>
<p>监控DNS的网络流量</p>
<pre class="screen">
# tcpdump -i eth0 'udp port 53'
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp40"></a>2.2.4. 监控协议</h3></div></div></div>
<pre class="screen">
$ tcpdump -n -i eth0 icmp or arp
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp41"></a>2.2.5. 输出到文件</h3></div></div></div>
<pre class="screen">
# tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80
</pre>
<p>使用wireshark分析输出文件,下面地址下载</p>
<p>http://www.wireshark.org/</p>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp42"></a>2.2.6. src / dst</h3></div></div></div>
<p>src 监控源</p>
<pre class="screen">
# tcpdump -ni eth1 'tcp and src port 3000'
</pre>
<p>dst 监控目的地</p>
<pre class="screen">
# tcpdump -ni eth1 'tcp and dst port smtp'
</pre>
<p>演示 src 与 dst</p>
<pre class="screen">
[root@netkiller ~]# tcpdump -ni eth1 'tcp and dst port 3000'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:08:11.763041 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [S], seq 2048018668, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763383 IP 219.90.123.138.12047 > 47.90.44.87.hbci: Flags [S], seq 2468955264, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763774 IP 219.90.123.138.27092 > 47.90.44.87.hbci: Flags [S], seq 3069483725, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.763855 IP 219.90.123.138.8602 > 47.90.44.87.hbci: Flags [S], seq 2460960642, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.764323 IP 219.90.123.138.10480 > 47.90.44.87.hbci: Flags [S], seq 1687488150, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:11.786487 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 1705484229, win 257, length 0
09:08:11.786535 IP 219.90.123.138.12047 > 47.90.44.87.hbci: Flags [.], ack 461089870, win 257, length 0
09:08:11.786543 IP 219.90.123.138.27092 > 47.90.44.87.hbci: Flags [.], ack 2893320938, win 257, length 0
09:08:11.788955 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [P.], seq 0:1025, ack 1, win 257, length 1025
09:08:11.789671 IP 219.90.123.138.10480 > 47.90.44.87.hbci: Flags [.], ack 1815033342, win 257, length 0
09:08:11.789692 IP 219.90.123.138.8602 > 47.90.44.87.hbci: Flags [.], ack 1519500600, win 257, length 0
09:08:11.886937 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 2415, win 257, length 0
09:08:11.889665 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 5215, win 257, length 0
09:08:11.893673 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 8015, win 257, length 0
09:08:11.904151 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 10815, win 257, length 0
09:08:11.904707 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 13615, win 257, length 0
09:08:11.914796 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 17815, win 257, length 0
09:08:11.923904 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 19215, win 257, length 0
09:08:11.979687 IP 219.90.123.138.28270 > 47.90.44.87.hbci: Flags [.], ack 19880, win 254, length 0
09:08:14.761388 IP 219.90.123.138.28461 > 47.90.44.87.hbci: Flags [S], seq 3215826970, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
09:08:14.782284 IP 219.90.123.138.28461 > 47.90.44.87.hbci: Flags [.], ack 1574781090, win 257, length 0
^C
21 packets captured
22 packets received by filter
0 packets dropped by kernel
[root@netkiller ~]# tcpdump -ni eth1 'tcp and src port 3000'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:08:41.241996 IP 47.90.44.87.hbci > 219.90.123.138.28461: Flags [F.], seq 1574781090, ack 3215826972, win 115, length 0
09:08:41.242395 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [S.], seq 1277500664, ack 2163858186, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.242498 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [S.], seq 1906857203, ack 3261786724, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.243081 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [S.], seq 3451566690, ack 2095717279, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.243223 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [S.], seq 943843868, ack 3740664697, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.243413 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [S.], seq 1814275155, ack 3577858982, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:08:41.247070 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], ack 2048020719, win 147, length 0
09:08:41.436542 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [P.], seq 0:1014, ack 1, win 147, length 1014
09:08:41.436595 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 1014:3814, ack 1, win 147, length 2800
09:08:41.436608 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 3814:6614, ack 1, win 147, length 2800
09:08:41.436613 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 6614:9414, ack 1, win 147, length 2800
09:08:41.436617 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 9414:12214, ack 1, win 147, length 2800
09:08:41.436624 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 12214:13614, ack 1, win 147, length 1400
09:08:41.458774 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 13614:16414, ack 1, win 147, length 2800
09:08:41.461374 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 16414:19214, ack 1, win 147, length 2800
09:08:41.461388 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [P.], seq 19214:19879, ack 1, win 147, length 665
09:08:41.485084 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [.], ack 1011, win 130, length 0
09:08:41.485958 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], ack 999, win 130, length 0
09:08:41.486888 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [.], ack 998, win 130, length 0
09:08:41.487791 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [.], ack 1005, win 130, length 0
09:08:41.488224 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 1:139, ack 999, win 130, length 138
09:08:41.488291 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [.], ack 983, win 130, length 0
09:08:41.489100 IP 47.90.44.87.hbci > 219.90.123.138.24925: Flags [P.], seq 1:139, ack 1011, win 130, length 138
09:08:41.491998 IP 47.90.44.87.hbci > 219.90.123.138.27152: Flags [P.], seq 1:139, ack 998, win 130, length 138
09:08:41.492653 IP 47.90.44.87.hbci > 219.90.123.138.28270: Flags [.], seq 12214:13614, ack 1, win 147, length 1400
09:08:41.494013 IP 47.90.44.87.hbci > 219.90.123.138.25265: Flags [P.], seq 1:139, ack 1005, win 130, length 138
09:08:41.499825 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [P.], seq 1:139, ack 983, win 130, length 138
09:08:41.514427 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 139:277, ack 1980, win 146, length 138
09:08:41.688727 IP 47.90.44.87.hbci > 219.90.123.138.27145: Flags [P.], seq 139:277, ack 2005, win 146, length 138
09:08:41.689548 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 277:415, ack 2998, win 162, length 138
09:08:41.824277 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 415:651, ack 3932, win 178, length 236
09:08:41.824391 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 651:3451, ack 3932, win 178, length 2800
09:08:41.824427 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 3451:6251, ack 3932, win 178, length 2800
09:08:41.824451 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [.], seq 6251:7651, ack 3932, win 178, length 1400
09:08:41.846233 IP 47.90.44.87.hbci > 219.90.123.138.27571: Flags [P.], seq 7651:8537, ack 3932, win 178, length 886
^C
35 packets captured
36 packets received by filter
0 packets dropped by kernel
# tcpdump -ni any 'tcp and dst host 184.105.206.82 and port 25'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
05:46:31.833762 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [.], ack 231639512, win 229, options [nop,nop,TS val 2464661680 ecr 1677502875], length 0
05:46:31.833826 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 2464661680 ecr 1677502875], length 21
05:46:32.515302 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 21:52, ack 62, win 229, options [nop,nop,TS val 2464662361 ecr 1677503046], length 31
05:46:32.886948 IP 107.178.142.42.49771 > 184.105.206.82.smtp: Flags [P.], seq 52:80, ack 70, win 229, options [nop,nop,TS val 2464662733 ecr 1677503139], length 28
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="tcpdump.save"></a>2.2.7. 保存结果</h3></div></div></div>
<pre class="screen">
tcpdump -w tmp.pcap port not 22
tcpdump -r tmp.pcap -nnA
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="tcpdump.cdp"></a>2.2.8. Cisco Discovery Protocol (CDP)</h3></div></div></div>
<pre class="screen">
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
[sudo] password for neo:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
13:51:31.825893 CDPv2, ttl: 180s, checksum: 692 (unverified), length 375
Device-ID (0x01), length: 7 bytes: '4A3750G'
Version String (0x05), length: 182 bytes:
Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 19:15 by nachen
Platform (0x06), length: 23 bytes: 'cisco WS-C3750G-24TS-1U'
Address (0x02), length: 13 bytes: IPv4 (1) 193.168.0.254
Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15'
Capability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 3 bytes: 'example'
Native VLAN ID (0x0a), length: 2 bytes: 11
Duplex (0x0b), length: 1 byte: full
AVVID trust bitmap (0x12), length: 1 byte: 0x00
AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
Management Addresses (0x16), length: 13 bytes: IPv4 (1) 193.168.0.254
unknown field type (0x1a), length: 12 bytes:
0x0000: 0000 0001 0000 0000 ffff ffff
1 packets captured
1 packets received by filter
0 packets dropped by kernel
</pre>
<pre class="screen">
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
13:52:03.451238 CDPv2, ttl: 180s, checksum: 692 (unverified), length 420
Device-ID (0x01), length: 9 bytes: 'O9-Switch'
Version String (0x05), length: 248 bytes:
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 05-May-11 16:56 by prod_rel_team
Platform (0x06), length: 22 bytes: 'cisco WS-C2960S-48TD-L'
Address (0x02), length: 4 bytes:
Port-ID (0x03), length: 20 bytes: 'GigabitEthernet1/0/8'
Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 0 byte: ''
1 packets captured
3 packets received by filter
0 packets dropped by kernel
</pre>
<pre class="screen">
$ sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' | grep GigabitEthernet
[sudo] password for neo:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
Port-ID (0x03), length: 21 bytes: 'GigabitEthernet1/0/15'
1 packets captured
1 packets received by filter
0 packets dropped by kernel
</pre>
<p><a class="link" href="cdpr.html" title="2.3. cdpr - Cisco Discovery Protocol Reporter">cdpr - Cisco Discovery Protocol Reporter</a></p>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Flags"></a>2.2.9. Flags</h3></div></div></div>
<p>每一行中间都有这个包所携带的标志:</p>
<pre class="screen">
Flags [*](
S=SYN 发起连接标志
P=PUSH 传送数据标志
F=FIN 关闭连接标志
ack 表示确认包
RST= RESET 异常关闭连接
. 表示没有任何标志
)
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="example"></a>2.2.10. 案例</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="icmp"></a>2.2.10.1. 监控80端口与icmp,arp</h4></div></div></div>
<pre class="screen">
$ tcpdump -n -i eth0 port 80 or icmp or arp
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="mysql"></a>2.2.10.2. monitor mysql tcp package</h4></div></div></div>
<pre class="screen">
#!/bin/bash
tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | perl -e '
while(<>) { chomp; next if /^[^ ]+[ ]*$/;
if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
if (defined $q) { print "$q\n"; }
$q=$_;
} else {
$_ =~ s/^[ \t]+//; $q.=" $_";
}
}'
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="http"></a>2.2.10.3. HTTP 包</h4></div></div></div>
<pre class="screen">
tcpdump -i eth0 -s 0 -l -w - dst port 80 | strings
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="syn"></a>2.2.10.4. 显示SYN、FIN和ACK-only包</h4></div></div></div>
<p>显示所有进出80端口IPv4 HTTP包,也就是只打印包含数据的包。例如:SYN、FIN包和ACK-only包输入:</p>
<pre class="screen">
# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="oracle"></a>2.2.10.5. 嗅探 Oracle 错误</h4></div></div></div>
<pre class="screen">
tcpdump -i eth1 tcp port 1521 -A -s1500 | awk '$1 ~ "ORA-" {i=1;split($1,t,"ORA-");while (i <= NF) {if (i == 1) {printf("%s","ORA-"t[2])}else {printf("%s ",$i)};i++}printf("\n")}'
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="smtp"></a>2.2.10.6. smtp</h4></div></div></div>
<pre class="screen">
# tcpdump -nni any -x -X port 25 | more
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
05:55:43.133217 IP 184.105.206.85.25 > 59.153.146.101.42756: Flags [P.], seq 3205055214:3205055222, ack 3276605059, win 16022, options [nop,nop,TS val 2899843510 ecr 1568241053], length 8
0x0000: 4500 003c c773 4000 3b06 238b b869 ce55 E..<.s@.;.#..i.U
0x0010: 3b99 9265 0019 a704 bf09 42ee c34d 0683 ;..e......B..M..
0x0020: 8018 3e96 1803 0000 0101 080a acd8 19b6 ..>.............
0x0030: 5d79 759d 3235 3020 4f6b 0d0a 0000 0000 ]yu.250.Ok......
0x0040: 0000 0000 0000 0000 0000 0000 ............
05:55:43.133247 IP 59.153.146.101.42756 > 184.105.206.85.25: Flags [.], ack 8, win 115, options [nop,nop,TS val 1568241323 ecr 2899843510], length 0
0x0000: 4500 0034 0478 4000 4006 e18e 3b99 9265 E..4.x@.@...;..e
0x0010: b869 ce55 a704 0019 c34d 0683 bf09 42f6 .i.U.....M....B.
0x0020: 8010 0073 54e4 0000 0101 080a 5d79 76ab ...sT.......]yv.
0x0030: acd8 19b6 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
05:55:43.133321 IP 59.153.146.101.42756 > 184.105.206.85.25: Flags [P.], seq 1:32, ack 8, win 115, options [nop,nop,TS val 1568241323 ecr 2899843510], length 31
0x0000: 4500 0053 0479 4000 4006 e16e 3b99 9265 E..S.y@.@..n;..e
0x0010: b869 ce55 a704 0019 c34d 0683 bf09 42f6 .i.U.....M....B.
0x0020: 8018 0073 5503 0000 0101 080a 5d79 76ab ...sU.......]yv.
0x0030: acd8 19b6 4d41 494c 2046 524f 4d3a 3c6e ....MAIL.FROM:<n
0x0040: 6f72 6570 6c79 4063 6631 3339 2e63 6f6d oreply@139.com
0x0050: 3e0d 0a00 0000 0000 0000 0000 0000 0000 >...............
0x0060: 0000 00 ...
05:55:43.142280 IP 184.105.206.85.25 > 59.153.146.101.42756: Flags [.], ack 32, win 16022, options [nop,nop,TS val 2899843513 ecr 1568241323], length 0
0x0000: 4500 0034 c774 4000 3b06 2392 b869 ce55 E..4.t@.;.#..i.U
0x0010: 3b99 9265 0019 a704 bf09 42f6 c34d 06a2 ;..e......B..M..
0x0020: 8010 3e96 d5a5 0000 0101 080a acd8 19b9 ..>.............
0x0030: 5d79 76ab 0000 0000 0000 0000 0000 0000 ]yv.............
0x0040: 0000 0000 ....
05:55:43.270436 IP 203.205.160.43.25 > 202.88.38.95.39594: Flags [.], ack 1271517256, win 159, options [nop,nop,TS val 1663885325 ecr 1568241310], length 0
0x0000: 4500 0034 18e5 4000 3806 cd2e cbcd a02b E..4..@.8......+
0x0010: ca58 265f 0019 9aaa 800c c423 4bc9 d048 .X&_.......#K..H
0x0020: 8010 009f 0716 0000 0101 080a 632c e00d ............c,..
0x0030: 5d79 769e 0000 0000 0000 0000 0000 0000 ]yv.............
0x0040: 0000 0000 ....
</pre>
<p>嗅探用户密码</p>
<pre class="screen">
# tcpdump -i any port http or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|userna me:|password:|login:|pass |user '
# tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
</pre>
<pre class="screen">
# tcpdump -A -q -i any port 25 | grep "RCPT TO:"
# tcpdump -l -s0 -w - tcp dst port 25 | strings | grep -i 'MAIL FROM\|RCPT TO'
</pre>
<pre class="screen">
</pre>
</div>
</div>
</div><div xmlns="" id="disqus_thread"></div><script xmlns="">
var disqus_config = function () {
this.page.url = "http://www.netkiller.cn"; // Replace PAGE_URL with your page's canonical URL variable
this.page.identifier = 'netkiller'; // Replace PAGE_IDENTIFIER with your page's unique identifier variable
};
(function() { // DON'T EDIT BELOW THIS LINE
var d = document, s = d.createElement('script');
s.src = '//netkiller.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
</script><noscript xmlns="">Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript><br xmlns="" /><script xmlns="" type="text/javascript" id="clustrmaps" src="//cdn.clustrmaps.com/map_v2.js?u=r5HG&d=9mi5r_kkDC8uxG8HuY3p4-2qgeeVypAK9vMD-2P6BYM"></script><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sniffer.html">上一页</a> </td><td width="20%" align="center"><a accesskey="u" href="sniffer.html">上一级</a></td><td width="40%" align="right"> <a accesskey="n" href="cdpr.html">下一页</a></td></tr><tr><td width="40%" align="left" valign="top">第 2 章 Sniffer </td><td width="20%" align="center"><a accesskey="h" href="index.html">起始页</a></td><td width="40%" align="right" valign="top"> 2.3. cdpr - Cisco Discovery Protocol Reporter</td></tr></table></div><script xmlns="">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-11694057-1', 'auto');
ga('send', 'pageview');
</script><script xmlns="" async="async">
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "https://hm.baidu.com/hm.js?93967759a51cda79e49bf4e34d0b0f2c";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
</script><script xmlns="" async="async">
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
</script><script xmlns="" type="text/javascript" src="/js/q.js" async="async"></script></body></html>