设为首页收藏本站
开启辅助访问

Linux使用tcpdump命令抓包保存pcap文件wireshark分析

 您所在的位置:网站首页 tcpdump抓包保存文件位置 Linux使用tcpdump命令抓包保存pcap文件wireshark分析

Linux使用tcpdump命令抓包保存pcap文件wireshark分析

2024-07-12 10:36| 来源: 网络整理| 查看: 265

[root@ok Desktop]# yum search tcpdump Loaded plugins: fastestmirror, refresh-packagekit, security Loading mirror speeds from cached hostfile * base: mirrors.yun-idc.com * extras: mirrors.yun-idc.com * updates: mirrors.yun-idc.com ======================================================================= N/S Matched: tcpdump ======================================================================== tcpdump.x86_64 : A network traffic monitoring tool Name and summary matches only, use "search all" for everything. [root@ok Desktop]# which tcpdump /usr/sbin/tcpdump [root@ok Desktop]# tcpdump -h tcpdump version 4.1-PRE-CVS_2015_07_23 libpcap version 1.4.0 Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ] [ -i interface ] [ -j tstamptype ] [ -M secret ] [ -P in|out|inout ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ] [ -Z user ] [ expression ] [root@ok Desktop]# yum search wireshark Loaded plugins: fastestmirror, refresh-packagekit, security Loading mirror speeds from cached hostfile * base: mirrors.yun-idc.com * extras: mirrors.yun-idc.com * updates: mirrors.yun-idc.com ================================================ N/S Matched: wireshark ================================================ wireshark-devel.i686 : Development headers and libraries for wireshark wireshark-devel.x86_64 : Development headers and libraries for wireshark wireshark-gnome.x86_64 : Gnome desktop integration for wireshark and wireshark-usermode wireshark.i686 : Network traffic analyzer wireshark.x86_64 : Network traffic analyzer Name and summary matches only, use "search all" for everything.

安装:

[root@ok Desktop]# yum install wireshark* -y [root@ok Desktop]# which wireshark /usr/sbin/wireshark [root@ok Desktop]# rpm -qa|grep wiresharkwireshark-devel-1.8.10-17.el6.x86_64wireshark-1.8.10-17.el6.x86_64wireshark-gnome-1.8.10-17.el6.x86_64

保存tcpdump抓包结果

[root@bass Desktop]# tcpdump -i eth0 -w dump.pcap -i #是指定要抓取的网卡 -w #指定结果保存的位置 [root@bass Desktop]# tcpdump -i eth0 -w dump.pcap -v tcpdump: WARNING: eth0: no IPv4 address assigned tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 189 packets captured 189 packets received by filter 0 packets dropped by kernel -v#主要是为了得到Got 15这个数,当想要停止的时候,按下ctrl + c [root@bass Desktop]# ll -h dump.pcap -rw-r--r--. 1 tcpdump tcpdump 18K Aug 30 13:19 dump.pcap

在wireshark中打开

[root@bass Desktop]# wireshark dump.pcap #linux下查看

我们用tcpdump抓包的时候,默认是显示这样的 在这里插入图片描述 图中标出三块区域,红色框内,是用来显示简单的数据包信息,我们用tcpdump抓包如时候,默认情况是显示成这样的;深蓝框内,是用来显示选中的数据包的详细信息,是按照TCP/IP四层结构显示的,第一行是数据链路层的信息,第二行是网络层信息(IP协议),第三行是传输层信息(TCP协议),第四层是应用层信息(HTTP协议),可以展开第一行用来观察具体的内容;最后一个区域淡蓝色框中,是用来显示此数据包的真实面目。(下图列清楚) 在这里插入图片描述

sh-4.1# tcpdump -i eth0 -c 20 -w 20gebao -v tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 20 packets captured 20 packets received by filter 0 packets dropped by kernel

使用-c参数指定要监听到的数据包数量



【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3