Overview: this 风哥教程 (Feng Ge tutorial) draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman to explain in detail how to configure and use the technologies involved.
Note from 风哥:
This document explains in detail how to use the packet-capture tools tcpdump and Wireshark to analyse network traffic and troubleshoot faults.
Part01-tcpdump basics
1.1 Basic tcpdump usage
$ sudo dnf install -y tcpdump
Last metadata expiration check: 0:45:23 ago on Thu 03 Apr 2026 18:30:15 AM CST.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
tcpdump x86_64 14:4.99.4-1.el10 baseos 456 k
Transaction Summary
================================================================================
Install 1 Packages
Total download size: 456 k
Installed size: 1.2 M
Complete!
# List the available network interfaces
$ tcpdump -D
1.eth0 [Up, Running]
2.eth1 [Up, Running]
3.lo [Up, Running, Loopback]
4.any (Pseudo-device used for monitoring all interfaces) [Up, Running]
5.bluetooth-monitor (Bluetooth Linux Monitor) [none]
6.nflog (Linux netfilter log (NFLOG) interface) [none]
7.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
# Capture packets on the eth0 interface
$ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:35:00.123456 IP 192.168.1.100.ssh > 192.168.1.10.54321: Flags [P.], seq 1:53, ack 1, win 501, options [nop,nop,TS val 12345678 ecr 87654321], length 52
18:35:00.123789 IP 192.168.1.10.54321 > 192.168.1.100.ssh: Flags [.], ack 53, win 501, options [nop,nop,TS val 87654322 ecr 12345678], length 0
18:35:00.234567 IP 192.168.1.100.ssh > 192.168.1.10.54321: Flags [P.], seq 53:105, ack 1, win 501, options [nop,nop,TS val 12345679 ecr 87654322], length 52
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
# Capture a fixed number of packets, then exit
$ sudo tcpdump -i eth0 -c 5
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:35:10.123456 IP 192.168.1.100.ssh > 192.168.1.10.54321: Flags [P.], seq 1:53, ack 1, win 501, length 52
18:35:10.123789 IP 192.168.1.10.54321 > 192.168.1.100.ssh: Flags [.], ack 53, win 501, length 0
18:35:10.234567 IP 192.168.1.100.ssh > 192.168.1.10.54321: Flags [P.], seq 53:105, ack 1, win 501, length 52
18:35:10.234890 IP 192.168.1.10.54321 > 192.168.1.100.ssh: Flags [.], ack 105, win 501, length 0
18:35:10.345678 IP 192.168.1.100.ssh > 192.168.1.10.54321: Flags [P.], seq 105:157, ack 1, win 501, length 52
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Part02-tcpdump filters
2.1 Using filters
$ sudo tcpdump -i eth0 host 192.168.1.10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:36:00.123456 IP 192.168.1.10.54321 > 192.168.1.100.ssh: Flags [P.], seq 1:53, ack 1, win 501, length 52
18:36:00.123789 IP 192.168.1.100.ssh > 192.168.1.10.54321: Flags [.], ack 53, win 501, length 0
# Filter by source host
$ sudo tcpdump -i eth0 src host 192.168.1.10
# Filter by destination host
$ sudo tcpdump -i eth0 dst host 192.168.1.100
# Filter by port
$ sudo tcpdump -i eth0 port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:36:30.123456 IP 192.168.1.10.54322 > 192.168.1.100.http: Flags [S], seq 12345678, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 12345678 ecr 0,sackOK,eol], length 0
18:36:30.123789 IP 192.168.1.100.http > 192.168.1.10.54322: Flags [S.], seq 87654321, ack 12345679, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 87654321 ecr 12345678,sackOK,eol], length 0
# Filter by protocol
$ sudo tcpdump -i eth0 tcp
$ sudo tcpdump -i eth0 udp
$ sudo tcpdump -i eth0 icmp
# Combine filters (quote the expression so the shell does not interpret it)
$ sudo tcpdump -i eth0 'host 192.168.1.10 and port 80'
# Filter by network (CIDR block)
$ sudo tcpdump -i eth0 net 192.168.1.0/24
# Filter by packet size (total frame length in bytes)
$ sudo tcpdump -i eth0 greater 100
$ sudo tcpdump -i eth0 less 1000
Part03-tcpdump output options
3.1 Verbose output and saving captures
$ sudo tcpdump -i eth0 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:37:00.123456 IP (tos 0x0, ttl 64, id 12345, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.100.ssh > 192.168.1.10.54321: Flags [S], seq 12345678, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 12345678 ecr 0,sackOK,eol], length 0
# Show more detail
$ sudo tcpdump -i eth0 -vv
# Show the most detail
$ sudo tcpdump -i eth0 -vvv
# Show MAC addresses (link-layer header)
$ sudo tcpdump -i eth0 -e
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:37:30.123456 08:00:27:12:34:56 > 08:00:27:ab:cd:ef, ethertype IPv4 (0x0800), length 60: 192.168.1.100.ssh > 192.168.1.10.54321: Flags [S], seq 12345678, win 65535, length 0
# Show hosts and ports numerically (no DNS or service-name resolution)
$ sudo tcpdump -i eth0 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:37:50.123456 IP 192.168.1.100.22 > 192.168.1.10.54321: Flags [P.], seq 1:53, ack 1, win 501, length 52
# Save the capture to a file
$ sudo tcpdump -i eth0 -w capture.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
# Read a capture back from a file
$ sudo tcpdump -r capture.pcap
reading from file capture.pcap, link-type EN10MB (Ethernet)
18:38:00.123456 IP 192.168.1.100.ssh > 192.168.1.10.54321: Flags [P.], seq 1:53, ack 1, win 501, length 52
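The file that -w writes and -r reads is the pcap container, and knowing its layout lets you inspect a capture without tcpdump, or produce a small test capture for a detection rule. The Python below is an added example, not code from the 风哥 tutorial or from the tcpdump project: it builds a constructed Ethernet/IPv4/TCP three-way handshake with valid IPv4 and TCP checksums, writes it with the same global header values tcpdump's banner reports (link-type EN10MB, snapshot length 262144), reads the file back honouring the writer's byte order, and decodes byte 13 of each TCP header, the byte that the Part05 filter tcp[tcpflags] & (tcp-syn|tcp-ack) != 0 tests. The MAC addresses, IP addresses, ports, sequence numbers and timestamps are all constructed. The resulting file opens with tcpdump -r handshake_demo.pcap or in Wireshark.

```python
"""Write and read a minimal pcap file, the container tcpdump -w / -r use (added example)."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1          # "link-type EN10MB" in tcpdump's banner
SNAPLEN = 262144               # tcpdump's default snapshot length, as in the banner above

# Flag bits of byte 13 of the TCP header, the byte tcpdump's tcp[tcpflags] indexes
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet II + IPv4 + TCP frame with valid IPv4 and TCP checksums (constructed MACs)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp) + len(payload)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x3039, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("080027abcdef") + bytes.fromhex("080027123456") + b"\x08\x00"
    return eth + ip + tcp + payload


def write_pcap(path: str, frames, first_ts: float = 1775212800.123456) -> None:
    """Write frames behind the 24-byte global header and 16-byte per-record headers of pcap."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            ts = first_ts + i * 0.000333                       # constructed timestamps
            sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))  # incl_len, orig_len
            f.write(frame)


def read_pcap(path: str) -> dict:
    """Parse a pcap file back into (timestamp, frame) pairs, honouring the writer's byte order."""
    with open(path, "rb") as f:
        data = f.read()
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    frames, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append((sec + usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "frames": frames}


def tcp_flags(frame: bytes) -> int:
    """The TCP flags byte of an Ethernet/IPv4/TCP frame: the value tcp[tcpflags] tests."""
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length, after the 14-byte Ethernet header
    return frame[14 + ihl + 13]


def flag_string(flags: int) -> str:
    """tcpdump's bracket notation: [S] for SYN, [S.] for SYN+ACK, [P.] for PSH+ACK, and so on."""
    table = [(TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PSH, "P"), (TCP_ACK, "."),
             (0x20, "U"), (0x40, "E"), (0x80, "W")]
    return "[" + "".join(ch for bit, ch in table if flags & bit) + "]"


def demo(path: str = "handshake_demo.pcap") -> dict:
    """Write a handshake plus one data segment, read it back, and apply the Part05 flag test."""
    client, server = "192.168.1.10", "192.168.1.100"
    frames = [
        build_tcp_frame(client, server, 54324, 22, 12345678, 0, TCP_SYN),
        build_tcp_frame(server, client, 22, 54324, 87654321, 12345679, TCP_SYN | TCP_ACK),
        build_tcp_frame(client, server, 54324, 22, 12345679, 87654322, TCP_ACK),
        build_tcp_frame(client, server, 54324, 22, 12345679, 87654322, TCP_PSH | TCP_ACK,
                        b"SSH-2.0-demo\r\n"),
    ]
    write_pcap(path, frames)
    cap = read_pcap(path)
    return {
        "linktype": cap["linktype"],
        "snaplen": cap["snaplen"],
        "flags": [flag_string(tcp_flags(f)) for _, f in cap["frames"]],
        "syn_or_ack": [bool(tcp_flags(f) & (TCP_SYN | TCP_ACK)) for _, f in cap["frames"]],
        "ip_checksum_ok": [checksum(f[14:34]) == 0 for _, f in cap["frames"]],
    }


if __name__ == "__main__":
    print(demo())
```

The "syn_or_ack" result is True for every frame, which shows what the Part05 expression really selects: any segment with SYN or ACK set, which is nearly every TCP segment once a connection is up. To keep only the opening SYNs, compare against the mask instead of testing for non-zero, for example tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn.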
Part04-Using Wireshark
4.1 The Wireshark graphical interface
$ sudo dnf install -y wireshark
Last metadata expiration check: 0:45:23 ago on Thu 03 Apr 2026 18:40:15 AM CST.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
wireshark x86_64 4.2.2-1.el10 appstream 12 M
Transaction Summary
================================================================================
Install 1 Packages
Total download size: 12 M
Installed size: 45 M
Complete!
# Start Wireshark (graphical interface)
$ wireshark &
# Use the tshark command-line tool
$ sudo tshark -i eth0 -c 10
Capturing on 'eth0'
1 0.000000000 192.168.1.100 → 192.168.1.10 SSH 92 Server: Encrypted packet
2 0.000234567 192.168.1.10 → 192.168.1.100 TCP 60 54321 → 22 [ACK] Seq=1 Ack=53 Win=501 Len=0
3 0.000456789 192.168.1.100 → 192.168.1.10 SSH 92 Server: Encrypted packet
4 0.000678901 192.168.1.10 → 192.168.1.100 TCP 60 54321 → 22 [ACK] Seq=1 Ack=105 Win=501 Len=0
5 0.000890123 192.168.1.100 → 192.168.1.10 SSH 92 Server: Encrypted packet
10 packets captured
# tshark capture filter (-f takes BPF syntax, as tcpdump does)
$ sudo tshark -i eth0 -f "port 80" -c 10
# tshark display filter (-Y takes Wireshark display-filter syntax)
$ sudo tshark -i eth0 -Y "http" -c 10
# Save the capture to a file
$ sudo tshark -i eth0 -w output.pcap -c 100
Part05-Hands-on capture analysis
5.1 Analysing common protocols
$ sudo tcpdump -i eth0 -A -s 0 'tcp port 80'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:40:00.123456 IP 192.168.1.10.54322 > 192.168.1.100.http: Flags [P.], seq 1:100, ack 1, win 501, length 99: HTTP: GET / HTTP/1.1
E.....@.@..@.d...d....P..M..v...........GET / HTTP/1.1
Host: 192.168.1.100
User-Agent: curl/7.88.1
Accept: */*
# Capture DNS traffic
$ sudo tcpdump -i eth0 -n port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:40:30.123456 IP 192.168.1.100.54323 > 8.8.8.8.domain: 12345+ A? www.google.com. (32)
18:40:30.134567 IP 8.8.8.8.domain > 192.168.1.100.54323: 12345 1/0/0 A 142.250.185.68 (48)
# Capture ICMP traffic
$ sudo tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:41:00.123456 IP 192.168.1.100 > 8.8.8.8: ICMP echo request, id 12345, seq 1, length 64
18:41:00.134567 IP 8.8.8.8 > 192.168.1.100: ICMP echo reply, id 12345, seq 1, length 64
# Capture the TCP three-way handshake
$ sudo tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:41:30.123456 IP 192.168.1.10.54324 > 192.168.1.100.22: Flags [S], seq 12345678, win 65535, length 0
18:41:30.123789 IP 192.168.1.100.22 > 192.168.1.10.54324: Flags [S.], seq 87654321, ack 12345679, win 65535, length 0
18:41:30.124012 IP 192.168.1.10.54324 > 192.168.1.100.22: Flags [.], ack 1, win 65535, length 0
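The filter primitives from Part02 and the handshake capture just above can both be checked off-line against the text tcpdump prints, which is useful when a capture has already been saved as plain output. The Python below is an added example, not code from the 风哥 tutorial: it parses tcpdump's one-line IPv4/TCP output (as produced with -n, so ports are numeric), re-evaluates the host / src host / dst host / port / net primitives on the parsed records, and pairs [S], [S.] and [.] lines into completed three-way handshakes while listing SYNs that were never answered. The sample lines, addresses and sequence numbers are constructed to match the tutorial's format; the parser covers only the TCP line shape shown here, not the DNS or ICMP lines.

```python
"""Parse tcpdump's one-line TCP output and post-filter it (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the tutorial's format (tcpdump -n): a handshake to port 22,
# one HTTP request, and a lone SYN from another host that is never answered.
SAMPLE = """\
18:41:30.123456 IP 192.168.1.10.54324 > 192.168.1.100.22: Flags [S], seq 12345678, win 65535, length 0
18:41:30.123789 IP 192.168.1.100.22 > 192.168.1.10.54324: Flags [S.], seq 87654321, ack 12345679, win 65535, length 0
18:41:30.124012 IP 192.168.1.10.54324 > 192.168.1.100.22: Flags [.], ack 1, win 65535, length 0
18:41:30.200000 IP 192.168.1.10.54322 > 192.168.1.100.80: Flags [P.], seq 1:100, ack 1, win 501, length 99
18:41:30.300000 IP 10.0.0.5.40000 > 192.168.1.100.80: Flags [S], seq 555, win 65535, length 0
"""

# "IP a.b.c.d.PORT > e.f.g.h.PORT: Flags [..], ..." is the shape tcpdump uses for IPv4 TCP
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # tcpdump notation: S = SYN, "." = ACK, P = PSH, F = FIN, R = RST
    seq: Optional[int]    # first number of "seq a:b" (absolute on SYN lines, relative later)
    ack: Optional[int]
    length: int           # TCP payload length, not the on-wire frame size


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for an IPv4/TCP line, or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None

    def number(name: str) -> Optional[int]:
        found = re.search(r"\b%s (\d+)" % name, m["rest"])
        return int(found[1]) if found else None

    return Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"],
                  number("seq"), number("ack"), number("length") or 0)


def matches(p: Packet, host=None, src=None, dst=None, port=None, net=None) -> bool:
    """Re-evaluate the Part02 primitives: host and port match either end of the packet,
    src/dst match one end, net matches when either address lies inside the CIDR block."""
    if host and host not in (p.src, p.dst):
        return False
    if src and p.src != src:
        return False
    if dst and p.dst != dst:
        return False
    if port and port not in (p.sport, p.dport):
        return False
    if net:
        block = ipaddress.ip_network(net, strict=False)
        if not any(ipaddress.ip_address(a) in block for a in (p.src, p.dst)):
            return False
    return True


Flow = Tuple[str, int, str, int]   # (client, client port, server, server port)


def find_handshakes(packets: List[Packet]) -> Tuple[List[Flow], List[Flow]]:
    """Pair [S] / [S.] / [.] into completed handshakes; also return SYNs left half-open.

    The SYN-ACK must acknowledge the SYN's sequence number plus one. tcpdump prints
    absolute numbers on those two lines and relative ones afterwards (unless run
    with -S), so the client's final ACK is the "." line acknowledging 1.
    """
    pending = {}          # Flow -> (stage, client's SYN sequence number)
    completed = []
    for p in packets:
        key: Flow = (p.src, p.sport, p.dst, p.dport)
        rkey: Flow = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S" and p.seq is not None:
            pending[key] = (1, p.seq)
        elif (p.flags == "S." and rkey in pending and pending[rkey][0] == 1
              and p.ack == pending[rkey][1] + 1):
            pending[rkey] = (2, pending[rkey][1])
        elif p.flags == "." and key in pending and pending[key][0] == 2 and p.ack == 1:
            completed.append(key)
            del pending[key]
    return completed, list(pending)


def analyse(text: str = SAMPLE) -> dict:
    """Apply a few Part02 filters and the handshake pairing to captured text."""
    packets = [p for p in map(parse_line, text.splitlines()) if p]
    completed, half_open = find_handshakes(packets)
    return {
        "parsed": len(packets),
        "host_192_168_1_10": [p.ts for p in packets if matches(p, host="192.168.1.10")],
        "port_80": sum(matches(p, port=80) for p in packets),
        "net_192_168_1_0_24": sum(matches(p, net="192.168.1.0/24") for p in packets),
        "completed_handshakes": completed,
        "half_open_syns": half_open,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

A long list of half-open SYNs against one server from a single source is the kind of pattern a defender wants surfaced from a capture; the pairing logic above is the minimal check for it, and it only works on text captured with -n, since name resolution would turn ports into service names the regex does not accept.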
# Analyse a specific TCP stream
$ sudo tcpdump -i eth0 -A -s 0 'tcp port 22 and host 192.168.1.10'
1. Use filters to reduce the amount of captured data
2. Save captures to a file for offline analysis
3. Use Wireshark for in-depth analysis
4. Take care to protect sensitive information in captures
5. Set capture parameters sensibly
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
