VIDEOCUBE
How to use TCPDump
tcpdump is a program that prints the headers of the packets passing through a network interface that match a given filter expression.
On a CentOS 6 minimal install it is not present by default, so install it with yum:
yum install tcpdump
Among the dependencies you will see libpcap.
pcap stands for packet capture; tcpdump is an application built on that library.
We will use pcap for development later; today, let's read some packet contents with a few commands.
root@linux-01:/root> tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:43:38.557914 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 224829087:224829279, ack 2181104370, win 249, options [nop,nop,TS val 4294942793 ecr 982324183], length 192
01:43:38.558092 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 192, win 4090, options [nop,nop,TS val 982324511 ecr 4294942793], length 0
01:43:38.570289 IP 192.168.1.10.46652 > 192.168.1.6.domain: 31829+ PTR? 101.1.168.192.in-addr.arpa. (44)
01:43:38.571062 IP 192.168.1.6.domain > 192.168.1.10.46652: 31829 NXDomain* 0/1/0 (101)
01:43:38.571215 IP 192.168.1.10.45042 > 192.168.1.6.domain: 79+ PTR? 10.1.168.192.in-addr.arpa. (43)
01:43:38.571586 IP 192.168.1.6.domain > 192.168.1.10.45042: 79 NXDomain* 0/1/0 (100)
01:43:38.571873 IP 192.168.1.10.58179 > 192.168.1.6.domain: 20938+ PTR? 6.1.168.192.in-addr.arpa. (42)
01:43:38.572105 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 192:560, ack 1, win 249, options [nop,nop,TS val 4294942809 ecr 982324511], length 368
01:43:38.572152 IP 192.168.1.6.domain > 192.168.1.10.58179: 20938 NXDomain* 0/1/0 (99)
01:43:38.572275 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 560, win 4084, options [nop,nop,TS val 982324525 ecr 4294942809], length 0
01:43:38.572757 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 560:1488, ack 1, win 249, options [nop,nop,TS val 4294942810 ecr 982324525], length 928
01:43:38.572933 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 1488, win 4067, options [nop,nop,TS val 982324525 ecr 4294942810], length 0
01:43:38.573942 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 1488:1840, ack 1, win 249, options [nop,nop,TS val 4294942811 ecr 982324525], length 352
01:43:38.574154 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 1840, win 4085, options [nop,nop,TS val 982324526 ecr 4294942811], length 0
01:43:38.574933 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 1840:2192, ack 1, win 249, options [nop,nop,TS val 4294942812 ecr 982324526], length 352
01:43:38.575068 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 2192, win 4085, options [nop,nop,TS val 982324526 ecr 4294942812], length 0
01:43:38.575886 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 2192:2544, ack 1, win 249, options [nop,nop,TS val 4294942813 ecr 982324526], length 352
01:43:38.576033 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 2544, win 4085, options [nop,nop,TS val 982324527 ecr 4294942813], length 0
01:43:38.576938 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 2544:2896, ack 1, win 249, options [nop,nop,TS val 4294942814 ecr 982324527], length 352
01:43:38.577116 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 2896, win 4085, options [nop,nop,TS val 982324528 ecr 4294942814], length 0
01:43:38.577917 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 2896:3248, ack 1, win 249, options [nop,nop,TS val 4294942815 ecr 982324528], length 352
01:43:38.578093 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 3248, win 4085, options [nop,nop,TS val 982324528 ecr 4294942815], length 0
01:43:38.578931 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 3248:3600, ack 1, win 249, options [nop,nop,TS val 4294942816 ecr 982324528], length 352
01:43:38.579090 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 3600, win 4085, options [nop,nop,TS val 982324529 ecr 4294942816], length 0
01:43:38.579896 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 3600:3952, ack 1, win 249, options [nop,nop,TS val 4294942817 ecr 982324529], length 352
01:43:38.580085 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 3952, win 4085, options [nop,nop,TS val 982324529 ecr 4294942817], length 0
01:43:38.580816 IP 192.168.1.10.ssh > 192.168.1.101.52970: Flags [P.], seq 3952:4304, ack 1, win 249, options [nop,nop,TS val 4294942818 ecr 982324529], length 352
01:43:38.580957 IP 192.168.1.101.52970 > 192.168.1.10.ssh: Flags [.], ack 4304, win 4085, options [nop,nop,TS val 982324530 ecr 4294942818], length 0
As shown above, it prints every packet the host is currently exchanging. At first glance it is hard to tell what any of it is.
Let's look at the first two lines:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
It is listening on device eth0,
link-type: EN10MB
capture size: 65535 bytes
With -v or -vv you can get more detailed information.
Some of the packets are [DNS] related:
01:43:38.570289 IP 192.168.1.10.46652 > 192.168.1.6.domain: 31829+ PTR? 101.1.168.192.in-addr.arpa. (44)
01:43:38.571062 IP 192.168.1.6.domain > 192.168.1.10.46652: 31829 NXDomain* 0/1/0 (101)
01:43:38.571215 IP 192.168.1.10.45042 > 192.168.1.6.domain: 79+ PTR? 10.1.168.192.in-addr.arpa. (43)
01:43:38.571586 IP 192.168.1.6.domain > 192.168.1.10.45042: 79 NXDomain* 0/1/0 (100)
01:43:38.571873 IP 192.168.1.10.58179 > 192.168.1.6.domain: 20938+ PTR? 6.1.168.192.in-addr.arpa. (42)
The PTR queries above are tcpdump's own reverse lookups of the addresses it prints; with -n it does not resolve names and they disappear. Most of the remaining packets are ssh traffic.
root@linux-01:/root> netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1002/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 912/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 989/master
tcp 0 0 :::22 :::* LISTEN 912/sshd
tcp 0 0 ::1:25 :::* LISTEN 989/master
With nginx running, let's capture the traffic to and from nginx.
The following command shows the packets on port 80 as ASCII:
tcpdump 'host 192.168.1.10 and port 80' -A
In another terminal I sent the following request:
root@linux-01:/root> curl http://192.168.1.10
Nothing appeared.
As for the response packets from nginx running on the server 192.168.1.10:
eth0 Link encap:Ethernet HWaddr 08:00:27:FC:98:6C
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fefc:986c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4189 errors:0 dropped:0 overruns:0 frame:0
TX packets:3958 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:294798 (287.8 KiB) TX bytes:2190948 (2.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:62 errors:0 dropped:0 overruns:0 frame:0
TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6300 (6.1 KiB) TX bytes:6300 (6.1 KiB)
they travel over the loopback interface, not through eth0.
So I changed the command as follows:
tcpdump 'host 192.168.1.10 and port 80' -A -i lo
The -i option selects the capture device (interface).
Now run the request again:
root@linux-01:/root> curl http://192.168.1.10
01:59:42.678949 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [S], seq 3406512280, win 32792, options [mss 16396,sackOK,TS val 939619 ecr 0,nop,wscale 7], length 0
E..<..@.@..\...
...
...P..@.......... ....@....
..Vc........
01:59:42.678970 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [S.], seq 714252809, ack 3406512281, win 32768, options [mss 16396,sackOK,TS val 939619 ecr 939619,nop,wscale 7], length 0
E..<..@.@..W...
...
.P..*.. ..@...........@....
..Vc..Vc....
01:59:42.678984 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 1, win 257, options [nop,nop,TS val 939619 ecr 939619], length 0
E..4..@.@..c...
...
...P..@.*..
.....>.....
..Vc..Vc
01:59:42.679629 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [P.], seq 1:168, ack 1, win 257, options [nop,nop,TS val 939620 ecr 939619], length 167
E.....@.@......
...
...P..@.*..
.....2.....
..Vd..VcGET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
Host: 192.168.1.10
Accept: */*
01:59:42.679641 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [.], ack 168, win 265, options [nop,nop,TS val 939620 ecr 939620], length 0
E..4.i@.@......
...
.P..*..
..A@... .......
..Vd..Vd
01:59:42.679725 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [P.], seq 1:238, ack 168, win 265, options [nop,nop,TS val 939620 ecr 939620], length 237
E..!.j@.@......
...
.P..*..
..A@... .x.....
..Vd..VdHTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 11 Dec 2017 16:59:42 GMT
Content-Type: text/html
Content-Length: 196
Last-Modified: Sat, 09 Dec 2017 17:49:32 GMT
Connection: keep-alive
ETag: "5a2c222c-c4"
Accept-Ranges: bytes
01:59:42.679786 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [P.], seq 238:434, ack 168, win 265, options [nop,nop,TS val 939620 ecr 939620], length 196
E....k@.@../...
...
.P..*.....A@... .O.....
..Vd..Vd<html>
<body>
<H1>VideoCube Media Server</H1>
<div>
<video width="424" height="240" controls>
<source src="BigBuckBunny.mp4" type="video/mp4">
</video>
</div>
</body>
</html>
01:59:42.679805 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 238, win 265, options [nop,nop,TS val 939620 ecr 939620], length 0
E..4..@.@..a...
...
...P..A@*...... .......
..Vd..Vd
01:59:42.679809 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 434, win 273, options [nop,nop,TS val 939620 ecr 939620], length 0
E..4..@.@..`...
...
...P..A@*..............
..Vd..Vd
01:59:42.680391 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [F.], seq 168, ack 434, win 273, options [nop,nop,TS val 939621 ecr 939620], length 0
E..4..@.@.._...
...
...P..A@*..............
..Ve..Vd
01:59:42.680537 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [F.], seq 434, ack 169, win 265, options [nop,nop,TS val 939621 ecr 939621], length 0
E..4.l@.@......
...
.P..*.....AA... .......
..Ve..Ve
01:59:42.680557 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 435, win 273, options [nop,nop,TS val 939621 ecr 939621], length 0
E..4..@.@..^...
...
...P..AA*..............
..Ve..Ve
The text that was highlighted in red above (the HTTP request and response) is what you will have seen many times in Chrome's developer tools while browsing.
In the other packets you can see the whole sequence: a connection to the listening socket is made and carried through to FIN.
S   : SYN (synchronize sequence numbers; connection request)
ack : acknowledgement sent after receiving a packet from the peer
F   : FIN (the sender closes the connection; normal termination)
R   : RST (abnormal, immediate connection termination)
P   : PSH (deliver the data to the application immediately)
Urg : URG (give urgent data higher priority)
If you want to see the hex, add -X:
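To make the flag letters concrete, here is an added example (not code from the original post) that parses tcpdump's one-line summaries shown above and rebuilds each connection's state from the S, ., P, F and R flags, counting payload bytes in each direction. The input is the eleven summary lines of the curl/nginx capture above plus one constructed, unanswered SYN from 192.168.1.55 (an address made up for this example), so that a half-open connection, the pattern a defender looks for when a filtered port or a port scan shows up in a capture, can be told apart from a normally closed one.

```python
import re
from dataclasses import dataclass, field

# One-line TCP summary as printed by tcpdump without -v, e.g.
#   01:59:42.678949 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [S], seq ..., length 0
# Lines that do not match (the -A payload dumps, DNS lines, ...) are skipped.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[^\s:]+) > (?P<dst>[^\s:]+): "
    r"Flags \[(?P<flags>[^\]]*)\].*\blength (?P<length>\d+)$"
)


@dataclass
class Flow:
    """Connection state rebuilt from the flag letters S, ., P, F and R."""
    client: str                      # sender of the SYN (or of the first packet seen)
    server: str
    syn: bool = False
    syn_ack: bool = False
    handshake_done: bool = False
    fin_from: set = field(default_factory=set)
    reset: bool = False
    bytes_to_server: int = 0
    bytes_to_client: int = 0

    def state(self):
        if self.reset:
            return "reset"
        if self.syn and not self.syn_ack:
            return "half-open"        # SYN never answered: filtered port, dead host or a scan
        if len(self.fin_from) == 2:
            return "closed"           # both sides sent FIN: normal teardown
        if self.handshake_done:
            return "established"
        return "mid-stream"           # capture started after the handshake


def track_flows(lines):
    flows = {}
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        src, dst, flags, length = m["src"], m["dst"], m["flags"], int(m["length"])
        flow = flows.setdefault(frozenset((src, dst)), Flow(client=src, server=dst))
        is_ack = "." in flags
        if "S" in flags and not is_ack:
            flow.syn = True
            flow.client, flow.server = src, dst   # the SYN sender is the client
        elif "S" in flags and is_ack:
            flow.syn_ack = True
        elif is_ack and flow.syn and flow.syn_ack and not flow.handshake_done:
            flow.handshake_done = True            # third ACK completes the handshake
        if "F" in flags:
            flow.fin_from.add(src)
        if "R" in flags:
            flow.reset = True
        if src == flow.client:
            flow.bytes_to_server += length        # 'length' is the TCP payload size
        else:
            flow.bytes_to_client += length
    return list(flows.values())


def summarize(lines):
    """Map 'client -> server' to the flow's final state and byte counts."""
    return {
        f"{f.client} -> {f.server}": {
            "state": f.state(),
            "bytes_to_server": f.bytes_to_server,
            "bytes_to_client": f.bytes_to_client,
        }
        for f in track_flows(lines)
    }


# Summary lines of the curl/nginx exchange captured above, plus one constructed
# unanswered SYN (192.168.1.55 is made up) to show how a half-open connection stands out.
SAMPLE_LINES = [
    "01:59:42.678949 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [S], seq 3406512280, win 32792, options [mss 16396,sackOK,TS val 939619 ecr 0,nop,wscale 7], length 0",
    "01:59:42.678970 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [S.], seq 714252809, ack 3406512281, win 32768, options [mss 16396,sackOK,TS val 939619 ecr 939619,nop,wscale 7], length 0",
    "01:59:42.678984 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 1, win 257, options [nop,nop,TS val 939619 ecr 939619], length 0",
    "01:59:42.679629 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [P.], seq 1:168, ack 1, win 257, options [nop,nop,TS val 939620 ecr 939619], length 167",
    "01:59:42.679641 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [.], ack 168, win 265, options [nop,nop,TS val 939620 ecr 939620], length 0",
    "01:59:42.679725 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [P.], seq 1:238, ack 168, win 265, options [nop,nop,TS val 939620 ecr 939620], length 237",
    "01:59:42.679786 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [P.], seq 238:434, ack 168, win 265, options [nop,nop,TS val 939620 ecr 939620], length 196",
    "01:59:42.679805 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 238, win 265, options [nop,nop,TS val 939620 ecr 939620], length 0",
    "01:59:42.679809 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 434, win 273, options [nop,nop,TS val 939620 ecr 939620], length 0",
    "01:59:42.680391 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [F.], seq 168, ack 434, win 273, options [nop,nop,TS val 939621 ecr 939620], length 0",
    "01:59:42.680537 IP 192.168.1.10.http > 192.168.1.10.48036: Flags [F.], seq 434, ack 169, win 265, options [nop,nop,TS val 939621 ecr 939621], length 0",
    "01:59:42.680557 IP 192.168.1.10.48036 > 192.168.1.10.http: Flags [.], ack 435, win 273, options [nop,nop,TS val 939621 ecr 939621], length 0",
    "01:59:50.000000 IP 192.168.1.55.40000 > 192.168.1.10.http: Flags [S], seq 1, win 1024, length 0",
]

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LINES).items():
        print(name, info)
```

The nginx flow comes out as closed with 167 bytes sent (the GET) and 433 bytes received (237 bytes of headers plus the 196-byte body, matching Content-Length), while the constructed SYN is reported as half-open. The same loop works on `tcpdump -n` output piped in from a file, which is how you would run it over a real capture.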
root@linux-01:/root> tcpdump 'host 192.168.1.10 and port 80' -A -i lo -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
02:07:29.874355 IP 192.168.1.10.48037 > 192.168.1.10.http: Flags [S], seq 2783161163, win 32792, options [mss 16396,sackOK,TS val 1406814 ecr 0,nop,wscale 7], length 0
0x0000: 4500 003c dc15 4000 4006 db41 c0a8 010a E..<..@.@..A....
0x0010: c0a8 010a bba5 0050 a5e3 ab4b 0000 0000 .......P...K....
0x0020: a002 8018 8592 0000 0204 400c 0402 080a ..........@.....
0x0030: 0015 775e 0000 0000 0103 0307 ..w^........
02:07:29.874377 IP 192.168.1.10.http > 192.168.1.10.48037: Flags [S.], seq 1018534960, ack 2783161164, win 32768, options [mss 16396,sackOK,TS val 1406814 ecr 1406814,nop,wscale 7], length 0
0x0000: 4500 003c 0000 4000 4006 b757 c0a8 010a E..<..@.@..W....
0x0010: c0a8 010a 0050 bba5 3cb5 9c30 a5e3 ab4c .....P..<..0...L
0x0020: a012 8000 3540 0000 0204 400c 0402 080a ....5@....@.....
0x0030: 0015 775e 0015 775e 0103 0307 ..w^..w^....
02:07:29.874392 IP 192.168.1.10.48037 > 192.168.1.10.http: Flags [.], ack 1, win 257, options [nop,nop,TS val 1406814 ecr 1406814], length 0
0x0000: 4500 0034 dc16 4000 4006 db48 c0a8 010a E..4..@.@..H....
0x0010: c0a8 010a bba5 0050 a5e3 ab4c 3cb5 9c31 .......P...L<..1
0x0020: 8010 0101 1d64 0000 0101 080a 0015 775e .....d........w^
0x0030: 0015 775e ..w^
02:07:29.874878 IP 192.168.1.10.48037 > 192.168.1.10.http: Flags [P.], seq 1:168, ack 1, win 257, options [nop,nop,TS val 1406814 ecr 1406814], length 167
0x0000: 4500 00db dc17 4000 4006 daa0 c0a8 010a E.....@.@.......
0x0010: c0a8 010a bba5 0050 a5e3 ab4c 3cb5 9c31 .......P...L<..1
0x0020: 8018 0101 8432 0000 0101 080a 0015 775e .....2........w^
0x0030: 0015 775e 4745 5420 2f20 4854 5450 2f31 ..w^GET./.HTTP/1
0x0040: 2e31 0d0a 5573 6572 2d41 6765 6e74 3a20 .1..User-Agent:.
0x0050: 6375 726c 2f37 2e31 392e 3720 2878 3836 curl/7.19.7.(x86
0x0060: 5f36 342d 7265 6468 6174 2d6c 696e 7578 _64-redhat-linux
0x0070: 2d67 6e75 2920 6c69 6263 7572 6c2f 372e -gnu).libcurl/7.
0x0080: 3139 2e37 204e 5353 2f33 2e31 332e 312e 19.7.NSS/3.13.1.
0x0090: 3020 7a6c 6962 2f31 2e32 2e33 206c 6962 0.zlib/1.2.3.lib
0x00a0: 6964 6e2f 312e 3138 206c 6962 7373 6832 idn/1.18.libssh2
0x00b0: 2f31 2e32 2e32 0d0a 486f 7374 3a20 3139 /1.2.2..Host:.19
0x00c0: 322e 3136 382e 312e 3130 0d0a 4163 6365 2.168.1.10..Acce
0x00d0: 7074 3a20 2a2f 2a0d 0a0d 0a pt:.*/*....
02:07:29.874890 IP 192.168.1.10.http > 192.168.1.10.48037: Flags [.], ack 168, win 265, options [nop,nop,TS val 1406814 ecr 1406814], length 0
0x0000: 4500 0034 eb6f 4000 4006 cbef c0a8 010a E..4.o@.@.......
0x0010: c0a8 010a 0050 bba5 3cb5 9c31 a5e3 abf3 .....P..<..1....
0x0020: 8010 0109 1cb5 0000 0101 080a 0015 775e ..............w^
0x0030: 0015 775e ..w^
02:07:29.874970 IP 192.168.1.10.http > 192.168.1.10.48037: Flags [P.], seq 1:238, ack 168, win 265, options [nop,nop,TS val 1406814 ecr 1406814], length 237
0x0000: 4500 0121 eb70 4000 4006 cb01 c0a8 010a E..!.p@.@.......
0x0010: c0a8 010a 0050 bba5 3cb5 9c31 a5e3 abf3 .....P..<..1....
0x0020: 8018 0109 8478 0000 0101 080a 0015 775e .....x........w^
0x0030: 0015 775e 4854 5450 2f31 2e31 2032 3030 ..w^HTTP/1.1.200
0x0040: 204f 4b0d 0a53 6572 7665 723a 206e 6769 .OK..Server:.ngi
0x0050: 6e78 2f31 2e31 322e 320d 0a44 6174 653a nx/1.12.2..Date:
0x0060: 204d 6f6e 2c20 3131 2044 6563 2032 3031 .Mon,.11.Dec.201
0x0070: 3720 3137 3a30 373a 3239 2047 4d54 0d0a 7.17:07:29.GMT..
0x0080: 436f 6e74 656e 742d 5479 7065 3a20 7465 Content-Type:.te
0x0090: 7874 2f68 746d 6c0d 0a43 6f6e 7465 6e74 xt/html..Content
0x00a0: 2d4c 656e 6774 683a 2031 3936 0d0a 4c61 -Length:.196..La
0x00b0: 7374 2d4d 6f64 6966 6965 643a 2053 6174 st-Modified:.Sat
0x00c0: 2c20 3039 2044 6563 2032 3031 3720 3137 ,.09.Dec.2017.17
0x00d0: 3a34 393a 3332 2047 4d54 0d0a 436f 6e6e :49:32.GMT..Conn
0x00e0: 6563 7469 6f6e 3a20 6b65 6570 2d61 6c69 ection:.keep-ali
0x00f0: 7665 0d0a 4554 6167 3a20 2235 6132 6332 ve..ETag:."5a2c2
0x0100: 3232 632d 6334 220d 0a41 6363 6570 742d 22c-c4"..Accept-
0x0110: 5261 6e67 6573 3a20 6279 7465 730d 0a0d Ranges:.bytes...
0x0120: 0a .
02:07:29.875026 IP 192.168.1.10.http > 192.168.1.10.48037: Flags [P.], seq 238:434, ack 168, win 265, options [nop,nop,TS val 1406814 ecr 1406814], length 196
0x0000: 4500 00f8 eb71 4000 4006 cb29 c0a8 010a E....q@.@..)....
0x0010: c0a8 010a 0050 bba5 3cb5 9d1e a5e3 abf3 .....P..<.......
0x0020: 8018 0109 844f 0000 0101 080a 0015 775e .....O........w^
0x0030: 0015 775e 3c68 746d 6c3e 0a09 3c62 6f64 ..w^<html>..<bod
0x0040: 793e 0a09 093c 4831 3e56 6964 656f 4375 y>...<H1>VideoCu
0x0050: 6265 204d 6564 6961 2053 6572 7665 723c be.Media.Server<
0x0060: 2f48 313e 0a09 093c 6469 763e 0a09 0909 /H1>...<div>....
0x0070: 093c 7669 6465 6f20 7769 6474 683d 2234 .<video.width="4
0x0080: 3234 2220 6865 6967 6874 3d22 3234 3022 24".height="240"
0x0090: 2063 6f6e 7472 6f6c 733e 0a09 0909 0909 .controls>......
0x00a0: 3c73 6f75 7263 6520 7372 633d 2242 6967 <source.src="Big
0x00b0: 4275 636b 4275 6e6e 792e 6d70 3422 2074 BuckBunny.mp4".t
0x00c0: 7970 653d 2276 6964 656f 2f6d 7034 223e ype="video/mp4">
0x00d0: 0a09 0909 093c 2f76 6964 656f 3e0a 0909 .....</video>...
0x00e0: 3c2f 6469 763e 0a09 3c2f 626f 6479 3e0a </div>..</body>.
0x00f0: 3c2f 6874 6d6c 3e0a </html>.
02:07:29.875045 IP 192.168.1.10.48037 > 192.168.1.10.http: Flags [.], ack 238, win 265, options [nop,nop,TS val 1406814 ecr 1406814], length 0
0x0000: 4500 0034 dc18 4000 4006 db46 c0a8 010a E..4..@.@..F....
0x0010: c0a8 010a bba5 0050 a5e3 abf3 3cb5 9d1e .......P....<...
0x0020: 8010 0109 1bc8 0000 0101 080a 0015 775e ..............w^
0x0030: 0015 775e ..w^
02:07:29.875048 IP 192.168.1.10.48037 > 192.168.1.10.http: Flags [.], ack 434, win 273, options [nop,nop,TS val 1406814 ecr 1406814], length 0
0x0000: 4500 0034 dc19 4000 4006 db45 c0a8 010a E..4..@.@..E....
0x0010: c0a8 010a bba5 0050 a5e3 abf3 3cb5 9de2 .......P....<...
0x0020: 8010 0111 1afc 0000 0101 080a 0015 775e ..............w^
0x0030: 0015 775e ..w^
02:07:29.875156 IP 192.168.1.10.48037 > 192.168.1.10.http: Flags [F.], seq 168, ack 434, win 273, options [nop,nop,TS val 1406814 ecr 1406814], length 0
0x0000: 4500 0034 dc1a 4000 4006 db44 c0a8 010a E..4..@.@..D....
0x0010: c0a8 010a bba5 0050 a5e3 abf3 3cb5 9de2 .......P....<...
0x0020: 8011 0111 1afb 0000 0101 080a 0015 775e ..............w^
0x0030: 0015 775e ..w^
02:07:29.875180 IP 192.168.1.10.http > 192.168.1.10.48037: Flags [F.], seq 434, ack 169, win 265, options [nop,nop,TS val 1406814 ecr 1406814], length 0
0x0000: 4500 0034 eb72 4000 4006 cbec c0a8 010a E..4.r@.@.......
0x0010: c0a8 010a 0050 bba5 3cb5 9de2 a5e3 abf4 .....P..<.......
0x0020: 8011 0109 1b02 0000 0101 080a 0015 775e ..............w^
0x0030: 0015 775e ..w^
02:07:29.875195 IP 192.168.1.10.48037 > 192.168.1.10.http: Flags [.], ack 435, win 273, options [nop,nop,TS val 1406814 ecr 1406814], length 0
0x0000: 4500 0034 dc1b 4000 4006 db43 c0a8 010a E..4..@.@..C....
0x0010: c0a8 010a bba5 0050 a5e3 abf4 3cb5 9de3 .......P....<...
0x0020: 8010 0111 1afa 0000 0101 080a 0015 775e ..............w^
0x0030: 0015 775e ..w^
Beyond that, -c limits the number of packets captured:
tcpdump 'host 192.168.1.10 and port 80' -A -i lo -X -c 2
For more detail, add -vv:
root@linux-01:/root> tcpdump 'host 192.168.1.10 and port 80' -A -i lo -XX -vv -c 2
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
02:11:08.671252 IP (tos 0x0, ttl 64, id 7251, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.48040 > 192.168.1.10.http: Flags [S], cksum 0x8fff (correct), seq 497996383, win 32792, options [mss 16396,sackOK,TS val 1625612 ecr 0,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 1c53 4000 4006 9b04 c0a8 010a c0a8 .<.S@.@.........
0x0020: 010a bba8 0050 1dae d25f 0000 0000 a002 .....P..._......
0x0030: 8018 8fff 0000 0204 400c 0402 080a 0018 ........@.......
0x0040: ce0c 0000 0000 0103 0307 ..........
02:11:08.671272 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.http > 192.168.1.10.48040: Flags [S.], cksum 0x1c90 (correct), seq 4236028116, ack 497996384, win 32768, options [mss 16396,sackOK,TS val 1625612 ecr 1625612,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 0000 4000 4006 b757 c0a8 010a c0a8 .<..@.@..W......
0x0020: 010a 0050 bba8 fc7c a8d4 1dae d260 a012 ...P...|.....`..
0x0030: 8000 1c90 0000 0204 400c 0402 080a 0018 ........@.......
0x0040: ce0c 0018 ce0c 0103 0307 ..........
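The -XX dump contains every byte on the wire, so the fields -vv prints (tos, ttl, id, length, cksum) can be recomputed from it. The following is an added example, not code from the original post: it turns the `0x0000:` lines back into bytes, decodes the Ethernet, IPv4 and TCP headers and verifies both the IP header checksum and the TCP checksum over its pseudo-header. The two inputs are copied from the page: the SYN frame from the -vv capture just above, and the GET segment from the -N capture further down, which tcpdump labels `cksum 0x8432 (incorrect -> 0xe904)`.

```python
import re
import struct

# tcpdump -XX dump of the SYN shown above (Ethernet header included; on lo both MACs are zero).
SYN_HEXDUMP = """
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 1c53 4000 4006 9b04 c0a8 010a c0a8 .<.S@.@.........
0x0020: 010a bba8 0050 1dae d25f 0000 0000 a002 .....P..._......
0x0030: 8018 8fff 0000 0204 400c 0402 080a 0018 ........@.......
0x0040: ce0c 0000 0000 0103 0307 ..........
"""

# The GET segment from the -N capture further down, reported as cksum 0x8432 (incorrect -> 0xe904).
GET_HEXDUMP = """
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 00db 9aa5 4000 4006 1c13 c0a8 010a c0a8 ....@.@.........
0x0020: 010a bbb3 0050 14b1 f79b 5aee d804 8018 .....P....Z.....
0x0030: 0101 8432 0000 0101 080a 0023 6d3b 0023 ...2.......#m;.#
0x0040: 6d39 4745 5420 2f20 4854 5450 2f31 2e31 m9GET./.HTTP/1.1
0x0050: 0d0a 5573 6572 2d41 6765 6e74 3a20 6375 ..User-Agent:.cu
0x0060: 726c 2f37 2e31 392e 3720 2878 3836 5f36 rl/7.19.7.(x86_6
0x0070: 342d 7265 6468 6174 2d6c 696e 7578 2d67 4-redhat-linux-g
0x0080: 6e75 2920 6c69 6263 7572 6c2f 372e 3139 nu).libcurl/7.19
0x0090: 2e37 204e 5353 2f33 2e31 332e 312e 3020 .7.NSS/3.13.1.0.
0x00a0: 7a6c 6962 2f31 2e32 2e33 206c 6962 6964 zlib/1.2.3.libid
0x00b0: 6e2f 312e 3138 206c 6962 7373 6832 2f31 n/1.18.libssh2/1
0x00c0: 2e32 2e32 0d0a 486f 7374 3a20 3139 322e .2.2..Host:.192.
0x00d0: 3136 382e 312e 3130 0d0a 4163 6365 7074 168.1.10..Accept
0x00e0: 3a20 2a2f 2a0d 0a0d 0a :.*/*....
"""

HEX_TOKEN = re.compile(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}")


def parse_hexdump(text):
    """Turn '0xNNNN: hhhh hhhh ... ascii' lines back into the raw frame bytes."""
    frame = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"0x[0-9a-fA-F]{4}:", tokens[0]):
            continue
        for tok in tokens[1:]:
            if not HEX_TOKEN.fullmatch(tok):
                break                        # first non-hex token starts the ASCII column
            frame += bytes.fromhex(tok)
    return bytes(frame)


def checksum(data):
    """RFC 1071 Internet checksum; 0 when the block's stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP and verify both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]                  # total length bounds the segment, not the dump
    sport, dport, seq, ack, off_flags, win, tcp_cksum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    bits = off_flags & 0x01FF
    # same letters and order tcpdump uses: F S R P . U
    flags = "".join(ch for bit, ch in ((0x01, "F"), (0x02, "S"), (0x04, "R"),
                                        (0x08, "P"), (0x10, "."), (0x20, "U")) if bits & bit)
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))   # src, dst, zero, proto, TCP length
    return {
        "src": f"{ip4(ip[12:16])}.{sport}", "dst": f"{ip4(ip[16:20])}.{dport}",
        "tos": tos, "ttl": ttl, "id": ident, "length": total_len,
        "flags": flags, "seq": seq, "ack": ack, "win": win,
        "payload_len": len(tcp) - data_off,
        "ip_cksum_ok": checksum(ip[:ihl]) == 0,
        "tcp_cksum": tcp_cksum, "tcp_cksum_ok": checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    for name, dump in (("SYN", SYN_HEXDUMP), ("GET", GET_HEXDUMP)):
        print(name, decode_frame(parse_hexdump(dump)))
```

The SYN decodes to the same values -vv printed (ttl 64, id 7251, length 60, seq 497996383, cksum 0x8fff) with both checksums valid. The GET fails TCP checksum verification exactly as tcpdump says, and that is expected rather than corruption: on the sending host the kernel leaves the TCP checksum to the NIC (checksum offload), and over loopback it is never filled in at all, so the captured segment carries a placeholder. Treat "incorrect" checksums on locally generated traffic as an artefact; on traffic received from the network they do indicate damage.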
To suppress the timestamp, use -t:
root@linux-01:/root> tcpdump 'host 192.168.1.10 and port 80' -A -i lo -XX -vv -c 2 -t
IP (tos 0x0, ttl 64, id 15300, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.48042 > 192.168.1.10.http: Flags [S], cksum 0x6feb (correct), seq 2587635543, win 32792, options [mss 16396,sackOK,TS val 1971347 ecr 0,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 3bc4 4000 4006 7b93 c0a8 010a c0a8 .<;.@.@.{.......
0x0020: 010a bbaa 0050 9a3c 2f57 0000 0000 a002 .....P.</W......
0x0030: 8018 6feb 0000 0204 400c 0402 080a 001e ..o.....@.......
0x0040: 1493 0000 0000 0103 0307 ..........
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.http > 192.168.1.10.48042: Flags [S.], cksum 0x64b7 (correct), seq 2924890163, ack 2587635544, win 32768, options [mss 16396,sackOK,TS val 1971347 ecr 1971347,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 0000 4000 4006 b757 c0a8 010a c0a8 .<..@.@..W......
0x0020: 010a 0050 bbaa ae56 4833 9a3c 2f58 a012 ...P...VH3.</X..
0x0030: 8000 64b7 0000 0204 400c 0402 080a 001e ..d.....@.......
0x0040: 1493 001e 1493 0103 0307 ..........
To print the time as an unformatted Unix timestamp, use -tt:
root@linux-01:/root> tcpdump 'host 192.168.1.10 and port 80' -A -i lo -XX -vv -c 2 -tt
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
1513012676.302813 IP (tos 0x0, ttl 64, id 56704, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.48043 > 192.168.1.10.http: Flags [S], cksum 0x2923 (correct), seq 1119411162, win 32792, options [mss 16396,sackOK,TS val 2033242 ecr 0,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c dd80 4000 4006 d9d6 c0a8 010a c0a8 .<..@.@.........
0x0020: 010a bbab 0050 42b8 dbda 0000 0000 a002 .....PB.........
0x0030: 8018 2923 0000 0204 400c 0402 080a 001f ..)#....@.......
0x0040: 065a 0000 0000 0103 0307 .Z........
1513012676.302834 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.http > 192.168.1.10.48043: Flags [S.], cksum 0xf36d (correct), seq 1522390149, ack 1119411163, win 32768, options [mss 16396,sackOK,TS val 2033242 ecr 2033242,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 0000 4000 4006 b757 c0a8 010a c0a8 .<..@.@..W......
0x0020: 010a 0050 bbab 5abd d485 42b8 dbdb a012 ...P..Z...B.....
0x0030: 8000 f36d 0000 0204 400c 0402 080a 001f ...m....@.......
0x0040: 065a 001f 065a 0103 0307 .Z...Z....
-q prints less protocol information; the output shrinks a little:
root@linux-01:/root> tcpdump 'host 192.168.1.10 and port 80' -A -i lo -XX -vv -c 5 -tt -x -q
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
1513012819.167326 IP (tos 0x0, ttl 64, id 56556, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.48047 > 192.168.1.10.http: tcp 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c dcec 4000 4006 da6a c0a8 010a c0a8 .<..@.@..j......
0x0020: 010a bbaf 0050 b6f2 e887 0000 0000 a002 .....P..........
0x0030: 8018 7a24 0000 0204 400c 0402 080a 0021 ..z$....@......!
0x0040: 346b 0000 0000 0103 0307 4k........
1513012819.167347 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.10.http > 192.168.1.10.48047: tcp 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 0000 4000 4006 b757 c0a8 010a c0a8 .<..@.@..W......
0x0020: 010a 0050 bbaf b338 ee14 b6f2 e888 a012 ...P...8........
0x0030: 8000 a451 0000 0204 400c 0402 080a 0021 ...Q....@......!
0x0040: 346b 0021 346b 0103 0307 4k.!4k....
1513012819.167362 IP (tos 0x0, ttl 64, id 56557, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.10.48047 > 192.168.1.10.http: tcp 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0034 dced 4000 4006 da71 c0a8 010a c0a8 .4..@.@..q......
0x0020: 010a bbaf 0050 b6f2 e888 b338 ee15 8010 .....P.....8....
0x0030: 0101 8c75 0000 0101 080a 0021 346b 0021 ...u.......!4k.!
0x0040: 346b 4k
1513012819.168424 IP (tos 0x0, ttl 64, id 56558, offset 0, flags [DF], proto TCP (6), length 219)
192.168.1.10.48047 > 192.168.1.10.http: tcp 167
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 00db dcee 4000 4006 d9c9 c0a8 010a c0a8 ....@.@.........
0x0020: 010a bbaf 0050 b6f2 e888 b338 ee15 8018 .....P.....8....
0x0030: 0101 8432 0000 0101 080a 0021 346d 0021 ...2.......!4m.!
0x0040: 346b 4745 5420 2f20 4854 5450 2f31 2e31 4kGET./.HTTP/1.1
0x0050: 0d0a 5573 6572 2d41 6765 6e74 3a20 6375 ..User-Agent:.cu
0x0060: 726c 2f37 2e31 392e 3720 2878 3836 5f36 rl/7.19.7.(x86_6
0x0070: 342d 7265 6468 6174 2d6c 696e 7578 2d67 4-redhat-linux-g
0x0080: 6e75 2920 6c69 6263 7572 6c2f 372e 3139 nu).libcurl/7.19
0x0090: 2e37 204e 5353 2f33 2e31 332e 312e 3020 .7.NSS/3.13.1.0.
0x00a0: 7a6c 6962 2f31 2e32 2e33 206c 6962 6964 zlib/1.2.3.libid
0x00b0: 6e2f 312e 3138 206c 6962 7373 6832 2f31 n/1.18.libssh2/1
0x00c0: 2e32 2e32 0d0a 486f 7374 3a20 3139 322e .2.2..Host:.192.
0x00d0: 3136 382e 312e 3130 0d0a 4163 6365 7074 168.1.10..Accept
0x00e0: 3a20 2a2f 2a0d 0a0d 0a :.*/*....
1513012819.168446 IP (tos 0x0, ttl 64, id 55934, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.10.http > 192.168.1.10.48047: tcp 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0034 da7e 4000 4006 dce0 c0a8 010a c0a8 .4.~@.@.........
0x0020: 010a 0050 bbaf b338 ee15 b6f2 e92f 8010 ...P...8...../..
0x0030: 0109 8bc2 0000 0101 080a 0021 346d 0021 ...........!4m.!
0x0040: 346d 4m
To leave out the host information, use -N:
root@linux-01:/root> tcpdump 'host media.videocube.lab and port 80' -A -i lo -XX -vv -c 5 -tt -N
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
1513012964.781073 IP (tos 0x0, ttl 64, id 39587, offset 0, flags [DF], proto TCP (6), length 60)
192.48051 > 192.http: Flags [S], cksum 0xd47e (correct), seq 347207578, win 32792, options [mss 16396,sackOK,TS val 2321721 ecr 0,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 9aa3 4000 4006 1cb4 c0a8 010a c0a8 .<..@.@.........
0x0020: 010a bbb3 0050 14b1 f79a 0000 0000 a002 .....P..........
0x0030: 8018 d47e 0000 0204 400c 0402 080a 0023 ...~....@......#
0x0040: 6d39 0000 0000 0103 0307 m9........
1513012964.781093 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.http > 192.48051: Flags [S.], cksum 0x3437 (correct), seq 1525602307, ack 347207579, win 32768, options [mss 16396,sackOK,TS val 2321721 ecr 2321721,nop,wscale 7], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 003c 0000 4000 4006 b757 c0a8 010a c0a8 .<..@.@..W......
0x0020: 010a 0050 bbb3 5aee d803 14b1 f79b a012 ...P..Z.........
0x0030: 8000 3437 0000 0204 400c 0402 080a 0023 ..47....@......#
0x0040: 6d39 0023 6d39 0103 0307 m9.#m9....
1513012964.781106 IP (tos 0x0, ttl 64, id 39588, offset 0, flags [DF], proto TCP (6), length 52)
192.48051 > 192.http: Flags [.], cksum 0x1c5b (correct), seq 1, ack 1, win 257, options [nop,nop,TS val 2321721 ecr 2321721], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0034 9aa4 4000 4006 1cbb c0a8 010a c0a8 .4..@.@.........
0x0020: 010a bbb3 0050 14b1 f79b 5aee d804 8010 .....P....Z.....
0x0030: 0101 1c5b 0000 0101 080a 0023 6d39 0023 ...[.......#m9.#
0x0040: 6d39 m9
1513012964.782075 IP (tos 0x0, ttl 64, id 39589, offset 0, flags [DF], proto TCP (6), length 219)
192.48051 > 192.http: Flags [P.], cksum 0x8432 (incorrect -> 0xe904), seq 1:168, ack 1, win 257, options [nop,nop,TS val 2321723 ecr 2321721], length 167
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 00db 9aa5 4000 4006 1c13 c0a8 010a c0a8 ....@.@.........
0x0020: 010a bbb3 0050 14b1 f79b 5aee d804 8018 .....P....Z.....
0x0030: 0101 8432 0000 0101 080a 0023 6d3b 0023 ...2.......#m;.#
0x0040: 6d39 4745 5420 2f20 4854 5450 2f31 2e31 m9GET./.HTTP/1.1
0x0050: 0d0a 5573 6572 2d41 6765 6e74 3a20 6375 ..User-Agent:.cu
0x0060: 726c 2f37 2e31 392e 3720 2878 3836 5f36 rl/7.19.7.(x86_6
0x0070: 342d 7265 6468 6174 2d6c 696e 7578 2d67 4-redhat-linux-g
0x0080: 6e75 2920 6c69 6263 7572 6c2f 372e 3139 nu).libcurl/7.19
0x0090: 2e37 204e 5353 2f33 2e31 332e 312e 3020 .7.NSS/3.13.1.0.
0x00a0: 7a6c 6962 2f31 2e32 2e33 206c 6962 6964 zlib/1.2.3.libid
0x00b0: 6e2f 312e 3138 206c 6962 7373 6832 2f31 n/1.18.libssh2/1
0x00c0: 2e32 2e32 0d0a 486f 7374 3a20 3139 322e .2.2..Host:.192.
0x00d0: 3136 382e 312e 3130 0d0a 4163 6365 7074 168.1.10..Accept
0x00e0: 3a20 2a2f 2a0d 0a0d 0a :.*/*....
1513012964.782086 IP (tos 0x0, ttl 64, id 46397, offset 0, flags [DF], proto TCP (6), length 52)
192.http > 192.48051: Flags [.], cksum 0x1ba8 (correct), seq 1, ack 168, win 265, options [nop,nop,TS val 2321723 ecr 2321723], length 0
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0034 b53d 4000 4006 0222 c0a8 010a c0a8 .4.=@.@.."......
0x0020: 010a 0050 bbb3 5aee d804 14b1 f842 8010 ...P..Z......B..
0x0030: 0109 1ba8 0000 0101 080a 0023 6d3b 0023 ...........#m;.#
0x0040: 6d3b m;
5 packets captured
10 packets received by filter
0 packets dropped by kernel