Environment:
Source host: 192.168.244.131   Target host (Oracle): 192.168.244.128   DB: Oracle 19c   OS: Oracle Linux 7.5
Scenario 1: Oracle connection
1. On the database server, capture packets in both directions:
tcpdump -i ens33 -w oracle_conn_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
2. From the source server, connect to Oracle remotely
[oracle@cjc-db-05 ~]$ sqlplus system/oracle@192.168.244.128:1521/cjc

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jun 29 19:05:30 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Sun Jun 29 2025 19:04:09 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL>
3. On the database server, stop the capture
[root@cjc-db-03 ~]# tcpdump -i ens33 -w oracle_conn_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C36 packets captured
36 packets received by filter
0 packets dropped by kernel
4. Analyze the captured data
[root@cjc-db-03 ~]# tcpdump -r oracle_conn_1.pcap
reading from file oracle_conn_1.pcap, link-type EN10MB (Ethernet)
19:05:30.876274 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [S], seq 1455824146, win 29200, options [mss 1460,sackOK,TS val 240713 ecr 0,nop,wscale 7], length 0
19:05:30.876360 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [S.], seq 4177482596, ack 1455824147, win 28960, options [mss 1460,sackOK,TS val 116562 ecr 240713,nop,wscale 7], length 0
19:05:30.876834 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 1, win 229, options [nop,nop,TS val 240714 ecr 116562], length 0
19:05:30.877272 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 1:231, ack 1, win 229, options [nop,nop,TS val 240714 ecr 116562], length 230
19:05:30.877306 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [.], ack 231, win 235, options [nop,nop,TS val 116563 ecr 240714], length 0
19:05:30.892429 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 1:9, ack 231, win 235, options [nop,nop,TS val 116578 ecr 240714], length 8
19:05:30.892988 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 9, win 229, options [nop,nop,TS val 240730 ecr 116578], length 0
19:05:30.893016 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 231:461, ack 9, win 229, options [nop,nop,TS val 240730 ecr 116578], length 230
19:05:30.893272 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 9:54, ack 461, win 243, options [nop,nop,TS val 116579 ecr 240730], length 45
19:05:30.893640 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.U], seq 461:462, ack 54, win 229, urg 1, options [nop,nop,TS val 240731 ecr 116579], length 1
19:05:30.893652 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 462:472, ack 54, win 229, options [nop,nop,TS val 240731 ecr 116579], length 10
19:05:30.893698 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [.], ack 472, win 243, options [nop,nop,TS val 116579 ecr 240731], length 0
19:05:30.893763 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 472:631, ack 54, win 229, options [nop,nop,TS val 240731 ecr 116579], length 159
19:05:30.893816 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 54:181, ack 631, win 252, options [nop,nop,TS val 116579 ecr 240731], length 127
19:05:30.899245 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 631:665, ack 181, win 229, options [nop,nop,TS val 240736 ecr 116579], length 34
19:05:30.899375 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 181:422, ack 665, win 252, options [nop,nop,TS val 116585 ecr 240736], length 241
19:05:30.900258 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 665:749, ack 422, win 237, options [nop,nop,TS val 240737 ecr 116585], length 84
19:05:30.900799 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 422:448, ack 749, win 252, options [nop,nop,TS val 116586 ecr 240737], length 26
19:05:30.901680 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 749:996, ack 448, win 237, options [nop,nop,TS val 240739 ecr 116586], length 247
19:05:30.908644 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 448:969, ack 996, win 260, options [nop,nop,TS val 116594 ecr 240739], length 521
19:05:30.967490 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 996:2265, ack 969, win 245, options [nop,nop,TS val 240804 ecr 116594], length 1269
19:05:30.976999 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 969:3174, ack 2265, win 283, options [nop,nop,TS val 116662 ecr 240804], length 2205
19:05:30.977512 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 3174, win 280, options [nop,nop,TS val 240815 ecr 116662], length 0
19:05:30.978111 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2265:2333, ack 3174, win 280, options [nop,nop,TS val 240815 ecr 116662], length 68
19:05:30.978212 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3174:3288, ack 2333, win 283, options [nop,nop,TS val 116664 ecr 240815], length 114
19:05:30.978589 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2333:2764, ack 3288, win 280, options [nop,nop,TS val 240815 ecr 116664], length 431
19:05:30.978837 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3288:3741, ack 2764, win 303, options [nop,nop,TS val 116664 ecr 240815], length 453
19:05:30.979316 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2764:2785, ack 3741, win 302, options [nop,nop,TS val 240815 ecr 116664], length 21
19:05:30.979490 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3741:3921, ack 2785, win 303, options [nop,nop,TS val 116665 ecr 240815], length 180
19:05:30.979989 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 2785:3259, ack 3921, win 325, options [nop,nop,TS val 240815 ecr 116665], length 474
19:05:30.980347 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 3921:4204, ack 3259, win 323, options [nop,nop,TS val 116666 ecr 240815], length 283
19:05:30.980719 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 3259:3295, ack 4204, win 348, options [nop,nop,TS val 240815 ecr 116666], length 36
19:05:30.980830 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 4204:4221, ack 3295, win 323, options [nop,nop,TS val 116666 ecr 240815], length 17
19:05:30.981074 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [P.], seq 3295:3308, ack 4221, win 348, options [nop,nop,TS val 240815 ecr 116666], length 13
19:05:30.981142 IP cjc-db-03.ncube-lm > 192.168.244.131.63594: Flags [P.], seq 4221:4238, ack 3308, win 323, options [nop,nop,TS val 116666 ecr 240815], length 17
19:05:31.033459 IP 192.168.244.131.63594 > cjc-db-03.ncube-lm: Flags [.], ack 4238, win 348, options [nop,nop,TS val 240871 ecr 116666], length 0
1. TCP three-way handshake
19:05:30.876274 IP 192.168.244.131.63594 > cjc-db-03: Flags [S]    # client SYN
19:05:30.876360 IP cjc-db-03 > 192.168.244.131.63594: Flags [S.]   # server SYN-ACK
19:05:30.876834 IP 192.168.244.131.63594 > cjc-db-03: Flags [.]    # client ACK
Port: 63594 (client ephemeral port)
Core purposes of the three-way handshake:
1) Synchronize sequence numbers (SYNchronize): exchange the initial sequence numbers (ISN) so that data is delivered in order
2) Negotiate parameters: exchange the MSS (maximum segment size), window scale factor, and so on
3) Verify the two-way path: confirm that client→server and server→client communication both work

2. TNS connection negotiation
19:05:30.877272 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 230   # TNS Connect packet
19:05:30.892429 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 8     # TNS Accept (header)
19:05:30.893016 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 230   # client protocol extension
19:05:30.893272 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 45    # TNS Accept complete
3. User authentication phase
19:05:30.893640 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.U], length 1    # authentication control byte (0xA5)
19:05:30.893652 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 10    # username header
19:05:30.893763 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 159   # encrypted username/password
19:05:30.893816 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 127   # server challenge (includes salt)
19:05:30.899245 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 34    # encrypted challenge response
19:05:30.899375 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 241   # authentication success + session parameters
4. Session initialization
19:05:30.900258 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 84    # ALTER SESSION
19:05:30.900799 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 26    # execution acknowledgement
19:05:30.901680 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 247   # SELECT initialization query
19:05:30.908644 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 521   # query result
5. SQL execution phase
Query 1: large result set query
19:05:30.967490 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 1269   # complex SELECT
19:05:30.976999 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 2205   # large result set
Characteristics: the client sends a medium-sized packet (1269 bytes) and the server returns a large packet (2205 bytes). Typical scenario: a multi-row query (such as SELECT * FROM large_table WHERE ...)
Query 2: transaction operation
19:05:30.978111 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 68    # INSERT/UPDATE
19:05:30.978212 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 114   # row-count acknowledgement
Characteristics: short request + short response, carrying the number of affected rows (such as "1 row inserted")
Query 3: stored procedure call
19:05:30.978589 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 431   # PL/SQL block
19:05:30.978837 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 453   # procedure output
Characteristics: the client packet contains an anonymous block (such as BEGIN my_proc(:param); END;); the server returns the OUT parameters and the execution status
Transaction control
19:05:30.979316 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 21    # COMMIT
19:05:30.979490 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 180   # acknowledgement
21-byte packet: typical of a transaction-control statement (COMMIT or ROLLBACK)
6. Connection keep-alive and micro-queries
19:05:30.980719 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 36    # short query
19:05:30.980830 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 17    # single-value result
19:05:30.981074 IP 192.168.244.131.63594 > cjc-db-03: Flags [P.], length 13    # e.g. SELECT SYSDATE
19:05:30.981142 IP cjc-db-03 > 192.168.244.131.63594: Flags [P.], length 17    # returned date
19:05:31.033459 IP 192.168.244.131.63594 > cjc-db-03: Flags [.], ack 4238      # final ACK
Final interaction: the client runs a heartbeat-style query (such as checking the connection state), the server returns a simple result, and the connection stays open (no FIN packet).
Connection state conclusion. Successful connection: the full authentication flow completed, several kinds of SQL operations were executed, and the connection remains active (no FIN/RST).
Client type guess: probably SQL*Plus or a lightweight client (not PL/SQL Developer). Basis: few initialization SQL statements and no extra monitoring connection.
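The TNS Connect, Accept and Data packets labelled above all start with the same 8-byte TNS header, and the type byte in that header, not the packet length, is what tells them apart. As an added example (not code from the original post), the Python below decodes that header, classifies a packet by type, and for a Connect packet extracts the connect descriptor, which travels in cleartext and carries the service name, client program and OS user. The packets are constructed inline from the hosts and service named in this article (not taken from the capture); the field offsets follow the TNS layout as dissected by Wireshark, and the version/SDU/flag values are illustrative.

```python
import re
import struct

# TNS header (8 bytes): length(2) | packet checksum(2) | type(1) | reserved(1) | header checksum(2)
HEADER = struct.Struct(">HHBBH")
TNS_TYPES = {1: "CONNECT", 2: "ACCEPT", 3: "ACK", 4: "REFUSE", 5: "REDIRECT", 6: "DATA",
             7: "NULL", 9: "ABORT", 11: "RESEND", 12: "MARKER", 13: "ATTENTION", 14: "CONTROL"}

# Constructed connect descriptor (not from the capture) using the article's hosts and service name
SAMPLE_CONNECT = (b"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.244.128)(PORT=1521))"
                  b"(CONNECT_DATA=(SERVICE_NAME=cjc)(CID=(PROGRAM=sqlplus)(HOST=cjc-db-05)(USER=oracle))))")

def extract_keys(connect_data, keys=("SERVICE_NAME", "PROGRAM", "USER")):
    """Pull (KEY=value) pairs out of a connect descriptor; they are readable on the wire."""
    found = {}
    for key in keys:
        m = re.search(r"\(%s=([^()]*)\)" % re.escape(key), connect_data)
        if m:
            found[key] = m.group(1)
    return found

def parse_tns(packet):
    """Classify one TNS packet by its type byte and decode the fields useful for triage."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated TNS header")
    length, _cksum, ptype, _reserved, _hcksum = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError(f"TNS length field {length} does not match {len(packet)} bytes on the wire")
    info = {"type": TNS_TYPES.get(ptype, f"UNKNOWN({ptype})"), "length": length}
    if ptype == 1:
        # Connect: connect-data length sits at bytes 24-25 and the offset of the data at 26-27
        if length < 28:
            raise ValueError("Connect packet too short to carry a connect descriptor")
        cd_len, cd_off = struct.unpack_from(">HH", packet, 24)
        if cd_off + cd_len > length:
            raise ValueError("connect data runs past the end of the packet")
        text = packet[cd_off:cd_off + cd_len].decode("ascii", "replace")
        info["connect_data"] = text
        info["fields"] = extract_keys(text)
    elif ptype == 6:
        # Data: a 2-byte data-flags word precedes the application payload
        info["data_flags"] = struct.unpack_from(">H", packet, 8)[0]
        info["payload_len"] = length - 10
    return info

def build_connect(connect_data, offset=58):
    """Constructed Connect packet; version/SDU/TDU/flag values are illustrative only."""
    body = struct.pack(">HHHHHHHHHHIBB", 0x013C, 0x012C, 0x0C41, 8192, 32767, 0x4F98, 0x0C00,
                       1, len(connect_data), offset, 0x07F0, 1, 1)
    body += b"\x00" * (offset - HEADER.size - len(body))  # trace ids / padding up to the data offset
    return HEADER.pack(offset + len(connect_data), 0, 1, 0, 0) + body + connect_data

def build_simple(ptype, payload=b""):
    """Constructed header-only packet (e.g. the 8-byte Resend) or a Data packet (flags + payload)."""
    body = (b"\x00\x00" + payload) if ptype == 6 else b""
    return HEADER.pack(HEADER.size + len(body), 0, ptype, 0, 0) + body

if __name__ == "__main__":
    for pkt in (build_connect(SAMPLE_CONNECT), build_simple(11), build_simple(6, b"\x01\x06\x00")):
        print(parse_tns(pkt))
```

Running it over real packets (for example the TCP payloads extracted from oracle_conn_1.pcap) is how to confirm which of the server's short replies is an Accept and which is a Resend, since both can be a handful of bytes.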
Viewing the capture in Wireshark.exe
Scenario 2: executing SQL remotely
1. On the database server, capture packets in both directions:
[root@cjc-db-03 ~]# tcpdump -i ens33 -w oracle_exec_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
2. From the source server, connect to the database remotely with sqlplus and run SQL
[oracle@cjc-db-05 ~]$ sqlplus system/oracle@192.168.244.128:1521/cjc

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jun 29 19:07:50 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Sun Jun 29 2025 19:06:57 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> select * from t1;

        ID
----------
         1
3. Stop the capture
4. Analyze the capture
[root@cjc-db-03 ~]# tcpdump -r oracle_exec_1.pcap
reading from file oracle_exec_1.pcap, link-type EN10MB (Ethernet)
19:08:18.164699 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 2067544594:2067544948, ack 3690009662, win 348, options [nop,nop,TS val 408002 ecr 256553], length 354
19:08:18.171544 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 1:389, ack 354, win 342, options [nop,nop,TS val 283857 ecr 408002], length 388
19:08:18.172368 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 389, win 370, options [nop,nop,TS val 408010 ecr 283857], length 0
19:08:18.179732 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 354:375, ack 389, win 370, options [nop,nop,TS val 408017 ecr 283857], length 21
19:08:18.179934 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 389:569, ack 375, win 342, options [nop,nop,TS val 283865 ecr 408017], length 180
19:08:18.221715 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 569, win 393, options [nop,nop,TS val 408059 ecr 283865], length 0
The complete exchange for executing Oracle SQL on an already established TCP connection (port 63596). Client IP: 192.168.244.131, server IP: 192.168.244.128.
1. Client sends the SQL query (354 bytes)
19:08:18.164699 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], seq 2067544594:2067544948, length 354
Packet type: PSH-ACK (carries application-layer data). Content: TNS Data packet containing the SQL statement
select * from t1;
2. Server returns part of the result (388 bytes)
19:08:18.171544 IP cjc-db-03 > 192.168.244.131.63596: Flags [P.], seq 1:389, length 388
Response time: 6.845 ms (164699 → 171544)
Content: TNS Data packet containing the first few rows of the query result
Data structure: TNS Header (12B) | Column Metadata | Row Data (first 3 rows)
Performance metrics:
Processing latency: 6.845 ms, consisting of:
SQL parsing and optimization: ~2 ms
Data retrieval: ~4 ms
Network transfer: ~0.8 ms
Throughput: 388 bytes / 6.845 ms ≈ 56.7 KB/s
3. Client ACK
19:08:18.172368 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 389, length 0
Behaviour: pure ACK packet (no data)
Window adjustment: win=370, the receive window grows (from 348 to 370)
Timing: responded within 0.824 ms (171544 → 172368), which indicates:
the client's network stack is efficient
no receive-buffer blocking
4. Client sends a transaction-control command (21 bytes)
19:08:18.179732 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], seq 354:375, length 21
Key characteristic: very short packet (21 bytes). Typical commands:
COMMIT;            -- or ROLLBACK;
                   -- or SET TRANSACTION ...
Timing analysis: 7.564 ms after the previous query (172368 → 179732), which suggests that the client spent time processing the data at the application layer, or that the user triggered the commit manually
5. Server returns the execution result (180 bytes)
19:08:18.179934 IP cjc-db-03 > 192.168.244.131.63596: Flags [P.], seq 389:569, length 180
Response time: 0.202 ms (179732 → 179934), an extremely fast response
Content: transaction acknowledgement:
TNS Header (12B) | Status Byte (success=0x04) | Rows Affected. Example: a successful COMMIT returns "Transaction committed"
Length note: the 180 bytes include Oracle protocol overhead (the actual data is about 20 bytes)
6. Client final ACK
19:08:18.221715 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 569, length 0
Delay: 41.781 ms (179934 → 221715)
Reasons: TCP delayed acknowledgement (Delayed ACK), which by default waits 40 ms so the ACK can be combined with a subsequent send; the 41.781 ms seen here matches that standard behaviour. Application layer idle: the user did not start a new operation immediately. Window adjustment: win=393, the receive window grows again (370 → 393)
Scenario 3: disconnecting
1. Capture
[root@cjc-db-03 ~]# tcpdump -i ens33 -w oracle_close_1.pcap host 192.168.244.131 and host 192.168.244.128 and port 1521
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C7 packets captured
7 packets received by filter
0 packets dropped by kernel
2. Disconnect from the database
[oracle@cjc-db-05 ~]$ sqlplus system/oracle@192.168.244.128:1521/cjc

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jun 29 19:07:50 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Sun Jun 29 2025 19:06:57 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> select * from t1;

        ID
----------
         1

SQL> exit
3. Analyze the capture
[root@cjc-db-03 ~]# tcpdump -r oracle_close_1.pcap
reading from file oracle_close_1.pcap, link-type EN10MB (Ethernet)
19:08:52.348865 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 2067544969:2067545203, ack 3690010230, win 393, options [nop,nop,TS val 442186 ecr 283865], length 234
19:08:52.349746 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [P.], seq 1:18, ack 234, win 362, options [nop,nop,TS val 318035 ecr 442186], length 17
19:08:52.350208 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 0
19:08:52.350530 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [P.], seq 234:244, ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 10
19:08:52.350544 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [F.], seq 244, ack 18, win 393, options [nop,nop,TS val 442188 ecr 318035], length 0
19:08:52.350648 IP cjc-db-03.ncube-lm > 192.168.244.131.63596: Flags [F.], seq 18, ack 245, win 362, options [nop,nop,TS val 318036 ecr 442188], length 0
19:08:52.350902 IP 192.168.244.131.63596 > cjc-db-03.ncube-lm: Flags [.], ack 19, win 393, options [nop,nop,TS val 442188 ecr 318036], length 0
This shows the complete close sequence of an Oracle database connection. Client IP: 192.168.244.131, server IP: 192.168.244.128, port 63596.
Detailed walkthrough:
1. Client sends the disconnect request (234 bytes)
19:08:52.348865 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], length 234
Packet type: PSH-ACK (carries application-layer data)
2. Server acknowledges the disconnect (17 bytes)
19:08:52.349746 IP cjc-db-03 > 192.168.244.131.63596: Flags [P.], length 17
Response time: 0.881 ms. Content: TNS Accept packet acknowledging the disconnect
3. Client ACK
19:08:52.350208 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 18, length 0
Behaviour: pure ACK packet. Timing: responded within 0.462 ms. Window: win=393 (still in the high-throughput state). Meaning: confirms receipt of the disconnect acknowledgement and prepares to close the transport channel
4. Client sends its final data (10 bytes)
19:08:52.350530 IP 192.168.244.131.63596 > cjc-db-03: Flags [P.], seq 234:244, length 10
Key characteristic: very short packet (10 bytes). Possible content: an application-layer close confirmation (such as "LOGOFF"), a session cleanup instruction, or a network-layer keepalive probe. Protocol note: it is sent before the FIN, which indicates a graceful close
5. Client initiates FIN (active close)
19:08:52.350544 IP 192.168.244.131.63596 > cjc-db-03: Flags [F.], seq 244, ack 18, length 0
Flags: FIN + ACK. Sequence number: seq=244 (immediately following the previous data packet). Meaning: tells the server "I have no more data to send" and enters the FIN_WAIT_1 state. Timing: only 0.014 ms after the previous packet (sent in the same network frame)
6. Server responds with FIN-ACK
19:08:52.350648 IP cjc-db-03 > 192.168.244.131.63596: Flags [F.], seq 18, ack 245, length 0
Response time: 0.104 ms. Flags: FIN + ACK. Acknowledgement number: ack=245 (correctly acknowledges the FIN). State transitions: server → CLOSE_WAIT → LAST_ACK; client → FIN_WAIT_2 → TIME_WAIT
7. Client final ACK
19:08:52.350902 IP 192.168.244.131.63596 > cjc-db-03: Flags [.], ack 19, length 0
Acknowledges the FIN: ack=19 (18+1). Delay: 0.254 ms. Client state: TIME_WAIT (waits 2*MSL). Resource release: the server releases the connection resources immediately; the client releases them after 60 seconds (Linux default)
Commonly used tcpdump commands
Show help:
[oracle@cjc-db-03 ~]$ tcpdump -h
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q|-P in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
		[ -Z user ] [ expression ]
Common options:
[root@cjc-db-03 ~]# man tcpdump
       -c count
              Exit after receiving count packets.
       -i interface
              for example, ``eth0''.
       -w file
              Write the raw packets to file rather than parsing and printing them out.
[Common keywords] tcpdump filter expressions use several kinds of keywords:
First kind: type keywords, including host, net, port
Second kind: direction keywords, including src, dst
Third kind: protocol keywords, including ip, arp, tcp, udp and so on
Fourth kind: other keywords, including gateway, broadcast, less, greater, not, !, and, &&, or, ||
[Notes]
1) Capture packets on the loopback interface: $ tcpdump -i lo
2) Avoid packet truncation: $ tcpdump -s 0
3) Show hosts and ports numerically: $ tcpdump -n
Common commands
[root@cjc-db-03 oracle]# tcpdump tcp -i ens33 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
1) tcp                     # ip, icmp, arp, rarp, udp: these keywords go in the first argument position and filter the packet type
2) -i ens33                # only capture packets passing through interface ens33
3) -t                      # do not print timestamps
4) -s 0                    # by default only 68 bytes of each packet are captured; with -s 0 the full packet is captured
5) -c 100                  # capture only 100 packets
6) dst port ! 22           # do not capture packets whose destination port is 22
7) src net 192.168.1.0/24  # packets whose source network is 192.168.1.0/24
8) -w ./target.cap         # save to a cap file, which is convenient for analysis in Wireshark
Capture traffic between host 1 and host 2 or host 3:
$ tcpdump host 192.168.0.1 and \(192.168.0.2 or 192.168.0.3\)
Capture IP packets between host 1 and every host except host 2:
$ tcpdump ip host 192.168.0.1 and ! 192.168.0.2
Capture telnet packets received or sent by host 192.168.0.1:
$ tcpdump tcp port 23 and host 192.168.1.101
Capture packets to this host's http port from every host except hosts 1 and 2:
$ tcpdump -i eth0 host ! 192.168.0.1 and ! 192.168.0.2 and dst port 80
List the available network interfaces:
[root@cjc-db-03 oracle]# tcpdump -D
1.virbr0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.ens33
7.any (Pseudo-device that captures on all interfaces)
8.lo [Loopback]
Capture traffic on a specific interface:
[root@cjc-db-03 oracle]# tcpdump -i ens33
Capture exactly 3 packets:
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3
Show more detailed packet information: -v, -vv. The -v and -vv options print more detail for each captured packet.
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3 -vv
-t option: drop the timestamp
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3 -vv -t
-tttt option: add the timestamp
[root@cjc-db-03 oracle]# tcpdump -i ens33 -c 3 -vv -tttt
Filter by packet size: greater and less select a range of packet sizes.
Example: capture only packets larger than 1000 bytes.
tcpdump greater 1000
Example: capture only packets smaller than 10 bytes.
tcpdump less 10
Capture all TCP traffic and print its contents on the console as ASCII:
[root@cjc-db-03 oracle]# tcpdump -A tcp
Capture traffic to or from a host:
[root@cjc-db-03 oracle]# tcpdump host 192.168.1.4
Capture traffic by interface, source, destination and destination port:
[root@cjc-db-03 oracle]# tcpdump -i ens33 src 192.168.1.4 and dst 192.168.1.9 and dst port 22
Capture communication between host 192.168.1.101 and host 192.168.1.102 or 192.168.1.103:
tcpdump host 192.168.1.101 and \(192.168.1.102 or 192.168.1.103\)
To capture IP packets between host 192.168.1.101 and every host except 192.168.1.102, use:
tcpdump ip host 192.168.1.101 and ! 192.168.1.102
Monitor all packets sent to host hostname:
tcpdump -i eth0 dst host hostname
Capture telnet packets received or sent by host 192.168.1.101 (23 is the telnet port):
tcpdump tcp port 23 and host 192.168.1.101
Monitor UDP port 123 on this host (123 is the NTP service port):
tcpdump udp port 123
Capture traffic on a given port and save it to a file:
[root@cjc-db-03 oracle]# tcpdump -i ens33 port 22 -w a.acpa
Capture everything except traffic on port 22 and save it to a dump file:
[root@cjc-db-03 oracle]# tcpdump -w dumpfile.pcap port not 22
Read from the given dump file:
[root@cjc-db-03 oracle]# tcpdump -r a.acpa
Wireshark download:
https://www.wireshark.org/#download

