Tcpdump
Tcpdump is a packet sniffer and the primary network analysis tool for information security specialists. Let's walk through several practical examples of "listening in" on network traffic.
tcpdump works through the bpf (Berkeley Packet Filter) interface. If support for this device is disabled, sniffing on UNIX (and BSD) becomes impossible. Installing the utility should not cause any trouble; on Debian/Ubuntu it is done like this:
```
apt install tcpdump
```
on RedHat/CentOS:
```
yum install tcpdump
```
If you run tcpdump without any additional options, it starts capturing traffic on every network interface available in the system:
```
tcpdump
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:34:25.733424 STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.d4:ca:6d:e0:84:31.8002, length 39
16:34:25.733579 STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.d4:ca:6d:e0:83:31.8001, length 43
^C16:34:25.733861 ARP, Probe 169.254.42.136, length 46
3 packets captured
89 packets received by filter
0 packets dropped by kernel
```
Some of the most frequently used tcpdump options:
- `-i interface` - the network interface to capture packets on;
- `-n` - print IP addresses instead of host names;
- `-t` - do not print a timestamp on each line;
- `-X` - print the packet contents in ASCII and hex;
- `-v, -vv, -vvv` - increase the amount of detail printed;
- `-c N` - exit after receiving N packets;
- `-s N` - the number of bytes of each packet that tcpdump will process (the snapshot length);
- `-S` - print absolute TCP sequence numbers;
- `-q` - print minimal information (protocol name, source and destination of the packet, ports and the amount of data transferred);
- `-w file` - write the captured data in binary format to a file.
On to the examples.
- List the available network interfaces:
```
tcpdump -D
```
Command output:
```
1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.bridge0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
```
- Capture 5 packets on the network interface en0:
```
tcpdump -i en0 -c 5
```
Result:
```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:48:28.391511 IP 10.0.1.72.50241 > 239.255.255.250.ssdp: UDP, length 174
16:48:28.401952 IP 10.0.0.128.54878 > google-public-dns-a.google.com.domain: 53956+ PTR? 72.1.0.10.in-addr.arpa. (40)
16:48:28.450276 IP google-public-dns-a.google.com.domain > 10.0.0.128.54878: 53956 NXDomain 0/0/0 (40)
16:48:28.452045 IP 10.0.0.128.55520 > google-public-dns-a.google.com.domain: 34082+ PTR? 250.255.255.239.in-addr.arpa. (46)
16:48:28.498491 IP google-public-dns-a.google.com.domain > 10.0.0.128.55520: 34082 NXDomain 0/1/0 (103)
5 packets captured
11 packets received by filter
0 packets dropped by kernel
```
- Print port numbers instead of the service names assigned to them (the same command with `-nn`, which also disables host name resolution):
```
tcpdump -i en0 -c 5 -nn
```
Result:
```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:50:50.933442 IP 10.0.0.92.5353 > 224.0.0.251.5353: 0 AAAA (QM)? EPSON-655-3fl.local. (37)
16:50:50.933690 IP6 fe80::148c:40ea:542c:2d8c.5353 > ff02::fb.5353: 0 AAAA (QM)? EPSON-655-3fl.local. (37)
16:50:50.934342 IP 10.0.0.237.2048 > 239.255.255.250.1900: UDP, length 101
16:50:51.138480 48:3b:38:2e:b9:12 > ff:ff:ff:ff:ff:ff Null Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 42
16:50:51.659581 IP 93.158.134.119.443 > 10.0.0.128.51991: Flags [P.], seq 481586204:481586235, ack 4042079405, win 147, options [nop,nop,TS val 1448581989 ecr 1232876532], length 31
5 packets captured
10 packets received by filter
0 packets dropped by kernel
```
- Packets on all interfaces whose destination port is 53:
```
tcpdump dst port 53
```
Result:
```
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
16:59:30.701385 IP 10.0.0.128.rockwell-csp2 > google-public-dns-a.google.com.domain: 38769+ A? clients4.google.com. (37)
16:59:30.707188 IP 10.0.0.128.49702 > google-public-dns-a.google.com.domain: 904+ PTR? 128.0.0.10.in-addr.arpa. (41)
16:59:38.394251 IP 10.0.0.128.33399 > google-public-dns-a.google.com.domain: 52728+ A? www.linkedin.com. (34)
16:59:39.167025 IP 10.0.0.128.neto-wol-server > google-public-dns-a.google.com.domain: 13145+ A? static.licdn.com. (34)
...
```
- Packets on all interfaces and all ports except 53:
```
tcpdump not port 53
```
Result:
```
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
17:02:36.066118 IP 10.0.1.50.mdns > 224.0.0.251.mdns: 0 [2n] [1au] ANY (QM)? Apple-TV.local. (105)
17:02:36.066457 IP6 apple-tv.local.mdns > ff02::fb.mdns: 0 [2n] [1au] ANY (QM)? Apple-TV.local. (105)
17:02:36.168069 IP 10.0.1.199.mdns > 224.0.0.251.mdns: 0 [1a] A (QM)? EPSON-655-3fl.local. (53)
17:02:36.168076 ARP, Probe 169.254.137.194, length 46
17:02:36.168433 IP 10.0.0.195.mdns > 224.0.0.251.mdns: 0 [1a] A (QM)? EPSON-655-3fl.local. (53)
17:02:36.168968 IP 10.0.0.75.56487 > 239.255.255.250.ssdp: UDP, length 174
17:02:36.312474 IP 10.0.0.128.mdns > 224.0.0.251.mdns: 0 PTR (QU)? 194.137.254.169.in-addr.arpa. (46)
17:02:36.312525 IP6 ealebed-macbook.local.mdns > ff02::fb.mdns: 0 PTR (QU)? 194.137.254.169.in-addr.arpa. (46)
17:02:36.373393 IP 10.0.0.110.mdns > 224.0.0.251.mdns: 0 [1a] A (QM)? EPSON-655-3fl.local. (53)
17:02:36.475371 IP 10.0.1.50.mdns > 224.0.0.251.mdns: 0 [2n] [1au] ANY (QM)? Apple-TV.local. (105)
17:02:36.475793 IP6 apple-tv.local.mdns > ff02::fb.mdns: 0 [2n] [1au] ANY (QM)? Apple-TV.local. (105)
17:02:36.476560 IP6 apple-tv.local.mdns > ff02::fb.mdns: 0*- [0q] 1/0/1 PTR 70-35-60-63.1 Apple TV._sleep-proxy._udp.local. (101)
17:02:36.476563 ARP, Probe 169.254.137.194, length 46
17:02:36.782405 IP 10.0.1.50.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/2 (Cache flush) AAAA fe80::1001:93a7:a8fe:7374, (Cache flush) A 10.0.1.50 (119)
17:02:36.782823 IP6 apple-tv.local.mdns > ff02::fb.mdns: 0*- [0q] 2/0/2 (Cache flush) AAAA fe80::1001:93a7:a8fe:7374, (Cache flush) A 10.0.1.50 (119)
...
```
- Packets sent over the icmp protocol (run `ping 8.8.8.8` in a second console):
```
tcpdump -i en0 -c 5 -nn icmp
```
Result:
```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:05:06.344119 IP 10.0.0.128 > 8.8.8.8: ICMP echo request, id 54073, seq 0, length 64
17:05:06.394107 IP 8.8.8.8 > 10.0.0.128: ICMP echo reply, id 54073, seq 0, length 64
17:05:07.348516 IP 10.0.0.128 > 8.8.8.8: ICMP echo request, id 54073, seq 1, length 64
17:05:07.397421 IP 8.8.8.8 > 10.0.0.128: ICMP echo reply, id 54073, seq 1, length 64
17:05:08.352231 IP 10.0.0.128 > 8.8.8.8: ICMP echo request, id 54073, seq 2, length 64
5 packets captured
425 packets received by filter
0 packets dropped by kernel
```
- Write the captured packets to a file for later analysis (`-s 0` captures each packet in full):
```
tcpdump -i en0 -c 5 -nn tcp -w packets-record.cap -s 0
```
The packets themselves go to the file; on the console we only see:
```
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
44 packets received by filter
0 packets dropped by kernel
```
- Read the data back from the file:
```
tcpdump -r packets-record.cap
```
Result:
```
reading from file packets-record.cap, link-type EN10MB (Ethernet)
17:08:21.821325 IP 10.0.0.128.51852 > ec2-107-23-203-104.compute-1.amazonaws.com.https: Flags [P.], seq 601162185:601162473, ack 2264508809, win 4096, options [nop,nop,TS val 1233987441 ecr 638699261], length 288
17:08:21.979792 IP ec2-107-23-203-104.compute-1.amazonaws.com.https > 10.0.0.128.51852: Flags [.], ack 288, win 422, options [nop,nop,TS val 638702514 ecr 1233987441], length 0
17:08:21.979796 IP ec2-107-23-203-104.compute-1.amazonaws.com.https > 10.0.0.128.51852: Flags [P.], seq 1:326, ack 288, win 422, options [nop,nop,TS val 638702514 ecr 1233987441], length 325
17:08:21.979868 IP 10.0.0.128.51852 > ec2-107-23-203-104.compute-1.amazonaws.com.https: Flags [.], ack 326, win 4085, options [nop,nop,TS val 1233987599 ecr 638702514], length 0
17:08:22.697706 IP s167i.storage.yandex.net.https > 10.0.0.128.52124: Flags [.], ack 246357771, win 12, options [nop,nop,TS val 663985568 ecr 1233984018], length 0
```
- More detailed information about the packets (-tttt prints a full date and time stamp, -nn turns off both host-name and port-name resolution, -vv adds the IP header fields and checksum verification, -S prints absolute TCP sequence numbers):

tcpdump -i en0 -c 5 -ttttnnvvS

Result:

tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-09-14 17:10:21.273159 IP (tos 0x0, ttl 2, id 21387, offset 0, flags [DF], proto UDP (17), length 160)
    10.0.1.63.42699 > 239.255.255.250.1900: [udp sum ok] UDP, length 132
2018-09-14 17:10:21.886917 STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.d4:ca:6d:e0:84:31.8002, length 39
    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
    root-id 8000.d4:ca:6d:e0:84:31, root-pathcost 0, port-role Designated
2018-09-14 17:10:21.886926 STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.d4:ca:6d:e0:83:31.8001, length 43
    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
    root-id 8000.d4:ca:6d:e0:83:31, root-pathcost 0, port-role Designated
2018-09-14 17:10:22.091541 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.1.126 tell 10.0.0.222, length 46
2018-09-14 17:10:22.296521 IP (tos 0x0, ttl 2, id 21580, offset 0, flags [DF], proto UDP (17), length 161)
    10.0.1.63.42699 > 239.255.255.250.1900: [udp sum ok] UDP, length 133
5 packets captured
5 packets received by filter
0 packets dropped by kernel
- Packets received from a specific IP address:

tcpdump -i en0 -c 5 -ttttnnvvS src host 8.8.8.8

Result:

tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-09-14 17:14:29.214585 IP (tos 0x0, ttl 108, id 51066, offset 0, flags [none], proto UDP (17), length 118)
    8.8.8.8.53 > 10.0.0.128.20936: [udp sum ok] 45411 q: A? chatenabled.mail.google.com. 2/0/0 chatenabled.mail.google.com. CNAME b.googlemail.l.google.com., b.googlemail.l.google.com. A 172.217.16.7 (90)
2018-09-14 17:15:00.959303 IP (tos 0x0, ttl 45, id 20470, offset 0, flags [none], proto UDP (17), length 102)
    8.8.8.8.53 > 10.0.0.128.61834: [udp sum ok] 32755 q: A? contacts.google.com. 2/0/0 contacts.google.com. CNAME plus.l.google.com., plus.l.google.com. A 172.217.16.14 (74)
2018-09-14 17:15:01.030383 IP (tos 0x0, ttl 108, id 63166, offset 0, flags [none], proto UDP (17), length 132)
    8.8.8.8.53 > 10.0.0.128.61171: [udp sum ok] 9697 q: A? static-asm-skype.trafficmanager.net. 2/0/0 static-asm-skype.trafficmanager.net. CNAME neu1-authgw.cloudapp.net., neu1-authgw.cloudapp.net. A 52.178.207.179 (104)
2018-09-14 17:15:01.545424 IP (tos 0x0, ttl 45, id 26902, offset 0, flags [none], proto UDP (17), length 152)
    8.8.8.8.53 > 10.0.0.128.65448: [udp sum ok] 3071 q: A? 1180c.ec.azureedge.net. 3/0/0 1180c.ec.azureedge.net. CNAME lb.apr-1180c.edgecastdns.net., lb.apr-1180c.edgecastdns.net. CNAME cs10.wpc.v0cdn.net., cs10.wpc.v0cdn.net. A 68.232.34.200 (124)
2018-09-14 17:15:02.933648 IP (tos 0x0, ttl 108, id 56826, offset 0, flags [none], proto UDP (17), length 102)
    8.8.8.8.53 > 10.0.0.128.11992: [udp sum ok] 46837 q: A? flant.ru. 3/0/0 flant.ru. A 46.4.70.143, flant.ru. A 88.99.236.188, flant.ru. A 176.9.67.92 (74)
5 packets captured
1099 packets received by filter
0 packets dropped by kernel
- Packets sent to a specific IP address:

tcpdump -i en0 -c 5 -ttttnnvvS dst host 8.8.8.8

Result:

tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-09-14 17:17:31.501414 IP (tos 0x0, ttl 255, id 10013, offset 0, flags [none], proto UDP (17), length 80)
    10.0.0.128.57664 > 8.8.8.8.53: [udp sum ok] 14939+ A? gs-loc-new.ls-apple.com.akadns.net. (52)
2018-09-14 17:17:32.490921 IP (tos 0x0, ttl 64, id 52451, offset 0, flags [none], proto UDP (17), length 68)
    10.0.0.128.43217 > 8.8.8.8.53: [udp sum ok] 6632+ A? storage.mds.yandex.net. (40)
2018-09-14 17:17:32.767095 IP (tos 0x0, ttl 64, id 49578, offset 0, flags [none], proto UDP (17), length 68)
    10.0.0.128.55720 > 8.8.8.8.53: [udp sum ok] 3143+ A? storage.mds.yandex.net. (40)
2018-09-14 17:17:33.769442 IP (tos 0x0, ttl 64, id 50447, offset 0, flags [none], proto ICMP (1), length 56)
    10.0.0.128 > 8.8.8.8: ICMP 10.0.0.128 udp port 55720 unreachable, length 36
    IP (tos 0x0, ttl 45, id 17556, offset 0, flags [none], proto UDP (17), length 84)
    8.8.8.8.53 > 10.0.0.128.55720: [no cksum] [|domain]
2018-09-14 17:17:34.438324 IP (tos 0x0, ttl 64, id 43433, offset 0, flags [none], proto UDP (17), length 71)
    10.0.0.128.51895 > 8.8.8.8.53: [udp sum ok] 55021+ A? s23vla.storage.yandex.net. (43)
5 packets captured
244 packets received by filter
0 packets dropped by kernel

Note that the fourth packet is not a DNS query but an ICMP "port unreachable" message that 10.0.0.128 sent back to 8.8.8.8: the reply to the query from port 55720 arrived when nothing was listening on that port any more (the query had already been repeated from port 43217). The dst host 8.8.8.8 filter still matches it, because it only looks at the outer IP header, which is addressed to 8.8.8.8; the DNS reply it quotes is visible only because -vv decodes the embedded datagram.
- Packets (incoming and outgoing) to or from a specific host:

tcpdump -i en0 -c 5 -ttttnnvvS host 8.8.8.8

Result:

tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-09-14 17:27:27.825506 IP (tos 0x0, ttl 64, id 25419, offset 0, flags [none], proto UDP (17), length 61)
    10.0.0.128.22110 > 8.8.8.8.53: [udp sum ok] 55278+ A? ssl.gstatic.com. (33)
2018-09-14 17:27:27.871838 IP (tos 0x0, ttl 45, id 50798, offset 0, flags [none], proto UDP (17), length 77)
    8.8.8.8.53 > 10.0.0.128.22110: [udp sum ok] 55278 q: A? ssl.gstatic.com. 1/0/0 ssl.gstatic.com. A 172.217.16.3 (49)
2018-09-14 17:27:33.255311 IP (tos 0x0, ttl 255, id 22154, offset 0, flags [none], proto UDP (17), length 80)
    10.0.0.128.55402 > 8.8.8.8.53: [udp sum ok] 19893+ A? gs-loc-new.ls-apple.com.akadns.net. (52)
2018-09-14 17:27:34.089989 IP (tos 0x0, ttl 108, id 40535, offset 0, flags [none], proto UDP (17), length 133)
    8.8.8.8.53 > 10.0.0.128.55402: [udp sum ok] 19893 q: A? gs-loc-new.ls-apple.com.akadns.net. 3/0/0 gs-loc-new.ls-apple.com.akadns.net. CNAME gs-loc.ls-apple.com.akadns.net., gs-loc.ls-apple.com.akadns.net. A 17.134.127.223, gs-loc.ls-apple.com.akadns.net. A 17.134.126.34 (105)
2018-09-14 17:27:43.508417 IP (tos 0x0, ttl 64, id 63649, offset 0, flags [none], proto UDP (17), length 69)
    10.0.0.128.49142 > 8.8.8.8.53: [udp sum ok] 11740+ A? pollserver.lastpass.com. (41)
5 packets captured
504 packets received by filter
0 packets dropped by kernel
- Packets on a specific port range:
tcpdump -i en0 -c 5 -nns 0 portrange 80-443
Result:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:53.147192 IP 10.0.0.73.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.147923 IP 10.0.2.164.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.247888 IP 10.0.1.62.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.248148 IP 10.0.0.111.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.249846 IP 10.0.0.179.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
5 packets captured
13 packets received by filter
0 packets dropped by kernel
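As an added example (not code from the original post), here is a small Python audit of a capture like the one above: it parses tcpdump's default one-line summary and re-applies the `portrange` semantics to confirm what the filter admitted, which makes clear why NetBIOS name-service packets on port 137 appear under `portrange 80-443`. The sample lines are constructed from the output above plus one extra port-8080 line, and the regex covers only the default IPv4 one-line format, not `-v` multi-line output.

```python
import re
from collections import Counter

# tcpdump's default one-line IPv4 summary: HH:MM:SS.usec IP src.sport > dst.dport: info
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)

# Constructed sample: the 'portrange 80-443' capture shown above, plus one
# extra line on port 8080 that such a filter could never have admitted.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:53.147192 IP 10.0.0.73.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.147923 IP 10.0.2.164.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.247888 IP 10.0.1.62.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.248148 IP 10.0.0.111.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:53.249846 IP 10.0.0.179.137 > 10.0.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:29:54.000001 IP 10.0.0.5.51000 > 10.0.0.9.8080: Flags [S], seq 1, win 65535, length 0
5 packets captured
13 packets received by filter
0 packets dropped by kernel
"""

def parse(text):
    """Return one dict per packet line; tcpdump's status lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts

def matches_portrange(pkt, lo, hi):
    """Semantics of the BPF primitive 'portrange lo-hi': true when either the
    source or destination port is in the inclusive range. That is why NetBIOS
    port 137 appears under 'portrange 80-443'; 'port 80 or port 443' would not."""
    return lo <= pkt["sport"] <= hi or lo <= pkt["dport"] <= hi

def audit(text, lo, hi):
    """Count admitted packets per destination port and list any the filter
    should not have passed, so a saved capture can be sanity-checked."""
    pkts = parse(text)
    admitted = Counter(p["dport"] for p in pkts if matches_portrange(p, lo, hi))
    rejected = [p for p in pkts if not matches_portrange(p, lo, hi)]
    return admitted, rejected
```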
More information on using this utility can be found here and here.