This page describes an example of using tcpdump to analyze the traffic of an IP phone passing through a bridge made of two network cards.
To use tcpdump you first need the names of the network cards on which the traffic will be watched:

    # ifconfig

In the output of this command the interface names are in the left column. Mine were called bde0 (a Broadcom NIC) and rl0 (a NIC on the Realtek 8139 chip).

This is how you watch all connections passing, for example, through the rl0 card (well-known ports will be shown by name rather than number):

    # tcpdump -i rl0

And this shows all connections of the device with MAC address 00:0a:e4:75:a1:9e; in my case it was an IP phone with IP loc1.loc2.2.164 that I connected through the bridge (the -n option disables substituting names for IP addresses and ports):

    # tcpdump -n ether host 00:0a:e4:75:a1:9e

Example tcpdump output:

    ;IP-phone initialization - after power-on it looks for the station
    15:52:35.213243 arp who-has 192.168.100.101 tell 192.168.100.101
    15:52:48.319508 arp who-has loc1.loc2.2.164 tell 0.0.0.0
    15:52:48.821464 arp who-has loc1.loc2.2.164 tell loc1.loc2.2.164
    15:52:50.888930 arp who-has loc1.loc2.0.56 tell loc1.loc2.2.164
    15:52:50.889096 arp reply loc1.loc2.0.56 is-at 00:02:b3:ef:d4:95
    15:52:50.889826 IP loc1.loc2.2.164.5000 > loc1.loc2.0.56.4100: UDP, length: 13
    15:52:50.890461 IP loc1.loc2.0.56.4100 > loc1.loc2.2.164.5000: UDP, length: 6
    15:52:50.892892 IP loc1.loc2.2.164.5000 > loc1.loc2.0.56.4100: UDP, length: 13
    15:52:50.893059 IP loc1.loc2.0.56.4100 > loc1.loc2.2.164.5000: UDP, length: 6
    15:52:50.893216 IP loc1.loc2.0.56.4100 > loc1.loc2.2.164.5000: UDP, length: 10
    15:52:50.896602 IP loc1.loc2.2.164.5000 > loc1.loc2.0.56.4100: UDP, length: 10
    ...
    15:52:54.720344 IP loc1.loc2.0.163.7300 > loc1.loc2.2.164.5000: UDP, length: 9
    15:52:54.728703 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.7300: UDP, length: 10
    15:52:54.729529 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.7300: UDP, length: 15
    15:52:54.729696 IP loc1.loc2.0.163.7300 > loc1.loc2.2.164.5000: UDP, length: 6
    15:52:54.729852 IP loc1.loc2.0.163.7300 > loc1.loc2.2.164.5000: UDP, length: 10
    15:52:54.738703 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.7300: UDP, length: 10
    15:52:54.739526 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.7300: UDP, length: 20
    15:52:54.739694 IP loc1.loc2.0.163.7300 > loc1.loc2.2.164.5000: UDP, length: 6
    15:52:54.739850 IP loc1.loc2.0.163.7300 > loc1.loc2.2.164.5000: UDP, length: 11
    15:52:54.739854 IP loc1.loc2.0.163.7300 > loc1.loc2.2.164.5000: UDP, length: 10
    ...
    ;call to an ordinary (non-IP) Nortel phone
    15:55:19.786602 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 13
    15:55:19.786859 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 6
    15:55:19.811359 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 20
    15:55:19.811363 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 14
    15:55:19.811367 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 12
    15:55:19.811516 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 12
    15:55:19.811673 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 11
    15:55:19.811677 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 10
    15:55:19.811836 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 11
    15:55:19.811841 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 15
    15:55:19.811987 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 9
    15:55:19.811991 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 15
    15:55:19.818512 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:19.818679 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 9
    15:55:19.820128 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:19.820294 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 11
    15:55:19.821007 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:19.821175 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 11
    15:55:19.822621 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:19.822788 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 12
    15:55:19.824382 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    ...
    15:55:26.635539 arp reply loc1.loc2.2.164 is-at 00:0a:e4:75:a1:9e
    ...
    15:55:26.674454 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 14
    15:55:26.674621 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 6
    15:55:26.706303 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.716292 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.726281 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.736271 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.746259 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.756248 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.766237 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.776381 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.786370 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.796358 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.806347 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.816336 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.826324 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.836469 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.846457 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.856446 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.866435 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.876423 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.886412 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.896245 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.906389 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.916377 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.924265 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.926308 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.934205 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.936249 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.944390 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.946434 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.954026 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.956382 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.963873 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.966384 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.973866 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.976379 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.984030 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.986386 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    15:55:26.993891 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:26.996403 IP loc1.loc2.0.139.5204 > loc1.loc2.2.164.5200: UDP, length: 92
    ...
    15:55:29.559781 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 11
    15:55:29.559785 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 15
    15:55:29.564248 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.565198 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.569548 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.569714 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 9
    15:55:29.571076 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.571243 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 15
    15:55:29.571957 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.572123 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 9
    15:55:29.573899 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.574848 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.574928 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.575095 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 11
    15:55:29.576467 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.577077 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.578112 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.579007 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.580104 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.580778 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.581395 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.582016 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.582620 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.584006 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.584691 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:29.584800 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.586612 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 184
    15:55:29.586831 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 6
    15:55:29.594894 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.595844 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.604611 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.605405 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.613963 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.614757 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.624089 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.625039 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.634108 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.635057 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.644375 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.645169 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.654508 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.655302 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.664278 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.665072 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.673981 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.674774 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:29.683871 IP loc1.loc2.2.164.5200 > loc1.loc2.0.139.5204: UDP, length: 92
    15:55:29.684664 IP loc1.loc2.0.139 > loc1.loc2.2.164: icmp 36: loc1.loc2.0.139 udp port 5204 unreachable
    15:55:30.517564 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 13
    15:55:30.517731 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 6
    15:55:30.542075 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 11
    15:55:30.542079 IP loc1.loc2.0.163.5100 > loc1.loc2.2.164.5000: UDP, length: 12
    15:55:30.546213 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    15:55:30.546842 IP loc1.loc2.2.164.5000 > loc1.loc2.0.163.5100: UDP, length: 10
    ;end of call

More tcpdump usage

    -n               disables name lookups for IP addresses and port numbers
    -F file          reads the filter expression from a file (example filter-file contents:
                     host loc1.loc2.2.164 or host 10.80.82.10 or host 10.80.82.1 or host 10.80.82.2 or host 10.80.82.3)
    -i eth1          sets the name of the interface that will capture; eth1 may have no IP address
    -w -             binary output (-w) to the console (-)
    -l               just line-buffers the output to the console (only connections with addresses and ports are printed)
    | tee outfile.txt  writes everything that went to the console into a file as well

    # tcpdump -n -F filt01.txt -i eth1 -w - | tee outfile.txt

This line takes the filter from the file and provides simultaneous output to the console and to a file of the connections with IP addresses and port numbers.

    # tcpdump -n -F filt02.txt -i eth1 -l | tee outfile.txt

This line takes the filter from the file and provides simultaneous output to the console and to a file of the RAW data (it is not lost and not re-encoded).

    # tcpdump 'host 10.80.80.100 and udp' -n -i eth1 -l | tee outfile.txt

Collects only the connections of 10.80.80.100 over UDP.

    # tcpdump 'host 10.80.80.100 and udp port 5000' -n -i eth1 -l | tee outfile.txt

Collects only the connections of 10.80.80.100 over UDP port 5000 (port 5000 is the outgoing port for 10.80.80.100).

See also traffic analysis with tethereal.
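As an added example (not code from the original page), here is a small Python parser for the text lines that `tcpdump -n -l` prints in the format of the capture above: it sums up each UDP flow and flags the flows whose receiver answered with ICMP `udp port unreachable`, which in the capture above is the 92-byte voice stream to port 5204 that keeps going after the call was torn down. The sample input is constructed with documentation addresses (192.0.2.x), not the page's hosts.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the capture above (documentation addresses, not the page's)
SAMPLE = """\
15:55:26.706303 IP 192.0.2.139.5204 > 192.0.2.164.5200: UDP, length: 92
15:55:26.924265 IP 192.0.2.164.5200 > 192.0.2.139.5204: UDP, length: 92
15:55:29.564248 IP 192.0.2.164.5200 > 192.0.2.139.5204: UDP, length: 92
15:55:29.565198 IP 192.0.2.139 > 192.0.2.164: icmp 36: 192.0.2.139 udp port 5204 unreachable
15:55:29.569548 IP 192.0.2.164.5000 > 192.0.2.163.5100: UDP, length: 10
15:55:29.569714 IP 192.0.2.163.5100 > 192.0.2.164.5000: UDP, length: 9
...
"""

UDP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length: (?P<length>\d+)$")
ICMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): icmp \d+: "
                     r"(?P<host>\S+) udp port (?P<port>\d+) unreachable$")

def parse_line(line):
    """Parse one `tcpdump -n` text line; ARP, '...' and ';' comments give None."""
    if m := UDP_RE.match(line.strip()):
        return {"kind": "udp", "src": m["src"], "dst": m["dst"], "sport": int(m["sport"]),
                "dport": int(m["dport"]), "length": int(m["length"])}
    if m := ICMP_RE.match(line.strip()):
        return {"kind": "unreach", "src": m["src"], "dst": m["dst"], "port": int(m["port"])}
    return None

def summarize(text):
    """Per UDP flow (src, sport, dst, dport): packets, bytes, ICMP unreachables."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "unreachable": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "udp":
            f = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])]
            f["packets"] += 1
            f["bytes"] += rec["length"]
        else:
            # ICMP comes from the closed-port host (src) back to the sender (dst)
            for (src, _sport, dst, dport), f in flows.items():
                if src == rec["dst"] and dst == rec["src"] and dport == rec["port"]:
                    f["unreachable"] += 1
    return dict(flows)

def dead_flows(text):
    """Flows still being sent to a port the far end has reported closed."""
    return sorted(k for k, f in summarize(text).items() if f["unreachable"])
```

Feed it the file written by `tee` and `dead_flows` lists the media streams that outlived their call, a quick way to spot one-way audio or a teardown race without opening the capture by hand.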