运维自动抓包脚本

@

目录

运维自动抓包脚本

基于tcpdump命令写的抓包脚本工具

抓包解释参考:tcpdump抓包解释

抓包效果

[root@h11 ~]# sh scripts/tcpdump.sh
>>>>>>>>>>>>>>>> 欢迎使用tcpdump抓包工具 <<<<<<<<<<<<<<<<
—————————————————————————————————————————————————————————
PS2:不想设置的条件,按Enter跳过
PS1:输入-1回车,则不过滤条件直接打印结果
—————————————————————————————————————————————————————————
说明:
   Flags标识符
   [S]     # SYN(开始连接)
   [P]     # PSH(推送数据)
   [F]     # FIN(结束连接)
   [R]     # RST(重置连接)
   [.]     # 可以用来表示ACK标志位1
—————————————————————————————————————————————————————————
>>>>>>>>>>>>>>>> 本机网卡名与IP地址如下 <<<<<<<<<<<<<<<<
br-d6845e9ca2a7 192.168.32.1
docker0 192.168.0.1
eth0 10.27.158.33
eth1 116.35.0.11
lo 127.0.0.1
veth2757587
veth8627760
—————————————————————————————————————————————————————————
请输入网卡名>>>
docker0
请输入文件名>>>

是否arp(是填arp,否则回车)>>>

流入包还是流出包(in入,out出,inout全部)>>>
in
抓多少个包>>>
40
指定协议>>>
tcp
指定端口>>>
8080
稍等几秒,正在抓取...
稍等几秒,正在抓取...
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:17:10.848265 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], ack 4135455973, win 1432, options [nop,nop,TS val 2742710829 ecr 2742710829], length 0
17:17:11.039516 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [P.], seq 0:4096, ack 1, win 1432, options [nop,nop,TS val 2742711020 ecr 2742710829], length 4096: HTTP: HTTP/1.1 200 OK
17:17:11.039659 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 4096:11336, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 7240: HTTP
17:17:11.039680 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 11336:18576, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 7240: HTTP
17:17:11.039697 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 18576:28712, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 10136: HTTP
17:17:11.039700 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 28712:38848, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 10136: HTTP
17:17:11.039726 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 38848:50432, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 11584: HTTP
17:17:11.039730 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 50432:62016, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 11584: HTTP
17:17:11.039759 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [.], seq 62016:73600, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 11584: HTTP
17:17:11.039761 IP 192.168.0.7.webcache > iZuf69q6pk0vy6d5bz2fkpZ.60328: Flags [P.], seq 73600:74254, ack 1, win 1432, options [nop,nop,TS val 2742711021 ecr 2742711021], length 654: HTTP
17:17:12.341998 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [S.], seq 64182531, ack 1278531220, win 28960, options [mss 1460,sackOK,TS val 2742712323 ecr 1315369259,nop,wscale 7], length 0
17:17:12.343743 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742712325 ecr 1315369261], length 0
17:17:12.350619 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742712332 ecr 1315369261], length 842: HTTP: HTTP/1.1 200 
17:17:12.351469 IP 192.168.0.4.webcache > test.ehoo100.com.49240: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742712332 ecr 1315369268], length 0
17:17:14.229000 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [S.], seq 3202959926, ack 1054253435, win 28960, options [mss 1460,sackOK,TS val 2742714210 ecr 1315371146,nop,wscale 7], length 0
17:17:14.229372 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742714210 ecr 1315371146], length 0
17:17:14.236271 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742714217 ecr 1315371146], length 842: HTTP: HTTP/1.1 200 
17:17:14.237022 IP 192.168.0.4.webcache > test.ehoo100.com.49248: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742714218 ecr 1315371153], length 0
17:17:15.701995 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [S.], seq 2064293092, ack 832032870, win 28960, options [mss 1460,sackOK,TS val 2742715683 ecr 1315372619,nop,wscale 7], length 0
17:17:15.705772 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742715687 ecr 1315372623], length 0
17:17:15.713751 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742715695 ecr 1315372623], length 842: HTTP: HTTP/1.1 200 
17:17:15.714623 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [F.], seq 843, ack 923, win 241, options [nop,nop,TS val 2742715696 ecr 1315372631], length 0
17:17:15.714813 IP 192.168.0.4.webcache > test.ehoo100.com.49316: Flags [.], ack 924, win 241, options [nop,nop,TS val 2742715696 ecr 1315372632], length 0
17:17:17.501019 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [S.], seq 786960601, ack 148800111, win 28960, options [mss 1460,sackOK,TS val 2742717482 ecr 1315374418,nop,wscale 7], length 0
17:17:17.505759 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742717487 ecr 1315374423], length 0
17:17:17.513641 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742717495 ecr 1315374423], length 842: HTTP: HTTP/1.1 200 
17:17:17.514370 IP 192.168.0.4.webcache > test.ehoo100.com.49320: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742717495 ecr 1315374431], length 0
17:17:20.421409 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [S.], seq 2471822742, ack 700981135, win 28960, options [mss 1460,sackOK,TS val 2742720402 ecr 1315377338,nop,wscale 7], length 0
17:17:20.421864 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [.], ack 900, win 241, options [nop,nop,TS val 2742720403 ecr 1315377339], length 0
17:17:20.464331 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [P.], seq 1:825, ack 900, win 241, options [nop,nop,TS val 2742720445 ecr 1315377339], length 824: HTTP: HTTP/1.1 404 
17:17:20.464533 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [F.], seq 825, ack 900, win 241, options [nop,nop,TS val 2742720445 ecr 1315377339], length 0
17:17:20.464764 IP 192.168.0.4.webcache > test.ehoo100.com.49332: Flags [.], ack 901, win 241, options [nop,nop,TS val 2742720446 ecr 1315377382], length 0
17:17:23.141003 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [S.], seq 2651709246, ack 1905985077, win 28960, options [mss 1460,sackOK,TS val 2742723122 ecr 1315380058,nop,wscale 7], length 0
17:17:23.141428 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [.], ack 897, win 241, options [nop,nop,TS val 2742723122 ecr 1315380058], length 0
17:17:23.147550 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [P.], seq 1:843, ack 897, win 241, options [nop,nop,TS val 2742723128 ecr 1315380058], length 842: HTTP: HTTP/1.1 200 
17:17:23.148423 IP 192.168.0.4.webcache > test.ehoo100.com.49402: Flags [F.], seq 843, ack 898, win 241, options [nop,nop,TS val 2742723129 ecr 1315380065], length 0
17:17:24.762418 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [S.], seq 3174615154, ack 3246731667, win 28960, options [mss 1460,sackOK,TS val 2742724743 ecr 1315381679,nop,wscale 7], length 0
17:17:24.762846 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [.], ack 923, win 241, options [nop,nop,TS val 2742724744 ecr 1315381680], length 0
17:17:24.769061 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [P.], seq 1:843, ack 923, win 241, options [nop,nop,TS val 2742724750 ecr 1315381680], length 842: HTTP: HTTP/1.1 200 
17:17:24.769863 IP 192.168.0.4.webcache > test.ehoo100.com.49420: Flags [F.], seq 843, ack 924, win 241, options [nop,nop,TS val 2742724751 ecr 1315381686], length 0
40 packets captured
91 packets received by filter
0 packets dropped by kernel

tcpdump.sh

[root@h11 ~]# cat scripts/tcpdump.sh
#!/bin/bash
###############################################################
# 这是一个tcpdump的脚本
# 其中,各个数组作用如下
# func:用户输入的参数
# prompt:给用户的提示
# option:各个参数前面的选项
# FUNC:最后所执行的选项,也就是func和option的组合
# conditionnum:条件个数
# 如果要想添加额外条件,你需要做以下步骤
# 1、加几个条件,对应的conditionnum就加几
# 2、option加上前面相应的参数,注意后面要加上一个空格
# 3、prompt加上相应提示
# ------------------------------------------------------------
#   常用选项
#   -i       #监听哪一个网卡 any为所有网卡
#   -n       #不把ip解析成主机名
#   -nn      #不把端口解析成应用层协议
#   -c       #指定抓包的数量
#   -S       #不把随机序列和确认序列解析成绝对值
#   -w       #将流量保存到文件中,文件中的信息是无法直接查看的
#   -r       #读取文件中的内容
#   -v       #输出一个稍微详细的信息,例如在ip包中可以包括ttl和服务类型的信息
#   -vv      #输出详细的报文信息

#   Flags标识符
#   [S]     # SYN(开始连接)
#   [P]     # PSH(推送数据)
#   [F]     # FIN(结束连接)
#   [R]     # RST(重置连接)
#   [.]     # 可以用来表示ACK标志位1
#   
#   # 输出内容结构
#   时间
#   协议
#   发送方IP+端口号
#   数据流向
#   接收方IP+端口号
#   冒号
#   数据包内容:包含Flags标识符,seq号,ack号,win窗口,数据长度length
###############################################################
# 抓取网卡:any、eth0、docker0 或其他
# 抓取端口:需指定容器的内网端口,比如8886:8080,则需输入8080
###############################################################

Get_ip() {
# 先过滤网卡名称,存到数组a中
a=(`ifconfig | grep ^[a-z] | awk -F: '{print $1}'`)
# 在拿到IP地址,存到数组b中
b=(`ifconfig | grep 'inet' | sed 's/^.*inet //g' | sed 's/ *netmask.*$//g'`)
for ((i=0;i<${#a[@]};i++))
do
	echo ${a[$i]} ${b[$i]} 
done
}

Readme() {
echo "说明:
   Flags标识符
   [S]     # SYN(开始连接)
   [P]     # PSH(推送数据)
   [F]     # FIN(结束连接)
   [R]     # RST(重置连接)
   [.]     # 可以用来表示ACK标志位1"
}

Welcome() {
clear
echo ">>>>>>>>>>>>>>>> 欢迎使用tcpdump抓包工具 <<<<<<<<<<<<<<<<"
echo "—————————————————————————————————————————————————————————"
echo "PS2:不想设置的条件,按Enter跳过"
echo "PS1:输入-1回车,则不过滤条件直接打印结果"
echo "—————————————————————————————————————————————————————————"
	Readme
echo "—————————————————————————————————————————————————————————"
echo ">>>>>>>>>>>>>>>> 本机网卡名与IP地址如下 <<<<<<<<<<<<<<<<"
	Get_ip
echo "—————————————————————————————————————————————————————————"
}

Get_package() {
conditionnum=7
func=()
FUNC=()
options=('-i ' '-w ' '-b ' '-Q ' '-c ' '' 'port ')
prompt=('请输入网卡名>>>' "请输入文件名>>>" "是否arp(是填arp,否则回车)>>>" "流入包还是流出包(in入,out出,inout全部)>>>" "抓多少个包>>>" "指定协议>>>" "指定端口>>>")
 
i=0
for((; i<$conditionnum ;i++))
do
echo ${prompt[i]}
read func[i]
	if [ "${func[i]}" == "-1" ];then
		echo "稍等几秒,正在抓取..."
		break
	fi
done
 
j=0

for((; `expr "${func[j]}" != "-1"` && j < $conditionnum ;j++))
do
	if [ "${func[j]}" == '' ];then
		l=1
		echo "稍等几秒,正在抓取..."
	else
		FUNC[j]=${options[j]}${func[j]}
	fi
done
 
tcpdump ${FUNC[0]} ${FUNC[1]} ${FUNC[2]} ${FUNC[3]} ${FUNC[4]} ${FUNC[5]} ${FUNC[6]}
}

######################## 函数体调用 ########################
Welcome
Get_package
posted @ 2022-08-03 18:58  秋风お亦冷  阅读(292)  评论(0编辑  收藏  举报