什么是tcpdump

Tcpdump  prints  out  the  headers of packets on a network interface that match the boolean expression.

 

常用选项

-w可以将结果写入文件，而-r可以从制定文件读取数据

-c 接收指定数量的包后自动退出

-i 监听的网卡

-n 禁止将IP解析为域名

 

监听类型

Host –默认/Net/ Port

 

监听传输方向

Src/Dst/Dst or src –默认/Dst and src

 

监听传输协议

Fddi/Ip/Arp/Rarp/Tcp/Udp

 

逻辑运算符

取非运算Not或  !

与运算 and 或 &&

或运算 or 或 ||

 

具体语法

截获主机A和B或C的通信

Tcpdump host A and \(B or C\)

获取主机A除了和B之外所有的通信IP包

Tcpdump ip host A and ! B

获取主机A接收的telnet包

Tcpdump tcp port 23 dst host A

 

案例

1

通过shell自动捕获长时间运行的事务并用tcpdump跟踪

#!/bin/bash

# Begin by deleting things more than 7 days old

find /root/tcpdumps/ -type f -mtime +7 -exec rm -f '{}' \;

# Bail out if the disk is more than this %full.

PCT_THRESHOLD=95

# Bail out if the disk has less than this many MB free.

MB_THRESHOLD=100

# Make sure the disk isn't getting too full.

avail=$(df -m -P /root/tcpdumps/ | awk '/^\//{print $4}');

full=$(df -m -P /root/tcpdumps/ | awk '/^\//{print $5}' | sed -e 's/%//g');

if [ "${avail}" -le "${MB_THRESHOLD}" -o "${full}" -ge "${PCT_THRESHOLD}" ]; then

   echo "Exiting, not enough free space (${full}%, ${avail}MB free)">&2

   exit 1

fi

 

host=$(mysql -ss -e 'SELECT p.HOST FROM information_schema.innodb_lock_waits w INNER JOIN information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_id INNER JOIN information_schema.processlist p on b.trx_mysql_thread_id = p.ID LIMIT 1')

if [ "${host}" ]; then

   echo "Host ${host} is blocking"

   port=$(echo ${host} | cut -d: -f2)

   tcpdump -i eth0 -s 65535 -x -nn -q -tttt port 3306 and port ${port} > /root/tcpdumps/`date +%s`-tcpdump &

   mysql -e 'show innodb status\Gshow full processlist' > /root/tcpdumps/`date +%s`-innodbstatus

   pid=$!

   sleep 30

   kill ${pid}

fi

 

2

利用tcpdump捕获mysql运行的sql

#!/bin/bash

#this script. used montor mysql network traffic.echo sql

while(<>) { chomp; next if /^[^ ]+[ ]*$/;

  if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {

    if (defined $q) { print "$q\n"; }

    $q=$_;

  } else {

    $_ =~ s/^[ \t]+//; $q.=" $_";

  }

}'

下面是执行脚本的输出

SELECT b.id FROM module as a,rights as b where a.id=b.module_id and b.sid='179' and a.pname like 'vip/member_order_manage.php%'

SELECT count(id) as cc,sum(cash) as total from morder_stat_all  where (ymd BETWEEN '1312214400' and '1312336486') and depart_id=5 an

d order_class=2

select id,name from media where symd='0000-00-00'

select id,name from depart where s_flag=' '  and noff=1 order by sno

select id,name from plank where depart_id=5  and noff=1 order by no

select id,name from grp where plank_id=0  and noff=1 order by no

select id,CONCAT(pname,'-',name) as name from pvc order by pname

select id,CONCAT(no,'-',name) as name from local where pvc_id=0 order by no

select id,name from product_breed

select color_name from product_color where id=5

select id,name from product where id = '0'

 

 

 

可使用来wireshark图形化解析

 

来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/15480802/viewspace-757723/，如需转载，请注明出处，否则将追究法律责任。