traffic-analysis
安装命令
npx skills add https://github.com/chaterm/terminal-skills --skill traffic-analysis
Skill 文档
流量分析与抓包
概述
tcpdump、Wireshark、流量分析与网络诊断技能。
tcpdump
基础用法
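# Packet capture needs root (or CAP_NET_RAW, plus CAP_NET_ADMIN for
# promiscuous mode) on Linux; run via sudo or grant the capabilities.
# Listen on all interfaces
tcpdump -i any
# Specific interface
tcpdump -i eth0
# Verbose output (each extra v prints more protocol detail)
tcpdump -v
tcpdump -vv
tcpdump -vvv
# Print payload as ASCII. This shows cleartext credentials/cookies
# verbatim, so treat the terminal output and any log of it as sensitive.
tcpdump -A
# Hex + ASCII dump; -XX also includes the link-layer header
tcpdump -X
tcpdump -XX
# Do not resolve hostnames (avoids reverse-DNS lookups that slow the
# capture and leak the captured IPs to your resolver)
tcpdump -n
# Do not resolve hostnames, port or protocol names
tcpdump -nn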
过滤表达式
# Filter by host (either direction, or only as source / destination)
tcpdump host 192.168.1.100
tcpdump src host 192.168.1.100
tcpdump dst host 192.168.1.100
# Filter by network (CIDR)
tcpdump net 192.168.1.0/24
# Filter by port; portrange is inclusive
tcpdump port 80
tcpdump src port 80
tcpdump dst port 443
tcpdump portrange 8000-9000
# Filter by protocol
tcpdump tcp
tcpdump udp
tcpdump icmp
tcpdump arp
# Combined filters: single-quote the expression so the shell does not
# interpret parentheses or split it. 'not port 22' keeps your own SSH
# session out of the capture when working on a remote host.
tcpdump 'host 192.168.1.100 and port 80'
tcpdump 'src 192.168.1.100 and dst port 443'
tcpdump 'tcp and (port 80 or port 443)'
tcpdump 'not port 22'
保存与读取
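# Write raw packets to a pcap file. The file holds full payloads, so any
# cleartext credential on the wire ends up in it: write it to a
# restricted path (e.g. chmod 600), and delete it when the analysis is done.
tcpdump -w capture.pcap
tcpdump -w capture.pcap -c 1000 # stop after 1000 packets
# Read a capture back
tcpdump -r capture.pcap
tcpdump -r capture.pcap -nn
# Rotate output files: -G rotates every N seconds (the filename takes
# strftime patterns), -C rotates every N MB (a sequence number is appended).
# Without -W rotation is unbounded and will fill the disk on a long run.
tcpdump -w capture-%H%M%S.pcap -G 3600 # hourly
tcpdump -w capture-%H%M%S.pcap -G 3600 -W 24 # hourly, keep at most 24 files
tcpdump -w capture.pcap -C 100 # every 100 MB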
高级过滤
# TCP flags: tcp[tcpflags] is the flags byte. '& tcp-syn != 0' matches
# any packet with SYN set; '== tcp-syn' matches packets with ONLY SYN set.
tcpdump 'tcp[tcpflags] & tcp-syn != 0'
tcpdump 'tcp[tcpflags] & tcp-rst != 0'
tcpdump 'tcp[tcpflags] == tcp-syn'
# HTTP requests: keep port-80 segments whose TCP payload length is non-zero
# (IP total length - IP header length - TCP header length), i.e. drop bare
# ACKs and handshake packets
tcpdump -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# DNS queries over UDP (DNS over TCP, DoT and DoH are not matched)
tcpdump -i any 'udp port 53'
# Packet size: 'greater N' is at least N bytes, 'less N' is at most N bytes
tcpdump 'greater 1000'
tcpdump 'less 100'
tshark (Wireshark CLI)
基础用法
# Install (Debian/Ubuntu). The package typically asks whether non-root users
# may capture; enabling that and adding a user to the 'wireshark' group is
# equivalent to granting raw network access — do it deliberately.
apt install tshark
# Live capture
tshark -i eth0
# -f is a capture (BPF) filter, applied in-kernel before packets are stored
tshark -i eth0 -f "port 80"
# -Y is a display filter, applied after dissection (Wireshark filter syntax)
tshark -i eth0 -Y "http"
字段提取
# Print selected fields only (tab-separated by default). tcp.port yields both
# the source and destination port for a segment, comma-joined.
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port
# HTTP requests: host and URI per request
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
# DNS: queried names (the -Y filter keeps only packets carrying a query name)
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name
统计分析
# Protocol hierarchy statistics (-q suppresses the per-packet output)
tshark -r capture.pcap -q -z io,phs
# TCP conversations: packets/bytes per endpoint pair
tshark -r capture.pcap -q -z conv,tcp
# HTTP request/response tree
tshark -r capture.pcap -q -z http,tree
# Per-IP endpoint statistics
tshark -r capture.pcap -q -z endpoints,ip
ngrep
基础用法
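# Install
apt install ngrep
# Search packet payloads for a pattern; the BPF filter follows the pattern
ngrep -q 'GET' port 80
# Cleartext credential hunting. Only run this on networks you are authorised
# to monitor, and treat the output as sensitive — do not log or share it.
ngrep -q 'password' port 80
# Specific interface
ngrep -d eth0 'pattern'
# Case-insensitive match (no BPF filter here, so it matches all traffic on
# the default interface)
ngrep -qi 'error'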
iftop / nethogs
iftop
# Install
apt install iftop
# Basic usage (needs root / CAP_NET_RAW, like tcpdump)
iftop
iftop -i eth0
# Do not resolve hostnames
iftop -n
# Show ports
iftop -P
# BPF filter on the counted packets
iftop -f "dst port 80"
nethogs
# Install
apt install nethogs
# Per-process bandwidth (needs root)
nethogs
nethogs eth0
# Refresh interval in seconds
nethogs -d 2
常见场景
场景 1：HTTP 流量分析
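# Capture HTTP requests that carry a TCP payload (drops bare ACKs).
# Only port-80 cleartext is readable this way; TLS on 443 is not decodable
# here. Captured headers may contain Authorization/Cookie values — treat the
# output as sensitive.
tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# Extract request/response lines. -l line-buffers stdout so grep sees each
# line as it arrives instead of after the pipe buffer fills.
tcpdump -i any -l -A 'tcp port 80' | grep -E "^(GET|POST|HTTP|Host:|Content-)"
# Same with tshark, using dissected fields
tshark -i any -Y "http.request" -T fields -e http.host -e http.request.method -e http.request.uri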
场景 2：DNS 问题排查
# Capture DNS. -nn stops tcpdump from issuing its own reverse lookups, which
# would otherwise show up in the same capture and confuse the picture.
tcpdump -i any -nn port 53
# Verbose DNS decode (query type, answers, flags)
tcpdump -i any -vvv port 53
# tshark: queried name and A-record answers per packet
tshark -i any -Y "dns" -T fields -e dns.qry.name -e dns.a
场景 3：连接问题诊断
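# Handshake/teardown packets: any of SYN, FIN, RST set
tcpdump -i any 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
# SYN-ACK replies (second step of the handshake). A BPF flag filter cannot
# identify retransmissions — that needs per-stream sequence analysis, which
# tshark's tcp.analysis.* fields provide.
tcpdump -i any 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'
tshark -i any -Y "tcp.analysis.retransmission"
# Connection resets
tcpdump -i any 'tcp[tcpflags] & tcp-rst != 0'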
场景 4：带宽分析
# Real-time bandwidth per connection (ports shown, no name resolution)
iftop -i eth0 -P -n
# Per-process
nethogs eth0
# Throughput of captured bytes: pcap stream piped through pv (must be
# installed) and discarded. This measures what tcpdump captured, not what the
# NIC forwarded, so packets dropped by the kernel under load are not counted.
tcpdump -i eth0 -w - | pv > /dev/null
故障排查
| 问题 | 排查方法 |
|---|---|
| 丢包 | 检查 tcpdump 统计、网卡队列 |
| 延迟高 | 分析 RTT、重传 |
| 连接失败 | 检查 SYN/RST 包 |
| 带宽占用 | 使用 iftop/nethogs |
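# Kernel drop counters: tcpdump prints "packets dropped by kernel" on stderr
# when it exits, so bound the capture with -c. Stopping with Ctrl-C instead
# typically kills grep before it reads the summary, and the line is lost.
tcpdump -i eth0 -c 10000 -w /dev/null 2>&1 | grep -i drop
# NIC counters: errors and drops
ethtool -S eth0 | grep -iE 'err|drop'
cat /proc/net/dev
# Socket summary and retransmission counters
ss -s
netstat -s | grep -i retrans
nstat -az TcpRetransSegs # iproute2 equivalent where netstat is not installed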