Linux 如何捕获远程系统网络流量?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19597903/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to Capture Remote System network traffic?
提问by Bhanu Hoysala
I have been using wire-shark to analyse the packets of socket programs, Now i want to see the traffic of other hosts traffic, as i found that i need to use monitor mode that is only supported in Linux platform, so i tried but i couldn't capture any packets that is transferred in my network, listing as 0 packets captured.
我一直在用wire-shark来分析socket程序的包,现在想看其他主机的流量,因为我发现我需要使用Linux平台才支持的监控模式,所以我尝试了,但我无法捕获在我的网络中传输的任何数据包,列为捕获的 0 个数据包。
Scenario:
设想:
I'm having a network consisting of 50+ hosts (all are powered by windows Except mine), my IP address is 192.168.1.10, when i initiate a communication between any 192.168.1.xx it showing the captured traffic. But my requirement is to monitor the traffic of 192.168.1.21 b/w 192.168.1.22 from my host i,e. from 192.168.1.10.
我有一个由 50 多台主机组成的网络(除我的外,所有主机都由 Windows 提供支持),我的 IP 地址是 192.168.1.10,当我在任何 192.168.1.xx 之间发起通信时,它会显示捕获的流量。但我的要求是监控来自我的主机的 192.168.1.21 b/w 192.168.1.22 的流量,即 从 192.168.1.10。
1: is it possible to capture the traffic as i mentioned?
1:是否可以像我提到的那样捕获流量?
2: If it is possible then is wire-shark is right tool for it (or should i have to use differnt one)?
2:如果可能的话,wire-shark 是否适合它(或者我应该使用不同的工具)?
3: if it is not possible, then why?
3:如果不可能,那为什么?
采纳答案by Chris Hinshaw
You are connected to a switch which is "switching" traffic. It bases the traffic you see on your mac address. It will NOTsend you traffic that is not destined to your mac address. If you want to monitor all the traffic you need to configure your switch to use a "port mirror" and plug your sniffer into that port. There is no software that you can install on your machine that will circumvent the way network switching works.
您已连接到正在“切换”流量的交换机。它基于您在 mac 地址上看到的流量。它不会向您发送不是发往您的 mac 地址的流量。如果您想监控所有流量,您需要将交换机配置为使用“端口镜像”并将嗅探器插入该端口。没有任何软件可以安装在您的机器上,可以绕过网络切换的工作方式。
回答by Gilles Quenot
Just adapt this a bit with your own filters and ips : (on local host)
只需使用您自己的过滤器和 ip 稍微调整一下即可:(在本地主机上)
ssh -l root <REMOTE HOST> tshark -w - not tcp port 22 | wireshark -k -i -
or using bash:
或使用bash:
wireshark -k -i <(ssh -l root <REMOTE HOST> tshark -w - not tcp port 22)
You can use tcpdumpinstead of tsharkif needed :
如果需要,您可以使用tcpdump代替tshark:
ssh -l root <REMOTE HOST> tcpdump -U -s0 -w - -i eth0 'port 22' |
wireshark -k -i -
