9 tcpdump usage examples


Reposted from: http://www.cnblogs.com/bangerlee/articles/2545612.html


tcpdump captures network packets and can save them to disk. Saved packets can be used to analyze network load; they can be decoded by the tcpdump command itself, or written to a file with a .pcap suffix and inspected with Wireshark or similar tools.

Here are 9 examples illustrating specific uses of tcpdump.

1. Capture on a specific network interface (-i option)

When tcpdump is run without any options, it captures on all interfaces; with the -i option we can capture on a specified network interface:

tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
10:50:28.607429 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack 116 win 64951
10:50:28.607436 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 116:232(116) ack 1 win 12864
10:50:30.384195 arp who-has 128.128.128.35 tell 128.128.128.35

In the example above, tcpdump captures all packets passing through eth0.

2. Capture a specified number of packets (-c option)

By default, tcpdump keeps capturing until it is interrupted with Ctrl+C; the -c option lets us specify how many packets to capture before stopping:

tcpdump -c 2 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
10:58:05.656104 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 1210443473:1210443589(116) ack 2583117929 win 12864
10:58:05.657074 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack 116 win 65211

2 packets captured
6 packets received by filter
0 packets dropped by kernel

In the example above, only 2 packets are captured on eth0.

3. Write captured packets to a file (-w option)

With the -w option, we can record the capture in a specified file for later analysis:

tcpdump -w 20120606.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size bytes
packets captured
packets received by filter
0 packets dropped by kernel

Saving the file with a .pcap suffix lets us open and analyze it with tools such as Wireshark.

4. Read a saved tcpdump capture file (-r option)

A saved capture file can be read back with the -r option:

tcpdump -r 20120606.pcap
reading from file 20120606.pcap, link-type EN10MB (Ethernet)
11:01:57.392907 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 1210446405:1210446457(52) ack 2583119957 win 12864
11:01:57.392917 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 52:168(116) ack 1 win 12864
11:01:57.393649 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack win 65327

5. Do not resolve host names when capturing (-n option)

By default, tcpdump resolves addresses in its output and shows host names instead of IP addresses; the -n option makes it show IP addresses instead.

6. Add the date to the capture timestamp (-tttt option)

With the -tttt option, each captured packet is timestamped with the full date as well as the time:

tcpdump -n -tttt -i eth0
2012-06-06 11:14:59.539736 IP 10.71.171.140.22 > 10.70.121.95.1787: P 1:53(52) ack win 7504
2012-06-06 11:14:59.539754 IP 10.71.171.140.22 > 10.70.121.95.1787: P 53:105(52) ack win 7504
2012-06-06 11:14:59.539770 IP 10.71.171.140.22 > 10.70.121.95.1787: P 105:157(52) ack win 7504

7. Specify the protocol to capture

We can capture only packets of a particular protocol. tcpdump supports the following protocol keywords: ip, ip6, arp, tcp, udp, wlan. The following example captures only ARP packets:

tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
11:22:26.948656 arp who-has 10.10.1.30 tell 10.10.1.26
11:22:27.017406 arp who-has 10.10.1.30 tell 10.10.1.26
11:22:27.078803 arp who-has 10.10.1.30 tell 10.10.1.26

8. Specify the port to capture

To capture packets for a particular port, use the following command:

tcpdump -i eth0 port
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
11:41:04.387547 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack 1216136825 win 64751
11:41:04.387891 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 1:233(232) ack 0 win 16080
11:41:04.398973 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: P 0:52(52) ack 233 win 64519

9. Capture packets for a specific destination IP and port

A packet carries a source IP address and port and a destination IP address and port, so we can filter tcpdump's capture on the destination IP and port. The following command shows this usage:

tcpdump -i eth0 dst 10.70.121.92 and port 22
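As an added example (not part of the original post), the following Python script parses the text that tcpdump -n -tttt prints (the format shown in example 6) into structured records and then applies the same selection as the BPF filter in example 9, "dst host X and port Y", in Python. The sample lines are constructed in the page's output format, not a real capture; parsing tcpdump's text output this way is useful when a pcap was not saved with -w and only the console log survives.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of "tcpdump -n -tttt" output (example 6 above).
SAMPLE = """\
2012-06-06 11:14:59.539736 IP 10.71.171.140.22 > 10.70.121.95.1787: P 1:53(52) ack 1 win 7504
2012-06-06 11:14:59.539754 IP 10.70.121.95.1787 > 10.71.171.140.22: . ack 53 win 64751
2012-06-06 11:14:59.539770 IP 10.70.121.92.1088 > 10.71.171.140.22: S 1210443472:1210443472(0) win 65535
2012-06-06 11:15:00.001234 arp who-has 10.10.1.30 tell 10.10.1.26
"""

# "<date> <time.usec> <proto> <rest>" as printed with -tttt
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\S+) (.*)$")
# "<src>.<sport> > <dst>.<dport>: <tcp/udp info>" as printed with -n
IP_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")


@dataclass
class Packet:
    ts: str
    proto: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    info: str = ""


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump output line; returns None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, rest = m.groups()
    pkt = Packet(ts=ts, proto=proto.upper(), info=rest)
    if pkt.proto == "IP":
        ip = IP_RE.match(rest)
        if ip:  # ARP and other non-IP lines keep src/dst as None
            pkt.src, pkt.sport = ip.group(1), int(ip.group(2))
            pkt.dst, pkt.dport = ip.group(3), int(ip.group(4))
            pkt.info = ip.group(5)
    return pkt


def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def match_dst(pkts: List[Packet], host: str, port: int) -> List[Packet]:
    """Equivalent of the BPF filter 'dst host HOST and port PORT' (example 9):
    'port' alone matches either the source or the destination port."""
    return [p for p in pkts if p.dst == host and port in (p.sport, p.dport)]
```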
