tcpdump command format

Source: Internet
Author: User
Tags: snmp

tcpdump is run from the command line; its syntax is:

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ] [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ]
        [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ] [ expression ]

Overview of tcpdump's options

-A
    Print each packet (without its link-layer header) in ASCII. Handy when the captured traffic carries web page data.

-c count
    Exit after receiving count packets.

-C file_size
    (Used together with -w file.) Before writing a raw packet to the save file, check whether the file is larger than file_size; if it is, close it and continue recording into a new file. Each new file takes the name given with -w followed by a number, which starts at 1 and increases as files are created. file_size is in millions of bytes (1,000,000 bytes, not 1,048,576 bytes; the latter counts 1k as 1024 bytes and 1M as 1024k, i.e. 1M = 1024 * 1024 = 1,048,576).

-d
    Dump the compiled packet-matching code (the filter program compiled from the expression) in a human-readable form to standard output, then stop.

-dd
    Dump the packet-matching code as a C program fragment.

-ddd
    Dump the packet-matching code as decimal numbers (preceded by a count).

-D
    Print the list of network interfaces on which tcpdump can capture packets. For each interface a number, the interface name and possibly a description are printed. The name or the number can be passed to the -i flag to select the interface to capture on.
    This is useful on systems that have no command to list interfaces (e.g. Windows, or UNIX systems without ifconfig -a); the number is convenient on newer Windows systems, whose interface names are long and awkward to type.
    If tcpdump was built against a libpcap too old to provide pcap_findalldevs(), -D is not supported.

-e
    Print the link-layer header on each output line.

-E spi@ipaddr algo:secret,...
    Use spi@ipaddr algo:secret to decrypt IPsec ESP packets. (ESP, Encapsulating Security Payload, is the IPsec protocol that encrypts either the whole IP packet, tunnel mode, or only its upper-layer payload, transport mode.)
    Note that keys can only be set for IPv4 ESP packets, and only when tcpdump starts.
    algo may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc (DES: Data Encryption Standard). secret is the ESP key given as an ASCII string; if it starts with 0x it is read as hexadecimal.
    The ESP handled by this option follows RFC2406, not RFC1827. The option exists for debugging only; using it with a real key is not recommended because it is unsafe: a secret passed on the command line can be seen by other users with commands such as ps.
    Instead of the spi@ipaddr algo:secret syntax, the name of a file containing such entries may be given. The file is opened when the first ESP packet is received, so it is best to have dropped any extra privileges given to tcpdump by then (so that a maliciously written file can do little damage).

-f
    Print "foreign" (non-local) IPv4 addresses numerically rather than as names. (This works around a defect in Sun's NIS server, the Network Information Service tcpdump uses for name lookups, which can fall into an endless query loop when asked to resolve non-local addresses.)
    Deciding whether an address is foreign requires the IPv4 address and netmask of the capture interface. If they are not available, or the interface has no address and netmask configured at all (for example the Linux virtual interface that receives packets from all interfaces on the system, which needs none), this option does not work correctly.

-F file
    Read the filter expression from file; any expression given on the command line is ignored.

-i interface
    Capture on interface. If none is given, tcpdump searches the system interface list (excluding the loopback interface) for the lowest-numbered configured interface and stops at the first match.
    On Linux with a 2.2 or later kernel, a virtual interface can be used to receive packets on all network interfaces. Note that capturing on that virtual interface does not put the real interfaces into promiscuous mode, so packets a real interface would only see in promiscuous mode are not captured there.
    If -D is supported, the interface number it prints can also be used as the interface argument.

-l
    Line-buffer standard output. Useful when you want to watch the packets as they are printed and save the capture at the same time, for example:
        tcpdump -l | tee dat
    or
        tcpdump -l > dat & tail -f dat
    (The first form uses tee to send tcpdump's output both to the file dat and to standard output; the second redirects the output to dat and uses tail to echo the file to standard output.)

-L
    List the data link layer types supported by the interface given with -i, then exit.

-m module
    Load the SMI MIB module from file module. (SMI: Structure of Management Information; MIB: Management Information Base. Both are used when decoding SNMP, Simple Network Management Protocol, packets.) The option may be given several times to load several MIB modules.

-M secret
    Use secret to validate the digests of TCP segments that carry the TCP-MD5 option (described in RFC 2385).

-n
    Do not convert addresses (host addresses, port numbers and so on) to names.

-N
    Do not print the domain part of host names, i.e. print the short host name rather than the fully qualified one.

-O
    Do not run the packet-matching code optimizer. Useful when a bug in the optimizer is suspected.

-p
    Do not put the interface into promiscuous mode. Be aware that the interface may be in promiscuous mode for other reasons; therefore -p cannot be used as an abbreviation for a filter that matches only packets addressed to the interface's own Ethernet address or to the Ethernet broadcast address.

-q
    Quick (quiet?) output: print less protocol information so that output lines are shorter.

-R
    Parse ESP/AH packets according to RFC1825 instead of RFC1829. (AH: Authentication Header; ESP: Encapsulating Security Payload; both belong to the IP security transport mechanism.) If this option is set, tcpdump does not print the replay prevention field. Because the ESP/AH specification does not require a protocol version field in the packet, tcpdump cannot deduce the version from the packets it receives.

-r file
    Read packets from file. If file is "-", tcpdump reads from standard input.

-S
    Print absolute rather than relative TCP sequence numbers. (Relative numbers are offsets from the first packet's sequence number: if the first packet seen has absolute sequence number 232323, the second and third packets are printed with their difference from that value; with -S their absolute sequence numbers are printed instead.)

-s snaplen
    Capture snaplen bytes of each packet; the default is 68 (on SunOS systems with the network interface tap, NIT, the default and minimum is 96). 68 bytes is enough for IP, ICMP (Internet Control Message Protocol), TCP and UDP headers, but truncates packets of name services (DNS, NIS) and NFS. Truncated packets are marked with [|proto] in the output, proto being the protocol level at which truncation happened. A larger snaplen increases the processing time per packet and reduces the number of packets tcpdump can buffer, which can lead to packet loss; so use the smallest snaplen that still captures the data you need. Setting snaplen to 0 makes tcpdump choose the length needed to capture whole packets.

-T type
    Force packets selected by the expression to be interpreted as type. The known types are: aodv (Ad-hoc On-demand Distance Vector protocol, a routing protocol for point-to-point ad hoc networks), cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications Control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool, an application-layer protocol for Internet video conferencing) and wb (distributed White Board, an application-layer protocol for web conferencing).

-t
    Do not print a timestamp on each output line.

-tt
    Print the timestamp unformatted, as raw seconds since the epoch (e.g. 1261798315), which is not readable at a glance.

-ttt
    Print the time (in milliseconds) elapsed between the current and the previous output line.

-tttt
    Print a date in front of each line's timestamp.

-u
    Print undecoded NFS file handles (a handle identifies a file or directory in NFS).

-U
    When -w is used, write each packet to the save file as soon as it is captured rather than when the file's output buffer fills. This flag does not work with old versions of the libpcap capture library, which lack pcap_dump_flush().

-v
    Verbose output when parsing and printing: for IP packets, print the TTL, identification, total length and options. This also enables extra packet integrity checks, such as verifying the IP and ICMP header checksums.

-vv
    Even more verbose than -v: for example, additional fields of NFS reply packets are printed and SMB packets are fully decoded.

-vvv
    More verbose than -vv: for example, telnet SB and SE options are printed in full, and when hex output is also enabled the option contents are printed in hex as well.

-w file
    Write the raw packets to file instead of parsing and printing them. The saved packets can be read back later with -r for analysis and printing.

-W filecount
    Used together with -C: limit the number of files created. Once filecount files exist, the next rotation overwrites the first one, so the files form a ring buffer of filecount files. The option also pads the number at the start of each file name with enough zeros that the files sort correctly.

-x
    When parsing and printing, print each packet's headers and its data (but not the link-layer header) in hex. The amount printed is the smaller of the whole packet and snaplen. Note that if the higher-layer data is shorter than snaplen and the link layer (for example Ethernet) padded the frame, the padding bytes are printed as well.

-xx
    Like -x, but the printed hex includes the link-layer header.

-X
    When parsing and printing, print each packet's headers and data in hex and ASCII (excluding the link-layer header). Handy for analyzing packets of new protocols.

-XX
    Like -X, but the printed data includes the link-layer header.

-y datalinktype
    Capture using data link layer type datalinktype.

-Z user
    Drop tcpdump's superuser privileges (which it has when started by root): set the process user ID to user and its group ID to the ID of user's primary group. This behaviour can also be enabled by default at compile time.
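The -tt, -ttt and -s entries above describe raw epoch timestamps, inter-packet deltas and the [|proto] truncation marker. As an added example (not part of the original page), this Python script parses a constructed sample of tcpdump -tt -n output, derives the per-line deltas that -ttt would show, and counts truncation markers per protocol so an analyst can tell that the snaplen used for a capture was too small. The sample lines and the helper names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of tcpdump output as produced with "-tt -n" (raw epoch
# timestamps, numeric addresses). Three lines carry the [|proto] marker that
# tcpdump prints when a packet was cut short by the snaplen in use.
SAMPLE_OUTPUT = """\
1261798315.000100 IP 10.0.0.5.40001 > 10.0.0.53.53: 12345+ A? example.test. (30)
1261798315.000850 IP 10.0.0.53.53 > 10.0.0.5.40001: 12345 1/0/0 A 192.0.2.10 (46)
1261798315.003200 IP 10.0.0.5.708 > 10.0.0.20.2049: NFS request xid 0x1a [|nfs]
1261798315.005700 IP 10.0.0.20.2049 > 10.0.0.5.708: NFS reply xid 0x1a [|nfs]
1261798316.100000 IP 10.0.0.5.40002 > 10.0.0.53.53: [|domain]
"""

# "-tt" prints seconds.microseconds at the start of every line.
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d{6}) (?P<rest>.*)$")
# Truncation marker: the protocol at which the decoder ran out of bytes.
TRUNC_RE = re.compile(r"\[\|(?P<proto>[a-z0-9]+)\]")


def parse_line(line: str) -> Optional[Tuple[int, str, Optional[str]]]:
    """Return (timestamp_us, body, truncated_proto) for one -tt output line,
    or None for a line that does not start with a raw timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, frac = m.group("ts").split(".")
    ts_us = int(sec) * 1_000_000 + int(frac)
    body = m.group("rest")
    t = TRUNC_RE.search(body)
    return ts_us, body, (t.group("proto") if t else None)


def inter_packet_deltas(output: str) -> List[int]:
    """Microsecond gaps between consecutive lines, the quantity -ttt prints."""
    stamps = [p[0] for p in map(parse_line, output.splitlines()) if p]
    return [b - a for a, b in zip(stamps, stamps[1:])]


def truncation_report(output: str) -> Dict[str, int]:
    """Count [|proto] markers per protocol. A non-empty result means the
    capture's snaplen was too small for those packets; recapture with -s 0
    or a snaplen large enough for that protocol."""
    counts: Dict[str, int] = {}
    for parsed in map(parse_line, output.splitlines()):
        if parsed and parsed[2]:
            counts[parsed[2]] = counts.get(parsed[2], 0) + 1
    return counts


if __name__ == "__main__":
    print("deltas (us):", inter_packet_deltas(SAMPLE_OUTPUT))
    print("truncated:", truncation_report(SAMPLE_OUTPUT))
```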

