Linux network protocol analysis tools: tcpdump and tshark usage
Source: Internet
Author: User
tcpdump is the basic tool for network protocol analysis. tshark is the command-line version of Wireshark (formerly known as Ethereal), the well-known open-source network protocol analyzer; Wireshark can decode and analyze thousands of network protocols. Both Wireshark and tcpdump use the libpcap library (see the libpcap programming tutorial) for packet capture.
For full details, see the tcpdump manpage. The arguments to tcpdump fall into two parts: options and a filter_expression.
# tcpdump [options] [filter_expression]
Example:
# tcpdump -c 100 -i eth0 -w log tcp dst port 50000
The options used here:
-c 100: stop after capturing 100 packets
-i eth0: the network interface to listen on
-w log: write the raw packets to a file named log (libpcap format)
The filter_expression is tcp dst port 50000, which captures only TCP packets whose destination port is 50000.
More examples:
# tcpdump dst net not 192.168.3.0/24
# tcpdump -n -nn port not \( www or 22 or 110 \)
or
# tcpdump -n -nn port ! \( www or 22 or 110 \)
# tcpdump ether src 00:50:04:BA:9B
# tcpdump src host 192.168.0.1 and dst port not telnet
Protocol qualifiers such as ip, icmp, arp, rarp, tcp and udp select the packet type and must come first in the filter expression. For example:
# tcpdump ip src ......   // match only IP packets (from the given source)
# tcpdump udp and src host 192.168.0.1   // match only UDP packets from source host 192.168.0.1
tcpdump also offers many options that control how the captured data is processed, for example:
-l line-buffers the output, so it can be redirected or piped while the capture is running. For example, tcpdump -l > tcpcap.txt stores the output in the file tcpcap.txt.
-n does not convert IP addresses to host names. Without this option, tcpdump shows host names whenever the system can resolve them, e.g. eth0 < ntc9.1165 > router.domain.net.telnet; with -n the same line is shown as eth0 < 192.168.0.9.1165 > 192.168.0.1.telnet.
-nn additionally does not convert port numbers to service names. With -nn, the line above becomes eth0 < ntc9.1165 > router.domain.net.23.
-N does not print the domain part of host names. With -N, it becomes eth0 < ntc9.1165 > router.telnet.
-O does not run the packet-matching code optimizer.
-t does not print a timestamp on each line.
-tt prints the raw, unformatted timestamp.
-v produces more verbose output, including for example the TTL and type of service of IP packets.
For the full set of tshark options, see the tshark manpage.
// List the interfaces that can be captured on; tshark numbers them 1, 2, ... for eth0, eth1, ...
# tshark -D
// Capture traffic on UDP port 1234 on interface 1 (eth0)
# tshark -f "udp port 1234" -i 1
The strength of tshark lies in its full protocol decoding, including the reassembly of TCP segments into the original messages. For example:
// Capture HTTP traffic to port 80 on interface 1 (eth0) and print the Host and Location headers of each HTTP message
# tshark -f "dst port 80" -T fields -e http.host -e http.location -i 1
-f specifies the capture filter expression (the equivalent of tcpdump's filter_expression).
-T fields makes tshark print only the protocol fields named with -e; this output mode is supported in Wireshark 0.99.6 and later.
-i 1 selects interface number 1 as the capture interface. For the field names of the various protocols, see http://www.wireshark.org/docs/dfref/
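The two workflows above (capturing to a libpcap file with tcpdump -w, and extracting protocol fields with tshark -T fields) combine naturally: capture on the wire, decode the saved file offline, then summarise the fields. The script below is an added example and not part of the original article; the function names, the sample data and the choice of fields (ip.src alongside http.host and http.location) are this example's own, and the -r and -Y tshark options are used to read a saved file and keep only HTTP frames.

```shell
#!/bin/sh
# Added example, not from the original article: capture with tcpdump -w,
# decode the saved file offline with tshark, then summarise the field output.
# Function and sample names are this example's own.

# Capture 1000 packets of TCP port-80 traffic on $1 into the libpcap file $2
# (same form as the article's "tcpdump -c 100 -i eth0 -w log ..." example).
# Needs capture privileges; decoding is done afterwards, offline.
capture_http() {
    tcpdump -c 1000 -i "$1" -w "$2" tcp port 80
}

# Decode a saved capture: -r reads the file instead of a live interface, -Y http
# keeps only HTTP frames, and -T fields/-e print one tab-separated line per
# frame with the sending IP, the Host header and the Location header.
decode_http_fields() {
    tshark -r "$1" -Y http -T fields -e ip.src -e http.host -e http.location
}

# Summarise that tab-separated output: request count per Host header, and
# every redirect target a server sent in a Location header. Requests carry
# a Host but no Location; responses carry a Location but no Host.
summarize_http_fields() {
    awk -F'\t' '
        $2 != "" { hosts[$2]++ }
        $3 != "" { redirects[$1 "\t" $3]++ }
        END {
            for (h in hosts)     printf "host\t%s\t%d\n", h, hosts[h]
            for (r in redirects) printf "redirect\t%s\t%d\n", r, redirects[r]
        }' | sort
}

# Constructed sample of decode_http_fields output (not a real capture):
# two requests to www.example.com, one to intranet.example.net, and one
# 3xx response from 203.0.113.5 redirecting to login.example.org.
sample_fields() {
    printf '%s\t%s\t%s\n' \
        192.168.0.9  www.example.com      '' \
        192.168.0.9  www.example.com      '' \
        192.168.0.10 intranet.example.net '' \
        203.0.113.5  ''                   http://login.example.org/
}

# With an interface and output file given, capture and summarise live;
# otherwise run the summariser over the constructed sample.
if [ "$#" -eq 2 ]; then
    capture_http "$1" "$2" && decode_http_fields "$2" | summarize_http_fields
else
    sample_fields | summarize_http_fields
fi
```

Run as `sh capture_summary.sh eth0 web.pcap` for a live capture, or with no arguments to see the summary of the constructed sample.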