One Linux command per day: tcpdump command

Source: Internet
Author: User

tcpdump is a command-line packet sniffer. It prints the header information of every packet that passes through a network interface (optionally restricted by a filter expression), or, with the -w option, writes the raw packets to a file for later analysis with -r or with tools such as Wireshark. Capturing requires root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), and unless -p is given the interface is put into promiscuous mode.

Syntax

tcpdump [options] [expression]

Options

-a: Attempt to convert network and broadcast addresses to names (an old option; in current tcpdump the capital -A instead prints each packet's payload in ASCII);
-c <count>: Stop after receiving the specified number of packets;
-d: Dump the compiled packet-matching code in human-readable form to standard output and stop;
-dd: Dump the compiled packet-matching code as a C program fragment;
-ddd: Dump the compiled packet-matching code as decimal numbers;
-e: Print the link-level header on each dump line;
-f: Print foreign Internet addresses numerically rather than symbolically;
-F <file>: Read the filter expression from the specified file;
-i <interface>: Listen on the specified interface;
-l: Make standard output line buffered (useful when piping the output to another program);
-n: Do not convert addresses (host addresses, port numbers) to names;
-N: Do not print the domain name qualification of host names;
-O: Do not run the packet-matching code optimizer;
-p: Do not put the interface into promiscuous mode;
-q: Quick (quiet) output, printing less protocol information;
-r <file>: Read packets from the specified file (as written by -w) instead of from an interface;
-s <snaplen>: Capture snaplen bytes of data from each packet; older versions defaulted to 68 bytes, which truncates most payloads, so use -s 0 when the whole packet is needed;
-S: Print absolute rather than relative TCP sequence numbers;
-t: Do not print a timestamp on each dump line;
-tt: Print an unformatted timestamp (seconds since the epoch) on each dump line;
-T <type>: Force packets selected by the expression to be interpreted as the specified type;
-v: Verbose output;
-vv: More verbose output;
-x: Print each packet (minus its link-level header) in hex;
-w <file>: Write the raw packets to the specified file instead of printing them.

Example 1. Started with no arguments, tcpdump monitors all packets on the first network interface

tcpdump

Monitoring packets on a specified network interface

tcpdump -i eth0

If no interface is given, tcpdump listens only on the first configured non-loopback interface, typically eth0 on older systems (newer systems use names such as ens33 or enp0s3; tcpdump -D lists the interfaces it can see). The examples below do not specify an interface.

Monitoring packets for a specified host

tcpdump host sundown
An IP address can be given instead of a name; this captures all packets sent or received by 210.27.48.1
tcpdump host 210.27.48.1
Print packets between helios and either hot or ace (inside the parentheses the keyword host carries over, so hot and ace mean host hot and host ace)
tcpdump host helios and \( hot or ace \)
Capture traffic between 210.27.48.1 and either 210.27.48.2 or 210.27.48.3
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
Print IP packets between ace and any other host, excluding packets between ace and helios
tcpdump ip host ace and not helios
To capture IP packets between 210.27.48.1 and every host except 210.27.48.2, use:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Here ! is a synonym for not; because ! is special to interactive shells, the safer form is to write not inside a quoted expression.
Capture all packets sent by host hostname
tcpdump -i eth0 src host hostname
Capture all packets sent to host hostname
tcpdump -i eth0 dst host hostname

Monitoring packets for a specified network

Print all packets between the local host and hosts on the Berkeley network
tcpdump net ucb-ether
ucb-ether here is a network name (looked up in /etc/networks); a network number or CIDR prefix such as net 210.27.48.0/24 works the same way. Literally, the expression matches every packet whose source or destination address lies on network ucb-ether.
Print all FTP traffic passing through the gateway snup
tcpdump 'gateway snup and (port ftp or ftp-data)'
Note: the expression is enclosed in single quotes so the shell does not interpret the parentheses; without quotes each parenthesis has to be escaped as \( and \). The gateway primitive matches packets whose Ethernet source or destination address belongs to snup while neither IP address does, that is, packets being forwarded through it, so snup must resolve both to an IP address and to an Ethernet address (/etc/ethers).
Print IP packets that are neither sent from nor destined to a host on the local network
tcpdump ip and not net localnet
localnet stands for the local network's name or number. If the local network reaches other networks through a gateway, those networks do not count as local, and such packets should normally never appear on the local segment.
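The host, net and port expressions above are easier to reason about with a reference evaluator. The following is an added example, not code from the original post: a small Python implementation of the subset of the pcap filter grammar used in these examples (host / src host / dst host, net, port, the ip qualifier, and / or / not / !, parentheses, and the keyword carry-over that makes host helios and \( hot or ace \) mean host hot and host ace), run against constructed packets. The name tables (helios, hot, ace, sundown, localnet, ucb-ether) and the sample packets are made up for the demo; the gateway primitive is not modelled.

```python
"""Reference evaluator for the tcpdump filter subset used in the examples
(host, src/dst host, net, port, ip, and/or/not/!, parentheses, keyword
carry-over). Constructed demo only; not tcpdump's own code."""
import ipaddress
import re
from typing import NamedTuple

# Constructed name tables standing in for DNS, /etc/networks and /etc/services.
NAMES = {"helios": "10.0.0.1", "hot": "10.0.0.2", "ace": "10.0.0.3", "sundown": "10.0.0.4"}
NETS = {"localnet": "10.0.0.0/24", "ucb-ether": "128.32.0.0/16"}
PORTS = {"ftp": 21, "ftp-data": 20, "ssh": 22, "http": 80}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "ip"   # "ip" or "arp"
    sport: int = 0
    dport: int = 0


# Constructed sample traffic (index in comments), not captured data.
PACKETS = [
    Packet(NAMES["helios"], NAMES["hot"], sport=40001, dport=22),   # 0
    Packet(NAMES["hot"], NAMES["ace"], sport=40002, dport=21),      # 1 ftp control
    Packet(NAMES["ace"], NAMES["helios"], sport=20, dport=40003),   # 2 ftp-data
    Packet(NAMES["ace"], "10.0.0.9", proto="arp"),                  # 3 not IP
    Packet("210.27.48.1", "210.27.48.2", sport=40004, dport=80),    # 4
    Packet("210.27.48.3", "210.27.48.1", sport=40005, dport=443),   # 5
    Packet("210.27.48.1", "210.27.49.9", sport=40006, dport=53),    # 6
]

TOKEN = re.compile(r"\(|\)|!|[^\s()!]+")
PROTOS, DIRS, TYPES = {"ip", "arp"}, {"src", "dst"}, {"host", "net", "port"}
STOP = {None, "and", "or", ")"}


def _primitive(q, value):
    """Predicate for one qualifier set q = {proto, dir, type} plus optional value."""
    proto_ok = lambda p: q["proto"] is None or p.proto == q["proto"]
    if value is None:                      # bare protocol qualifier such as "ip"
        return proto_ok
    d = q["dir"]                           # None means "src or dst"
    if q["type"] == "host":
        ip = NAMES.get(value, value)
        test = lambda p: (d != "dst" and p.src == ip) or (d != "src" and p.dst == ip)
    elif q["type"] == "net":
        net = ipaddress.ip_network(NETS.get(value, value), strict=False)
        inside = lambda a: ipaddress.ip_address(a) in net
        test = lambda p: (d != "dst" and inside(p.src)) or (d != "src" and inside(p.dst))
    else:                                  # port: only meaningful for IP traffic
        port = PORTS[value] if value in PORTS else int(value)
        test = lambda p: p.proto == "ip" and ((d != "dst" and p.sport == port)
                                              or (d != "src" and p.dport == port))
    return lambda p: proto_ok(p) and test(p)


def compile_filter(expr):
    """Recursive-descent parse of expr into a predicate Packet -> bool."""
    toks = TOKEN.findall(expr)
    pos = [0]
    last = {"proto": None, "dir": None, "type": "host"}   # most recent keywords

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_not():
        if peek() in ("not", "!"):          # "!" is a synonym for "not"
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        return parse_primary()

    def parse_primary():
        if peek() == "(":
            take()
            inner = parse_or()
            if peek() != ")":
                raise SyntaxError("unbalanced parentheses")
            take()
            return inner
        q, explicit = {"proto": None, "dir": None, "type": "host"}, False
        while peek() in PROTOS | DIRS | TYPES:
            t = take()
            q["proto" if t in PROTOS else "dir" if t in DIRS else "type"] = t
            explicit = True
        if not explicit:                    # bare identifier: reuse previous keywords
            q = dict(last)
        if peek() in STOP:
            if not explicit or q["proto"] is None:
                raise SyntaxError("expected a host, net or port value")
            value = None
        else:
            value = take()
            if value in ("(", "!"):
                raise SyntaxError("unexpected %r after keyword" % value)
        last.update(q)
        return _primitive(q, value)

    pred = parse_or()
    if pos[0] != len(toks):
        raise SyntaxError("unexpected token %r" % peek())
    return pred


def select(expr, packets=PACKETS):
    """Indices of the packets that expr matches, i.e. what tcpdump would print."""
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for e in ("host helios and ( hot or ace )", "ip host ace and not helios",
              "ip host 210.27.48.1 and ! 210.27.48.2", "ip and not net localnet",
              "port ftp or ftp-data"):
        print("%-40s -> %s" % (e, select(e)))
```

select("ip host ace and not helios") returns [1]: the only constructed packet that involves ace without helios, while the ARP packet is dropped by the ip qualifier and the bare helios inherits ip host from the previous primitive. The real tcpdump compiles the same grammar to a BPF program that runs in the kernel; tcpdump -d prints that program, which is a convenient way to check an expression before starting a long capture.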
