Tcpdump command line packet capture (Article 1)

Tcpdump can obtain data flowing on the network card. tcpdump [-addefikllnnopqrstuuvxx] [-B buffer_size] [-C COUNT] [-C file_size] [-G rotate_seconds] [-F file] [-I interface] [-M module] [-M secret] [-r file] [-s snaplen] [-T type] [-W file] [-W filecount] [-E [email protected] algo: secret,...] [-y datalinktype] [-Z postrotate-command] [-Z user] [expression]-A prints each packet in ASCII code (excluding the link layer header ), for analysis Web pages It is convenient to use-C to capture the maximum number of packets-C is used to determine whether the size of the file to which the packet is written with the-W option exceeds this value, if this parameter is exceeded, a new file is created (the file name suffix is 1, 2, and 3 are added in turn).-D is used to list all network card numbers and names of the current host, you can use option-I-e to print the link layer header-I to listen to data streams on the NIC of the host. If this parameter is not specified, the minimum Nic ID is used (available in Option-D, but the loop interface is not included). The Linux 2.2 kernel and later versions support any Nic, it is used to indicate any NIC-L. If the-W option is not used, messages can be printed to the standard output terminal (this is the default) -R reads the captured packet file-S prints the absolute value of the TCP serial number, instead of the Relative Value-W, it writes the captured packets to the file expression. The logical expression used for filtering is used to capture network data when accessing a website. Such as website http://www.nibaozhu.cn/how to do? Tcpdump-I any host www.nibaozhu.cn visit this website wget www.nibaozhu.cn and print out some basic information to confirm why the serial number Ack is 1. This is the relative value. How can we display the absolute value tcpdump-s-I any host www.nibaozhu.cn? visit this website again wget www.nibaozhu.cn. We can see that TCP's three-way handshake wants to see detailed HTTP packets. How? Tcpdump-a-I any host www.nibaozhu.cn saves the captured results to the file, for example, how to read the basic information of the file file1tcpdump-a-I any-W file1 host www.nibaozhu.cn tcpdump-r file1, for example, the above HTTP packet tcpdump-a-r file1 also wants to print the confirmed serial number ack into the absolute value tcpdump-as-r file1. Note: The options without parameters such as-a,-s, -E, and so on. You can share a minus sign to only capture packets from www.nibaozhu.cn. What should I do? Tcpdump-I any SRC host www.nibaozhu.cn 'src host www.nibaozhu.cn 'belongs to the expression. If it is too long, you can enclose it in single quotes. What should I do? Tcpdump-I any DST host www.nibaozhu.cn if you use SRC, DST, and other keywords, you can ignore the host keyword (which is the default) tcpdump-I any SRC www. nibaozhu. cntcpdump-I any 'src www.nibaozhu.cn 'the first column of the captured packets is the timestamp: hour, minute, second, microsecond do not want to display this timestamp? Add the-T option tcpdump-t-I any host www.nibaozhu.cn to display the unformatted timestamp? Add the-TT option tcpdump-TT-I any host www.nibaozhu.cn to display the time interval between sending and receiving packets (from 00:00:00. starting from 000000, similar to Wireshark ), add the-TTT option tcpdump-TTT-I any host www.nibaozhu.cn. The second column is the name of the Internet protocol, and the third column is the IP address of the message sender in decimal format, and the dot-and-dot port number that follows it (occasionally a protocol name such as HTTP, if the port number is still displayed with the-nn option) tcpdump-nn-I any host www.nibaozhu.cn wants to capture the data streams of a certain network adapter, for example, eth2tcpdump-I eth2 host www.nibaozhu.cn wants to capture the data streams sent by a certain network adapter, first, check that the Network Protocol address ifconfig eth2 of the network adapter is the value of Inet ADDR, for example, 19. Listen 56.100tcpdump-I eth2 SRC host 192.168.56.100 can also be written as tcpdump-I any SRC host 192.168.56.100 note: the port number of the HTTP protocol client host is an increasing random number (if this time is 48151, it can be predicted that the next time is 48152) The fourth column is greater than the fifth column is the dot-decimal Internet Protocol address of the message receiver, and the dot-and-dot port number that follows it (occasionally a protocol name such as HTTP, if the port number is still displayed with the-nn option) to capture packets from port 80 of www.nibaozhu.cn (this is the default port number selected by the HTTP server), if not specified, all port numbers are captured. Tcpdump-I any SRC host www.nibaozhu.cn and SRC port 80 host, port, keyword. If it is not modified by SRC or DST, the default value is SRC and DST, which includes the source and target logic keywords: and is 'and'; or is 'or 'column 6 is colon, column 7 is flags, the possible value is [S.] [.] [p.] [F.] eighth, Ninth, Tenth ...... The column is the variable value of the TCP packet header. seq is the request synchronization serial number. Ack is the synchronized serial number. Win is the current available window size. length is the length of the TCP packet style. If- s option, we can see seq. Ack is the values separated by two colons, which indicate the values before and after the change, respectively.