Super-detailed tcpdump usage

Source: Internet
Author: User

Capture all traffic to and from host 221.177.154.197 on eth2, in the background, writing whole packets to a file. -s 0 captures the full packet instead of the default snap length, -C 10 starts a new output file every 10 million bytes (the unit of -C), and -Z root is the user tcpdump switches to after it has opened the capture device, needed here so it can still write under /root:

# tcpdump host 221.177.154.197 -s 0 -i eth2 -w /root/cap20160705.cap -C 10 -Z root &

Original article: "Super-detailed tcpdump usage", 2005-12-26 11:55, jeffyan (CU)

The first kind of keyword gives the type of the object being matched: host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says that the port number is 23. If no type is given, host is assumed. Filter keywords are lowercase and case-sensitive; tcpdump rejects HOST or Port with a syntax error.

The second kind gives the direction of transmission: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 matches packets whose IP source address is 210.27.48.2, and dst net 202.0.0.0 matches packets whose destination network is 202.0.0.0. If no direction is given, src or dst is assumed, so host X matches packets sent by X as well as packets sent to X.
The third kind is the protocol keyword: fddi, ip, arp, rarp, tcp, udp and so on. fddi selects a protocol carried on an FDDI (Fiber Distributed Data Interface) network; in practice it is an alias for ether, because FDDI frames carry source and destination addresses in the same way as Ethernet frames, so an FDDI packet can be handled and analysed like an Ethernet packet. The other keywords restrict the capture to packets of that protocol. If no protocol is given, tcpdump captures packets of every protocol.
Besides these three kinds of keyword there are a few other important ones: gateway, broadcast, less and greater (the last two compare the packet length), and the three logical operators: negation is not or !, conjunction is and or &&, and disjunction is or or ||. These keywords can be combined into powerful compound conditions that fit most needs, as the examples below illustrate.
Run with no arguments, tcpdump captures every packet passing through the first network interface:
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1D ui/c len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/c len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
Use the -i parameter to choose the interface tcpdump listens on; this matters when the machine has more than one interface.
Use the -c parameter to stop after a given number of packets has been captured.
Use the -w parameter to write the captured packets to a file instead of printing them.
A. Capture every packet received or sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
B. Capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (parentheses on the command line must be escaped with a backslash, or the whole expression quoted, otherwise the shell interprets them):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
C. Capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2 (the bare address after ! inherits the ip host qualifiers):
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D. Capture the Telnet packets received or sent by host 210.27.48.1:
# tcpdump tcp port 23 and host 210.27.48.1
E. Monitor UDP port 123 on this machine, the NTP service port:
# tcpdump udp port 123

F. Capture only the packets involving the host named hostname, which may be the local host or any other machine on the network. The following command captures all data sent by hostname:
# tcpdump -i eth0 src host hostname
G. The following command captures all packets sent to hostname:
# tcpdump -i eth0 dst host hostname
H. Packets can also be selected by the gateway they pass through (gatewayname must be a name that resolves both to an IP address and to an Ethernet address, for example through /etc/ethers):
# tcpdump -i eth0 gateway gatewayname
I. To capture only the TCP or UDP packets to or from a given port as well, run:
# tcpdump -i eth0 host hostname and port 80
To list only the packets sent to port 80, use dst port; to see only the packets coming back from port 80, use src port.
# tcpdump -i eth0 host hostname and dst port 80     (the destination port is 80)
or
# tcpdump -i eth0 host hostname and src port 80     (the source port is 80, typical of a host that serves HTTP)
When there are several conditions, join them with and, or and not:
# tcpdump -i eth0 not host 211.161.223.70 and not host 211.161.223.71 and dst port 80
When an Ethernet interface is put into promiscuous mode, the kernel records it in the system log, which is one way to notice a sniffer running on a host you administer (tcpdump -p captures without entering promiscuous mode, and then only sees traffic addressed to the host itself):
May  7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May  7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May  7 20:03:57 localhost kernel: device eth0 left promiscuous mode
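The following is an added example, not code from the original article, of turning the kernel messages above into a detection check: it scans a syslog excerpt for "device X entered/left promiscuous mode" lines, pairs each entry with its exit, and reports any interface that is still promiscuous at the end of the log. The log lines in SAMPLE_LOG are constructed for the example (the eth1 and sshd lines are assumed, not from the page), and the message format assumed is the classic syslog "Mon dd HH:MM:SS host kernel: ..." layout.

```python
import re

# Constructed sample syslog excerpt (assumed, not a recording from the page's host);
# the "device ... entered/left promiscuous mode" lines are the kernel's, as quoted above.
SAMPLE_LOG = """\
May  7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May  7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May  7 20:03:57 localhost kernel: device eth0 left promiscuous mode
May  7 21:10:02 localhost kernel: device eth1 entered promiscuous mode
May  7 21:10:03 localhost sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 52211
"""

# Only the generic "device X entered/left promiscuous mode" form is matched; the
# driver-specific "eth0: Promiscuous mode enabled." line carries no extra information.
PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"device (?P<dev>\S+) (?P<action>entered|left) promiscuous mode$"
)

def promisc_events(log_text):
    """Return (timestamp, device, action) for every promiscuous-mode transition in the log."""
    return [(m["ts"], m["dev"], m["action"])
            for m in map(PROMISC_RE.match, log_text.splitlines()) if m]

def promisc_intervals(log_text):
    """Pair each 'entered' with the next 'left' on the same device.
    Returns (closed intervals, devices still promiscuous at the end of the log); the
    second part is what a sniffer that was left running looks like."""
    open_since, closed = {}, []
    for ts, dev, action in promisc_events(log_text):
        if action == "entered":
            open_since[dev] = ts
        elif dev in open_since:          # 'left' with no matching 'entered' is ignored
            closed.append((dev, open_since.pop(dev), ts))
    return closed, open_since
```

On the sample, eth0 is reported as a closed 11-second interval and eth1 as still promiscuous, which is the case worth alerting on; a legitimate short tcpdump run shows up as a closed interval.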
tcpdump does not fully decode the captured data; most of a packet's content is printed directly as hexadecimal. That is little help when diagnosing a network fault, so the usual approach is to capture with -w, save the packets to a file, and decode the file with another program. Define filter rules as well, so that the capture does not fill the whole disk.
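As an added example (not code from the original article, and not tcpdump's own filter engine), the block below does the "save with -w, decode elsewhere" step in pure Python and at the same time makes the keyword semantics explained earlier concrete: it constructs a small pcap file in memory, parses the pcap record headers and the Ethernet/IPv4/TCP/UDP headers, and then re-runs the filter examples A to E as Python predicates, where an undirected qualifier such as host or port means "src or dst" and and/or/not compose the predicates. The traffic in SAMPLE is constructed for the example; the addresses are the ones the article uses, not recorded packets. The only pcap variant handled is the classic little-endian, microsecond-timestamp file with the Ethernet link type, which is what tcpdump -w writes on an Ethernet interface.

```python
import socket
import struct
from collections import namedtuple

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # little-endian pcap, usec timestamps, Ethernet
ETHERTYPE_IPV4, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17
Packet = namedtuple("Packet", "ts src dst proto sport dport")

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/(TCP|UDP) frame; MACs are dummies and checksums stay zero."""
    eth = bytes.fromhex("00107b083a56") + bytes.fromhex("0000e85b6d85") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal TCP header: seq, ack, data offset 5, SYN flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4

def build_pcap(frames):
    """Serialise (timestamp, frame) pairs into the file format that tcpdump -w writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return out

def decode_frame(ts, frame):
    """Decode Ethernet + IPv4 (+ TCP/UDP ports). Non-IPv4 frames such as ARP or the
    802.1D BPDUs seen above yield None, which is what the 'ip' keyword does in a filter."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return Packet(ts, src, dst, proto, sport, dport)

def parse_pcap(data):
    """Walk a pcap byte string and return the decoded IPv4 packets."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian, microsecond pcap files are handled")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        pkt = decode_frame(sec + usec / 1_000_000, data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if pkt:
            packets.append(pkt)
    return packets

# Predicates with the meaning of the tcpdump keywords: a qualifier without a direction
# means "src or dst", and and/or/not combine predicates just as in a filter expression.
def host(a):      return lambda p: a in (p.src, p.dst)
def src_host(a):  return lambda p: p.src == a
def port(n):      return lambda p: n in (p.sport, p.dport)
def dst_port(n):  return lambda p: p.dport == n
def ipproto(num): return lambda p: p.proto == num
def and_(*fs):    return lambda p: all(f(p) for f in fs)
def or_(*fs):     return lambda p: any(f(p) for f in fs)
def not_(f):      return lambda p: not f(p)

def select(packets, pred):
    return [p for p in packets if pred(p)]

# Constructed sample capture: assumed traffic, not a recording from the article's network.
SAMPLE = build_pcap([
    (1.0, build_frame("210.27.48.1", "210.27.48.2", IPPROTO_TCP, 40001, 23)),   # telnet to .2
    (1.1, build_frame("210.27.48.2", "210.27.48.1", IPPROTO_TCP, 23, 40001)),   # telnet reply
    (1.2, build_frame("210.27.48.3", "210.27.48.1", IPPROTO_TCP, 40002, 80)),   # http from .3
    (1.3, build_frame("210.27.48.1", "210.27.48.9", IPPROTO_UDP, 40003, 123)),  # ntp to .9
    (1.4, build_frame("192.168.1.5", "210.27.48.9", IPPROTO_UDP, 40004, 53)),   # unrelated dns
])

def run_examples(pcap_bytes=SAMPLE):
    """Re-run the article's filter examples A to E, plus dst port and src host, over the capture."""
    pk = parse_pcap(pcap_bytes)
    h1 = host("210.27.48.1")
    return {
        "host": len(select(pk, h1)),                                                        # A
        "paren": len(select(pk, and_(h1, or_(host("210.27.48.2"), host("210.27.48.3"))))),  # B
        "not": len(select(pk, and_(h1, not_(host("210.27.48.2"))))),                        # C
        "telnet": len(select(pk, and_(ipproto(IPPROTO_TCP), port(23), h1))),                # D
        "ntp": len(select(pk, and_(ipproto(IPPROTO_UDP), port(123)))),                      # E
        "dst80": [p.src for p in select(pk, dst_port(80))],
        "sent_by_1": [p.dst for p in select(pk, src_host("210.27.48.1"))],
    }
```

Writing SAMPLE to disk with open("sample.pcap", "wb") produces a file that tcpdump -r and Wireshark open normally, so the predicates can be checked against the real filter engine with tcpdump -r sample.pcap 'host 210.27.48.1 and not host 210.27.48.2'. Note that host 210.27.48.1 matches four of the five packets although only two were sent by it, which is exactly the "src or dst" default described above.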
