The use of super detail tcpdump

The first is about the type of keywords, mainly including host,net,port, such as host 210.27.48.2, indicating that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, Port 23 Indicates that the port number is 23. If no type is specified, the default type is host.

The second is to determine the direction of the transfer of keywords, mainly including SRC, DST, DST or SRC, DST and src, these keywords indicate the direction of the transfer. For example, SRC 210.27.48.2, indicating that the source address in the IP packet is 210.27.48.2, DST net 202.0.0.0 indicates the destination network address is 202.0.0.0. If no direction keyword is indicated, the SRC or DST keyword is the default.

The third is the key word of the protocol, mainly including FDDI,IP,ARP,RARP,TCP,UDP type. FDDI indicates a specific network protocol on FDDI (Distributed Optical Data Interface Network), in effect it is the alias of "Ether", FDDI and Ether have similar source address and destination address, so the FDDI protocol package can be treated and analyzed as ether package. Several other keywords refer to the protocol content of the packet being monitored. If no protocol is specified, tcpdump will listen for packets of all protocols.

In addition to these three types of keywords, other important keywords are as follows: Gateway, Broadcast,less,greater, there are three kinds of logic operations, take the non operation is ' not '! ', with the operation is ' and ', ' && ', or the operation is ' or ', ' ││ '; These keywords can be combined to form a powerful combination of conditions to meet people's needs, here are a few examples to illustrate.

Under normal circumstances, direct start tcpdump will monitor all packets flowing through the first network interface.

# tcpdump

Tcpdump:listening on Fxp0

11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.NETBIOS-NS:UDP 50

11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/c len=43

0000 0000 0080 0000 1007 cf08 0900 0000

0e80 0000 902b 4695 0980 8701 0014 0002

000f 0000 902b 4695 0008 00

11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast SAP E0 ui/c len=97

FFFF 0060 0004 ffff ffff ffff FFFF FFFF

0452 ffff ffff 0000 e85b 6d85 4008 0002

0640 4d41 5354 4552 5f57 4542 0000 0000

0000 00

Use the-i parameter to specify the network interface for tcpdump listening, which is useful when the computer has multiple network interfaces,

Specify the number of packets to monitor using the-c parameter.

Use the-w parameter to specify that data packets that will be heard are saved in the file

A wants to intercept all packets received and sent by all 210.27.48.1 hosts:

#tcpdump Host 210.27.48.1

b want to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, using the command: (when applying parentheses to the command line, be sure to

#tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

c If you want to get host 210.27.48.1 IP packets that communicate with all hosts except the host 210.27.48.2, use the command:

#tcpdump IP host 210.27.48.1 and! 210.27.48.2

D If you want to obtain a Telnet package received or issued by the host 210.27.48.1, use the following command:

#tcpdump TCP Port Host 210.27.48.1

E monitors UDP 123 ports on this computer 123 for NTP service ports

# tcpdump UDP port 123