Tcpdump is driven from the command line. Its command format is as follows:

tcpdump [-adeflnNOpqStvx] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]

1. Introduction to tcpdump options

-a converts network addresses and broadcast addresses into names;
-d dumps the compiled packet-matching code in a human-readable, assembly-like format;
-dd dumps the packet-matching code as a C program fragment;
-ddd dumps the packet-matching code as decimal numbers;
-e prints the data-link-layer header on each output line;
-f prints foreign Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert network addresses into names;
-t does not print a timestamp on each output line;
-v outputs slightly more detailed information; for example, an IP packet's TTL and type-of-service fields are shown;
-vv outputs detailed packet information;
-c stops tcpdump after the specified number of packets has been received;
-F reads the expression from the specified file and ignores any expression given on the command line;
-i specifies the network interface to listen on;
-r reads packets from the specified file (such files are generally produced with the -w option);
-w writes the raw packets to a file without analysing or printing them;
-T interprets captured packets as the specified message type. Common types include rpc (remote procedure call) and snmp (Simple Network Management Protocol).
2. Introduction to tcpdump expressions

The expression is a regular expression; tcpdump uses it as the condition for filtering packets. If a packet satisfies the expression, it is captured. If no expression is given, all packets on the network are captured. Expressions generally use the following kinds of keywords.

The first kind is the type keywords, mainly host, net and port. For example, host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means that the port number is 23. If no type is specified, the default type is host.

The second kind is the keywords that determine the transfer direction: src, dst, src or dst, and src and dst.

For example, src 210.27.48.2 means that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is given, src or dst is used by default.

The third kind is the protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias for ether. fddi and ether have similar source and destination addresses, so an fddi packet can be processed and analysed as an ether packet. The other keywords select the protocol of the packets to listen to. If no protocol is specified, tcpdump listens to packets of all protocols. Besides these three kinds of keywords, other important keywords include gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.
These keywords can be combined into powerful compound conditions to meet practical needs. The following are several examples.

(1) To capture all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1

(2) To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (when parentheses are used on the command line, be sure to escape them with backslashes):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

(3) To obtain the IP packets that host 210.27.48.1 exchanges with all hosts except 210.27.48.2, run the following command:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To obtain the telnet packets received or sent by host 210.27.48.1, run the following command:
# tcpdump tcp port 23 and host 210.27.48.1

3. Output of tcpdump
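The keyword and operator rules of section 2 and examples (1) to (4), as an added worked example that is not from the original article: a small Python helper that assembles a filter from typed terms, rejects values that contain operators or whitespace (so an address taken from a ticket or a web form cannot splice an extra clause into the filter), and hands the finished expression to tcpdump as a single argv element, so the parentheses of example (2) need no backslash escaping. The helper names (term, and_, or_, not_, group, tcpdump_argv, shell_command) and the default interface eth0 are this example's own assumptions.

```python
"""Build tcpdump filter expressions from structured terms.

Constructed helper for this page, not part of tcpdump. It composes the
type (host/net/port), direction (src/dst) and protocol keywords with
and/or/not, and renders the argv so the expression is ONE argument.
"""
import shlex

# Keyword sets from the page; anything else is rejected, not interpolated.
TYPES = {"host", "net", "port"}
DIRECTIONS = {"", "src", "dst", "src or dst", "src and dst"}
PROTOCOLS = {"", "ether", "fddi", "ip", "arp", "rarp", "tcp", "udp"}


def term(value, kind="host", direction="", proto=""):
    """One primitive such as 'src host 210.27.48.2' or 'tcp port 23'."""
    if kind not in TYPES:
        raise ValueError(f"unknown type keyword: {kind}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction keyword: {direction}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol keyword: {proto}")
    value = str(value)
    # A value must look like an address, network or port. Refusing spaces,
    # parentheses and operator characters keeps untrusted input from adding
    # clauses such as "... or host 1.2.3.4" to the filter.
    if not value or not all(c.isalnum() or c in ".:/-" for c in value):
        raise ValueError(f"bad value: {value!r}")
    return " ".join(p for p in (proto, direction, kind, value) if p)


def and_(*clauses):
    return " and ".join(clauses)


def or_(*clauses):
    return " or ".join(clauses)


def not_(clause):
    return "not " + clause


def group(clause):
    """Parenthesise a sub-expression; 'and' binds tighter than 'or'."""
    return f"({clause})"


def tcpdump_argv(expression, iface="eth0", count=None, snaplen=None, outfile=None):
    """argv for a capture: -n (no name lookups) plus the filter as one element."""
    argv = ["tcpdump", "-n", "-i", iface]
    if count is not None:
        argv += ["-c", str(count)]
    if snaplen is not None:
        argv += ["-s", str(snaplen)]
    if outfile is not None:
        argv += ["-w", outfile]
    # The whole filter is a single argument, so "(" and ")" never reach the
    # shell and need no backslashes.
    argv.append(expression)
    return argv


def shell_command(argv):
    """Render argv for copy-paste; shlex.quote supplies the escaping."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Example (2) from the page, built from terms (constructed input).
    between = and_(term("210.27.48.1"),
                   group(or_(term("210.27.48.2"), term("210.27.48.3"))))
    print(shell_command(tcpdump_argv(between, count=100, outfile="capture.pcap")))
```

Passing the expression as one argument is also the idiomatic fix at the shell itself: tcpdump -n 'host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)' needs no backslashes because the single quotes hide the parentheses from the shell. The builder spells out host in every term; tcpdump lets the keyword carry over to the next value, so the page's shorter form is equivalent.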