Detailed usage of tcpdump scanner

The first type keyword mainly includes host, net, port, such as host210.27.48.2, specifying 210.27.48.2 as a host, net202.0.0.0 specifying 202.0.0.0 as a network address, and port23 specifying port number as 23. If no type is specified, the default type is host. the second type is the key word used to determine the transmission direction. The first type is the key word about the type, including host, net, port, such as host 210.27.48.2, specifying
210.27.48.2 is a host. net 202.0.0.0 indicates that 202.0.0.0 is a network address and port 23
The port number is 23. If no type is specified, the default type is host.
The second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src.
These keywords indicate the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, dstnet
202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the src or dst keyword is used by default.
The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates that it is specific on FDDI (distributed optical fiber data interface network ).
The network protocol is actually the alias of "ether". fddi and ether have similar source and destination addresses, so the fddi protocol package can be processed as the ether package and
Analysis. The other keywords indicate the protocol content of the listener package. If no protocol is specified TcpdumpThe system listens to the information packages of all protocols.
In addition to the three types of keywords, other important keywords are as follows: gateway,
Broadcast, less, greater, and three other logical operations are available. The non-calculation is 'not ''! ',
The operation and operation are 'and', '&', or the operation is 'or'
, '│'; These keywords can be combined to form a powerful combination of conditions to meet people's needs. The following are several examples.
Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
# Tcpdump
Tcpdump: listening on fxp0
11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50
11:58:47. Array74331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0 802.1d ui/Clen = 43
0000 0000 0080 00001007 cf08 0Array00 0000
0e80 0000 Array02b46Array5 0Array80 8701 0014
000f 0000 Array02b46Array5 0008 00
11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui/Clen = Array7
Ffff 0060 0004 ffffffff ffff
0452 ffff rje85b 6d85 4008 0002
0640 4d41 5354 45525f57 4542 0000 0000
00, 0000
Use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces,
Use the-c parameter to specify the number of data packets to be monitored,
Use the-w parameter to specify to write the listening data packet to the file and save it
A wants to intercept all packets received and sent by all 210.27.48.1 hosts:
# Tcpdump host 210.27.48.1
B. to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command: (when parentheses are applied in the command line, be sure
# Tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)
C if you want to obtain the IP package for all hosts except 210.27.48.1 and 210.27.48.2, run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
D. to obtain the telnet packet received or sent by the host 210.27.48.1, run the following command:
# Tcpdump tcp port 23 host 210.27.48.1
E. monitor the udp port 123 of the local machine. Port 123 is the ntp service port.
# Tcpdump udp port 123
The F system only monitors the communication data packets of the host named hostname. The host name can be a local host or any computer on the network. The following command reads all data sent by the host hostname:
# Tcpdump-I eth0 src host hostname
The command below G can monitor all data packets sent to the host hostname:
# Tcpdump-I eth0 dst host hostname
H we can also monitor the data packets through the specified Gateway:
# Tcpdump-I eth0 gateway Gatewayname
If you want to monitor the TCP or UDP data packets destined for the specified port, run the following command:
# Tcpdump-I eth0 host hostname and port 80
J. if you want to obtain an IP packet for all hosts except 210.27.48.1 and 210.27.48.2
, Run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
K. to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command:
(When using parentheses in the command line, be sure
# Tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)
L If you want to obtain an IP packet for all hosts except 210.27.48.1 and 210.27.48.2, run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
M to obtain the telnet packet received or sent by the host 210.27.48.1, run the following command:
# Tcpdump tcp port 23 host 210.27.48.1
The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types.
In addition to the three types of keywords, other important keywords are as follows: gateway, broadcast, less,
Greater, there are three logical operations. The non-operation is 'not ''! ', And the operation is 'and',' & '; or the operation is 'o
R', '| ';
The second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src,
If we only need to list the data packets sent to port 80, use dst port; if we only want to see the data packets returned to port 80, use src port.
# Tcpdump? I eth0 host hostname and dst port80 destination port is 80
Or
# Tcpdump? I eth0 host hostname and src port80 the source port is 80, which is generally a host that provides http services.
If there are many conditions, add and or not before the conditions.
# Tcpdump-I eth0 host! 211.161.223.70 and! 211.161.223.71 and dstport 80
Logs in the ethernet mixed mode system are recorded.
May 7 20:03:46 localhost kernel: eth0: Promiscuous modeenabled.
May 7 20:03:46 localhost kernel: device eth0 enteredpromiscuous mode
May 7 20:03:57 localhost kernel: device eth0 leftpromiscuous mode
Tcpdump does not thoroughly decode the intercepted data. most of the content in the data packet is printed in hexadecimal format. Obviously, this is not conducive to analyzing network faults. The common solution is
Use tcpdump with The-w parameter first
The data is intercepted and saved to the file, and then decoded and analyzed using other programs. Of course, filter rules should also be defined to prevent the captured data packets from filling the entire hard disk.