Example of tcpdump command usage

Source: Internet
Author: User

The following examples capture on the eth0 interface. If "-i eth0" is omitted, tcpdump captures on all interfaces, including lo.

First install the tcpdump package: yum install -y tcpdump
1. Capture packets involving 172.16.1.122
# tcpdump -i eth0 -vnn host 172.16.1.122
2. Capture packets involving the 172.16.1.0/24 network segment
# tcpdump -i eth0 -vnn net 172.16.1.0/24
3. Capture packets involving port 22
# tcpdump -i eth0 -vnn port 22
4. Capture UDP packets
# tcpdump -i eth0 -vnn udp
5. Capture ICMP packets
# tcpdump -i eth0 -vnn icmp
6. Capture ARP packets
# tcpdump -i eth0 -vnn arp
7. Capture IP protocol packets
# tcpdump -i eth0 -vnn ip
8. Capture packets whose source IP address is 172.16.1.122
# tcpdump -i eth0 -vnn src host 172.16.1.122
9. Capture packets whose destination IP address is 172.16.1.122
# tcpdump -i eth0 -vnn dst host 172.16.1.122
10. Capture packets whose source port is 22
# tcpdump -i eth0 -vnn src port 22
11. Capture packets whose source IP address is 172.16.1.253 and whose destination port is 22
# tcpdump -i eth0 -vnn src host 172.16.1.253 and dst port 22
12. Capture packets whose source IP address is 172.16.1.122 or whose port is 22
# tcpdump -i eth0 -vnn src host 172.16.1.122 or port 22
13. Capture packets whose source IP address is 172.16.1.122 and whose port is not 22
[root@ftp] # tcpdump -i eth0 -vnn src host 172.16.1.122 and not port 22
14. Capture packets whose source IP address is 172.16.1.2 and destination port is 22, or whose source IP address is 172.16.1.65 and destination port is 80 (the parentheses are escaped so the shell passes them to tcpdump)
# tcpdump -i eth0 -vnn \( src host 172.16.1.2 and dst port 22 \) or \( src host 172.16.1.65 and dst port 80 \)
15. Capture packets whose source IP address is 172.16.1.59 and destination port is 22, or whose source IP address is 172.16.1.68 and destination port is 80 (the same kind of filter, with the whole expression quoted instead)
# tcpdump -i eth0 -vnn '(src host 172.16.1.59 and dst port 22) or (src host 172.16.1.68 and dst port 80)'
16. Save the captured packets to the file /tmp/fil1 and exit after 100 packets have been captured
# tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100
17. Read the TCP packets from the /tmp/fil1 capture file
# tcpdump -i eth0 -vnn -r /tmp/fil1 tcp
18. Read the packets involving 172.16.1.58 from the /tmp/fil1 capture file
# tcpdump -i eth0 -vnn -r /tmp/fil1 host 172.16.1.58

tcpdump packet capture and saving it as a cap file

Common parameters of tcpdump

tcpdump is a command-line tool. Its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
[-i interface] [-r file] [-s snaplen]
[-T type] [-w file] [expression]

1. Introduction to tcpdump options
-a converts network and broadcast addresses into names;
-d dumps the compiled packet-matching code in a human-readable assembly-like form;
-dd dumps the packet-matching code as a C program fragment;
-ddd dumps the packet-matching code as decimal numbers;
-e prints the data link layer header on each output line;
-f prints foreign Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert network addresses into names;
-t does not print a timestamp on each output line;
-v outputs slightly more detailed information, for example the TTL and type-of-service fields of an IP packet;
-vv outputs detailed packet information;
-c stops tcpdump after receiving the specified number of packets;
-F reads the filter expression from the specified file and ignores any expression given on the command line;
-i specifies the network interface to listen on;
-r reads packets from the specified file (such files are normally produced with the -w option);
-w writes the raw packets directly to a file instead of parsing and printing them;
-T interprets the captured packets as the specified type of message. Common types include rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

When a network fault occurs and the network carries a lot of traffic, it is hard to capture packets with tcpdump and analyse them on the spot. Writing the capture to a file with tcpdump's -w option and then analysing it in Ethereal solves this well. The parameters are as follows:

tcpdump -i eth1 -c 2000 -w eth1.cap

-i eth1: capture only the traffic of the eth1 interface.

-c 2000: the number of packets, that is, stop after 2000 packets have been captured.

-w eth1.cap: save the packets to the file eth1.cap, which Ethereal can open for analysis.

After the packets are captured, upload the file to your FTP server (ftp, then put), and open it with Ethereal for an intuitive analysis.

Note: if, after the cap file has been uploaded to the FTP server, Ethereal reports a packet larger than 65535 bytes when opening it, the file was not transferred in binary (bin) mode over FTP.

In addition, some websites suggest adding -s 0 to the tcpdump command, for example tcpdump -i eth1 -c 2000 -s 0 -w eth1.cap. If the system reports an invalid parameter when running that command, remove the -s 0 parameter.

Example:

[root@localhost cdr]# tcpdump -i eth0 -t tcp -s 60000 -w diaoxian.cap
[root@localhost cdr]# tcpdump host 58.240.72.195 -s 60000 -w x.cap

The parameter for saving tcpdump output to a file is -w xxx.cap.
Capture the packets of eth1
tcpdump -i eth1 -w /tmp/xxx.cap
Capture the packets of 192.168.1.123
tcpdump -i eth1 host 192.168.1.123 -w /tmp/xxx.cap
Capture port 80 of 192.168.1.123
tcpdump -i eth1 host 192.168.1.123 and port 80 -w /tmp/xxx.cap
Capture the ICMP packets of 192.168.1.123
tcpdump -i eth1 host 192.168.1.123 and icmp -w /tmp/xxx.cap
Capture the packets of 192.168.1.123 on ports other than 80, 25 and 110
tcpdump -i eth1 host 192.168.1.123 and not port 80 and not port 25 and not port 110 -w /tmp/xxx.cap
Capture port 80 packets on VLAN 1 (the vlan keyword must come first, because it shifts the decoding offsets for the rest of the expression)
tcpdump -i eth1 vlan 1 and port 80 -w /tmp/xxx.cap
Capture PPPoE session (pppoes) packets
tcpdump -i eth1 pppoes -w /tmp/xxx.cap
Rotate the output file every 100 MB: -C 100 (when the current file grows past that size, tcpdump closes it and opens a new one)
Capture 10000 packets and exit: -c 10000
Capture in the background so that closing the console does not stop the capture:
nohup tcpdump -i eth1 port 110 -w /tmp/xxx.cap &
Open the captured file with Ethereal or Wireshark; Wireshark is the new name of Ethereal.
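The files that -w writes and -r reads back are plain pcap files, and the two problems this page mentions (packets cut short by the snaplen, and a cap file corrupted by an ASCII-mode FTP transfer) are both visible in their record headers. The reader below is an added example, not code from the page or from tcpdump; the sample capture is constructed inline, and the snaplen of 96 and the timestamp are arbitrary values chosen for the sample.

```python
import struct

# pcap magic in the two byte orders tcpdump may write, mapped to a struct endianness prefix
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def build_pcap(snaplen, frames, linktype=1, ts_sec=1700000000):
    """Write frames as tcpdump -s <snaplen> -w does: caplen = min(len, snaplen)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(cap), len(frame)) + cap
    return out

def read_pcap(data):
    """Parse a pcap file as -r would; raise ValueError if the file is corrupt."""
    if len(data) < 24 or data[:4] not in PCAP_MAGIC:
        raise ValueError("not a pcap file (bad magic)")
    e = PCAP_MAGIC[data[:4]]
    _, major, minor, _, _, snaplen, linktype = struct.unpack(e + "IHHiIII", data[:24])
    packets, off = [], 24
    while off < len(data):
        n = len(packets) + 1
        if len(data) - off < 16:
            raise ValueError(f"record {n}: truncated record header")
        ts_sec, ts_usec, caplen, origlen = struct.unpack(e + "IIII", data[off:off + 16])
        # caplen can never exceed the snaplen, the wire length, or 65535 (Ethereal's limit)
        if caplen > 65535 or caplen > snaplen or caplen > origlen:
            raise ValueError(f"record {n}: caplen {caplen} impossible (snaplen {snaplen}, "
                             f"len {origlen}); file is corrupt, e.g. FTP'd in ASCII mode")
        off += 16
        if len(data) - off < caplen:
            raise ValueError(f"record {n}: file ends inside packet data")
        packets.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "len": origlen,
                        "truncated": caplen < origlen, "data": data[off:off + caplen]})
        off += caplen
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": packets}

def simulate_ascii_ftp(data):
    """An ASCII-mode FTP transfer rewrites LF as CRLF, shifting every later record."""
    return data.replace(b"\n", b"\r\n")

# constructed sample: a 60-byte frame containing an LF byte, then a 1500-byte frame,
# saved with a small snaplen (96) so the second packet is cut short, as with -s 96
SAMPLE_FRAMES = [b"A" * 30 + b"\n" + b"B" * 29, b"C" * 1500]
SAMPLE_PCAP = build_pcap(96, SAMPLE_FRAMES)
```

read_pcap(SAMPLE_PCAP) lists the second packet as 96 of 1500 bytes and marks it truncated, while read_pcap(simulate_ascii_ftp(SAMPLE_PCAP)) raises ValueError on the second record, because the inserted CR byte shifts its header and produces an impossible caplen.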
