Tcpdump command format

Source: Internet
Author: User
Tcpdump is a tool for capturing network packets and printing their contents. With its powerful functions and flexible capture policies, tcpdump has become the preferred tool for network analysis and troubleshooting on UNIX-like systems. Its command line has the form:
tcpdump [-AdDeflLnNOpqRStuUvxX] [-c count]
        [-C file_size] [-F file]
        [-i interface] [-m module] [-M secret]
        [-r file] [-s snaplen] [-T type] [-w file]
        [-W filecount]
        [-E spi@ipaddr algo:secret,...]
        [-y datalinktype] [-Z user]
        [expression]
-A prints each packet in ASCII, without its link-layer header.
-c count: stop after receiving count packets.
-C file_size: before writing a raw packet to a savefile, check whether the file is larger than file_size. If it is, close the current file and open a new one. file_size is given in millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-d dumps the compiled packet-matching code in a human-readable form.
-dd dumps the packet-matching code as a C program fragment.
-ddd dumps the packet-matching code as decimal numbers.
-D prints the list of network interfaces on the system that tcpdump can capture on.
-e prints the link-layer header on each output line.
-E spi@ipaddr algo:secret: decrypt IPsec ESP packets addressed to ipaddr that carry the Security Parameter Index value spi, using the given algorithm and secret.
-f prints foreign Internet addresses numerically.
-F file: read the filter expression from the specified file and ignore any expression given on the command line.
-i interface: the network interface to listen on.
-l makes standard output line-buffered.
-L lists the known data link types of the network interface.
-m module: load the SMI MIB module definitions from the file module. This option can be given several times to load several MIB modules.
-M secret: if a TCP segment carries the TCP-MD5 option, use secret as the shared secret to validate the TCP-MD5 digest (see RFC 2385 for details).
-n does not convert addresses to names.
-N does not print the domain-name part of host names. For example, 'nic.ddn.mil' is printed as 'nic'.
-O does not run the packet-matching code optimizer.
-p does not put the network interface into promiscuous mode.
-q: quick (quiet) output; only a small amount of protocol information is printed.
-r file: read packets from the specified file (these files are normally written with the -w option).
-S prints TCP sequence numbers as absolute values rather than relative ones.
-s snaplen: capture the first snaplen bytes of each packet instead of the default 68 bytes.
-T type: interpret the captured packets as packets of the specified type. Common types include rpc (remote procedure call) and snmp (Simple Network Management Protocol).
-t does not print a timestamp on each output line.
-tt prints an unformatted timestamp on each line.
-ttt prints the time difference between the current line and the previous one.
-tttt prints the default timestamp format preceded by the date on each line.
-u prints undecoded NFS handles.
-v produces slightly more verbose output; for example, the TTL and type of service of an IP packet are printed.
-vv: even more verbose output.
-w file: write the raw packets to file instead of parsing and printing them.
Introduction to tcpdump expressions
The expression is a filter expression that tcpdump uses as the condition for selecting packets: if a packet satisfies the expression, it is captured. If no expression is given, all packets on the network are captured.
Expressions are built from the following types of keywords:
The first type is the type keywords, mainly host, net and port. For example, host 210.27.48.2 specifies that 210.27.48.2 is a host, net 202.0.0.0 specifies that 202.0.0.0 is a network address, and port 23 specifies port number 23. If no type is given, the default type is host.
The second type is the direction keywords src, dst, dst or src, and dst and src, which specify the direction of transmission. For example, src 210.27.48.2 indicates that the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is given, src or dst is assumed.
The third type is the protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp. fddi selects the network protocol specific to FDDI (Fiber Distributed Data Interface) networks; it is in fact an alias of ether, since fddi and ether are alike, and an fddi packet can be processed and analyzed as an ether packet. The other keywords select the protocol of the packets to be captured. If no protocol is given, tcpdump captures packets of all protocols.
Besides these three types of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.
These keywords can be combined into powerful compound conditions. Several examples follow.
(1) To capture all packets received or sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
(2) To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (note: the backslashes before the parentheses are required so that the shell does not interpret them):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
(3) To capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To capture the telnet packets received or sent by host 210.27.48.1:
# tcpdump tcp port 23 and host 210.27.48.1
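As an added illustration of the keyword rules above (written for this page, not code from tcpdump), the following evaluator implements that subset of the filter grammar over constructed packet records: host and port primitives, the src and dst qualifiers, the protocol keywords, not/and/or in both spellings, parentheses, the default type host, the default direction src or dst, and the rule that a bare value inherits the previous keyword. It leaves out net, gateway, broadcast, less and greater; running example (2) with and without its parentheses shows why they are needed, since and binds tighter than or.

```python
import re
# Constructed sample packets (not from the page), reduced to the fields the filter keywords inspect.
PACKETS = [
    {"proto": "tcp", "src": "210.27.48.1", "sport": 33357, "dst": "210.27.48.2", "dport": 23},
    {"proto": "tcp", "src": "210.27.48.3", "sport": 40000, "dst": "210.27.48.1", "dport": 80},
    {"proto": "udp", "src": "202.0.0.5", "sport": 53, "dst": "210.27.48.1", "dport": 5353},
    {"proto": "tcp", "src": "210.27.48.2", "sport": 1025, "dst": "210.27.48.3", "dport": 23},
]

def _primitive(direction, kind, value):  # one '[src|dst] host|port value' test
    def match(pkt):
        s, d = (pkt["src"] == value, pkt["dst"] == value) if kind == "host" else (
            pkt["sport"] == int(value), pkt["dport"] == int(value))
        return s if direction == "src" else d if direction == "dst" else (s or d)
    return match

def compile_filter(text):  # tcpdump-style expression -> predicate; 'and' binds tighter than 'or'
    words = text.replace("!", " not ").replace("&&", " and ").replace("||", " or ")
    toks = re.findall(r"[()]|[\w.:/]+", words) + [None]  # None marks the end of input
    last = {"dir": "either", "kind": "host"}  # tcpdump defaults: 'src or dst' and 'host'
    def chain(op, sub):  # left-associative chain of one binary operator
        f = sub()
        while toks[0] == op:
            toks.pop(0)
            f = (lambda a, b: lambda p: (a(p) or b(p)) if op == "or" else (a(p) and b(p)))(f, sub())
        return f
    def factor():
        t = toks.pop(0)
        if t == "not":
            return (lambda f: lambda p: not f(p))(factor())
        if t == "(":
            f, _ = chain("or", lambda: chain("and", factor)), toks.pop(0)  # sub-expression, then ')'
            return f
        if t in ("ip", "arp", "rarp", "tcp", "udp"):
            proto = lambda p, q=t: p["proto"] == q or (q == "ip" and p["proto"] in ("tcp", "udp"))
            if toks[0] in ("and", "or", ")", None):
                return proto
            return (lambda a, b: lambda p: a(p) and b(p))(proto, factor())  # 'tcp port 23' = tcp and port 23
        had_dir = t in ("src", "dst")
        if had_dir:
            last["dir"], t = t, toks.pop(0)
        if t in ("host", "port"):  # explicit type keyword: direction falls back to the default
            last["kind"], t, last["dir"] = t, toks.pop(0), last["dir"] if had_dir else "either"
        return _primitive(last["dir"], last["kind"], t)  # a bare value inherits the last keywords
    f = chain("or", lambda: chain("and", factor))
    assert toks == [None], "unparsed tokens: %r" % toks[:-1]
    return f

def apply_filter(text, packets=PACKETS):  # indexes of the packets tcpdump would capture
    pred = compile_filter(text)
    return [i for i, p in enumerate(packets) if pred(p)]
```

The parentheses are written plainly here because the backslashes in the shell commands above only keep the shell from interpreting them.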
Introduction to tcpdump output
Below we introduce the output of several typical tcpdump commands.
(1) Link-layer header information
Run the following command:
# tcpdump -e host ICE
ICE is a Linux host whose MAC address is 0:90:27:58:AF:1A. H219 is a SUN workstation running Solaris whose MAC address is 8:0:20:79:5B:46. The command above produces the following output:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ICE.telnet 0:0(0) ack 22535 win 8760 (DF)
21:50:12 is the display time, 847509 is the ID number, eth0 < indicates the network interface the packet passed through, 8:0:20:79:5b:46 is the MAC address of host H219 and indicates that the packet was sent from source H219,
0:90:27:58:af:1a is the MAC address of host ICE and indicates that the destination of the packet is ICE. ip indicates that this is an IP packet, and 60 is the packet length.
h219.33357 > ICE.telnet indicates that the packet was sent from port 33357 of host H219 to the telnet port (23) of host ICE.
ack 22535 acknowledges the packet with sequence number 22535, and win 8760 indicates that the send window size is 8760.
(2) tcpdump output for ARP packets
Run the following command:
# tcpdump arp
The output is:
22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)
22:32:42.802902 eth0
22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet was sent from this host, arp indicates an ARP request packet, who-has route tell ICE indicates that host ICE is asking for the MAC address of host route, and 0:90:27:58:af:1a is the MAC address of host ICE.
(3) TCP packet output
The general form of a TCP packet captured by tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst indicates from the source address to the destination address; flags are the flag bits of the TCP segment: S for SYN, F for FIN, P for PUSH, R for RST and "." for no flag set; data-seqno is the sequence number range of the data in the segment; ack is the sequence number expected next;
window is the size of the receive window; urgent indicates whether the segment carries an urgent pointer; options are the TCP options.
(4) UDP packet output
The general form of a UDP packet captured by tcpdump is:
route.port1 > ICE.port2: udp length
UDP output is very simple. The line above indicates a UDP packet sent from port port1 of host route to port port2 of host ICE; the type is UDP and the packet length is length.
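As an added example (not from the page), here is a parser for the plain TCP and UDP line formats described in (3) and (4), without the -e link-layer header, plus a defender's check built on it: each client SYN is paired with the reply on the reversed 4-tuple to classify the attempt as open (SYN-ACK), closed (RST) or unanswered, and RST-answered attempts are counted per source host. The sample lines are constructed; their host names and ports are placeholders.

```python
import re
from collections import Counter
# Constructed tcpdump lines (not from the page) in the classic formats described in (3) and (4):
#   src > dst: flags data-seqno ack window urgent options        src > dst: udp length
SAMPLE = """\
21:50:12.847509 h219.33357 > ICE.telnet: S 1024000:1024000(0) win 8760 <mss 1460>
21:50:12.848100 ICE.telnet > h219.33357: S 2048000:2048000(0) ack 1024001 win 8760 <mss 1460>
21:50:12.848500 h219.33357 > ICE.telnet: . ack 1 win 8760 (DF)
21:50:13.000000 h219.33357 > ICE.telnet: P 1:25(24) ack 1 win 8760 (DF)
21:50:14.000000 route.40001 > ICE.ssh: S 5000:5000(0) win 512
21:50:14.000500 ICE.ssh > route.40001: R 0:0(0) ack 5001 win 0
21:50:14.100000 route.40002 > ICE.smtp: S 5000:5000(0) win 512
21:50:14.100500 ICE.smtp > route.40002: R 0:0(0) ack 5001 win 0
21:50:15.000000 route.53 > ICE.1025: udp 42
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): (?:"
    r"udp (?P<udplen>\d+)|"                                   # UDP: only the length follows
    r"(?P<flags>[SFPRW.]+)(?: (?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?"
    r"(?: \(DF\))?(?: (?P<opts><[^>]*>))?(?: \(DF\))?)$"
)

def parse_line(line):
    """One output line -> dict (numeric fields as int), or None if the line has another shape."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("udplen", "seq", "seqend", "len", "ack", "win", "urg"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["proto"] = "udp" if rec["udplen"] is not None else "tcp"
    return rec

def handshake_outcomes(text):
    """Pair each client SYN with its reply: 'open' (SYN-ACK), 'closed' (RST) or 'unanswered'."""
    outcomes = {}
    for r in (x for x in map(parse_line, text.splitlines()) if x and x["proto"] == "tcp"):
        if r["flags"] == "S" and r["ack"] is None:       # a bare SYN opens a connection attempt
            outcomes[(r["src"], r["sport"], r["dst"], r["dport"])] = "unanswered"
        back = (r["dst"], r["dport"], r["src"], r["sport"])  # the attempt this line may answer
        if outcomes.get(back) == "unanswered" and r["ack"] is not None:
            outcomes[back] = "open" if "S" in r["flags"] else "closed" if "R" in r["flags"] else "unanswered"
    return outcomes

def closed_ports_per_source(outcomes):
    """Count RST-answered attempts per source host; many in a short capture suggest a port sweep."""
    return Counter(src for (src, _, _, _), state in outcomes.items() if state == "closed")
```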