tcpdump is driven from the command line. Its synopsis is:

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ]
        [ expression ]

Option letters are case-sensitive: -e and -E, -n and -N, -r and -R, -s and -S, -t and -T, -u and -U, -w and -W, -x and -X are all different options.
A brief introduction to tcpdump's options

-A  Print each packet in ASCII, without its link-layer header. Handy when capturing packets that carry web page data.

-c count  Exit after receiving count packets.

-C file_size  Used together with -w. Before writing a raw packet to the savefile, check whether the file is currently larger than file_size; if it is, close it and open a new one. Savefiles after the first are named as given with -w followed by a number, starting at 1 and counting up. The unit of file_size is millions of bytes (1,000,000 bytes, not 1,048,576 bytes; the latter is the 1024 x 1024 definition of a megabyte).

-d  Dump the compiled packet-matching code (the BPF program built from the filter expression) in a human-readable form to standard output and stop.
-dd  Dump the packet-matching code as a C program fragment.
-ddd  Dump the packet-matching code as decimal numbers, preceded by a count of instructions.

-D  Print the list of network interfaces on the system on which tcpdump can capture. For each interface a number and a name are printed, possibly followed by a text description. Either the name or the number can be given to -i to select the capture interface. This is useful on systems that have no command to list interfaces (e.g. Windows, or UNIX systems lacking ifconfig -a); the number is useful on Windows 2000 and later, where interface names are long, awkward strings. -D is not supported if tcpdump was built against a libpcap too old to have pcap_findalldevs().

-e  Print the link-layer header on each output line.

-E spi@ipaddr algo:secret,...  Use the given key to decrypt IPsec ESP packets addressed to ipaddr that carry Security Parameter Index spi. (ESP, Encapsulating Security Payload, encrypts either the whole IP packet, in tunnel mode, or only its upper-layer payload, in transport mode.) Several spi@ipaddr algo:secret entries may be given, separated by commas or newlines. Only keys for IPv4 ESP packets can be set. algo may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none; the default is des-cbc (DES, the Data Encryption Standard, in CBC mode). Decryption is only available if tcpdump was compiled with cryptography enabled. secret is the ESP key as ASCII text; if it starts with 0x it is read as hexadecimal. The option assumes RFC 2406 ESP, not RFC 1827 ESP. It exists for debugging only; using it with a real key is discouraged, because a secret given on the command line is visible to other users through ps(1) and similar means. Instead of the key syntax, the argument may be "file name", in which case tcpdump reads the entries from that file. The file is opened when the first ESP packet arrives, so any extra privileges tcpdump started with should already have been dropped by then (see -Z).

-f  Print "foreign" IPv4 addresses (addresses not on the capture interface's own network) numerically rather than as names. This works around a defect in Sun's NIS server (Network Information Service, the name service tcpdump would otherwise consult), which usually hangs forever translating non-local addresses. The test for "foreign" uses the IPv4 address and netmask of the capture interface; if those are unavailable, either because the interface has no address and mask configured or because capture is on the Linux "any" pseudo-interface, which has none and receives from every interface on the system, the option does not work correctly.

-F file  Use file as the source of the filter expression; any expression given on the command line is ignored.

-i interface  Listen on interface. If none is given, tcpdump searches the system interface list for the lowest-numbered configured interface that is up, excluding loopback, and takes the first match. On Linux with 2.2 or later kernels, the pseudo-interface "any" captures from all interfaces. Captures on "any" are not done in promiscuous mode, so traffic not addressed to the host is only seen on it if the real interface is already in promiscuous mode for some other reason. If -D is supported, an interface number as printed by -D may be used here.

-l  Make standard output line-buffered (each line is flushed as soon as its newline is written). Useful when you want to watch the output while also saving it, e.g. `tcpdump -l | tee dat` or `tcpdump -l > dat & tail -f dat` (the first copies tcpdump's output to both the file dat and the terminal via tee; the second redirects it to dat and follows the file with tail).

-L  List the data link types known for the interface (the one selected with -i) and exit.

-m module  Load SMI MIB module definitions from file module (SMI: Structure of Management Information; MIB: Management Information Base; both are used when decoding SNMP packets). May be given several times to load several modules.

-M secret  Use secret as the shared secret for validating the digests in TCP segments that carry the TCP-MD5 option (RFC 2385). This is a symmetric shared secret, not a public key.

-n  Do not convert addresses (host addresses, port numbers, and so on) to names.

-N  Do not print the domain part of host names; e.g. with this flag tcpdump prints "nic" instead of "nic.ddn.mil".

-O  Do not run the packet-matching code optimizer. Useful only if you suspect a bug in the optimizer.

-p  Do not put the interface into promiscuous mode. Note that the interface may be in promiscuous mode for some other reason, so -p cannot be used as shorthand for the filter "ether host {local-hw-addr} or ether broadcast" (only frames addressed to this host's Ethernet address or to the broadcast address).

-q  Quick (quiet?) output. Print less protocol information, so output lines are shorter.

-R  Assume ESP/AH packets follow the old specifications (RFC 1825 to RFC 1829). (AH: Authentication Header; ESP: Encapsulating Security Payload; both are IPsec mechanisms for securing IP packets.) If set, tcpdump does not print the replay-prevention field. Because the ESP/AH specifications have no protocol version field, tcpdump cannot deduce the version from the packets themselves.

-r file  Read packets from file (created with -w). If file is "-", standard input is used.

-S  Print absolute rather than relative TCP sequence numbers. (Relative numbers are offsets from the connection's initial sequence number, so the first data byte of a stream shows as 1; absolute numbers are the raw 32-bit values on the wire.)

-s snaplen  Capture snaplen bytes of each packet instead of the default of 68 in the version documented here (with SunOS's NIT the minimum is actually 96; newer releases default to capturing whole packets). 68 bytes is adequate for IP, ICMP (Internet Control Message Protocol), TCP and UDP but may truncate protocol information from name-server (DNS, NIS) and NFS packets. Packets truncated by the snapshot length are marked in the output with [|proto], where proto is the name of the protocol level at which truncation occurred. Larger snapshots take longer to process and, in effect, reduce the amount of packet buffering, which can cause packets to be lost; limit snaplen to the smallest value that captures the protocol information you need. A snaplen of 0 means use whatever length is needed to capture whole packets.

-T type  Force packets selected by the expression to be interpreted as the given type. Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol, a routing protocol for ad hoc networks), cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool, an Internet video-conferencing application) and wb (distributed White Board, a shared-whiteboard conferencing application).

-t  Do not print a timestamp on each line.
-tt  Print an unformatted timestamp (seconds since the epoch, e.g. 1261798315, which is not readable at a glance) on each line.
-ttt  Print the delta, in microseconds, between the current and the previous line.
-tttt  Print the timestamp in the default format preceded by the date.

-u  Print undecoded NFS handles (the opaque file handles NFS uses to refer to files and directories).

-U  With -w, make the output "packet-buffered": each packet is written to the file as it is saved, rather than only when the output buffer fills. Not supported if tcpdump was built against a libpcap too old to have pcap_dump_flush().

-v  Produce (slightly) more verbose output, e.g. the time to live, identification, total length and options of IP packets. Also enables additional integrity checks such as verifying the IP and ICMP header checksums.
-vv  Even more verbose; e.g. additional fields of NFS reply packets are printed, and SMB packets are fully decoded.
-vvv  Still more verbose; e.g. telnet SB ... SE (suboption negotiation) options are printed in full, and together with -X the telnet options are also printed in hex.

-w file  Write the raw packets to file rather than parsing and printing them. They can be read back and printed later with -r. If file is "-", standard output is used.

-W filecount  Used together with -C, limits the number of files created to filecount and then starts overwriting from the first one, giving a rotating buffer of filecount files. File names are also padded with enough leading zeros that they sort correctly.

-x  In addition to the headers, print the data of each packet (minus its link-layer header) in hex. The smaller of the whole packet and snaplen bytes is printed. Note that this is the whole link-layer packet, so on link layers that pad (e.g. Ethernet, whose minimum frame size forces short payloads to be padded) the padding bytes are printed too when the higher-layer packet is shorter than the required padding.
-xx  As -x, but including the link-layer header.
-X  As -x, but printing the data in hex and ASCII side by side. Very handy for analysing new protocols.
-XX  As -X, but including the link-layer header.

-y datalinktype  Set the data link type used while capturing to datalinktype.

-Z user  If tcpdump is running as root, drop its privileges: change the process's user ID to user and its group ID to user's primary group. This behaviour can also be enabled by default at compile time.
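The -d/-dd/-ddd options above dump the packet-matching code, but the page does not show what that code does. The following is an added example, not code from the original page or from tcpdump: a small interpreter for the classic BPF instruction subset that such filter programs use, run over constructed Ethernet frames. DDD_TEXT is a constructed copy of what `tcpdump -ddd "ip and udp"` prints on an Ethernet interface (the accept size 262144 is assumed; older versions print 65535), and the frames and MAC/IP addresses are made up for the demonstration.

```python
"""Execute a tcpdump -ddd packet-matching program against raw frames.

Added example, not code from the original page or from tcpdump. DDD_TEXT is a
constructed copy of what `tcpdump -ddd "ip and udp"` prints for an Ethernet
(EN10MB) interface: a count line, then one "code jt jf k" line per classic BPF
instruction (opcode values as in <pcap/bpf.h>). The accept size 262144 is assumed.
"""
import struct

DDD_TEXT = """\
6
40 0 0 12
21 0 3 2048
48 0 0 23
21 0 1 17
6 0 0 262144
6 0 0 0
"""

# Classic BPF opcode fields: class, size, mode, jump op, source/return value.
BPF_LD, BPF_LDX, BPF_JMP, BPF_RET = 0x00, 0x01, 0x05, 0x06
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10
BPF_IMM, BPF_ABS, BPF_IND, BPF_LEN, BPF_MSH = 0x00, 0x20, 0x40, 0x80, 0xA0
BPF_JA, BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET = 0x00, 0x10, 0x20, 0x30, 0x40
BPF_X, BPF_A = 0x08, 0x10


def parse_ddd(text):
    """Turn -ddd output into (code, jt, jf, k) tuples, checking the leading count."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    count = int(lines[0][0])
    insns = [tuple(int(f) for f in fields) for fields in lines[1:]]
    if len(insns) != count or any(len(i) != 4 for i in insns):
        raise ValueError("malformed -ddd program")
    return insns


def run_filter(insns, pkt):
    """Interpret the program on one frame; returns bytes to accept (0 = drop).
    Only the subset used by filter programs like the one above is implemented;
    other opcodes raise. A load past the end of the frame drops it, as the kernel does."""
    acc = idx = pc = 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_LD:
            mode, size = code & 0xE0, code & 0x18
            if mode == BPF_IMM:
                acc = k
            elif mode == BPF_LEN:
                acc = len(pkt)
            elif mode in (BPF_ABS, BPF_IND):
                off = k + (idx if mode == BPF_IND else 0)
                width = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[size]
                if off + width > len(pkt):
                    return 0
                acc = int.from_bytes(pkt[off:off + width], "big")
            else:
                raise NotImplementedError("ld mode %#x" % mode)
        elif cls == BPF_LDX:
            mode = code & 0xE0
            if mode == BPF_MSH:        # X = 4 * (pkt[k] & 0xf): IPv4 header length
                if k >= len(pkt):
                    return 0
                idx = 4 * (pkt[k] & 0x0F)
            elif mode == BPF_IMM:
                idx = k
            else:
                raise NotImplementedError("ldx mode %#x" % mode)
        elif cls == BPF_JMP:
            op, rhs = code & 0xF0, (idx if code & BPF_X else k)
            if op == BPF_JA:
                pc += k
                continue
            taken = {BPF_JEQ: acc == rhs, BPF_JGT: acc > rhs,
                     BPF_JGE: acc >= rhs, BPF_JSET: (acc & rhs) != 0}[op]
            pc += jt if taken else jf     # jt/jf are offsets from the next instruction
        elif cls == BPF_RET:
            return acc if (code & 0x18) == BPF_A else k
        else:
            raise NotImplementedError("class %#x" % cls)
    raise RuntimeError("program fell off the end")


def eth_frame(ethertype, payload):
    """Constructed Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ethertype) + payload)


def ipv4_header(proto, payload_len):
    """Constructed minimal IPv4 header (no options; checksum left 0, BPF never checks it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


UDP_FRAME = eth_frame(0x0800, ipv4_header(17, 8) + struct.pack("!HHHH", 53, 53, 8, 0))
TCP_FRAME = eth_frame(0x0800, ipv4_header(6, 20) + bytes(20))
ARP_FRAME = eth_frame(0x0806, bytes(28))
RUNT_FRAME = eth_frame(0x0800, b"")    # EtherType says IP, but the header is missing


def classify(frames, text=DDD_TEXT):
    """Run the filter over (name, frame) pairs; the value is what the kernel would keep."""
    prog = parse_ddd(text)
    return {name: run_filter(prog, frame) for name, frame in frames}


if __name__ == "__main__":
    for name, kept in classify([("udp", UDP_FRAME), ("tcp", TCP_FRAME),
                                ("arp", ARP_FRAME), ("runt", RUNT_FRAME)]).items():
        print("%-5s accept=%d" % (name, kept))
```

Reading the program alongside -d output makes the structure obvious: load the EtherType at offset 12, branch on 0x0800, load the IPv4 protocol byte at offset 23, branch on 17, and return either the snapshot size or 0. The runt frame shows why the out-of-bounds check matters: a filter must never read past the captured bytes, so such a packet is simply not matched.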
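The -s, -w and -r entries above describe snapshot-length truncation and savefiles in words. As an added example, not code from the original page or from tcpdump/libpcap, the following builds a small pcap savefile in memory from constructed packets, the way `tcpdump -s 68 -w file` would (the global header carries the snaplen; each record carries captured and original lengths), then reads it back as -r does and reports which records were cut short. Those are the packets tcpdump would print with a [|proto] marker. The value 262144 used for -s 0, the sample frames and the timestamp are all assumptions for the demonstration.

```python
"""Read a tcpdump savefile and find packets cut short by the snapshot length.

Added example; not code from the original page or from tcpdump/libpcap.
Constructed packets are written with a chosen snaplen and read back, so the
effect of -s on what -w records (and -r later replays) is visible directly.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap (nanosecond files use 0xA1B23C4D)
LINKTYPE_ETHERNET = 1
MAX_SNAPLEN = 262144         # assumed: what -s 0 resolves to in recent tcpdump
GLOBAL_HDR = "IHHiIII"       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"          # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def write_pcap(packets, snaplen, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, frame) tuples, truncating each frame to snaplen."""
    limit = snaplen or MAX_SNAPLEN
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, limit, linktype))
    for sec, usec, frame in packets:
        captured = frame[:limit]
        out += struct.pack("<" + RECORD_HDR, sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse pcap bytes into (snaplen, linktype, records); rejects inconsistent files."""
    if len(data) < 24:
        raise ValueError("file shorter than the global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a (microsecond) pcap file: magic %#x" % magic)
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, orig = struct.unpack(endian + RECORD_HDR, data[off:off + 16])
        off += 16
        # A record claiming more than snaplen, more than its wire length, or more than
        # remains in the buffer is corrupt or hostile: refuse rather than read past it.
        if incl > snaplen or incl > orig or off + incl > len(data):
            raise ValueError("bad record lengths at offset %d" % (off - 16))
        records.append({"ts": sec + usec / 1e6, "incl_len": incl, "orig_len": orig,
                        "data": data[off:off + incl], "truncated": incl < orig})
        off += incl
    return snaplen, linktype, records


def truncation_report(data):
    """Summarise a savefile: snaplen in use, packet count, indices of truncated packets."""
    snaplen, _linktype, records = read_pcap(data)
    return {"snaplen": snaplen, "packets": len(records),
            "truncated": [i for i, r in enumerate(records) if r["truncated"]]}


# Constructed frames standing in for a 60-byte ICMP echo, a 300-byte DNS reply and a
# 1500-byte NFS read reply; the epoch second is the example value quoted under -tt.
SAMPLE_PACKETS = [(1261798315, 1, b"\xaa" * 60),
                  (1261798315, 250, b"\xbb" * 300),
                  (1261798315, 1000, b"\xcc" * 1500)]
DEFAULT_CAPTURE = write_pcap(SAMPLE_PACKETS, snaplen=68)    # like -s 68 -w (old default)
FULL_CAPTURE = write_pcap(SAMPLE_PACKETS, snaplen=0)        # like -s 0 -w

if __name__ == "__main__":
    print("-s 68:", truncation_report(DEFAULT_CAPTURE))
    print("-s 0: ", truncation_report(FULL_CAPTURE))
```

With the 68-byte snapshot only the ICMP-sized frame survives whole; the DNS and NFS records keep 68 bytes each and carry their full wire length in orig_len, which is exactly the information tcpdump uses to print [|proto]. The length checks in read_pcap are the part worth copying: a savefile from an untrusted source is attacker-controlled input, and incl_len must be bounded by both the snaplen and the bytes actually present before it is used as a slice length.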
tcpdump command format