Tcpdump for Linux commands
Tcpdump can capture the headers of packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not so that unwanted packets can be discarded and only the interesting ones kept.
Tcpdump options:
-A     Print each packet in ASCII and minimise the link-layer header.
-c     Stop after receiving the specified number of packets.
-C     Before writing a raw packet to a file, check whether the current file is larger than file_size; if so, close the current file and open a new one. file_size is in megabytes.
-d     Print the compiled packet-matching code in a human-readable, assembly-like form.
-dd    Print the packet-matching code as a C program fragment.
-ddd   Print the packet-matching code as decimal numbers.
-D     List all network interfaces on the system that tcpdump can capture on.
-e     Print the link-layer header on each output line.
-E     Use spi@ipaddr algo:secret to decrypt IPsec ESP packets addressed to addr that carry the Security Parameter Index value spi.
-f     Print "foreign" Internet addresses numerically.
-F     Read the filter expression from the given file and ignore any expression given on the command line.
-i     Specify the network interface to listen on.
-l     Make standard output line-buffered, so the data can be piped or redirected to a file as it is captured.
-L     List the known data-link types of the network interface.
-m     Load SMI MIB module definitions from the file module; may be given several times to load several MIB modules.
-M     If a TCP segment carries the TCP-MD5 option, use secret as the shared secret to validate the TCP-MD5 digest (see RFC 2385).
-b     Select the protocol at the data-link layer, for example ip, arp, rarp or ipx.
-n     Do not convert addresses to names.
-nn    Show IP addresses and port numbers directly rather than host and service names.
-N     Do not print the domain part of host names; for example, 'nic.ddn.mil' is printed as 'nic'.
-O     Do not run the packet-matching code optimizer.
-p     Do not put the interface into promiscuous mode.
-q     Quick output: print less protocol information.
-r     Read packets from the given file (usually one produced with -w).
-S     Print absolute rather than relative TCP sequence numbers.
-s     Capture the first snaplen bytes of each packet instead of the default 68 bytes; -s 0 removes the limit and captures whole packets.
-T     Interpret the captured packets as the given type, for example rpc (Remote Procedure Call) or snmp (Simple Network Management Protocol).
-t     Do not print a timestamp on each line.
-tt    Print an unformatted timestamp on each line.
-ttt   Print the time delta between the current line and the previous line.
-tttt  Print a timestamp in the default format, as produced by date, on each line.
-u     Print undecoded NFS handles.
-v     Slightly more verbose output; for example, the IP TTL and type-of-service are shown.
-vv    More verbose output.
-vvv   Even more verbose output.
-w     Write the raw packets to a file instead of parsing and printing them. (The resulting .pcap file can be opened in Wireshark on Windows for further analysis.)
-X and -XX  Print the packet data in hex and ASCII; useful for plain-text protocols such as HTTP and the memcached ASCII protocol, where the payload can be read directly.
Examples (options such as -i, -n and -l must come before the filter expression; anything after the expression is parsed as part of the filter):
Capture all packets received and sent by host 210.27.48.1:
tcpdump host 210.27.48.1
Capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3:
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
Capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Capture the ssh packets received or sent by host 192.168.228.246 without resolving host names:
tcpdump -nn -n src host 192.168.228.246 and port 22 and tcp
Capture the ssh packets received or sent by host 192.168.228.246 and also show the MAC addresses:
tcpdump -e -n -nn src host 192.168.228.246 and port 22 and tcp
Filter packets whose source host is 192.168.0.1 and whose destination network is 192.168.0.0/24:
tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24
Filter packets whose source MAC address is XXX:
tcpdump ether src 00:50:04:BA:9B and dst ......
Filter packets whose source host is 192.168.0.1 and whose destination port is not telnet, and write the output to the file test.txt:
tcpdump -l src host 192.168.0.1 and dst port not telnet > test.txt
Listen on the eth0 adapter for packets on port 22 whose source host is 192.168.1.100:
tcpdump -i eth0 -nn port 22 and src host 192.168.1.100
Capture on the eth0 adapter the packets sent to 172.16.70.35 on TCP port 9080:
tcpdump -i eth0 dst 172.16.70.35 and tcp port 9080
Capture the traffic between host 172.16.70.35 and host 192.168.43.23 or 192.168.43.24, and print it on the console in hex and ASCII (the parentheses are quoted so the shell does not interpret them):
tcpdump -X -s 1024 -i eth0 'host (192.168.43.23 or 192.168.43.24) and host 172.16.70.35'
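Once a capture like the ssh examples above has been written to a file with -nn (numeric ports, so the destination shows as .22 rather than .ssh) and -tttt (date and time in the first two fields), the text output is easy to post-process. The following script is an added example, not part of the original page: it counts pure SYNs per source address toward TCP port 22 and flags sources that exceed a threshold, which is a simple way to spot repeated ssh connection attempts in a capture. The log lines are constructed to match tcpdump's output format; the function and file names are my own.

```shell
#!/bin/sh
# Added example: summarise ssh (port 22) SYNs from a tcpdump text log.
# A suitable capture would be produced by something like
#   tcpdump -nn -tttt -i eth0 tcp port 22 > ssh.log
# The lines below are CONSTRUCTED sample output in that format.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01 10:00:01.000001 IP 192.168.1.100.51000 > 192.168.228.246.22: Flags [S], seq 1, win 64240, length 0
2024-01-01 10:00:01.100001 IP 192.168.1.100.51001 > 192.168.228.246.22: Flags [S], seq 2, win 64240, length 0
2024-01-01 10:00:01.200001 IP 192.168.1.100.51002 > 192.168.228.246.22: Flags [S], seq 3, win 64240, length 0
2024-01-01 10:00:02.000001 IP 192.168.43.23.40000 > 192.168.228.246.22: Flags [S], seq 4, win 64240, length 0
2024-01-01 10:00:02.500001 IP 192.168.228.246.22 > 192.168.43.23.40000: Flags [S.], seq 5, ack 5, win 65160, length 0
2024-01-01 10:00:03.000001 IP 192.168.43.24.40001 > 192.168.228.246.9080: Flags [S], seq 6, win 64240, length 0
EOF

# Count pure SYNs (Flags [S], not the server's SYN-ACK [S.]) per source
# address whose destination port is 22.
# Fields with -nn -tttt: $1 date, $2 time, $3 "IP", $4 src, $5 ">",
# $6 "dst:", $7 "Flags", $8 "[S],".
# Usage: syn_counts <logfile>  -> "<source-ip> <count>" lines, highest first
syn_counts() {
  awk '
    $6 ~ /\.22:$/ && $7 == "Flags" && $8 == "[S]," {
      src = $4; sub(/\.[0-9]+$/, "", src)   # strip the source port
      n[src]++
    }
    END { for (s in n) print s, n[s] }
  ' "$1" | sort -k2,2nr
}

# Print the sources whose SYN count is at least the given threshold.
# Usage: flag_sources <logfile> <threshold>
flag_sources() {
  syn_counts "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

echo "SYNs to port 22 per source:"
syn_counts "$SAMPLE_LOG"
echo "Sources with 3 or more attempts:"
flag_sources "$SAMPLE_LOG" 3
```

Lines without numeric ports (captures made without -nn) will not match the `.22:` test, so always capture with -nn when the output is meant for scripts.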