Basic Syntax
========
Filter by host
--------
- Capture all traffic passing through eth1 whose source or destination address is 192.168.1.1
# tcpdump -i eth1 host 192.168.1.1
- Source address only
# tcpdump -i eth1 src host 192.168.1.1
- Destination address only
# tcpdump -i eth1 dst host 192.168.1.1
Filter by port
--------
- Capture all traffic passing through eth1 whose source or destination port is 25
# tcpdump -i eth1 port 25
- Source port only
# tcpdump -i eth1 src port 25
- Destination port only
# tcpdump -i eth1 dst port 25
Filter by network
--------
- The same qualifiers work for whole networks (a dotted pair such as 192.168 means 192.168.0.0/16)
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168
Filter by protocol
--------
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp
Common expressions
----------
Not: ! or "not" (without the quotes)
And: && or "and"
Or: || or "or"
- Capture all TCP traffic through eth1 whose destination address is 192.168.1.254 or 192.168.1.200 and whose port is 80 ("and" binds tighter than "or", so the two hosts are grouped in parentheses)
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
- Capture all ICMP traffic through eth1 whose destination MAC address is 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and (ether dst host 00:01:02:03:04:05))'
- Capture all TCP traffic through eth1 whose destination network is 192.168 but whose destination host is not 192.168.1.200
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
- Capture only SYN packets (the flags byte must be exactly SYN, nothing else set)
# tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'
- Capture SYN/ACK packets (SYN and ACK both set)
# tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'
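To make the difference between the two flag tests above concrete, here is an added example (not part of the original cheat sheet) that emulates the filter semantics in plain sh on constructed TCP headers instead of running tcpdump. tcp[tcpflags] is byte 13 of the TCP header, and tcpdump defines tcp-syn as bit value 2 and tcp-ack as 16. The sample headers, the function names and the third form, tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn, are this example's own additions; the page only uses the first two. The point it shows: the exact '= tcp-syn' test rejects a SYN whose ECE and CWR bits are set (flags byte 0xc2, what an ECN-capable client sends), so a SYN-rate measurement built on it undercounts those hosts, whereas the masked form accepts them.

```shell
#!/bin/sh
# Added example: emulate the cheat sheet's tcpflags filters on constructed TCP
# headers to show what each form accepts. tcp[tcpflags] is byte 13 of the TCP
# header; tcpdump defines tcp-syn = 2 and tcp-ack = 16 (bit values).
TCP_SYN=2
TCP_ACK=16

# Flags byte of a TCP header given as one hex string without separators
# (byte 13, zero-based, is hex characters 27-28).
tcp_flags_byte() {
  printf '%s' "$1" | cut -c27-28
}

# 'tcp[tcpflags] = tcp-syn': the whole byte must be exactly SYN.
is_pure_syn() {
  [ $((0x$1)) -eq "$TCP_SYN" ]
}

# 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0': SYN and ACK both set.
is_syn_ack() {
  f=$((0x$1))
  [ $((f & TCP_SYN)) -ne 0 ] && [ $((f & TCP_ACK)) -ne 0 ]
}

# 'tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn' (not on the page): SYN set and
# ACK clear; other bits such as ECE/CWR are ignored.
is_syn_not_ack() {
  f=$((0x$1))
  [ $((f & (TCP_SYN | TCP_ACK))) -eq "$TCP_SYN" ]
}

# Names of the filters that accept a header (space separated, may be empty).
matching_filters() {
  b=$(tcp_flags_byte "$1")
  out=""
  is_pure_syn "$b"    && out="$out pure-syn"
  is_syn_not_ack "$b" && out="$out syn-not-ack"
  is_syn_ack "$b"     && out="$out syn-ack"
  printf '%s\n' "${out# }"
}

# Constructed 20-byte TCP headers (hex): src port 40000, dst port 80, seq and
# ack 0, data offset 5, window 0xffff, checksum and urgent pointer 0. Only the
# flags byte (characters 27-28) differs between them.
HDR_SYN='9c40005000000000000000005002ffff00000000'      # 0x02: plain SYN
HDR_ECN_SYN='9c400050000000000000000050c2ffff00000000'  # 0xc2: SYN with ECE and CWR (ECN-capable client)
HDR_SYN_ACK='9c40005000000000000000005012ffff00000000'  # 0x12: SYN/ACK

# Stand-alone demo: which filters accept each sample header.
for h in "$HDR_SYN" "$HDR_ECN_SYN" "$HDR_SYN_ACK"; do
  printf 'flags 0x%s -> %s\n' "$(tcp_flags_byte "$h")" "$(matching_filters "$h")"
done
```

Run it with sh; the plain SYN is accepted by both SYN forms, the ECN SYN only by the masked form, and the SYN/ACK only by the SYN/ACK test. The masked form is the one to use when the goal is "every connection attempt" rather than "packets whose flags byte is exactly 0x02".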
Capturing SMTP data
----------
# tcpdump -i eth1 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'
Captures packets whose TCP payload begins with "MAIL"; the hexadecimal of "MAIL" is 0x4d41494c. tcp[12]>>2 is the TCP header length in bytes, so tcp[(tcp[12]>>2):4] reads the first four bytes after the TCP header (and after any TCP options).
Capturing HTTP GET requests
--------------
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'
The hexadecimal of "GET " (with the trailing space) is 0x47455420.
Capturing SSH server banners
---------
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482d'
The hexadecimal of "SSH-" is 0x5353482d.
# tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482d) and (tcp[((tcp[12]>>2)+4):2] = 0x312e)'
Captures the banner returned by old SSH versions, such as "SSH-1.99 ..."; the second comparison checks the next two payload bytes, and 0x312e is the hexadecimal of "1.".
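The SMTP, HTTP and SSH filters above are all the same construction: the first bytes of the TCP payload compared against the hex of an ASCII string, chained when the string is longer than four bytes. As an added example (not code from the original page), the POSIX sh function below turns any ASCII string into that filter. It generalizes the page's SSH-1. filter to any length, splitting the string into 4-, 2- and 1-byte comparisons because tcp[offset:size] only accepts sizes 1, 2 and 4. The function names payload_filter, port_payload_filter and to_hex and the sample strings are this example's own.

```shell
#!/bin/sh
# Added example: build a tcpdump payload-prefix filter from an ASCII string.
# tcp[12]>>2 is the TCP header length in bytes (data offset * 4), so the payload
# starts at tcp[(tcp[12]>>2)]. tcpdump compares only 1, 2 or 4 bytes at a time,
# so longer strings become several comparisons joined with "and", exactly like
# the SSH-1. filter in the cheat sheet.

# Hex-encode a string byte by byte (od is POSIX; -v keeps repeated lines).
to_hex() {
  printf '%s' "$1" | od -A n -t x1 -v | tr -d ' \n'
}

# payload_filter STRING -> expression matching payloads that start with STRING
payload_filter() {
  hex=$(to_hex "$1")
  total=$(( ${#hex} / 2 ))   # number of bytes to match
  off=0
  out=""
  while [ "$off" -lt "$total" ]; do
    rem=$((total - off))
    # largest comparison size tcpdump allows for the remaining bytes
    if [ "$rem" -ge 4 ]; then n=4; elif [ "$rem" -ge 2 ]; then n=2; else n=1; fi
    chunk=$(printf '%s' "$hex" | cut -c$((off * 2 + 1))-$((off * 2 + n * 2)))
    if [ "$off" -eq 0 ]; then
      idx='(tcp[12]>>2)'              # first bytes of the payload
    else
      idx="((tcp[12]>>2)+$off)"       # later bytes, offset from the payload start
    fi
    out="${out:+$out and }tcp[$idx:$n] = 0x$chunk"
    off=$((off + n))
  done
  printf '%s\n' "$out"
}

# port_payload_filter PORT STRING -> the same, restricted to one TCP port
port_payload_filter() {
  printf '(port %s) and (%s)\n' "$1" "$(payload_filter "$2")"
}

# Stand-alone demo with constructed sample strings, including the page's own.
for s in 'MAIL' 'GET ' 'SSH-' 'SSH-1.' 'SSH-2.0'; do
  printf '%-9s => %s\n' "\"$s\"" "$(payload_filter "$s")"
done
port_payload_filter 25 'MAIL FROM:'
```

Usage: `tcpdump -i eth1 "$(port_payload_filter 25 'MAIL FROM:')"`; `tcpdump -d "$(payload_filter 'GET ')"` prints the compiled BPF without capturing anything, which is a cheap way to check an expression before deploying it. Two caveats apply to every filter of this shape: it only sees the string when it sits at the very start of a segment's payload (a request that begins in an earlier segment is missed), and tcp[12]>>2 relies on the low four bits of byte 12 being zero; (tcp[12]&0xf0)>>2 is the strict form of the same offset.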
- Capture DNS query traffic
# tcpdump -i eth1 udp dst port 53
Other
----
- The -c option is also common in day-to-day operations: on a server with heavy traffic, stopping a capture by hand with Ctrl+C easily collects far too much, so use -c to set how many packets to capture before tcpdump exits on its own.
# time tcpdump -nn -i eth0 'tcp[tcpflags] = tcp-syn' -c 10000 > /dev/null
The command above measures how long it takes to capture 10,000 SYN packets, which gives a rough idea of the incoming connection rate.
- Capture GET requests on port 8000 in real time and write them to get.log
# tcpdump -i eth0 '(port 8000) and (tcp[(tcp[12]>>2):4] = 0x47455420)' -nnAl -w /tmp/get.log
-w writes raw packets in pcap format (read them back with tcpdump -r /tmp/get.log), so -A and -l only matter when output goes to the terminal instead.