Use an instance to learn the tcpdump command

Use an instance to learn the tcpdump command

tcpdumpIs a commonly used network packet analysis tool that can be used to display the TCP/IP and other network packets transmitted to the system over the network.tcpdumpThe libpcap library is used to capture Network reports. This library is available in almost all Linux/Unix systems.

tcpdumpYou can read content from the NIC or the data packet file you created earlier, or write the package into the file for later use. Must be a root user or use the sudo privilege to runtcpdump.

In this article, we will use some examples to demonstrate how to usetcpdumpCommand, but first let's look at how to installtcpdump.

 

Install

tcpdumpBy default, it is available in almost all Linux releases, but if you do not have it on Linux, use the following method for installation.

 

CentOS/RHEL

Run the following command to install on CentOS and RHEL:tcpdump,

1. $ sudoyum install tcpdump*

 

Fedora

Run the following command to install on Fedora:tcpdump:

1. $ dnf install tcpdump

 

Ubuntu/Debian/Linux Mint

Run the following command on Ubuntu/Debain/Linux Mint to installtcpdump:

1. $ apt-get install tcpdump

InstalltcpdumpNow let's look at some examples.

 

Case Study

 

Capture data packets from all NICs

Run the following command to capture data packets from all NICs:

1. $ tcpdump-i any

 

Capture data packets from a specified Nic

To capture data packets from the specified Nic, run:

1. $ tcpdump-i eth0

 

Write captured packages to files

Use-wOption to write all captured packages to a file:

1. $ tcpdump-i eth1 -w packets_file

 

Read the previously generated tcpdump File

Run the following command to read the content from the tcpdump file created earlier:

1. $ tcpdump-r packets_file

 

Get more package information and display the timestamp in readable form

To obtain more package information and display the timestamp in readable form, use:

1. $ tcpdump-ttttnnvvS

 

View data packets of the entire network

To obtain the data packets of the entire network, run the following command on the terminal:

1. $ tcpdump net 192.168.1.0/24

 

View packets by IP Address

To obtain the data packet of the specified IP address, whether as the source address or Destination Address, run the following command:

1. $ tcpdump host 192.168.1.100

To specify the IP address as the source address or Destination Address, use:

1. $ tcpdump src 192.168.1.100
2. $ tcpdump dst 192.168.1.100

 

View data packets of a protocol or port number

To view the data packets of a protocol, run the following command:

1. $ tcpdumpssh

To capture data packets of a port or a range, use:

1. $ tcpdump port 22
2. $ tcpdump portrange 22-125

We can alsosrcAnddstOption connection is used to capture packets from a specified source port or destination port.

We can also use "(and,&&), "Or "(or,||) And "Non "(not,!) To combine the two conditions. It is useful to analyze network packets based on certain conditions.

Use "and"

AvailableandOr symbol&&To combine two or more conditions. For example:

1. $ tcpdump src 192.168.1.100&& port 22-w ssh_packets

Use "or"

Or checks whether one of the conditions listed in the command is matched, as shown in the following code:

1. $ tcpdump src 192.168.1.100or dst 192.168.1.50&& port 22-w ssh_packets
2. $ tcpdump port 443or80-w http_packets

Use "Non"

When we want to express that a condition does not match, we can use "not", like this:

1. $ tcpdump-i eth0 src port not22

This will capture all communications except port 22 on eth0.

This is the end of our tutorial. In this tutorial, we explain how to install and usetcpdumpTo capture network packets. If you have any questions or suggestions, please leave a message.

Via: http://linuxtechlab.com/learn-use-tcpdump-command-examples/

Author: Shusain Translator: lujun9972 Proofreader: wxy

This article was originally compiled by LCTT and launched with the honor of Linux in China