Use an instance to learn the tcpdump command
tcpdump
Is a commonly used network packet analysis tool that can be used to display the TCP/IP and other network packets transmitted to the system over the network.tcpdump
The libpcap library is used to capture Network reports. This library is available in almost all Linux/Unix systems.
tcpdump
You can read content from the NIC or the data packet file you created earlier, or write the package into the file for later use. Must be a root user or use the sudo privilege to runtcpdump
.
In this article, we will use some examples to demonstrate how to usetcpdump
Command, but first let's look at how to installtcpdump
.
Install
tcpdump
By default, it is available in almost all Linux releases, but if you do not have it on Linux, use the following method for installation.
CentOS/RHEL
Run the following command to install on CentOS and RHEL:tcpdump
,
$ sudoyum install tcpdump*
Fedora
Run the following command to install on Fedora:tcpdump
:
$ dnf install tcpdump
Ubuntu/Debian/Linux Mint
Run the following command on Ubuntu/Debain/Linux Mint to installtcpdump
:
$ apt-get install tcpdump
Installtcpdump
Now let's look at some examples.
Case Study
Capture data packets from all NICs
Run the following command to capture data packets from all NICs:
$ tcpdump-i any
Capture data packets from a specified Nic
To capture data packets from the specified Nic, run:
$ tcpdump-i eth0
Write captured packages to files
Use-w
Option to write all captured packages to a file:
$ tcpdump-i eth1 -w packets_file
Read the previously generated tcpdump File
Run the following command to read the content from the tcpdump file created earlier:
$ tcpdump-r packets_file
Get more package information and display the timestamp in readable form
To obtain more package information and display the timestamp in readable form, use:
$ tcpdump-ttttnnvvS
View data packets of the entire network
To obtain the data packets of the entire network, run the following command on the terminal:
$ tcpdump net 192.168.1.0/24
View packets by IP Address
To obtain the data packet of the specified IP address, whether as the source address or Destination Address, run the following command:
$ tcpdump host 192.168.1.100
To specify the IP address as the source address or Destination Address, use:
$ tcpdump src 192.168.1.100
$ tcpdump dst 192.168.1.100
View data packets of a protocol or port number
To view the data packets of a protocol, run the following command:
$ tcpdumpssh
To capture data packets of a port or a range, use:
$ tcpdump port 22
$ tcpdump portrange 22-125
We can alsosrc
Anddst
Option connection is used to capture packets from a specified source port or destination port.
We can also use "(and
,&&
), "Or "(or
,||
) And "Non "(not
,!
) To combine the two conditions. It is useful to analyze network packets based on certain conditions.
Use "and"
Availableand
Or symbol&&
To combine two or more conditions. For example:
$ tcpdump src 192.168.1.100&& port 22-w ssh_packets
Use "or"
Or checks whether one of the conditions listed in the command is matched, as shown in the following code:
$ tcpdump src 192.168.1.100or dst 192.168.1.50&& port 22-w ssh_packets
$ tcpdump port 443or80-w http_packets
Use "Non"
When we want to express that a condition does not match, we can use "not", like this:
$ tcpdump-i eth0 src port not22
This will capture all communications except port 22 on eth0.
This is the end of our tutorial. In this tutorial, we explain how to install and usetcpdump
To capture network packets. If you have any questions or suggestions, please leave a message.
Via: http://linuxtechlab.com/learn-use-tcpdump-command-examples/
Author: Shusain Translator: lujun9972 Proofreader: wxy
This article was originally compiled by LCTT and launched with the honor of Linux in China