How to use tcpdump to capture and analyze network packets on Linux

Source: Internet
Author: User
tcpdump captures network packets and can save them to a file. Captured packets can be decoded on the spot by tcpdump itself, or written to a file with the .pcap suffix and analyzed later with tcpdump, Wireshark or similar tools, for example to understand what traffic a host is carrying or where load comes from. The nine examples below illustrate the most common tcpdump options and filter expressions. Capturing packets from an interface requires root privileges (or the CAP_NET_RAW capability), which is why the prompt in the examples is a root shell.

1. Capture packets on a specific network interface (-i option)
When tcpdump is run without -i, it picks an interface by itself (on most systems the first configured, non-loopback interface it finds), which is not necessarily the one you care about. The -i option names the interface to listen on explicitly; on Linux, -i any captures on all interfaces at once:
Linux:/tmp/lx # tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 28.607429 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack win
: 28.607436 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P :() ack win
: 30.384195 arp who-has 128.128.128.35 tell 128.128.128.35
In the preceding example, tcpdump prints every packet that passes through eth0. Each line shows the timestamp, the protocol, source address.port, destination address.port and, for TCP, the flags: "." is a bare ACK and "P" means PSH, i.e. data being pushed to the application.

2. Capture a fixed number of packets (-c option)
By default tcpdump keeps capturing until you press Ctrl-C. The -c option stops the capture after the given number of packets:
Linux:/tmp/lx # tcpdump -c 2 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 05.656104 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P :() ack win
: 05.657074 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack win
packets captured
packets received by filter
packets dropped by kernel
In the preceding example, only two packets are captured on eth0. The three counters tcpdump prints on exit are worth reading every time: "received by filter" counts the packets that matched the filter (it can exceed "captured" because packets keep arriving while tcpdump shuts down), and a non-zero "dropped by kernel" means the kernel's capture buffer overflowed and the capture is incomplete, which matters when a capture is kept as evidence. A larger buffer (-B, in KiB) or a tighter filter expression reduces drops.

3. Write captured packets to a file (-w option)
The -w option writes the raw captured packets to a file in pcap format instead of decoding them on the terminal (nothing is printed until the capture ends and the counters appear), so the packets can be analyzed later:
Linux:/tmp/lx # tcpdump -w 20120606.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size bytes
packets captured
packets received by filter
packets dropped by kernel
Use the .pcap suffix so that tools such as Wireshark recognise the file. Two practical notes: on older tcpdump versions the default snapshot length truncated every packet to its first 68 or 96 bytes, so add -s 0 when you need full payloads (recent versions capture whole packets by default); and a capture file contains everything that was on the wire, including cleartext credentials and session tokens, so keep it with restrictive permissions and delete it once the analysis is done.

4. Read a saved capture file (-r option)
The -r option reads packets from a saved capture file instead of from an interface. The same output options (-n, -tttt, -v) and the same filter expressions apply when reading a file, and no root privileges are needed for this:
Linux:/tmp/lx # tcpdump -r 20120606.pcap
reading from file 20120606.pcap, link-type EN10MB (Ethernet)
: 57.392907 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P :() ack win
: 57.392917 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P :() ack win
: 57.393649 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack win

5. Disable name resolution during capture (-n option)
By default tcpdump resolves IP addresses to host names through reverse DNS and port numbers to service names from /etc/services; that is why the outputs above show "ssh" for port 22 and "autodesk-lm" for port 1422 instead of the numbers. The -n option prints IP addresses instead of host names, and -nn additionally prints port numbers instead of service names. -nn is the usual choice in practice: the reverse lookups slow the capture down (and can cause kernel drops), they send a query to the DNS server for every address seen, and a service name only reflects the port number, not the protocol that is actually running on it.

6. Print the full date and time with each packet (-tttt option)
By default each line starts with the time of day only. The -t family of options controls the timestamp: -t suppresses it, -tt prints seconds since the Unix epoch, -ttt prints the delta from the previous packet, -tttt prints the date and time as "YYYY-MM-DD hh:mm:ss.uuuuuu" in local time, and -ttttt prints the delta from the first packet. With -tttt the output carries the capture date, which you want whenever a capture is correlated with logs or kept as evidence:
Linux:/tmp/lx # tcpdump -n -tttt -i eth0
--: 59.539736 IP 10.71.171.140.> 10.70.121.95.: P :() ack win
--: 59.539754 IP 10.71.171.140.> 10.70.121.95.: P :() ack win
--: 59.539770 IP 10.71.171.140.> 10.70.121.95.: P :() ack win

7. Capture only a specific protocol
The expression at the end of the command line is a libpcap (BPF) filter. The kernel applies it before packets are copied to tcpdump, so a precise filter also reduces drops. Protocol keywords include ether, wlan, arp, rarp, ip, ip6, tcp, udp, icmp, icmp6 and sctp, and they can be combined with and, or and not. In the following example, only ARP packets are captured:
Linux:/tmp/lx # tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 26.948656 arp who-has 10.10.1.30 tell 10.10.1.26
: 27.017406 arp who-has 10.10.1.30 tell 10.10.1.26
: 27.078803 arp who-has 10.10.1.30 tell 10.10.1.26
Three requests for the same address within a fraction of a second and no reply in between usually mean that 10.10.1.30 is down or unreachable on this segment.

8. Capture only a specific port
To capture traffic on a specific port, add a port qualifier to the filter expression. "port 22" matches packets whose source or destination port is 22; use "src port 22" or "dst port 22" to match one direction only:
Linux:/tmp/lx # tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 04.387547 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack win
: 04.387891 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P :() ack win
: 04.398973 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: P :() ack win

9. Capture packets for a specific IP address and port
Every IP packet carries a source address, a source port, a destination address and a destination port, and all four can be used in the filter expression. The following command keeps only packets whose destination address is 10.70.121.92 and whose source or destination port is 22 ("dst 10.70.121.92" is shorthand for "dst host 10.70.121.92"; write "dst port 22" to match the destination port only). Quote the whole expression when it contains characters the shell would interpret, such as parentheses:
Linux:/tmp/lx # tcpdump -i eth0 dst 10.70.121.92 and port 22
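The sections on -w, -r, -n, -tttt and the host/port filter describe what tcpdump does with a capture file and a filter expression. The following Python program is added here as an example; it is not part of the original article or of tcpdump, and everything in it is constructed: it builds a few Ethernet/IPv4/TCP frames between the two hosts seen in the outputs above (placeholder MAC addresses, sequence numbers and timestamps), writes them in the pcap file format that "tcpdump -w" produces, reads the file back the way "tcpdump -r" does (accepting both byte orders and the nanosecond variant, and rejecting truncated records), prints each packet in "-nn -tttt" style (UTC here, where tcpdump prints local time) and applies a filter equivalent to "dst host 10.70.121.92 and port 22".

```python
# Added example, not from the original article or tcpdump: pcap write/read, -nn -tttt style
# decoding and 'dst host X and port N' filtering, on constructed sample frames.
import socket
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1          # shown by tcpdump as "link-type EN10MB (Ethernet)"
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
TCP_FLAG_CHARS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))


def build_tcp_frame(src_ip, sport, dst_ip, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame: placeholder MACs, no options, checksums left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(records, snaplen=262144):
    """(sec, usec, frame) tuples -> the bytes 'tcpdump -w' writes: 24-byte global header,
    then a 16-byte record header in front of every (possibly truncated) frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for sec, usec, frame in records:
        caplen = min(len(frame), snaplen)   # -s limits what is stored, not what was on the wire
        out += struct.pack("<IIII", sec, usec, caplen, len(frame)) + frame[:caplen]
    return bytes(out)


def read_pcap(data):
    """Parse a pcap file of either byte order, usec or nsec resolution, into
    (sec, usec, caplen, origlen, frame) tuples. Corrupt input raises instead of yielding junk."""
    if len(data) < 24:
        raise ValueError("shorter than the pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic number)")
    frac_div = 1000 if magic == PCAP_MAGIC_NSEC else 1   # normalise the fraction to microseconds
    snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])[5:]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link-type %d" % linktype)
    off, records = 24, []
    while off + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        records.append((sec, frac // frac_div, caplen, origlen, data[off:off + caplen]))
        off += caplen
    return records


def decode(frame):
    """Ethernet -> IPv4 -> TCP header fields; None for anything else (ARP, IPv6, UDP, ...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if (ip[0] >> 4) != 4 or proto != 6:
        return None
    tcp = ip[ihl:min(struct.unpack("!H", ip[2:4])[0], len(ip))]   # honour the IP total length
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport,
            "flags": "".join(c for bit, c in TCP_FLAG_CHARS if flags & bit),
            "length": len(tcp) - (doff >> 4) * 4}   # TCP payload bytes, tcpdump's "length"


def format_line(sec, usec, pkt):
    """One line in 'tcpdump -nn -tttt' style (UTC here; tcpdump prints local time)."""
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s.%06d IP %s.%d > %s.%d: Flags [%s], length %d" % (
        ts, usec, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["flags"], pkt["length"])


def matches(pkt, dst_host=None, port=None, dst_port=None):
    """'dst host X and port N' semantics: 'port N' matches either end, 'dst port N' only the destination."""
    if dst_host is not None and pkt["dst"] != dst_host:
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    if dst_port is not None and pkt["dport"] != dst_port:
        return False
    return True


def capture_and_filter(**filt):
    """Round trip: constructed frames -> pcap bytes -> parsed back -> filtered, formatted lines."""
    client, server = "10.70.121.92", "10.71.171.140"       # the two hosts from the article's output
    arp = bytes.fromhex("ffffffffffff001122334455") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
    frames = [                                               # constructed timestamps, 2012-06-06 14:35 UTC
        (1338993357, 392907, build_tcp_frame(client, 1422, server, 22, 0x10)),                 # [.]
        (1338993357, 392917, build_tcp_frame(server, 22, client, 1422, 0x18, b"\x00" * 48)),   # [P.]
        (1338993357, 393649, build_tcp_frame(client, 1422, server, 22, 0x18, b"\x00" * 32)),   # [P.]
        (1338993359, 0, arp),                                                                   # not TCP: skipped
    ]
    lines = []
    for sec, usec, _caplen, _origlen, frame in read_pcap(write_pcap(frames)):
        pkt = decode(frame)
        if pkt is not None and matches(pkt, **filt):
            lines.append(format_line(sec, usec, pkt))
    return lines


if __name__ == "__main__":
    # Equivalent of: tcpdump -nn -tttt -r 20120606.pcap 'dst 10.70.121.92 and port 22'
    for line in capture_and_filter(dst_host="10.70.121.92", port=22):
        print(line)
```

Run without arguments it prints the single frame that matches, the server's PSH/ACK to 10.70.121.92. Changing the keyword arguments of capture_and_filter() shows the difference the filter wording makes: port=22 alone keeps all three TCP frames, dst_port=22 keeps only the two sent to the server. The ARP frame is skipped by decode() just as a TCP-level filter would discard it, and a file with a bad magic number or a record that runs past the end of the data raises ValueError rather than producing bogus packets, which is the behaviour you want from anything that parses captures of untrusted origin.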
