How to use tcpdump to capture and analyze network packets on Linux
Source: Internet
Author: User
tcpdump helps us capture and save network packets. The saved packets can be used to analyze network load. Captured packets can be decoded directly by the tcpdump command, or saved to a file with the .pcap suffix and viewed with wireshark and other software.
The following nine examples illustrate the specific use of tcpdump.

1. packet capture on a specific network interface (-i option)
When tcpdump is executed without any options, it captures packets on all network interfaces. With the -i option, we can capture packets on a specified interface:
Linux:/tmp/lx # tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 28.607429 IP 10.70.121.92.autodesk-lm> 10.71.171.140.ssh:. ack win
: 28.607436 IP 10.71.171.140.ssh> 10.70.121.92.autodesk-lm: P :() ack win
: 30.384195 arp who-has 128.128.128.35 tell 128.128.128.35
In the preceding example, tcpdump captures all packets that pass through eth0.
2. capture a specified number of packets (-c option)
By default, tcpdump keeps capturing until you press Ctrl+C. With the -c option, we can specify the number of packets to capture:
Linux:/tmp/lx # tcpdump -c 2 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 05.656104 IP 10.71.171.140.ssh> 10.70.121.92.autodesk-lm: P :() ack win
: 05.657074 IP 10.70.121.92.autodesk-lm> 10.71.171.140.ssh:. ack win
packets captured
packets received by filter
packets dropped by kernel
In the preceding example, only two packets are captured on the eth0 interface.
3. write the captured packets to a file (-w option)
With the -w option, we can write captured packets to a specified file for later analysis:
Linux:/tmp/lx # tcpdump -w 20120606.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size bytes
packets captured
packets received by filter
packets dropped by kernel
Files saved with the .pcap suffix can be read and analyzed with tools such as wireshark.
4. read a saved capture file (-r option)
The -r option reads packets back from a saved capture file:
Linux:/tmp/lx # tcpdump -r 20120606.pcap
reading from file .pcap, link-type EN10MB (Ethernet)
: 57.392907 IP 10.71.171.140.ssh> 10.70.121.92.autodesk-lm: P :() ack win
: 57.392917 IP 10.71.171.140.ssh> 10.70.121.92.autodesk-lm: P :() ack win
: 57.393649 IP 10.70.121.92.autodesk-lm> 10.71.171.140.ssh:. ack win
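Before handing a file written with -w to tcpdump -r or wireshark, it is worth confirming that it really is a pcap file and which link type it carries (the "link-type EN10MB" shown above is stored in the file header). The following POSIX shell script is an added example, not code from the original page; it reads only the 24-byte pcap global header with od, so it needs neither root nor tcpdump, and it builds its own constructed, packet-less sample file so it can be run offline. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original page): sanity-check a capture file written
# by `tcpdump -w` before feeding it to `tcpdump -r` or wireshark. It reads only the
# 24-byte pcap global header with od, so it needs neither root nor tcpdump itself.

# pcap_magic FILE: classify the file by its first four bytes.
pcap_magic() {
    m=$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$m" in
        d4c3b2a1) echo pcap-le ;;      # classic pcap, microsecond timestamps, little-endian
        a1b2c3d4) echo pcap-be ;;      # same, big-endian (written on a big-endian host)
        4d3cb2a1) echo pcap-le-ns ;;   # nanosecond-timestamp variant
        a1b23c4d) echo pcap-be-ns ;;
        0a0d0d0a) echo pcapng ;;       # pcapng section header; needs a pcapng-aware reader
        *)        echo unknown ;;
    esac
}

# pcap_linktype FILE: the numeric link-layer type stored at offset 20 of a classic pcap header.
# Prints -1 and fails for anything that is not a classic pcap file.
pcap_linktype() {
    set -- "$1" $(od -An -tx1 -j 20 -N 4 "$1" 2>/dev/null)
    [ $# -eq 5 ] || { printf '%s\n' -1; return 1; }
    case "$(pcap_magic "$1")" in
        pcap-le|pcap-le-ns) hex="$5$4$3$2" ;;   # reverse the little-endian byte order
        pcap-be|pcap-be-ns) hex="$2$3$4$5" ;;
        *) printf '%s\n' -1; return 1 ;;
    esac
    printf '%d\n' "0x$hex"
}

# pcap_linktype_name FILE: the name tcpdump prints for the link type.
pcap_linktype_name() {
    case "$(pcap_linktype "$1")" in
        1)   echo EN10MB ;;      # Ethernet, as in the page's "link-type EN10MB" lines
        113) echo LINUX_SLL ;;   # "Linux cooked" frames, what -i any produces
        0)   echo NULL ;;        # BSD loopback encapsulation
        *)   echo UNKNOWN ;;
    esac
}

# make_sample_pcap FILE: write a constructed, packet-less little-endian pcap header
# (version 2.4, snaplen 65535, link type 1) so the checks above can be tried offline.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Demonstration on the constructed file; on a real capture just pass its path.
f=$(mktemp)
make_sample_pcap "$f"
echo "$f: $(pcap_magic "$f"), link type $(pcap_linktype "$f") ($(pcap_linktype_name "$f"))"
rm -f "$f"
```

A file that reports pcapng was not written by the tcpdump -w of the page's examples (that produces classic pcap) and some older tools cannot read it; a file that reports unknown should not be passed to any dissector at all, since truncated or foreign data is exactly what crashes decoders.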
5. do not resolve host names during capture (-n option)
By default, tcpdump resolves addresses in its output and shows host names rather than IP addresses. With the -n option, IP addresses are displayed instead.
6. include the date in the packet timestamp (-tttt option)
With the -tttt option, each captured packet is printed with the capture date as well as the time:
Linux:/tmp/lx # tcpdump -n -tttt -i eth0
--: 59.539736 IP 10.71.171.140.> 10.70.121.95.: P :() ack win
--: 59.539754 IP 10.71.171.140.> 10.70.121.95.: P :() ack win
--: 59.539770 IP 10.71.171.140.> 10.70.121.95.: P :() ack win
7. specify the protocol to capture
We can capture only packets of certain protocols. tcpdump supports protocol filters such as ip, ip6, arp, tcp, udp, wlan, etc. In the following example, only arp packets are captured:
Linux:/tmp/lx # tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 26.948656 arp who-has 10.10.1.30 tell 10.10.1.26
: 27.017406 arp who-has 10.10.1.30 tell 10.10.1.26
: 27.078803 arp who-has 10.10.1.30 tell 10.10.1.26
8. specify the port to capture
To capture traffic on a specific port, run the following command:
Linux:/tmp/lx # tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
: 04.387547 IP 10.70.121.92.autodesk-lm> 10.71.171.140.ssh:. ack win
: 04.387891 IP 10.71.171.140.ssh> 10.70.121.92.autodesk-lm: P :() ack win
: 04.398973 IP 10.70.121.92.autodesk-lm> 10.71.171.140.ssh: P :() ack win
9. capture packets for a specific IP address and port
Each packet carries a source IP address and port and a destination IP address and port. We can filter tcpdump's capture by destination IP address and port; the following command illustrates this:
Linux:/tmp/lx # tcpdump -i eth0 dst 10.70.121.92 and port 22
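The filters in sections 7 to 9 narrow what is captured, but the text that tcpdump prints (sections 5 and 6: numeric addresses with -n, full timestamps with -tttt) is also easy to summarize afterwards. The following POSIX shell script is an added example, not code from the original page: it reads tcpdump text output on stdin and reports which hosts send the most IP packets and which host is sending ARP who-has requests for many different addresses, the pattern a subnet walk leaves behind in a capture like the arp example above. The sample capture text is constructed (addresses in the page's ranges, both the older "arp who-has" and the newer "ARP, Request who-has" line styles), and the function names and the sweep threshold are my own.

```shell
#!/bin/sh
# Added example (not part of the original page): summarise tcpdump text output
# such as `tcpdump -n -tttt -r 20120606.pcap` produces, to spot the hosts that
# send the most packets and any host that is ARP-probing many addresses.
# Uses only awk and sort; reads the capture text from stdin. IPv6 ("IP6") lines
# are not counted by top_talkers.

# Constructed sample output (hypothetical addresses in the page's ranges).
# Both the old "arp who-has" and the newer "ARP, Request who-has" line styles appear.
sample_capture() {
    cat <<'EOF'
2012-06-06 10:01:59.539736 IP 10.71.171.140.22 > 10.70.121.95.55032: P 1:53(52) ack 1 win 115
2012-06-06 10:01:59.539754 IP 10.71.171.140.22 > 10.70.121.95.55032: P 53:105(52) ack 1 win 115
2012-06-06 10:01:59.539770 IP 10.70.121.95.55032 > 10.71.171.140.22: . ack 105 win 2048
2012-06-06 10:02:26.948656 arp who-has 10.10.1.30 tell 10.10.1.26
2012-06-06 10:02:27.017406 arp who-has 10.10.1.31 tell 10.10.1.26
2012-06-06 10:02:27.078803 arp who-has 10.10.1.32 tell 10.10.1.26
2012-06-06 10:02:28.100000 ARP, Request who-has 10.10.1.26 tell 10.10.1.30, length 28
EOF
}

# top_talkers: "count source-address" per IP source, most active first.
# The source field follows the "IP" token whatever timestamp format (-t, -tttt) is used;
# the trailing ".port" (or ".servicename" when -n is not given) is stripped.
top_talkers() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "IP") {
            src = $(i + 1); sub(/\.[^.]*$/, "", src); n[src]++; break
        }
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# ip_packets_from ADDR: number of IP packets sent by ADDR (0 if none).
ip_packets_from() {
    top_talkers | awk -v a="$1" '$2 == a { print $1; found = 1 } END { if (!found) print 0 }'
}

# arp_requesters: "distinct-targets requester" per host that sent ARP who-has requests.
arp_requesters() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "who-has") {
            target = $(i + 1); asker = $(i + 3); sub(/,$/, "", asker)
            if (!((asker, target) in seen)) { seen[asker, target] = 1; distinct[asker]++ }
            break
        }
    }
    END { for (a in distinct) print distinct[a], a }' | sort -rn
}

# arp_sweep_suspects N: requesters that asked who-has for at least N distinct addresses.
# N is a site-specific threshold (hypothetical value below); a router or monitoring host
# legitimately asks for many neighbours, so compare against a known baseline.
arp_sweep_suspects() {
    arp_requesters | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# Demonstration on the constructed sample; on a real capture:
#   tcpdump -n -tttt -r 20120606.pcap | arp_sweep_suspects 20
echo "IP packets per source:";              sample_capture | top_talkers
echo "ARP requesters (distinct targets):";  sample_capture | arp_requesters
echo "Sweep suspects (>= 3 targets):";      sample_capture | arp_sweep_suspects 3
```

Run the functions on -n output whenever possible: without -n the source field ends in a service name rather than a port number, which the scripts tolerate, but name lookups slow tcpdump down and send DNS queries of their own while you are capturing.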