Tcpdump is a professional network analysis tool that not only helps us analyze network packets, but also helps us learn TCP/IP, although many people think that Wireshark, another software, is more advanced. First, we will introduce the-s parameter. it refers to setting the size of the packet to be captured. by default, the packet size is smaller than 68Byte, setting 0 indicates capturing Tcpdump is a professional network analysis tool. it not only helps us analyze network packets, but also helps us learn TCP/IP, although many believe that Wireshark, another software, is more advanced.
First, we will introduce the-s parameter. it refers to setting the size of the packet to be captured. by default, the packet size smaller than 68Byte is captured. setting it to 0 indicates capturing all packets.
The following are a few parameters:
-I Network Interface: specifies the network interface to listen to (such as the network adapter eth0 ).
-N: the host name is not resolved (for example, if a machine name is Mars, its IP address is 1.1.2.2, and-n is specified to display the IP address, but Mars is not specified)
-Nn: the host name and port name are not resolved (for example, if port 80 is accessed, Mars. http is displayed without nn, and 1.1.2.2.80 is added)
-X: indicates the message content and the corresponding ASCII value in hexadecimal notation.
-V,-vv,-vvv: added the description package information.
-C: specify the number of captured packets.
-S: print the absolute serial number value (SEQ, ACK ).
-E: capture the Ethernet packet header.
Host // capture all packets whose IP address is 1.2.3.4
TcpdumpHost 1.2.3.4
Src, dst // capture packets whose source address is 2.3.4.5; capture packets whose destination address is 3.4.5.6
Tcpdump src 2.3.4.5
Tcpdump dst 3.4.5.6
Net // capture packets in the 1.2.3.0 CIDR block.
Tcpdump net 1.2.3.0/24
Proto // supports tcp, udp, icmp, ip, and icmp packet capture
Tcpdump icmp
Port // capture packets with port 3389
Tcpdump port 3389
Src, dst port // capture packets whose source port is 1025; capture packets whose destination port is 3389
Tcpdump src port 1025
Tcpdump dst port 3389
1. AND
And or &&
2. OR
Or |
3. snapshot T
Not or!
Capture packets with TCP protocol and source address 10.5.2.3 and target port 3389
# Tcpdump-nnvvS tcp and src 10.5.2.3 and dst port 3389
Capture packets whose source CIDR block is 192.168.0.0/16 and whose destination CIDR block is 10.0.0.0 or 172.16.0.0
# Tcpdump-nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or172.16.0.0/16
The size of the captured packet is 1514 bytes, the destination address is 192.168.0.2, the source network segment is 172.16.0.0, and the packet does not belong to the ICMP protocol:
# Tcpdump-nvvXSs 1514 dst 192.168.0.2 and src net 172.16.0.0/16and not icmp
Capture packets whose source host name is mars or pluto and the target port is not 22
# Tcpdump-vv src mars or pluto and not dst port 22
Capture packets whose source address is 10.0.2.4 and whose target Port is 3389 or 22 (note that this format is incorrect)
# Tcpdump src 10.0.2.4 and (dst port 3389 or 22)
If you run this command, you will receive a system error message because it contains parentheses. You can add '\' (not including quotation marks) before each bracket to escape, or add single quotation marks ''to both ends of the entire statement''
# Tcpdump 'src 10.0.2.4 and (dst port 3389 or 22 )'
# Tcpdump src 10.0.2.4 and \ (dst port 3389 or 22 \)
[Advanced]
You can only capture packets on the SYN-ACK and other flag Oh, this is I also learned, :( in the forum asked no one, only to find their own.
Tcpdump 'tcp [13] = 18'
Tcp [13] indicates the 13th bytes (relative offset value) of TCP packets ),! = 0 indicates that the packet with the corresponding flag 1 is captured.
I hope everyone can learn and make progress together.