How to use tcpdump

Tcpdump adopts the command line method. its command format is: tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name] [-I network interface] [-r file name] [-ssnaplen] [-T type] [-w file name] [expression] tcpdump option introduction-a converts the network address and broadcast address into a name; -d will match the email TcpdumpThe command format is as follows:
Tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name]
[-I network interface] [-r file name] [-s snaplen]
[-T type] [-w file name] [expression]
Introduction to tcpdump options
-A converts a network address and broadcast address into a name;
-D. give the code that matches the information package in an assembly format that people can understand;
-Dd provides the code that matches the information package in the format of the C program segment;
-Ddd provides the matching information package code in decimal format;
-E prints the header information of the data link layer in the output line;
-F print the Internet address in numbers;
-L changes the standard output to the buffer row format;
-N does not convert the network address into a name;
-T no timestamp is printed on each output line;
-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information;
-Vv: output detailed message information;
-C. after receiving the specified number of packages, tcpdump stops;
-F read the expression from the specified file and ignore other expressions;
-I indicates the network interface of the listener;
-R reads packets from a specified file (these packets are generally generated using the-w option );
-W directly writes the package into the file and does not analyze or print it out;
-T directly interpret the listening packet as a specified type of message. Common types include rpc (remote process call) and snmp (Simple Network Management Protocol ;)
Example:
A wants to intercept all packets received and sent by all hosts of 192.168.1.2:
Tcpdump host 192.168.1.2
B wants to intercept the communication between host 192.168.1.2 and host 192.168.1.3 or 192.168.1.4: (when brackets are applied in the command line, you must translate them using)
Tcpdump host 192.168.1.2 and \ (192.168.1.3 or 192.168.1.4 \)
C if you want to obtain the IP packet for all hosts except 192.168.1.3:
Tcpdump ip host 192.168.1.2 and! 192.168.1.3
D. to obtain the telnet packet received or sent by host 192.168.1.2:
Tcpdump tcp port 23 host 192.168.1.2
E. monitor the udp port 123 of the local machine. Port 123 is the ntp Service Port:
Tcpdump udp port 123
The F system only monitors the communication data packets of the host named hostname. The host name can be a local host or any computer on the network. The following command reads all data sent by the host hostname:
Tcpdump-I eth0 src host hostname
The command below G can monitor all data packets sent to the host hostname:
Tcpdump-I eth0 dst host hostname
H. you can monitor data packets sent through the specified Gateway:
Tcpdump-I eth0 gateway Gatewayname
If you want to monitor the TCP or UDP data packets destined for the specified port, run the following command:
Tcpdump-I eth0 host hostname and port 80

Protocol keywords, including fddi, ip, arp, rarp, tcp, udp, and other types. in addition to these three types of keywords, other important keywords are as follows: gateway, broadcast, less,
Greater, there are three logical operations. The non-operation is 'not ''! ', And the operation is 'and',' & '; or the operation is 'or',' | ';
Keyword used to determine the transmission direction, including src, dst, dst or src, dst and src,
If we only need to list the data packets sent to port 80, use dst port; if we only want to see the data packets returned to port 80, use src port.
# Tcpdump? I eth0 host hostname and dst port80 destination port is 80
Or
# Tcpdump? I eth0 host hostname and src port80 source port is 80. generally, it is the host that provides http services. if there are many conditions, add and or not before the conditions.
# Tcpdump-I eth0 host! 211.161.223.70 and! 211.161.223.71 and dstport 80
Logs in the ethernet mixed mode system are recorded.
May 7 20:03:46 localhost kernel: eth0: Promiscuous modeenabled.
May 7 20:03:46 localhost kernel: device eth0 enteredpromiscuous mode
May 7 20:03:57 localhost kernel: device eth0 leftpromiscuous mode
Tcpdump does not thoroughly decode the intercepted data. most of the content in the data packet is printed in hexadecimal format. Obviously, this is not conducive to the analysis of network faults. The common solution is to first use tcpdump with The-w parameter to capture data and save it to the file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to prevent the captured data packets from filling the entire hard disk.

# Tcpdump-I eth1 src host211.167.237.199
00:02:03. 096713 IP 211.167.237.199.ssh> 221.216.165.189.1467: P2010208: 2010352 (144) ack 33377 win 8576
00:02:03. 096951 IP 211.167.237.199.ssh> 221.216.165.189.1467: P2010352: 2010496 (144) ack 33377 win 8576
00:02:03. 100928 IP 211.167.237.199.ssh> 221.216.165.189.1467: P2010496: 2010640 (144) ack 33377 win 8576
00:02:03. 101165 IP 211.167.237.199.ssh> 221.216.165.189.1467: P2010640: 2010784 (144) ack 33377 win 8576
00:02:03. 102554 IP 211.167.237.199.ssh> 221.216.165.189.1467: P2010784: 2010928 (144) ack 33425 win 8576
It indicates that Port 211.167.237.199 is connected to Port 1467 of 221.216.165.189 through the ssh source port at 00:02:03.

# Tcpdump-I eth1 src host 211.167.237.199 and dst port 1467
00:09:27. 603075 IP 211.167.237.199.ssh> 221.216.165.189.1467: P180400: 180544 (144) ack 2833 win 8576
00:09:27. 605631 IP 211.167.237.199.ssh> 221.216.165.189.1467: P180544: 180688 (144) ack 2881 win 8576
Intercept all data packets of the host (host) with the source address (src) 192.168.0.5 and the destination (dst) port (port) of eth0 as 80

View the status of packets transmitted and received by the network adapter
$ Netstat-I
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-OVRFlg
Eth0 1500 0 14639 0 0 5705 119 0 0 BMRU
Iface: Nic
RX-OK RX-ERR RX-DRP RX-OVR: number of packets correctly received by the NIC and total number of errors, loss, collisions
TX-OK TX-ERR TX-DRP TX-OVR: number of packets correctly sent by the NIC and total number of errors, loss, collisions

Introduction to output results of tcpdump
(1) data link layer header information
Run the command # tcpdump -- e host ice
Ice is a linux host. her MAC address is 0: 90: 27: 58: AF: 1A.
H219 is a workstation with SOLARIC. its MAC address is 8: 0: 20: 79: 5B: 46; the previous one
Command output is as follows:
21:50:12. 847509 eth0 <8: 0: 20: 79: 5b: 46 0: 90: 27: 58: af: 1a ip 60: h219.33357> ice.
Telnet 0: 0 (0) ack 22535 win 8760 (DF)
Analysis: 21: 50: 12 indicates the display time, 847509 indicates the ID number, and eth0> indicates to send data packets from the network interface device, 8: 0: 20: 79: 5b: 46 is the MAC address of host H219, which indicates that it is a packet sent from source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE, indicating that the destination address of the data packet is ICE. ip indicates that the data packet is an IP data packet, and 60 indicates the length of the data packet, h219.33357> ice. telnet indicates that the packet is the TELNET (23) Port sent from Port 33357 of host H219 to host ICE. ack 22535 indicates to respond to a packet whose serial number is 222535. win 8760 indicates that the size of the sending window is 8760.
(2) TCPDUMP output information of ARP packets
Run the command # tcpdump arp
The output result is:
22:32:42. 802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)
22:32:42. 802902 eth0 <arp reply route is-at 0: 90: 27: 12: 10: 66 (0: 90: 27: 58: af: 1a)
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0> indicates that the packet is sent from the host, arp indicates that the packet is an ARP Request packet, who-has route tell ice indicates that it is the MAC address of the host ROUTE requested by the host ICE. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE.
(3) TCP packet output information
The common output information of TCP packets captured with TCPDUMP is:
Src> dst: flags data-seqno ack window urgent options
Src> dst: Indicates from the source address to the destination address. flags indicates the flag information in the TCP packet, S indicates the SYN mark, F (FIN), P (PUSH), R (RST )". "(not marked); data-seqno is the sequence number of data in the data packet, ack is the sequence number expected next time, window is the size of the window that receives the cache, and urgent indicates whether there is an emergency pointer in the data packet. options is an option.
(4) UDP packet output information
The general output information of the UDP packet captured with TCPDUMP is:
Route. port1> ice. port2: udp lenth
The output line above indicates a UDP packet sent from the port port1 of the host ROUTE to the port2 port of the host ICE. the type is UDP and the package length is lenth.