How to use the packet capture tool tcpdump in Linux

The packet capture tool has two advantages: one is snort and the other is tcpdump. this time, we don't mention snort. Although the tool is powerful, it is complicated, and tcpdump is relatively simple. Tcpdumpwindows and linux versions. You can download the linux version from www.tcpdump.org. after tcpdump is installed, run tcpdump:

Two of the best packet capture tools are: snort andTcpdumpI don't want to talk about snort this time. I think this tool is very powerful but complicated.TcpdumpRelatively simple. Tcpdumpwindows and linux versions. You can download the linux version from www.tcpdump.org.

After tcpdump is installed, run tcpdump:

1. tcpdump-D: get the network adapter list. The following is the result obtained on windows:

1. \ Device \ PssdkLoopback (PSSDK Loopback Ethernet EmulationAdapter)

2. \ Device \ {CF587901-C85F-4FD6-896F-D977DEFE76EC} (Intel (R) PRO/100 VE Network Co

Nnection)

2. tcpdump-I <需要监控的网络适配器编号> For example, I want to monitor lo (127.0.0.1), that is, 1. \ Device \ PssdkLoopback in the list above: (exclusive to windows, not applicable to linux)

Tcpdump-I 1

If you do not use-I to define the monitoring adapter, the first one in the list is used by default;

3. the monitoring host is the tcp protocol of port 8000 on port 192.9.200.59:

Tcpdump host 192.9.200.59 and tcp port 8000

4. if you want to display the data packet content, you need to use the-X parameter. for example, I want to display the captured http packet http header content:

Tcpdump-X host 192.9.200.59 and tcp port 8000

The result is as follows:

22:13:19. 717472 IP testhost59.12535> liujuan59.8000:. (329) ack 1 win 327

8

0x0000: 4500 0171 e616 00008006 cb2b 0000 0000 E. q... + ....

0x0010: c009 c83b 30f7 1f400000 0002 0000 0002 ......; 0 ..@........

0x0020: 5010 8000 b066 108504f 5354 202f 2048 P... f... POST ../. H

0x0030: 5454502F 312e 310d0a43 6f6e 7465 6e74 TTP/1. 1 .. Content

0x0040: 2d54 7970 653a 20746578 742f 786d 6c3b-Type:. text/xml;

0x0050: 2063. c

The result shows that only part of the http header is displayed, but not all is displayed, because tcpdump truncates the displayed data length by default. you can add the data length after-s, to set the data display length:

Tcpdump-X-s 0 host 192.9.200.59 and tcp port 8000

In the preceding example,-s 0 indicates that the length is automatically set to show all data.

5. if too much data is captured and the screen is constantly refreshed, you may need to record the data content to the file. you need to use the-w parameter:

Tcpdump-X-s 0-w aaa host 192.9.200.59 and tcp port 8000

Then, the content displayed on the screen is written to the aaa file under the Directory of the tcpdump executable file.

To view the file, use the-r parameter:

Tcpdump-X-s 0-r aaa host 192.9.200.59 and tcp port 8000

Write the following statement:

Tcpdump-r aaa

You can only see the simplest data transmission interaction process, but not the data packet content. you also need to use the corresponding parameters when viewing the data packet.

6. Summary

To sum up, the parameters of tcpdump are divided into two parts: Options and expressions ):

Tcpdump [-adeflnNOpqRStuvxX] [-c count]

[-C file _ size] [-F file]

[-Iinterface] [-m module] [-r file]

[-Ssnaplen] [-T type] [-w file]

[-Ealgo: secret] [expression]