How to use the tcpdump command in Linux

TCPDUMP introduction in traditional network analysis and testing technologies, sniffer is the most common and important technology. Sniffer is designed for network analysis by network administrators and network programmers. Network administrators can keep abreast of the actual network conditions when network performance drops sharply,

About TCPDUMP

In traditional network analysis and testing technologies, sniffer is the most common and important technology. Sniffer is designed for network analysis by network administrators and network programmers. Network administrators can keep abreast of the actual network conditions by using the sniffer. when network performance drops sharply, you can use the sniffer tool to analyze the causes and find out the source of network congestion. For network programmers, the sniffer tool is used to debug programs.

Anyone who has used the sniffer tool on windows (for example, netxray and snifferpro) may know that in a shared Lan, using the sniffer tool can provide a clear view of all the traffic in the network! The Sniffer tool is actually a packet capture tool on the network. It can also analyze captured packets. In a shared network, information packets are the network interfaces of all hosts in the network, but before the sniffer tool is used, the network device of the host determines whether the information packet should be received, so that it will discard the information packet that should not be received. the sniffer tool allows the network device of the host to receive all the information packets that have arrived, this achieves the effect of network listening.

Data collection and analysis is essential when Linux is a network server, especially a router or gateway. So, let's take a look at TcpDump, a powerful network data collection and analysis tool in Linux.

Define in simple wordsTcpdumpDump thetraffice on anetwork is a packet analysis tool that intercepts packets on the network according to user definitions.

As an essential tool for system administrators on the Internet, tcpdump, with its powerful functions and flexible interception policies, becomes one of the essential tools for every senior system administrator to analyze the network and troubleshoot problems.

As the name suggests, TcpDump can completely intercept the "header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information.

Tcpdump provides source code and open interfaces, so it has high scalability and is a very useful tool for network maintenance and intruders. Tcpdump exists in the basic FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local machine, but a threat to the security of other computers on the network.

Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.

-----------------------

Bash-2.02 # tcpdump

Tcpdump: listening on eth0

11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50

11:58:47. 974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1dui/Clen = 43

0000 0000 0080 0000 1007 cf08 0900 0000

0e80 0000 902b 4695 0980 8701 0014

000f 0000 902b 4695 0008 00

11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0ui/Clen = 97

Ffff 0060 0004 ffff

0452 ffff 0000 e85b 6d85 4008 0002

0640 4d41 5354 4552 5f57 4542 0000 0000

00, 0000

^ C

------------------------

First, we should pay attention to the following output: the output format of tcpdump is: System time source host. Port> target host. Port data packet parameter.

Parameter support for TcpDump

Tcpdump supports many different parameters. for example, you can use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces, use the-c parameter to specify the number of data packets to be monitored, and use the-w parameter to specify to write the data packets to the file for storage, and so on.

However, the more complex tcpdump parameter is used for filtering, because the traffic in the network is large. If no difference is added, all data packets are intercepted, and the data volume is too large, instead, it is difficult to find the required data packets. Filter rules defined by these parameters can be used to intercept specific data packets to narrow down the target so as to better analyze problems in the network. Tcpdump uses parameters to specify the type, address, and port of the data packet to be monitored. based on specific network problems, making full use of these filtering rules can quickly locate faults. Use mantcpdump to view the specific filter rules.Usage.

Obviously, this type of network analysis software should not be run on computers that are not used for network management. to shield them, we can shield bpfilter pseudo devices in the kernel. Generally, network hardware and TCP/IP stacks do not support receiving or sending data packets unrelated to the computer. to receive these data packets, you must use the network adapter's hybrid mode, and bypass the standard TCP/IP stack. In FreeBSD, the kernel must support bpfilter, a pseudo-device. Therefore, network analysis tools such as tcpdump can be shielded by canceling bpfilter in the kernel.

When the NIC is set to the hybrid mode, the system will leave a record in the console and log files, reminding the administrator to check whether the system is used as a springboard to attack other computers on the same network.

May 15 16:27:20 host1/kernel: fxp0: promiscuousmodeenabled

Although the network analysis tool can record the data transmitted over the network, the data traffic in the network is quite large, how to analyze, classify, and collect statistics on the data, and discover and report errors is more critical. Data packets in the network belong to different protocols, and the formats of data packets in different protocols are also different. Therefore, decoding captured data and displaying packet information as much as possible is more important for protocol analysis tools. The advantage of expensive commercial analysis tools is that they support many types of application layer protocols, not only tcp, udp and other low-layer protocols.

According to the output of tcpdump, tcpdump does not thoroughly decode the intercepted data. most of the content in the data packet is printed in hexadecimal format. Obviously, this is not conducive to the analysis of network faults. The common solution is to first use tcpdump with The-w parameter to capture data and save it to the file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to prevent the captured data packets from filling the entire hard disk.

TCP functions

Data Filtering

Without any parameters, TcpDump searches all network interfaces in the system and displays all the data it intercepts. this data is not necessarily all required for us, and too much data is not conducive to analysis. Therefore, we should first think about what data is needed. TcpDump provides the following parameters for us to select data:

-B selects the protocol on the data-link layer, including ip, arp, rarp, and ipx.

For example, tcpdump-B arp only displays arp in the network, that is, address translation protocol information.

-I: Select the network interface to be filtered. if a router has at least two network interfaces, you can use this option to filter only the data passed through the specified interface. For example:

Tcpdump-I eth0 only displays all headers on the eth0 interface.

The options src, dst, port, host, net, ether, and gateway include additional options such as src, dst, port, host, net, and ehost. They are used to identify the source and destination of data packets. src host192.168.0.1 specifies that the source host IP address is 192.168.0.1, and dst net192.168.0.0/24 specifies that the destination is 192.168.0.0. Similarly, the host is related to the specified host, whether it is the source or the target, and the net is related to the specified network. The ether is followed by a physical address instead of an IP address, while the gateway is used for the gateway host. It may be a bit complicated. let's see the following example:

Tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

Filters the headers whose source host is 192.168.0.1 and whose destination network is 192.168.0.0.

Tcpdump ether src 00: 50: 04: BA: 9B and dst ......

Filter the header with the physical address of the source host being XXX (why is there no host or net behind ether src? Of course, the physical address cannot have a network ).

Tcpdump src host 192.168.0.1 and dst port not telnet

Filter the source host 192.168.0.1 and the target Port are not the telnet header.

Ip icmp arp rarp, tcp, udp, icmp, and other options must be placed at the first parameter to filter the data type.

For example:

Tcpdump ip src ......

Only filter data-IP headers on the link layer.

Tcpdump udp and src host 192.168.0.1

Only filter all udp headers of the source host 192.168.0.1.

Data Display/input/output

TcpDump provides enough parameters for us to choose how to process the data, as shown below:

-L can redirect data.

For example, tcpdump-l> tcpcap.txt stores the obtained data in the tcpcap.txt file.

-N does not convert the IP address to the host name.

If you do not use this option, TcpDump will convert the IP address to the host name display when a host's host name exists in the system, just like this: eth0 <ntc9.1165> router.domain.net. telnet: eth0 <192.168.0.9.1165> 192.168.0.1.telnet.

-Nn does not convert the port name.

After using-nn, the above information becomes: eth0 <ntc9.1165> router.domain.net. 23.

-N does not print the default domain name.

After N, it is eth0 <ntc9.1165> router. telnet.

-O does not optimize the matching code.

-T does not print the UNIX timestamp, that is, the time is not displayed.

-Tt prints the original, unformatted time.

-V has a more detailed output than a common TTL and service type.

[Expression]Usage:

Expression is the most useful advanced of tcpdump.UsageYou can use it to match some special packages. The following describes the expressionUsageIs mainly about how to write the most strict expression that meets the requirements. If no expression exists in tcpdump, tcpdump will output all data packets on the NIC; otherwise, it will be output by the expression matching package.

Expression is composed of one or more [primitives], and [primitives] are composed of one or more [qualitifer] and one id (name) or number, their structure can be expressed:

Expression = ([qualitifer] + (id | number) +

In turn, expression is a complex conditional expression. [qualitifer] + (id | number) is a relatively basic condition. qualitifer expresses some names (items, variables ), id or number indicates a value (or constant ).

Qualitifer has three types:

Type indicates the types involved in id name or number. these words include host, nest, port, portrange, and so on.

Example:

Host foo is a simple primitive, host is qualitifer, foo is id name

Net 128.3 net is qualitifer, and 128.3 is number

Port 20

And so on.

Each privimtive must have a type word. if the expression does not exist, the default value is host.

Dir specifies the direction of data transmission. these words include src, dst, srcor dst, src and dst.

Example:

Dst net 128.3; this is a relatively complex primitive with the structure of dir typenumber, indicating the condition for the target network to be 128.3.

Src or dst port ftp-data this is a relatively simple structure than the previous one. src ordst indicates the source or target, ftp-data indicates the id, and ftp indicates the data transmission port in the ftp protocol, therefore, the data packet indicating the source or target Port ftp-data matches.

If there is no dir word in a primitive, the default value is src or dst. for example, hostfoo indicates that all data packets whose source or target host is foo match.

Proto is used to match a specific protocol. these terms include ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, and udp. In fact, these words are often used to match a protocol, which is the most frequently used word group.

The above three qualitifer and id name or number form a primitive, which is usually the following method:

Proto dir type id (number), that is, primitive = protodir type (id | number)

For example:

Tcp src port 80

Ip dst host 192.168.1.1

If type appears, the id or num will appear.

If dir appears, type is also displayed. if not, the default value is host.

The proto can appear separately, such as tcpdump 'tcp'

Based on the three qualitifer mentioned above, we can quickly write a primitive. next I will use only one primitive as the expression to match the data packet.

(1) matching ether package

A packet that matches a specific mac address.

Tcpdump 'Ether src 00: 19: 21: 1D: 75: E6'

In the packet that matches the source mac for 00: 19: 21: 1D: 75: E6, src can be changed to dst, src or dst to change the condition.

Match the ether broadcast package. The ether broadcast package features mac full 1. Therefore, it can be matched as follows:

Tcpdump 'Ether dst ff: ff'

Ylin @ ylin :~ $ Sudo tcpdump-c 1 'etherdstff: ff: ff'

Tcpdump: verbose output suppressed, use-v or-vv forfullprotocol decode

Listening on eth0, link-type EN10MB (Ethernet), capturesize 96 bytes

10:47:57. 784099 arp who-has 192.168.240.77tell192.168.240.189

In this example, only one package is matched and the package exits. The first one is the arp Request packet. the arp Request packet is sent in broadcast mode and matched.

The ether multicast packet matches the ether multicast packet. the feature of the ether multicast packet is that the highest bit of mac is 1, and the other bit is used to represent the multicast group number. if you want to match the multicast group, you only need to know the MAC address of the group. For example

Tcpdump 'Ether dst 'Mac _ Address indicates the Address. enter the appropriate Address. If you want to match all the ether multicast data packets, put them down for now. Next, we will continue to explain more advanced applications for you.

(2) matching arp packets

An arp packet is a protocol used to convert IP addresses to Mac addresses, including arp requests and arp requests. arp request packets are sent through the ether broadcast method, that is, the mac address of the arp Request packet is full 1. Therefore, etherdstFF; FF can be used to match the arp Request packet, but cannot match the promised packet. Therefore, to match the arp communication process, only arp is used to specify the protocol.

Tcpdump 'arp 'can match arp packets on the network.

Ylin @ ylin :~ $ Arping-c 4 192.168.240.1>/dev/null & sudotcpdump-p 'arp'

[1] 9293

WARNING: interface is ignored: Operation not permitted

Tcpdump: verbose output suppressed, use-v or-vv forfullprotocol decode

Listening on eth0, link-type EN10MB (Ethernet), capturesize 96 bytes

11:09:25. 042479 arp who-has 192.168.240.1 (00: 03: d2: 20: 04: 28 (oui Unknown) tell ylin. local

11:09:25. 042702 arp reply 192.168.240.1 is-at00: 03: d2: 20: 04: 28 (oui Unknown)

11:09:26. 050452 arp who-has 192.168.240.1 (00: 03: d2: 20: 04: 28 (oui Unknown) tell ylin. local

11:09:26. 050765 arp reply 192.168.240.1 is-at00: 03: d2: 20: 04: 28 (oui Unknown)

11:09:27. 058459 arp who-has 192.168.240.1 (00: 03: d2: 20: 04: 28 (oui Unknown) tell ylin. local

11:09:27. 058701 arp reply 192.168.240.1 is-at00: 03: d2: 20: 04: 28 (oui Unknown)

11:09:33. 646514 arp who-has ylin. local tell 192.168.240.1

11:09:33. 646532 arp reply ylin. local is-at00: 19: 21: 1d: 75: e6 (oui Unknown)

In this example, arping-c 4 192.168.240.1 is used to generate arp requests and receive the promised packets, while tcpdump-p 'arp 'is matched. Here, The-p option enables the network to work in normal mode (non-mixed mode), so that you can conveniently view the matching results.

(3) matching IP packets

As we all know, the IP protocol is one of the most important protocols in TCP/IP. it is precisely because it can connect the Internet. it is essential that the expression matching the IP packet is analyzed below.

Matching IP addresses

Tcpdump 'IP src 192.168.240.69'

Ylin @ ylin :~ $ Sudo tcpdump-c 3 'IP src 192.168.240.69'

Tcpdump: verbose output suppressed, use-v or-vv forfullprotocol decode

Listening on eth0, link-type EN10MB (Ethernet), capturesize 96 bytes

11:20:00. 973605 IP ylin. local.51486> walnut.crossbeamsys.com. ssh: S 2706301341: 2706301341 (0) win5840

11:20:00. 974328 IP ylin. local.32849> 192.168.200.150.domain: 5858 + PTR? 2017200.168.192.in-addr. arpa. (45)

11:20:01. 243490 IP ylin. local.51486> walnut.crossbeamsys.com. ssh:. ack 2762262674 win 183

IP broadcast multicast packet match: you only need to specify the broadcast or multicast address.

Tcpdump 'IP dst 240.168.240.255'

Ylin @ ylin :~ $ Sudo tcpdump 'IP dst 192.168.240.255'

Tcpdump: verbose output suppressed, use-v or-vv forfullprotocol decode

Listening on eth0, link-type EN10MB (Ethernet), capturesize 96 bytes

11:25:29. 690658 IP dd. local> 192.168.240.255: ICMPechorequest, id 10022, seq 1, length 64

11:25:30. 694989 IP dd. local> 192.168.240.255: ICMPechorequest, id 10022, seq 2, length 64

11:25:31. 697954 IP dd. local> 192.168.240.255: ICMPechorequest, id 10022, seq 3, length 64

11:25:32. 697970 IP dd. local> 192.168.240.255: ICMPechorequest, id 10022, seq 4, length 64

11:25:33. 697970 IP dd. local> 192.168.240.255: ICMPechorequest, id 10022, seq 5, length 64

11:25:34. 697982 IP dd. local> 192.168.240.255: ICMPechorequest, id 10022, seq 6, length 64

The packet matches the ICMP broadcast packet. to generate this packet, you only need to run ping-b192.168.240.255 on another host in the same LAN. of course, you can also generate multicast packets, there is no suitable software for simulation, so we will not give an example here.

(4) TCP packet matching

TCP is also one of the most important protocols in the TCP/IP protocol stack. It provides end-to-end reliable data streams. at the same time, many application layer protocols use TCP as the underlying communication protocol, because TCP matching is very important.

If you want to match the HTTP communication data, you only need to specify a condition that matches port 80.

Tcpdump 'tcp dst port 80'

Ylin @ ylin :~ $ Wget http://www.baidu.com 2> 1>/dev/null & sudo tcpdump-c 5 'tcp port 80'

[1] 10762

Tcpdump: verbose output suppressed, use-v or-vv forfullprotocol decode

Listening on eth0, link-type EN10MB (Ethernet), capturesize 96 bytes

12:02:47. 549056 IP xd-22-43-a8.bta.net.cn.www> ylin. local.47945: S 1202130469: 1202130469 (0) ack 1132882351 win2896

12:02:47. 549085 IP ylin. local.47945> xd-22-43-a8.bta.net.cn.www:. ack 1 win 183

12:02:47. 549226 IP ylin. local.47945> xd-22-43-a8.bta.net.cn.www: P (101) ack 1 win 183

12:02:47. 688978 IP xd-22-43-a8.bta.net.cn.www> ylin. local.47945:. ack 102 win 698

12:02:47. 693897 IP xd-22-43-a8.bta.net.cn.www> ylin. local.47945:. 1409 (1408) ack 102 win 724

(5) udp packet matching

Udp is a connectionless and unreliable user datagram. Therefore, the main feature of udp is also a port. you can use the following method to match a Port:

Tcpdump 'upd port 53 'to view DNS data packets

Ylin @ ylin :~ $ Ping-c 1 www.baidu.com>/dev/null & sudotcpdump-p udp port 53

[1] 11424

Tcpdump: verbose output suppressed, use-v or-vv forfullprotocol decode

Listening on eth0, link-type EN10MB (Ethernet), capturesize 96 bytes

12:28:09. 221950 IP ylin. local.32853> 192.168.200.150.domain: 63228 + PTR? 43.22.108.202.in-addr. arpa. (44)

12:28:09. 222607 IP ylin. local.32854> 192.168.200.150.domain: 5114 + PTR? 150.200.168.192.in-addr. arpa. (46)

12:28:09. 487017 IP 192.168.200.150.domain> ylin. local.32853: 63228 1/0/0 (80)

12:28:09. 487232 IP 192.168.200.150.domain> ylin. local.32854: 5114 NXDomain * 0/1/0 (140)

12:28:14. 488054 IP ylin. local.32854> 192.168.200.150.domain: 60693 + PTR? 69.240.168.192.in-addr. arpa. (45)

12:28:14. 755072 IP 192.168.200.150.domain> ylin. local.32854: 60693 NXDomain 0/1/0 (122)

Ping www.baidu.com to generate DNS requests and promises. 53 is the DNS port number.

In addition, there are many qualitifer that have not been mentioned. Below are other valid primitive which can be directly used in tcpdump.

Gateway host

Match the data packet that uses the host as the gateway, that is, the mac address (source or destination) in the data packet is the host, but the source and destination addresses reported by the IP are not the data packets of the host.

Dst net

Src net

Net

Net mask netmask

Net/len

Match the IPv4/v6 address as the net network datagram.

Net can be 192.168.0.0 or 192.168. For example, net 192.168 or net192.168.0.0

Net mask netmask is only valid for IPv4 packets, such as net 192.168.0.0 mask1_255.0.0

Net/len is only valid for IPv4 packets, such as net 192.168.0.0/16.

Dst portrange port1-port2

Src portrange port1-port2

Portrange port1-port2

Ip/tcp, ip/upd, ip6/tcp and ip6/udp packets that match the port within the port1-port2 range. Dst and src indicate the source or target respectively. If not, it indicates src or dst.

The less length matches packets whose length is less than or equal to the length.

Greater length matches packets whose length is greater than or equal to length.

The ip protochain protocol matches the ip packet whose protocol field value is protocol.

The ip6 protochain protocol matches the packet whose protocol field value is protocol in the ipv6 packet.

For example, tcpdump 'IP protochain 6 matches TCP packets in ipv4 networks'UsageSimilarly, here we connect two primitive. 6 is the number of the TCP protocol in the IP message.

Ether broadcast

Matching Ethernet broadcast packets

Ether multicast

Match multiple Ethernet broadcasts

Ip broadcast

Matches IPv4 broadcast packets. That is, IPv4 packets whose host number is all 0 or all 1 in the IP address.

Ip multicast

Match IPv4 multicast packets, that is, packets with IP addresses that are multicast addresses.

Ip6 multicast

Match IPv6 multicast packets, that is, packets with IP addresses that are multicast addresses.

Vlan ID

Packets that match vlan packets and whose vlan is vlan_id

For this reason, we have been introducing how primitive is used, that is, expression has only one primitive. By learning to write each primtive, we can easily combine multiple primitive into an expression. the method is simple and can be connected by logical operators. logical operators include the following three:

"&" Or "and"

"|" Or "or"

"!" Or "not"

Complex join operations can be performed through.

For example, tcpdump 'IP & tcp'

Tcpdump 'host 192.168.240.3 & (tcp port 80 | tcpport 443 )'

Through the above various primitive, we can write a lot of conditions, such as ip, tcp, udp, vlan, and so on. For example, IP addresses can be matched by address, and tcp/udp can be matched by Port. But what if I want to match more detailed conditions? For example, what if tcp only contains syn and fin packets? The above primitive may be powerless. Don't worry, tcpdump provides you with the most powerful primitive for the last function. remember to use primitive instead of expression. You can use multiple primitive to form a more complex expression.

The last primitive form is expr relop expr.

If you mark this form as A, you can write tcpdump 'A1 & A2 & ip src192.168.200.1 'and so on.

Next, let's analyze the form of A to see how powerful it is. if you think it is messy, we suggest you use the above knowledge to perform the operations several times, or else it will be messy, because expression is too complex.

Form: expr relop expr

Relop indicates the relational operator, which can be >,<,>=, <=, = ,! = One,

Expr is an arithmetic expression consisting of integers and binary operators (+,-, *,/, &, |, <,>), length operations, and packet data access sub. All integers are unsigned, that is, 0x80000000 and 0 xffffffff> 0. To access data in packets, you can use the following method:

Proto [expr: size]

Proto indicates the message to be asked. The expr result indicates the offset of the message. The size is optional, indicating the szie bytes starting from the expr offset. the entire expression is in the proto message, the content of the szie byte starting from expr (unsigned integer)

The following is an example of primitive in the form of expr relop expr:

'Ether [0] & 1! = 0 'Ether the first bit in the message is 1, that is, the primtive of Ethernet broadcast or multicast.

In this way, we can match any byte of the message, so its function is very powerful.

The first byte in the 'IP [0] = 4' ip packet is version, that is, the packet that matches IPv4,

If we want to match a syn packet, we can use: 'tcp [13] = 2' because the tcp flag is 13th bytes of the tcp packet, the syn is 1 bit lower in this byte, so it matches packets with only the syn sign. the above conditions are sufficient and strict.

If you want to match pingCommandYou can use 'icmp [0] = 8' for the request message, because the 0th characters of the icmp message indicate the type. if the type value is 8, the request is returned.

For common TCP and ICMP bytes, such as the flag in TCP and the type in ICMP, this offset is sometimes forgotten. However, tcpdump provides you with more convenientUsageYou do not need to remember these numbers. you can replace them with characters.

For ICMP packets, the type byte can be icmptype to indicate its partial weighing. the above primitive can be changed to 'icmp [icmptype] = 8'. what if 8 cannot be remembered? Tcpdump also provides character representation for the value of this byte, for example, 'icmp [icmptype] = icmp-echo '.

The following is the character offset provided by tcpdump:

Icmptype: the offset of the byte in the icmp message.

Icmpcode: the offset of the encoded byte in the icmp message.

Tcpflags: the offset of the flag byte in the TCP message.

In addition, many values are provided to correspond to the above offset bytes:

The value of type bytes in ICMP can be:

Icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redi? Rect, icmp-echo, icmp-routeradvert, icmp-routersolicit,

Icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstam? Preply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The value of the flag byte in TCP can be:

Tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

With the above characters, we can write the following primitive

'Tcp [tcpflags] = tcp-sync' matches tcp packets whose syn flag is set to 1.

'Tcp [tcpflags] & (tcp-syn | tcp-ack | tcp-fin )! = 0' match TCP packets containing syn, ack, or fin flag

For IP packets, no character support is provided. if you want to match more detailed conditions, you can use the numeric offset directly. However, you must have a deeper understanding of IP packets.

After learning to write primitive, expression is a piece of cake, composed of one or more primitive, and logical connector composition:

Tcpdump 'host 192.168.240.91 & icmp [icmptype] = icmp-echo'

Tcpdump 'host 192.168.1.100 & vrrp'

Tcpdump 'Ether src 00: 00: 00: 00: 02 & ether [0] & 1! = 0'

It allows you to use tcpdump as you like, and you no longer need to pick packets from complicated output!

In this way, we can write more complex expressions to match packets, such as the IP address or the packet id in TCP, the IP address is the segment mark in ICMP, and the type and code in ICMP.