In Linux, tcpdump is saved and the result is pcap file wireshark analysis.

The command parameter for saving tcpdump packets to a file is-wxxx. cap capture eth1 package tcpdump-ieth1-w/tmp/xxx. cap catch 192.168.1.123 package tcpdump-ieth1host192.168.1.123-w/tmp/xxx. cap catch 192.168.1.123 port 80 package tcpdump-ieth1ho

TcpdumpThe command parameter for saving a packet to a file is-w xxx. cap.

Capture the eth1 package

Tcpdump-I eth1-w/tmp/xxx. cap

Capture the packet of 192.168.1.123

Tcpdump-I eth1 host 192.168.1.123-w/tmp/xxx. cap

Capture Port 80 of 192.168.1.123

Tcpdump-I eth1 host 192.168.1.123 and port 80-w/tmp/xxx. cap

Capture the icmp packet of 192.168.1.123

Tcpdump-I eth1 host 192.168.1.123 and icmp-w/tmp/xxx. cap

Capture packets of port 80 of 192.168.1.123 and ports other than 110 and 25

Tcpdump-I eth1 host 192.168.1.123 and! Port 80 and! Port 25and! Port 110-w/tmp/xxx. cap

Capture vlan 1 packets

Tcpdump-I eth1 port 80 and vlan 1-w/tmp/xxx. cap

Capture pppoe password

Tcpdump-I eth1 pppoes-w/tmp/xxx. cap

Save the file in 100 MB, and open a file larger than MB-C MB

Capture 10000 packets and exit-c 10000

Packet capture in the background, and the exit of the console will not be affected:

Nohup tcpdump-I eth1 port 110-w/tmp/xxx. cap &

You can use ethereal or wireshark to open the captured file.