tcpdump Command Options Introduction
-A    Print each packet (minus its link-layer header) in ASCII. Handy for capturing web pages, since the HTTP request and response text can be read directly in the output.
-c count    Exit after receiving count packets.
-C file_size    Used together with -w. Before writing each raw packet to the savefile, check whether the file is currently larger than file_size; if so, close the current savefile and open a new one. Savefiles after the first have the name given with -w followed by a number, starting at 1 and increasing. file_size is in millions of bytes (NT: 1,000,000 bytes, not 1,048,576 = 1024 * 1024 bytes).
-d    Dump the compiled packet-matching code (the BPF program built from the filter expression) in a human-readable form to standard output and stop.
-dd    Dump the packet-matching code as a C program fragment.
-ddd    Dump the packet-matching code as decimal numbers, preceded by a count.
-D    Print the list of network interfaces on which tcpdump can capture packets. For each interface a number, its name and possibly a description are printed. The name or the number can be passed to the -i option to select the interface. This is useful on systems that lack a command to list interfaces (for example Windows, or a UNIX system without ifconfig -a); the number is useful on Windows 2000 and later, where the interface name is a long, unwieldy string. -D is not supported if tcpdump was built against a libpcap too old to have the pcap_findalldevs() function.
-e    Print the link-layer header on each dump line.
-E spi@ipaddr algo:secret,...    Decrypt IPsec ESP (Encapsulating Security Payload) packets addressed to ipaddr and carrying the Security Parameters Index spi, using algorithm algo and key secret. (NT: ESP encrypts either a whole IP packet, tunnel mode, or only the upper-layer payload, transport mode; without the key tcpdump can only show the ESP header.) Note that only IPv4 ESP packets are decrypted. Supported algorithms are des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc and none; the default is des-cbc (DES: Data Encryption Standard). Decryption is only available if tcpdump was compiled with cryptography support. secret is the ASCII text of the key; if it starts with 0x it is read as a hexadecimal value. The definition of ESP followed here is RFC 2406, not RFC 1827. This option is meant for debugging only, and using it with a real key is unsafe: a secret given on the command line can be read by other users of the machine through ps and similar commands. Besides the spi@ipaddr algo:secret syntax, the form "file name" (the word file followed by a file name) makes tcpdump read the secrets from that file. The file is opened only when the first ESP packet arrives, so any special privileges tcpdump was started with should already have been given up by then (see -Z); otherwise a privileged process would be opening a file of the invoking user's choosing.
-f    Print 'foreign' IPv4 addresses numerically rather than symbolically. (NT: a foreign address is one outside the local network; the option exists to work around a defect in Sun's NIS server, Network Information Service, which tcpdump would otherwise consult for the name and which tends to hang forever translating non-local addresses.) The test for whether an address is foreign uses the IPv4 address and netmask of the interface on which the capture is done. If that address or netmask is not available, or the interface has no network address at all (NT: the Linux 'any' pseudo-interface, which receives packets from every interface on the system, has none), this option cannot work correctly.
-F file    Use file as input for the filter expression. Any expression given on the command line is ignored.
-i interface    Listen on interface. If none is specified, tcpdump searches the system interface list for the lowest numbered, configured interface that is up (excluding loopback) and takes the first match. On Linux systems with 2.2 or later kernels, the 'any' pseudo-interface can be used to capture packets from all interfaces (NT: this includes packets that are not addressed to this host). Note that captures on 'any' are not done in promiscuous mode. If -D is supported, the interface number it prints can be used here instead of a name.
-l    Make standard output line buffered (NT: each line is flushed as soon as it is complete rather than when the buffer fills). Useful when you want to watch the output while also saving it, for example 'tcpdump -l | tee dat' or 'tcpdump -l > dat & tail -f dat'. (NT: the first copies tcpdump's output to both the file dat and the terminal with tee; the second redirects it into dat and follows the file with tail.)
-L    List the known data link types for the interface (given with -i) and exit.
-m module    Load SMI MIB module definitions from the file module (SMI: Structure of Management Information; MIB: Management Information Base; both are needed to decode SNMP, Simple Network Management Protocol, packets with meaningful object names). This option can be given several times to load several MIB modules.
-M secret    Use secret as the shared secret for validating the digests in TCP segments that carry the TCP-MD5 option (RFC 2385). (NT: this is a shared key, not a public key; as with -E, a secret given on the command line can be read by other users via ps.)
-n    Don't convert addresses (host addresses, port numbers and so on) to names.
-N    Don't print the domain name part of host names. For example, with this option tcpdump prints 'nic' instead of 'nic.ddn.mil'.
-O    Don't run the packet-matching code optimizer. Useful if you suspect a bug in the optimizer.
-p    Don't put the interface into promiscuous mode. Note that the interface may be in promiscuous mode for some other reason, so -p cannot be used as shorthand for the filter 'ether host {local-hw-addr} or ether broadcast' (NT: the former matches frames addressed to this host's own Ethernet address, the latter frames sent to the broadcast address).
-q    Quick (quiet?) output. Print less protocol information, so output lines are shorter.
-R    Assume ESP/AH packets follow the old specification (RFC 1825 to RFC 1829) (NT: AH, Authentication Header, and ESP are the two IPsec headers used to protect IP packets). With this option tcpdump will not print the replay-prevention field. Since the ESP/AH specification has no protocol version field, tcpdump cannot deduce the version from a received packet.
-r file    Read packets from file (created with -w). If file is '-', standard input is used.
-S    Print absolute rather than relative TCP sequence numbers. (NT: the relative number is the offset from the first sequence number seen on that connection; if the first packet carried 232323, the next two are printed as 1 and 2, whereas with -S they are printed as 232324 and 232325.)
-s snaplen    Capture snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, Network Interface Tap, the minimum is actually 96). 68 bytes is adequate for IP, ICMP (Internet Control Message Protocol), TCP and UDP headers but may truncate protocol information from name server (DNS) and NFS packets. Packets truncated because of a limited snapshot are indicated in the output with '[|proto]', where proto is the protocol level at which the truncation occurred. Note that taking larger snapshots increases the time needed to process each packet and reduces the amount of packet buffering, which may cause packets to be lost. So limit snaplen to the smallest number that still captures the protocol information you need. Setting snaplen to 0 means use the length required to catch whole packets. (NT: recent tcpdump releases default to capturing whole packets; 68 is the old default.)
-T type    Force packets selected by the expression to be interpreted as the specified type. Known types: aodv (Ad-hoc On-demand Distance Vector protocol, used in ad hoc networks), cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications Control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool, an Internet conferencing application) and wb (distributed White Board, a conferencing application).
-t    Don't print a timestamp on each dump line.
-tt    Print an unformatted timestamp on each dump line (NT: seconds since the epoch, for example 1261798315, which is not readable at a glance).
-ttt    Print the delta (in microseconds) between the current and the previous line on each dump line.
-tttt    Print a timestamp in the default format preceded by the date on each dump line.
-u    Print undecoded NFS handles (NT: the handle is NFS's opaque reference to a file or directory).
-U    Make the raw packet output written with -w "packet-buffered": each packet is written to the savefile as soon as it is captured, rather than only when the output buffer fills. -U is not supported if tcpdump was built against a libpcap that lacks the pcap_dump_flush() function.
-v    Slightly more verbose output when parsing and printing. For example, the time to live, identification, total length and options of an IP packet are printed. This also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.
-vv    Even more verbose than -v. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
-vvv    Even more verbose than -vv. For example, telnet SB ... SE options (suboption negotiation) are printed in full; with -X, telnet options are printed in hex as well.
-w file    Write the raw packets to file rather than parsing and printing them. They can later be read back and printed with -r. If file is '-', standard output is used.
-W filecount    Used with -C, this limits the number of files created to filecount; once that many exist, tcpdump starts overwriting from the first one, which gives a rotating buffer of filecount files. Files are also named with enough leading zeros to support the maximum number of files, so that they sort correctly.
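The -s, -w, -r and -t family of options all concern the savefile tcpdump writes and reads. The following added example, not tcpdump or libpcap code, writes and reads the libpcap savefile format in Python so that the effect of -s snaplen is visible on disk: each record stores the number of bytes kept (caplen) next to the real wire length, and a record with caplen smaller than len is exactly the packet that tcpdump -r would print with a '[|proto]' marker. The timestamp formatter mimics the default, -tt and -tttt renderings (in UTC here; tcpdump uses local time). The two sample frames and the timestamp value are constructed, and 262144 is libpcap's MAXIMUM_SNAPLEN, used as the meaning of '-s 0'.

```python
"""Reader/writer for the libpcap savefile format that 'tcpdump -w' produces
and 'tcpdump -r' reads. Added example; not tcpdump or libpcap code."""
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4        # microsecond timestamps, writer's byte order
MAX_SNAPLEN = 262144           # libpcap MAXIMUM_SNAPLEN; what '-s 0' means
LINKTYPE_ETHERNET = 1


def write_pcap(packets, snaplen, linktype=LINKTYPE_ETHERNET):
    """packets: iterable of (ts_sec, ts_usec, frame bytes). Mimics -s:
    a record keeps at most snaplen bytes (incl_len) but always stores the
    real wire length (orig_len). snaplen 0 means keep whole packets."""
    limit = snaplen or MAX_SNAPLEN
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, limit, linktype))
    for ts_sec, ts_usec, data in packets:
        captured = data[:limit]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data))
        out += captured
    return bytes(out)


def read_pcap(blob):
    """Parse a savefile into its header fields and records. A record whose
    caplen < len was cut by the snapshot length; tcpdump shows it as [|proto]."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # written on a host of the other byte order
        endian = ">"
    else:
        raise ValueError("not a pcap savefile (magic 0x%08x)" % magic)
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + caplen > len(blob):   # hostile or cut-off file: do not read past the end
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "caplen": caplen,
                        "len": origlen, "truncated": caplen < origlen,
                        "data": blob[off:off + caplen]})
        off += caplen
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "records": records}


def fmt_timestamp(ts_sec, ts_usec, mode=""):
    """Render a record timestamp like tcpdump's -t family: '' for the default
    HH:MM:SS.usec, 'tt' for the raw epoch value, 'tttt' for date plus time.
    UTC is used here for determinism; tcpdump itself prints local time."""
    if mode == "tt":
        return "%d.%06d" % (ts_sec, ts_usec)
    t = time.gmtime(ts_sec)
    if mode == "tttt":
        return time.strftime("%Y-%m-%d %H:%M:%S", t) + ".%06d" % ts_usec
    return time.strftime("%H:%M:%S", t) + ".%06d" % ts_usec


def summarize(blob, mode=""):
    """One line per record: timestamp, bytes captured, wire length, truncation."""
    lines = []
    for r in read_pcap(blob)["records"]:
        mark = " [|truncated]" if r["truncated"] else ""
        lines.append("%s caplen %d len %d%s" % (
            fmt_timestamp(r["ts_sec"], r["ts_usec"], mode), r["caplen"], r["len"], mark))
    return lines


# Constructed sample: a 60-byte frame and a 200-byte frame at the epoch value
# used elsewhere on this page, saved once with -s 68 and once with -s 0.
SAMPLE_PACKETS = [(1261798315, 0, bytes(60)), (1261798315, 500000, bytes([0x11]) * 200)]
SAMPLE_68 = write_pcap(SAMPLE_PACKETS, snaplen=68)
SAMPLE_FULL = write_pcap(SAMPLE_PACKETS, snaplen=0)

if __name__ == "__main__":
    for line in summarize(SAMPLE_68, "tttt"):
        print(line)
```

Run as a script it prints one line per record; the second frame, 200 bytes captured with a 68-byte snapshot, is marked as truncated, while the same frames written with snaplen 0 are not. The bounds check on each record length matters because savefiles are untrusted input: a crafted incl_len must not be allowed to read past the buffer. To confirm the format, write SAMPLE_68 to a file and open it with tcpdump -r.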
-x    When parsing and printing, in addition to the headers of each packet, print the data of each packet (minus its link-layer header) in hex. The smaller of the entire packet or snaplen bytes is printed. Note that this is the entire link-layer packet, so for link layers that pad (for example Ethernet), the padding bytes are also printed when the higher-layer packet is shorter than the required padding.
-xx    Like -x, but the link-layer header is included.
-X    When parsing and printing, print the data of each packet (minus its link-layer header) in hex and ASCII. Handy for analyzing packets of new protocols.
-XX    Like -X, but the link-layer header is included.
-y datalinktype    Set the data link type to use while capturing packets to datalinktype (see -L for the types an interface supports).
-Z user    If tcpdump is running as root, then after opening the capture device or input savefile, but before opening any output savefile, change the user ID to user and the group ID to the primary group of user. (NT: starting tcpdump as root gives the process root privileges; this drops them for the rest of the run, so that the packet parsing, which handles untrusted input, does not run as root.) This behaviour can also be enabled by default at compile time.
tcpdump Simple Command
tcpdump
Started with no arguments, tcpdump captures all packets passing through the first network interface.
Monitoring packets for a specified network interface
tcpdump -i eth1
If no interface is given, tcpdump captures only on the first network interface, typically eth0; the following examples do not specify an interface.
Capture the packets of a specified host: print all packets arriving at or departing from sundown.
tcpdump host sundown
An IP address can be used instead of a name. To capture all packets received or sent by 210.27.48.1:
tcpdump host 210.27.48.1
Print packets exchanged between helios and either hot or ace (the parentheses are escaped so the shell does not interpret them):
tcpdump host helios and \( hot or ace \)
Capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3; the same pattern applies with addresses:
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
Print the IP packets exchanged between ace and any other host, excluding those with helios.
tcpdump ip host ace and not helios
To get the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2, use (! is the same as not):
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Capture all packets sent by host hostname:
tcpdump -i eth0 src host hostname
Capture all packets sent to host hostname:
tcpdump -i eth0 dst host hostname