As its name suggests, tcpdump, a network data capture and analysis tool, captures the packets passing through a network interface and prints their headers for analysis. Its filter language can select by link layer, protocol, host, network or port, and the primitives can be combined with and, or and not to drop traffic you do not need. tcpdump is free software.
Introduction to the network data collection and analysis tool tcpdump
tcpdump's own one-line description is as short as it gets: "dump the traffic on a network". It captures the packets that pass an interface, selected by a filter the user supplies, and prints their headers for analysis. Filters can select by link layer, protocol, host, network or port, and primitives can be combined with and, or and not to remove uninteresting traffic. As one of the classic tools of the Internet system administrator, its power and flexible capture policies make it indispensable for analysing a network and troubleshooting problems.

tcpdump is free software, and because it ships with source code and an open capture interface it is highly extensible, which makes it equally useful to network maintainers and to intruders. It is part of the base FreeBSD system. Capturing requires putting the interface into promiscuous mode, so an unprivileged user cannot run it, while a user with root privileges can run it directly and read whatever crosses the interface. A packet analyser on a host is therefore not a threat to that host's own security, but it is a threat to the other computers on the network whose traffic it can read (on a shared medium, all of it; on a switched network only broadcast, flooded and locally addressed frames unless the attacker also redirects traffic).
Installation of the network data collection and analysis tool tcpdump
System environment: CentOS 5.5
Software: tcpdump-3_4a5.rpm
Install the package: rpm -ivh tcpdump-3_4a5.rpm
(CentOS also ships a current tcpdump in its own repositories, so yum install tcpdump is the usual route; the standalone RPM above is what this article used.)
Usage
Introduction to tcpdump options
Options are case-sensitive: -c and -C, -t and -T, -f and -F are different options, so copy them exactly as written here.
-a: try to convert network and broadcast addresses to names (present in tcpdump 3.x, removed in later versions);
-d: dump the compiled packet-matching code in a human-readable, assembler-like form and exit (useful for checking that a filter expression means what you think);
-dd: dump the packet-matching code as a C program fragment;
-ddd: dump the packet-matching code as decimal numbers;
-e: print the link-layer header on each output line;
-f: print "foreign" Internet addresses numerically rather than symbolically;
-l: make standard output line-buffered (needed when piping output into another program while watching it);
-n: do not convert addresses to names; this also avoids the reverse DNS lookups that slow capture down and reveal to the DNS server which hosts you are looking at;
-t: do not print a timestamp on each output line;
-v: slightly more verbose output; for example, IP packets also show TTL and type of service;
-vv: even more verbose output;
-c count: stop after receiving the given number of packets;
-F file: read the filter expression from the file and ignore any expression given on the command line;
-i interface: the network interface to listen on;
-r file: read packets from the file instead of the network (normally a file created with -w);
-w file: write the raw packets to the file without parsing or printing them (note that tcpdump 3.x saves only the first 68 bytes of each packet by default, so raise the snapshot length with -s if you need payloads);
-T type: interpret captured packets as the given type; common types include rpc (remote procedure call) and snmp (Simple Network Management Protocol).
Examples:
1. Capture every packet sent to or from host 192.168.0.102:
tcpdump host 192.168.0.102
2. Capture the IP packets exchanged between host 192.168.0.102 and any host other than 119.75.217.56:
tcpdump ip host 192.168.0.102 and not host 119.75.217.56
(not and ! are equivalent in the filter language, and an address without a keyword inherits the previous one, so "and ! 119.75.217.56" means the same; "not" is safer because ! is special in some shells.)
3. Capture the telnet packets sent or received by host 210.27.48.1 (a port-23 filter, which is what "telnet" means here; tcpdump does not decode the protocol):
tcpdump tcp port 23 and host 210.27.48.1
Primitives must be joined with and/or; "tcp port 23 host 210.27.48.1" without the and is a syntax error.
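What the three filters above actually select, and what the file written by -w looks like, is easier to see with a small reader. The following is an added example, not code from the original article or from the tcpdump project: it writes a few constructed packets into an in-memory capture in the classic libpcap format that tcpdump -w produces, parses it back (the way tcpdump -r would), and applies the same three filter expressions, including the case a port filter alone would get wrong (a UDP packet to port 23, which "tcp port 23" must not match). The Packet fields, the combinator names host, tcp_port, not_ and and_, and the sample addresses and ports are this example's own assumptions.

```python
"""Read a libpcap (tcpdump -w) capture and apply host/port filters.

Added example, not from the original article or from tcpdump itself. The
capture is constructed in memory so the script runs offline; to use a real
file, pass the bytes of something saved with `tcpdump -w` to read_pcap().
"""
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    """Only the fields a host/port filter needs (assumed layout for this example)."""
    ts: float
    src: str
    dst: str
    proto: int
    sport: int      # 0 when the packet carries no TCP/UDP header
    dport: int
    length: int     # original on-the-wire length, not the saved length


def build_frame(src: str, dst: str, sport: int, dport: int, proto: int = IPPROTO_TCP) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed sample data, checksums left zero)."""
    l4 = struct.pack("!HH", sport, dport)
    if proto == IPPROTO_TCP:   # seq, ack, data offset 5, SYN flag, window, checksum, urgent pointer
        l4 += struct.pack("!IIBBHHH", 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:                      # UDP length and checksum
        l4 += struct.pack("!HH", 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def write_pcap(frames: List[bytes], t0: int = 1_700_000_000) -> bytes:
    """Serialise frames as a little-endian classic pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(frame: bytes, ts: float, orig_len: int) -> Optional[Packet]:
    """Pull addresses, protocol and ports out of an Ethernet/IPv4 frame; non-IPv4 frames yield None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(frame) < l4 + 4:
        return Packet(ts, src, dst, proto, 0, 0, orig_len)
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return Packet(ts, src, dst, proto, sport, dport, orig_len)


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Walk a classic pcap file (either byte order); a truncated last record ends iteration quietly."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:          # e.g. tcpdump was killed mid-write
            break
        pkt = parse_frame(frame, ts_sec + ts_usec / 1e6, orig_len)
        if pkt is not None:
            yield pkt


# Filter combinators mirroring the BPF primitives used in the article's examples.
Filter = Callable[[Packet], bool]

def host(addr: str) -> Filter:
    return lambda p: p.src == addr or p.dst == addr

def tcp_port(n: int) -> Filter:
    # "tcp port 23" is protocol-qualified: a UDP packet to port 23 must not match.
    return lambda p: p.proto == IPPROTO_TCP and (p.sport == n or p.dport == n)

def not_(f: Filter) -> Filter:
    return lambda p: not f(p)

def and_(*fs: Filter) -> Filter:
    return lambda p: all(f(p) for f in fs)

def count(pcap: bytes, f: Filter) -> int:
    return sum(1 for p in read_pcap(pcap) if f(p))


# Constructed sample capture: five packets chosen to separate the three filters.
SAMPLE_PCAP = write_pcap([
    build_frame("192.168.0.102", "119.75.217.56", 40000, 80),
    build_frame("192.168.0.102", "210.27.48.1", 40001, 23),
    build_frame("210.27.48.1", "192.168.0.102", 23, 40001),
    build_frame("10.0.0.5", "210.27.48.1", 5555, 23),
    build_frame("192.168.0.102", "210.27.48.1", 5353, 23, proto=IPPROTO_UDP),
])

FILTERS = {
    "host 192.168.0.102": host("192.168.0.102"),
    "ip host 192.168.0.102 and not host 119.75.217.56":
        and_(host("192.168.0.102"), not_(host("119.75.217.56"))),
    "tcp port 23 and host 210.27.48.1": and_(tcp_port(23), host("210.27.48.1")),
}

if __name__ == "__main__":
    for expr, f in FILTERS.items():
        print(f"{count(SAMPLE_PCAP, f)} packet(s) match: {expr}")
```

On the sample capture the three expressions match 4, 3 and 3 packets respectively: the UDP packet to port 23 counts for the two host filters but not for "tcp port 23", and the packet from 10.0.0.5 to 210.27.48.1 port 23 counts only for the third. Real captures contain frames this reader skips (ARP, IPv6, VLAN-tagged frames, the pcapng format written by newer tools), so treat it as a model of the filter semantics, not a replacement for tcpdump -r.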