tcpdump is a commonly used packet-capture tool on Linux. This post records the usual way of using it; the test machine runs Ubuntu 12.04.
The tcpdump command format
tcpdump has a great many parameters, and man tcpdump gives the full description. Only the parameters the author uses most often are covered here:
$ tcpdump [-i interface] -nnAX 'expression'
The parameters are described as follows:
- -i interface: the network interface to listen on.
- -nn: show source and destination hosts as IP addresses and port numbers instead of resolving hostnames and service names.
- -A: print each packet in ASCII, which is useful when capturing web traffic.
- -X: print each packet in both hex and ASCII.
- expression: there are many kinds of filter expression; the common ones are host <host>, port <port>, src host <host> and dst host <host>. Several conditions can be combined with and / or, and a condition can be negated with !. For the full syntax see man 7 pcap-filter.
Some test commands follow. If you do not have permission to capture, switch to the root user first.
Listening on interface eth0
$ tcpdump -i eth0
This is the simplest form, but not very useful on its own: packet summaries scroll past faster than they can be read. Press Ctrl+C to stop. If you need to study the output, redirect it to a file, which is much more convenient to inspect.
Listening for a specified protocol
$ tcpdump -i eth0 -nn 'icmp'
This captures ICMP traffic, the protocol used by the ping command. To capture TCP or UDP instead, replace icmp in the example with tcp or udp. Ping the listening machine and the output looks like this:
[Figure: example of capturing packets on Linux with tcpdump]
The fields of each line, in order, are:
capture timestamp, IP, sending host and port > receiving host and port, packet contents
Listening on a specified host
$ tcpdump -i eth0 -nn 'host 192.168.1.231'
In this case both the packets received by host 192.168.1.231 and the packets it sends are captured.
$ tcpdump -i eth0 -nn 'src host 192.168.1.231'
Only the packets sent by host 192.168.1.231 are captured.
$ tcpdump -i eth0 -nn 'dst host 192.168.1.231'
Only the packets received by host 192.168.1.231 are captured.
Listening on a specified port
$ tcpdump -i eth0 -nnA 'port 80'
The example above captures every packet the host sends or receives on port 80. Combined with the -A parameter this is really useful in web development.
Listening on a specified host and port
$ tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.231'
Multiple conditions can be joined with and / or. The example above captures the packets sent by host 192.168.1.231 on port 80.
Listening on every port except one
$ tcpdump -i eth0 -nnA '!port 22'
To exclude a port or a host, use the ! symbol. The example above captures packets on every port other than 22.
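The line format explained in the ICMP section and the host / src host / dst host / port filters used above, re-implemented over a constructed sample of tcpdump -nn output so the selection rules can be checked offline. This is an added example, not code from the original post; the sample lines, the proto classification and the function names are the editor's own assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -i eth0 -nn` output (not a real capture).
SAMPLE = """\
10:21:31.123456 IP 192.168.1.231 > 192.168.1.100: ICMP echo request, id 1234, seq 1, length 64
10:21:31.123500 IP 192.168.1.100 > 192.168.1.231: ICMP echo reply, id 1234, seq 1, length 64
10:21:32.000001 IP 192.168.1.231.51512 > 192.168.1.100.80: Flags [S], seq 1, win 29200, length 0
10:21:32.000100 IP 192.168.1.100.80 > 192.168.1.231.51512: Flags [S.], seq 2, ack 2, win 28960, length 0
10:21:33.500000 IP 192.168.1.231.51513 > 192.168.1.100.22: Flags [S], seq 5, win 29200, length 0
"""
# One -nn line: timestamp, "IP", src[.port] > dst[.port]: rest of the summary.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)

def parse_line(line):
    """Split one tcpdump -nn line into its fields; None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):          # ICMP lines carry no ports
        rec[key] = int(rec[key]) if rec[key] else None
    info = rec["info"]
    rec["proto"] = "ICMP" if info.startswith("ICMP") else "TCP" if "Flags [" in info else "other"
    return rec

def matches(rec, host=None, src_host=None, dst_host=None, port=None):
    """The page's filter primitives (host / src host / dst host / port), ANDed together."""
    if host and host not in (rec["src"], rec["dst"]):
        return False
    if src_host and rec["src"] != src_host:
        return False
    if dst_host and rec["dst"] != dst_host:
        return False
    if port and port not in (rec["sport"], rec["dport"]):
        return False
    return True

def select(text, **conds):
    """Parsed packet records from a block of tcpdump output that satisfy the conditions."""
    recs = (parse_line(line) for line in text.splitlines())
    return [r for r in recs if r and matches(r, **conds)]

def summarize(text):
    """Packet count per (proto, src, dst, dport): a quick triage view of a capture."""
    return Counter((r["proto"], r["src"], r["dst"], r["dport"]) for r in select(text))
```

select(SAMPLE, port=80, src_host="192.168.1.231") returns the single packet that the 'port 80 and src host 192.168.1.231' filter above would keep, while host= matches both directions, as the section states.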
Summary:
tcpdump has many parameters and a great many expression options and is very powerful, but the functions used day to day are few. Details can be found in the man pages.
Also, when capturing web packets, the web content being sent showed up as very strange characters. It turned out that Apache had gzip compression enabled; turning it off fixes this. On Ubuntu 12.04, edit /etc/apache2/mods-enabled/deflate.load (for example with vim), comment out the line that loads deflate_module, and restart Apache.
Reference article: http://www.01happy.com/linux-use-tcpdump-capture-network-packets/
Linux: capturing network packets with the tcpdump tool, with multiple examples