Linux tcpdump command: how to use tcpdump


tcpdump prints the headers of packets on a network interface that match a boolean filter expression. On Linux it must be run as root (or by a user that holds the CAP_NET_RAW and CAP_NET_ADMIN capabilities), because it opens a raw packet socket and may put the interface into promiscuous mode.

Syntax

tcpdump [-adeflnNOpqStvx] [-c <count>] [-dd] [-ddd] [-F <expression file>] [-i <interface>] [-r <packet file>] [-s <snaplen>] [-tt] [-T <packet type>] [-vv] [-w <packet file>] [expression]

Option letters are case-sensitive: -i, -r, -s and -w are lower case, and -N, -O, -S and -T mean something different from -n, -o, -s and -t.

Parameter description:

  • -a: attempt to convert network and broadcast addresses to names.

  • -c <count>: exit after receiving <count> packets.

  • -d: dump the compiled packet-matching code in a human-readable form to standard output and stop.

  • -dd: dump the compiled packet-matching code as a C program fragment.

  • -ddd: dump the compiled packet-matching code as decimal numbers, preceded by a count.

  • -e: print the link-level header on each dump line.

  • -f: print "foreign" IPv4 addresses numerically rather than symbolically.

  • -F <expression file>: read the filter expression from the file; any expression given on the command line is ignored.

  • -i <interface>: listen on (capture from) the given interface; tcpdump does not send packets.

  • -l: make standard output line-buffered, which is useful when piping the output to another program.

  • -n: do not convert addresses (host addresses, port numbers) to names.

  • -N: do not print the domain-name qualification of host names (print "nic" instead of "nic.ddn.mil").

  • -O: do not run the packet-matching code optimizer.

  • -p: do not put the interface into promiscuous mode.

  • -q: quick (quiet) output; print less protocol information so the lines are shorter.

  • -r <packet file>: read packets from a file (created with -w) instead of from a live interface.

  • -s <snaplen>: capture <snaplen> bytes of each packet instead of the default (96 bytes in the examples below); in tcpdump 4.0 and later, 0 means the whole packet.

  • -S: print absolute rather than relative TCP sequence numbers.

  • -t: do not print a timestamp on each dump line.

  • -tt: print an unformatted timestamp on each dump line.

  • -T <packet type>: force packets selected by the expression to be interpreted as the given type.

  • -v: verbose output.

  • -vv: even more verbose output.

  • -x: print each packet in hex.

  • -w <packet file>: write the raw packets to the file rather than parsing and printing them.

Examples

Show packet headers on the default interface (no filter)

# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:35:55.129998 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 148872068:148872168(100) ack 4184371747 win 2100
23:35:55.182357 IP 192.168.0.1.2101 > 192.168.0.3.ssh: . ack 100 win 64240
23:35:55.182397 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 100:200(100) ack 1 win 2100
23:35:55.131713 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: 50226+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:35:55.131896 PPPoE [ses 0x1cb0] IP 118.250.6.85.64215 > dns2.cs.hn.cn.domain: 50226+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:35:55.154238 PPPoE [ses 0x1cb0] IP dns2.cs.hn.cn.domain > 118.250.6.85.64215: 50226 NXDomain 0/0/0 (42)
23:35:55.156298 IP dns2.cs.hn.cn.domain > 192.168.0.3.32804: 50226 NXDomain 0/0/0 (42)
23:35:55.159292 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: 30304+ PTR? 3.0.168.192.in-addr.arpa. (42)
23:35:55.159449 PPPoE [ses 0x1cb0] IP 118.250.6.85.64215 > dns2.cs.hn.cn.domain: 30304+ PTR? 3.0.168.192.in-addr.arpa. (42)
23:35:55.179816 PPPoE [ses 0x1cb0] IP dns2.cs.hn.cn.domain > 118.250.6.85.64215: 30304 NXDomain 0/0/0 (42)
23:35:55.181279 IP dns2.cs.hn.cn.domain > 192.168.0.3.32804: 30304 NXDomain 0/0/0 (42)
23:35:55.181806 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 200:268(68) ack 1 win 2100
23:35:55.182177 IP 192.168.0.1.2101 > 192.168.0.3.ssh: . ack 268 win 64198
23:35:55.182677 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: 43983+ PTR? 112.96.103.202.in-addr.arpa. (45)
23:35:55.182807 PPPoE [ses 0x1cb0] IP 118.250.6.85.64215 > dns2.cs.hn.cn.domain: 43983+ PTR? 112.96.103.202.in-addr.arpa. (45)
23:35:55.183055 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 268:352(84) ack 1 win 2100
23:35:55.201096 PPPoE [ses 0x1cb0] IP dns2.cs.hn.cn.domain > 118.250.6.85.64215: 43983 1/0/0 (72)
23:35:55.203087 IP dns2.cs.hn.cn.domain > 192.168.0.3.32804: 43983 1/0/0 (72)
23:35:55.204666 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 352:452(100) ack 1 win 2100
23:35:55.204852 IP 192.168.0.1.2101 > 192.168.0.3.ssh: . ack 452 win 64152
23:35:55.205305 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 452:520(68) ack 1 win 2100
23:35:55.205889 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: 9318+ PTR? 85.6.250.118.in-addr.arpa. (43)
23:35:55.206071 PPPoE [ses 0x1cb0] IP 118.250.6.85.64215 > dns2.cs.hn.cn.domain: 9318+ PTR? 85.6.250.118.in-addr.arpa. (43)
23:35:55.215338 PPPoE [ses 0x1cb0] IP 115.238.1.45.3724 > 118.250.6.85.64120: P 2392751922:2392751987(65) ack 2849759785 win 54
23:35:55.216273 IP 115.238.1.45.3724 > 192.168.0.65.2057: P 2392751922:2392751987(65) ack 2849759785 win 54
23:35:55.329204 IP 192.168.0.1.2101 > 192.168.0.3.ssh: . ack 520 win 64135
23:35:55.458214 IP 192.168.0.65.2057 > 115.238.1.45.3724: . ack 65 win 32590
23:35:55.458221 PPPoE [ses 0x1cb0] IP 118.250.6.85.64120 > 115.238.1.45.3724: . ack 65 win 32590
23:35:55.708228 PPPoE [ses 0x1cb0] IP 115.238.1.45.3724 > 118.250.6.85.64120: P 65:118(53) ack 1 win 54
23:35:55.710213 IP 115.238.1.45.3724 > 192.168.0.65.2057: P 65:118(53) ack 1 win 54
23:35:55.865151 IP 192.168.0.65.2057 > 115.238.1.45.3724: . ack 118 win 32768
23:35:55.865157 PPPoE [ses 0x1cb0] IP 118.250.6.85.64120 > 115.238.1.45.3724: . ack 118 win 32768
23:35:56.242805 IP 192.168.0.65.2057 > 115.238.1.45.3724: P (24) ack 118 win 32768
23:35:56.242812 PPPoE [ses 0x1cb0] IP 118.250.6.85.64120 > 115.238.1.45.3724: P (24) ack 118 win 32768
23:35:56.276816 PPPoE [ses 0x1cb0] IP 115.238.1.45.3724 > 118.250.6.85.64120: . ack 25 win 54
23:35:56.278240 IP 115.238.1.45.3724 > 192.168.0.65.2057: . ack 25 win 54
23:35:56.349747 PPPoE [ses 0x1cb0] IP 115.238.1.45.3724 > 118.250.6.85.64120: P 118:159(41) ack 25 win 54
23:35:56.351780 IP 115.238.1.45.3724 > 192.168.0.65.2057: P 118:159(41) ack 25 win 54
23:35:56.400051 PPPoE [ses 0x1cb0] IP 119.147.18.44.8000 > 118.250.6.85.4000: UDP, length 79
23:35:56.475050 IP 192.168.0.65.2057 > 115.238.1.45.3724: . ack 159 win 32762
23:35:56.475063 PPPoE [ses 0x1cb0] IP 118.250.6.85.64120 > 115.238.1.45.3724: . ack 159 win 32762
23:35:56.508968 PPPoE [ses 0x1cb0] IP 115.238.1.45.3724 > 118.250.6.85.64120: P 159:411(252) ack 25 win 54
23:35:56.510182 IP 115.238.1.45.3724 > 192.168.0.65.2057: P 159:411(252) ack 25 win 54
23:35:56.592028 PPPoE [ses 0x1cb0] IP 117.136.2.43.38959 > 118.250.6.85.63283: UDP, length 36
44 packets captured
76 packets received by filter
0 packets dropped by kernel

Each line is: timestamp, link-layer prefix if any (the PPPoE session on the WAN side appears here because the host is also the PPPoE router, so every WAN packet is seen twice), source host.port > destination host.port, and a protocol-specific summary. For TCP that is the flags (P = PSH, . = no flags), the sequence range with the payload length in parentheses (relative after the first packet of the connection, absolute with -S), the ack number and the window. The PTR? queries to dns2.cs.hn.cn are sent by the capturing host itself: without -n, tcpdump reverse-resolves every address it prints, which adds its own traffic to the capture and tells the resolver that a capture is running.

Display a specified number of packets

# tcpdump -c 20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:36:28.949538 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 148875984:148876020(36) ack 4184373187 win 2100
23:36:28.994325 IP 192.168.0.1.2101 > 192.168.0.3.ssh: . ack 36 win 64020
23:36:28.994368 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 36:72(36) ack 1 win 2100
23:36:28.950779 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: 18242+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:36:28.950948 PPPoE [ses 0x1cb0] IP 118.250.6.85.64215 > dns2.cs.hn.cn.domain: 18242+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:36:28.960105 PPPoE [ses 0x1cb0] IP 222.82.119.41.13594 > 118.250.6.85.63283: UDP, length 36
23:36:28.962192 IP 222.82.119.41.13594 > 192.168.0.65.13965: UDP, length 36
23:36:28.963118 IP 192.168.0.65.13965 > 222.82.119.41.13594: UDP, length 34
23:36:28.963123 PPPoE [ses 0x1cb0] IP 118.250.6.85.63283 > 222.82.119.41.13594: UDP, length 34
23:36:28.970185 PPPoE [ses 0x1cb0] IP dns2.cs.hn.cn.domain > 118.250.6.85.64215: 18242 NXDomain 0/0/0 (42)
23:36:28.970413 IP dns2.cs.hn.cn.domain > 192.168.0.3.32804: 18242 NXDomain 0/0/0 (42)
23:36:28.972352 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: 17862+ PTR? 3.0.168.192.in-addr.arpa. (42)
23:36:28.972474 PPPoE [ses 0x1cb0] IP 118.250.6.85.64215 > dns2.cs.hn.cn.domain: 17862+ PTR? 3.0.168.192.in-addr.arpa. (42)
23:36:28.982287 PPPoE [ses 0x1cb0] IP 121.12.131.163.13109 > 118.250.6.85.63283: UDP, length 27
23:36:28.984162 IP 121.12.131.163.13109 > 192.168.0.65.13965: UDP, length 27
23:36:28.985021 IP 192.168.0.65.13965 > 121.12.131.163.13109: UDP, length 103
23:36:28.985027 PPPoE [ses 0x1cb0] IP 118.250.6.85.63283 > 121.12.131.163.13109: UDP, length 103
23:36:28.991919 PPPoE [ses 0x1cb0] IP dns2.cs.hn.cn.domain > 118.250.6.85.64215: 17862 NXDomain 0/0/0 (42)
23:36:28.993142 IP dns2.cs.hn.cn.domain > 192.168.0.3.32804: 17862 NXDomain 0/0/0 (42)
23:36:28.993574 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 72:140(68) ack 1 win 2100
20 packets captured
206 packets received by filter
129 packets dropped by kernel

The trailer matters: 206 packets matched the (empty) filter but only 20 were captured and 129 were dropped by the kernel because tcpdump could not read them from the socket buffer fast enough. A capture with a non-zero drop count is incomplete evidence; -n, writing raw packets with -w instead of decoding them, and a narrower filter expression all reduce the per-packet work that causes drops.
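The two captures above show two things worth reading off tcpdump's default output: the capturing host (192.168.0.3) is itself generating the PTR? queries to dns2.cs.hn.cn because tcpdump was run without -n, and the second run reports 129 packets dropped by kernel, so its output is incomplete. The following Python script is an added example, not code from the original page: it parses lines in the format shown above (including the PPPoE-prefixed ones and the -q form "tcp N" / "UDP, length N"), counts protocols and conversations, and raises exactly those two warnings. The SAMPLE text is constructed by copying the shape of the captures above, and the capturing host's address is passed in as a parameter rather than detected.

```python
"""Summarise tcpdump's default text output (the line format in the captures above).
Added example: SAMPLE is constructed, not a real capture, and the capturing host's
address is supplied by the caller."""
import re
from collections import Counter
from dataclasses import dataclass, field

# One packet per line: timestamp, optional PPPoE prefix (the WAN side in the
# captures above), then "IP src.port > dst.port: <protocol-specific rest>".
PACKET_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?:PPPoE \[ses 0x[0-9a-f]+\] )?"
                       r"IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
TRAILER_RE = re.compile(r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$")
TRAILER_FIELDS = {"captured": "captured", "received by filter": "received", "dropped by kernel": "dropped"}
# "PTR? 1.0.168.192.in-addr.arpa." is a reverse lookup of 192.168.0.1.
PTR_RE = re.compile(r"PTR\? (?P<rev>(?:\d+\.){4})in-addr\.arpa\.")
# TCP lines start with flag characters ("P", ".", "S" ...) or, under -q, "tcp N".
TCP_RE = re.compile(r"^(?:[SFPRU.]+ |tcp \d)")

# Constructed sample: lines copied in shape from the captures above, plus the
# trailer of the second capture (the one that dropped packets).
SAMPLE = """\
23:36:28.949538 IP 192.168.0.3.ssh > 192.168.0.1.2101: P 148875984:148876020(36) ack 4184373187 win 2100
23:36:28.994325 IP 192.168.0.1.2101 > 192.168.0.3.ssh: . ack 36 win 64020
23:36:28.950779 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: 18242+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:36:28.950948 PPPoE [ses 0x1cb0] IP 118.250.6.85.64215 > dns2.cs.hn.cn.domain: 18242+ PTR? 1.0.168.192.in-addr.arpa. (42)
23:36:28.960105 PPPoE [ses 0x1cb0] IP 222.82.119.41.13594 > 118.250.6.85.63283: UDP, length 36
23:36:28.970413 IP dns2.cs.hn.cn.domain > 192.168.0.3.32804: 18242 NXDomain 0/0/0 (42)
20 packets captured
206 packets received by filter
129 packets dropped by kernel
"""


@dataclass
class Summary:
    protocols: Counter = field(default_factory=Counter)
    conversations: Counter = field(default_factory=Counter)  # (src, sport, dst, dport) -> count
    ptr_lookups: set = field(default_factory=set)            # addresses the capture host resolved
    captured: int = 0
    received: int = 0
    dropped: int = 0


def split_endpoint(endpoint):
    """'dns2.cs.hn.cn.domain' -> ('dns2.cs.hn.cn', 'domain'): only the last
    dot-separated component is the port; host names contain dots too."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def classify(rest):
    if PTR_RE.search(rest):
        return "dns-ptr-query"
    if "NXDomain" in rest or re.search(r"\b\d+/\d+/\d+\b", rest):
        return "dns-response"          # answer/authority/additional counts, e.g. "1/0/0"
    if rest.startswith("UDP, length"):
        return "udp"
    return "tcp" if TCP_RE.match(rest) else "other"


def parse(text, capture_host):
    s = Summary()
    for line in text.splitlines():
        t = TRAILER_RE.match(line)
        if t:
            setattr(s, TRAILER_FIELDS[t.group("what")], int(t.group("n")))
            continue
        m = PACKET_RE.match(line)
        if not m:
            continue                   # banner lines such as "listening on eth0, ..."
        src_host, src_port = split_endpoint(m.group("src"))
        dst_host, dst_port = split_endpoint(m.group("dst"))
        kind = classify(m.group("rest"))
        s.protocols[kind] += 1
        s.conversations[(src_host, src_port, dst_host, dst_port)] += 1
        if kind == "dns-ptr-query" and src_host == capture_host:
            rev = PTR_RE.search(m.group("rest")).group("rev").rstrip(".")
            s.ptr_lookups.add(".".join(reversed(rev.split("."))))
    return s


def warnings(s):
    """The two caveats to take from the captures above."""
    w = []
    if s.ptr_lookups:
        w.append(f"capture host reverse-resolved {sorted(s.ptr_lookups)}: run tcpdump "
                 "with -n so it does not generate DNS traffic of its own")
    if s.dropped:
        w.append(f"{s.dropped} of {s.received} packets dropped by kernel: the output is "
                 "incomplete; use -n, write with -w and narrow the filter expression")
    return w


if __name__ == "__main__":
    summary = parse(SAMPLE, capture_host="192.168.0.3")
    print(dict(summary.protocols), dict(summary.conversations))
    for line in warnings(summary):
        print("WARNING:", line)
```

Run it on a real capture with `tcpdump ... 2>&1 | python3 this_script.py` after replacing SAMPLE with `sys.stdin.read()`; the regexes only cover the line shapes shown on this page (TCP, UDP, DNS, with or without the PPPoE prefix), so anything else lands in the "other" bucket rather than being misread.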

Quick (quiet) output

# tcpdump -c 10 -q    // show 10 packets in quiet mode

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:43:05.792280 IP 192.168.0.3.ssh > 192.168.0.1.2101: tcp 36
23:43:05.842115 IP 192.168.0.1.2101 > 192.168.0.3.ssh: tcp 0
23:43:05.845074 IP 115.238.1.45.3724 > 192.168.0.65.2057: tcp 0
23:43:05.907155 IP 192.168.0.3.ssh > 192.168.0.1.2101: tcp 36
23:43:05.793880 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: UDP, length 42
23:43:05.794076 PPPoE [ses 0x1cb0] IP 118.250.6.85.64219 > dns2.cs.hn.cn.domain: UDP, length 42
23:43:05.811127 PPPoE [ses 0x1cb0] IP dns2.cs.hn.cn.domain > 118.250.6.85.64219: UDP, length 42
23:43:05.814764 IP dns2.cs.hn.cn.domain > 192.168.0.3.32804: UDP, length 42
23:43:05.816404 IP 192.168.0.3.32804 > dns2.cs.hn.cn.domain: UDP, length 42
23:43:05.816545 PPPoE [ses 0x1cb0] IP 118.250.6.85.64219 > dns2.cs.hn.cn.domain: UDP, length 42
10 packets captured
39 packets received by filter
0 packets dropped by kernel

With -q the TCP flags, sequence numbers and window are replaced by "tcp <payload length>", and DNS is no longer decoded, only shown as "UDP, length N".

Dump the compiled filter in human-readable form

# tcpdump -d

(000) ret      #96

Dump the compiled filter as decimal numbers

# tcpdump -ddd

1
6 0 0 96

Both forms show the BPF program that tcpdump compiled from the filter expression; with no expression it is a single instruction that accepts every packet and returns the snapshot length (96 bytes here). The -ddd form prints the instruction count followed by one "code jt jf k" line per instruction, which is the layout of struct sock_filter and can be pasted into a program that attaches the filter with SO_ATTACH_FILTER. Neither form captures anything; tcpdump exits after printing the program.
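The two dumps above are the same one-instruction program (ret #96) in two encodings. The Python below is an added example, not code from the original page: it reads the -ddd form back, prints it in the style of -d, and applies the structural checks the kernel makes before it will attach a classic BPF program (non-empty, every jump lands inside the program, last instruction is a ret). The IP_FILTER_DDD sample is constructed by hand from the classic BPF opcode encoding; it is what the filter expression `ip` compiles to at the same 96-byte snapshot length, and the page's own `1 / 6 0 0 96` dump is decoded as well.

```python
"""Decode the decimal form printed by `tcpdump -ddd` back into the mnemonics that
`tcpdump -d` shows, and check what the kernel checks before installing the filter.
Added example, not from the original page."""

# Classic BPF opcode layout (pcap-bpf.h): the low three bits select the class,
# the remaining bits mean size/mode for loads, operation/source for alu and jmp.
CLASSES = ["ld", "ldx", "st", "stx", "alu", "jmp", "ret", "misc"]
SIZE = {0x00: "", 0x08: "h", 0x10: "b"}                          # BPF_W, BPF_H, BPF_B
MODE = {0x20: "[{k}]", 0x40: "[x + {k}]", 0x60: "M[{k}]",        # ABS, IND, MEM
        0x80: "#pktlen", 0xA0: "4*([{k}]&0xf)"}                  # LEN, MSH
ALU_OPS = {0x00: "add", 0x10: "sub", 0x20: "mul", 0x30: "div", 0x40: "or", 0x50: "and",
           0x60: "lsh", 0x70: "rsh", 0x80: "neg", 0x90: "mod", 0xA0: "xor"}
JMP_OPS = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}

# Constructed input: `tcpdump -ddd ip` at a 96-byte snaplen. ldh [12] loads the
# Ethernet type, jeq #0x800 tests for IPv4, ret #96 accepts, ret #0 rejects.
IP_FILTER_DDD = """\
4
40 0 0 12
21 0 1 2048
6 0 0 96
6 0 0 0
"""


def parse_ddd(text):
    """-ddd prints the instruction count, then one 'code jt jf k' line per instruction."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    prog = [tuple(int(x) for x in ln.split()) for ln in lines[1:]]
    if len(prog) != int(lines[0]) or any(len(insn) != 4 for insn in prog):
        raise ValueError("malformed -ddd output")
    return prog


def decode(pc, insn):
    """Return (mnemonic, operand, jt_target, jf_target). Jump targets are absolute
    pcs as -d prints them; in the encoding jt/jf are offsets from pc + 1."""
    code, jt, jf, k = insn
    cls = CLASSES[code & 0x07]
    if cls in ("ld", "ldx"):
        operand = MODE.get(code & 0xE0, "#0x{k:x}").format(k=k)   # default mode: immediate
        return cls + SIZE[code & 0x18], operand, None, None
    if cls in ("st", "stx"):
        return cls, f"M[{k}]", None, None
    if cls == "alu":
        op = ALU_OPS[code & 0xF0]
        src = "x" if code & 0x08 else f"#{k}"
        return op, "" if op == "neg" else src, None, None
    if cls == "jmp":
        op = JMP_OPS[code & 0xF0]
        if op == "ja":
            return op, str(pc + 1 + k), None, None
        src = "x" if code & 0x08 else f"#0x{k:x}"
        return op, src, pc + 1 + jt, pc + 1 + jf
    if cls == "ret":
        return "ret", {0x00: f"#{k}", 0x08: "x", 0x10: ""}[code & 0x18], None, None
    return ("tax" if (code & 0x80) == 0 else "txa"), "", None, None


def jump_targets(pc, insn):
    op, operand, jt, jf = decode(pc, insn)
    if op == "ja":
        return [int(operand)]
    return [t for t in (jt, jf) if t is not None]


def validate(prog):
    """Reject what the kernel rejects: an empty program, a jump that leaves the
    program, or a program whose last instruction is not a ret."""
    n = len(prog)
    if n == 0 or CLASSES[prog[-1][0] & 0x07] != "ret":
        return False
    return all(t < n for pc, insn in enumerate(prog) for t in jump_targets(pc, insn))


def disassemble(text):
    """Same layout as `tcpdump -d`: (pc) mnemonic operand [jt N jf M]."""
    out = []
    for pc, insn in enumerate(parse_ddd(text)):
        op, operand, jt, jf = decode(pc, insn)
        if jt is None:
            out.append(f"({pc:03d}) {op:<8} {operand}")
        else:
            out.append(f"({pc:03d}) {op:<8} {operand:<16} jt {jt} jf {jf}")
    return out


if __name__ == "__main__":
    for line in disassemble(IP_FILTER_DDD):
        print(line)
    print("valid:", validate(parse_ddd(IP_FILTER_DDD)))
```

The validity check is the reason to have a decoder at all: a hand-edited or corrupted filter that jumps past its end, or does not finish with a ret, is refused by setsockopt(SO_ATTACH_FILTER) with EINVAL, and it is easier to see why in mnemonic form than in the decimal dump.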
