Linux Grab Kit Tools tcpdump and Analysis kits Tools Wireshark__linux

Recently in the Learning Network card driver, you need to crawl the network card to send, receive data, and then found the tcpdump and Wireshark these two tools, tcpdump is used to crawl data, Wireshark is used to analyze the data crawled, the usage is recorded:

How to use Tcpdump
(1) The first is about the type of keywords mainly including host,net,port

For example: Host 210.27.48.2, indicating that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, port 23 indicates that the port number is 23. If no type is specified, the default type is host.

(2) The second is to determine the direction of transmission key words mainly include SRC, DST, DST or SRC, DST and SRC
These keywords indicate the direction of the transfer, such as SRC 210.27.48.2, indicating that the source address in the IP packet is 210.27.48.2, and DST net 202.0.0.0 indicates the destination network address is 202.0.0.0. If the direction key is not indicated, the SRC or DST keyword is the default.

(3) The third is the key word of the protocol, mainly including FDDI,IP,ARP,RARP,TCP,UDP type.
FDDI indicates a specific network protocol on FDDI (Distributed Optical Data Interface Network), in effect it is the alias of "Ether", FDDI and Ether have similar source address and destination address, so the FDDI protocol package can be treated and analyzed as ether package. Several other keywords refer to the protocol content of the packet being monitored. If no protocol is specified, tcpdump will listen for packets of all protocols.

In addition to these three types of keywords, other important keywords are as follows: Gateway, Broadcast,less,greater, and three logical operations, the negation is ' not ', '! ', with the operation is ' and ', ' && ', or the operation is ' or ', ' ││ '; These keywords can be combined to form a powerful combination of conditions to meet people's needs, here are a few examples to illustrate. Under normal circumstances, direct start tcpdump will monitor all packets flowing through the first network interface.

A. Tcpdump–i Eth0–c 10

Use the-i parameter to specify the network interface for tcpdump listening, which is useful when the computer has multiple network interfaces,
Specify the number of packets to monitor using the-c parameter.
Use the-w parameter to specify that data packets that will be heard are saved in the file

B. Want to intercept the communication between host 172.16.14.107 and host 172.16.14.27 or 172.16.14.99, use the command: (when using parentheses in the command line, you must use ' \ '
Tcpdump host 172.16.14.107 and \ (172.16.14.27or172.16.14.99 \)

C. If you want to get the host 172.16.14.107 IP packets that communicate with all hosts except the host 172.16.14.27, use the command:
Tcpdump IP host 172.16.14.107 and! 172.16.14.27

D. If you want to obtain a telnet package that the host 172.16.14.107 receives or emits, use the following command:
Tcpdump TCP Port Host 172.16.14.107

E. Monitoring of native UDP 123 ports (123 for NTP service ports)
tcpdump UDP port 123

F. The system will only monitor traffic packets for hosts named hostname. The host name can be either a local host or any computer on the network. The following command can read all the data sent by the host hostname:
Tcpdump-i eth0 SRC host hostname

G. The following command can monitor all packets sent to the host hostname:
Tcpdump-i eth0 DST host hostname

#src表示源, that is to send
#dst表示目的地, that is to receive

H. We can also monitor packets through a specified gateway:
Tcpdump-i eth0 Gateway Gatewayname

I. If you also want to monitor TCP or UDP packets that address the specified port, execute the following command:
Tcpdump-i ETH0 host hostname and port 80

J. If you want to obtain a telnet package that the host 172.16.14.107 receives or emits, use the following command:
Tcpdump TCP Port Host 172.16.14.107

K. If we only need to list packets delivered to port 80, DST port 80; If we only want to see packets returning 80 ports, use SRC port 80.
Tcpdump–i ETH0 host hostname and DST port 80 destination ports are 80
Or
Tcpdump–i eth0 host hostname and SRC port 80 source ports are 80

80 ports are typically hosts that provide HTTP services

Tcpdump output format
The total output format is: System time source host. port > Target host. Port packet parameters

If you want to analyze the data using Wireshark:

Tcpdump-i eth0-c 100-s 0-w/home/data.pcap

Direct use of Wireshark/home/data.pcap can

This article from Csdn Blog, reproduced please indicate the source: http://blog.csdn.net/wyjie1987/archive/2011/05/30/6454534.aspx