Linux network analysis tool tcpdump

Source: Internet
Author: User
You must have root permission to run tcpdump. The commonly used options are:
-w file: save the captured packets to the specified file.
-r file: read packets from the specified file (saved with the -w option) instead of capturing them on the NIC.
-c count: stop after capturing count packets. Otherwise tcpdump keeps capturing until you terminate it with Ctrl-C.
-e: also parse and print the layer-2 (link-layer) header. By default only the IP header onward is printed.
-F file: read the packet-capture filter expression from the specified file.
-D: list the network interfaces available for capture. The following example shows three interfaces.
[p01056@localhost ~]$ sudo /usr/sbin/tcpdump -D
1. eth3
2. any (Pseudo-device that captures on all interfaces)
3. lo
-i interface: capture packets on the specified NIC; the parameter is one of the interfaces listed by -D.
If this option is not given, tcpdump captures on the lowest-numbered interface that is in the link-up state (excluding the loopback interface).
For example, the following output shows capturing on the lo interface (pinging your own address):
[p01056@localhost ~]$ sudo /usr/sbin/tcpdump -i 3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
15:37:24.266382 IP 10.153.107.75 > 10.153.107.75: ICMP echo request, id 13934, seq 1, length 64
15:37:24.266434 IP 10.153.107.75 > 10.153.107.75: ICMP echo reply, id 13934, seq 1, length 64
-n: do not resolve host addresses to DNS names.
-nn: do not resolve protocol numbers and port numbers to names either.
Without -nn:
15:43:37.223798 IP 10.153.107.72.tsdos390 > 10.153.107.75.ssh: . ack 441 win 62371
With -nn:
15:43:45.936130 IP 10.153.107.72.1237 > 10.153.107.75.22: P 1:53(52) ack 4294955024 win 64467
-q: quick output mode; prints less protocol information.
-S: print absolute TCP sequence numbers instead of relative ones.
-t: do not print a timestamp on each line.
-ttt: print the time difference (delta) between the current packet and the previous one.
-v: print verbose output.
-vv: print more verbose output.
-vvv: print even more verbose output.
-x: print the packet in hex, excluding the layer-2 header.
-xx: print the packet in hex, including the layer-2 header.
-X: print the packet in hex and ASCII, excluding the layer-2 header.
-XX: print the packet in hex and ASCII, including the layer-2 header.
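The difference between resolved names (no -nn), numeric ports (-nn) and -ttt deltas is easiest to see by parsing the text lines tcpdump prints. The following Python script is an added example, not code from the original article: it parses a few constructed lines modelled on the output shown above, splits each endpoint into address and port (assuming IPv4, so an address has exactly three dots), flags lines on which tcpdump resolved a port name, and computes the same per-packet delta that -ttt prints.

```python
import re

# Constructed sample lines, modelled on the tcpdump output shown above:
# an ICMP echo pair, one TCP line without -nn (names) and one with -nn (numbers).
SAMPLE_LINES = """\
15:37:24.266382 IP 10.153.107.75 > 10.153.107.75: ICMP echo request, id 13934, seq 1, length 64
15:37:24.266434 IP 10.153.107.75 > 10.153.107.75: ICMP echo reply, id 13934, seq 1, length 64
15:43:37.223798 IP 10.153.107.72.tsdos390 > 10.153.107.75.ssh: . ack 441 win 62371
15:43:45.936130 IP 10.153.107.72.1237 > 10.153.107.75.22: P 1:53(52) ack 4294955024 win 64467
"""

# timestamp, "IP", src endpoint, ">", dst endpoint, ":", protocol-specific remainder
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into (address, port). Assumes IPv4 (three dots in the
    address); a bare address (ICMP lines carry no port) returns port None."""
    parts = endpoint.split(".")
    if len(parts) == 4:
        return endpoint, None
    return ".".join(parts[:4]), parts[4]


def ts_to_seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Parse one tcpdump text line into a dict, or return None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    ack = re.search(r"\back (\d+)", rest)
    return {
        "ts": ts_to_seconds(m["ts"]),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        # older tcpdump prints no protocol name for TCP; ICMP lines name themselves
        "proto": "ICMP" if rest.startswith("ICMP") else "TCP",
        # a non-numeric port means tcpdump resolved it, i.e. -nn was not used
        "resolved": any(p is not None and not p.isdigit() for p in (sport, dport)),
        "ack": int(ack.group(1)) if ack else None,
    }


def parse_output(text):
    """Parse all lines and attach a -ttt style delta (seconds since the previous packet)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    prev = None
    for r in records:
        r["delta"] = 0.0 if prev is None else round(r["ts"] - prev, 6)
        prev = r["ts"]
    return records


if __name__ == "__main__":
    for r in parse_output(SAMPLE_LINES):
        print(f"{r['delta']:>12.6f}s {r['proto']:4} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} resolved={r['resolved']} ack={r['ack']}")
```

Running it prints one line per packet with the delta in front; the third line shows a delta of about 373 s because the sample switches from the ICMP capture to the later SSH capture. Feeding real tcpdump output to parse_output works as long as the lines use the same "IP src > dst:" layout; lines such as the "listening on" banner are skipped.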
Filter expression: placed at the end of the command.
It consists of one or more qualifiers followed by an ID (a name or a number).
There are three kinds of qualifiers:
type: what the ID refers to, such as host, net, port, and portrange.
dir: the transfer direction relative to the ID, such as src, dst, src or dst, and src and dst.
proto: the protocol, such as ether, ip, and arp.
For example:
ether dst ehost
ether dst 68:b5:99:79:17:b2: destination MAC address = 68:b5:99:79:17:b2
ip src 10.153.107.73: source IP address = 10.153.107.73
tcp dst port 22: TCP destination port = 22 (ssh)
Simple filter conditions can be combined with and / or into a compound filter. For example, ip src 10.153.107.79 and tcp dst port 22:
sudo /usr/sbin/tcpdump -e -c 10 ip src 10.153.107.79 and tcp dst port 22
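To show what -w writes, what -r reads back, what -e exposes (the Ethernet header) and how the ether dst / ip src / tcp dst port qualifiers combine with and / or, here is an added Python example that is not part of the original article and not tcpdump's own code. It builds a small constructed pcap file in memory (three TCP SYN frames with zeroed checksums and made-up source MACs; the destination MAC 68:b5:99:79:17:b2 and the 10.153.107.x addresses are the ones used in the text), reads it back with a minimal classic-pcap parser (little-endian magic and LINKTYPE_ETHERNET only, an assumption of this example), decodes the layer-2, IPv4 and TCP headers, and evaluates the filter ip src 10.153.107.79 and tcp dst port 22 against each packet.

```python
import struct

# --- building a constructed capture (stands in for a file written by tcpdump -w) ---

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_tcp_syn_frame(eth_src, eth_dst, ip_src, ip_dst, sport, dport, seq=0):
    """Ethernet + IPv4 + TCP SYN frame. Checksums stay zero (constructed data, never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       ip_bytes(ip_src), ip_bytes(ip_dst))
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x00"  # EtherType IPv4
    return eth + ipv4 + tcp

def build_pcap(frames):
    """Classic pcap: 24-byte global header (little-endian, LINKTYPE_ETHERNET=1) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, i * 1000, len(f), len(f)) + f
    return out

# --- reading it back (what tcpdump -r does) ---

def read_pcap(data):
    """Yield (timestamp, frame bytes) per record. Assumption: little-endian classic pcap, Ethernet only."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (this example handles little-endian classic pcap only)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:
        raise ValueError("this example handles LINKTYPE_ETHERNET only")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Decode the layer-2 header (what -e shows), then IPv4 and TCP if present."""
    pkt = {"ether_dst": mac_str(frame[0:6]), "ether_src": mac_str(frame[6:12]),
           "ethertype": struct.unpack_from("!H", frame, 12)[0]}
    if pkt["ethertype"] != 0x0800:
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    pkt.update(ip_src=ip_str(frame[26:30]), ip_dst=ip_str(frame[30:34]), proto=frame[23])
    if pkt["proto"] == 6:
        l4 = 14 + ihl
        sport, dport, seq, ack = struct.unpack_from("!HHII", frame, l4)
        pkt.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack, tcp_flags=frame[l4 + 13])
    return pkt

# --- the qualifiers from the text as predicates, combined with and / or ---

def ether_dst(mac):      return lambda p: p["ether_dst"] == mac.lower()
def ip_src(addr):        return lambda p: p.get("ip_src") == addr
def tcp_dst_port(port):  return lambda p: p.get("proto") == 6 and p.get("tcp_dport") == port
def both(*preds):        return lambda p: all(f(p) for f in preds)   # 'and'
def either(*preds):      return lambda p: any(f(p) for f in preds)   # 'or'

def match_packets(pcap_bytes, pred):
    """Decode every record and keep those for which the filter predicate holds."""
    return [pkt for _ts, frame in read_pcap(pcap_bytes) for pkt in (decode(frame),) if pred(pkt)]

# Constructed capture: three SYNs to 10.153.107.75, two from .79 (ports 22 and 80), one from .73 (port 22).
SAMPLE_PCAP = build_pcap([
    build_tcp_syn_frame("00:11:22:33:44:79", "68:b5:99:79:17:b2", "10.153.107.79", "10.153.107.75", 1237, 22),
    build_tcp_syn_frame("00:11:22:33:44:73", "68:b5:99:79:17:b2", "10.153.107.73", "10.153.107.75", 1238, 22),
    build_tcp_syn_frame("00:11:22:33:44:79", "68:b5:99:79:17:b2", "10.153.107.79", "10.153.107.75", 1239, 80),
])

if __name__ == "__main__":
    for p in match_packets(SAMPLE_PCAP, both(ip_src("10.153.107.79"), tcp_dst_port(22))):
        print(p["ether_src"], ">", p["ether_dst"], "|", p["ip_src"], p["tcp_sport"], ">", p["ip_dst"], p["tcp_dport"])
```

Only the first frame satisfies ip src 10.153.107.79 and tcp dst port 22; swapping both() for either() with two tcp dst port predicates shows the or behaviour. Writing SAMPLE_PCAP to disk gives a file that tcpdump -r (and -e, -x) can read, which is a convenient way to check your own filter expressions against known packets before running a live capture.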