Introduction
Simply put, tcpdump dumps the traffic on a network: it is a packet analysis tool that intercepts packets according to the filter the user defines and analyzes them. tcpdump captures the "headers" of the packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you discard useless information.
Practical Command Examples
Default startup
tcpdump
Normally, starting tcpdump with no arguments monitors all packets that flow through the first network interface.
Monitoring packets for a specified network interface
tcpdump -i eth1
If you do not specify a network card, tcpdump monitors only the first network interface by default, typically eth0; the examples below that do not specify an interface behave this way.
Monitoring packets for a specified host
Print all packets entering or leaving sundown:
tcpdump host sundown
You can also specify an IP address, for example to intercept all packets received or sent by the host 210.27.48.1:
tcpdump host 210.27.48.1
Print packets exchanged between helios and either hot or ace:
tcpdump host helios and \( hot or ace \)
Intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3:
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
Print the IP packets that ace exchanges with any other host, excluding packets between ace and helios:
tcpdump ip host ace and not helios
To get the IP packets that host 210.27.48.1 exchanges with all hosts except host 210.27.48.2, use the command:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Intercept all packets sent by host hostname:
tcpdump -i eth0 src host hostname
Monitor all packets sent to host hostname:
tcpdump -i eth0 dst host hostname
Monitoring packets for a specified host and port
To get the telnet packets (TCP port 23) received or sent by host 210.27.48.1, use the following command:
tcpdump tcp port 23 and host 210.27.48.1
Monitor UDP port 123 on this machine (123 is the NTP service port):
tcpdump udp port 123
Monitoring packets for a specified network
Print all packets exchanged between the local host and hosts on the Berkeley network (NT: ucb-ether can be understood here as the network address of the 'Berkeley network'; literally, the command prints all packets whose network address is ucb-ether):
tcpdump net ucb-ether
Print all FTP packets passing through gateway snup (note that the expression is enclosed in quotation marks, which prevents the shell from parsing the parentheses):
tcpdump 'gateway snup and (port ftp or ftp-data)'
Print all IP packets that are neither sent from nor addressed to a host on the local network (if the local network is connected to another network through a gateway, such packets should never appear on the local network). (NT: the original wording of this sentence is tortuous and needs supplementing; replace localnet with the actual name of your network when you use it.)
tcpdump ip and not net localnet
Monitoring packets for a specified protocol
Print the start and end packets (SYN and FIN) of each TCP session whose source or destination is not a host on the local network. (NT: replace localnet with the actual name of your network when you use it.)
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
Print all packets whose source or destination port is 80, whose network layer protocol is IPv4, and which carry data; SYN, FIN and pure ACK packets without data are not printed. (The IPv6 version of the expression is left as an exercise.)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
(NT: ip[2:2] is the total length of the IP packet. (ip[0]&0xf)<<2 is the length of the IP header: ip[0]&0xf is the IHL field, whose unit is 32-bit words, so converting it to bytes requires multiplying by 4, that is, shifting left by 2. (tcp[12]&0xf0)>>4 is the TCP header length (the data offset field), also in 32-bit words; converting it to bytes gives ((tcp[12]&0xf0)>>4)<<2, that is (tcp[12]&0xf0)>>2. So ((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2)) != 0 means: the length of the entire IP packet minus the IP header length minus the TCP header length is not 0, i.e. the IP packet really carries data. For the IPv6 version, simply take the difference between the 'payload length' field of the IPv6 header and the TCP header length, and write 'ip6[' where the expression has 'ip['.)
Print IP packets longer than 576 bytes that pass through gateway snup:
tcpdump 'gateway snup and ip[2:2] > 576'
Print all IP-layer broadcast or multicast packets that are not broadcast or multicast at the physical Ethernet layer:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
Print ICMP packets whose type is neither 'echo request' nor 'echo reply' (for example, when you need to print all packets not generated by the ping program, this expression is what you want).
(NT: 'echo request' and 'echo reply' ICMP packets are usually generated by the ping program.)
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
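As an added example (not part of the original article), the following Python evaluates four of the byte-offset filters above, the TCP payload-length test, the SYN/FIN test, the IP-but-not-Ethernet broadcast test and the non-ping ICMP test, against constructed Ethernet/IPv4 frames, so the offset arithmetic can be checked without libpcap. The frame builders, addresses and field values are constructed assumptions, not anything from the article.

```python
"""Evaluate several byte-offset tcpdump filters in pure Python (added example).

Offsets mirror tcpdump's: ether[n] counts from the frame start, ip[n] from the
IPv4 header, and tcp[n]/icmp[n] from the transport header, which is found by
honouring the IHL field exactly as the filters above do."""
import struct

TCP_SYN, TCP_FIN = 0x02, 0x01          # tcp-syn / tcp-fin flag bits
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8       # icmp-echoreply / icmp-echo types
UNICAST_MAC = b"\x00\x11\x22\x33\x44\x55"  # constructed, ether[0] & 1 == 0

def build_frame(dst_mac, proto, l4, ip_opts=b"", dst_ip="10.0.0.2"):
    """Constructed Ethernet/IPv4 frame; ip_opts length must be a multiple of 4."""
    ihl = 5 + len(ip_opts) // 4                    # header length in 32-bit words
    total = ihl * 4 + len(l4)                      # becomes ip[2:2]
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes(int(o) for o in dst_ip.split(".")))
    return dst_mac + b"\x02" * 6 + b"\x08\x00" + ip + ip_opts + l4

def tcp_segment(flags, payload=b"", opts=b""):
    """Constructed TCP header (src 1234, dst 80); opts length must be a multiple of 4."""
    doff = 5 + len(opts) // 4                      # data offset in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, doff << 4, flags, 8192, 0, 0)
    return hdr + opts + payload

def layers(frame):
    """Return (ether, ip, transport) views: ether[] -> ip[] -> tcp[]/icmp[]."""
    ip = frame[14:]
    return frame, ip, ip[(ip[0] & 0xF) << 2:]

def tcp_has_payload(frame):
    """'(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0'."""
    _, ip, tcp = layers(frame)
    total_len = struct.unpack("!H", ip[2:4])[0]    # ip[2:2]
    return (total_len - ((ip[0] & 0xF) << 2)) - ((tcp[12] & 0xF0) >> 2) != 0

def tcp_syn_or_fin(frame):
    """'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' (tcpflags is TCP byte 13)."""
    return layers(frame)[2][13] & (TCP_SYN | TCP_FIN) != 0

def ip_bcast_not_ether_bcast(frame):
    """'ether[0] & 1 = 0 and ip[16] >= 224' (ip[16] is the first destination byte)."""
    ether, ip, _ = layers(frame)
    return ether[0] & 1 == 0 and ip[16] >= 224

def icmp_not_ping(frame):
    """'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'."""
    icmp_type = layers(frame)[2][0]
    return icmp_type != ICMP_ECHO and icmp_type != ICMP_ECHOREPLY
```

IP options and TCP options are included in the constructed frames so that the IHL and data-offset arithmetic is actually exercised rather than assumed to be 20 bytes.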
Linux tcpdump Command Detailed