Linux tcpdump command usage

Source: Internet
Author: User

Linux tcpdump is one of the most important tools in Linux. Today we will walk through tcpdump expressions and the output tcpdump produces. tcpdump is a command line tool. Its command format is: tcpdump [-adeflnNOpqStvx] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]

Introduction to Linux tcpdump options
-a converts network and broadcast addresses into names;
-d dumps the packet-matching code in a human-readable assembler-like form;
-dd dumps the packet-matching code as a C program fragment;
-ddd dumps the packet-matching code as decimal numbers;
-e prints the data link layer header on each output line;
-f prints Internet addresses numerically;
-l makes standard output line buffered;
-n does not convert network addresses into names;
-t prints no timestamp on each output line;
-v outputs slightly more detailed information. For example, an IP packet can include the TTL and type of service;
-vv outputs detailed packet information;
-c stops tcpdump after receiving the specified number of packets;
-F reads the expression from the specified file and ignores any other expression given on the command line;
-i specifies the network interface to listen on;
-r reads packets from the specified file (such files are generally produced with the -w option);
-w writes packets directly to a file without analyzing or printing them;
-T interprets the captured packets as the specified type. Common types include rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol);

Introduction to tcpdump expressions in Linux

The expression is a regular expression that tcpdump uses as the condition for filtering packets: if a packet satisfies the expression, it is captured; if no condition is given, all packets on the network are intercepted. The following kinds of keywords are generally used in an expression. The first kind specifies a type and includes host, net and port. For example, host 210.27.48.2 states that 210.27.48.2 is a host, net 202.0.0.0 states that 202.0.0.0 is a network address, and port 23 states that the port number is 23. If no type is specified, the default type is host. The second kind specifies the transmission direction and includes src, dst, dst or src, and dst and src.

For example, src 210.27.48.2 indicates that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is given, src or dst is used by default. The third kind is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp and other types. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias for "ether": fddi and ether have similar source and destination addresses, so an fddi packet can be processed and analyzed as an ether packet. The other keywords specify the protocol of the packets to listen for. If no protocol is specified, tcpdump listens to packets of all protocols.

In addition to these three kinds of keywords, other important keywords include gateway, broadcast, less, greater, and the three logical operations: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions to meet people's needs. The following are several examples.
(1) To intercept all packets received and sent by host 210.27.48.1: # tcpdump host 210.27.48.1
(2) To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (when parentheses are used on the command line, they must be escaped with backslashes): # tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
(3) To obtain the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2, run: # tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To obtain the telnet packets received or sent by host 210.27.48.1, run: # tcpdump tcp port 23 and host 210.27.48.1
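As an added example (not part of the original article), the following Python script applies the filter keywords described above (host, net, port, src/dst, protocol names, and/or/not with parentheses) to a few constructed packet records, so the four sample filters can be checked without a live capture; the packet field names and the simplified net-prefix matching are assumptions of this example, not tcpdump's BPF semantics.

```python
# Toy evaluator for the filter keywords described above (an added example, not tcpdump's
# BPF compiler); the packet field names and the 'net' prefix rule are assumed simplifications.
import re

TOKEN = re.compile(r"\(|\)|\|\||&&|!|[\w.]+")
COVERS = {"ip": {"tcp", "udp"}, "tcp": {"tcp"}, "udp": {"udp"}, "arp": {"arp"}}  # 'ip' spans tcp/udp
QUALS = ("src", "dst", "host", "net", "port")

def match(pkt, direction, kind, value):     # one primitive, e.g. 'dst net 202.0.0.0'
    sides = ("src", "dst") if direction is None else (direction,)   # default: src or dst
    if kind == "port":
        return any(pkt[s[0] + "port"] == int(value) for s in sides)
    octets = value.split(".")
    while kind == "net" and len(octets) > 1 and octets[-1] == "0":
        octets.pop()                        # net 202.0.0.0 matches any 202.x.x.x address
    return any(pkt[s].split(".")[:len(octets)] == octets for s in sides)

def parse(expr):                            # compile an expression into a predicate
    toks, pos = TOKEN.findall(expr), 0
    def take(): nonlocal pos; pos += 1; return toks[pos - 1]
    def peek(): return toks[pos] if pos < len(toks) else None
    def primary():
        t, proto, direction, kind = take(), None, None, "host"
        if t == "(":
            node = disjunction(); take(); return node            # take() eats ')'
        if t in ("not", "!"):
            inner = primary(); return lambda p: not inner(p)
        if t in COVERS and peek() not in QUALS:                  # bare 'arp', 'tcp'
            return lambda p: p["proto"] in COVERS[t]
        if t in COVERS: proto, t = t, take()                     # 'ip host X', 'tcp port 23'
        if t in ("src", "dst"): direction, t = t, take()
        if t in ("host", "net", "port"): kind, t = t, take()     # bare value defaults to host
        return lambda p: (proto is None or p["proto"] in COVERS[proto]) and match(p, direction, kind, t)
    def chain(sub, ops, op):                # left-to-right chain of one operator level
        node = sub()
        while peek() in ops:
            take(); node = lambda p, l=node, r=sub(): op(l(p), r(p))
        return node
    def conjunction(): return chain(primary, ("and", "&&"), lambda a, b: a and b)
    def disjunction(): return chain(conjunction, ("or", "||"), lambda a, b: a or b)
    return disjunction()

SAMPLE = [  # constructed sample traffic, not a real capture
    dict(proto="tcp", src="210.27.48.1", dst="210.27.48.2", sport=33357, dport=23),
    dict(proto="tcp", src="210.27.48.3", dst="210.27.48.1", sport=40000, dport=80),
    dict(proto="udp", src="210.27.48.9", dst="202.0.0.5", sport=53, dport=5353),
    dict(proto="arp", src="210.27.48.1", dst="210.27.48.255", sport=None, dport=None)]

def select(expr, packets=SAMPLE):           # indexes of the packets the filter would capture
    pred = parse(expr); return [i for i, p in enumerate(packets) if pred(p)]
```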

Introduction to output results of Linux tcpdump

Below we introduce the output of several typical tcpdump commands.

(1) data link layer header information
Run the command # tcpdump -e host ice. ice is a host running Linux, and its MAC address is 0:90:27:58:AF:1A. H219 is a SUN workstation running Solaris, and its MAC address is 8:0:20:79:5B:46. The output of the command is as follows:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12 is the display time and 847509 is the ID number. eth0 < indicates that the packet was received on network interface eth0; eth0 > would indicate a packet sent out from that interface. 8:0:20:79:5b:46 is the MAC address of host H219, meaning the packet was sent from source H219. 0:90:27:58:af:1a is the MAC address of host ICE, meaning the destination of the packet is ICE. ip indicates that the packet is an IP packet, and 60 is the packet length. h219.33357 > ice.telnet indicates that the packet was sent from port 33357 of host H219 to the telnet port (23) of host ICE. ack 22535 acknowledges the packet with sequence number 22535, and win 8760 indicates that the send window size is 8760.

(2) TCPDUMP output information of ARP packets
Run the command # tcpdump arp to obtain the following output:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0
Analysis: 22:32:42 is the timestamp and 802509 is the ID; eth0 > indicates that the packet was sent from this host; arp indicates that it is an ARP request packet; who-has route tell ice indicates that host ICE is asking for the MAC address of host ROUTE; and 0:90:27:58:af:1a is the MAC address of host ICE.

(3) TCP packet output information
The general output format of a TCP packet captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst indicates that the packet goes from the source address to the destination address; flags is the flag information in the TCP packet, where S is the SYN flag, F is FIN, P is PUSH, R is RST, and "." means no flag is set; data-seqno is the sequence number of the data in the packet; ack is the sequence number expected next; window is the size of the receive buffer window; urgent indicates whether the packet carries an urgent pointer; and options are the TCP options.

(4) UDP packet output information
The general output format of a UDP packet captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple. The line above indicates that a UDP packet was sent from port port1 of host ROUTE to port port2 of host ICE; the type is UDP and the packet length is length.
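As an added example (not code from the original article), the following Python parser splits the output line formats described in this section into named fields. It assumes the old eth0 < / eth0 > direction marker shown here; the link-layer and ARP sample lines are the page's own, re-spaced, while the SYN and UDP lines are constructed to follow the general formats the text gives.

```python
# Parser for the tcpdump output line formats explained above: an added example, not part
# of the page. The link-layer and ARP sample lines are the page's own, re-spaced; the SYN
# and UDP lines are constructed to match the general formats the page gives.
import re

HEAD = re.compile(r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\w+) (?P<dir>[<>]) "
                  r"(?:(?P<smac>[\da-f:]+) (?P<dmac>[\da-f:]+) (?P<ethertype>\w+) (?P<len>\d+): )?"
                  r"(?P<body>.+)")
TCP = re.compile(r"(?P<src>\S+) > (?P<dst>[^\s:]+):?(?: (?P<flags>[SFPRU.]+))?"
                 r"(?: (?P<seq>\d+:\d+\(\d+\)))?(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
                 r"(?: urg (?P<urg>\d+))?\s*(?P<opts>.*)")
UDP = re.compile(r"(?P<src>\S+) > (?P<dst>[^\s:]+): udp (?P<udplen>\d+)")
ARP = re.compile(r"arp who-has (?P<target>\S+) tell (?P<sender>\S+)(?: \((?P<mac>[\da-f:]+)\))?")
FLAGS = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", "U": "URG"}   # "." = no flags

def parse_line(line):
    """Split one tcpdump output line into a dict of named fields."""
    m = HEAD.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    body = rec.pop("body")
    rec["direction"] = "received" if rec.pop("dir") == "<" else "sent"   # eth0 < / eth0 >
    if (a := ARP.match(body)):
        rec.update(proto="arp", **{k: v for k, v in a.groupdict().items() if v is not None})
    elif (u := UDP.match(body)):
        rec.update(proto="udp", **u.groupdict())
    elif (t := TCP.match(body)):
        rec.update(proto="tcp", **{k: v for k, v in t.groupdict().items() if v is not None})
        rec["flags"] = [FLAGS[c] for c in rec.get("flags", ".") if c != "."]
    else:
        rec["proto"] = "unknown"
    return rec

def parse_all(lines):
    return [parse_line(l) for l in lines]

SAMPLE = [
    "21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
    "22:33:10.000100 eth0 > ice.33358 > h219.telnet: S 1001:1001(0) win 8760 <mss 1460> (DF)",
    "22:40:01.123456 eth0 > route.1024 > ice.domain: udp 37",
]
```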
