Linux uses the tcpdump command to capture packets.

Tcpdump is a commonly used packet capture tool in linux command lines. it records the commonly used methods and the testing machine system is ubuntu12.04. The tcpdump command format contains many tcpdump parameters. you can use mantcpdump to view detailed descriptions of tcpdump. here, only some common parameters are listed: tcpdump [-I Nic]-nnAX expressions TcpdumpIs a commonly used packet capture tool in linux command lines. record the commonly used methods. the testing machine system is ubuntu 12.04.

Command format of tcpdump
Tcpdump has many parameters. you can view the detailed description of tcpdump through man tcpdump. here, only some common parameters are listed:
Tcpdump [-I Nic]-nnAX 'expression'
Parameters are described as follows:
-I: The Nic that the interface listens.
-Nn: displays the source host and target host in ip and port mode, instead of host name and service.
-A: displays data packets in ascii format, which is useful when capturing web data.
-X: data packets are displayed in hexadecimal and ascii formats.
Expressions: There are many common expressions: host, port, src host packet sending host, and dst host packet collecting host. Multiple conditions can be combined with "and" or ". The inverse condition can be used !, For more information, see man 7 pcap-filter.
The following are some command tests. if you do not have the permission, you can switch to the root user first.

Eth0
$ Tcpdump-I eth0
This method is the easiest, but not very useful, because we can only see the packet information fl, can not see at all, you can use ctrl + c to interrupt the exit, if there is a need, you can redirect the output content to a file, which makes it easier to view.

Listen to data of a specified protocol
$ Tcpdump-I eth0-nn 'icmp'
This is used to listen to icmp data, that is, the protocol used by the ping command. Similarly, if you want to listen to the tcp or udp protocol, you only need to modify the icmp protocol in the previous example. Ping the monitored machine. the output is as follows:

Example of using tcpdump to capture packets in linux
Meaning of each data expression in each row:
Packet capture time IP address packet sending host and Port> Received host and port packet content

Listen to the specified host
$ Tcpdump-I eth0-nn 'host 192.168.1.231'
In this case, all packets received and sent by the host 192.168.1.231 will be captured.
$ Tcpdump-I eth0-nn 'src host 192.168.1.231'
In this way, only the packets sent by the host 192.168.1.231 will be captured.
$ Tcpdump-I eth0-nn 'dst host 192.168.1.231'
In this way, only packets received by the host 192.168.1.231 will be captured.

Listen to the specified port
$ Tcpdump-I eth0-nnA 'Port 80'
The preceding example is used to listen to all data packets received and sent by Port 80 of the host. combined with the-A parameter, it is very useful in web development.

Listen to specified host and port
$ Tcpdump-I eth0-nnA 'Port 80 and src host 192.168.1.231'
You can use and or to connect multiple conditions. The preceding example indicates listening for packets sent by the host 192.168.1.231 over port 80.

Listen to other ports except a port
$ Tcpdump-I eth0-nnA '! Port 22'
To exclude a port or host, use "!" Symbol. in the preceding example, it is used to listen to packets not on port 22.

Summary:
Tcpdump has many function parameters and many expression options, which are very powerful. However, there are not many common functions. For more information, see man.
In addition, when capturing a web package, the content sent to the web page is a strange character. it is found that gzip compression is enabled in apache, so you can disable gzip compression. Under ubuntu12.04, edit the vim/etc/apache2/mod-enabled/deflate. load file, comment out the deflate_module statement, and restart apache.