TCPDUMP(8)
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]
--------------------------------
Options that take a parameter
-s snaplen: sets how many bytes of each packet are captured, so that long packets are not truncated. Commonly used: -s 0 sets the snaplen to 65535 bytes, i.e. whole packets.
-i interface: the network interface to capture on, such as eth0 or eth1.
-w file: writes the raw captured packets to a file; the resulting pcap/cap file can be opened in Wireshark for analysis.
-r file: reads packets from a file (normally one written earlier with -w) instead of from a live interface.
-c count: stops after this many packets have been captured; by default the capture runs until interrupted.
-l > result.txt: makes stdout line-buffered, so the decoded output can be redirected to a text file and read as it arrives.
----------------------------------
Options without a parameter
-v: slightly more verbose output; for example, IP packets also show the TTL and type-of-service fields.
-vv: even more verbose output.
-n: does not convert addresses to host names.
-nn: does not convert addresses or port numbers to names, e.g. port 22 is shown as 22 rather than ssh.
-X: prints the contents of each packet in both hex and ASCII.
--------------------------------------------------
Filter expression
Direction: src, dst, src or dst, src and dst
Port: port value
Range: host value (a single IP address), net value (a network address in the form 192.168.0.0/24), ether value (a MAC address), gateway value (a gateway)
Logic: and, or, not, &&, ||, !
Protocol: tcp, udp, ip, arp, icmp
Note that parentheses in a tcpdump filter must be escaped for the shell, \( \), for example:
tcpdump -i eth0 host \( 192.168.59.1 or 192.168.59.htm \) and tcp
--------------------------------------------------
TCP flags in tcpdump output:
S = SYN, a connection is being initiated.
P = PUSH, data transfer.
F = FIN, the connection is being closed.
R = RESET, the connection is aborted because of an error.
. = no flag set; in practice these are pure ACK segments, with only the ACK bit set.
ack marks an acknowledgement (the acknowledged sequence number is printed next to the flags).
--------------------------------------------------
1. Capture packets on one network interface
tcpdump -i eth0
2. Capture one protocol on an interface
tcpdump -i eth0 tcp
3. Capture one protocol and one port on an interface
tcpdump -i eth0 tcp port 80
4. tcpdump -i eth0 src host 192.168.59.11 and dst port 22
5. tcpdump -i eth0 src net 192.168.59.0/24 and dst port 22
6. Read back a saved capture file
[root@localhost ~]# tcpdump -r my.pcap
reading from file my.pcap, link-type EN10MB (Ethernet)
09:39:19.264188 ARP, Request who-has 192.168.59.w tell 192.168.59.1, length 46
09:39:19.264275 ARP, Reply 192.168.59.large is-at 00:0c:29:27:f4:a8 (oui Unknown), length 28
7. tcpdump -i eth0 src host 192.168.59.11 and dst port 22 -c 500 -w ssh.pcap
8. tcpdump -i eth0 tcp port 22 -n -nn -l > tcp.dump
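Reading the redirected text back for analysis, as an added example that is not part of the original page: the Python below parses lines in the `tcpdump -nn -l` format (as written to tcp.dump in example 8) and applies the flag letters from the TCP flag table above (S, S., ., R) to count, per client address, SYNs sent, handshakes completed and SYNs answered with RST. The sample lines are constructed rather than a real capture, reuse the 192.168.59.0/24 range from the examples, and assume the bracketed "Flags [S.]" layout printed by current tcpdump versions (older versions print bare flag letters, which this parser does not handle).

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -l` output (not a real capture); flag letters as in the table above.
SAMPLE = """\
09:39:20.101001 IP 192.168.59.11.40000 > 192.168.59.1.22: Flags [S], seq 1000, win 64240, length 0
09:39:20.101200 IP 192.168.59.1.22 > 192.168.59.11.40000: Flags [S.], seq 2000, ack 1001, win 65160, length 0
09:39:20.101300 IP 192.168.59.11.40000 > 192.168.59.1.22: Flags [.], ack 1, win 502, length 0
09:39:20.105000 IP 192.168.59.11.40000 > 192.168.59.1.22: Flags [P.], seq 1:42, ack 1, win 502, length 41
09:39:21.000000 IP 192.168.59.11.40001 > 192.168.59.1.22: Flags [S], seq 3000, win 64240, length 0
09:39:21.000100 IP 192.168.59.1.22 > 192.168.59.11.40001: Flags [R.], seq 0, ack 3001, win 0, length 0
"""

# One TCP line as printed with -nn: timestamp, "IP" or "IP6", src.port > dst.port, bracketed flag set.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]+)\]"
)

def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags) for a TCP line, or None for ARP/UDP/other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), m.group("flags"))

def summarize(text):
    """Per client address: SYNs sent, handshakes completed (S -> S. -> .), SYNs answered by RST."""
    syns, completed, refused = Counter(), Counter(), Counter()
    state = {}  # (client_ip, client_port) -> "syn" or "synack"
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, sport, dst, dport, flags = rec
        if "S" in flags and "." not in flags:          # client's initial SYN
            syns[src] += 1
            state[(src, sport)] = "syn"
        elif "S" in flags:                             # server's SYN/ACK back to the client
            if state.get((dst, dport)) == "syn":
                state[(dst, dport)] = "synack"
        elif "R" in flags:                             # RST answering a pending SYN: port closed
            if state.pop((dst, dport), None) == "syn":
                refused[dst] += 1
        elif flags == "." and state.get((src, sport)) == "synack":  # third handshake step
            completed[src] += 1
            del state[(src, sport)]                    # later pure ACKs are data flow, not handshake
    return {"syn": dict(syns), "completed": dict(completed), "refused": dict(refused)}
```

A client address whose SYN count keeps growing while completed stays near zero is the pattern worth alerting on when reviewing such a dump.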
---------------------------------------
1. Capture all packets on eth1
tcpdump -i eth1 -w /tmp/xxx.cap
2. Capture packets to or from 192.168.1.123
tcpdump -i eth1 host 192.168.1.123 -w /tmp/xxx.cap
3. Capture port 80 traffic of 192.168.1.123
tcpdump -i eth1 host 192.168.1.123 and port 80 -w /tmp/xxx.cap
4. Capture ICMP packets of 192.168.1.123
tcpdump -i eth1 host 192.168.1.123 and icmp -w /tmp/xxx.cap
5. Capture packets of 192.168.1.123 other than those on ports 80, 25 and 110
tcpdump -i eth1 host 192.168.1.123 and ! port 80 and ! port 25 and ! port 110 -w /tmp/xxx.cap
6. Capture port 80 packets on VLAN 1 (the vlan keyword must come first: it shifts the decoding offsets for the rest of the expression)
tcpdump -i eth1 vlan 1 and port 80 -w /tmp/xxx.cap
---------------------------------------
1. Note that parentheses in a tcpdump filter must be escaped for the shell, \( \)
tcpdump -i eth0 dst host 192.168.59.htm and tcp
tcpdump -i eth0 dst host 192.168.59.htm and tcp and dst port 22
tcpdump -i eth0 dst net 192.168.59.0/24 and tcp and dst port 22
tcpdump -i eth0 host \( 192.168.59.1 or 192.168.59.htm \) and tcp
---------------------------------------
A. To capture all packets received or sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
B. To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (parentheses on the command line must be escaped):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
C. To capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D. To capture the telnet packets received or sent by host 210.27.48.1:
# tcpdump tcp port 23 and host 210.27.48.1
E. Monitor UDP port 123 on the local machine (123 is the NTP service port):
# tcpdump udp port 123
F. Monitor only the packets of the host named hostname, which can be the local machine or any computer on the network. The following command captures all data sent by hostname:
# tcpdump -i eth0 src host hostname
G. The following command monitors all packets sent to hostname:
# tcpdump -i eth0 dst host hostname
H. Packets passing through a given gateway can also be monitored:
# tcpdump -i eth0 gateway Gatewayname
I. To monitor the TCP or UDP packets destined for a given port on hostname:
# tcpdump -i eth0 host hostname and port 80