Summary of common tcpdump parameters

TCPDUMP packet analysis and its role in server maintenance. The usage of windump is similar. Today, we set up two virtual machines to test tcpdump and test the commands described. To fully understand tcpdump. Vmware is used for centos5 virtual machines. Introduction to tcpdump options-a converts network addresses and broadcast addresses into names;-d analyzes TCPDUMP packets and its role in server maintenance. The usage of windump is similar. Today, especially for testing TcpdumpTwo virtual machines are set up to test the commands. To fully understand Tcpdump. Environment Centos5. vmware is used for virtual machines.

Introduction to tcpdump options

-A converts a network address and broadcast address into a name;
-D. give the code that matches the information package in an assembly format that people can understand;
-Dd provides the code that matches the information package in the format of the C program segment;
-Ddd provides the matching information package code in decimal format;
-E prints the header information of the data link layer in the output line;
-F print the Internet address in numbers;
-L changes the standard output to the buffer row format;
-N does not convert the network address into a name;
-T no timestamp is printed on each output line;
-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information;
-Vv: output detailed message information;
-C. after receiving the specified number of packages, tcpdump stops;
-F read the expression from the specified file and ignore other expressions;
-I indicates the network interface of the listener;
-R reads packets from a specified file (these packets are generally generated using the-w option );
-W directly writes the package into the file and does not analyze or print it out;
-T directly interpret the listening packet as a specified type of message. Common types include rpc (remote process call) and snmp (Simple Network Management Protocol ;)

Tcpdump-nnnv arp is often used to identify the original MAC address of an ARP attack.
Tcpdump-nnnv udp port 53 the DNS server port 53 is used to view the attack source when it is under ARP attacks.
Tcpdump-nnnv udp and not port53 can be used to determine whether there are non-53 ports of large-volume UDP attacks.
Tcpdump-nnnv port 80 and host 192.168.0.1 find the IP packet received or sent from port 80 of 192.168.0.1.
Tcpdump-nnnv ip host 210.27.48.1 and! 210.27.48.2 obtain IP packets for all hosts except 210.27.48.1

Tcpdump-nnnv host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \) intercept communication between the host 210.27.48.1 and the host 210.27.48.2 or 210.27.48.3

Tcpdump-nnnv host! 192.168.15.129 and! 192.168.15.130 and dstport 80
Capture packets except host 192.168.15.129 and 192.168.15.130 and to Port 80 of the local target.

Tcpdump-nnnv src 192.168.15.129 and port 53 capture packets from 192.168.15.129 to port 53 of the local machine. Whether it is UDP or TCP