Tcpdump, a packet capture tool in linux

The packet capture tool tcpdump in linux. The packet capture tool has two advantages: one is snort and the other is tcpdump. this time, we don't mention snort. Although the tool is powerful, it is complicated, and tcpdump is relatively simple. Tcpdumpwindows and tcpdump
 
 
This article describes the packet capture tool in linux.
 
The packet capture tool has two advantages: one is snort and the other is tcpdump. this time, we don't mention snort. Although the tool is powerful, it is complicated, and tcpdump is relatively simple. Tcpdump for windows and linux. You can download the linux version from www.tcpdump.org.
 
After tcpdump is installed, run tcpdump:
 
1. tcpdump-D: get the network adapter list. The following is the result obtained on windows:
 
1. \ Device \ PssdkLoopback (PSSDK Loopback Ethernet Emulation Adapter)
2. \ Device \ {CF587901-C85F-4FD6-896F-D977DEFE76EC} (Intel (R) PRO/100 VE Network Co
Nnection)
 
 
 
 
2. tcpdump-I <需要监控的网络适配器编号> For example, if you want to monitor lo (127.0.0.1), that is, 1. \ Device \ PssdkLoopback: (exclusive to windows, not applicable to linux)
 
Tcpdump-I 1
 
 
 
 
If you do not use-I to define the monitoring adapter, the first one in the list is used by default;
 
3. the monitoring host is the tcp protocol of port 8000 on port 192.9.200.59:
 
Tcpdump host 192.9.200.59 and tcp port 8000
 
 
 
 
4. if you want to display the data packet content, you need to use the-X parameter. for example, I want to display the captured http packet http header content:
 
Tcpdump-X host 192.9.200.59 and tcp port 8000
 
 
 
 
The result is as follows:
 
22:13:19. 717472 IP testhost59.12535> liujuan59.8000:. (329) ack 1 win 327
8
0x0000: 4500 0171 e616 0000 8006 cb2b 0000 0000 E. q... + ....
0x0010: c009 c83b 30f7 1f40 0000 0002 0000 0002 ......; 0 ..@........
0x0020: 5010 8000 b066 0000 504f 5354 202f 2048 P... f... POST ../. H
0x0030: 5454 502f 312e 310d 0a43 6f6e 7465 6e74 TTP/1 .. Content
0x0040: 2d54 7970 653a 2074 6578 742f 786d 6c3b-Type:. text/xml;
0x0050: 2063. c
 
 
 
 
The result shows that only part of the http header is displayed, but not all is displayed, because tcpdump truncates the displayed data length by default. you can add the data length after-s, to set the data display length:
 
Tcpdump-X-s 0 host 192.9.200.59 and tcp port 8000
 
 
 
 
In the preceding example,-s 0 indicates that the length is automatically set to show all data.
 
5. if too much data is captured and the screen is constantly refreshed, you may need to record the data content to the file. you need to use the-w parameter:
 
Tcpdump-X-s 0-w aaa host 192.9.200.59 and tcp port 8000
 
 
 
 
Then, the content displayed on the screen is written to the aaa file under the Directory of the tcpdump executable file.
 
To view the file, use the-r parameter:
 
Tcpdump-X-s 0-r aaa host 192.9.200.59 and tcp port 8000
 
 
 
 
Write the following statement:
 
Tcpdump-r aaa
 
 
 
 
You can only see the simplest data transmission interaction process, but not the data packet content. you also need to use the corresponding parameters when viewing the data packet.
 
6. Summary
 
To sum up, the parameters of tcpdump are divided into two parts: Options and expressions ):
 
Tcpdump [-adeflnNOpqRStuvxX] [-ccount]
[-Cfile_size] [-Ffile]
[-Iinterface] [-mmodule] [-rfile]
[-Ssnaplen] [-Ttype] [-wfile]
[-Ealgo: secret] [expression]
 
From fallenleaves