Using the packet capture tool tcpdump and the packet analysis tool Wireshark in Linux

tcpdump filter expressions are built from three kinds of keywords.

(1) The first kind specifies the type: host, net and port. For example, host 210.27.48.2 specifies that 210.27.48.2 is a host, net 202.0.0.0 specifies that 202.0.0.0 is a network address, and port 23 specifies port number 23. If no type is given, host is assumed.

(2) The second kind specifies the transmission direction: src, dst, dst or src, and dst and src. For example, src 210.27.48.2 specifies that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 specifies that the destination network address is 202.0.0.0. If no direction keyword is given, src or dst is assumed.

(3) The third kind is the protocol keyword: fddi, ip, arp, rarp, tcp, udp and others. fddi refers to a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; it is in fact an alias for ether. fddi and ether packets have similar source and destination addresses, so an fddi packet can be processed and analyzed in the same way as an ether packet. The other keywords name the protocol of the packets to listen for. If no protocol is specified, tcpdump listens to the packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions. Several examples follow.
By default, starting tcpdump without any arguments monitors all packets flowing through the first network interface.

A. tcpdump -i eth0 -c 10
The -i parameter specifies the network interface tcpdump listens on, which is useful when the machine has several interfaces; -c specifies the number of packets to capture; -w writes the captured packets to a file.

B. To capture the traffic between host 172.16.14.107 and host 172.16.14.27 or 172.16.14.99: tcpdump host 172.16.14.107 and \( 172.16.14.27 or 172.16.14.99 \)
The parentheses are escaped so that the shell passes them through to tcpdump.

C. To capture the IP packets that host 172.16.14.107 exchanges with every host except 172.16.14.27: tcpdump ip host 172.16.14.107 and ! 172.16.14.27
Here "! 172.16.14.27" is short for "not host 172.16.14.27", because tcpdump reuses the most recent keyword; in an interactive bash shell, quote the expression so that "!" is not taken as history expansion.

D. To capture the telnet packets received or sent by host 172.16.14.107: tcpdump tcp port 23 and host 172.16.14.107

E. To monitor UDP port 123 of the local machine (123 is the NTP service port): tcpdump udp port 123

F. To monitor only the packets of the host named hostname, which can be the local host or any computer on the network. The following command captures all packets sent by the host hostname: tcpdump -i eth0 src host hostname

G. The following command captures all packets sent to the host hostname: tcpdump -i eth0 dst host hostname
# src is the source, that is, the sender
# dst is the destination, that is, the receiver

H. Packets can also be selected by the gateway they pass through: tcpdump -i eth0 gateway Gatewayname

I. To capture the TCP or UDP packets of a host on a specified port: tcpdump -i eth0 host hostname and port 80

J. To list only the packets sent to port 80, use dst port 80; to see only the packets returned from port 80, use src port 80:
tcpdump -i eth0 host hostname and dst port 80 (destination port is 80)
or
tcpdump -i eth0 host hostname and src port 80 (source port is 80)
Port 80 is generally the port on which a host provides HTTP service.

tcpdump prints each packet in the following format: system time, source host.port > destination host.port, followed by the packet details.

To analyze the packets with Wireshark instead, save them to a file: tcpdump -i eth0 -c 100 -s 0 -w /home/data.pcap
(-s 0 captures each packet in full rather than only its first bytes, so Wireshark can decode the whole payload.) Then open the file directly: wireshark /home/data.pcap
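As an added example (not part of the original page), a small Python parser for the "time source.port > destination.port" output format described above, with tcpdump-style src/dst selection applied to constructed sample lines; it assumes tcpdump was run with -n so that hosts and ports are printed numerically.

```python
import re
from collections import Counter

# Constructed sample lines (made up for this example, not a real capture) in the shape tcpdump -n prints.
SAMPLE_OUTPUT = """\
10:15:01.102345 IP 172.16.14.107.51234 > 172.16.14.27.23: Flags [S], seq 100, win 64240, length 0
10:15:01.102901 IP 172.16.14.27.23 > 172.16.14.107.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
10:15:02.500000 IP 172.16.14.99.40001 > 172.16.14.107.80: Flags [P.], seq 1:80, ack 1, win 502, length 79: HTTP: GET / HTTP/1.1
10:15:03.000000 IP 172.16.14.107.123 > 172.16.14.1.123: NTPv4, Client, length 48
10:15:03.250000 ARP, Request who-has 172.16.14.1 tell 172.16.14.107, length 28
"""

LINE_RE = re.compile(  # time, "IP", src.sport > dst.dport: ... (numeric form produced by -n)
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return a record for an IP line, or None for lines printed in another shape (ARP etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def parse_output(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def _field_ok(rec, src_key, dst_key, want, direction):
    # Mirror the keywords: "src" tests the source field only, "dst" the destination only, default either.
    if want is None:
        return True
    if direction == "src":
        return rec[src_key] == want
    if direction == "dst":
        return rec[dst_key] == want
    return want in (rec[src_key], rec[dst_key])

def select(records, host=None, host_dir="src or dst", port=None, port_dir="src or dst"):
    """Keep records matching e.g. host X and dst port 80 (the given primitives are AND-ed)."""
    return [r for r in records
            if _field_ok(r, "src", "dst", host, host_dir)
            and _field_ok(r, "sport", "dport", port, port_dir)]

def senders_to_port(records, port):
    """Count the source hosts that sent packets to a destination port (23 = telnet)."""
    return Counter(r["src"] for r in records if r["dport"] == port)
```

Feeding it a saved text capture (tcpdump -n ... > capture.txt) gives a quick per-host view of who is talking to a service port such as telnet, which the raw one-line-per-packet output does not show directly.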