TCPDUMP command details

Source: Internet
Author: User


I have been using tcpdump in my work for a while, and it is very convenient. Today, on a whim, I searched Baidu for tcpdump usage, only to find that it has so many powerful functions I did not know about; quite a sweat. This document is a backup to record some newly learned usage. If any of you know other usages, tell me and I will add them in time to enrich it. Haha! My mailbox: rick1026zhang@gmail.com. Enough nonsense, straight to the subject. (In the original post the commands and their explanations are in red, and the parameter values of the commands are in italic.)

Let's start with the most basic usage:

tcpdump -i eth0

Here eth0 is the parameter value, indicating the network interface on which to capture packets. This is a required parameter. tcpdump supports many keywords; let's look at several examples:

(Example 1) tcpdump -i eth0 host 192.168.0.250
Capture all packets on interface eth0 whose host address is 192.168.0.250.

(Example 2) tcpdump -i eth0 net 192.168.0.0/24
Capture all packets on interface eth0 whose network address is 192.168.0.0/24.

(Example 3) tcpdump -i eth0 port 80
Capture all packets on interface eth0 with port 80 (note: source and destination port are not distinguished here).

Of course, you can also specify the source port or destination port:

(Example 4) tcpdump -i eth0 src port 80 and dst port 6100
Capture packets on eth0 whose source port is 80 and whose destination port is 6100. The logical operator "and" is used here; it is introduced below.

(Example 5) tcpdump -i eth0 icmp
Capture all ICMP packets on interface eth0.

The examples above roughly show the basic usage of tcpdump. In fact, tcpdump's keywords fall into three main classes. The first class is the type keywords: host, net and port, as in examples (1), (2) and (3) above. The second class is the direction keywords: src, dst, src or dst, and src and dst, which specify the transmission direction, as in example (4). The third class is the protocol keywords: fddi, ip, arp, rarp, tcp, udp, icmp and so on, as in example (5). Besides these three classes there are other important keywords such as gateway, broadcast, less and greater, and three logical operators: negation is written "not" or "!", conjunction is written "and" or "&&", and disjunction is written "or" or "||". These keywords can be combined into powerful compound conditions that meet our needs.

First, let's look at tcpdump's specific options and what they mean:

-i: specify the network interface tcpdump listens on
-s: specify the snapshot length, i.e. how many bytes of each packet to capture
-c: specify the number of packets to capture; once that many packets have been captured, tcpdump stops automatically
-w: write the captured packets to a file and save them
-A: print each captured packet in ASCII
-n: do not resolve host names, so addresses in each packet are displayed as IP addresses
-nn: do not resolve host names or port names, so addresses are displayed as IP addresses and ports as port numbers
-e: print the link-layer header of each captured packet, including source MAC, destination MAC and the network-layer protocol
-p: do not put the interface into promiscuous mode (note that this is not a substitute for the filter "ether host <own MAC> or ether broadcast")
-r: read packets from a file instead of an interface
-S: print absolute TCP sequence numbers rather than relative ones

OK, that is it for the options. Let's look at a few concrete examples:

tcpdump -i eth0 -s 1400 -nn -e host 192.168.0.250 and ! 192.168.0.74 and icmp
Capture ICMP packets to or from 192.168.0.250, excluding those to or from 192.168.0.74, and print the link-layer header (-e). Options such as -e must come before the filter expression.

tcpdump -i eth0 -s 1400 -nn tcp and \( host 192.168.0.250 and ! 192.168.0.74 \)
Capture all TCP packets on eth0 between 192.168.0.250 and any host other than 192.168.0.74. Brackets are used here; note that brackets must be escaped when a tcpdump expression is typed into the shell.

tcpdump -i eth0 ether host 00:21:85:6C9:A3
Capture all packets on eth0 whose source MAC address or destination MAC address is 00:21:85:6C9:A3 (ether host X is shorthand for ether src X or ether dst X). Note that the MAC address must be written as colon-separated octets.
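To make the three keyword classes and the logical operators concrete, here is an added Python model of the filter semantics (not code from the original post, and not tcpdump's own BPF compiler) that evaluates the post's example expressions over a few constructed packet records; the Packet class, the predicate helpers and the sample traffic are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # protocol keyword: "tcp", "udp", "icmp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    sport: int = 0  # 0 = no port (e.g. ICMP)
    dport: int = 0

def _pick(direction, at_src, at_dst):
    """Direction keywords: src, dst, or the default 'src or dst'."""
    return {"src": at_src, "dst": at_dst}.get(direction, at_src or at_dst)

# Type keywords (host, net, port), each optionally qualified by direction.
def host(addr, direction="both"):
    return lambda p: _pick(direction, p.src == addr, p.dst == addr)

def net(cidr, direction="both"):
    n = ipaddress.ip_network(cidr)
    return lambda p: _pick(direction, ipaddress.ip_address(p.src) in n,
                           ipaddress.ip_address(p.dst) in n)

def port(num, direction="both"):
    return lambda p: _pick(direction, p.sport == num, p.dport == num)

def proto(name):  # protocol keyword
    return lambda p: p.proto == name

def AND(*fs): return lambda p: all(f(p) for f in fs)  # and / &&
def OR(*fs): return lambda p: any(f(p) for f in fs)   # or / ||
def NOT(f): return lambda p: not f(p)                 # not / !

def apply_filter(pred, packets):
    return [p for p in packets if pred(p)]

# Constructed sample traffic, not taken from the post.
PACKETS = [
    Packet("tcp", "192.168.0.250", "10.0.0.5", 80, 6100),  # web server reply
    Packet("tcp", "10.0.0.5", "192.168.0.250", 6100, 80),  # request to web server
    Packet("icmp", "192.168.0.250", "192.168.0.74"),
    Packet("icmp", "192.168.0.250", "192.168.0.10"),
    Packet("udp", "172.16.1.1", "8.8.8.8", 53000, 53),     # outside 192.168.0.0/24
]

EXAMPLE_3 = port(80)                                 # either direction matches
EXAMPLE_4 = AND(port(80, "src"), port(6100, "dst"))  # directional, matches less
# the post's later filter: host 192.168.0.250 and ! 192.168.0.74 and icmp
ICMP_EXAMPLE = AND(host("192.168.0.250"), NOT(host("192.168.0.74")), proto("icmp"))
```

Running apply_filter with EXAMPLE_3 returns both TCP packets, while EXAMPLE_4 returns only the reply, which is the difference between example (3) and example (4) above.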
