To prevent crawlers on unscrupulous websites from scraping this article, its source is marked here: Laplacedemon/sjq.
http://www.cnblogs.com/shijiaqi1066/p/3898248.html
Overview
tcpdump is the standard Linux packet-capture command-line tool; it is powerful and easy to use. It is built on the underlying libpcap library and must be run with root privileges.
Basic usage and Command Options
For example, to capture all packets received and sent by the host:
Command: tcpdump
Note:
By default, tcpdump prints only the packet headers.
Basic format of each output line: time, packet type, source IP.port (or protocol), a ">" arrow, destination IP.port (or protocol), followed by the details.
Press Ctrl+C to stop tcpdump; capture statistics are printed on exit.
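As an added example (not part of the original post), here is a small Python parser for the one-line output format just described, run over constructed sample lines. It assumes IPv4 lines in the default summary format, with or without -n and -tttt; IPv6 endpoints contain colons and are not handled.

```python
import re

# Default one-line summary format: <time> <type> <src>[.<port>] > <dst>[.<port>]: <details>
# <time> is HH:MM:SS.usec, or "YYYY-MM-DD HH:MM:SS.usec" when -tttt is used.
_LINE_RE = re.compile(
    r"^(?P<ts>(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<type>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):?\s*(?P<details>.*)$"
)
_BARE_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def split_endpoint(endpoint, has_port):
    """Split 'host.port' as tcpdump prints it. The port is the last dot-separated
    field: a number with -nn, otherwise possibly a service name such as 'http'."""
    if not has_port or _BARE_IPV4.match(endpoint):
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line):
    """Parse one summary line into a dict; returns None for lines without the
    'src > dst' shape (ARP lines, the closing statistics line, ...)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    details = m["details"]
    # TCP details start with 'Flags [...]', UDP with 'UDP,'; ICMP endpoints carry no port.
    has_port = details.startswith(("Flags [", "UDP,"))
    src, sport = split_endpoint(m["src"], has_port)
    dst, dport = split_endpoint(m["dst"], has_port)
    return {"ts": m["ts"], "type": m["type"], "src": src, "src_port": sport,
            "dst": dst, "dst_port": dport, "details": details}

# Constructed sample output (not a real capture): -n line, -tttt line with a resolved
# name, an ICMP line, an ARP line and the final statistics line.
SAMPLE = """\
14:02:11.532917 IP 192.168.1.113.54321 > 192.168.1.112.80: Flags [S], seq 1, win 64240, length 0
2014-08-08 14:02:11.600101 IP shi-pc.53412 > 192.168.1.1.53: UDP, length 41
14:02:12.000000 IP 192.168.1.113 > 192.168.1.112: ICMP echo request, id 1, seq 1, length 64
14:02:12.100000 ARP, Request who-has 192.168.1.112 tell 192.168.1.113, length 28
4 packets captured
"""

def count_by_dst_port(text):
    """Count parsable packets per destination port ('-' when the protocol has none)."""
    counts = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            key = pkt["dst_port"] or "-"
            counts[key] = counts.get(key, 0) + 1
    return counts
```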
Viewing the options
Command: tcpdump -h
The output line "tcpdump version 4.1-PRE-CVS_2012_03_26" shows the tool version.
The line "libpcap version 1.4.0" shows the libpcap version.
Options:
-a  Attempt to convert network and broadcast addresses to names.
-c  Stop after receiving the specified number of packets.
-d  Dump the compiled packet-matching code in a human-readable form and exit.
-dd  Dump the packet-matching code as a C program fragment.
-ddd  Dump the packet-matching code as decimal numbers.
-e  Print the link-layer (data link) header on each output line.
-f  Print "foreign" Internet addresses numerically rather than symbolically.
-l  Make standard output line-buffered.
-n  Print IP addresses as numbers instead of resolving them to names.
-nn  Also print port numbers instead of service names.
-t  Do not print a timestamp on each output line.
-v  Slightly more verbose output; for example, IP packets show TTL and type-of-service information.
-vv  Even more verbose output.
-F file  Read the filter expression from the specified file and ignore any expression on the command line.
-i interface  Listen on the specified network interface.
-r file  Read packets from the specified file (normally one produced with -w).
-w file  Write the raw packets to the file instead of parsing and printing them.
-T type  Interpret the captured packets as the specified type; common types include rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).
Limit the number of captured packets: -c
For example, capture 2 packets:
Command: tcpdump -c 2
Note:
tcpdump exits after the second packet and prints the statistics automatically.
Write the captured packets to a file: -w
Use the -w option to specify the record file.
Command: tcpdump -c 10 -w tcpdump_test.log
Note:
The saved file is not in text format and cannot be viewed directly. The tcpdump (pcap) file format is understood by almost all mainstream packet-capture tools, so a user-friendly graphical tool can be used to inspect the record file.
Read a record file: -r
Use the -r option to read a saved file.
Command: tcpdump -r tcpdump_test.log
List all usable interfaces: -D
Command: tcpdump -D
(Note the uppercase D; lowercase -d dumps the compiled filter instead.) In this example the listed interfaces are eth0 and eth1.
Select the network interface: -i
Command: tcpdump -i eth0
Show more detailed packet information: -v, -vv
The -v and -vv options print more detailed information about each captured packet.
Do not reverse-resolve names: -n
With -n, tcpdump prints IP addresses directly instead of resolving them to domain names (similar to the -n option of the netstat command).
Print full timestamps: -tttt
With the -tttt option, each captured packet is printed with the date as well as the time:
Command: tcpdump -tttt
Conditional Filtering
Filter: specify the protocol to capture
tcpdump can capture only packets of a given protocol. Supported protocol keywords include ip, ip6, arp, tcp, udp, wlan and others.
Command:
tcpdump udp
tcpdump icmp
tcpdump tcp
tcpdump arp
Filter: specify a port number for the protocol
Use the port keyword to specify a port number.
Command: tcpdump tcp port 80
Use the portrange keyword to specify a port range.
Command: tcpdump tcp portrange 1-1024
Filter: specify the source and destination
src selects the source; dst selects the destination.
Command:
tcpdump src port 8080
tcpdump dst port 80
Filter: capture only the packets of a specific host
Use host to specify the host to monitor.
Command: tcpdump host 192.168.1.113
Note: host also accepts a computer name or domain name, for example tcpdump host Shi-PC; in that case the -n option cannot be used.
Filter: specify the packet size
Use greater (larger than) and less (smaller than) to restrict the packet size.
For example, capture only packets larger than 1000 bytes:
Command: tcpdump greater 1000
For example, capture only packets smaller than 10 bytes:
Command: tcpdump less 10
View the complete packet content
By default tcpdump does not display the packet payload.
Method 1: use the -A option to print each packet in ASCII.
For example, capture a single packet and display its content:
Command: tcpdump -c 1 -A
Method 2: use the -X option to print each packet in hexadecimal and ASCII.
For example, capture a single packet and display its content:
Command: tcpdump -c 1 -X
Logical expressions
Combine the basic conditions with logical operators to build more precise filters.
Logical AND: use and.
Command:
tcpdump tcp and host 192.168.1.112
tcpdump tcp and src 192.168.1.112 and port 8080
Logical OR: use or.
Command:
tcpdump host 192.168.1.112 or 192.168.1.113
Logical NOT: use not, or equivalently !.
When ! is used, it must be separated from the following word by a space.
For example, when tcpdump is run over an SSH session, the SSH packets are usually excluded so that they do not flood the output.
Command:
tcpdump not tcp port 22
tcpdump ! tcp port 22
Parentheses
Parentheses must be quoted or escaped; otherwise the shell reports an error.
For example, capture packets to or from host 192.168.1.112 or 192.168.1.113, excluding TCP port 22.
Command:
tcpdump not tcp port 22 and host \( 192.168.1.112 or 192.168.1.113 \)
tcpdump "not tcp port 22 and host (192.168.1.112 or 192.168.1.113)"
tcpdump not tcp port 22 and host "(192.168.1.112 or 192.168.1.113)"