Tcpdump command parameters and application instances

Source: Internet
Author: User
Tcpdump is a packet analysis tool that captures packets on the network according to a user-defined filter. It can capture the complete headers of the packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you strip out useless information.

Options:
-a converts network and broadcast addresses into names;
-d prints the compiled packet-matching code in a human-readable form;
-dd prints the packet-matching code as a C program fragment;
-ddd prints the packet-matching code as decimal numbers;
-e prints the data link layer header on each output line;
-f prints foreign Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert addresses into names;
-t prints no timestamp on each output line;
-v prints slightly more detailed output; for example, IP packets show the ttl and type of service;
-vv prints even more detailed output;
-c stops tcpdump after receiving the specified number of packets;
-F reads the filter expression from the specified file and ignores any expression given on the command line;
-i specifies the network interface to listen on;
-r reads packets from the specified file (usually one written with the -w option);
-w writes the raw packets directly into a file instead of parsing and printing them;
-T forces the captured packets to be interpreted as the specified type. Common types include rpc (remote procedure call) and snmp (Simple Network Management Protocol).

1. Start:
tcpdump
By default, tcpdump listens on the first network interface, for example eth0.
2. Monitor packets on a specified network interface:
tcpdump -i eth1
3. Packets of a specified host:
tcpdump host dev211
4. Packets of a specified IP address:
tcpdump host 192.168.0.99
tcpdump host 192.168.0.99 and \( 192.168.0.98 or 192.168.0.97 \)
5. Capture data sent by a host:
tcpdump -i eth0 src host hostname
6. Capture data received by a host:
tcpdump -i eth0 dst host hostname
7. Capture packets of a given host and port:
tcpdump tcp port 23 and host 192.168.0.211
tcpdump udp port 123
8. Capture HTTP packets:
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'
(0x4745 is the ASCII "GE" of a GET request and 0x4854 the "HT" of an HTTP response; offset 20 assumes a TCP header without options, so the filter is quoted to keep the shell from expanding the brackets.)
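The `tcp[20:2]` test in item 8 only works when the TCP header carries no options. The following added example (not from the original article) builds constructed TCP segments in Python and compares the page's fixed-offset check with one that reads the real payload start from the data-offset field, the equivalent of `tcp[((tcp[12]&0xf0)>>2):2]` in tcpdump syntax; the ports, sequence numbers and option bytes are dummy values chosen for the example.

```python
import struct

# The two-byte prefixes matched by the page's filter:
# 0x4745 = "GE" (GET request), 0x4854 = "HT" (HTTP/1.x response).
HTTP_PREFIXES = {0x4745, 0x4854}


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a minimal TCP segment (header + options + payload).
    Constructed for this example: ports, seq/ack, window and checksum are dummies."""
    if len(options) % 4 != 0:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = (20 + len(options)) // 4      # header length in 32-bit words
    offset_flags = (data_offset_words << 12) | 0x018  # data offset + PSH|ACK flags
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, offset_flags, 65535, 0, 0)
    return header + options + payload


def fixed_offset_match(segment: bytes) -> bool:
    """What the page's filter does: compare tcp[20:2] with the HTTP prefixes.
    It silently assumes a 20-byte header, i.e. no TCP options."""
    if len(segment) < 22:
        return False
    return struct.unpack("!H", segment[20:22])[0] in HTTP_PREFIXES


def payload_offset_match(segment: bytes) -> bool:
    """Same test, but at the real payload start taken from the data-offset
    field (high nibble of byte 12, in 32-bit words)."""
    if len(segment) < 20:
        return False
    start = (segment[12] >> 4) * 4
    if len(segment) < start + 2:
        return False
    return struct.unpack("!H", segment[start:start + 2])[0] in HTTP_PREFIXES


if __name__ == "__main__":
    plain = build_tcp_segment(b"GET / HTTP/1.1\r\n")
    # NOP, NOP, timestamp option (kind 8, length 10): 12 bytes, as most Linux stacks send
    with_opts = build_tcp_segment(b"GET / HTTP/1.1\r\n", b"\x01\x01\x08\x0a" + b"\x00" * 8)
    print("no options :", fixed_offset_match(plain), payload_offset_match(plain))
    print("with options:", fixed_offset_match(with_opts), payload_offset_match(with_opts))
```

On a real capture most GET requests carry the timestamp option, so the fixed-offset filter misses them while the data-offset-aware one still matches.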

Instances:
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -n 10
(lists the ten source IP addresses that sent the most packets to port 80 among the first 1000 captured)
/usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL'
(writes the raw packets sent to a MySQL server on port 3306 to standard output and shows the SQL statements that travel in clear text)