Syntax:
tcpdump [options] [expression]
Options:
-A: Print each packet (minus its link-level header) in ASCII.
-a: Attempt to convert network and broadcast addresses into names (older tcpdump versions only).
-c <count>: Exit after receiving <count> packets.
-d: Dump the compiled packet-matching code in a human-readable form to standard output and stop.
-dd: Dump the compiled packet-matching code as a C program fragment.
-ddd: Dump the compiled packet-matching code as decimal numbers (preceded by a count).
-e: Print the link-level header on each dump line.
-f: Print "foreign" IPv4 addresses numerically rather than symbolically.
-F <file>: Read the filter expression from <file>; any expression given on the command line is ignored.
-i <interface>: Listen on the specified interface.
-l: Make standard output line-buffered (useful when piping tcpdump into another program).
-n: Do not convert addresses (host addresses, port numbers, etc.) to names.
-nn: Do not convert protocol and port numbers to names either.
-N: Do not print the domain-name qualification of host names (print "nic" rather than "nic.ddn.mil").
-O: Do not run the packet-matching code optimizer.
-p: Do not put the interface into promiscuous mode.
-q: Quick (quiet) output; print less protocol information so the lines are shorter.
-r <file>: Read packets from <file> (created with -w) instead of from an interface.
-s <snaplen>: Capture <snaplen> bytes of data from each packet instead of the default; -s 0 captures whole packets.
-S: Print absolute rather than relative TCP sequence numbers.
-t: Do not print a timestamp on each dump line.
-tt: Print an unformatted timestamp (seconds since the epoch) on each dump line.
-T <type>: Force packets selected by the expression to be interpreted as the specified type (e.g. rpc, snmp).
-v: Verbose output (e.g. TTL, identification, total length and options of IP packets).
-vv: Even more verbose output.
-x: Print each packet (minus its link-level header) in hex; -X prints hex and ASCII side by side.
-w <file>: Write the raw packets to <file> instead of parsing and printing them.
Examples:
Starting tcpdump with no arguments monitors all packets flowing on the first network interface.
Monitor packets on a specified network interface:
tcpdump -i eth1
If no interface is specified, tcpdump only listens on the first (lowest-numbered, non-loopback) network interface, typically eth0; the following examples omit the interface.
Monitoring packets for a specified host
Print all packets entering or leaving the host sundown:
tcpdump host sundown
You can also specify an IP address, for example to capture all packets received or sent by the host 210.27.48.1:
tcpdump host 210.27.48.1
Print packets exchanged between helios and either hot or ace (the parentheses must be escaped from the shell):
tcpdump host helios and \( hot or ace \)
Capture communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3:
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
Print the IP packets that ace exchanges with any other host, excluding those between ace and helios:
tcpdump ip host ace and not helios
To get the IP packets that host 210.27.48.1 exchanges with every host except 210.27.48.2, use:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(In an interactive bash shell "!" triggers history expansion, so either quote the whole expression or write "and not 210.27.48.2".)
Capture all packets sent by host hostname:
tcpdump -i eth0 src host hostname
Capture all packets sent to host hostname:
tcpdump -i eth0 dst host hostname
Monitoring packets for a specified host and port
To get the Telnet (TCP port 23) packets received or sent by host 210.27.48.1, use:
tcpdump tcp port 23 and host 210.27.48.1
Monitor UDP port 123 on this machine (port 123 is the NTP service port):
tcpdump udp port 123
Sniff traffic to port 80 with tcpdump to see which client address sends the most packets (-t suppresses the timestamp and -nn keeps addresses and ports numeric, so the source address is the first dotted field on each line; -c is placed before the filter expression because not every getopt accepts options after it):
# tcpdump -i eth0 -tnn -c 1000 dst port 80 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
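As an added example that is not part of the original post, the following POSIX shell function generalizes the pipeline above: rather than splitting every line on ".", it keys on the source-address field of tcpdump -tnn output and strips the trailing port, so it still works when the address is not the first dotted field and does not print the "IP" prefix. The capture lines are constructed for this example using RFC 5737 documentation addresses, and the function names are this example's own; a live run would pipe `tcpdump -i eth0 -tnn -c 1000 dst port 80` into top_sources instead.

```shell
#!/bin/sh
# Added example: rank client addresses in "tcpdump -tnn" output by packet count.
# Live usage (not run here):  tcpdump -i eth0 -tnn -c 1000 dst port 80 | top_sources 20

# Constructed sample of tcpdump -tnn output (RFC 5737 documentation addresses).
SAMPLE_CAPTURE='IP 203.0.113.5.51234 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
IP 203.0.113.5.51235 > 198.51.100.10.80: Flags [S], seq 2, win 64240, length 0
IP 203.0.113.5.51236 > 198.51.100.10.80: Flags [S], seq 3, win 64240, length 0
IP 192.0.2.77.40000 > 198.51.100.10.80: Flags [P.], seq 1:100, ack 1, win 500, length 99
IP 192.0.2.77.40001 > 198.51.100.10.80: Flags [P.], seq 1:100, ack 1, win 500, length 99
IP 203.0.113.9.2222 > 198.51.100.10.80: Flags [S], seq 9, win 64240, length 0'

# top_sources N: read tcpdump -tnn lines on stdin and print "count address" for
# the N most frequent IPv4 source addresses, most frequent first (default N=20).
top_sources() {
    awk '$1 == "IP" {
            # $2 is "a.b.c.d.port"; drop the trailing ".port" to keep the address
            src = $2
            sub(/\.[0-9]+$/, "", src)
            print src
        }' | sort | uniq -c | sort -rn | head -n "${1:-20}" | awk '{print $1, $2}'
}

# top_source_from_sample: the single busiest address in the constructed sample.
top_source_from_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | top_sources 1 | awk '{print $2}'
}

# count_for ADDRESS: number of sample packets attributed to ADDRESS.
count_for() {
    printf '%s\n' "$SAMPLE_CAPTURE" | top_sources 20 | awk -v a="$1" '$2 == a {print $1}'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | top_sources 20
```

The BPF filter does the heavy lifting in a live run: narrowing to `dst port 80` before the pipeline means only client-to-server packets are counted, and excluding your own monitoring hosts is cheapest in the filter too, e.g. `dst port 80 and not src net 10.0.0.0/8`.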
This article is from the "wsyht" blog; please keep this source when reproducing it: http://wsyht2015.blog.51cto.com/9014030/1790698
tcpdump Command Usage Introduction