Tcpdump captures packets based on the mac address, tcpdumpmac
1. When tcpdump is just started, the command tcpdump-I eth1 host 192.168.1.1 is commonly used to capture packet information based on the IP address.
Tcpdump-I eth1 (Interface Name) host 192.168.1.1 (computer ip address)
2. In the analysis of customers' networks, tcpdump software is often used on the device, and wireshark software on the PC end is used to check and analyze customers' network conditions.
At this time, the common tcpdump parameter is:
Tcpdump-I eth1-nn (no address resolution)-s0 (no restriction on the length of captured packets)-v (more details are displayed. You can add two more) -e (List link layer headers)-c 20 (capture a specified number of packets. For example, if 20 packets are written here, the system stops capturing 20 packets)
If the-n parameter is not added, the captured data packet will display the host name or domain name information, and the port will also be displayed as a related service. For example, if port 80 is captured, it will be displayed as http
If the-s0 parameter is not added, only one part (68 bytes) is captured by default, the data packet is opened in wireshark, and the data packet is incomplete.
3. When analyzing problems such as dhcp packet interaction (IP address delivery) and arp attacks, it involves capturing the link layer header, that is, the mac address. The capture command is
Tcpdump-I eth1 ether src 6c: 41: 6a: ac: 11: 42-c 10 // ON THE eth1 interface, capture the source mac address 6c: 41: 6a: ac: 01: 42. The number of data packets is 10.