Tcpdump Wireshark Practical Filter expressions (for IP, protocol, port, length, and content) examples

Source: Internet
Author: User

Brief introduction

The simple definition of tcpdump is: The dump the traffic on a network, based on the user's definition of the packet interception of packets on the Data Packet Analysis tool. Tcpdump can intercept the "head" of the packets that are transmitted in the network to provide analysis. It supports filtering on the network layer, protocol, host, network, or port, and provides logical statements such as and, or, not, to help you get rid of useless information.

Practical Command Instances

Default startup

Tcpdump

Under normal circumstances, direct start tcpdump will monitor all packets flowing through the first network interface.

Monitoring packets for a specified network interface

Tcpdump-i eth1

If you do not specify a network card, the default tcpdump will only monitor the first network interface, typically eth0, and the following example does not specify a networking interface.

Monitoring packets for a specified host

Print all packets entering or leaving the sundown.

Tcpdump Host Sundown

You can also specify IP, such as intercepting all packets received and emitted by all 210.27.48.1 hosts

Print packets that Helios and hot or communicate with Aces

Tcpdump host Helios and \ (hot or ACE \)

Intercept host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 communication

Prints the IP packets that the ACE communicates with any other host, but does not include packets between the Helios.

Tcpdump IP host ace and not Helios

If you want to get host 210.27.48.1 in addition to the IP packets that communicate with all hosts except host 210.27.48.2, use the command:

Tcpdump IP host 210.27.48.1 and! 210.27.48.2

Intercept all data sent by host hostname

Tcpdump-i eth0 SRC host hostname

Monitor all packets sent to host hostname

Tcpdump-i eth0 DST host hostname

Monitoring packets for a specified host and port

If you want to get the Telnet packet received or issued by the host 210.27.48.1 , use the following command

Tcpdump TCP port and host 210.27.48.1

monitoring the UDP 123 port on this computer 123 service port for NTP

Monitoring packets for a specified network

Print all communication packets between the local host and the host on the Berkeley Network (Nt:ucb-ether, which can be understood here as the network address of the ' Berkeley Network ', the most primitive meaning of which can be expressed as: print all packets with a network address of Ucb-ether)

tcpdump Net Ucb-ether

Print all FTP packets via Gateway Snup (note that the expression is enclosed in quotation marks, which prevents the shell from parsing the parentheses)

Tcpdump ' Gateway Snup and (port ftp or Ftp-data) '

Print all the source or destination addresses are IP packets for the local host

(If the local network is connected to another network through a gateway, the other network does not count as a local network.) (NT: This translation is tortuous and needs to be supplemented). LocalNet to really replace the name of the cost of the network when actually used)

tcpdump IP and not net LocalNet

Monitoring packets for a specified protocol

The start and end packets in the TCP session are printed, and the source or destination of the packets is not a host on the local network. (Nt:localnet, actual use to actually replace the name of the cost of the network))

Tcpdump ' tcp[tcpflags] & (tcp-syn|tcp-fin)! = 0 and not src and DST net localnet '

The print all source or destination port is 80, the Network layer protocol is IPV4, and contains data, not syn,fin and ack-only packets without data. (IPv6 version of the expression can do exercises)

Tcpdump ' TCP port and (((Ip[2:2)-((IP[0]&0XF) <<2)-((tcp[12]&0xf0) >>2))! = 0) '

(NT: It can be understood that ip[2:2] represents the length of the entire IP packet, (IP[0]&0XF) <<2) represents the length of the IP packet header (IP[0]&0XF represents the IHL domain in the package, and the unit of this domain is 32bit, to be converted

The number of bytes needs to be multiplied by 4, that is, shift left by 2. (TCP[12]&0XF0) >>4 represents the length of the TCP header, the units of this domain are also 32bit, converted to bits ((tcp[12]&0xf0) >> 4) << 2,
That is ((tcp[12]&0xf0) >>2). ((Ip[2:2]-((IP[0]&0XF) <<2))-((tcp[12]&0xf0) >>2))! = 0 means: The length of the entire IP packet minus the length of the IP header, minus
The length of the TCP header is not 0, which means that there is really data in the IP packet. For the IPv6 version simply consider the difference between the ' Payload length ' and ' TCP header lengths ' in the IPv6 header, and where the expression ' ip[' ' needs to be ' ip6['.)

The print length exceeds 576 bytes, and the gateway address is an IP packet of Snup

Tcpdump ' Gateway Snup and Ip[2:2] > 576 '

Print all IP-layer broadcast or multicast packets, but not broadcast or multicast datagrams on the physical Ethernet layer

Tcpdump ' ether[0] & 1 = 0 and ip[16] >= 224 '

Print ICMP packets other than the ' echo request ' or ' echo Reply ' type (for example, you need to print all non-ping program-generated packets to be available to this expression.)
(NT: ' Echo reuqest ' and ' echo reply ' These two types of ICMP packets are usually generated by the ping program))

Tcpdump ' icmp[icmptype]! = Icmp-echo and Icmp[icmptype]! = Icmp-echoreply '

Tcpdump and Wireshark

Wireshark (formerly Ethereal) is a very easy-to-use grab tool under Windows. But under Linux it's hard to find a handy graphical grab bag tool.
Fortunately there are tcpdump. We can do this with the perfect combination of Tcpdump + Wireshark: Grab the package in Linux, and then analyze the package in Windows.

Tcpdump tcp-i eth1-t-S 0-c and DST Port! and src net 192.168.1.0/24-w./target.cap

(1) tcp:ip icmp arp rarp and TCP, UDP, ICMP these options are put to the position of the first parameter, to filter the type of the datagram
(2)-I eth1: Only grab packets that pass through the interface eth1
(3)-T: Time stamp not shown
(4)-S 0: The default fetch length is 68 bytes when fetching packets. Plus-S 0 can catch complete packets
(5)-C 100: Fetch only 100 packets
(6) DST Port! 22: Packets that do not crawl the destination port are 22
(7) SRC net 192.168.1.0/24: The source network address of the packet is 192.168.1.0/24
(8)-W./target.cap: Save as a cap file for easy analysis with ethereal (i.e. Wireshark)

Http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html

Http://network.51cto.com/art/200512/15473.htm

Tcpdump Wireshark Practical Filter expressions (for IP, protocol, port, length, and content) examples

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.