Installation: yum install tcpdump
Capture the packets of a single host by IP address:
tcpdump host 192.168.0.123
A TCP connection is established with the three-way handshake, so a capture of a new connection also starts with it; the flags of the first three packets are:
[S], [S.], [.]
cron can be used to run captures on a schedule.
Capture command:
tcpdump -c 100000 -w /home/kang/desktop/test.txt -n
Note: captures 100,000 packets and saves them to test.txt; -n means source and destination addresses are not resolved through DNS.
Read the file:
tcpdump -r /home/kang/desktop/test.txt -X -vv
Note: -r reads packets from a file, -X prints packet contents in hex and ASCII, and -vv prints more detailed packet information.
Parameters:
-i <interface> listen on the given interface
-v verbose output
-vv more verbose output
-x print the packet in hexadecimal
-X print the packet in hexadecimal and ASCII
-n do not resolve addresses through DNS
-F <file> read the filter expression from the given file
-D list the available network interfaces
-s <len> set the snap length (the number of bytes captured per packet)
tcpdump does not fully decode the captured data; most of the packet content is printed directly in hex, so the usual approach is to write the capture to a file with -w, analyze it in Wireshark, and define filter rules so that the captured packets do not fill the entire hard drive.
So that Wireshark recognizes the file, it is best to save it with a .pcap suffix. For example:
tcpdump -nn -s 0 -w wireshark.pcap host 192.168.0.120 and port 80
Parsing HTTP requests with tcpdump:
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
0x4745 is "GE", the first two letters of "GET"; 0x4854 is "HT", the first two letters of "HTTP".
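As an added example (not part of the original post), the following Python applies the page's tcp[20:2] test to a constructed frame and contrasts it with a check that reads the real TCP header length from tcp[12], which also matches segments carrying TCP options such as timestamps. The frames, addresses and helper names are constructed here for illustration.

```python
import struct

ETH_LEN = 14                       # Ethernet II header (what tcpdump -e prints)
HTTP_MARKERS = (0x4745, 0x4854)    # "GE" of GET and "HT" of HTTP, as on the page


def build_frame(payload: bytes, tcp_opts: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame to port 80 (sample data, not a capture)."""
    assert len(tcp_opts) % 4 == 0, "TCP options must pad to 32-bit words"
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    tcp_len = 20 + len(tcp_opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 168, 0, 120]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                      (tcp_len // 4) << 4,            # data offset, in 32-bit words
                      0x18, 65535, 0, 0) + tcp_opts   # PSH|ACK, window, csum, urg
    return eth + ip + tcp + payload


def tcp_header_start(frame: bytes) -> int:
    """Byte offset of tcpdump's tcp[0], after a variable-length IPv4 header."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    return ETH_LEN + ihl


def _word(frame: bytes, i: int):
    """Big-endian 16-bit value at i, or None if the capture is too short (cf. -s 0)."""
    return struct.unpack("!H", frame[i:i + 2])[0] if len(frame) >= i + 2 else None


def page_filter(frame: bytes) -> bool:
    """Literal tcp[20:2]=0x4745 or tcp[20:2]=0x4854: assumes a 20-byte TCP header."""
    w = _word(frame, tcp_header_start(frame) + 20)
    return w is not None and w in HTTP_MARKERS


def option_aware_filter(frame: bytes) -> bool:
    """Same test at the real payload start: tcp[((tcp[12]&0xf0)>>2):2] in tcpdump."""
    t = tcp_header_start(frame)
    data_off = (frame[t + 12] >> 4) * 4
    w = _word(frame, t + data_off)
    return w is not None and w in HTTP_MARKERS


if __name__ == "__main__":
    ts_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8       # NOP, NOP, timestamp option
    req = build_frame(b"GET / HTTP/1.1\r\n", ts_opts)
    print(page_filter(req), option_aware_filter(req))  # False True
```

The second form is what to use in the real filter when the capture shows HTTP traffic the page's expression misses.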
IP/DNS lookup: http://dns.aizhan.com/ queries the domain name and address of a DNS resolution.
Tcpdump Installation and use