Tcpdump parameter and usage introduction

Source: Internet
Author: User

Original address:


-A converts the network address and broadcast address into a name;
-D gives the code of the matching packets in a compiled format that people can understand;
-DD the code of the matching packet is given in the format of the C Language Program section;
-DDD the code for matching packets is given in decimal form;
-e Prints the header information of the data link layer in the output line;
-F Prints the external Internet address as a digital form.
-L causes the standard output to become the buffer line form;
-N Do not convert the network address into a name;
-T does not print timestamps on each line of the output;
-V outputs a slightly specific message. For example, in the IP packet can contain TTL and service type of information;
-VV output the specific message information;
-C After the number of packets that are specified is received. Tcpdump will cease;
-F reads the expression from the specified file, ignoring the other expressions;
-i specifies the network interface to listen on.
-R reads packets from the specified file (these packages are typically generated via the-w option);
-W writes the package directly to the file and does not parse and print it;
-T directly interprets the heard packet as a specified type of message, common types are RPC (remote Procedure Call) and SNMP (Simple Network Management Protocol)
-P Specify protocol Tcp,udp,icmp,arp
-s Specifies the size of the capture number of packets, in bytes, by default 96 Max 65536

Keyword can be used:
Protocol,-P TCP,UDP,ICMP,ARP, etc.
Packet: DST,SRC,PORT,DST port,src port,host
Operator: OR and not (!)
Multiple conditions: DST \ ( or \) with parentheses and \ Escape
When sniffing, it must be placed in promiscuous mode to sniff, and the system will have logging
grep "Promiscuous"/var/log/messages//Promiscuous mode
The general output information for TCP packets captured with Tcpdump is:
Src.port > Dst.port:flags data-seq ack win urgent options
Src.port > Dst.port: Source addresses. Source port to destination address. Destination Port
FLAGS:TCP the flag information in the package, S is the SYN flag, F (FIN), P (PUSH)
R (RST) "." (not marked)

DATA-SEQ: Is the sequence number in the packet (sequential numbers)
Ack:acknowledge Number (Confirmation)
window is the size of the form that receives the cache,
Urgent indicates whether there is an emergency pointer in the packet.
Note TCP flag bit:
SYN (Synchronous establish online) ACK (acknowledgement acknowledgement)

PSH (push transfer) FIN (finish end) RST (reset reset) URG (Urgent emergency)

To view ICMP packets:
1,tcpdump-i eth0-p ICMP (and src

To view a broadcast package:

2,tcpdump-i eth0-p Broadcast

View ARP Packets

3,tcpdump-i eth0-p ARP

4,tcpdump-x-I eth0-p TCP port 21//Sniffing 21 ports data and unpacking
Get FTPPassword instance:
Tcpdump-x-I eth0-p TCP port > 21.log &
Cat 21.log | grep "User\."
Cat 21.log | grep "Pass\."
More accurate sniffing:
Sniff packets from to for 21:

Tcpdump-i eth0-x-tnn-p TCP and src and DST and Port 21

5.tcpdump-x-n-p TCP DST port 80//sniff 80 port data and unpack (add-t will not show time)

6.tcpdump-i eth0 Host hosts

7,//sniffing packets from to or

Tcpdump-i eth0-tnn src and DST \ ( or \)

8, the use of tcpdump statistics of various types of data packages:
Count the number of IP connections in 1000 packets and sort them in order from many to fewer, listing the top 3
Tcpdump-i Ethp-tnn-c 1000 | Awk-f "." "{print $". " $ "." $ "." $4} ' | Sort | Uniq-c |sort-nr | Head-n 3//by the big to the small smooth
Ordered and ranked out with three names
Tcpdump-i Ethp-tnn-c 1000 | Awk-f "." "{print $". " $ "." $ "." $4} ' | Sort | uniq-c | awk ' $ > 100 '//show more than 100 packets
Sort: sorted-nr from big to small-rn to big
Uniq-c: Filter repeatedly and print repeated lines in front of
awk ' $ > 100 ': Assuming that the number of the parameters is greater than 100

Head-n 3: Show first 3 rows

9,tcpdump-i ETH0-TNN host and-p TCP or UDP or ICMP//sniffer all TCP,UDP,ICMP message does not convert network name (heightening speed)

10, Sniff dhcpserver IP (capture illegal DHCP Server):
Tcpdump-i ETH0-TNN Port 67
Then dhclient eth0 to make a DHCP request, seize the DHCP server IP address
Or look directly at it cat/var/messages | grep "DHCPACK from"

Tcpdump parameter and usage introduction (Turn)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.