Original address: http://dogdogcom.blog.51cto.com/2402458/490398
tcpdump
-a converts network and broadcast addresses into names;
-d dumps the compiled packet-matching code in a form people can read;
-dd dumps the packet-matching code as a C program fragment;
-ddd dumps the packet-matching code as decimal numbers;
-e prints the link-layer header on each output line;
-f prints foreign Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert addresses into names;
-t does not print a timestamp on each output line;
-v outputs slightly more detail; for example, for IP packets it can include the TTL and type of service;
-vv outputs even more detail;
-c makes tcpdump stop after the specified number of packets has been received;
-F reads the filter expression from the specified file, ignoring any other expression;
-i specifies the network interface to listen on;
-r reads packets from the specified file (such files are usually produced with the -w option);
-w writes the packets directly to a file instead of parsing and printing them;
-T interprets the captured packets as the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol);
-p specifies the protocol: tcp, udp, icmp, arp;
-s specifies how many bytes of each packet to capture; the default is 96, the maximum 65536.
Keywords that can be used:
Protocol: -p tcp, udp, icmp, arp, etc.
Packet fields: dst, src, port, dst port, src port, host
Operators: or, and, not (!)
Multiple conditions: dst \( 172.16.1.1 or 172.16.1.13 \), grouped with parentheses, which must be escaped with \ for the shell
When sniffing, the interface must be put into promiscuous mode, and the system logs this:
grep "Promiscuous" /var/log/messages    # look for the promiscuous-mode entries
The general output format for a TCP packet captured with tcpdump is:
src.port > dst.port: flags data-seq ack win urgent options
src.port > dst.port: source address and source port, then destination address and destination port
flags: the TCP flag bits in the packet; S is SYN, F is FIN, P is PUSH, R is RST, and "." means no flag is set
data-seq: the sequence number in the packet
ack: the acknowledgement number
win: the size of the receive window (receive buffer)
urgent: whether the packet carries an urgent pointer
Note on the TCP flag bits:
SYN (synchronize, connection establishment), ACK (acknowledgement)
PSH (push), FIN (finish), RST (reset), URG (urgent)
To view ICMP packets:
1. tcpdump -i eth0 -p icmp (and src 192.168.1.xxx)
To view broadcast packets:
2. tcpdump -i eth0 -p broadcast
To view ARP packets:
3. tcpdump -i eth0 -p arp
4. tcpdump -x -i eth0 -p tcp port 21    # sniff port 21 traffic and dump it in hex
Example of capturing an FTP password:
tcpdump -x -i eth0 -p tcp port 21 > 21.log &
cat 21.log | grep "User\."
cat 21.log | grep "Pass\."
More precise sniffing:
Sniff packets from 172.16.1.1 to 172.16.1.2 on port 21:
tcpdump -i eth0 -x -tnn -p tcp and src 172.16.1.1 and dst 172.16.1.2 and port 21
5. tcpdump -x -n -p tcp dst port 80    # sniff port 80 traffic and dump it in hex (adding -t suppresses the timestamps)
6. tcpdump -i eth0 host 202.96.128.68    # a specified host
7. Sniff packets from 172.16.1.2 to 172.16.1.1 or 172.16.1.13:
tcpdump -i eth0 -tnn src 172.16.1.2 and dst \( 172.16.1.1 or 172.16.1.13 \)
8. Using tcpdump to gather statistics on the different kinds of packets:
Count the IP connections in 1000 packets, sort them from most to fewest, and list the top 3:
tcpdump -i eth0 -tnn -c 1000 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -n 3    # sorted from largest to smallest, top 3 listed
tcpdump -i eth0 -tnn -c 1000 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk '$1 > 100'    # show addresses with more than 100 packets
sort: -nr sorts numerically from largest to smallest (-rn is the same)
uniq -c: collapses repeated lines and prefixes each with its repeat count
awk '$1 > 100': keeps lines whose first field (the count) is greater than 100
head -n 3: shows the first 3 lines
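The counting pipeline from item 8, as an added example that is not part of the original post, run over constructed tcpdump -tnn style output so the logic can be checked offline; the sample lines, the function names src_ips, top_talkers and above_threshold, and the thresholds are assumptions made here. It also generalizes the post's awk -F "." split by skipping non-IP lines and stripping the port from the address.

```shell
#!/bin/sh
# Added example, not from the original post. Recreates the item 8 "top talkers"
# count over constructed tcpdump -tnn style output instead of a live capture.
# SAMPLE is constructed for illustration; it is not a real capture.
SAMPLE='IP 172.16.1.2.40012 > 172.16.1.1.21: Flags [S], seq 1, win 64240, length 0
IP 172.16.1.1.21 > 172.16.1.2.40012: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 172.16.1.2.40012 > 172.16.1.1.21: Flags [.], ack 1, win 502, length 0
IP 172.16.1.13.51000 > 172.16.1.1.80: Flags [S], seq 3, win 64240, length 0
IP 172.16.1.13.51001 > 172.16.1.1.80: Flags [S], seq 4, win 64240, length 0
IP 172.16.1.2.40013 > 172.16.1.1.21: Flags [P.], seq 1:14, ack 1, win 502, length 13
ARP, Request who-has 172.16.1.1 tell 172.16.1.13, length 28'

# Print the source IPv4 address of every "IP src.port > dst.port" line on stdin.
# Unlike the awk -F "." split in the post, this skips non-IP lines (the ARP line
# here) and strips the port by removing the last dotted component of field 2.
src_ips() {
    awk '$1 == "IP" { sub(/\.[0-9]+$/, "", $2); print $2 }'
}

# Top N source addresses by packet count, one "count address" pair per line,
# most frequent first (the same sort | uniq -c | sort -nr | head chain as the post).
top_talkers() {
    src_ips | sort | uniq -c | sort -nr | head -n "$1" | awk '{ print $1, $2 }'
}

# Source addresses that sent more than $1 packets (the post's awk '$1 > 100'
# filter, with the threshold taken as a parameter).
above_threshold() {
    src_ips | sort | uniq -c | awk -v t="$1" '$1 > t { print $2 }'
}

printf '%s\n' "$SAMPLE" | top_talkers 3
```

Against a live interface, replace the printf with the post's `tcpdump -i eth0 -tnn -c 1000` and pipe it into top_talkers.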
9. tcpdump -i eth0 -tnn -p host 192.168.1.100 and tcp or udp or icmp    # sniff all TCP, UDP and ICMP packets without converting addresses to names (faster)
10. Sniff the DHCP server's IP (to catch a rogue DHCP server):
tcpdump -i eth0 -tnn port 67
Then run dhclient eth0 to send a DHCP request and capture the DHCP server's IP address.
Or look at it directly: cat /var/log/messages | grep "DHCPACK from"
Introduction to tcpdump parameters and usage (repost)