Tcpdump parameter usage

Source: Internet
Author: User
(1) tcpdump options

The following describes how to use tcpdump. Option letters are case-sensitive; the list covers the options discussed in the original article (a few, such as -a, exist only in older tcpdump releases).

-a attempts to convert network and broadcast addresses to names (older releases only);
-d dumps the compiled packet-matching code in a human-readable, assembler-like form; -dd dumps it as a C program fragment; -ddd dumps it as decimal numbers;
-e prints the data-link-layer header (MAC addresses and frame type) on each output line;
-f prints "foreign" IPv4 addresses numerically rather than symbolically;
-l makes standard output line-buffered, which matters when tcpdump is piped into another program;
-n does not convert addresses to names;
-t does not print a timestamp on each output line;
-v prints slightly more verbose output, for example the TTL and type of service of IP packets; -vv prints still more detail;
-c stops tcpdump after receiving the specified number of packets;
-F reads the filter expression from the specified file and ignores any expression given on the command line;
-i selects the network interface to listen on (uppercase -I is a different option in current tcpdump and puts the interface into monitor mode);
-r reads packets from the specified file (normally one produced with -w);
-w writes the raw packets to a file instead of printing them;
-T interprets captured packets as the specified type; common values are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

(2) tcpdump filter expressions

The expression is not a regular expression: it is a packet filter (BPF) expression, and tcpdump uses it as the condition for selecting packets. A packet that satisfies the expression is captured; if no expression is given, every packet seen on the interface is captured. Expressions are built from three kinds of keywords.

The first kind is the type keyword: host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host address, net 202 says that 202.0.0.0/8 is a network, and port 23 says that the port number is 23. If no type is given, host is assumed. A caveat for net: unless a mask is given explicitly, tcpdump derives it from the number of dotted components, so net 202.0.0.0 is a /32 and behaves like a host match, whereas net 202 or net 202.0.0.0/8 selects the whole network.

The second kind is the direction keyword: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 says that the source IP address is 210.27.48.2, and dst net 202 says that the destination address lies in network 202.0.0.0/8. If no direction is given, src or dst is assumed.

The third kind is the protocol keyword: fddi, ip, arp, rarp, tcp, udp and others. fddi refers to frames on an FDDI (Fiber Distributed Data Interface) network and is in fact an alias of ether: FDDI and Ethernet frames carry comparable source and destination addresses, so FDDI frames are parsed and analyzed like Ethernet frames. The other protocol keywords restrict the capture to that protocol. If no protocol is given, tcpdump captures packets of every protocol.

Besides these three kinds, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation, written not or !; conjunction, written and or &&; and disjunction, written or or ||. Combining them gives filter conditions of any complexity. A few examples follow.

A) To capture every packet sent or received by host 210.27.48.1:
tcpdump host 210.27.48.1

B) To capture the traffic between host 210.27.48.1 and either host 210.27.48.2 or host 210.27.48.3 (parentheses must be escaped or quoted on the shell command line):
tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

C) To capture the IP packets exchanged between host 210.27.48.1 and every host other than 210.27.48.2 (note that 210.27.48.1 is present in every captured packet; the filter does not mean "all hosts except these two"):
tcpdump ip host 210.27.48.1 and ! 210.27.48.2

D) To capture the telnet packets sent or received by host 210.27.48.1:
tcpdump tcp port 23 and host 210.27.48.1

(3) tcpdump output

Below, the output of several typical tcpdump commands is explained. The lines come from an older tcpdump release on Linux, which printed the interface followed by a direction marker ("eth0 <" for a received packet, "eth0 >" for a sent one) after the timestamp; current releases omit that prefix and print, for example, "IP" and "Flags [.]" instead, but the fields mean the same thing.

A) Data-link-layer header information, produced with the command tcpdump -e host ice. ice is a Linux host with MAC address 0:90:27:58:af:1a; h219 is a Sun workstation running Solaris with MAC address 8:0:20:79:5b:46. The command printed:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12.847509 is the timestamp, hours:minutes:seconds followed by the microsecond fraction (it is not an ID). eth0 < means the packet was received on interface eth0; eth0 > would mean it was sent from that interface. 8:0:20:79:5b:46 is the MAC address of h219, the source of the frame; 0:90:27:58:af:1a is the MAC address of ice, its destination. ip says the frame carries an IP packet, and 60 is the frame length in bytes. h219.33357 > ice.telnet says the segment goes from port 33357 on h219 to the telnet port (23) on ice, and 0:0(0) says it carries no data. ack 22535 acknowledges all data before sequence number 22535, i.e. 22535 is the next byte h219 expects to receive. win 8760 is the receive window h219 advertises (how many bytes it is prepared to accept), and (DF) means the don't-fragment bit is set in the IP header.

B) ARP packets, produced with the command tcpdump arp:

22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

Analysis: 22:32:42.802509 is the timestamp, again with a microsecond fraction. eth0 > means the packet was sent from this host. arp who-has route tell ice is an ARP request: ice is asking for the MAC address of the host route, and 0:90:27:58:af:1a is the MAC address of ice. The second line, received on eth0, is the ARP reply in which route answers that its MAC address is 0:90:27:12:10:66.

C) TCP packets. The general form of a TCP output line is:

src > dst: flags data-seqno ack window urgent options

src > dst gives the source and destination as host.port. flags shows the TCP flags: S for SYN, F for FIN, P for PUSH, R for RST, and "." when none of these is set. data-seqno gives the sequence-number range of the data carried in the segment, in the form first:last(length). ack is the sequence number the sender expects to receive next. window is the receive window the sender advertises. urgent appears when the urgent pointer is set, and options lists any TCP options (for example the maximum segment size carried in a SYN).

D) UDP packets. The general form of a UDP output line is:

route.port1 > ice.port2: udp length

UDP is simple: the line above is a UDP packet from port port1 on host route to port port2 on host ice, and length is the length of the UDP data.

Note: a commonly used invocation is sudo tcpdump -s 0 -nX host 172.27.193.234 -i eth1, which captures whole packets (-s 0), prints addresses numerically (-n) and dumps each packet in hex and ASCII (-X); add -w followed by a file name to save the raw capture for analysis in Wireshark.
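To make the filter semantics in section (2) concrete, here is an added example that is not code from the original article or from the tcpdump project: a small Python evaluator for the subset of filter syntax described above (protocol, direction and type qualifiers joined by not/!, and/&&, or/|| with parentheses), run against a constructed list of packets. The Packet model, the PORT_NAMES table and the sample traffic are assumptions made for this example; real tcpdump compiles the expression into a BPF program that the kernel applies to each packet. The example runs the four commands A) to D) and also shows why net 202.0.0.0 matches nothing that net 202 matches.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the fields the filter primitives above can test."""
    proto: str            # "tcp", "udp", "icmp" or "arp"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols that carry no ports
    dport: int = 0


# Protocol keyword -> Packet.proto values it covers ("ip" covers everything carried in IP).
PROTOCOLS = {"ip": ("tcp", "udp", "icmp"), "tcp": ("tcp",), "udp": ("udp",),
             "icmp": ("icmp",), "arp": ("arp",)}
PORT_NAMES = {"telnet": 23, "http": 80, "domain": 53, "ssh": 22}  # assumed subset of /etc/services
DIRECTIONS = ("src", "dst")
TYPES = ("host", "net", "port")
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z0-9_./]+")


def parse_net(value):
    """tcpdump's rule: an explicit /len wins; otherwise each dotted component adds 8 mask bits,
    so 'net 202' is 202.0.0.0/8 but 'net 202.0.0.0' is a /32, i.e. a host match."""
    if "/" in value:
        return ipaddress.ip_network(value, strict=False)
    octets = value.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


class FilterParser:
    """Recursive-descent parser for [proto] [direction] [type] value primitives joined by
    not/!, and/&&, or/|| (binding in that order) with parentheses for grouping."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self, ahead=0):
        i = self.pos + ahead
        return self.toks[i] if i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        pred = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return pred

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            pred = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("missing closing parenthesis")
            return pred
        protos = None
        if tok in PROTOCOLS:                          # "tcp port 23", "ip host X", or bare "arp"
            protos = PROTOCOLS[tok]
            if self.peek() not in DIRECTIONS + TYPES:
                return lambda p: p.proto in protos
            tok = self.take()
        mode = "either"                               # tcpdump's default direction: src or dst
        if tok in DIRECTIONS:
            mode = tok
            if self.peek() in ("or", "and") and self.peek(1) in DIRECTIONS:
                mode = "either" if self.take() == "or" else "both"   # "src or dst" is one qualifier
                self.take()
            tok = self.take()
        kind = "host"                                 # tcpdump's default type: host
        if tok in TYPES:
            kind = tok
            tok = self.take()
        if tok is None or tok in ("(", ")"):
            raise SyntaxError("qualifier without a value")
        if kind == "port":
            port = int(tok) if tok.isdigit() else PORT_NAMES[tok]
            fields = lambda p: ((p.sport == port, p.dport == port)
                                if p.proto in ("tcp", "udp") else (False, False))
        elif kind == "net":
            network = parse_net(tok)
            fields = lambda p: (ipaddress.ip_address(p.src) in network,
                                ipaddress.ip_address(p.dst) in network)
        else:
            fields = lambda p: (p.src == tok, p.dst == tok)

        def primitive(p):
            if protos is not None and p.proto not in protos:
                return False
            s, d = fields(p)                          # does the value match the src / dst side?
            return {"src": s, "dst": d, "either": s or d, "both": s and d}[mode]
        return primitive


def select(expr, packets):
    """Return the packets a tcpdump run with this filter expression would capture."""
    pred = FilterParser(expr).parse()
    return [p for p in packets if pred(p)]


# Constructed sample traffic modelled on the hosts used in examples A) to D).
SAMPLE = [
    Packet("tcp", "210.27.48.1", "210.27.48.2", 33357, 23),   # telnet, .1 -> .2
    Packet("tcp", "210.27.48.3", "210.27.48.1", 41000, 80),   # http, .3 -> .1
    Packet("udp", "210.27.48.1", "210.27.48.9", 51000, 53),   # dns, .1 -> .9
    Packet("tcp", "202.0.5.7", "210.27.48.2", 40000, 22),     # ssh from the 202/8 network
    Packet("arp", "210.27.48.1", "210.27.48.2"),              # arp carries no ports
]

if __name__ == "__main__":
    for expr in ("host 210.27.48.1", "host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)",
                 "ip host 210.27.48.1 and ! 210.27.48.2", "tcp port 23 and host 210.27.48.1",
                 "net 202.0.0.0", "net 202"):
        print(f"{expr!r}: {len(select(expr, SAMPLE))} packet(s)")
```

Example C) is the instructive one: against the sample traffic it keeps only the packets that involve 210.27.48.1 and not 210.27.48.2, dropping the ARP packet because of the ip qualifier. The Python string needs no escaping of the parentheses; on a shell command line they do.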
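The output formats in section (3) are what an analyst has to parse when all that survives of a capture is the text transcript. The following is an added example, not code from the original article or from the tcpdump project: a Python parser for the older-format lines discussed above, covering the interface and direction prefix, the -e link-layer fields, and TCP, UDP and ARP lines. The first three sample lines are reconstructed from the output shown on this page; the last two are constructed to exercise the UDP shape and a SYN carrying a TCP option. The field names in the returned dictionaries are my own choice.

```python
import re

# Regex fragments for the older tcpdump line shapes shown on this page: a timestamp, the
# interface with a direction marker ("<" received, ">" sent) and, only with -e, the two
# MAC addresses, the frame type and the frame length.
TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})"
IFACE = r" (?P<iface>\S+) (?P<dir>[<>])"
LINK = r"(?: (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) (?P<ltype>\w+) (?P<flen>\d+):)?"
ENDPOINTS = r" (?P<src>[^\s:]+) > (?P<dst>[^\s:]+):?"

ARP_RE = re.compile(TS + IFACE + LINK + r" arp (?:who-has (?P<target>\S+) tell (?P<sender>\S+)"
                    r"|reply (?P<replier>\S+) is-at (?P<mac>[0-9a-f:]+))")
UDP_RE = re.compile(TS + IFACE + LINK + ENDPOINTS + r" udp (?P<ulen>\d+)")
TCP_RE = re.compile(TS + IFACE + LINK + ENDPOINTS +
                    r"(?: (?P<flags>[SFPR.]+))?(?: (?P<seq>\d+):(?P<seqend>\d+)\((?P<datalen>\d+)\))?"
                    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?"
                    r"(?: (?P<trailer>.+))?$")
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST"}   # "." means no flag bit set


def _common(m):
    """Fields every line carries. The digits after the dot are the microsecond fraction
    of the timestamp, not a packet ID."""
    hms, usec = m.group("ts").split(".")
    rec = {"time": hms, "usec": int(usec), "iface": m.group("iface"),
           "direction": "in" if m.group("dir") == "<" else "out"}
    if m.group("smac"):                      # present only when tcpdump ran with -e
        rec.update(src_mac=m.group("smac"), dst_mac=m.group("dmac"),
                   frame_type=m.group("ltype"), frame_len=int(m.group("flen")))
    return rec


def _endpoint(ep):
    """'h219.33357' -> ('h219', '33357'); service names such as 'telnet' are kept as printed."""
    host, _, port = ep.rpartition(".")
    return host, port


def _int_or_none(value):
    return int(value) if value is not None else None


def parse_line(line):
    """Classify one output line and return its fields, or None if the line is not recognised.
    UDP is tried before TCP because everything after the endpoints is optional in a TCP line."""
    m = ARP_RE.match(line)
    if m:
        rec = _common(m)
        if m.group("target"):
            rec.update(proto="arp", op="request", target=m.group("target"), sender=m.group("sender"))
        else:
            rec.update(proto="arp", op="reply", sender=m.group("replier"), sender_mac=m.group("mac"))
        return rec
    m = UDP_RE.match(line) or TCP_RE.match(line)
    if not m:
        return None
    rec = _common(m)
    rec["src_host"], rec["src_port"] = _endpoint(m.group("src"))
    rec["dst_host"], rec["dst_port"] = _endpoint(m.group("dst"))
    if "ulen" in m.groupdict():
        rec.update(proto="udp", udp_len=int(m.group("ulen")))
        return rec
    rec.update(proto="tcp",
               flags=[FLAG_NAMES[c] for c in (m.group("flags") or ".") if c != "."],
               seq=_int_or_none(m.group("seq")),
               data_len=_int_or_none(m.group("datalen")) or 0,
               ack=_int_or_none(m.group("ack")),     # next sequence number the sender expects
               win=_int_or_none(m.group("win")),     # receive window the sender advertises
               urg=_int_or_none(m.group("urg")),
               trailer=m.group("trailer"))           # TCP options such as <mss 1460>, or the IP (DF) flag
    return rec


def parse_lines(lines):
    """Parse a whole transcript, skipping lines the regexes do not recognise."""
    return [rec for rec in map(parse_line, lines) if rec]


# First three lines reconstructed from this page; the last two are constructed.
SAMPLE_LINES = [
    "21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
    "22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)",
    "21:50:13.101200 eth0 > ice.1025 > route.domain: udp 37",
    "21:50:14.000001 eth0 > ice.40001 > h219.ssh: S 1000:1000(0) win 8760 <mss 1460>",
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec)
```

Because tcpdump resolves names unless run with -n, the host and port fields come back as whatever tcpdump printed (ice, telnet); run the capture with -nn when you want numeric values you can compare directly.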