tcpdump parameters and usage (repost)
Source: http://dogdogcom.blog.51cto.com/2402458/490398
tcpdump parameters
-a converts network addresses and broadcast addresses into names;
-d dumps the compiled packet-matching code in a human-readable assembly-like form;
-dd dumps the packet-matching code as a C program fragment;
-ddd dumps the packet-matching code as decimal numbers;
-e prints the link-layer header on each output line;
-f prints foreign Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert network addresses into names;
-t does not print a timestamp on each output line;
-v prints slightly more detail; for IP packets this includes the TTL and the type of service;
-vv prints detailed packet information;
-c stops tcpdump after the specified number of packets has been received;
-F reads the filter expression from the specified file and ignores any other expression;
-i specifies the network interface to listen on;
-r reads packets from the specified file (such files are normally produced with the -w option);
-w writes the raw packets to a file without analyzing or printing them;
-T interprets the captured packets as the specified type; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol);
-p specifies the protocol: tcp, udp, icmp, arp;
-s specifies how many bytes of each packet to capture (the snapshot length), in bytes; the default is 96 and the maximum is 65536.
Available keywords:
Protocol: -p tcp, udp, icmp, arp, etc.
Packet fields: dst, src, port, dst port, src port, host
Operators: or, and, not (!)
Multiple conditions: dst \( 172.16.1.1 or 172.16.1.13 \); the group is enclosed in parentheses, which must be escaped with \ for the shell
To sniff, the interface has to be in promiscuous mode, and the system writes a log entry when that happens:
grep "promiscuous" /var/log/messages   // promiscuous mode
A TCP packet captured with tcpdump is usually printed in this form:
src.port > dst.port: flags data-seq ack win urgent options
src.port > dst.port: source address.source port to destination address.destination port
flags: the TCP flag bits in the packet; S is SYN, F is FIN, P is PUSH, R is RST, "." means no flag letter is set
data-seq: the sequence number of the packet
ack: the acknowledgement number
win: the size of the receive window
urgent: whether the packet carries an urgent pointer
TCP flag bits, for reference:
SYN (synchronize) ACK (acknowledgement)
PSH (push) FIN (finish) RST (reset) URG (urgent)
View ICMP packets:
1. tcpdump -i eth0 -p icmp (and src 192.168.1.xxx)
View broadcast packets:
2. tcpdump -i eth0 -p broadcast
View ARP packets:
3. tcpdump -i eth0 -p arp
4. tcpdump -X -i eth0 -p tcp port 21   // sniff port 21 traffic and dump the packet contents
Example of obtaining an FTP password:
tcpdump -X -i eth0 -p tcp port 21 > 21.log &
cat 21.log | grep "USER \."
cat 21.log | grep "PASS \."
More precise sniffing:
Sniff packets from 172.16.1.1 to 172.16.1.2 on port 21:
tcpdump -i eth0 -X -tnn -p tcp and src 172.16.1.1 and dst 172.16.1.2 and port 21
5. tcpdump -X -n -p tcp dst port 80   // sniff port 80 traffic and dump the contents (adding -t suppresses the timestamp)
6. tcpdump -i eth0 host 202.96.128.68   // restrict to one host
7. // sniff packets from 172.16.1.2 to 172.16.1.1 or 172.16.1.13
tcpdump -i eth0 -tnn src 172.16.1.2 and dst \( 172.16.1.1 or 172.16.1.13 \)
8. Use tcpdump to gather statistics:
// Count the IP addresses among 1000 captured packets, sort the counts from largest to smallest and list the top three
tcpdump -i eth0 -tnn -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -n 3   // sort from largest to smallest and list three
tcpdump -i eth0 -tnn -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk '$1 > 100'   // show addresses with more than 100 packets
sort: sort -nr from large to small, -rn from small to large
uniq -c: collapse duplicate lines and print the repeat count in front of each
awk '$1 > 100': keep the line if the first field (the count) is greater than 100
head -n 3: show the first three lines
9. tcpdump -i eth0 -tnn host 192.168.1.100 and -p tcp or udp or icmp   // sniff all tcp, udp and icmp packets without resolving network names (faster)
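The output format described above and the counting pipeline of step 8 can both be exercised without a live capture. The script below is an added example, not part of the original post: it embeds a constructed sample of `tcpdump -tnn` output and assumes the "IP src.port > dst.port: Flags [..], ..." line layout of current tcpdump versions (the post's pipeline was written for the older layout without the leading "IP" word, which is why the source address is taken from field 2 here rather than field 1). The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse and summarise tcpdump output offline.
# Assumes the "IP src.port > dst.port: Flags [..], ..." layout printed by `tcpdump -tnn`
# on current tcpdump versions.

# Constructed sample of `tcpdump -i eth0 -tnn` output (six lines, made up for this example).
SAMPLE='IP 172.16.1.2.54321 > 172.16.1.1.21: Flags [S], seq 1, win 64240, length 0
IP 172.16.1.1.21 > 172.16.1.2.54321: Flags [S.], seq 100, ack 2, win 65535, length 0
IP 172.16.1.2.54321 > 172.16.1.1.21: Flags [.], ack 101, win 64240, length 0
IP 172.16.1.13.40000 > 172.16.1.1.80: Flags [S], seq 5, win 29200, length 0
IP 172.16.1.2.54322 > 172.16.1.1.80: Flags [S], seq 9, win 64240, length 0
IP 192.168.1.100.2049 > 172.16.1.1.33000: Flags [P.], seq 1:11, ack 1, win 100, length 10'

# Print "src dst flags" for every TCP line: drop the ':' after the destination and the
# "[...]," around the flag letters (S = SYN, F = FIN, P = PUSH, R = RST, "." = ACK only).
tcp_summary() {
  awk '$1 == "IP" && $5 == "Flags" {
    dst = substr($4, 1, length($4) - 1)
    flags = substr($6, 2, length($6) - 3)
    print $2, dst, flags
  }'
}

# Reduce each line to its source IP (field 2 minus the trailing port),
# the same job as the post's awk -F"." '{print $1"."$2"."$3"."$4}' step.
src_ips() {
  awk '$1 == "IP" { split($2, a, "."); print a[1] "." a[2] "." a[3] "." a[4] }'
}

# Top-N source addresses by packet count, most active first (step 8, first pipeline).
top_sources() {
  src_ips | sort | uniq -c | sort -nr | head -n "${1:-3}"
}

# Source addresses whose packet count exceeds a threshold (step 8, awk '$1 > 100', threshold as $1).
sources_over() {
  src_ips | sort | uniq -c | awk -v t="$1" '$1 > t'
}

# Count bare SYNs (no ACK): a high number from one source is the first sign of a SYN flood.
syn_only_count() {
  tcp_summary | awk '$3 == "S"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | top_sources 3
printf '%s\n' "$SAMPLE" | sources_over 2
printf 'SYN-only packets: %s\n' "$(printf '%s\n' "$SAMPLE" | syn_only_count)"
```

To run it against a real capture, replace the `printf '%s\n' "$SAMPLE"` producer with `tcpdump -i eth0 -tnn -c 1000`; on the sample, 172.16.1.2 is the only source with more than two packets and three of the six lines are bare SYNs.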
10. Find the IP address of the DHCP server (to catch a rogue DHCP server):
tcpdump -i eth0 -tnn port 67
Then run dhclient eth0 to send a DHCP request; the answer reveals the DHCP server's address.
Or read the log directly: cat /var/log/messages | grep "DHCPACK from"
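The log check in step 10 only tells you which server answered; what matters on a segment is whether anything other than the one legitimate server answers. The script below is an added example, not from the original post: it applies the `grep "DHCPACK from"` idea to a constructed log excerpt and compares every acknowledging server against an expected address passed as an argument. It assumes dhclient syslog lines of the form "... dhclient[pid]: DHCPACK from <ip>", and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): flag DHCPACKs from a server other than the
# one expected on this segment. Assumes the "DHCPACK from <ip>" wording quoted in the post.

# Constructed log excerpt (made up for this example; two different servers answer).
DHCP_LOG='Jan  1 10:00:01 host dhclient[1234]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
Jan  1 10:00:02 host dhclient[1234]: DHCPOFFER from 192.168.1.1
Jan  1 10:00:02 host dhclient[1234]: DHCPACK from 192.168.1.1
Jan  1 12:00:02 host dhclient[1234]: DHCPOFFER from 192.168.1.254
Jan  1 12:00:02 host dhclient[1234]: DHCPACK from 192.168.1.254'

# Every distinct server that sent a DHCPACK (the post's grep reduced to bare addresses).
dhcp_servers_seen() {
  grep -o 'DHCPACK from [0-9.]*' | awk '{ print $3 }' | sort -u
}

# Servers other than the expected one ($1); any output means a second DHCP server is active.
unexpected_dhcp_servers() {
  dhcp_servers_seen | awk -v ok="$1" '$1 != ok'
}

# Exit 0 when only the expected server answered, 1 otherwise (usable from cron or a monitor).
check_dhcp() {
  extra=$(unexpected_dhcp_servers "$1")
  [ -z "$extra" ] && return 0
  printf 'unexpected DHCP server(s): %s\n' "$extra"
  return 1
}

printf '%s\n' "$DHCP_LOG" | check_dhcp 192.168.1.1 || echo 'rogue DHCP server suspected'
```

On a real host, feed `check_dhcp` from `grep dhclient /var/log/messages` instead of the embedded excerpt; the exit status makes it easy to raise an alert from a scheduled job.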
How does tcpdump on Linux display packet contents, and which parameters are used? For example:
The capture command tcpdump tcp -A port 22 -w a.cap stores the packet contents in a.cap. The .cap file is binary and has to be opened with the Ethereal tool.