tcpdump Usage Summary

Source: Internet
Author: User

Packet capture is often required during network testing. Many tools are available for it, such as Sniffer and Ethereal, but tcpdump is the most convenient and simplest, and it ships with almost every Linux distribution. tcpdump puts the network interface into promiscuous mode so that it receives every packet on the segment, not only those addressed to the local host. Some common tcpdump options are:

-i <interface>: listen on the specified network interface
-v: verbose mode, print more detail about each packet
-vv: even more verbose output
-x: print the packet data in hexadecimal
-X: print the packet data in ASCII (tcpdump prints the hex dump alongside it)
-n: do not resolve IP addresses to host names via DNS during the capture
-F <file>: read the filter expression from the specified file
-D: list the available network interfaces
-s <length>: set the number of bytes captured from each packet (the snapshot length)


tcpdump filter expressions:

By default tcpdump captures every packet that arrives at the interface. That is rarely what we want, so a filter expression is used to exclude unwanted traffic and print only the packets we are interested in.


1. Type qualifiers

The type qualifiers are host, port and net. host specifies a host address (source or destination), port specifies a port, and net specifies a subnet. For example:

tcpdump 'port 80'              listens on port 80

tcpdump 'net 192.168.1'        listens to the subnet 192.168.1.0/24

tcpdump 'net 192.168.1.0/24'   the same subnet written in CIDR notation


2. Logical operators

The logical operators are and, or and not; parentheses group sub-expressions, so several conditions can be combined into one filter:

tcpdump 'port 80 and (host 192.168.1.10 or host 192.168.1.11)'

captures port 80 traffic to or from host 192.168.1.10 or host 192.168.1.11.


3. Direction qualifiers

The keywords src and dst restrict a qualifier to the source or the destination side respectively (src 192.168.1.10 is shorthand for src host 192.168.1.10):

tcpdump 'port 80 and (src 192.168.1.10 or src 192.168.1.11)'   port 80 traffic sent by 192.168.1.10 or 192.168.1.11

tcpdump 'dst port 25'                                           packets whose destination port is 25


4. Protocol qualifiers

Protocol qualifiers restrict the capture to one protocol: ether (Ethernet), tcp, udp, icmp, ip, ip6 (IPv6), arp and rarp (reverse ARP).


5. Primitives

Other primitives include the arithmetic and relational operators (+, -, *, /, >, <, >=, <=, !=) and the keywords broadcast, gateway, greater and less.

broadcast matches broadcast packets; greater N and less N match packets whose length is >= N or <= N respectively.


Examples:

// capture all traffic on port 20000 of the local machine (loopback interface) and save it to a file
// (options such as -w are placed before the filter expression)
tcpdump -s 0 -i lo -w /tmp/20000.pcap port 20000

// capture the port 7001 traffic of host 10.8.2.181 seen on eth0 and save it to a file
tcpdump -i eth0 -s 0 -w /tmp/syrk.pcap host 10.8.2.181 and port 7001
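To see what each of the expressions from sections 1 to 4 actually selects without a live interface, here is an added example (not from the original page, and not libpcap's BPF compiler) that evaluates the filter subset described above (host, net, port, src/dst, protocol names, and/or/not with parentheses) against a few constructed packets; Packet, compile_filter, matching and the sample addresses are this example's own assumptions.

```python
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "proto srcaddr dstaddr srcport dstport")  # stand-in for one captured packet

def compile_filter(expr):
    """Compile a tcpdump-style filter (the subset described above) into a Packet -> bool predicate."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").lower().split()
    def primitive(tok):
        direction = tok if tok in ("src", "dst") else None
        if direction:  # 'src 1.2.3.4' is shorthand for 'src host 1.2.3.4'
            tok = toks.pop(0) if toks and toks[0] in ("host", "net", "port") else "host"
        if tok in ("tcp", "udp", "icmp", "arp"):
            return lambda p: p.proto == tok
        val = toks.pop(0)  # with src/dst only that side is compared; otherwise either side matches
        fields = [d + ("port" if tok == "port" else "addr") for d in ([direction] if direction else ["src", "dst"])]
        if tok == "port":
            return lambda p: int(val) in [getattr(p, f) for f in fields]
        if tok in ("host", "net"):  # 'net 192.168.1' is shorthand for 192.168.1.0/24; a host is a /32
            cidr = val if tok == "host" or "/" in val else val + ".0" * (3 - val.count(".")) + "/%d" % (8 * (val.count(".") + 1))
            net = ipaddress.ip_network(cidr, strict=False)
            return lambda p: any(ipaddress.ip_address(getattr(p, f)) in net for f in fields)
        raise ValueError("unsupported primitive: " + tok)
    def factor():
        tok = toks.pop(0)
        if tok == "not":
            return (lambda inner: lambda p: not inner(p))(factor())
        if tok == "(":
            inner = parse_or()
            if toks.pop(0) != ")": raise ValueError("missing ')'")
            return inner
        return primitive(tok)
    def chain(op, sub):  # left-associative 'op' chain; 'and' binds tighter than 'or', as in tcpdump
        fn = sub()
        while toks and toks[0] == op:
            toks.pop(0)
            fn = (lambda l, r: lambda p: (l(p) and r(p)) if op == "and" else (l(p) or r(p)))(fn, sub())
        return fn
    parse_or = lambda: chain("or", lambda: chain("and", factor))
    pred = parse_or()
    if toks: raise ValueError("unexpected token: " + toks[0])
    return pred

PACKETS = [  # constructed sample traffic, not a real capture: proto, src, dst, sport, dport
    Packet("tcp", "192.168.1.10", "10.8.2.181", 51000, 80),
    Packet("tcp", "192.168.1.11", "10.8.2.181", 51001, 7001),
    Packet("tcp", "172.16.0.5", "192.168.1.10", 40000, 80),
    Packet("icmp", "10.8.2.181", "192.168.1.10", 0, 0),
]
def matching(expr, packets=PACKETS):
    pred = compile_filter(expr)  # indexes of the packets the expression would let tcpdump print
    return [i for i, p in enumerate(packets) if pred(p)]
```

Running matching("port 80 and (host 192.168.1.10 or host 192.168.1.11)") returns [0, 2], while the src form returns [0] only, which is exactly the difference between sections 2 and 3 above.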
