Here are nine examples that illustrate the common ways tcpdump is used.
1. Capture on a specific network interface (-i option)
When tcpdump is run with no options it captures packets on all network interfaces; with the -i option we can capture only on a specified interface:
    tcpdump -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size bytes
    10:50:28.607429 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack win 64951
    10:50:28.607436 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 116:232(116) ack 1 win 12864
    10:50:30.384195 ARP who-has 128.128.128.35 tell 128.128.128.35
In the example above, tcpdump captures all packets passing through eth0.
2. Capture a specified number of packets (-c option)
By default tcpdump keeps capturing until it is interrupted with Ctrl+C; with the -c option we can specify how many packets to capture:
    tcpdump -c 2 -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size bytes
    10:58:05.656104 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 1210443473:1210443589(116) ack 2583117929 win 12864
    10:58:05.657074 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack win 65211
    2 packets captured
    6 packets received by filter
    0 packets dropped by kernel
In the example above, only 2 packets are captured on the eth0 interface.
3. Write the captured packets to a file (-w option)
With the -w option we can record the capture in a specified file for later analysis:
    tcpdump -w 20120606.pcap -i eth0
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size bytes
    75 packets captured
    150 packets received by filter
    0 packets dropped by kernel
The capture should be saved with a .pcap suffix so that it can be read and analysed with tools such as Wireshark.
4. Read a tcpdump save file (-r option)
A saved capture file can be read back with the -r option:
    tcpdump -r 20120606.pcap
    reading from file 20120606.pcap, link-type EN10MB (Ethernet)
    11:01:57.392907 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 1210446405:1210446457(52) ack 2583119957 win 12864
    11:01:57.392917 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 52:168(116) ack 1 win 12864
    11:01:57.393649 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack 65327
5. Do not resolve domain names while capturing (-n option)
By default tcpdump resolves the addresses in its output and displays host names instead of IP addresses; with the -n option you can make it display the IP addresses instead.
6. Add a full timestamp to each packet (-tttt option)
With the -tttt option, the capture date is included with each packet in the output:
    tcpdump -n -tttt -i eth0
    2012-06-06 11:14:59.539736 IP 10.71.171.140.22 > 10.70.121.95.1787: P 1:53(52) ack win 7504
    2012-06-06 11:14:59.539754 IP 10.71.171.140.22 > 10.70.121.95.1787: P 53:105(52) ack 11 win 7504
    2012-06-06 11:14:59.539770 IP 10.71.171.140.22 > 10.70.121.95.1787: P 105:157(52) ack win 7504
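The text output shown in the examples above has a regular shape (timestamp, layer-3 keyword, "src > dst:", then flags, sequence range, payload length, ack and window), which makes it easy to post-process when a full-text capture is all you have. The following parser is an added example and is not part of the original page or of tcpdump itself; it handles both the default HH:MM:SS.usec timestamp and the date-prefixed -tttt form, treats the port as a service name unless -n was used, and skips lines it does not understand. The sample lines are constructed for the example and modelled on the output shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not a real capture) in the two timestamp layouts
# tcpdump prints: the default HH:MM:SS.usec form and the -tttt form, which
# prefixes the date. The third line is an ARP line, which has no endpoints.
SAMPLE_LINES = [
    "10:58:05.656104 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: "
    "P 1210443473:1210443589(116) ack 2583117929 win 12864",
    "2012-06-06 11:14:59.539736 IP 10.71.171.140.22 > 10.70.121.95.1787: "
    "P 1:53(52) ack 1 win 7504",
    "11:22:26.948656 ARP who-has 10.10.1.30 tell 10.10.1.26",
]

# Timestamp (optionally date-prefixed), then the layer-3 keyword, then the rest.
LINE_RE = re.compile(
    r"^(?P<ts>(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<proto>IP6|IP|ARP) (?P<rest>.*)$"
)
# "src > dst: body" as printed for IP packets.
ENDPOINTS_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")
# "(N)" after the sequence range is the TCP payload length in bytes.
PAYLOAD_RE = re.compile(r"\((\d+)\)")


@dataclass
class Record:
    timestamp: str
    proto: str
    src_host: Optional[str] = None
    src_port: Optional[str] = None   # a service name (ssh) unless -n was used
    dst_host: Optional[str] = None
    dst_port: Optional[str] = None
    payload_len: Optional[int] = None


def split_endpoint(endpoint: str):
    """tcpdump prints host.port; the port is the text after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line: str) -> Optional[Record]:
    """Parse one tcpdump output line; returns None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = Record(timestamp=m.group("ts"), proto=m.group("proto"))
    if rec.proto == "ARP":
        return rec
    ep = ENDPOINTS_RE.match(m.group("rest"))
    if not ep:
        return None
    rec.src_host, rec.src_port = split_endpoint(ep.group("src"))
    rec.dst_host, rec.dst_port = split_endpoint(ep.group("dst"))
    plen = PAYLOAD_RE.search(ep.group("body"))
    rec.payload_len = int(plen.group(1)) if plen else None
    return rec


def bytes_by_source(lines: List[str]) -> Dict[str, int]:
    """Sum TCP payload bytes per source host: the quick triage a defender does
    on captured output to see which host is sending the most data."""
    totals: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec.src_host and rec.payload_len is not None:
            totals[rec.src_host] = totals.get(rec.src_host, 0) + rec.payload_len
    return totals


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(bytes_by_source(SAMPLE_LINES))
```

Feed it real output with `tcpdump -n -tttt -i eth0 | python3 parse_tcpdump.py` style piping (reading stdin instead of SAMPLE_LINES) and the totals give a first view of who is talking to whom; for anything beyond triage, save with -w and analyse the pcap instead, since the text form loses the packet bytes.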
7. Specify the protocol to capture
We can capture only packets of a given protocol; tcpdump supports specifying protocols such as ip, ip6, arp, tcp, udp and wlan. The following example captures only ARP packets:
    tcpdump -i eth0 arp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size bytes
    11:22:26.948656 ARP who-has 10.10.1.30 tell 10.10.1.26
    11:22:27.017406 ARP who-has 10.10.1.30 tell 10.10.1.26
    11:22:27.078803 ARP who-has 10.10.1.30 tell 10.10.1.26
8. Specify the port to capture
To capture packets for a particular port, use the following command:
    tcpdump -i eth0 port
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size bytes
    11:41:04.387547 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: . ack 1216136825 win 64751
    11:41:04.387891 IP 10.71.171.140.ssh > 10.70.121.92.autodesk-lm: P 1:233(232) ack 0 win 16080
    11:41:04.398973 IP 10.70.121.92.autodesk-lm > 10.71.171.140.ssh: P 0:52(52) ack 233 win 64519
9. Capturing packets for a specific destination IP and port
Every packet carries a source IP address and port and a destination IP address and port, so tcpdump can filter on the destination IP and port; the following command illustrates this (filter keywords are lower case):
    tcpdump -i eth0 dst 10.70.121.92 and port 22
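To show what -w actually writes, what -r reads back, and what the filter in section 9 matches, here is an added example that is not part of the original page or of tcpdump: it builds a small libpcap file from constructed Ethernet/IPv4/TCP frames (the hosts and ports are the ones shown on this page, the payload bytes and MAC addresses are made up and the checksums are left zero), reads it back record by record, and applies the same semantics as the BPF expression `dst host HOST and port PORT`. Note that `port 22` matches either endpoint while `dst host` matches only the destination, so only one direction of the SSH session is returned.

```python
import socket
import struct
from typing import Dict, Iterator, List, Optional

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for test data; checksums are left zero."""
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 12864, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(frames: List[bytes], ts_base: int = 1338951600) -> bytes:
    """Serialise frames as a libpcap file: a 24-byte global header, then a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_base, i * 1000, len(frame), len(frame)) + frame
    return out


def decode_tcp(frame: bytes) -> Optional[Dict]:
    """Pull addresses, ports and payload length out of an Ethernet/IPv4/TCP frame."""
    if len(frame) < 14 + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4 or frame[23] != IPPROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4               # IP header length
    (total_len,) = struct.unpack_from("!H", frame, 16)
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4  # TCP header length
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload_len": total_len - ihl - data_off}


def read_pcap(data: bytes) -> Iterator[Dict]:
    """Walk the records of a pcap file; rejects bad magic and truncated records."""
    if len(data) < 24:
        raise ValueError("not a pcap file: too short for the global header")
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file: bad magic number")
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only link type 1 (Ethernet) is handled here")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record body")
        off += incl_len
        pkt = decode_tcp(frame)
        if pkt:
            pkt["ts"] = f"{ts_sec}.{ts_usec:06d}"
            yield pkt


def matches_dst_host_and_port(pkt: Dict, host: str, port: int) -> bool:
    """Same semantics as the BPF expression 'dst host HOST and port PORT':
    'port' matches either endpoint, 'dst host' only the destination."""
    return pkt["dst"] == host and port in (pkt["sport"], pkt["dport"])


def filter_capture(data: bytes, host: str, port: int) -> List[Dict]:
    return [p for p in read_pcap(data) if matches_dst_host_and_port(p, host, port)]


def sample_capture() -> bytes:
    """Constructed three-packet capture: both directions of an SSH session
    between the two hosts from this page, plus one unrelated flow."""
    return write_pcap([
        build_tcp_frame("10.71.171.140", "10.70.121.92", 22, 1787, b"S" * 116),
        build_tcp_frame("10.70.121.92", "10.71.171.140", 1787, 22, b"C" * 52),
        build_tcp_frame("10.71.171.140", "10.70.121.92", 80, 40000, b"W" * 10),
    ])


if __name__ == "__main__":
    with open("example.pcap", "wb") as fh:   # readable with: tcpdump -r example.pcap
        fh.write(sample_capture())
    for pkt in filter_capture(sample_capture(), "10.70.121.92", 22):
        print(pkt)
```

The file the script writes opens in Wireshark or with `tcpdump -r example.pcap` like any -w capture. The truncation checks matter in practice: a capture cut short by a full disk or a killed process ends in a partial record, and a reader that silently stops there hides the fact that packets were lost.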
Reference: Packet Analyzer: 15 TCPDUMP Command Examples