1. Filter by host
----------------------------------------------------------------
- Capture all packets on eth1 whose source or destination address is 192.168.1.1
# tcpdump -i eth1 host 192.168.1.1
- Source address only
# tcpdump -i eth1 src host 192.168.1.1
- Destination address only
# tcpdump -i eth1 dst host 192.168.1.1
2. Filter by port
----------------------------------------------------------------
- Capture all packets on eth1 whose source or destination port is 25
# tcpdump -i eth1 port 25
- Source port only
# tcpdump -i eth1 src port 25
- Destination port only
# tcpdump -i eth1 dst port 25
3. Filter by network
----------------------------------------------------------------
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168
4. Filter by protocol
----------------------------------------------------------------
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp
5. Common expressions
----------------------------------------------------------------
Negation: ! or "not" (without the quotes)
And: && or "and"
Or: || or "or"
- Capture all TCP packets on eth1 whose destination port is 80 and whose destination address is 192.168.1.254 or 192.168.1.200
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
- Capture all ICMP packets on eth1 whose destination MAC address is 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
- Capture all TCP packets on eth1 whose destination network is 192.168 but whose destination host is not 192.168.1.200
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
6. Capture only SYN packets
----------------------------------------------------------------
# tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'
7. Capture SYN/ACK packets
----------------------------------------------------------------
# tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'
8. Capture SMTP data
----------------------------------------------------------------
# tcpdump -i eth1 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'
Captures segments whose data area starts with "MAIL"; the hex of "MAIL" is 0x4d41494c.
9. Capture HTTP GET data
----------------------------------------------------------------
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'
The hex of "GET " (including the trailing space) is 0x47455420.
10. Capture SSH banner replies
----------------------------------------------------------------
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482d'
The hex of "SSH-" is 0x5353482d.
# tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482d) and (tcp[((tcp[12]>>2)+4):2] = 0x312e)'
Captures the banner returned by old SSH versions, such as "SSH-1.99"; 0x312e is the hex of "1.".
11. Capture DNS request data
----------------------------------------------------------------
# tcpdump -i eth1 udp dst port 53
12. Capture GET packets on port 8000 in real time and write them to GET.log
----------------------------------------------------------------
# tcpdump -i eth0 '(port 8000) and (tcp[(tcp[12]>>2):4] = 0x47455420)' -nnAl -w /tmp/GET.log
-w writes raw pcap data, so read the file back with tcpdump -r /tmp/GET.log rather than a text viewer.
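To show what the byte-offset filters in sections 6 through 12 actually test, here is an added Python example (not from the original article) that builds constructed TCP segments and evaluates the same predicates: tcp[tcpflags] for SYN-only and SYN/ACK, and tcp[(tcp[12]>>2):4] for the first payload bytes. Function names such as build_tcp_segment and is_http_get are this example's own assumptions; one segment carries a TCP option so that the payload does not start at byte 20, which is exactly the case the tcp[12]>>2 computation exists for.

```python
import struct

# TCP flag bits, the same values tcpdump names tcp-fin, tcp-syn, ... inside tcp[tcpflags]
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_segment(sport, dport, flags, payload=b"", options=b""):
    """Constructed TCP segment (header + options + payload), no IP header (hypothetical helper)."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4,             # tcp[12]: data offset in the high nibble
                         flags, 65535, 0, 0)
    return header + options + payload

def tcp_field(seg, off, n):
    """tcp[off:n] as a big-endian integer; None when out of range, which BPF treats as no match."""
    if off + n > len(seg):
        return None
    return int.from_bytes(seg[off:off + n], "big")

def payload_offset(seg):
    # tcp[12]>>2: the offset is stored in 32-bit words in the high nibble, so (>>4)*4 == >>2.
    # This mirrors the filter exactly and therefore assumes the low reserved nibble is zero.
    return seg[12] >> 2

def is_syn_only(seg):
    return seg[13] == TH_SYN                          # tcp[tcpflags] = tcp-syn

def is_syn_ack(seg):
    f = seg[13]                                       # tcp[tcpflags] & tcp-syn != 0 and ... & tcp-ack != 0
    return f & TH_SYN != 0 and f & TH_ACK != 0

def payload_starts_with(seg, word):
    return tcp_field(seg, payload_offset(seg), 4) == word   # tcp[(tcp[12]>>2):4] = word

def is_http_get(seg):
    return payload_starts_with(seg, 0x47455420)       # "GET "

def is_smtp_mail(seg):
    return payload_starts_with(seg, 0x4d41494c)       # "MAIL"

def is_old_ssh_banner(seg):
    off = payload_offset(seg)                         # "SSH-" followed by "1."
    return tcp_field(seg, off, 4) == 0x5353482d and tcp_field(seg, off + 4, 2) == 0x312e

if __name__ == "__main__":
    # constructed GET carrying an MSS option, so the payload starts at byte 24 rather than 20
    get = build_tcp_segment(40000, 80, TH_PUSH | TH_ACK, b"GET / HTTP/1.1\r\n", b"\x02\x04\x05\xb4")
    print(payload_offset(get), is_http_get(get), tcp_field(get, 20, 4) == 0x47455420)
```

A fixed-offset filter such as tcp[20:4] would miss the GET in the segment with options, while tcp[(tcp[12]>>2):4] follows the real header length.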
Other
----------------------------------------------------------------
The -c option is also commonly used by operations staff: on a server with heavy traffic, stopping the capture by hand with Ctrl+C either comes too late or collects far too much, so -c tells tcpdump how many packets to capture before it exits on its own.
# time tcpdump -nn -i eth0 'tcp[tcpflags] = tcp-syn' -c 10000 > /dev/null
The command above measures how long it takes to capture 10,000 SYN packets, which gives a rough idea of the traffic level.
tcpdump: 12 practical packet-capture examples