The first type of keyword concerns the type and mainly includes host, net and port. For example, host 210.27.48.2 indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, and port 23 indicates that the port number is 23. If no type is specified, the default type is host.
The second type is the keywords that determine the transmission direction, including src, dst, dst or src, and dst and src. For example, src 210.27.48.2 indicates that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, src or dst is used by default.
The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp and other types. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias of ether. Since fddi and ether have similar source and destination addresses, an fddi packet can be processed and analyzed in the same way as an ether packet. The other keywords indicate the protocol of the packets to listen for. If no protocol is specified, tcpdump listens to the packets of all protocols.
In addition to these three types of keywords, other important keywords include gateway, broadcast, less and greater, and there are three logical operations: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined to form powerful compound conditions. The following are several examples.
Under normal circumstances, starting tcpdump directly will monitor all the packets flowing through the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff
0452 ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
00, 0000
Use the -i parameter to specify the network interface that tcpdump listens on, which is useful when the computer has multiple network interfaces.
Use the -c parameter to specify the number of packets to capture.
Use the -w parameter to write the captured packets to a file and save them.
A. To intercept all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
B. To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (when using parentheses on the command line, be sure
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
C. To obtain the IP packets exchanged between host 210.27.48.1 and all hosts except 210.27.48.2, run the following command:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D. To obtain the telnet packets received or sent by host 210.27.48.1, run the following command:
# tcpdump tcp port 23 and host 210.27.48.1
E. To monitor UDP port 123 on the local machine (port 123 is the NTP service port):
# tcpdump udp port 123
F. To monitor only the packets of the host named hostname. The host name can be the local host or any computer on the network. The following command captures all data sent by host hostname:
# tcpdump -i eth0 src host hostname
G. The following command monitors all packets sent to host hostname:
# tcpdump -i eth0 dst host hostname
H. We can also monitor the packets passing through a specified gateway:
# tcpdump -i eth0 gateway Gatewayname
I. To monitor the TCP or UDP packets destined for a specified port of a host, run the following command:
# tcpdump -i eth0 host hostname and port 80
If we only want to see the packets sent to port 80, use dst port; if we only want to see the packets returned from port 80, use src port.
# tcpdump -i eth0 host hostname and dst port 80
(the destination port is 80)
or
# tcpdump -i eth0 host hostname and src port 80
(the source port is 80; generally this is the host that provides the HTTP service)
If there are several conditions, join them with and, or and not:
# tcpdump -i eth0 not host 211.161.223.70 and not host 211.161.223.71 and dst port 80
When the Ethernet interface is put into promiscuous mode, the system log records it:
May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
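Kernel messages like the ones above are also useful on the defensive side: an interface entering promiscuous mode when no capture is expected is a classic sign of an unauthorized sniffer. The following parser is an added example (not from the original page); it pairs the entered/left events per interface and reports how long each interface stayed in promiscuous mode, with the year assumed because classic syslog timestamps omit it. The log lines are constructed, the first two mirroring the ones quoted above.

```python
import re
from datetime import datetime

# Generic kernel message "device <if> entered|left promiscuous mode"; the driver's own
# "Promiscuous mode enabled." line carries no extra information and is skipped.
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: device (?P<dev>\S+) "
    r"(?P<state>entered|left) promiscuous mode$"
)

def parse_ts(ts, year=2024):
    """Classic syslog timestamps have no year, so one is assumed (parameter)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def promiscuous_sessions(lines, year=2024):
    """Pair 'entered'/'left' events per interface.
    Returns (closed, open): closed is a list of (dev, entered, left, seconds);
    open maps dev -> entered time for interfaces still in promiscuous mode."""
    open_since, closed = {}, []
    for line in lines:
        m = PROMISC_RE.match(line.strip())
        if not m:
            continue
        dev, t = m.group("dev"), parse_ts(m.group("ts"), year)
        if m.group("state") == "entered":
            open_since[dev] = t
        elif dev in open_since:  # a 'left' without a prior 'entered' is ignored
            start = open_since.pop(dev)
            closed.append((dev, start, t, (t - start).total_seconds()))
    return closed, open_since

# Constructed sample log in the same format as the lines quoted above.
SAMPLE_LOG = """\
May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
May 7 22:15:01 localhost kernel: device eth1 entered promiscuous mode
""".splitlines()

if __name__ == "__main__":
    closed, still_open = promiscuous_sessions(SAMPLE_LOG)
    for dev, start, end, secs in closed:
        print(f"{dev}: promiscuous for {secs:.0f}s ({start:%H:%M:%S} - {end:%H:%M:%S})")
    for dev, start in still_open.items():
        print(f"{dev}: still in promiscuous mode since {start:%b %d %H:%M:%S}")
```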
tcpdump does not fully decode the captured data; most of the packet content is printed in hexadecimal, which obviously does not help with analyzing network faults. The usual solution is to first capture with tcpdump's -w parameter and save the data to a file, and then decode and analyze it with another program. Of course, filter rules should also be defined so that the captured packets do not fill the entire hard disk.
----------------------------------------
tcpdump only shows packets once an IP connection is established.
For example, the packets captured by tcpdump when connecting to QQ are as follows:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:18:02.483241 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 325 (the company router's broadcast message)
09:18:02.483777 IP liuxiaoqin-desktop.o.bj.ebupt.net.53545 > ns1.o.bj.ebupt.net.domain: 39614+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:18:02.484297 IP ns1.o.bj.ebupt.net.domain > liuxiaoqin-desktop.o.bj.ebupt.net.53545: 39614 NXDomain 0/1/0 (103)
09:18:02.584774 IP liuxiaoqin-desktop.o.bj.ebupt.net.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 250.255.255.239.in-addr.arpa. (46)
09:18:02.593275 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 334
09:18:02.630281 IP6 fe80::1c81:256a:7a4a:3c46.50070 > ff02::c.1900: UDP, length 146
09:18:02.703275 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 334
09:18:02.793924 STP 802.1d, Config, Flags [none], bridge-id 8387.00:22:91:b6:19:00.800e, length 43
09:18:02.813302 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 389 (the connection to QQ is UDP)
09:18:02.888154 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 325
09:18:02.923311 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 389
09:18:02.996816 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 325
09:18:03.033866 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 399
09:18:03.106807 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 334
09:18:03.132911 IP yujie-PC.o.bj.ebupt.net.62573 > 234.34.23.234.33674: UDP, length 20
(yujie-PC sends a corresponding packet in reply to the multicast messages; perhaps that machine has just been started?)
09:18:03.143352 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 399
09:18:03.216819 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 334
09:18:03.326853 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 389
09:18:03.436878 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 389
09:18:03.463298 ARP, Reply 192.168.0.1 is-at 00:b0:0c:25:36:10 (oui Unknown), length 46
09:18:03.547384 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 399
09:18:03.585976 IP liuxiaoqin-desktop.o.bj.ebupt.net.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 250.255.255.239.in-addr.arpa. (46)
09:18:03.656898 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 399
09:18:04.356930 ARP, Reply 192.168.0.1 is-at 00:b0:0c:25:1c:b8 (oui Unknown), length 46
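A capture like the one above is easier to read once the one-line summaries are grouped by endpoint, which makes the router's repeated multicast traffic stand out from the few genuinely interesting packets. The following parser for tcpdump's default one-line IPv4 output is an added example (not from the original page); the sample lines are constructed in the same format as the capture above, with illustrative hostnames, and non-IPv4 lines (ARP, STP, IP6, DNS query text) are deliberately skipped.

```python
import re
from collections import Counter
# tcpdump's default one-line summary for IPv4 traffic looks like
#   09:18:02.483241 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 325
# Host and port are joined by '.', so the port is the last dotted field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<proto>\w+), length (?P<len>\d+)"
)

def split_endpoint(endpoint):
    """'192.168.0.1.32769' -> ('192.168.0.1', 32769); named ports such as 'domain' stay as text."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else port)

def parse_line(line):
    """Parse one summary line; ARP, STP, IP6 and DNS query lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    return {"ts": m.group("ts"), "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": m.group("proto"), "len": int(m.group("len"))}

def summarize(lines):
    """Return {(src, dst, dport, proto): (packet count, total bytes)} for parsable lines."""
    pkts, total = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = (rec["src"], rec["dst"], rec["dport"], rec["proto"])
            pkts[key] += 1
            total[key] += rec["len"]
    return {k: (pkts[k], total[k]) for k in pkts}

# Constructed sample in the same format as the capture above (hostnames are illustrative).
SAMPLE = """\
09:18:02.483241 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 325
09:18:02.593275 IP 192.168.0.1.32769 > 239.255.255.250.1900: UDP, length 334
09:18:02.793924 STP 802.1d, Config, Flags [none], bridge-id 8387.00:22:91:b6:19:00.800e, length 43
09:18:03.132911 IP yujie-PC.example.net.62573 > 234.34.23.234.33674: UDP, length 20
09:18:03.463298 ARP, Reply 192.168.0.1 is-at 00:b0:0c:25:36:10 (oui Unknown), length 46
""".splitlines()

if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1][0])
    for (src, dst, dport, proto), (n, nbytes) in rows:
        print(f"{src} -> {dst}:{dport} {proto}: {n} packets, {nbytes} bytes")
```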