Using tcpdump for packet capture and wireshark analysis in Linux
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞
Recently, when learning the NIC driver, we need to capture the situations where the Nic sends and receives data. so we found the tcpdump and wireshark tools, which are used to capture data, wireshark is used to analyze the captured data. the usage is recorded below: Tcpdump usage method (1) first, key words about the type mainly include host, net recently, when learning the NIC driver, you need to capture the situation where the Nic sends and receives data.
TcpdumpAnd wireshark tools,
TcpdumpIt is used to capture data, and wireshark is used to analyze the captured data. the usage is recorded below:
(1) The first type of keywords mainly include host, net, port
For example, host 18.104.22.168 indicates that 22.214.171.124 is a host, net 126.96.36.199 indicates that 188.8.131.52 is a network address, and port 23 indicates that the port number is 23. If no type is specified, the default type is host.
(2) The second keyword mainly includes src, dst, dst or src, dst andsrc.
These keywords indicate the transmission direction. for example, src 184.108.40.206 indicates that the source address in the IP package is 220.127.116.11, and dst net18.104.22.168 indicates that the destination network address is 22.214.171.124. If no direction keyword is specified, the src or dst keyword is used by default.
(3) The third is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types.
Fddi indicates a specific network protocol on FDDI (distributed optical fiber data interface network). In fact, it is an alias of "ether". fddi and ether have similar source and destination addresses, therefore, the fddi protocol package can be processed and analyzed as the ether package. The other keywords indicate the protocol content of the listener package. If no protocol is specified, tcpdump listens to the information packages of all protocols.
In addition to these three types of keywords, other important keywords include gateway, broadcast, less, greater, and three logical operations. The non-calculation is 'not ','! ', And the operation is 'and',' & '; or the operation is 'or',' │ '; these keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples. Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
A. tcpdump? I eth0? C 10
Use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces,
Use the-c parameter to specify the number of data packets to be monitored,
Use the-w parameter to specify to write the listening data packet to the file and save it
B. to intercept communication between host 172.16.14.107 and host 172.16.14.27 or 172.16.14.99, run the following command: (when using parentheses in the command line, use '\'
Tcpdump host 172.16.14.107 and \ (172.16.14.27or172.16.14.99 \)
C. If you want to obtain an IP packet for all hosts except 172.16.14.107 and 172.16.14.27, run the following command:
Tcpdump ip host 172.16.14.107 and! 172.16.14.27
D. to obtain the telnet packet received or sent by the host 172.16.14.107, run the following command:
Tcpdump tcp port 23 host 172.16.14.ee. monitor the udp port 123 of the local machine (123 is the ntp service port)
Tcpdump udp port123F. The system only monitors the communication data packets of the host named hostname. The host name can be a local host or any computer on the network. The following command reads all data sent by the host hostname:
Tcpdump-I eth0 src hosthostnameG. the following command can monitor all data packets sent to the host hostname:
Tcpdump-I eth0 dst host hostname # src indicates the source, that is, sending
# Dst indicates the destination, that is, receiving
H. we can also monitor data packets through the specified Gateway:
Tcpdump-I eth0 gateway Gatewayname
I. If you want to monitor the TCP or UDP data packets destined for the specified port, run the following command:
Tcpdump-I eth0 host hostname and port80J. to obtain the telnet packet received or sent by the host 172.16.14.107, run the following command:
Tcpdump tcp port 23 host 172.16.14.20.k. if we only need to list the data packets sent to port 80, use dst port 80. if we only want to see the data packets returned to port 80, use srcport 80.
Tcpdump? I eth0 host hostname and dst port 80 the destination port is 80
Tcpdump? I eth0 host hostname and src port 80 source port is 80
Port 80 is generally a host that provides http services.
Tcpdump output format
The overall output format is: System time source host. Port> target host. Port data packet parameter
If you want to use wireshark to analyze data:
Tcpdump-I eth0-c 100-s 0-w/home/data. pcap
Use wireshark/home/data. pcap directly
This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or
reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or
complaint, to firstname.lastname@example.org. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
and provide relevant evidence. A staff member will contact you within 5 working days.