Using tcpdump for packet capture and wireshark analysis in Linux

Source: Internet
Author: User
Recently, when learning the NIC driver, we need to capture the situations where the Nic sends and receives data. so we found the tcpdump and wireshark tools, which are used to capture data, wireshark is used to analyze the captured data. the usage is recorded below: Tcpdump usage method (1) first, key words about the type mainly include host, net recently, when learning the NIC driver, you need to capture the situation where the Nic sends and receives data. TcpdumpAnd wireshark tools, TcpdumpIt is used to capture data, and wireshark is used to analyze the captured data. the usage is recorded below:
Tcpdump usage
(1) The first type of keywords mainly include host, net, port
For example, host 210.27.48.2 indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, and port 23 indicates that the port number is 23. If no type is specified, the default type is host.
(2) The second keyword mainly includes src, dst, dst or src, dst andsrc.
These keywords indicate the transmission direction. for example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, and dst net202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the src or dst keyword is used by default.
(3) The third is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types.
Fddi indicates a specific network protocol on FDDI (distributed optical fiber data interface network). In fact, it is an alias of "ether". fddi and ether have similar source and destination addresses, therefore, the fddi protocol package can be processed and analyzed as the ether package. The other keywords indicate the protocol content of the listener package. If no protocol is specified, tcpdump listens to the information packages of all protocols.
 
In addition to these three types of keywords, other important keywords include gateway, broadcast, less, greater, and three logical operations. The non-calculation is 'not ','! ', And the operation is 'and',' & '; or the operation is 'or',' │ '; these keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples. Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
 
A. tcpdump? I eth0? C 10
Use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces,
Use the-c parameter to specify the number of data packets to be monitored,
Use the-w parameter to specify to write the listening data packet to the file and save it
B. to intercept communication between host 172.16.14.107 and host 172.16.14.27 or 172.16.14.99, run the following command: (when using parentheses in the command line, use '\'
Tcpdump host 172.16.14.107 and \ (172.16.14.27or172.16.14.99 \)
C. If you want to obtain an IP packet for all hosts except 172.16.14.107 and 172.16.14.27, run the following command:
Tcpdump ip host 172.16.14.107 and! 172.16.14.27
D. to obtain the telnet packet received or sent by the host 172.16.14.107, run the following command:
Tcpdump tcp port 23 host 172.16.14.ee. monitor the udp port 123 of the local machine (123 is the ntp service port)
Tcpdump udp port123F. The system only monitors the communication data packets of the host named hostname. The host name can be a local host or any computer on the network. The following command reads all data sent by the host hostname:
Tcpdump-I eth0 src hosthostnameG. the following command can monitor all data packets sent to the host hostname:
Tcpdump-I eth0 dst host hostname # src indicates the source, that is, sending
# Dst indicates the destination, that is, receiving
H. we can also monitor data packets through the specified Gateway:
Tcpdump-I eth0 gateway Gatewayname
I. If you want to monitor the TCP or UDP data packets destined for the specified port, run the following command:
Tcpdump-I eth0 host hostname and port80J. to obtain the telnet packet received or sent by the host 172.16.14.107, run the following command:
Tcpdump tcp port 23 host 172.16.14.20.k. if we only need to list the data packets sent to port 80, use dst port 80. if we only want to see the data packets returned to port 80, use srcport 80.
Tcpdump? I eth0 host hostname and dst port 80 the destination port is 80
Or
Tcpdump? I eth0 host hostname and src port 80 source port is 80
Port 80 is generally a host that provides http services.
 
Tcpdump output format
The overall output format is: System time source host. Port> target host. Port data packet parameter
 
If you want to use wireshark to analyze data:
Tcpdump-I eth0-c 100-s 0-w/home/data. pcap
Use wireshark/home/data. pcap directly

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.