How to use the tcpdump command in Linux

2025-01-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to use the tcpdump command in Linux. The editor thinks it is very practical, so it is shared here as a reference; follow along and have a look.

tcpdump, a common Linux command, is a packet capture and sniffer tool. It can print the header information of every packet passing through a network interface, and with the -w option it can save the captured packets to a file for later analysis.

Syntax: tcpdump [options] [expression]

Options:

-a: attempt to convert network and broadcast addresses to names
-c: stop after receiving the specified number of packets
-d: dump the compiled packet-matching code in a human-readable form to standard output and stop
-dd: dump the compiled packet-matching code as a C program fragment to standard output
-ddd: dump the compiled packet-matching code as decimal numbers to standard output
-e: print the link-level header on each dump line
-f: print foreign Internet addresses numerically rather than as names
-F: read the filter expression from the specified file
-i: listen on the specified network interface
-l: line-buffer standard output
-n: do not convert host addresses to names
-N: do not print the domain name qualification of host names
-O: do not run the packet-matching code optimizer
-p: do not put the network interface into promiscuous mode
-q: quick output; print only a small amount of protocol information
-r: read packet data from the specified file
-s: set the number of bytes captured from each packet (the snapshot length)
-S: print absolute rather than relative TCP sequence numbers
-t: do not print a timestamp on each dump line
-tt: print an unformatted timestamp on each dump line
-T: force packets selected by the expression to be interpreted as the specified packet type
-v: verbose output
-vv: even more verbose output
-x: print the packet data in hexadecimal
-w: write the raw packet data to the specified file

Examples

If tcpdump is started with no arguments, it monitors all packets passing through the first network interface.

Monitor packets on a specified network interface

tcpdump -i eth2

If no network interface is specified, tcpdump by default monitors only the first network interface, usually eth0. The following examples do not specify a network interface.

Monitor packets for specified hosts

Print all packets entering or leaving sundown:

tcpdump host sundown

An IP address can also be specified, for example to capture all packets received and sent by host 210.27.48.1:

tcpdump host 210.27.48.1

Print packets exchanged between helios and either hot or ace:

tcpdump host helios and \(hot or ace\)

Capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3:

tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

Print IP packets exchanged between ace and any other host, excluding packets involving helios:

tcpdump ip host ace and not helios

To get the IP packets exchanged between host 210.27.48.1 and all hosts except host 210.27.48.2, use the command:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

To capture packets on the eth0 network card, use:

sudo tcpdump -i eth0

Capture all packets sent by the host hostname:

tcpdump -i eth0 src host hostname

Monitor all packets sent to the host hostname:

tcpdump -i eth0 dst host hostname

Monitor packets for specified hosts and ports

To capture the telnet packets received or sent by host 210.27.48.1, use the following command:

tcpdump tcp port 23 and host 210.27.48.1

Monitor the local UDP port 123 (the NTP service port):

tcpdump udp port 123

Monitor packets for a specified network

Print all packets exchanged between the local host and hosts on the Berkeley network:

tcpdump net ucb-ether

Here ucb-ether can be understood as the network address of the "Berkeley network"; literally, the expression means: print all packets whose network address is ucb-ether.

Print all ftp packets that pass through the gateway snup:

tcpdump 'gateway snup and (port ftp or ftp-data)'

Note: the expression is enclosed in single quotes, which prevents the shell from misinterpreting the parentheses in it.
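The following script is an added example, not code from the original article. It puts the option list and the quoting note above into practice: it composes a "host A and (B or C)" expression from a list of hosts, single-quotes it so the shell never sees the parentheses, builds a capture command that writes raw packets to a file with -w and stops after -c packets, and optionally compiles the filter with -d before a long capture starts. The function names (build_host_filter, shell_quote, build_capture_cmd, check_filter) are this example's own; -nn is the standard tcpdump spelling of "no host and no port name resolution".

```shell
#!/bin/sh
# Added example (not from the original article): build a tcpdump capture
# command from parts, quoting the filter expression so the shell does not
# interpret its parentheses, and write the capture to a file with -w.
# Function names are this example's own assumptions.

# Compose "host A and (B or C)" from a primary host and a list of peers.
# Output is the raw filter expression, without any shell quoting.
build_host_filter() {
    primary=$1; shift
    peers=""
    for p in "$@"; do
        if [ -z "$peers" ]; then peers=$p; else peers="$peers or $p"; fi
    done
    if [ -z "$peers" ]; then
        printf 'host %s' "$primary"
    else
        printf 'host %s and (%s)' "$primary" "$peers"
    fi
}

# Wrap a string in single quotes for the shell. A single quote inside the
# string is closed, escaped and reopened ('\'') so the result stays one word.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the full capture command line as a string:
#   -i IFACE   capture on this interface
#   -nn        no name resolution for hosts or ports (no DNS lookups)
#   -s 0       full snapshot length so packets are not truncated
#   -c COUNT   stop after COUNT packets
#   -w FILE    write raw packets to FILE for later analysis with -r
build_capture_cmd() {
    iface=$1; count=$2; outfile=$3; filter=$4
    # Interface names: letters, digits, dot, dash, underscore only.
    case $iface in
        *[!A-Za-z0-9._-]*|"") echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    printf 'tcpdump -i %s -nn -s 0 -c %s -w %s %s' \
        "$iface" "$count" "$(shell_quote "$outfile")" "$(shell_quote "$filter")"
}

# Compile the filter with -d (no capture) to catch syntax errors before a
# long-running capture starts. Note that -d may still need capture privileges
# on some tcpdump versions. Returns 0 when tcpdump is not installed so the
# check is skipped rather than failing on machines without it.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found, skipping check" >&2; return 0; }
    tcpdump -d "$1" >/dev/null 2>&1
}

if [ "${1-}" = "--demo" ]; then
    f=$(build_host_filter 210.27.48.1 210.27.48.2 210.27.48.3)
    check_filter "$f" || { echo "filter rejected: $f" >&2; exit 1; }
    build_capture_cmd eth0 100 /tmp/capture.pcap "$f"; echo
fi
```

Running the script with --demo prints the command line it would execute; the interface check rejects anything containing spaces or shell metacharacters, which matters when the interface name comes from a variable rather than being typed by hand.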

Print all IP packets whose source or destination address is the local host:

tcpdump ip and not net localnet

If the local network is connected to another network through a gateway, the other network does not count as the local network.
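Once a capture has been saved with -w, the text that tcpdump -nn -r prints can be summarised with ordinary shell tools. The script below is an added example, not part of the original article: it reads tcpdump -nn output on standard input, counts pure SYNs (Flags [S], not the SYN-ACK [S.]) per source host and destination port, lists sources that probed many distinct ports, and lists sources that tried to open a telnet connection, matching the "tcp port 23" example above. The sample lines are constructed for the example and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise `tcpdump -nn`
# text output, for instance from `tcpdump -nn -r capture.pcap`, to see which
# sources opened TCP connections to which ports. Function names are assumed.

# Constructed sample of tcpdump -nn output (not a real capture). Each TCP
# line has the form: time IP src.port > dst.port: Flags [..], ...
SAMPLE='12:00:01.000001 IP 10.0.0.5.51234 > 192.168.1.10.23: Flags [S], seq 100, win 64240, length 0
12:00:01.000200 IP 192.168.1.10.23 > 10.0.0.5.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000300 IP 10.0.0.5.51234 > 192.168.1.10.23: Flags [.], ack 201, win 502, length 0
12:00:02.000001 IP 10.0.0.7.40001 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000002 IP 10.0.0.7.40002 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
12:00:02.000003 IP 10.0.0.7.40003 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000004 IP 10.0.0.7.40004 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
12:00:03.000001 IP 10.0.0.9.123 > 192.168.1.10.123: UDP, length 48'

# Count pure SYNs (Flags [S], not the SYN-ACK [S.]) per source host and
# destination port. Reads tcpdump text on stdin, prints "src dport count".
syn_by_source() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        src = $3; sub(/\.[0-9]+$/, "", src)      # drop the source port
        dst = $5; sub(/:$/, "", dst)             # drop the trailing colon
        n = split(dst, part, "."); dport = part[n]
        count[src " " dport]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Sources that sent SYNs to at least MIN distinct destination ports, a simple
# indicator of port scanning. Prints "src distinct_ports".
port_scan_sources() {
    awk -v min="$1" '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        src = $3; sub(/\.[0-9]+$/, "", src)
        dst = $5; sub(/:$/, "", dst)
        n = split(dst, part, "."); dport = part[n]
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | LC_ALL=C sort
}

# Sources that tried to open a telnet (port 23) connection, matching the
# "tcp port 23" example above.
telnet_sources() {
    syn_by_source | awk '$2 == 23 { print $1 }'
}

if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | syn_by_source
    printf '%s\n' "$SAMPLE" | port_scan_sources 3
    printf '%s\n' "$SAMPLE" | telnet_sources
fi
```

With -nn in the capture, addresses and ports stay numeric, so the field positions the awk programs rely on are stable; with name resolution enabled the same lines would carry host and service names instead.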

Capture the HTTP packets on port 80 and display them as text:

sudo tcpdump -i any port 80 -A

Thank you for reading! This is the end of the article on "how to use the tcpdump command in Linux". I hope the above content is of some help to you and lets you learn more. If you think the article is good, share it so that more people can see it!
