
How to use the package grabbing tool tcpdump and the package analysis tool wireshark under Linux

2025-04-02 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use tcpdump, a packet capture tool for Linux, and wireshark, a packet analysis tool. The content is of high quality, so the editor shares it here for reference; I hope you will have a good understanding of the relevant material after reading it.

Recently, while studying a NIC driver, I needed to capture the data the NIC sends and receives, so I found two tools: tcpdump and wireshark. tcpdump captures the data and wireshark analyzes the captured data. The usage is recorded below:

How to use Tcpdump

(1) The first group is the type keywords, which mainly include host, net and port.

For example, host 210.27.48.2 indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, and port 23 indicates that the port number is 23. If no type is specified, the default type is host.

(2) The second group is the keywords that determine the direction of transmission, mainly src, dst, dst or src, and dst and src.

These keywords indicate the direction of transmission. For example, src 210.27.48.2 indicates that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the default is src or dst.

(3) The third group is the protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on.

fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface); in fact it is an alias for ether. fddi and ether have similar source and destination addresses, so fddi protocol packets can be processed and analyzed as ether packets. The other keywords indicate the protocol of the packets to listen for. If no protocol is specified, tcpdump listens for packets of all protocols.

In addition to these three groups of keywords, other important keywords are gateway, broadcast, less and greater. There are also three logical operators: negation is written not or !, conjunction is and or &&, and disjunction is or or ||. These keywords can be combined into powerful filter conditions; a few examples follow. By default, running tcpdump with no arguments monitors all packets flowing through the first network interface.

a. tcpdump -i eth0 -c 10

Use the -i parameter to specify the network interface tcpdump monitors; this is useful when the computer has multiple network interfaces.

Use the -c parameter to specify the number of packets to capture.

Use the -w parameter to write the captured packets to a file.

b. To capture communication between host 172.16.14.107 and host 172.16.14.27 or 172.16.14.99, use the following command (be sure to escape the parentheses with '\' on the command line):

tcpdump host 172.16.14.107 and \( 172.16.14.27 or 172.16.14.99 \)

c. To capture the IP packets exchanged between host 172.16.14.107 and all hosts except host 172.16.14.27, use the command:

tcpdump ip host 172.16.14.107 and ! 172.16.14.27

d. To capture the telnet packets received or sent by host 172.16.14.107, use the following command (the primitives must be joined with and):

tcpdump tcp port 23 and host 172.16.14.107

e. Monitor the local UDP port 123 (123 is the NTP service port):

tcpdump udp port 123

f. tcpdump can also monitor only the packets of the host named hostname, which can be the local host or any computer on the network. The following command reads all data sent by host hostname:

tcpdump -i eth0 src host hostname

g. The following command monitors all packets sent to host hostname:

tcpdump -i eth0 dst host hostname

# src indicates the source, that is, the sending side

# dst indicates the destination, that is, the receiving side

h. Packets passing through a specified gateway can also be monitored:

tcpdump -i eth0 gateway Gatewayname

i. To monitor TCP or UDP packets addressed to a specified port of host hostname, run:

tcpdump -i eth0 host hostname and port 80


k. To list only the packets sent to port 80, use dst port 80; to see only the packets returning from port 80, use src port 80.

tcpdump -i eth0 host hostname and dst port 80 (destination port is 80)

or

tcpdump -i eth0 host hostname and src port 80 (source port is 80)

Port 80 is generally the port on which a host provides HTTP service.
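To see how the type, direction and protocol keywords and the and/or/not operators combine, here is an added example (not code from the article or from libpcap) that compiles a filter expression in this syntax into a predicate over packet records; the record fields (src, dst, proto, srcport, dstport), the sample packets and the function names are assumptions constructed for the example.

```python
# Added example (not the article's or libpcap's code): compile a tcpdump-style filter into a predicate.
import ipaddress, re
TOKEN = re.compile(r"\(|\)|!|&&|\|\||[\w./]+")
PROTO = {"ip": ("tcp", "udp"), "tcp": ("tcp",), "udp": ("udp",)}  # "ip" covers any IP packet
def compile_filter(text):
    toks = TOKEN.findall(text) + [None]  # trailing None marks end of input
    peek, take = lambda: toks[0], lambda: toks.pop(0)
    def binop(ops, sub, comb):  # left-associative loop shared by "or" and "and"
        f = sub()
        while peek() in ops:
            take()
            f = comb(f, sub())
        return f
    expr = lambda: binop(("or", "||"), term, lambda a, b: lambda p: a(p) or b(p))     # expr := term (or term)*
    term = lambda: binop(("and", "&&"), factor, lambda a, b: lambda p: a(p) and b(p))  # term := factor (and factor)*
    def factor():  # factor := not factor | ( expr ) | primitive
        if peek() in ("not", "!"):
            take()
            return (lambda g: lambda p: not g(p))(factor())
        if peek() == "(":
            take()
            g = expr()
            if take() != ")": raise SyntaxError("missing )")
            return g
        return primitive()
    def primitive():  # primitive := [ip|tcp|udp] [src|dst] [host|net|port] value
        proto = PROTO[take()] if peek() in PROTO else None
        dirs = (take(),) if peek() in ("src", "dst") else ("src", "dst")  # default direction: src or dst
        kind = take() if peek() in ("host", "net", "port") else "host"    # default type: host
        if peek() in (None, "and", "&&", "or", "||", ")"):  # bare protocol keyword such as "tcp"
            if proto is None: raise SyntaxError("qualifier without a value")
            return lambda p: p["proto"] in proto
        val = take()
        test = lambda p, d: p[d] == val  # host: exact address match on the src or dst field
        if kind == "port":
            test = lambda p, d: p[d + "port"] == int(val)
        elif kind == "net":  # a dotted quad without a mask is /32, as in libpcap; write 202.0.0.0/8 for a range
            test = lambda p, d, n=ipaddress.ip_network(val, strict=False): ipaddress.ip_address(p[d]) in n
        return lambda p: (proto is None or p["proto"] in proto) and any(test(p, d) for d in dirs)
    fn = expr()
    if peek() is not None: raise SyntaxError("unexpected token " + peek())
    return fn
PACKETS = [  # constructed sample records, not a real capture
    dict(src="172.16.14.107", dst="172.16.14.27", proto="tcp", srcport=40001, dstport=23),
    dict(src="172.16.14.99", dst="172.16.14.107", proto="tcp", srcport=80, dstport=51000),
    dict(src="172.16.14.107", dst="202.0.5.9", proto="udp", srcport=123, dstport=123),
]
def match(expr, packets=PACKETS):  # indexes of the packets the filter selects
    f = compile_filter(expr)
    return [i for i, p in enumerate(packets) if f(p)]
```

Running match with the filters from examples b to e above shows the semantics: host with no direction matches either side, ! negates only the primitive that follows it, and net with a full dotted quad and no mask matches a single address.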

Tcpdump output format

The overall output format is: system time, source host.port > destination host.port, packet parameters.
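As an added example (not from the article), the following parses lines in this output format into records and counts packets per destination port; the sample lines are constructed in the shape of tcpdump's default text output and are not from a real capture, and the function names are assumptions.

```python
# Added example, not code from the article: parse tcpdump's one-line text output
# (time, source host.port > destination host.port, then the packet parameters) into records.
import re
from collections import Counter

# host.port is split on the last dot, because the host itself is usually a dotted IPv4 address.
LINE = re.compile(r"^(?P<time>\S+) (?:IP6? )?(?P<src>\S+)\.(?P<sport>\w+) > "
                  r"(?P<dst>\S+)\.(?P<dport>\w+): (?P<params>.*)$")

def parse_line(line):
    """Return a dict with time/src/sport/dst/dport/params, or None for a non-IP line such as ARP."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def count_by_dport(lines):
    """Count packets per destination port: a quick view of which services a capture talks to."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["dport"]] += 1
    return counts

# Constructed sample lines in the shape of tcpdump's default output; not from a real capture.
SAMPLE = """\
10:21:03.100345 IP 172.16.14.107.40001 > 172.16.14.27.telnet: Flags [S], seq 1, win 64240, length 0
10:21:03.100512 IP 172.16.14.27.telnet > 172.16.14.107.40001: Flags [S.], seq 2, ack 2, win 65160, length 0
10:21:04.000001 IP 172.16.14.107.123 > 202.0.5.9.123: NTPv4, Client, length 48
10:21:04.500000 ARP, Request who-has 172.16.14.1 tell 172.16.14.107, length 28
""".splitlines()
```

Without -n, tcpdump prints service and host names instead of numbers, which is why the first two lines show telnet rather than 23.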

To analyze the data with wireshark, capture it to a file first:

tcpdump -i eth0 -c 100 -s 0 -w /home/data.pcap

Then open the file directly with: wireshark /home/data.pcap

That is all on how to use the packet capture tool tcpdump and the packet analysis tool wireshark under Linux. I hope the above content is of some help and lets you learn more. If you think the article is good, share it so more people can see it.
