2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
What are the packet capture commands in Linux? Many newcomers are not clear on this, so the following explains them in detail. Anyone who needs this can read on; I hope you gain something from it.
What is the Linux system? Linux is a free-to-use and freely distributed UNIX-like operating system. It is a POSIX-based multi-user, multi-task, multi-threaded and multi-CPU operating system, and it can run the major Unix tools, applications and network protocols.
The tcpdump command is a command-line packet sniffing tool for UNIX-like systems that captures the packets passing through a network interface.
As the name implies, tcpdump can capture the "headers" of packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides and, or, not and other logical operators to help you discard useless information. With its powerful functionality and flexible capture strategy, tcpdump has become the preferred tool for network analysis and troubleshooting on UNIX-like systems.
Examples of practical commands:
(1). Start by default
# By default, running tcpdump with no arguments monitors all packets flowing through the first network interface.
[root@localhost ~]# tcpdump
(2). Monitor packets on a specified network interface
[root@localhost]# tcpdump -i eth0 -c 10
(3). Monitor packets of a specified host
[root@localhost]# tcpdump -i eth0 host 10.20.3.25
(4). Capture all packets sent by host 10.20.3.25
[root@localhost]# tcpdump -i eth0 src host 10.20.3.25
(5). Monitor all packets sent to host 10.20.3.25
[root@localhost]# tcpdump -i eth0 dst host 10.20.3.25
(6). Monitor packets for a specified host and port
[root@localhost]# tcpdump tcp port 22 and host 10.20.3.25
(7). Monitor packets on a specified network, for example those exchanged with the 10.20.3 network segment. "-c 10" means that only 10 packets are captured.
[root@localhost]# tcpdump -c 10 net 10.20.3
(8). Capture ping packets
[root@localhost]# tcpdump -c 5 -nn -i eth0 icmp
(9). Parsing packet data
[root@localhost]# tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:22:22.334383 IP (tos 0x0, ttl 63, id 26834, offset 0, flags [DF], proto TCP (6), length 40)
    10.20.3.25.60401 > 10.20.9.131.22: tcp 0
	0x0000:  0050 5685 2ba8 0074 9c0f c748 0800 4500  .PV.+..t...H..E.
	0x0010:  0028 68d2 4000 3f06 b23a 0a14 0319 0a14  .(h.@.?..:......
	0x0020:  0983 ebf1 0016 93e3 6ba8 cd6b d1ce 5010  ........k..k..P.
	0x0030:  f6b4 0d8e 0000 0000 0000                 ..........
10:22:22.376759 IP (tos 0x0, ttl 63, id 26835, offset 0, flags [DF], proto TCP (6), length 40)
    10.20.3.25.60401 > 10.20.9.131.22: tcp 0
	0x0000:  0050 5685 2ba8 0074 9c0f c748 0800 4500  .PV.+..t...H..E.
	0x0010:  0028 68d3 4000 3f06 b239 0a14 0319 0a14  .(h.@.?..9......
	0x0020:  0983 ebf1 0016 93e3 6ba8 cd6b d392 5010  ........k..k..P.
	0x0030:  faf0 078e 0000 0000 0000                 ..........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@test-core-services-03 ~]#
(10). Capturing HTTP packets with tcpdump
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'
0x4745 is the first two letters "GE" of "GET", and 0x4854 is the first two letters "HT" of "HTTP".
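As an added example (not from the article), this Python script rebuilds the first frame of the -XX dump in (9) from its hex lines, decodes the fields tcpdump printed on the summary line, and applies the GET/HTTP test from (10) both as the filter writes it (fixed segment offset 20) and relative to the TCP data offset, so that segments carrying TCP options are not missed. The build_frame helper, its addresses and its payloads are constructed test data.

```python
import re
import struct
from ipaddress import IPv4Address

# First packet of the tcpdump -XX output in (9), hex and ASCII columns as printed.
HEXDUMP = """
0x0000:  0050 5685 2ba8 0074 9c0f c748 0800 4500  .PV.+..t...H..E.
0x0010:  0028 68d2 4000 3f06 b23a 0a14 0319 0a14  .(h.@.?..:......
0x0020:  0983 ebf1 0016 93e3 6ba8 cd6b d1ce 5010  ........k..k..P.
0x0030:  f6b4 0d8e 0000 0000 0000                 ..........
"""

def parse_hexdump(text):
    """Rebuild raw frame bytes from tcpdump -X/-XX lines, skipping the ASCII column."""
    words = []
    for line in text.strip().splitlines():
        # at most eight 16-bit words per line; the first non-hex token begins the ASCII column
        for tok in line.split(":", 1)[1].split()[:8]:
            if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                break
            words.append(tok)
    return bytes.fromhex("".join(words))

def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers into the fields tcpdump prints, plus the raw segment."""
    ip = frame[14:]                              # EtherType 0x0800 assumed, as in the capture
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    tcp = ip[ihl:total_len]                      # bounded by IP length: drops Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                # TCP header length, options included
    return {"src": str(IPv4Address(ip[12:16])), "sport": sport, "ttl": ip[8], "id": ident,
            "dst": str(IPv4Address(ip[16:20])), "dport": dport, "df": bool(flags_frag & 0x4000),
            "length": total_len, "tcp": tcp, "payload": tcp[data_off:]}

def http_fixed_offset(frame):
    """What tcp[20:2] in (10) reads: segment offset 20, which is payload only without TCP options."""
    return decode_frame(frame)["tcp"][20:22] in (b"GE", b"HT")   # 0x4745 / 0x4854

def http_by_data_offset(frame):
    """Same test from the real payload start (BPF form: tcp[((tcp[12]&0xf0)>>2):2])."""
    return decode_frame(frame)["payload"][:2] in (b"GE", b"HT")

def build_frame(options, payload):
    """Constructed IPv4/TCP frame for testing, not a real capture; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, ((20 + len(options)) // 4) << 4,
                      0x18, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     IPv4Address("10.20.3.25").packed, IPv4Address("10.20.9.131").packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
```

Running decode_frame(parse_hexdump(HEXDUMP)) returns exactly the values on the summary line above (10.20.3.25.60401 > 10.20.9.131.22, ttl 63, id 26834, DF, length 40, empty payload); a constructed request segment with 12 bytes of NOP options passes http_by_data_offset but not http_fixed_offset.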
Common tcpdump options:
The command format is:
tcpdump [-DenNqvX] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-w file] [expression]

Capture options:
-c count: the number of packets to capture. Note that this is the number of packets you end up with: for example, "-c 10" yields 10 packets, but 100 packets may have been processed with only 10 of them matching the filter.
-i interface: the interface tcpdump should listen on. If this option is not given, tcpdump searches the system's interface list for the lowest-numbered configured interface (excluding the loopback interface; use "tcpdump -i lo" to capture on loopback) and stops at the first one that qualifies. The keyword "any" stands for all network interfaces.
-n: show addresses numerically rather than as hostnames, i.e. -n disables hostname resolution.
-nn: in addition to -n, show ports numerically rather than as service names.
-N: do not print the domain-name part of hostnames. For example, tcpdump prints "nic" instead of "nic.ddn.mil".
-P: whether to capture incoming or outgoing packets. Possible values are "in", "out" and "inout"; the default is "inout".
-s len: set the capture length (snaplen) to len bytes. If not set, the default is 65535 bytes. When the packets being captured are large, a snaplen that is too small truncates them; a truncated packet is marked with "[| proto]" in the output line (proto is printed as the actual protocol name). On the other hand, the larger the snaplen, the longer each packet takes to process and the fewer packets tcpdump can buffer, which can lead to dropped packets, so as long as you still capture what you need, the smaller the capture length the better.

Output options:
-e: each output line includes the data-link-layer header, such as the source and destination MAC addresses.
-q: quick output: print very little protocol information so that output lines are short.
-X: print the packet's header data in both hexadecimal and ASCII.
-XX: print the packet's header data in both hexadecimal and ASCII, in more detail.
-v: produce verbose output when parsing and printing.
-vv: more verbose than -v.
-vvv: more verbose than -vv.

Other options:
-D: list the interfaces available for capture. Both the interface number and the interface name are listed, and either can be used after "-i".
-F file: read the filter expression from file. If this option is used, any expression given on the command line is ignored.
-w file: write the raw packet data to file instead of printing to standard output. Combined with "-G time", the output is rotated to a new file every time seconds. These files can later be loaded with "-r" for analysis and printing.
-r file: read packet data from the given capture file. Use "-" to read from standard input.
© 2024 shulou.com SLNews company. All rights reserved.