2025-02-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Detailed explanation of tcpdump command parameters
## Options for tcpdump
tcpdump [-adeflnNOpqStvx] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]
The parameters are described as follows:
-a convert network and broadcast addresses to names
-b select the data-link layer protocol, including ip, arp, rarp and ipx; tcpdump -b arp displays only ARP (address resolution protocol) traffic on the network
-c stop after receiving the specified number of packets
-d dump the compiled packet-matching code in a human-readable, assembly-like form
-dd dump the packet-matching code as a C program fragment
-ddd dump the packet-matching code as decimal numbers
-e print the data-link layer header on each output line
-f print foreign Internet addresses numerically rather than symbolically
-F read the filter expression from the specified file; any expression given on the command line is ignored
-i specify the network interface to listen on
-l make standard output line buffered, e.g. tcpdump -l > tcpcap.txt stores the captured data in the tcpcap.txt file
-n do not convert IP addresses to host names
-N do not print the domain name part of host names
-nn additionally do not convert port numbers to service names
-O do not optimize the packet-matching code; useful when a bug is suspected in the optimizer
-r read packets from the specified file (usually one written with the -w option)
-s set the snapshot length; the default when capturing is 68 bytes, so add -s 0 to capture complete packets
-t do not print a UNIX timestamp on each output line, i.e. do not display the time
-T interpret the captured packets directly as messages of the specified type; common types are rpc (remote procedure call) and snmp
-tt print the raw, unformatted timestamp
-v output slightly more detailed information, such as the TTL and type-of-service fields carried in an IP packet
-vv output even more detailed packet information
-w write the raw packets to a file instead of parsing and printing them
tcpdump [-i nic] -nnAX 'expression'
-i: the network interface to listen on.
-nn: show source and destination hosts as IP addresses and port numbers instead of host names and service names.
-A: print each packet in ASCII, which is handy when capturing web traffic.
-X: print each packet in both hex and ASCII.
Expressions: there are many kinds; the common ones are host host, port port, src host sending-host and dst host receiving-host. Multiple conditions can be combined with and and or, and negated with !; see man 7 pcap-filter for more.
## Other tcpdump examples
1. Capture packets involving 10.10.10.122
tcpdump -i eth0 -vnn host 10.10.10.122
2. Capture packets on the 10.10.10.0/24 network segment
tcpdump -i eth0 -vnn net 10.10.10.0/24
3. Capture packets involving port 22
tcpdump -i eth0 -vnn port 22
4. Capture UDP packets
tcpdump -i eth0 -vnn udp
5. Capture ICMP packets
tcpdump -i eth0 -vnn icmp
6. Capture ARP packets
tcpdump -i eth0 -vnn arp
7. Capture IP packets
tcpdump -i eth0 -vnn ip
8. Capture packets whose source IP is 10.10.10.122
tcpdump -i eth0 -vnn src host 10.10.10.122
9. Capture packets whose destination IP is 10.10.10.122
tcpdump -i eth0 -vnn dst host 10.10.10.122
10. Capture packets whose source port is 22
tcpdump -i eth0 -vnn src port 22
11. Capture packets whose source IP is 10.10.10.253 and destination port is 22
tcpdump -i eth0 -vnn src host 10.10.10.253 and dst port 22
12. Capture packets whose source IP is 10.10.10.122 or that involve port 22
tcpdump -i eth0 -vnn src host 10.10.10.122 or port 22
13. Capture packets whose source IP is 10.10.10.122 and whose port is not 22
tcpdump -i eth0 -vnn src host 10.10.10.122 and not port 22
14. Capture packets with a source IP of 10.10.10.2 and a destination port of 22, or a source IP of 10.10.10.65 and a destination port of 80 (the parentheses are escaped so the shell passes them through to tcpdump)
tcpdump -i eth0 -vnn \( src host 10.10.10.2 and dst port 22 \) or \( src host 10.10.10.65 and dst port 80 \)
15. Capture packets with a source IP of 10.10.10.59 and a destination port of 22, or a source IP of 10.10.10.68 and a destination port of 80 (the same idea, using quoted sub-expressions instead of escaped parentheses)
tcpdump -i eth0 -vnn 'src host 10.10.10.59 and dst port 22' or 'src host 10.10.10.68 and dst port 80'
16. Save the captured packets to the /tmp/fil1 file and exit after the 100th packet
tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100
17. Read TCP packets from the /tmp/fil1 record
tcpdump -i eth0 -vnn -r /tmp/fil1 tcp
18. Read packets involving 10.10.10.58 from the /tmp/fil1 record
tcpdump -i eth0 -vnn -r /tmp/fil1 host 10.10.10.58
19. To capture port 80 traffic on VLAN 1, use the following format. The vlan keyword must come before port in the expression, because the first vlan keyword shifts the decoding offsets used by the rest of the filter:
tcpdump -i eth0 -w /tmp/vlan.cap vlan 1 and port 80
20. Capture port 80 packets on eth0 in the background:
nohup tcpdump -i eth0 -w /tmp/temp.cap port 80 &
21. Print ARP packets with verbose output
tcpdump -nvv arp
22. Capture the traffic between host 172.16.70.35 and either 192.168.43.23 or 192.168.43.24 and display it on the console
tcpdump -X -s 1024 -i eth0 host \( 192.168.43.23 or 192.168.43.24 \) and host 172.16.70.35
23. Collection of common commands
tcpdump -i eth0 -nn 'dst host 172.100.6.231'
tcpdump -i eth0 -nn 'src host 172.100.6.12'
tcpdump -i eth0 -nnA 'port 80'
tcpdump -i eth0 -XnnA 'port 22'
tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.231'
tcpdump -i eth0 -nnA '! port 22 and src host 172.100.6.230'
tcpdump -i eth0 -nnA '! port 22'
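As an added example (not part of the original article), the following Python script parses the numeric source/destination host and port fields that tcpdump prints with -nn, and re-expresses the filter primitives used in examples 11 to 13 (src host, dst port, port, and/or/not) as predicates, so the same selection can be re-run offline over saved text output. The sample lines are constructed for illustration, not a real capture, and the regex only covers IPv4 lines.

```python
import re
from collections import namedtuple

# One IPv4 line as printed by `tcpdump -nn`: numeric host with an optional ".port" suffix.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)
Packet = namedtuple("Packet", "ts src sport dst dport info")

def parse_line(line):
    """Parse one tcpdump -nn line; non-IP lines (e.g. ARP) return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]) if m["sport"] else None,
                  m["dst"], int(m["dport"]) if m["dport"] else None, m["info"])

# Predicates mirroring the pcap-filter primitives used in the examples above.
# As in pcap-filter, plain `host` and `port` match either direction.
def host(ip): return lambda p: ip in (p.src, p.dst)
def src_host(ip): return lambda p: p.src == ip
def dst_host(ip): return lambda p: p.dst == ip
def port(n): return lambda p: n in (p.sport, p.dport)
def src_port(n): return lambda p: p.sport == n
def dst_port(n): return lambda p: p.dport == n
def and_(*fs): return lambda p: all(f(p) for f in fs)
def or_(*fs): return lambda p: any(f(p) for f in fs)
def not_(f): return lambda p: not f(p)

def select(lines, pred):
    """Return the parsed packets for which pred holds; unparseable lines are skipped."""
    return [p for p in map(parse_line, lines) if p is not None and pred(p)]

# Constructed sample output (not a real capture) in the format `tcpdump -i eth0 -nn` prints.
SAMPLE = [
    "14:03:11.123456 IP 10.10.10.253.51234 > 10.10.10.122.22: Flags [S], seq 1, win 64240, length 0",
    "14:03:11.123900 IP 10.10.10.122.22 > 10.10.10.253.51234: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "14:03:12.000001 IP 10.10.10.122.53422 > 10.10.10.1.53: 4711+ A? example.com. (29)",
    "14:03:13.000002 IP 10.10.10.2 > 10.10.10.122: ICMP echo request, id 1, seq 1, length 64",
    "14:03:14.000003 ARP, Request who-has 10.10.10.1 tell 10.10.10.122, length 28",
]

if __name__ == "__main__":
    # Example 13 from the article: src host 10.10.10.122 and not port 22
    for p in select(SAMPLE, and_(src_host("10.10.10.122"), not_(port(22)))):
        print(p.ts, p.src, p.sport, "->", p.dst, p.dport, p.info)
```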