Shulou(Shulou.com)06/01 Report--

This article introduces how to use tcpdump command in Linux system, including examples of how to use tcpdump command in Linux system, application skills, summary of basic knowledge points and matters needing attention. It has a certain reference value, and friends who need it can refer to it.

What is Linux system Linux is a free-to-use and free-spread UNIX-like operating system, is a POSIX-based multi-user, multi-task, multi-threaded and multi-CPU operating system, using Linux can run major Unix tools, applications and network protocols.

Brief introduction to Command

Tcpdump is a powerful network package grabbing tool that runs on the Linux platform. Familiarity with the use of tcpdump can help us analyze and debug network data. But if you want to master tcpdump well, you must have some understanding of network message (TCP/IP protocol). But for simple use, as long as there is a basic concept of the network.

As a classic necessary tool for system administrators on the Internet, tcpdump, with its powerful functions and flexible interception strategy, has become one of the necessary tools for every senior system administrator to analyze the network and troubleshoot problems. In practice, the command needs to be executed with root privileges.

Tcpdump is a very complex command, it is not easy to understand all aspects of it, and it is not recommended to be able to use it to solve daily work problems is the key, so, the following summary I will focus more on the actual work, sort out some of the usages often used in the actual work, for some unpopular usage, I will not involve here, if used in the future work, I will update here.

Detailed explanation of command

Let's start with a summary of some common options for tcpdump.

-s number:tcpdump only intercepts the first 96 bytes by default. If you want to intercept all the contents of a message, you need to use this option. Number is the number of bytes of text that need to be intercepted. If 0, it means intercepting all the contents of the message.

-nn: indicates that the domain name is not resolved and IP is displayed directly. This option is also available in the netstat command.

-X: display message content using hex and ascii at the same time

-S: displays the absolute serial number (sequence number) instead of the relative number

-I: specify the network card to monitor.-I any means to monitor all network cards.

-vmam Methov vjjmmai vvvv: show more details.

-c number: intercepts number messages, and then ends

-w: write the monitored packets to the file and save them without analyzing and printing them.

-A: only use ascii to print all the data of the message, not with the-X option. You can use sudo tcpdump-nSA port 80 to intercept HTTP requests

Although there are many options for the tcpdump command, there are only a few commonly used options. I will focus more on using examples here and learn the tcpdump command by using examples.

Filter

First of all, it is necessary to master some basic theoretical knowledge of the use of tcpdump when explaining the use of examples. Let's talk about the filter first.

There are many network messages on the server, and most of the time we only pay attention to the data messages related to specific problems, but these useful messages only account for a very small part. In order not to let us lose ourselves in the sea of messages, it is very necessary for us to learn the flexible and powerful filters provided by tcpdump.

Filters can also be simply divided into three categories: type,dir and proto.

Type: mainly used to distinguish filter message source types, which is mainly composed of host host messages, net network segment messages and port designated port messages.

Dir: filter only the source and destination addresses of messages, including the src source address and dst destination address

Proto: only the protocol types of messages are filtered, and tcp,udp and icmp are supported. You can omit the proto keyword when using it:

Tcpdump-I eth2 arp

Tcpdump-I eth2 ip

Tcpdump-I eth2 tcp

Tcpdump-I eth2 udp

Tcpdump-I eth2 icmp

These filters are indispensable when we use the tcpdump command.

Conditional combination

In the vast network, it is difficult to find the network packet you want. In order to catch the network packet we want, the more restrictions we include in the packet capture command, the fewer irrelevant packets we will catch, so we can use "and" (and, & &), "OR" (or, |) and "not" (not,!) to combine multiple conditions. This is very useful for us to analyze network packets based on certain conditions.

Use an example

Command: tcpdump-I eth2

Description: monitor packets on a specified network interface

Command: tcpdump host 210.27.48.3

Description: intercept all packets received and sent by 210.27.48.3 host

Command: tcpdump host 210.27.48.4 and (210.27.48.5 or 210.27.48.6)

Description: intercept all packets of communication between 210.27.48.3 hosts and 210.27.48.5 or 210.27.48.6 hosts

Command: tcpdump net 192.168.1.0 Universe 24

Description: intercept data packets of 192.168.1.0 and 24 of the entire network

Command: tcpdump-I eth0 src host 210.27.48.3

Description: monitor all network packets on the eth0 network card with the source address 210.27.48.3

Command: tcpdump-I eth0 dst host 210.27.48.3

Note: monitor all network packets on the eth0 network card with the destination address of 210.27.48.3

Command: tcpdump tcp port 23 and host 210.27.48.3

Description: get all TCP protocol packets sent and received by applications with port 23 on host 210.27.48.3

Command: tcpdump udp port 123

Description: get all UDP protocol packets sent and received by local port 123

Command: tcpdump src host 10.126.1.222 and dst net 10.126.1.0 Universe 24

Description: intercept the source primary address is 10.126.1.222, the destination address is 10.126.1.0 Universe 24 the entire network

Command: tcpdump-I eth0-s0-G 60-Z root-w% Y_%m%d_%H%M_%S.pcap

Description: after grabbing the message, it is saved at the specified time interval; the-G option is followed by time (in seconds); the above command is to save a file every 60 seconds.

Command: tcpdump-I eth0-s0-C1-Z root-w eth0Packet.pcap

Note: after grabbing the message, it is saved according to the specified message size; the-C option is followed by the file size in MB;. The above command is to use a new file to save the newly captured message every time the packet file reaches 1MB.

So far, this is the end of this article on how to use the tcpdump command in the Linux system. For more related content, please search the previous articles or continue to browse the relevant articles below. I hope you will support me in the future!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.