
How to use the tcpdump command in Linux

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to use the tcpdump command in Linux: what the tool is and how it captures packets, how to install it, and a set of commonly used capture and filter commands together with what each one actually matches.

tcpdump is a command-line packet sniffer for Unix-like systems that captures the packets flowing through a network interface. On Linux it works roughly as follows. The kernel processes every received frame by handing it to the registered protocol handlers (for example the Ethernet or X.25 handler) until one of them claims it. libpcap, the capture library tcpdump is built on, opens a packet socket (AF_PACKET), which registers an additional handler that behaves like a pseudo protocol: when the NIC receives a frame, the kernel also gives this handler a chance to look at it. The handler takes a complete copy of the frame (or only the frames that pass the BPF filter the kernel compiled from your filter expression) and delivers the copy to tcpdump, while the original continues through the normal protocol stack. tcpdump therefore observes a copy of the traffic and does not alter it. Opening a packet socket requires root or the CAP_NET_RAW capability, which is why tcpdump is normally run with sudo.

Most Linux distributions ship tcpdump or carry it in their standard package repositories. If it is not installed, install it with the package manager.

Installation command (RHEL/CentOS): yum install -y tcpdump (Debian/Ubuntu: apt-get install -y tcpdump)

Verify the installation: tcpdump --help (or tcpdump --version)

List the network interfaces: tcpdump -D prints the interfaces tcpdump can capture on (ip link shows all interfaces of the host).

Once you know the interface name, you can use tcpdump to capture and filter the traffic on that interface of the server.

Common tcpdump commands:

# capture all traffic through eth0 whose source or destination address is 192.168.29.162 (-n: do not resolve addresses to host names)

Command: tcpdump -n -i eth0 host 192.168.29.162

Note that the interface option is a lowercase -i. The uppercase -I switches a wireless interface into monitor mode and is unrelated.

# only packets whose source address is 192.168.29.162

Command: tcpdump -i eth2 src host 192.168.29.162

# only packets whose destination address is 192.168.29.162

Command: tcpdump -i eth2 dst host 192.168.29.162

# capture the traffic on TCP/UDP port 8080 (as source or destination port) on the eth0 interface of this server

Command: tcpdump -n -i eth0 port 8080

# print the SQL statements sent to a MySQL server as text. -s 0 captures whole packets, -l line-buffers the output, -w - writes the raw packets to stdout, and strings extracts the printable text. This only works while the client connection is not TLS-encrypted.

Command: tcpdump -i eth2 -s 0 -l -w - dst port 3306 | strings

# save the MySQL traffic to a capture file that can be opened with Wireshark. -nn disables both host-name and port-name resolution (it already implies -n, so the original -n was redundant); -tttt only affects printed output and has no effect when writing with -w, because the pcap file stores full timestamps anyway; -s 65535 makes sure complete packets are written.

Command: tcpdump -nn -tttt -i eth0 -s 65535 'port 3306' -w 20160505mysql.cap

# capture SYN-ACK segments, i.e. the server's reply in the TCP three-way handshake. The filter tests that both the SYN and the ACK bit are set; despite the original heading it has nothing to do with SMTP, which you would select with 'port 25'.

Command: tcpdump -i eth2 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'

# capture HTTP GET requests. tcp[12] holds the TCP data offset in its upper four bits (the header length in 32-bit words), so tcp[12]>>2 is the header length in bytes and tcp[(tcp[12]>>2):4] reads the first four bytes of the payload. "GET " (including the trailing space) is 0x47455420 in hexadecimal.

Command: tcpdump -i eth2 'tcp[(tcp[12]>>2):4] = 0x47455420'

# capture SSH version banners, which both client and server send at the start of a connection. "SSH-" is 0x5353482D in hexadecimal.

Command: tcpdump -i eth2 'tcp[(tcp[12]>>2):4] = 0x5353482D'

# capture GET requests on port 8080 in real time and write them to /tmp/GET.log. Because -w is used, the file is in pcap format (open it with Wireshark or tcpdump -r /tmp/GET.log), not plain text, and the -A and -l options have no effect on it; drop -w to print the ASCII payload to the terminal instead.

Command: tcpdump -i eth0 '((port 8080) and (tcp[(tcp[12]>>2):4] = 0x47455420))' -nnAl -w /tmp/GET.log

# capture a fixed number of SYN segments. tcp[tcpflags] = tcp-syn matches segments in which only the SYN bit is set (new connection attempts, not the SYN-ACK replies), -c 10 stops after 10 matching packets, and time reports how long that took.

Command: time tcpdump -nn -i eth0 'tcp[tcpflags] = tcp-syn' -c 10
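The following Python script is an added example and is not code from the original article. It emulates how the BPF filter that tcpdump compiles evaluates the expressions used above, the payload-prefix filters for "GET " and "SSH-" and the two tcpflags filters, on TCP segments constructed in the script itself, so the behaviour can be checked offline without root or a live interface. It also derives the hexadecimal constants from the ASCII text instead of hard-coding them, so the same function produces the constant for any other four-byte prefix (for example "POST" or "HTTP").

```python
"""Emulation of the tcpdump filter expressions used in this article.

Added example; it is not part of the original article and does not use
libpcap. All TCP segments are constructed here so the script runs offline.
"""
import struct

# Flag bits of tcp[13], the byte tcpdump calls tcp[tcpflags].
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_segment(flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed test data: a TCP header, optional options and payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4        # header length in 32-bit words
    # Byte 12 = data offset (upper nibble) + reserved bits, byte 13 = flags.
    offset_and_flags = (data_offset << 12) | flags
    header = struct.pack("!HHIIHHHH",
                         40000, 80,            # source port, destination port
                         1, 0,                 # sequence and acknowledgement numbers
                         offset_and_flags,
                         65535,                # window
                         0, 0)                 # checksum (not verified here), urgent pointer
    return header + options + payload


def filter_constant(prefix: str) -> str:
    """Hexadecimal constant for a 4-byte payload prefix: 'GET ' -> '0x47455420'."""
    raw = prefix.encode("ascii")
    if len(raw) != 4:
        raise ValueError("tcp[...:4] compares exactly four bytes")
    return "0x" + raw.hex().upper()


def payload_prefix_filter(prefix: str) -> str:
    """The tcpdump expression matching segments whose payload starts with prefix."""
    return f"tcp[(tcp[12]>>2):4] = {filter_constant(prefix)}"


def payload_starts_with(segment: bytes, prefix: str) -> bool:
    """Evaluate tcp[(tcp[12]>>2):4] = 0x... the way the BPF program does."""
    # The header length in bytes is (tcp[12] >> 4) * 4. Because the low nibble
    # of byte 12 holds reserved bits that are zero in practice, tcp[12] >> 2
    # gives the same value; that is the shortcut the article's filters rely on.
    header_len = segment[12] >> 2
    if len(segment) < header_len + 4:
        return False          # a BPF load past the end of the packet fails the match
    first_word = int.from_bytes(segment[header_len:header_len + 4], "big")
    return first_word == int(filter_constant(prefix), 16)


SYN_ACK_FILTER = "tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0"
PURE_SYN_FILTER = "tcp[tcpflags] = tcp-syn"


def is_syn_ack(segment: bytes) -> bool:
    """SYN_ACK_FILTER: both the SYN and the ACK bit are set."""
    flags = segment[13]
    return bool(flags & TCP_SYN) and bool(flags & TCP_ACK)


def is_pure_syn(segment: bytes) -> bool:
    """PURE_SYN_FILTER: the SYN bit and nothing else."""
    return segment[13] == TCP_SYN


# Constructed sample traffic: a handshake, one HTTP request and one SSH banner.
MSS_OPTION = b"\x02\x04\x05\xb4"   # 4-byte MSS option; makes the header 24 bytes long
SAMPLES = {
    "syn": build_tcp_segment(TCP_SYN, options=MSS_OPTION),
    "syn_ack": build_tcp_segment(TCP_SYN | TCP_ACK, options=MSS_OPTION),
    "ack": build_tcp_segment(TCP_ACK),
    "http_get": build_tcp_segment(TCP_PSH | TCP_ACK, b"GET /index.html HTTP/1.1\r\n", MSS_OPTION),
    "ssh_banner": build_tcp_segment(TCP_PSH | TCP_ACK, b"SSH-2.0-OpenSSH_9.6\r\n"),
}


def classify(segment: bytes) -> list[str]:
    """The article's filter expressions that this segment would pass."""
    hits = []
    if is_pure_syn(segment):
        hits.append(PURE_SYN_FILTER)
    if is_syn_ack(segment):
        hits.append(SYN_ACK_FILTER)
    for prefix in ("GET ", "SSH-"):
        if payload_starts_with(segment, prefix):
            hits.append(payload_prefix_filter(prefix))
    return hits


if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:11s} header={seg[12] >> 2:2d} bytes  matches={classify(seg)}")
```

Run it with python3 to see which filter expressions each sample segment would pass. The length check in payload_starts_with shows why a bare ACK with no payload never matches a payload filter, and the header-length computation shows why the tcp[12]>>2 shortcut only holds while the reserved bits in byte 12 are zero.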
