2025-04-11 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article is about how to use the tcpdump command on Linux. The editor thinks it is very practical, so it is shared here as a reference; follow along and have a look.
Tcpdump ("dump the traffic on a network") is a packet analysis tool that intercepts packets on the network according to rules the user defines. It can capture the complete headers of packets transmitted on the network for analysis, supports filtering by network layer, protocol, host, network or port, and provides and, or, not and other logic operators to help you discard useless information.
Installation
Tcpdump is available by default in almost all Linux distributions, but if it is not present on your system, install it with the following method.
CentOS/RHEL
Install tcpdump on CentOS and RHEL using the following command:
$ sudo yum install tcpdump
Fedora
Install tcpdump on Fedora using the following command:
$ sudo dnf install tcpdump
Ubuntu/Debian/Linux Mint
Install tcpdump on Ubuntu/Debian/Linux Mint using the following command:
$ sudo apt-get install tcpdump
Now that you have installed tcpdump, let's look at some examples.
Case demonstration
Capturing packets from all network cards
Run the following command to capture packets from all network cards:
$ tcpdump -i any
Capturing packets from a specified network card
To capture packets from a specified network card, run:
$ tcpdump -i eth0
Writing the captured packets to a file
Use the -w option to write all captured packets to a file:
$ tcpdump -i eth2 -w packets_file
Reading a previously generated tcpdump file
Use the following command to read the tcpdump file you created earlier:
$ tcpdump -r packets_file
Getting more packet information and displaying the timestamp in a readable form
To get more packet information and display the timestamp in a readable form, use:
$ tcpdump -ttttnnvvS
Viewing packets across a network
To get packets for an entire network, run the following command at the terminal:
$ tcpdump net 192.168.1.0/24
Viewing packets based on IP address
To get packets for a specified IP, whether as source or destination address, use the following command:
$ tcpdump host 192.168.1.100
To specify whether the IP address is the source or the destination address, use:
$ tcpdump src 192.168.1.100
$ tcpdump dst 192.168.1.100
Viewing packets for a protocol or port number
To view packets for a protocol, run the following command (tcpdump's filter language does not know application names such as "ssh"; it accepts protocol names such as tcp, udp or icmp):
$ tcpdump tcp
To capture packets for a port or a port range, use:
$ tcpdump port 22
$ tcpdump portrange 22-125
We can also use the src and dst qualifiers to capture packets from a specified source port or to a specified destination port.
We can also combine conditions using "and" (and, &&), "or" (or, ||) and "not" (not, !). This is very useful when we need to analyse network traffic based on certain conditions. Because && and || are also shell operators, quote the whole filter expression when you use the symbolic forms.
Use "and"
You can use and, or the symbol &&, to combine two or more conditions. For example:
$ tcpdump -w ssh_packets 'src 192.168.1.100 && port 22'
Use "or"
"or" checks whether a packet matches any one of the conditions listed in the command, like this (and binds tighter than or, so the parentheses are needed to apply the port condition to both hosts):
$ tcpdump -w ssh_packets '(src 192.168.1.100 or dst 192.168.1.50) && port 22'
$ tcpdump -w http_packets 'port 443 or 80'
Use "not"
We use "not" when we want to exclude packets that match a condition, like this:
$ tcpdump -i eth0 src port not 22
This captures all traffic on eth0 except packets whose source port is 22.
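As an added example (not code from the original article), here is a small Python reader for the classic pcap files that tcpdump -w produces, applying the same host, src, dst and port conditions the commands above use, so a capture can be filtered offline. The sample capture, addresses and ports are constructed inside the script; a real file would come from tcpdump -w as shown above.

```python
import socket
import struct

def eth_ipv4_tcp(src, dst, sport, dport):
    """Minimal Ethernet/IPv4/TCP frame used as constructed sample data (no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # zero MACs, EtherType 0x0800

def build_pcap(frames):
    """Serialise frames as a little-endian classic pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (seconds, frame) per record, honouring the byte order the magic declares."""
    magics = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
    if data[:4] not in magics:
        raise ValueError("not a classic pcap file (pcapng/nanosecond magic not handled)")
    end, off = magics[data[:4]], 24                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def decode(frame):
    """Return (src, dst, sport, dport) for IPv4 TCP/UDP over Ethernet, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, dst, sport, dport

def select(data, host=None, src=None, dst=None, port=None):
    """Yield packets satisfying every given condition (tcpdump primitives joined by 'and')."""
    for ts, frame in read_pcap(data):
        s, d, sp, dp = decode(frame) or (None,) * 4
        if s is None or (host and host not in (s, d)) or (src and s != src) \
                or (dst and d != dst) or (port and port not in (sp, dp)):
            continue
        yield ts, s, d, sp, dp

# Constructed sample capture: an SSH request/reply pair and one HTTPS packet.
SAMPLE_PCAP = build_pcap([eth_ipv4_tcp("192.168.1.100", "10.0.0.5", 51000, 22),
                          eth_ipv4_tcp("10.0.0.5", "192.168.1.100", 22, 51000),
                          eth_ipv4_tcp("192.168.1.50", "10.0.0.5", 40000, 443)])
```

To use it on a real capture, pass the bytes of a file written with tcpdump -w to select() instead of SAMPLE_PCAP; only the classic microsecond pcap format is handled, not pcapng.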
This concludes our tutorial, which shows you how to install and use tcpdump to capture network packets.
Thank you for reading! This is the end of this article on "how to use tcpdump commands in Linux". I hope the above content is of some help to you and that you learn more from it. If you think the article is good, share it so that more people can see it!