
The method of grabbing packets by using tcpdump in linux system

2025-01-19 Update. From: SLTechnology News&Howtos > Servers

Shulou (Shulou.com) 06/02 Report

This article shares the method of capturing packets with tcpdump on a Linux system. Most people do not know much about it, so it is shared here for your reference; I hope you learn something from reading it.

1. Common parameters

   tcpdump -i eth0 -nn -s0 -v port 80

   -i eth0   select the network interface to monitor
   -nn       do not resolve host names or port numbers; when capturing a large amount of data, name resolution slows the capture down
   -s0       unlimited capture length (snaplen)
   -v        increase the amount of detail shown in the output
   port 80   port filter: capture only traffic on port 80 (usually HTTP)

2. ASCII output

   tcpdump -A -s 0 port 80

   -A   print the packet data as ASCII
   -X   print the packet data as hexadecimal and ASCII

3. UDP filter, capture only UDP packets

   tcpdump -i eth0 udp

   "proto 17" is equivalent to udp; "proto 6" is equivalent to tcp.

4. Host filter, filter by IP address

   tcpdump -i eth0 host 10.10.1.1

5. dst filter, filter by destination IP; src filters by source IP

   tcpdump -i eth0 dst 10.105.38.204

6. Write the capture to a file with -w; the file can then be analyzed in Wireshark

   tcpdump -i eth0 -s 0 -w test.pcap

7. -l is used when piping the output to other commands, such as grep

   tcpdump -i eth0 -s 0 -l port 80 | grep 'Server:'

8. Combined filtering: "and" or "&&", "or" or "||", "not" or "!"

9. Quickly extract the HTTP User-Agent

   tcpdump -nn -A -s1500 -l | grep "User-Agent:"

   Use egrep to match both User-Agent and Host:

   tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

10. Match GET packets

    tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

    Match POST packets (the POST data may not be in the same packet):

    tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

11. Match HTTP request headers

    tcpdump -s0 -v -n -l | egrep -i "POST /|GET /|Host:"

    Match some POST data:

    tcpdump -s0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

    Match some cookie information:

    tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

12. Capture DNS requests and responses

    tcpdump -i eth0 -s 0 port 53

13. Capture with tcpdump and view in Wireshark: connect to the remote server over ssh, run tcpdump there, and analyze the stream in the local Wireshark

    ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

    ssh ubuntu@115.159.28.111 'sudo tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

14. Combine with the shell to obtain the IPs seen most often

    tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

15. Capture DHCP requests and responses

    tcpdump -v -n port 67 or 68
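The GET/POST filters in item 10 read the TCP data offset from the high nibble of header byte 12 and use it to locate the first four payload bytes, so the match still works when the TCP header carries options. The following Python is an added example, not code from the original article: it builds constructed TCP segments (the function names, ports and payloads are assumptions for illustration) and implements the same arithmetic as the tcpdump expression, alongside a naive version that hardcodes a 20-byte header to show why the dynamic offset matters.

```python
import struct

# 4-byte constants from the article's filters: 0x47455420 == b"GET ", 0x504f5354 == b"POST"
GET_WORD = b"GET "
POST_WORD = b"POST"


def build_tcp_segment(src_port, dst_port, payload, options=b""):
    """Constructed TCP segment (header, optional options, payload) for this example.

    The data-offset field (header length in 32-bit words) is the high nibble of
    byte 12, which is exactly what the tcpdump expression tcp[12:1] reads.
    """
    # TCP options must pad the header to a multiple of 4 bytes
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    header_words = 5 + len(options) // 4
    data_offset_byte = header_words << 4          # high nibble = data offset, low nibble = reserved
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,                                     # seq / ack numbers, irrelevant here
        data_offset_byte, 0x18,                   # flags: PSH|ACK
        65535, 0, 0,                              # window, checksum (not computed), urgent pointer
    )
    return header + options + payload


def tcp_payload_offset(tcp):
    """Same arithmetic as ((tcp[12:1] & 0xf0) >> 2) in the tcpdump filter.

    Masking keeps the data offset in the high nibble (value already x16);
    shifting right by 2 divides by 4, leaving words x 4 = header length in bytes.
    """
    return (tcp[12] & 0xF0) >> 2


def matches_method(tcp, method_word):
    """Equivalent of tcp[((tcp[12:1] & 0xf0) >> 2):4] = <4-byte constant>."""
    off = tcp_payload_offset(tcp)
    return tcp[off:off + 4] == method_word


def naive_matches(tcp, method_word):
    """What a hardcoded 'tcp[20:4] = ...' would do: assumes a 20-byte header with no options."""
    return tcp[20:24] == method_word


def demo():
    """Run the filter logic over three constructed segments and return the match results."""
    get_plain = build_tcp_segment(40000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    # NOP, NOP, timestamp option (kind 8, length 10): 12 bytes of options -> 32-byte header
    ts_option = b"\x01\x01\x08\x0a" + b"\x00" * 8
    get_with_options = build_tcp_segment(40001, 80, b"GET /index HTTP/1.1\r\n\r\n", options=ts_option)
    # Only the request line is in this segment; the POST body may follow in a later segment,
    # which is why the article notes the POST data may not be in the matched packet.
    post = build_tcp_segment(40002, 80, b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n")
    return {
        "get_plain": matches_method(get_plain, GET_WORD),
        "get_with_options": matches_method(get_with_options, GET_WORD),
        "get_with_options_naive": naive_matches(get_with_options, GET_WORD),
        "post_matched_as_get": matches_method(post, GET_WORD),
        "post": matches_method(post, POST_WORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The segment with a timestamp option is the instructive case: the dynamic-offset filter matches it, while the hardcoded 20-byte version misses it entirely, which is exactly the traffic a fixed-offset filter would fail to surface.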

The above covers the method of capturing packets with tcpdump on a Linux system. Thank you for reading! I hope the content is helpful; if you want to learn more, you are welcome to follow the industry information channel.
