How to use the tcpdump command in the Linux system


tcpdump is a packet capture command for Linux. It intercepts and analyzes the packets transmitted over the network and is a very powerful tool for collecting and analyzing network data. The following is a brief introduction to the usage of the tcpdump command on Linux systems.

Practical examples of commands

Default start

tcpdump

Under ordinary circumstances, starting tcpdump without arguments monitors all packets passing through the first network interface.

Monitoring packets for a specified network interface

tcpdump -i eth1

If you do not specify an interface, tcpdump monitors only the first network interface, typically eth0. The examples below do not specify a network interface.

Monitoring Packets for a Specified Host

Print all packets entering or leaving the host sundown.

tcpdump host sundown

You can also specify an IP address; for example, to capture all packets received and sent by host 210.27.48.1:

tcpdump host 210.27.48.1

Print the packets exchanged between helios and either hot or ace

tcpdump host helios and \( hot or ace \)

Capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

Print IP packets exchanged between ace and any other host, excluding the packets between ace and helios.

tcpdump ip host ace and not helios

To get the IP packets between host 210.27.48.1 and all hosts except host 210.27.48.2, use the command:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Capture all packets sent by host hostname

tcpdump -i eth0 src host hostname

Monitor all packets sent to host hostname

tcpdump -i eth0 dst host hostname

Monitoring packets for the specified host and port

To get the telnet packets received or sent by host 210.27.48.1, use the following command

tcpdump tcp port 23 host 210.27.48.1

Monitor UDP port 123 of this machine (the NTP service port)

tcpdump udp port 123

Monitoring packets of a specified network

Print all packets between the local host and hosts on the Berkeley network (nt: ucb-ether here can be understood as the network address of the 'Berkeley network'; the original expression can be read as: print all packets whose network address is ucb-ether)

tcpdump net ucb-ether

Print all ftp packets passing through gateway snup (note: the expression is in single quotes so that the shell does not parse the parentheses in it)

tcpdump 'gateway snup and (port ftp or ftp-data)'

Print all IP packets whose source and destination addresses are both outside the local network

(If the local network is connected to another network through a gateway, such packets should never appear on the local network. (nt: the translation of this sentence is rough.) When actually used, localnet should be replaced with the name of your own network.)

tcpdump ip and not net localnet

Monitoring packets of a specified protocol

Print the start and end packets (SYN and FIN) of TCP sessions whose source or destination is not a host on the local network. (nt: localnet is to be replaced with the actual network name in actual use)

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Print all IPv4 TCP packets with source or destination port 80 that carry data, i.e. excluding SYN, FIN and ACK-only packets that have no payload. (Writing the IPv6 version of the expression is left as an exercise)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

(nt: ip[2:2] is the total length of the IP packet. (ip[0]&0xf)<<2 is the length of the IP header: ip[0]&0xf is the IHL field, whose unit is 32-bit words, so it is multiplied by 4, i.e. shifted left by 2, to get bytes. (tcp[12]&0xf0)>>2 is the length of the TCP header: tcp[12]&0xf0 is the Data Offset field in the upper 4 bits of that byte, also in 32-bit words; converting it to bytes is ((tcp[12]&0xf0)>>4)<<2, which simplifies to (tcp[12]&0xf0)>>2. So ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0 means: the total length of the IP packet minus the IP header length minus the TCP header length is not zero, i.e. the packet carries data. For the IPv6 version, consider the difference between 'Payload Length' and the TCP header length, and replace ip[] with ip6[].)

Print IP packets longer than 576 bytes that pass through gateway snup

tcpdump 'gateway snup and ip[2:2] > 576'

Print IP-layer broadcast or multicast packets that were not sent as broadcast or multicast frames at the physical Ethernet layer

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
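The byte-offset filters above (tcp[tcpflags], the ip[2:2]/ip[0]/tcp[12] payload arithmetic, ip[2:2] > 576, and ether[0]/ip[16]) are easiest to understand by evaluating them by hand on a frame. The following Python is an added example, not code from the original article or from tcpdump itself: it builds constructed Ethernet/IPv4/TCP frames (sample MACs and addresses, not a real capture) and evaluates each expression the same way tcpdump does, with ip[] offsets counted from the IP header and tcp[] offsets counted from the TCP header after skipping the IP header length. The function and variable names are this example's own.

```python
import struct

# tcpdump evaluates ip[...] relative to the start of the IP header (which, on
# Ethernet, follows the 14-byte link header) and tcp[...] relative to the start
# of the TCP header, i.e. after the variable-length IP header.
ETH_HDR_LEN = 14
TCP_SYN, TCP_FIN = 0x02, 0x01          # tcpdump's tcp-syn and tcp-fin


def build_frame(payload=b"", tcp_flags=0x10, tcp_options=b"",
                dst_mac=bytes.fromhex("525400000002"), dst_ip="192.0.2.10"):
    """Construct an Ethernet/IPv4/TCP frame (constructed sample data, not a
    capture). Checksums are left zero; none of the filters here read them."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    src_mac = bytes.fromhex("525400000001")
    ether_hdr = dst_mac + src_mac + struct.pack("!H", 0x0800)
    tcp_hdr_len = 20 + len(tcp_options)
    data_offset_byte = (tcp_hdr_len // 4) << 4          # this becomes tcp[12]
    tcp_seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset_byte,
                          tcp_flags, 65535, 0, 0) + tcp_options + payload
    total_len = 20 + len(tcp_seg)                       # this becomes ip[2:2]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                         bytes(map(int, "198.51.100.7".split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return ether_hdr + ip_hdr + tcp_seg


def ether(frame, off, n=1):
    """ether[off:n] as a big-endian integer."""
    return int.from_bytes(frame[off:off + n], "big")


def ip(frame, off, n=1):
    """ip[off:n]: the offset is taken from the start of the IP header."""
    base = ETH_HDR_LEN
    return int.from_bytes(frame[base + off:base + off + n], "big")


def tcp(frame, off, n=1):
    """tcp[off:n]: the offset is taken from the start of the TCP header, so
    the IP header length (IHL * 4, options included) is skipped first."""
    base = ETH_HDR_LEN + ((ip(frame, 0) & 0xF) << 2)
    return int.from_bytes(frame[base + off:base + off + n], "big")


def tcp_has_payload(frame):
    """tcpdump: (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0"""
    ip_total = ip(frame, 2, 2)                  # total length of the IP packet
    ip_hdr_len = (ip(frame, 0) & 0xF) << 2      # IHL words -> bytes
    tcp_hdr_len = (tcp(frame, 12) & 0xF0) >> 2  # data offset words -> bytes
    return (ip_total - ip_hdr_len) - tcp_hdr_len != 0


def tcp_syn_or_fin(frame):
    """tcpdump: tcp[tcpflags] & (tcp-syn|tcp-fin) != 0  (tcpflags is tcp[13])"""
    return (tcp(frame, 13) & (TCP_SYN | TCP_FIN)) != 0


def ip_longer_than(frame, n=576):
    """tcpdump: ip[2:2] > 576"""
    return ip(frame, 2, 2) > n


def ip_multicast_on_unicast_ether(frame):
    """tcpdump: ether[0] & 1 = 0 and ip[16] >= 224
    Bit 0 of ether[0] is the group bit of the destination MAC; ip[16] is the
    first byte of the destination IP (224-239 multicast, 255 broadcast)."""
    return (ether(frame, 0) & 1) == 0 and ip(frame, 16) >= 224


if __name__ == "__main__":
    ack_only = build_frame()
    get = build_frame(payload=b"GET / HTTP/1.0\r\n\r\n", tcp_flags=0x18)
    # 12 bytes of options (NOP, NOP, timestamp): a naive "length > 40" check
    # would count this ACK as data; the header-length arithmetic does not.
    ack_ts = build_frame(tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
    for name, f in [("ack_only", ack_only), ("get", get), ("ack_ts", ack_ts)]:
        print(f"{name}: payload={tcp_has_payload(f)} syn/fin={tcp_syn_or_fin(f)}")
```

The ack_ts frame is the case that matters: an ACK carrying TCP timestamp options is 52 bytes at the IP layer, so a filter that only compared ip[2:2] against 40 would misreport it as data, whereas subtracting the real header lengths from tcp[12] and ip[0] gives zero payload. The same offsets apply unchanged to a live capture, because tcpdump compiles the expression against exactly these header positions.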

Print ICMP packets other than 'echo request' and 'echo reply' (for example, use this expression when you need to print all packets that were not generated by the ping program)

(nt: 'echo request' and 'echo reply' are the two ICMP packet types usually generated by the ping program)

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'