About the Linux tcpdump command
Put simply, tcpdump dumps the traffic on a network: it is a packet-analysis tool that captures packets on the wire according to rules the user defines. tcpdump can capture the complete headers of the packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you discard traffic you are not interested in.

Practical command examples

Default startup

tcpdump

Normally, starting tcpdump with no arguments captures all packets flowing through the first network interface.

Monitor packets on a specified network interface.

tcpdump -i eth1

If no network card is specified, tcpdump by default only monitors the first network interface, which is generally eth0. None of the following examples specify a network interface.

Monitor the packets of the specified host

Print all packets arriving at or departing from the host sunset.

tcpdump host sunset

You can also specify an IP address, for example to capture all packets sent or received by the host 210.27.48.1.

tcpdump host 210.27.48.1

Print the packets exchanged between helios and either hot or ace.

tcpdump host helios and \( hot or ace \)

Capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3.

tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

Print the IP packets exchanged between ace and any other host, excluding packets that involve helios.

tcpdump ip host ace and not helios

If you want the IP packets that host 210.27.48.1 exchanges with every host except host 210.27.48.2, use the following command:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Capture all packets sent by the host hostname.

tcpdump -i eth0 src host hostname

Monitor all packets sent to the host hostname.

tcpdump -i eth0 dst host hostname

Monitor packets for a specified host and port.

If you want the telnet packets received or sent by host 210.27.48.1, use the following command.

tcpdump tcp port 23 and host 210.27.48.1

Listen on UDP port 123 of the local machine; 123 is the NTP service port.

tcpdump udp port 123

Monitor packets on the specified network.

Print all packets exchanged between the local host and hosts on the Berkeley network (translator's note: ucb-ether can be understood here as the network address of the Berkeley network, so the intent of the expression is: print all packets whose network address is ucb-ether).

tcpdump net ucb-ether

Print all ftp packets that pass through the gateway snup (note that the expression is enclosed in single quotation marks, which prevents the shell from misinterpreting the parentheses).

tcpdump 'gateway snup and (port ftp or ftp-data)'

Print all IP packets whose source or destination address is the local host.

(If the local network is connected to another network through a gateway, the other network is not counted as part of the local network. Translator's note: this sentence is convoluted and needs supplementing. When you actually use this command, replace localnet with the name of your own local network.)

tcpdump ip and not net localnet
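As an added illustration (not part of the original page, and not tcpdump's own code), the small Python evaluator below implements the subset of the filter syntax used in the commands above: the host, net and port qualifiers with optional src/dst, the ip/tcp/udp protocol keywords, and/or/not with parentheses, and the tcpdump rule that a bare value such as the second address in "host 210.27.48.1 and ! 210.27.48.2" inherits the most recent qualifier. The host names, addresses, service table and packets are constructed for the example; gateway and the localnet name are not supported, and "net" is treated as a dotted /24 prefix.

```python
import re
# Constructed stand-ins for DNS and /etc/services; none of these names or addresses are real.
HOSTS = {"helios": "210.27.48.1", "hot": "210.27.48.2", "ace": "210.27.48.3"}
SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "ntp": 123}
# Constructed sample packets (src, dst, proto, sport, dport); all are IP, so "ip" always matches.
PACKETS = [("210.27.48.1", "210.27.48.2", "tcp", 40001, 23), ("210.27.48.3", "210.27.48.1", "udp", 123, 123),
           ("210.27.48.2", "210.27.48.3", "tcp", 40002, 21), ("192.168.1.5", "210.27.48.1", "tcp", 40003, 80),
           ("192.168.1.5", "8.8.8.8", "udp", 40004, 53)]
def parse(expr):
    # Recursive-descent parser for the filter subset used on this page; returns a nested-tuple AST.
    # The backslashes in "\( hot or ace \)" only protect the parentheses from the shell.
    toks = re.findall(r"\(|\)|[^\s()]+", expr.replace("\\", ""))
    state = {"i": 0, "kind": "host", "dir": None}  # a bare value inherits the last qualifiers
    peek = lambda: toks[state["i"]] if state["i"] < len(toks) else None
    def take(): state["i"] += 1; return toks[state["i"] - 1]
    def chain(sub, op):                   # left-associative: sub (op sub)*
        left = sub()
        while peek() == op: take(); left = (op, left, sub())
        return left
    def factor():
        if peek() in ("not", "!"): take(); return ("not", factor())
        if peek() == "(":
            take(); inner = chain(term, "or")
            if take() == ")": return inner
            raise ValueError("missing )")
        proto = take() if peek() in ("ip", "tcp", "udp") else None
        if proto and peek() in (None, "and", "or", ")"): return ("proto", proto)  # bare "ip"
        dirn = take() if peek() in ("src", "dst") else None
        kind = take() if peek() in ("host", "net", "port") else None
        if dirn or kind: state["dir"], state["kind"] = dirn, kind or "host"  # explicit beats inherited
        node = (state["kind"], state["dir"], take())
        return ("and", ("proto", proto), node) if proto else node
    term = lambda: chain(factor, "and")
    ast = chain(term, "or")
    if state["i"] != len(toks): raise ValueError("trailing tokens: %r" % toks[state["i"]:])
    return ast

def matches(node, pkt):
    if node[0] == "and": return matches(node[1], pkt) and matches(node[2], pkt)
    if node[0] == "or": return matches(node[1], pkt) or matches(node[2], pkt)
    if node[0] == "not": return not matches(node[1], pkt)
    if node[0] == "proto": return node[1] == "ip" or pkt[2] == node[1]
    kind, dirn, value = node
    pair = pkt[3:5] if kind == "port" else pkt[:2]          # (sport, dport) or (src, dst)
    sides = {"src": pair[:1], "dst": pair[1:], None: pair}[dirn]
    if kind == "port": return SERVICES.get(value, int(value) if value.isdigit() else -1) in sides
    if kind == "net": return any(s.startswith(value + ".") for s in sides)  # "net 210.27.48" is a /24
    return HOSTS.get(value, value) in sides
def select(expr, packets=PACKETS):
    ast = parse(expr)   # indices of the packets the filter keeps, i.e. the lines tcpdump would print
    return [i for i, p in enumerate(packets) if matches(ast, p)]
```

Running select() with each expression from this page against the constructed packets shows which lines each filter would have printed, which is a cheap way to sanity-check a filter before relying on it in a capture.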