Tcpdump captures packets from a network interface and prints their contents. Its protocol decoders and flexible capture filters have made it the standard tool for network analysis and troubleshooting on UNIX-like systems.
Tcpdump can filter on link-layer and network-layer fields, protocol, host, network and port, and provides the logical operators and, or and not so that traffic you are not interested in is discarded at capture time instead of cluttering the output.
-c count: Exit after capturing count packets.
-i interface: Listen on interface. If none is given, tcpdump picks the lowest-numbered configured interface, excluding loopback.
-n: Do not resolve host addresses to names. Without it, every address in the output triggers a reverse DNS lookup, which slows the capture down and itself generates traffic on the network you are examining.
-nn: Like -n, and also print port and protocol numbers instead of looking up service names.
-Q direction: Capture only incoming ("in"), outgoing ("out") or both ("inout", the default) packets. Not available on every platform; older tcpdump releases spelled this option -P.
-s snaplen: Capture only the first snaplen bytes of each packet instead of the default, which is the maximum (262144 bytes in current releases; older releases used 65535). If snaplen is smaller than a packet, the packet is truncated and the decoder prints "[|proto]" in the output line (with proto replaced by the name of the protocol it could not finish decoding). Bytes beyond snaplen are not written to -w files either, so they cannot be recovered later. On the other hand, a larger snaplen means more processing time per packet and fewer packets fitting in the capture buffer, which leads to dropped packets, so choose the smallest value that still captures the headers or payload you need.
-e: Print the link-layer header on each output line, e.g. source and destination MAC addresses.
-q: Quick (quiet) output: print less protocol information, so output lines are shorter.
-X: In addition to the headers, print the data of each packet (minus its link-layer header) in hex and ASCII.
-XX: Like -X, but also include the link-layer header in the hex and ASCII dump.
-v: Verbose output, e.g. the TTL, identification, total length and options of IP packets; also enables extra integrity checks such as verifying the IP and ICMP header checksums.
-vv: More verbose than -v.
-vvv: More verbose than -vv.
-D: List the interfaces tcpdump can capture on, as a number and a name; either form can be passed to -i.
-F file: Read the filter expression from file; any expression given on the command line is ignored.
-w file: Write the raw packets to file instead of decoding and printing them. Combined with -G rotate_seconds, tcpdump starts a new file every rotate_seconds seconds; file must then contain strftime(3) conversions such as %Y%m%d-%H%M%S so that each rotation gets a distinct name, otherwise each new file overwrites the previous one. Such files can later be read back with -r for analysis and printing.
-r file: Read packets from file (as written by -w) instead of a live interface. Use "-" to read from standard input.
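To make the -s, -w and -r descriptions above concrete, here is an added example (not tcpdump's or libpcap's own code) that writes and reads the classic little-endian pcap format that -w produces and -r consumes. The frames are constructed Ethernet/IPv4/UDP packets with zeroed checksums (an assumption made only so the example runs offline). It shows that the snaplen is recorded in the file header, that every record stores both the captured length and the original on-the-wire length, and that a record whose captured length is shorter than its original length is exactly the case in which tcpdump prints [|proto]: the missing bytes never reach the disk.

```python
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"         # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/UDP frame; IP and UDP checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def write_pcap(packets, snaplen):
    """Serialise (ts_sec, ts_usec, frame) tuples the way 'tcpdump -w file -s snaplen' would."""
    out = io.BytesIO()
    out.write(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]            # bytes beyond snaplen are lost for good
        out.write(struct.pack(RECORD_HDR, ts_sec, ts_usec, len(captured), len(frame)))
        out.write(captured)
    return out.getvalue()


def read_pcap(data):
    """Parse a pcap file as -r does; yield (ts_sec, ts_usec, captured_bytes, orig_len)."""
    magic, _, _, _, _, snaplen, _linktype = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file (pcapng is not handled here)")
    off = struct.calcsize(GLOBAL_HDR)
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"corrupt record at offset {off}")
        yield ts_sec, ts_usec, data[off:off + incl_len], orig_len
        off += incl_len


def truncated_records(data):
    """Index -> (captured, original) length of every record cut short by the snaplen."""
    return {i: (len(cap), orig) for i, (_, _, cap, orig) in enumerate(read_pcap(data))
            if len(cap) < orig}


if __name__ == "__main__":
    # Two constructed frames: an 82-byte DNS query and a 1442-byte response.
    frames = [
        (1700000000, 0, udp_frame("192.168.201.128", "192.168.201.1", 50000, 53, b"\x00" * 40)),
        (1700000000, 500, udp_frame("192.168.201.1", "192.168.201.128", 53, 50000, b"\xff" * 1400)),
    ]
    capture = write_pcap(frames, snaplen=96)
    print(truncated_records(capture))      # {1: (96, 1442)}
```

With snaplen=96 the 82-byte query is stored whole, but the 1442-byte response is cut to 96 bytes, so truncated_records() reports {1: (96, 1442)}; that record is the one tcpdump -r would decode with a [|domain] marker. Applied to a real -w file, a non-empty result tells you the capture was taken with a snaplen too small for the analysis you now want to do, and nothing will bring the missing bytes back.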
The basic unit of a filter expression is a primitive of the form "[proto] [dir] [type] id", for example "tcp dst port 21": an optional protocol qualifier, an optional direction qualifier, a type qualifier and an identifier (a name or a number).
The full grammar is documented in the pcap-filter(7) manual page.
Type qualifiers: host, net, port, portrange. If none is given, host is assumed.
Examples: host 192.168.201.128, net 128.3 (i.e. 128.3.0.0/16), port 20, portrange 6000-6008.
Direction qualifiers: src, dst, src or dst, src and dst. If none is given, src or dst is assumed.
Protocol qualifiers: tcp, udp, icmp, ... If none is given, all protocols consistent with the type are matched, so "port 53" matches both TCP and UDP.
Primitives are combined with the operators and (&&), or (||) and not (!) into more complex expressions. For example, "host foo and not port ftp and not port ftp-data" selects packets involving host foo whose port is neither ftp (port 21) nor ftp-data (port 20); the mapping between port numbers and service names is in /etc/services on Linux systems.
Identifiers that repeat the previous qualifiers can omit them: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", i.e. TCP packets whose destination port is ftp, ftp-data or domain (port 53).
Parentheses change the grouping of an expression. Note that and and or have equal precedence and associate left to right, so "host a or host b and port 22" means "(host a or host b) and port 22"; only not binds tighter, and a filter written with C-style precedence in mind will match the wrong packets. Parentheses are interpreted by the shell, so escape them with a backslash ("\(" and "\)") or put the whole expression in single quotes.
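The primitive grammar, qualifier inheritance and left-to-right precedence described above are easiest to understand by running them against packets. The following is an added example, not part of tcpdump or libpcap: a small evaluator for the subset of the pcap-filter grammar this page covers (host/net/port/portrange, src/dst/src or dst/src and dst, tcp/udp/icmp/ip, and/or/not with their &&/||/! spellings, parentheses, and bare identifiers inheriting the previous primitive's qualifiers), applied to constructed packet summaries rather than captured bytes. Service names are resolved from a constructed table of a few /etc/services entries (an assumption; tcpdump uses the system table), and the Packet type is the example's own.

```python
import ipaddress, re
from collections import namedtuple

SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53, "http": 80, "https": 443}  # constructed /etc/services subset
PROTOS, TYPES = {"ip", "tcp", "udp", "icmp"}, {"host", "net", "port", "portrange"}
OPERATORS, ALIASES = {"and", "or", "not", "(", ")"}, {"&&": "and", "||": "or", "!": "not"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!]+")
BINOP = {"and": lambda a, b: (lambda p: a(p) and b(p)), "or": lambda a, b: (lambda p: a(p) or b(p))}
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))  # ports are None for ICMP

def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]

def _net(tok):  # "net 128.3" means 128.3.0.0/16; "net 10.0.0.0/8" gives the prefix explicitly
    octets = tok.split("/")[0].split(".")
    prefix = tok.split("/")[1] if "/" in tok else str(8 * len(octets))
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/" + prefix, strict=False)

def _field_matches(kind, ident, value):
    """Does one address or port field satisfy a host/net/port/portrange qualifier?"""
    if value is None:
        return False
    if kind in ("host", "net"):
        return ipaddress.ip_address(value) in (_net(ident) if kind == "net" else [ipaddress.ip_address(ident)])
    lo, hi = ident.split("-") if kind == "portrange" else (ident, ident)
    return _port(lo) <= value <= _port(hi)

def _primitive(proto, direction, kind, ident):
    """Predicate for one fully qualified primitive, e.g. ('tcp', 'dst', 'port', 'ftp')."""
    def pred(pkt):
        if proto not in (None, "ip") and pkt.proto != proto:
            return False
        if kind is None:  # bare protocol name such as "udp"
            return True
        s, d = (pkt.src, pkt.dst) if kind in ("host", "net") else (pkt.sport, pkt.dport)
        ms, md = _field_matches(kind, ident, s), _field_matches(kind, ident, d)
        return {"src": ms, "dst": md, "src or dst": ms or md, "src and dst": ms and md}[direction]
    return pred

class Parser:
    def __init__(self, expr):
        self.toks = [ALIASES.get(t, t) for t in TOKEN_RE.findall(expr)]
        self.i, self.last = 0, None  # self.last: the qualifiers a bare identifier inherits

    def peek(self, k=0):
        return self.toks[self.i + k] if self.i + k < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def expr(self):
        # pcap-filter: and/or have EQUAL precedence, left to right ("a or b and c" is "(a or b) and c").
        left = self.unary()
        while self.peek() in BINOP:
            left = BINOP[self.take()](left, self.unary())
        return left

    def unary(self):
        if self.peek() == "not":  # only "not" binds tighter than and/or
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        return self.primitive()

    def primitive(self):
        proto = direction = kind = None
        if self.peek() in PROTOS:
            proto = self.take()
        if self.peek() in ("src", "dst"):
            three = self.peek(1) in ("or", "and") and self.peek(2) in ("src", "dst")
            direction = " ".join(self.take() for _ in range(3 if three else 1))  # e.g. "src or dst"
        if self.peek() in TYPES:
            kind = self.take()
        if self.peek() is None or self.peek() in OPERATORS:  # no identifier: only a bare protocol is legal
            if proto is None or direction or kind:
                raise ValueError(f"incomplete primitive before token {self.i}")
            return _primitive(proto, None, None, None)
        ident = self.take()
        if proto or direction or kind:  # explicit qualifiers: the missing ones take the defaults
            direction, kind = direction or "src or dst", kind or "host"
        elif self.last:  # bare identifier ("... or ftp-data"): inherit from the previous primitive
            proto, direction, kind = self.last
        else:
            raise ValueError(f"no qualifier for {ident!r}")
        self.last = (proto, direction, kind)
        return _primitive(proto, direction, kind, ident)

def compile_filter(expr):
    """Compile a filter expression into a predicate over Packet objects."""
    pred = (parser := Parser(expr)).expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return pred
```

compile_filter("tcp dst port ftp or ftp-data or domain") and the spelled-out "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain" select the same packets, which is the inheritance rule in action. The precedence caveat shows up directly: on a capture containing an FTP exchange with 10.0.0.5 and a DNS query to 128.3.1.1, "host 10.0.0.5 or host 128.3.1.1 and port 53" keeps only the DNS packet, while "host 10.0.0.5 or (host 128.3.1.1 and port 53)" keeps the FTP packets as well. Real tcpdump compiles the expression to BPF bytecode and matches on raw bytes; this evaluator only mirrors the grammar's semantics on decoded fields.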
tcpdump can only capture packets that reach the interface it listens on. On a switched network that is normally the host's own traffic plus broadcasts and multicasts; traffic between other hosts is only visible if the switch mirrors it to the capturing port.
Started without arguments, tcpdump captures every packet on the first non-loopback interface, which produces a huge amount of output that scrolls past far too quickly to read.
Enclose the filter expression in single quotes so that the shell does not interpret parentheses or other special characters in it.