tcpdump captures and filters packets on a network interface from the command line; its rich feature set is exposed through a flexible filter expression language.

Without any options, tcpdump captures on the first network interface by default and keeps capturing until the tcpdump process is terminated.

For example:
shell> tcpdump -nn -i eth0 icmp
The details of tcpdump usage follow.


1.1 tcpdump options

The command format is:
tcpdump [ -DenNqvX ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -w file ] [ expression ]

Capture options:

-c count: the number of packets to capture. Note that this counts matching packets: "-c 10" returns 10 packets, but tcpdump may have processed 100 packets in the meantime, of which only 10 satisfied the filter.

-i interface: the interface tcpdump listens on. If it is not given, tcpdump searches the system's interface list for the lowest-numbered configured interface, excluding loopback (capture on loopback with tcpdump -i lo); the search stops at the first interface that qualifies. The keyword 'any' means all network interfaces.

-n: print addresses numerically instead of resolving them to host names; in other words, -n disables host name resolution.

-nn: in addition to -n, print ports as numbers instead of service names.

-N: do not print the domain part of host names. For example, tcpdump prints 'nic' instead of 'nic.ddn.mil'.

-P: choose whether inbound or outbound packets are captured. Possible values are "in", "out" and "inout"; the default is "inout".

-s len: set the capture length (snaplen) to len bytes; if not set, the default is 65535 bytes. When a packet is larger than the capture length it is truncated, and truncated packets are marked with "[|proto]" in the output line (proto is shown as the protocol name). A larger len means more processing time per packet and fewer packets that tcpdump can buffer, which can lead to packet loss, so use the smallest capture length that still captures the data you need.

Output options:

-e: print the data-link layer header on each line, such as the source and destination MAC addresses.

-q: quick (quiet) output. Less protocol information is printed, so the output lines are shorter.

-X: print the packet data in both hex and ASCII.

-XX: like -X, but more detailed (the link-level header is included as well).

-v: produce verbose output when parsing and printing.

-vv: more verbose output than -v.

-vvv: more verbose output than -vv.

Other options:

-D: list the interfaces available for capture, with their numeric index and name; either can be passed to "-i".

-F file: read the filter expression from file. When this option is used, any expression given on the command line is ignored.

-w file: write the captured packets to file instead of printing them to standard output. Combined with "-G time", the output is rotated to a new file every time seconds. Such files can be loaded later for analysis and printing with "-r".

-r file: read packets from the given capture file. Use "-" to read from standard input.

So the commonly used options are:

* tcpdump -D
* tcpdump -c num -i int -nn -XX -vvv

1.2 tcpdump expressions

Expressions are used to select which packets are printed. If no expression is given, all packets are printed; otherwise only the packets for which the expression is true. Because an expression may contain shell metacharacters, it is recommended to enclose it in single quotes.

A tcpdump expression consists of one or more "units" (primitives). Each unit generally consists of one or more qualifiers followed by an ID (a number or a name). There are three kinds of qualifier:

(1). type: specifies what kind of thing the ID refers to.

Possible values are host/net/port/portrange, for example "host foo", "net 128.3", "port 20", "portrange 6000-6008". The default type is host.

(2). dir: specifies the direction of the ID.

Possible values include src/dst/src or dst/src and dst; the default is src or dst. For example, "src foo" matches packets whose source host is foo, "dst net 128.3" matches packets whose destination network is 128.3, and "src or dst port 22" matches packets whose source or destination port is 22.

(3). proto: restricts the match to a given protocol.

Common protocols are tcp/udp/arp/ip/ether/icmp and so on. If no protocol is given, all protocols consistent with the type are matched. For example "tcp port 21", "udp portrange 7000-7009".

The basic format of an expression unit is therefore "proto dir type ID".

Besides units made of qualifiers and an ID, there are also keyword units: gateway, broadcast, less, greater and arithmetic expressions.

Units can be combined with the operators "and / && / or / || / not / !" to form complex conditions. For example "host foo and not port ftp and not port ftp-data" selects packets whose host is foo and whose port is neither ftp (port 21) nor ftp-data (port 20). The mapping between common port numbers and service names can be found in the file /etc/services on Linux systems.

In addition, repeated qualifiers can be omitted: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", that is, packets whose protocol is tcp and whose destination port is ftp, ftp-data or domain (port 53).

Parentheses "()" change the precedence of an expression, but note that parentheses are interpreted by the shell, so they must be escaped with a backslash "\" as "\(\)", or the whole expression must be enclosed in quotes when needed.
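The qualifier-omission rule above can be made explicit in code. This is an added example, not code from the original article: it expands a filter so that every unit carries its own qualifiers, and optionally resolves service names through a small constructed table standing in for /etc/services (the SERVICES and KEYWORDS sets are assumptions, not complete).

```python
import re

# Constructed stand-in for the /etc/services lookup (assumption: only these entries).
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53, "ntp": 123}
# Bare words that are keyword units themselves, never an ID that inherits qualifiers.
KEYWORDS = {"tcp", "udp", "icmp", "ip", "ip6", "arp", "rarp", "ether", "broadcast", "multicast"}
# "src or dst" / "src and dst" contain operator words; protect them while splitting.
COMPOUND_DIR = {"src or dst": "src_or_dst", "src and dst": "src_and_dst"}


def expand_filter(expr: str, resolve_ports: bool = False) -> str:
    """Return expr with every unit carrying its own qualifiers.

    A unit that is only an ID inherits proto/dir/type from the previous unit;
    negation ("not") is never inherited. With resolve_ports=True, service
    names after a "port" qualifier are replaced by numbers from SERVICES.
    """
    text = " ".join(expr.split())
    for phrase, tag in COMPOUND_DIR.items():
        text = text.replace(phrase, tag)
    parts = re.split(r" (and|or|&&|\|\|) ", text)
    units, ops = parts[0::2], parts[1::2]

    prev_quals: list[str] = []
    expanded = []
    for unit in units:
        words = unit.split()
        negate = words[0] in ("not", "!")
        if negate:
            words = words[1:]
        quals, ident = words[:-1], words[-1]
        if not quals and ident not in KEYWORDS:
            quals = prev_quals              # bare ID: inherit from the previous unit
        prev_quals = quals
        if resolve_ports and "port" in quals and ident in SERVICES:
            ident = str(SERVICES[ident])
        expanded.append(" ".join((["not"] if negate else []) + quals + [ident]))

    out = expanded[0]
    for op, unit in zip(ops, expanded[1:]):
        out += f" {op} {unit}"
    for phrase, tag in COMPOUND_DIR.items():
        out = out.replace(tag, phrase)
    return out
```

Passing the expanded form to tcpdump is equivalent to passing the shorthand; the expansion is only a way to check what a terse filter actually matches before running it.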


1.3 tcpdump examples

Note that tcpdump can only capture packets that pass through the local machine.

(1). Default start
tcpdump
Started with no arguments, tcpdump monitors all packets currently passing through the first network interface (not the lo interface). The result is a lot of output that scrolls by very fast.

(2). Monitor packets on a specified network interface
tcpdump -i eth1
If no interface is specified, tcpdump monitors only the first network interface, such as eth0.

(3). Monitor packets for a specified host, e.g. all packets entering or leaving longshuai
tcpdump host longshuai
(4). Print packets exchanged between helios and hot, or between helios and ace
tcpdump host helios and \( hot or ace \)
(5). Print IP packets exchanged between ace and any other host, excluding those between ace and helios
tcpdump ip host ace and not helios
(6). Capture all packets sent by host hostname
tcpdump src host hostname
(7). Monitor all packets sent to host hostname
tcpdump dst host hostname
(8). Monitor packets for a specified host and port
tcpdump tcp port 22 and host hostname
(9). Monitor the local udp port 123 (123 is the port of the ntp service)
tcpdump udp port 123
(10). Monitor packets for a specified network, e.g. traffic between this machine and the 192.168 network segment; "-c 10" means only 10 packets are captured
tcpdump -c 10 net 192.168
(11). Print all ftp packets passing through gateway snup (note that the expression is enclosed in single quotes, which prevents the shell from mis-parsing the parentheses)
shell> tcpdump 'gateway snup and (port ftp or ftp-data)'
(12). Capturing packets
shell> tcpdump -c 5 -nn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
12:11:23.273666 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
12:11:24.356915 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 11, length 64
12:11:24.356936 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 11, length 64
12:11:25.440887 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 12, length 64
5 packets captured
6 packets received by filter
0 packets dropped by kernel
If you specifically want the pings sent by host 192.168.100.70 to this machine, combine the conditions with the and operator.
shell> tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.62
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:09:29.957132 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 1, length 64
12:09:31.041035 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 2, length 64
12:09:32.124562 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 3, length 64
12:09:33.208514 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 4, length 64
12:09:34.292222 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 5, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Note that you cannot write icmp src 192.168.100.70 directly, because the icmp protocol qualifier cannot be applied directly to the host type.

(13). Capture packets destined for port 22 of this machine
shell> tcpdump -c 10 -nn -i eth0 tcp dst port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:06:57.574293 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 535528834, win 2053, length 0
12:06:57.629125 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 193, win 2052, length 0
12:06:57.684688 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 385, win 2051, length 0
12:06:57.738977 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 577, win 2050, length 0
12:06:57.794305 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 769, win 2050, length 0
12:06:57.848720 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 961, win 2049, length 0
12:06:57.904057 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1153, win 2048, length 0
12:06:57.958477 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1345, win 2047, length 0
12:06:58.014338 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1537, win 2053, length 0
12:06:58.069361 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1729, win 2052, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
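The text output of sections (12) and (13) is easy to post-process. This added example (not code from the original article) parses -nn output lines into records, splits the "ip.port" endpoints, reads the three summary lines, and flags a capture as lossy when the kernel dropped packets; the sample lines are constructed to match the shapes above, and the line patterns are assumptions about tcpdump's text format.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample in the shape of the -nn captures above (sections 12 and 13);
# the drop counters are made up to exercise the lossy-capture check.
SAMPLE = """\
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
12:11:23.273666 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
12:06:57.574293 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 535528834, win 2053, length 0
12:06:57.629125 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 193, win 2052, length 0
4 packets captured
6 packets received by filter
2 packets dropped by kernel
"""

# Assumed line layouts: "<time> IP <src> > <dst>: <info>" and the three summary lines.
PACKET = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<info>.*)$")
SUMMARY = re.compile(r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$")


def split_endpoint(endpoint: str) -> tuple[str, int | None]:
    """With -nn a TCP/UDP endpoint is 'a.b.c.d.port'; a bare IP has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_capture(text: str) -> dict:
    """Turn tcpdump text output into packet records plus the capture statistics."""
    packets, stats = [], {}
    for line in text.splitlines():
        m = PACKET.match(line)
        if m:
            src, sport = split_endpoint(m["src"])
            dst, dport = split_endpoint(m["dst"])
            info = m["info"]
            proto = "icmp" if info.startswith("ICMP") else "tcp" if info.startswith("Flags") else "other"
            packets.append({"ts": m["ts"], "proto": proto, "src": src, "sport": sport,
                            "dst": dst, "dport": dport, "info": info})
            continue
        m = SUMMARY.match(line)
        if m:
            stats[m["what"]] = int(m["n"])
    # Packets dropped by the kernel never reached tcpdump, so the capture is incomplete
    # (the -s snaplen discussion above explains one cause).
    stats["lossy"] = stats.get("dropped by kernel", 0) > 0
    return {"packets": packets, "stats": stats, "by_src": Counter(p["src"] for p in packets)}
```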
(14). Printing packet data
shell> tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:54.788812 IP (tos 0x0, ttl 64, id 19303, offset 0, flags [DF], proto TCP (6), length 40) 192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
        0x0030:  0803 7844 0000 0000 0000 0000            ..xD........
12:15:54.842641 IP (tos 0x0, ttl 64, id 19304, offset 0, flags [DF], proto TCP (6), length 40) 192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b68 4000 4006 a5d7 c0a8 6401 c0a8  .(Kh@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2d62 5010  d>....$&_...-bP.
        0x0030:  0801 7646 0000 0000 0000 0000            ..vF........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
In general, basic packet capture with tcpdump is fairly simple: only a handful of options are commonly needed (-nn -XX -vvv -i -c -q), combined with a filter expression.
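The -XX hex dump in section (14) contains the same fields tcpdump prints in its verbose line. This added example (not code from the original article) reassembles the bytes from the first packet's hex lines, copied from the output above, and decodes the Ethernet and IPv4 headers plus the TCP ports, so that ttl 64, id 19303, flags [DF], proto 6, length 40 and 192.168.100.1.5788 > 192.168.100.62.22 can be checked against the raw bytes; it rejects frames shorter than the headers it reads, which is what a snaplen truncation would produce.

```python
import struct

# Hex dump of the first packet in section (14), copied from the article's output.
DUMP = """\
0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
0x0030:  0803 7844 0000 0000 0000 0000            ..xD........
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Take the hex columns of each '0xNNNN:' line, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, rest = line.partition(":")
        # hex words are separated by one space; the ASCII column follows two or more
        hexpart = rest.strip().split("  ")[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 headers and the TCP/UDP ports that follow them."""
    if len(frame) < 14 + 20:
        raise ValueError("truncated frame: too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4                  # IPv4 header length in bytes
    info = {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "tos": tos, "total_len": total_len, "id": ident,
        "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    if proto in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP: ports come first
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info
```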

 

Related article: the network scanning tool nmap <http://www.cnblogs.com/f-ck-need-u/p/7064323.html>