tcpdump captures packets on a network interface from the command line and selects them with a flexible filter-expression syntax.

Run without any options, tcpdump captures on the first network interface it finds and keeps capturing until the tcpdump process is terminated.

For example:
shell> tcpdump -nn -i eth0 icmp
The rest of this page covers tcpdump usage in detail.


1.1 tcpdump options

Its command format is:
tcpdump [ -DenNqvX ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -w file ] [ expression ]

Capture options:

-c count: stop after count packets have been captured. Note that this counts packets that matched the filter and were captured, not packets seen: with "-c 10", tcpdump stops after 10 matching packets even if the kernel had to look at 100 packets to find them.

-i interface: the interface to listen on. If it is not given, tcpdump searches the system's interface list for the lowest-numbered configured interface, excluding loopback (to capture on loopback, use tcpdump -i lo), and stops at the first match. The keyword 'any' captures on all interfaces; on Linux this uses the "cooked" link type, so link-layer fields such as MAC addresses are not available.

-n: do not resolve addresses to host names; print numeric addresses.

-nn: like -n, and additionally print port numbers instead of service names.

-N: do not print the domain part of host names, e.g. print 'nic' instead of 'nic.ddn.mil'.

-P direction: capture only inbound ("in"), outbound ("out") or both ("inout", the default). Not available on all platforms; newer tcpdump versions renamed this option to -Q.

-s snaplen: capture only the first snaplen bytes of each packet. The default in the version used on this page is 65535 bytes (visible as "capture size 65535 bytes" in the output below); recent versions default to 262144, and "-s 0" means the maximum. A packet longer than snaplen is truncated, and truncated packets are marked "[|proto]" in the output, where proto is the protocol name. A larger snaplen means more data to copy and process per packet and fewer packets fit in the capture buffer, which can lead to kernel drops, so use the smallest snaplen that still captures what you need.

Output options:

-e: print the link-layer header on each line, e.g. source and destination MAC addresses.

-q: quick (quiet) output: print less protocol information, so output lines are shorter.

-X: print the packet data (after the link-layer header) in both hex and ASCII.

-XX: like -X, but also include the link-layer (e.g. Ethernet) header in the dump.

-v: verbose output, e.g. TTL, IP id and total length. -vv and -vvv increase the verbosity further.

Other options:

-D: list the interfaces available for capture, with their number and name; either can be given to -i.

-F file: read the filter expression from file; any expression given on the command line is then ignored.

-w file: write the raw captured packets to file instead of printing them. Combined with "-G seconds", the output is rotated into a new file every that many seconds (file should then contain strftime(3) format characters such as %Y%m%d-%H%M%S). Such files are read back with -r. For long-running captures that have to be started as root, "-Z user" drops privileges to user once the interface is open.

-r file: read packets from a capture file instead of an interface; "-" means standard input.

Putting the common options together:

* tcpdump -D
* tcpdump -c num -i int -nn -XX -vvv
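The snaplen and buffer caveats above are only useful if you check for them. Here is an added example (not from the original article) that reads the combined stdout and stderr of a tcpdump run and reports the two loss conditions: truncated packets, marked "[|proto]" because the snaplen was too small, and packets dropped by the kernel because the capture buffer filled up. The sample run log is constructed for the example; its packet lines mimic tcpdump's format but are not a real capture.

```shell
#!/bin/sh
# Added example: check a tcpdump run for truncation and kernel drops.
# Real usage: tcpdump -nn -i eth0 ... 2>&1 | capture_health

# Constructed sample output (not a real capture): two packets were cut short
# by a 96-byte snaplen and the kernel dropped 300 packets.
SAMPLE_RUN='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:00:01.000000 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [P.], seq 1:193, ack 1, win 2053, length 192
12:00:02.000000 IP 192.168.100.62.22 > 192.168.100.1.5788: [|tcp]
12:00:03.000000 IP 192.168.100.62.22 > 192.168.100.1.5788: [|tcp]
1200 packets captured
1500 packets received by filter
300 packets dropped by kernel'

# Constructed clean run: nothing truncated, nothing dropped.
CLEAN_RUN='listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
5 packets captured
6 packets received by filter
0 packets dropped by kernel'

# capture_health: read a run log on stdin, print the counters and return 1 if
# any packet was truncated or dropped, i.e. the capture cannot be trusted.
capture_health() {
  awk '
    /\[\|[a-z0-9]+\]/                      { truncated++ }   # "[|tcp]" style marker
    /^[0-9]+ packets captured/             { captured = $1 }
    /^[0-9]+ packets received by filter/   { received = $1 }
    /^[0-9]+ packets dropped by kernel/    { dropped = $1 }
    END {
      printf "captured=%d received=%d dropped=%d truncated=%d\n",
             captured, received, dropped, truncated
      if (dropped > 0 || truncated > 0) exit 1
    }'
}

# health_of LOG: print the counters for a log held in a variable (always succeeds)
health_of() { printf '%s\n' "$1" | capture_health || true; }

# is_lossy LOG: true (exit 0) when the run truncated or dropped packets
is_lossy() { ! printf '%s\n' "$1" | capture_health >/dev/null; }

health_of "$SAMPLE_RUN"   # captured=1200 received=1500 dropped=300 truncated=2
health_of "$CLEAN_RUN"    # captured=5 received=6 dropped=0 truncated=0
if is_lossy "$SAMPLE_RUN"; then
  echo "lossy capture: raise -s only as far as needed, enlarge the kernel buffer with -B, or write with -w and decode later with -r"
fi
```

When is_lossy reports a problem, the fixes are the ones the option list implies: a larger snaplen only if the truncated protocol actually needs it, a bigger capture buffer (tcpdump's -B option, in KiB), and writing raw packets with -w instead of decoding in real time, since printing is what usually makes tcpdump fall behind.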

1.2 tcpdump expressions


The expression selects which packets are printed. If no expression is given, every packet on the interface is printed; otherwise only the packets for which the expression is true. Expressions often contain shell metacharacters, so put the whole expression in single quotes.

A tcpdump expression is built from one or more primitives ("units"). A primitive is an id (a name or a number) preceded by one or more qualifiers. There are three kinds of qualifier:

(1). type: what kind of thing the id names.

The possible values are host, net, port and portrange, e.g. "host foo", "net 128.3", "port 20", "portrange 6000-6008". If no type qualifier is given, host is assumed.

(2). dir: the direction of transfer to or from the id.

The possible values are src, dst, src or dst, and src and dst; the default is src or dst. For example, "src foo" matches packets whose source host is foo, "dst net 128.3" matches packets whose destination network is 128.3, and "src or dst port 22" (or simply "port 22") matches packets whose source or destination port is 22.

(3). proto: restrict the match to a particular protocol.

Common values are tcp, udp, arp, ip, ip6, ether and icmp. If no proto qualifier is given, all protocols consistent with the type are assumed: "port 53" means "(tcp or udp) port 53" and "host foo" means "(ip or arp or rarp) host foo". Examples: "tcp port 21", "udp portrange 7000-7009".

A full primitive therefore has the form "proto dir type id", for example "tcp dst port 22".



Besides qualifier + id primitives there are keyword primitives: gateway, broadcast, less and greater, and arithmetic expressions on packet bytes of the form "proto[offset:size] op value", e.g. "ip[0] & 0xf != 5" for IPv4 packets that carry options.

Primitives are combined with the operators "and / &&", "or / ||" and "not / !" into complex expressions. For example "host foo and not port ftp and not port ftp-data" matches packets to or from foo whose port is neither ftp (21) nor ftp-data (20). The mapping between port numbers and service names is in /etc/services on Linux.

Repeated qualifiers can be omitted: the qualifiers of the previous primitive carry over to a bare id. "tcp dst port ftp or ftp-data or domain" therefore means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", i.e. TCP packets whose destination port is ftp, ftp-data or domain (53).

Parentheses "()" change the precedence of an expression, but the shell parses them as its own syntax before tcpdump ever sees them, so either escape them as "\(" and "\)" or, better, put the whole expression in single quotes. The same applies to "!" in an interactive bash, where it triggers history expansion; writing "not" avoids the problem.
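Here is an added example (not from the original article) that puts the qualifier rules and the quoting rule together: it assembles a filter with qualifier carry-over inside parentheses, and then checks with a parse-only shell run (sh -n) how the shell treats the same command line unquoted, with escaped parentheses, and in single quotes. The management host and ports are placeholders chosen for the example; nothing is executed, so tcpdump does not need to be installed.

```shell
#!/bin/sh
# Added example: build a tcpdump filter and check how the shell parses it.

# join_or 22 443 8080  ->  "22 or 443 or 8080"
join_or() {
  out=""
  for x in "$@"; do out="${out:+$out or }$x"; done
  printf '%s' "$out"
}

# build_filter MGMT_HOST PORT...: TCP traffic on the given ports, excluding the
# analyst's own management host so that an SSH session does not capture itself.
# "tcp port (22 or 443)" relies on qualifier carry-over: "tcp port" applies to
# every id inside the parentheses.
build_filter() {
  mgmt=$1; shift
  printf 'tcp port (%s) and not host %s' "$(join_or "$@")" "$mgmt"
}

# shell_accepts CMDLINE: parse-only check (sh -n). Returns non-zero when the
# shell would reject the command line before tcpdump is even started.
shell_accepts() { sh -n -c "$1" 2>/dev/null; }

FILTER=$(build_filter 192.168.100.1 22 443)
echo "$FILTER"          # tcp port (22 or 443) and not host 192.168.100.1

# The same expression handed to tcpdump three ways:
ESCAPED_FILTER=$(printf '%s' "$FILTER" | sed 's/[()]/\\&/g')   # \( and \)
UNQUOTED="tcpdump -nn -i eth0 $FILTER"            # bare ( ): shell syntax error
ESCAPED="tcpdump -nn -i eth0 $ESCAPED_FILTER"     # escaped: accepted
QUOTED="tcpdump -nn -i eth0 '$FILTER'"            # single quotes: one argument

for line in "$UNQUOTED" "$ESCAPED" "$QUOTED"; do
  if shell_accepts "$line"; then echo "ok:   $line"; else echo "FAIL: $line"; fi
done
```

The single-quoted form is the one to use in scripts: tcpdump receives the expression as one argument, and characters such as "(", ")" and "!" never reach the shell's parser.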


1.3 tcpdump examples

Note that tcpdump only sees packets that reach the interface it listens on; on a switched network that is normally this machine's own traffic plus broadcasts, unless the switch port is mirrored.

(1). Default start
tcpdump
Started without arguments, tcpdump prints every packet on the first (non-loopback) network interface, so the output is large and scrolls very fast.

(2). Capture on a specific interface
tcpdump -i eth1
Without -i, only the first network interface is monitored, e.g. eth0.

(3). Capture packets to or from a specific host, e.g. all packets entering or leaving longshuai
tcpdump host longshuai
(4). Print packets between helios and either hot or ace
tcpdump host helios and \( hot or ace \)
(5). Print IP packets between ace and any host other than helios
tcpdump ip host ace and not helios
(6). Capture everything sent by host hostname
tcpdump src host hostname
(7). Capture everything sent to host hostname
tcpdump dst host hostname
(8). Capture packets for a given host and port
tcpdump tcp port 22 and host hostname
(9). Watch UDP port 123 (the NTP port) on this machine
tcpdump udp port 123
(10). Capture packets for a network, e.g. traffic between this machine and the 192.168 range ("net 192.168" is 192.168.0.0/16); "-c 10" stops after 10 packets
tcpdump -c 10 net 192.168
(11). Print all FTP traffic through gateway snup (the expression is in single quotes so the shell does not interpret the parentheses; "gateway" requires snup to resolve both to an IP address and to an Ethernet address, e.g. via /etc/ethers)
shell> tcpdump 'gateway snup and (port ftp or ftp-data)'
(12). Capture ping packets
shell> tcpdump -c 5 -nn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
12:11:23.273666 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
12:11:24.356915 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 11, length 64
12:11:24.356936 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 11, length 64
12:11:25.440887 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 12, length 64
5 packets captured
6 packets received by filter
0 packets dropped by kernel
Note the counters: 5 packets were captured but the filter matched 6, because the reply to the last request arrived before tcpdump had stopped; this is the "-c counts captured packets" behaviour described in section 1.1.

To capture only the pings that host 192.168.100.70 sends to this machine, combine the primitives with "and":
shell> tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.70
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:09:29.957132 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 1, length 64
12:09:31.041035 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 2, length 64
12:09:32.124562 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 3, length 64
12:09:33.208514 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 4, length 64
12:09:34.292222 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 5, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Do not write "icmp src 192.168.100.70" without the "and": tcpdump rejects it, because icmp cannot be used as the protocol qualifier of a host primitive (only link- and network-layer qualifiers such as ether, ip, ip6, arp and rarp can).

(13). Capture packets to port 22 on this machine
shell> tcpdump -c 10 -nn -i eth0 tcp dst port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:06:57.574293 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 535528834, win 2053, length 0
12:06:57.629125 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 193, win 2052, length 0
12:06:57.684688 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 385, win 2051, length 0
12:06:57.738977 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 577, win 2050, length 0
12:06:57.794305 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 769, win 2050, length 0
12:06:57.848720 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 961, win 2049, length 0
12:06:57.904057 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1153, win 2048, length 0
12:06:57.958477 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1345, win 2047, length 0
12:06:58.014338 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1537, win 2053, length 0
12:06:58.069361 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1729, win 2052, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
All ten packets are pure acknowledgements (Flags [.], length 0) from the SSH client 192.168.100.1, port 5788, to port 22 on 192.168.100.62. After the first line tcpdump prints acknowledgement numbers relative to the first packet it saw on the connection; -S prints absolute numbers.
(14). Dump packet data
shell> tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:54.788812 IP (tos 0x0, ttl 64, id 19303, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
	0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
	0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
	0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
	0x0030:  0803 7844 0000 0000 0000 0000            ..xD........
12:15:54.842641 IP (tos 0x0, ttl 64, id 19304, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
	0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
	0x0010:  0028 4b68 4000 4006 a5d7 c0a8 6401 c0a8  .(Kh@.@.....d...
	0x0020:  643e 169c 0016 2426 5fd6 1fec 2d62 5010  d>....$&_...-bP.
	0x0030:  0801 7646 0000 0000 0000 0000            ..vF........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Reading the first frame: bytes 0-13 are the Ethernet header (destination MAC 00:0c:29:08:92:34, source MAC 00:50:56:c0:00:08, EtherType 0800 = IPv4); bytes 14-33 are the IPv4 header (45 = version 4 with a 20-byte header, 0028 = total length 40, 4b67 = id 19303, 4000 = DF set, 40 = TTL 64, 06 = TCP, c0a86401 = 192.168.100.1, c0a8643e = 192.168.100.62); bytes 34-53 are the TCP header (169c = source port 5788, 0016 = destination port 22, then sequence and acknowledgement numbers, 5010 = 20-byte header with only ACK set, 0803 = window 2051). "tcp 0" on the summary line means zero bytes of payload; the six trailing zero bytes are padding to the 60-byte minimum Ethernet frame size.
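The field-by-field reading above can be automated. The following is an added example (not from the original article) in plain sh and awk that turns the hex-dump lines of one "tcpdump -XX" frame into named header fields: Ethernet addresses and type, the IPv4 header, and the TCP ports, flags and window. The sample input is a copy of the first frame in example (14); decode_frame only handles IPv4 over Ethernet and TCP, which is all that frame contains, and stops early for anything else.

```shell
#!/bin/sh
# Added example: decode Ethernet/IPv4/TCP headers from "tcpdump -XX" hex output.

# Hex-dump lines of the first frame from example (14) above, copied as sample input.
SAMPLE_HEXDUMP='0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
0x0030:  0803 7844 0000 0000 0000 0000            ..xD........'

# hexdump_to_bytes: keep only the hex words of "0xNNNN:" lines and join them into
# one string of hex digits (two per byte). The ASCII column is skipped by stopping
# at the first token that is not a 2- or 4-digit hex word (at most 8 words per line).
hexdump_to_bytes() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^0x[0-9a-f]+:$/ {
      for (i = 2; i <= NF && i <= 9; i++) {
        if ($i !~ /^[0-9a-f][0-9a-f]$/ && $i !~ /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$/) break
        all = all $i
      }
    }
    END { print all }'
}

# decode_frame HEXDUMP: print header fields, one "name=value" per line
decode_frame() {
  hexdump_to_bytes "$1" | awk '
    # hexval: hex string -> number, without gawk-only strtonum
    function hexval(h,   i, v) {
      v = 0
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
      return v
    }
    function hx(i)  { return substr($0, 2 * i + 1, 2) }    # byte i (0-based) as hex
    function u8(i)  { return hexval(hx(i)) }
    function u16(i) { return hexval(hx(i) hx(i + 1)) }     # big-endian 16-bit value
    function mac(i) { return hx(i) ":" hx(i+1) ":" hx(i+2) ":" hx(i+3) ":" hx(i+4) ":" hx(i+5) }
    function ip4(i) { return u8(i) "." u8(i+1) "." u8(i+2) "." u8(i+3) }
    # tcp_flags: render the flag byte the way tcpdump does ("." stands for ACK)
    function tcp_flags(f,   s) {
      s = ""
      if (int(f / 1)  % 2) s = s "F"
      if (int(f / 2)  % 2) s = s "S"
      if (int(f / 4)  % 2) s = s "R"
      if (int(f / 8)  % 2) s = s "P"
      if (int(f / 16) % 2) s = s "."
      if (int(f / 32) % 2) s = s "U"
      return "[" s "]"
    }
    {
      # Ethernet header: bytes 0-13
      print "eth.dst=" mac(0)
      print "eth.src=" mac(6)
      et = hx(12) hx(13)
      print "eth.type=" et
      if (et != "0800") exit                 # only IPv4 is decoded here
      # IPv4 header starts at byte 14; header length is the low nibble * 4
      ihl = (u8(14) % 16) * 4
      df  = int(u16(20) / 16384) % 2         # DF is bit 14 of the flags/fragment word
      print "ip.len=" u16(16)
      print "ip.id=" u16(18)
      print "ip.df=" df
      print "ip.ttl=" u8(22)
      print "ip.proto=" u8(23)
      print "ip.src=" ip4(26)
      print "ip.dst=" ip4(30)
      if (u8(23) != 6) exit                  # only TCP is decoded here
      # TCP header starts right after the IP header
      t       = 14 + ihl
      doff    = int(u8(t + 12) / 16) * 4     # data offset is the high nibble * 4
      payload = u16(16) - ihl - doff         # bytes after the TCP header
      print "tcp.sport=" u16(t)
      print "tcp.dport=" u16(t + 2)
      print "tcp.flags=" tcp_flags(u8(t + 13))
      print "tcp.win=" u16(t + 14)
      print "tcp.payload=" payload
    }'
}

# frame_field HEXDUMP NAME: a single field, for use in scripts and checks
frame_field() { decode_frame "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'; }

decode_frame "$SAMPLE_HEXDUMP"
```

Feed it the "0x0000:" lines of any single frame (for example with sed -n between two timestamps) and compare the result with tcpdump's own summary line; for the frame above it reproduces ip.id=19303, tcp.sport=5788, tcp.dport=22 and tcp.flags=[.], which is exactly what "Flags [.]" and "id 19303" in the verbose output say.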
In everyday use, capturing with tcpdump is simple: a handful of options (-nn -XX -vvv -i -c -q) combined with a filter expression covers most cases, and anything that needs more than a quick look is better written to a file with -w and examined later with -r.

Companion article: the network scanning tool nmap <http://www.cnblogs.com/f-ck-need-u/p/7064323.html>