Linux network packet capture tool: tcpdump

Introduction

tcpdump is a command-line packet capture tool. It lets the user intercept and display the TCP/IP (and other) packets sent or received over the network connections of the computer it runs on.

Installation

[root@k8smaster ~]# yum install -y tcpdump

Command explanations

[root@k8smaster ~]# tcpdump --help
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
        [ -Q|-P in|out|inout ]
        [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
        [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
        [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
        [ -Z user ] [ expression ]
[root@k8smaster ~]#
-s number: by default tcpdump captures only the first 96 bytes of each packet. To capture the full packet content, use this option, where number is the number of bytes to capture from each packet; 0 means capture the entire packet.
-nN: do not resolve names; display IP addresses directly (the netstat command has the same option).
-X: display packet contents in both hex and ASCII.
-S: display absolute TCP sequence numbers rather than relative ones.
-i: specify the network interface to listen on.
-w: write the captured packets to a file instead of parsing and printing them.
-c number: stop after capturing number packets.


General Case

Command: tcpdump -i ens33
Description: specifies the network interface on which to capture packets

Command: tcpdump host 192.168.23.100
Note: captures all packets sent and received by host 192.168.23.100

Command: tcpdump -i ens33 src host 192.168.23.100
Note: captures all packets on interface ens33 whose source address is 192.168.23.100

Command: tcpdump -i ens33 dst host 192.168.23.100
Note: captures all packets on interface ens33 whose destination address is 192.168.23.100

Command: tcpdump tcp port 23 and host 192.168.23.100
Description: captures all TCP packets sent and received on port 23 of host 192.168.23.100

Command: tcpdump udp port 123
Description: captures all UDP packets sent and received by this machine on port 123

Command: tcpdump -i ens33 -s0 -Z root -G 60 -w %Y_%m_%d_%H_%M_%S.pcap
Description: captures packets and saves them to a new file at a fixed time interval. The -G option takes the interval in seconds; the file name given to -w is a strftime format, so each rotation produces a uniquely named file. The command above starts a new file every 60 seconds. The -s0 (the digit zero) prevents packets from being truncated during capture; to capture complete packets, -s0 must be added.

Command: tcpdump -i ens33 -s0 -C 1 -Z root -w ens33Packet.pcap
Description: captures packets and saves them to a new file once the current one reaches a given size. The -C option takes the file size in MB; with the command above, each time the capture file reaches 1 MB a new file is used to store the following packets. Again, -s0 (the digit zero) prevents packets from being truncated during capture; to capture complete packets, -s0 must be added.
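The two rotation commands above both insist on -s0 so that no packet is cut short. As an added example (not code from the original post), the following Python script writes a small pcap file in the same format tcpdump -w produces, once with a 96-byte snaplen and once with -s0 behaviour, and then checks whether any stored frame is shorter than its on-wire length. The frames and timestamps are constructed; the 262144 value is what tcpdump substitutes for -s0.

```python
"""Write a minimal pcap the way tcpdump -w does and report frames that a
too-small snaplen (-s) cut short.  All frames here are constructed data."""
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, little-endian
LINKTYPE_ETHERNET = 1
TCPDUMP_S0 = 262144          # snaplen tcpdump uses when given -s0

def write_pcap(path, frames, snaplen=TCPDUMP_S0):
    """Store raw frames with the given -s value; 0 behaves like -s0."""
    if snaplen == 0:
        snaplen = TCPDUMP_S0
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                            snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            data = frame[:snaplen]             # capture is cut at snaplen
            # record header: ts_sec, ts_usec, bytes stored, bytes on the wire
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0,
                                len(data), len(frame)))
            f.write(data)

def truncated_frames(path):
    """Return (index, stored_len, wire_len) for every cut frame; [] means
    the capture is complete and safe to analyse without missing payload."""
    result = []
    with open(path, "rb") as f:
        magic, = struct.unpack("<I", f.read(24)[:4])
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian microsecond pcap")
        idx = 0
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _, _, incl_len, orig_len = struct.unpack("<IIII", rec)
            f.seek(incl_len, 1)                # skip the stored bytes
            if incl_len < orig_len:
                result.append((idx, incl_len, orig_len))
            idx += 1
    return result

def demo(snaplen):
    """Write a 64-byte and a 200-byte constructed frame, then check them."""
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    write_pcap(path, [bytes(64), bytes(200)], snaplen)
    return truncated_frames(path)

if __name__ == "__main__":
    print("snaplen 96:", demo(96))   # [(1, 96, 200)]: second frame was cut
    print("snaplen 0 :", demo(0))    # []: -s0 keeps every frame whole
```

Running truncated_frames over a real capture written with -w is a quick way to confirm that the -s0 in a rotation command actually took effect before analysing the file.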



Origin blog.csdn.net/zhaikaiyun/article/details/104879968