The tcpdump command on Linux

tcpdump

tcpdump is a tool for capturing packets on the network and printing their contents. Its powerful and flexible capture filters make it the tool of choice for network analysis and troubleshooting on UNIX-like systems.

tcpdump supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not, so that you can discard the traffic you do not need.

 

Parameters are as follows:

-a  Attempt to convert network and broadcast addresses to names.
-c <count>  Stop after receiving the specified number of packets.
-d  Dump the compiled packet-matching code in a human-readable form to standard output.
-dd  Dump the compiled packet-matching code as a C program fragment to standard output.
-ddd  Dump the compiled packet-matching code as decimal numbers to standard output.
-e  Print the link-level header on each dump line.
-f  Print foreign Internet addresses numerically rather than symbolically.
-F <file>  Read the filter expression from the specified file.
-i <interface>  Capture on the specified network interface.
-l  Use line-buffered standard output.
-n  Do not convert host addresses to names.
-N  Do not print the domain name part of host names.
-O  Do not run the packet-matching code optimizer.
-p  Do not put the interface into promiscuous mode.
-q  Quick output: print less protocol information.
-r <file>  Read packets from the specified file (one written with -w).
-s <snaplen>  Set how many bytes of each packet are captured.
-S  Print absolute rather than relative TCP sequence numbers.
-t  Do not print a timestamp on each dump line.
-tt  Print an unformatted timestamp on each dump line.
-T <type>  Force the packets selected by the expression to be interpreted as the specified type.
-v  Verbose output.
-vv  Even more verbose output.
-x  Print packet data in hexadecimal.
-w <file>  Write the raw packets to the specified file instead of printing them.

Specific Usage:

The first kind are type keywords: host, net and port. For example, host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means the port number is 23. If no type is given, the default type is host.

The second kind are direction keywords: src, dst, src or dst, and src and dst, which specify the direction of transmission. For example, src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind are protocol keywords: fddi, ip, arp, rarp, tcp, udp and others. fddi selects the FDDI (Fiber Distributed Data Interface) network protocol; it is in fact an alias for "ether", and because fddi and ether frames have similar source and destination address fields, fddi packets can be processed and analysed in the same way as ether packets. The other keywords select the protocol of the packets to capture. If no protocol is specified, tcpdump captures packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful filter conditions that match what you need.
Note that tcpdump can only capture packets that pass through the machine it runs on.
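To make the three keyword classes and the logical operators concrete, here is an added Python evaluator (written for this page; it is not tcpdump's own code, which compiles expressions to BPF instead) that applies a subset of the expression syntax described above to constructed packet records: host and port with src/dst, the ip/arp/tcp/udp protocol keywords, and/or/not with their aliases, the default 'src or dst' direction, and the rule that a bare value inherits the most recent qualifiers ('host A and not B'). Pkt, match and the packet records are assumptions made for the example; net, fddi and the remaining keywords are omitted.

```python
from collections import namedtuple

# Constructed packet record holding only the fields the keywords inspect; proto is "tcp", "udp" or "arp".
Pkt = namedtuple("Pkt", "proto src dst sport dport", defaults=(0, 0))
QUALS = ("src", "dst", "host", "port")

def _prim(pkt, dirn, kind, value):   # one primitive, e.g. 'src host 172.16.40.24' or 'dst port 8000'
    if kind == "port":
        s, d, v = pkt.sport, pkt.dport, int(value)
    else:                            # host
        s, d, v = pkt.src, pkt.dst, value
    return s == v if dirn == "src" else d == v if dirn == "dst" else v in (s, d)

def match(expr, pkt):                # evaluate a tcpdump-style expression against one Pkt
    t = expr.replace("!", " not ").split()           # token queue
    st = {"dirn": "src or dst", "kind": "host"}      # tcpdump's default qualifiers
    peek = lambda: t[0] if t else ""
    def term_or():                                   # 'or' / '||' has the lowest precedence
        v = term_and()
        while peek() in ("or", "||"):
            t.pop(0); w = term_and(); v = v or w     # no short-circuit: keep consuming tokens
        return v
    def term_and():                                  # 'and' / '&&' binds tighter than 'or'
        v = term_not()
        while peek() in ("and", "&&"):
            t.pop(0); w = term_not(); v = v and w
        return v
    def term_not():                                  # 'not' / '!' applies to the next term
        if peek() == "not":
            t.pop(0); return not term_not()
        return primitive()
    def primitive():
        tok = t.pop(0)
        if tok in ("ip", "arp", "tcp", "udp"):       # protocol qualifier, e.g. 'tcp port 22'
            v = pkt.proto == tok or (tok == "ip" and pkt.proto != "arp")
            if peek() in QUALS:                      # it may prefix a host/port primitive
                w = primitive(); v = v and w
            return v
        if tok in QUALS:                             # a new qualifier set starts from the defaults
            st["dirn"], st["kind"] = "src or dst", "host"
            if tok in ("src", "dst"):
                st["dirn"], tok = tok, t.pop(0)
            if tok in ("host", "port"):
                st["kind"], tok = tok, t.pop(0)
        return _prim(pkt, st["dirn"], st["kind"], tok)   # a bare value inherits the last qualifiers
    v = term_or()
    assert not t, "unparsed tokens: " + " ".join(t)
    return v
```

Running the expressions from the commands below through match on a few Pkt records shows, for instance, that 'src host A and port 22' matches port 22 in either direction, because the new qualifier set after 'and' falls back to the default direction.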
# View the version
tcpdump -h

# List the interfaces tcpdump can capture on
tcpdump -D

# Capture on the specified network interface
tcpdump -i eth0

# Capture packets for a specified host, e.g. packets entering or leaving host 172.16.40.6 on interface eth0; -c limits the number of packets captured
tcpdump -i eth0 -c 5 host 172.16.40.6

# -w stores the captured packets in a file for later analysis, e.g. in Wireshark
tcpdump -i eth0 -c 5 -w aa.pcap host 172.16.40.6

# Capture IP packets between host 172.16.40.2 and every host except 172.16.40.24
tcpdump ip host 172.16.40.2 and not 172.16.40.24

# Capture packets for the specified host and port
tcpdump tcp port 22 and host 172.16.40.24

# Capture all packets sent by host 172.16.40.24
tcpdump src host 172.16.40.24

# Capture all packets sent to host 172.16.40.24
tcpdump dst host 172.16.40.24

# Capture packets from this machine to port 8000 on 172.16.40.24, i.e. this machine accessing 172.16.40.24:8000
tcpdump host 172.16.40.24 and dst port 8000

# Capture packets returned from port 22 on 172.16.40.24 to this machine
tcpdump src port 22 and host 172.16.40.24

# Combining several conditions
tcpdump -i enp0s31f6 not host 172.16.40.6 and not host 172.16.40.2 and src port 8000


Origin www.cnblogs.com/douh/p/12605166.html