Talking about the Linux packet capture command tcpdump
Preface
tcpdump captures the headers of packets traversing the network and makes them available for analysis. It supports filtering by network layer, protocol, host, network or port, and offers the logical operators and, or and not to discard irrelevant traffic. The general output format of tcpdump is: system time, source host and port, destination host and port, packet parameters.
How can tcpdump's monitoring and analysis be avoided? Normally the network hardware and the TCP/IP stack neither receive nor send packets that are not addressed to the local machine. To receive such packets, the network card must be put into promiscuous mode and the standard TCP/IP stack bypassed. Under FreeBSD this requires kernel support for the pseudo-device bpfilter, so removing bpfilter support from the kernel blocks network analysis tools such as tcpdump.
tcpdump [ -AbdDefhHIJKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ -P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]
Basic tcpdump usage:
tcpdump
Under normal circumstances, starting tcpdump with no arguments captures all packets flowing through the first network interface.
2. Operation
ifconfig
View the local network interfaces
The figure (not reproduced here) shows the interfaces eth0 and lo.
tcpdump -i eth1
If no interface is specified, tcpdump monitors only the first network interface by default, which is usually eth0. The following examples do not specify an interface.
tcpdump host 210.27.48.1
Capture all packets sent to or received by host 210.27.48.1
tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)
Capture the traffic between host 210.27.48.1 and either host 210.27.48.2 or host 210.27.48.3 (the parentheses are escaped so the shell passes them through to tcpdump)
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Capture the IP packets of all hosts communicating with host 210.27.48.1, except host 210.27.48.2 (the filter keyword not is equivalent to ! and avoids the shell's history expansion)
Capture all packets sent by the host hostname
tcpdump -i eth0 src host hostname
Capture all packets sent to the host hostname
tcpdump -i eth0 dst host hostname
tcpdump tcp port <port> and host <ip>
Capture TCP traffic on the given port to or from the given host
tcpdump -c <count>
Stop after capturing the specified number of packets
Filter primitives: host / net / port select by host, network address or port; if no type is given, host is assumed.
Direction qualifiers: src / dst / src or dst / src and dst restrict the match to the source address, the destination address, either, or both.
tcpdump -i eth1 src port 443
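As an added example (not part of the original article), the following POSIX shell helpers assemble the "host A and (B or C)" style filter shown above from a list of peers and run tcpdump with defensive defaults. The function names, the DRY_RUN switch and the interface and file names are assumptions of this example; the tcpdump options used (-n, -s, -c, -w, -d) are the real ones from the synopsis. Unlike the escaped form on the page, the expression is passed to tcpdump as one quoted argument, so the parentheses need no backslashes.

```shell
#!/bin/sh
# Added example, not from the original article: build the "host A and (B or C)"
# filter from arguments and run tcpdump with conservative defaults.
# Assumptions: tcpdump is installed and the caller has capture rights
# (root or CAP_NET_RAW); interface and file names are supplied by the caller.

# peer_filter HOST PEER... -> prints: host HOST and (PEER1 or PEER2 ...)
# The parentheses are left unescaped because the whole expression is passed
# to tcpdump as a single quoted argument, so the shell never interprets them.
peer_filter() {
    pf_host=$1; shift
    [ $# -ge 1 ] || { echo "usage: peer_filter HOST PEER..." >&2; return 1; }
    pf_peers=""
    for pf_p in "$@"; do
        pf_peers="${pf_peers:+$pf_peers or }$pf_p"
    done
    printf 'host %s and (%s)\n' "$pf_host" "$pf_peers"
}

# run_capture IFACE COUNT OUTFILE FILTER
#   -n    no name resolution (the capture generates no reverse-DNS traffic of its own)
#   -s 0  full snapshot length so packets are not truncated in the pcap file
#   -c    stop after COUNT packets, so the capture cannot run unbounded
#   -w    write raw pcap for later analysis instead of decoding to the terminal
# With DRY_RUN=1 the command line is printed instead of executed.
run_capture() {
    rc_iface=$1; rc_count=$2; rc_out=$3; rc_filter=$4
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf "tcpdump -n -i %s -s 0 -c %s -w %s '%s'\n" "$rc_iface" "$rc_count" "$rc_out" "$rc_filter"
        return 0
    fi
    tcpdump -n -i "$rc_iface" -s 0 -c "$rc_count" -w "$rc_out" "$rc_filter"
}

# filter_ok FILTER -> exit status 0 if tcpdump -d can compile the expression to
# BPF (nothing is captured, but -d still opens the default interface to learn its
# link-layer type, so it needs the same rights as a capture). Returns 0 as well
# when tcpdump is not installed, so the check degrades to a no-op.
filter_ok() {
    command -v tcpdump >/dev/null 2>&1 || return 0
    tcpdump -d "$1" >/dev/null 2>&1
}

# Usage (dry run):
# DRY_RUN=1 run_capture eth0 100 peers.pcap "$(peer_filter 210.27.48.1 210.27.48.2 210.27.48.3)"
```

Writing raw pcap with -w and decoding later (tcpdump -r file) keeps the capture itself cheap and preserves full packets for forensic review; -c bounds the run so a forgotten capture cannot fill the disk.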
Simple example
172.24.18.25 pings 172.24.18.8
Capture on 172.24.18.8 while the ping is running
In the output (shown as a screenshot in the original), IP iZ88BFRKH96Z is the hostname of 172.24.18.8 (tcpdump resolves addresses to names unless -n is given), which shows that the packet capture succeeded
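As an added example (not part of the original article), the script below parses tcpdump's decoded text output for the ping scenario above, following the output format described in the preface (time, protocol, source > destination, parameters). The sample lines in SAMPLE_CAPTURE are constructed to mimic what tcpdump -n would print for this scenario and are not real captured data; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise tcpdump's decoded text
# output. SAMPLE_CAPTURE is constructed to mimic the article's ping scenario as
# tcpdump -n would print it (time, protocol, src > dst, details); it is not real
# captured data.
SAMPLE_CAPTURE='13:42:01.100001 IP 172.24.18.25 > 172.24.18.8: ICMP echo request, id 4242, seq 1, length 64
13:42:01.100095 IP 172.24.18.8 > 172.24.18.25: ICMP echo reply, id 4242, seq 1, length 64
13:42:02.101211 IP 172.24.18.25 > 172.24.18.8: ICMP echo request, id 4242, seq 2, length 64
13:42:02.101300 IP 172.24.18.8 > 172.24.18.25: ICMP echo reply, id 4242, seq 2, length 64
13:42:03.500000 IP 172.24.18.25.51234 > 172.24.18.8.22: Flags [S], seq 1, win 64240, length 0
13:42:03.500100 IP 172.24.18.8.22 > 172.24.18.25.51234: Flags [S.], seq 2, ack 2, win 65160, length 0'

# count_by_src: read tcpdump text lines on stdin, print "source_host count",
# one line per host, sorted. Field 3 is the source as "host" or "host.port";
# an IPv4 source carrying a port splits into five dot-separated parts.
count_by_src() {
    awk '$2 == "IP" && $4 == ">" {
            src = $3
            n = split(src, a, ".")
            if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]   # drop the .port suffix
            c[src]++
        }
        END { for (h in c) print h, c[h] }' | LC_ALL=C sort
}

# rtt_ms: pair each ICMP echo request with its reply by "id X, seq Y" and print
# "id/seq rtt_in_ms". Timestamps are hh:mm:ss.micros from the same capture, so
# subtracting them gives the round-trip time as observed by the capturing host.
rtt_ms() {
    awk 'function ts(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
         function key(i, s) { sub(/,$/, "", i); sub(/,$/, "", s); return i "/" s }
         /ICMP echo request/ { req[key($10, $12)] = ts($1) }
         /ICMP echo reply/   { k = key($10, $12)
                               if (k in req) printf "%s %.3f\n", k, (ts($1) - req[k]) * 1000 }'
}

# Usage: printf '%s\n' "$SAMPLE_CAPTURE" | count_by_src
#        printf '%s\n' "$SAMPLE_CAPTURE" | rtt_ms
```

The parser relies on the -n output form; with name resolution enabled, field 3 would carry a hostname such as iZ88BFRKH96Z and the port-stripping rule would not apply, which is one more reason to capture with -n and resolve names afterwards if needed.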