Use of packet capture tool tcpdump under Linux

Most people who know anything about packet capture know Wireshark, but those who have not done server operation and maintenance or wireless cracking rarely know that Linux has a packet capture tool called tcpdump.

What makes it such a powerful tool is not only its comprehensive capture capability but also its command-line operation, which is quick and convenient for geeks.


The basic command format is shown in the figure above. tcpdump is usually preinstalled; if it is not, look up the installation command for your distribution.


First, the specific parameters of tcpdump and their meanings:

-i: specify the network interface that tcpdump listens on

-s: specify the snapshot length, that is, how many bytes of each packet are captured

-c: specify the number of packets to capture; capture stops automatically when that count is reached

-w: write the captured packets to a file and save them instead of printing them

-A: print the contents of each captured packet as ASCII text

-n: do not resolve addresses to host names; show each address as an IP address

-nn: additionally do not resolve port numbers to service names; show the numeric port number

-v: slightly more verbose output; for example, the TTL and type-of-service fields of the IP packet are included

-vv: even more verbose packet information

-e: print the link-layer header of each captured packet, including the source and destination MAC addresses and the network-layer protocol

-p: do not put the interface into promiscuous mode (note that this is not a substitute for a host or broadcast filter)

-r: read packets from a file instead of a live interface

-S: print absolute TCP sequence numbers for each packet instead of relative ones


Below are some commonly used invocations, recorded here for later reference.

Start by default

tcpdump

Starting tcpdump with no arguments captures all packets flowing on the eth0 interface.

Monitor the packets of the specified network interface

tcpdump -i eth1

If no interface is specified, tcpdump listens only on the first network interface, eth0, by default.

Monitor the packets of a specified host

Print all packets entering or leaving the host Kali.

tcpdump host Kali

An IP address can also be given; for example, to capture all packets received and sent by host 192.168.0.22:

tcpdump host 192.168.0.22 

Not: ! or not
And: && or and
Or: || or or

Print packets exchanged between Kali and either hot or cool

tcpdump host Kali and \( hot or cool \)

Capture traffic between host 192.168.0.1 and hosts 192.168.0.2 or 192.168.0.3

tcpdump host 192.168.0.1 and \( 192.168.0.2 or 192.168.0.3 \)

To capture IP packets exchanged between host 192.168.0.1 and every host except 192.168.0.2, use:

tcpdump ip host 192.168.0.1 and ! 192.168.0.2

Capture all packets sent by host hostname

tcpdump -i eth0 src host hostname

Monitor all packets sent to host hostname

tcpdump -i eth0 dst host hostname

Monitor packets of a specified host and port

To capture telnet packets received or sent by host 192.168.0.1, use the following command:

tcpdump tcp port 23 and host 192.168.0.1

Monitor UDP port 123 on this machine (123 is the NTP service port)

tcpdump udp port 123

For example, when NetFlow export is monitored on port 9996 and the traffic needs to be collected:

tcpdump -i eth0 -nnA port 9996 -c 2000 -w aa.cap

(-c specifies the number of packets to capture; -w saves the captured data to the file aa.cap in the current directory. Because -w writes the raw packets to the file and prints nothing, -A has no effect here.)

The options can be combined freely as needed. Save the packets to a file, copy it off the machine, and open it in Wireshark for graphical viewing, which makes analysis much easier.
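As an added example that is not part of the original post, the following Python builds a few constructed UDP frames, packs them in the classic pcap format that -w aa.cap writes and -r reads back (including the -s snapshot-length truncation), and then applies the same host/port matching as the filter expression udp port 123 and host 192.168.0.22 above. All MAC addresses, IP addresses, ports and function names are constructed for illustration.

```python
import struct

def udp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/UDP frame; checksums left zero (fine for a pcap)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + udp

def build_pcap(frames, snaplen=65535):
    """Pack frames as a classic little-endian pcap (the format `tcpdump -w` writes)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for i, fr in enumerate(frames):
        cap = fr[:snaplen]  # -s snaplen: only this many bytes of each packet are stored
        out.append(struct.pack("<IIII", 1_500_000_000 + i, 0, len(cap), len(fr)) + cap)
    return b"".join(out)

def parse_pcap(data):
    """Yield the captured bytes of each record (what `tcpdump -r file` reads back)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):
    """Return (proto, src, sport, dst, dport) as a `-nn` line shows them, or None."""
    if frame[12:14] != b"\x08\x00":  # only IPv4 is handled here
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = {6: "tcp", 17: "udp"}.get(frame[23])
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    if proto is None:
        return (str(frame[23]), src, None, dst, None)
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (proto, src, sport, dst, dport)

def match(s, proto=None, port=None, host=None):
    """Semantics of `<proto> port N and host H`: host and port match in either direction."""
    return s is not None and (proto is None or s[0] == proto) and \
        (port is None or port in (s[2], s[4])) and (host is None or host in (s[1], s[3]))

def capture_ntp(pcap_bytes, host="192.168.0.22"):
    """Equivalent of `tcpdump -nn -r file udp port 123 and host 192.168.0.22`."""
    return [s for s in map(decode, parse_pcap(pcap_bytes)) if match(s, "udp", 123, host)]
```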


Origin blog.csdn.net/liushulin183/article/details/71512356