Instructions for packet capture when the network is abnormal

Introduction to Commonly Used Packet Capture Tools
The following describes the commonly used packet capture tools in Linux and Windows environments:
Packet capture tool in Linux environment
Packet capture tool in Windows environment

Packet capture tool in Linux environment

In the Linux environment, tcpdump is usually used for packet capture and analysis. It is a packet capture and analysis tool pre-installed in almost all Linux distributions. For how to obtain and install tcpdump, please refer to the official tcpdump documentation.
tcpdump usage (synopsis)

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ] 
         [ -c count ] 
         [ -C file_size ] [ -G rotate_seconds ] [ -F file ] 
         [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ] 
         [ --number ] [ -Q in|out|inout ] 
         [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ] 
         [ -W filecount ] 
         [ -E spi@ipaddr algo:secret,... ] 
         [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] 
         [ --time-stamp-precision=tstamp_precision ] 
         [ --immediate-mode ] [ --version ] 
         [ expression ]

Description of common parameters (case sensitive)
-s sets the snapshot length, i.e. how many bytes of each packet are captured. With -s 0, tcpdump picks a length large enough to capture whole packets instead of truncating them.
-w writes the raw captured packets to a file instead of decoding and printing them on the console.
-i specifies the interface (network card) to listen on.
-v, -vv and -vvv increase the amount of protocol detail printed; -vvv prints the most detail (IP header fields, checksums, and so on).
expression is a filter expression that selects which packets are captured. Its keywords fall into the following categories:
Type keywords: host (a host), net (a network) and port (a port).
Direction keywords: src (source), dst (destination), src or dst (either source or destination) and src and dst (both source and destination).
Protocol keywords: icmp, ip, arp, rarp, tcp, udp and other protocol types.
For more parameter descriptions and usage, please refer to the manpage of tcpdump.

Common usage and sample output
Capture the traffic on the specified port of the specified interface.
Operating instructions:

tcpdump -s 0 -i eth0 port 22

Sample output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:24:59.414951 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164
20:24:59.415002 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164
20:24:59.415052 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442700:442864, ack 53, win 141, length 164
20:24:59.415103 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442864:443028, ack 53, win 141, length 164

Capture the traffic on the specified port of the specified interface and print verbose protocol details (IP header fields, checksums) on the console.

Operating instructions:

tcpdump -s 0 -i eth1 -vvv port 22

Sample output:

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
42.120.74.107.43414 > 172.16.2.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
20:24:20.991130 IP (tos 0x10, ttl 64, id 22748, offset 0, flags [DF], proto TCP (6), length 540)
172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x25e4 (incorrect -> 0x5e78), seq 133900:134400, ack 53, win 141, length 500
20:24:20.991162 IP (tos 0x0, ttl 53, id 2349, offset 0, flags [DF], proto TCP (6), length 40)
42.120.74.107.43414 > 172.16.2.226.ssh: Flags [.], cksum 0xf39e (correct), seq 53, ack 129812, win 15278, length 0
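An added example, not part of the original post, that reads records in the format of the verbose output above and counts checksum results per direction relative to the capturing host. The point it illustrates: "incorrect" checksums on packets the capturing host itself sends are normally a capture artefact of checksum offload (the NIC fills in the checksum after tcpdump has copied the frame), while "incorrect" checksums on packets received from the network are the ones worth investigating. The sample input is constructed from the four SSH packets shown above.

```shell
#!/bin/sh
# Added example, not from the original post: count checksum results per
# direction in "tcpdump -vvv" output (format as in the sample output above).
#
# Outbound "incorrect" checksums usually mean checksum offload on the capturing
# host, not corruption; inbound "incorrect" checksums point at a real problem.
#
# cksum_report LOCAL_IP < tcpdump_output
cksum_report() {
    awk -v me="$1" '
        /cksum 0x/ {
            src = $1; sub(/\.[^.]*$/, "", src)        # drop the port/service
            dir = (src == me) ? "out" : "in"
            state = ($0 ~ /\(incorrect/) ? "bad" : "ok"
            n[dir "_" state]++
        }
        END {
            printf "out_ok=%d out_bad=%d in_ok=%d in_bad=%d\n",
                n["out_ok"], n["out_bad"], n["in_ok"], n["in_bad"]
        }'
}

# Constructed sample: the four SSH packets from the verbose output above.
SAMPLE='20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
42.120.74.107.43414 > 172.16.2.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
20:24:20.991130 IP (tos 0x10, ttl 64, id 22748, offset 0, flags [DF], proto TCP (6), length 540)
172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x25e4 (incorrect -> 0x5e78), seq 133900:134400, ack 53, win 141, length 500
20:24:20.991162 IP (tos 0x0, ttl 53, id 2349, offset 0, flags [DF], proto TCP (6), length 40)
42.120.74.107.43414 > 172.16.2.226.ssh: Flags [.], cksum 0xf39e (correct), seq 53, ack 129812, win 15278, length 0'

# demo: run the report over the sample with 172.16.2.226 as the local host.
demo() {
    printf '%s\n' "$SAMPLE" | cksum_report 172.16.2.226
}
demo
```

Over the sample this prints out_ok=0 out_bad=2 in_ok=2 in_bad=0, i.e. only the locally sent packets carry "incorrect" checksums, which is the offload pattern rather than a network fault.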

Capture the ICMP (ping) traffic sent to the specified IP and print verbose details on the console.

Operating instructions:

tcpdump -s 0 -i eth1 -vvv dst 223.5.5.5 and icmp

Sample output:

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:26:00.368958 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 341, length 64
20:26:01.369996 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 342, length 64
20:26:02.371058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 343, length 64
20:26:03.372181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 344, length 64

Capture the traffic on all interfaces in the system and save it to the specified file.

Operating instructions:

tcpdump -i any -s 0 -w test.cap

Sample output:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
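An added example, not from the original post, that extends the -w usage above to the case this page is about: a fault that appears intermittently, so the capture has to run for a long time. The script assembles a tcpdump command line from the rotating-file options listed in the synopsis (-C, -W) plus -Z, and validates its arguments, so the command can be reviewed before it is run as root. Interface, port and output prefix are placeholder arguments.

```shell
#!/bin/sh
# Added example, not from the original post: build a long-running tcpdump
# command that rotates its output files, so an intermittent fault can be
# captured without filling the disk. Only options from the synopsis above
# are used; interface, port and output prefix are placeholder arguments.

# in_range VALUE MIN MAX: succeed if VALUE is an unsigned integer in [MIN, MAX].
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# build_capture_cmd IFACE PORT PREFIX [FILE_MB] [FILE_COUNT]
# Prints the command line on stdout; returns 1 on invalid input.
#   -s 0       capture whole packets, as in the examples above
#   -C N       start a new file when the current one reaches N million bytes
#   -W N       keep a ring of at most N files, overwriting the oldest
#   -Z nobody  drop root privileges once the interface is open
#   -w PREFIX  tcpdump appends the file number to this name itself
build_capture_cmd() {
    iface=$1; port=$2; prefix=$3; mb=${4:-100}; count=${5:-10}
    case "$iface" in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface: '$iface'" >&2; return 1 ;;
    esac
    in_range "$port" 1 65535 || { echo "bad port: '$port'" >&2; return 1; }
    in_range "$mb" 1 100000  || { echo "bad file size: '$mb'" >&2; return 1; }
    in_range "$count" 1 1000 || { echo "bad file count: '$count'" >&2; return 1; }
    printf 'tcpdump -s 0 -i %s -C %s -W %s -Z nobody -w %s.cap port %s\n' \
        "$iface" "$mb" "$count" "$prefix" "$port"
}

# Usage: print the command for review, here for the SSH case shown above.
build_capture_cmd eth0 22 /var/tmp/ssh
```

Because tcpdump changes to the -Z user before it opens the first output file, the directory named in the prefix must be writable by that user.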

Packet capture tool in Windows environment

Wireshark packet capture steps
1. Install and open Wireshark.
2. Choose Capture > Options.
3. In the Wireshark Capture Interfaces window, select the network card to capture from by its interface name or by the IP address shown next to it, then click Start.
4. After enough packets have been captured, choose Capture > Stop.
5. Choose File > Save to save the capture result to the specified file.
For the use of Wireshark and its data analysis methods, please refer to the official Wireshark documentation.

Origin blog.csdn.net/qq_17030783/article/details/99683221