A detailed guide to the tcpdump packet capture tool

Introduction

tcpdump is a command-line packet capture tool. It lets a user intercept and display TCP/IP and other packets sent or received over a network interface of the machine it runs on. Capturing from a live interface requires root (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities); reading a saved capture file does not.

Option reference

-A    Print the contents of each captured packet in ASCII (without the link-layer header); convenient for reading HTTP and other text-based protocols.
-c    Stop after the given number of packets has been received.
-F    Read the filter expression from the given file; any expression given on the command line is ignored.
-i    Listen on the given network interface (use "any" to capture on all interfaces).
-r    Read packets from the given file (normally one produced with -w) instead of from a live interface.
-w    Write the raw packets to the given file without decoding or printing them; the file can be read back later with -r or opened in Wireshark.
-s    snaplen is the number of bytes captured from each packet. 0 means no truncation, i.e. capture the whole packet. Old tcpdump versions captured only the first 68 bytes by default, which drops most of the payload; since tcpdump 4.0 the default is 262144 bytes, so -s 0 mainly matters on older installations.
-T    Decode the captured packets as the given type instead of guessing from the port; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol).
-X    Print both the protocol headers and the packet contents, in hex and ASCII side by side; indispensable for protocol analysis.
-n    Do not resolve IP addresses to host names (-nn additionally leaves port numbers unresolved). This also avoids the DNS lookups that would otherwise slow the capture down and generate traffic of their own.

Examples

Capturing to a file and reading it back

Capture packets on the interface ens32 without truncation and save them to the file a.cap (nothing is printed while -w is in effect)

tcpdump -i ens32 -s 0 -w a.cap

Read the contents of the a.cap file

tcpdump -r a.cap

Read a.cap and print the packet contents in ASCII

tcpdump -A -r a.cap

Read a.cap and print headers and contents in hex and ASCII

tcpdump -X -r a.cap 

Capture TCP packets to or from port 22 (SSH) on the interface ens32
</gre_replace>
<gr_replace lines="43" cat="clarify" orig="Capture TCP data">
Capture TCP packets to or from port 80 (HTTP) on the interface ens32

tcpdump -i ens32 tcp port 22

Capture TCP data packets of port 80 on the network card ens32

tcpdump -i ens32 tcp port 80

Capture UDP packets to or from port 53 (DNS) on the interface ens32

tcpdump -i ens32 udp port 53

tcpdump filters

Filter on an output column (with -n the third field of each line is the source address with the port appended, so this lists every distinct source endpoint in the capture)

tcpdump -n -r HTTP.cap | awk '{print $3}'|sort -u
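As an added example of working with this per-field text output (this is not code from the original post), the script below takes lines in the format tcpdump -n prints for IPv4 traffic, strips the trailing port from the source field and counts packets per source host. The sample lines are constructed for the example and do not come from a real HTTP.cap; the line format assumed is the default one, without -e, -tt or -q.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `tcpdump -n` text output by
# source host. With -n, a line looks like
#   <time> IP <src>.<sport> > <dst>.<dport>: ...
# so field 3 is the source address with the port glued on as a fifth dotted component
# (IPv4 only; ICMP and other portless lines carry a plain four-part address there).

# Constructed sample (not a real HTTP.cap) in the format `tcpdump -n -r HTTP.cap` prints.
SAMPLE='13:08:21.123456 IP 174.143.213.184.80 > 10.0.0.5.52344: Flags [P.], seq 1:200, ack 1, win 229, length 199: HTTP
13:08:21.123789 IP 10.0.0.5.52344 > 174.143.213.184.80: Flags [.], ack 200, win 65535, length 0
13:08:22.000001 IP 10.0.0.5.52345 > 174.143.213.184.80: Flags [S], seq 0, win 65535, length 0
13:08:22.000500 IP 174.143.213.184.80 > 10.0.0.5.52345: Flags [S.], seq 0, ack 1, win 29200, length 0
13:08:23.000000 IP 192.0.2.9.443 > 10.0.0.5.40000: Flags [P.], seq 1:100, ack 1, win 100, length 99
13:08:24.000000 IP 10.0.0.5 > 174.143.213.184: ICMP echo request, id 1, seq 1, length 64'

# Read tcpdump lines on stdin; print "<packets> <source host>", busiest source first.
# The port is dropped only when field 3 has five dotted parts, so the ICMP line keeps
# its whole address instead of losing its last octet.
src_hosts() {
    awk '$2 == "IP" {
             h = $3
             if (split(h, p, ".") == 5) h = p[1] "." p[2] "." p[3] "." p[4]
             n[h]++
         }
         END { for (h in n) print n[h], h }' | sort -rn
}

printf '%s\n' "$SAMPLE" | src_hosts
```

Post-filtering like this is fine for a quick look; for anything large, let tcpdump do the selection with a filter expression such as the src host filter in the next example, since the BPF filter runs before the packets are decoded.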

Filter by source IP address

tcpdump -n src host 174.143.213.184 -r HTTP.cap 

Filter by destination IP address

tcpdump -n dst host 174.143.213.184 -r HTTP.cap

Filter by port number (either TCP or UDP, source or destination)

tcpdump -n port 80 -r HTTP.cap

Filter by protocol and port number

tcpdump -n tcp port 80 -r HTTP.cap

Filter on the TCP flags byte. tcp[13] is the byte at offset 13 of the TCP header (the fourteenth byte, counting from 0), which holds the flags; 24 is 0x18, i.e. PSH (8) plus ACK (16), so this matches only segments that carry data on an established connection, which in an HTTP capture are the requests and responses, and -A prints their text

tcpdump -A -n 'tcp[13] = 24' -r HTTP.cap
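Working out values like 24 by hand is error-prone, so here is an added helper (not code from the original post) that builds tcp[13] filter expressions from flag names and decodes a number back into flag names. The bit values it uses are the ones defined by RFC 793 and later (FIN 1, SYN 2, RST 4, PSH 8, ACK 16, URG 32, ECE 64, CWR 128); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): translate TCP flag names to and from the
# value compared against tcp[13], the flags byte at offset 13 of the TCP header.
# Bit values: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 ECE=64 CWR=128.

flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;   RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;; URG) echo 32 ;;  ECE) echo 64 ;;  CWR) echo 128 ;;
        *)   echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR the bits of the named flags together: flag_mask PSH ACK -> 24
flag_mask() {
    m=0
    for f in "$@"; do
        b=$(flag_bit "$f") || return 1
        m=$((m | b))
    done
    echo "$m"
}

# Exact match: exactly these flags and no others, like the post's tcp[13] = 24.
flags_exactly() {
    m=$(flag_mask "$@") || return 1
    echo "tcp[13] = $m"
}

# Subset match: these flags set, whatever the others are (e.g. every SYN, with or without ACK).
flags_include() {
    m=$(flag_mask "$@") || return 1
    echo "tcp[13] & $m = $m"
}

# Decode a number seen in a filter back into flag names: flag_names 24 -> "PSH ACK"
flag_names() {
    v=$1; out=""
    for f in FIN SYN RST PSH ACK URG ECE CWR; do
        b=$(flag_bit "$f")
        [ $((v & b)) -ne 0 ] && out="$out $f"
    done
    echo "${out# }"
}

# Usage: build the expression and hand it to tcpdump (a capture file, or root for live capture).
#   tcpdump -A -n "$(flags_exactly PSH ACK)" -r HTTP.cap   # data-bearing segments, as in the post
#   tcpdump -n "$(flags_exactly SYN)" -r HTTP.cap          # bare SYNs: connection attempts only
echo "$(flags_exactly PSH ACK)  matches  $(flag_names 24)"
```

Note that flags_exactly SYN misses SYNs that also carry ECE/CWR (ECN negotiation), which flags_include SYN catches; tcpdump also accepts the symbolic form tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn, which reads better in scripts that others will maintain.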

Source: blog.csdn.net/m0_46674735/article/details/113794758