tcpdump usage options

Packet capture options:

  • -c count: Stop after count packets have matched the filter. Note that tcpdump may process many more packets than that: "-c 10" returns 10 packets, but 100 packets may have been examined, of which only 10 matched the filter.
  • -i interface: Specify the interface tcpdump should listen on. If this option is not given, tcpdump searches the system interface list and picks the lowest-numbered configured interface (excluding the loopback interface; use "tcpdump -i lo" to capture on loopback). The search stops at the first qualifying interface. The keyword 'any' selects all network interfaces.
  • -n: Show addresses numerically instead of as host names, i.e. -n disables host name resolution.
  • -nn: In addition to -n, show ports numerically instead of as service names.
  • -N: Do not print the domain part of host names. For example, tcpdump prints 'nic' instead of 'nic.ddn.mil'.
  • -P: Specify whether to capture incoming or outgoing packets. Accepted values are "in", "out" and "inout"; the default is "inout".
  • -s len: Set the capture length (snaplen) to len bytes; if not set, the default is 65535 bytes. If the packets to be captured are larger than the snaplen, they are truncated, and the output line is marked with "[|proto]" (proto is replaced by the actual protocol name). A larger len means longer per-packet processing time and fewer packets that tcpdump can buffer, which can lead to packet loss; so, as long as the packets of interest are captured completely, the smaller the capture length the better.

Output options:

  • -e: Print the link-layer header on each output line, such as source and destination MAC addresses.
  • -E:
  • -q: Quick (quiet) output. Less protocol information is printed, so the output lines are shorter.
  • -X: Print the packet data in hex and ASCII side by side.
  • -XX: Same as -X, but in more detail.
  • -v: Produce verbose output when analyzing and printing.
  • -vv: More verbose than -v.
  • -vvv: More verbose than -vv.

Other functional options:

  • -D: List the interfaces available for capture. Each interface is listed with its number and name; either can be given to "-i".
  • -F file: Read the filter expression from file. When this option is used, any expression given on the command line is ignored.
  • -w file: Write the captured packets to file instead of printing them to standard output. Combined with "-G seconds", the output is rotated to a new file every seconds seconds. These files can later be loaded with "-r" for analysis and printing.
  • -r file: Read packets from the given capture file. Use "-" to read from standard input.
  • -S: Print absolute TCP sequence numbers.
  • -t: Simplified timestamp display.
  • -tttt: Most readable timestamp (full date and time on each line).
  • -l: Line-buffered output, convenient for saving and viewing, or for piping to other tools for analysis.
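Because -nn, -tttt and -l together give stable, line-oriented text, tcpdump output can be post-processed by other tools. The following shell functions are an added example, not code from the original post: they read lines in the format that "tcpdump -nn -tttt -l" prints (source and destination as a.b.c.d.port, flags in brackets), summarize packet counts per flow, and flag any source that sent bare SYNs to many distinct destination ports, a shape worth a second look in a capture. The sample lines are constructed, not a real capture; the function names, the 3-port threshold and the interface in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarize tcpdump text output.
# Assumes the capture was printed with "tcpdump -nn -tttt -l", for instance
#   tcpdump -nn -tttt -l -i eth0 'host 192.168.99.128' | syn_fanout 3
# The lines below are constructed sample output, not a real capture.
SAMPLE=$(cat <<'EOF'
2024-03-01 10:15:32.000001 IP 192.168.99.129.51234 > 192.168.99.128.80: Flags [S], seq 1000, win 64240, length 0
2024-03-01 10:15:32.000002 IP 192.168.99.128.80 > 192.168.99.129.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
2024-03-01 10:15:32.000003 IP 192.168.99.129.51234 > 192.168.99.128.80: Flags [.], ack 2001, win 502, length 0
2024-03-01 10:15:33.000000 IP 192.168.99.130 > 192.168.99.128: ICMP echo request, id 7, seq 1, length 64
2024-03-01 10:15:34.000001 IP 10.0.0.5.40001 > 192.168.99.128.22: Flags [S], seq 1, win 1024, length 0
2024-03-01 10:15:34.000002 IP 10.0.0.5.40002 > 192.168.99.128.23: Flags [S], seq 1, win 1024, length 0
2024-03-01 10:15:34.000003 IP 10.0.0.5.40003 > 192.168.99.128.80: Flags [S], seq 1, win 1024, length 0
2024-03-01 10:15:34.000004 IP 10.0.0.5.40004 > 192.168.99.128.443: Flags [S], seq 1, win 1024, length 0
2024-03-01 10:15:35.000000 IP 192.168.99.129.51234 > 192.168.99.128.80: Flags [P.], seq 1001:1080, ack 2001, win 502, length 79
EOF
)

# awk helpers shared by both functions: with -nn, a TCP/UDP endpoint prints as
# a.b.c.d.port (5 dot-separated parts); an ICMP endpoint has no port (4 parts).
AWK_HELPERS='
function ip_of(ep,   n, p) { n = split(ep, p, "."); return (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : ep }
function port_of(ep,   n, p) { n = split(ep, p, "."); return (n == 5) ? p[5] : "-" }
'

# count_flows: read tcpdump -nn -tttt lines on stdin and print "count src dst dport",
# most packets first. Only IPv4 lines ($3 == "IP") are handled; IP6 lines are skipped.
count_flows() {
  awk "$AWK_HELPERS"'
    $3 == "IP" && $5 == ">" {
      d = $6; sub(/:$/, "", d)                 # strip the colon after the destination
      n[ip_of($4) " " ip_of(d) " " port_of(d)]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2,2 -k4,4n
}

# syn_fanout THRESHOLD: print "src nports" for every source that sent pure SYNs
# (Flags [S], not the [S.] of a SYN-ACK) to at least THRESHOLD distinct destination ports.
syn_fanout() {
  awk -v t="${1:-3}" "$AWK_HELPERS"'
    $3 == "IP" && $5 == ">" && $7 == "Flags" && $8 == "[S]," {
      d = $6; sub(/:$/, "", d)
      s = ip_of($4)
      if (!seen[s, port_of(d)]++) ports[s]++   # count each (src, dport) pair once
    }
    END { for (s in ports) if (ports[s] >= t) print s, ports[s] }
  ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | count_flows
printf '%s\n' "$SAMPLE" | syn_fanout 3
```

On the sample, count_flows reports three packets for the 192.168.99.129 to 192.168.99.128:80 flow and one packet for each of the other six, and syn_fanout 3 reports only 10.0.0.5, which sent SYNs to four different ports. The functions rely on -nn (no name resolution, so the dotted endpoint format is predictable) and on -l when reading a live capture through a pipe.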

tcpdump logical operators

  • Negation: not or !
  • AND: and or &&
  • OR: or or ||

Select packets with host 192.168.99.129 or 192.168.99.120 and port 80:
tcpdump 'port 80 and (host 192.168.99.129 or host 192.168.99.120)'

Three commonly used kinds of tcpdump keywords

Type keywords
host, net and port define the scope of the captured packets

# Capture all packets involving host 99.128
tcpdump host 192.168.99.128
# Capture packets of a given network
tcpdump net 192.168.99.0/24
# Capture packets of host 99.128 communicating with 99.129 or 99.130
tcpdump -nn 'host 192.168.99.128 and (192.168.99.129 or 192.168.99.130)'
# Capture all packets of host 192.168.99.128 except those exchanged with 192.168.99.130
tcpdump -nn 'host 192.168.99.128 and ! 192.168.99.130'
# All packets sent or received by host 99.128 on port 80
tcpdump host 192.168.99.128 and port 80
# All packets arriving at or departing from dev-99-128
tcpdump host 192.168.99.128
# Print packets exchanged between helios and hot, or between helios and ace
tcpdump 'host helios and (hot or ace)'
# Print IP packets between ace and any host other than helios
tcpdump ip host ace and not helios

Direction keywords

src, dst, dst or src, dst and src describe the direction of the traffic
# Get packets whose source IP is 192.168.99.120 and destination IP is 192.168.99.128
tcpdump -nn src 192.168.99.120 and dst 192.168.99.128
# Capture all packets sent by host hostname
tcpdump src host hostname
# Capture all packets sent to host hostname
tcpdump dst host hostname

Protocol keywords
mainly ip, arp, rarp, tcp, udp, icmp, etc.

# Capture packets of the given host and port
tcpdump tcp port 22 and host hostname
# Capture UDP port 123 of this machine (123 is the NTP service port)
tcpdump udp port 123
# Capture packets of a given network, e.g. traffic between this machine and the 192.168 segment; "-c 10" stops after 10 packets
tcpdump -c 10 net 192.168
# Print all ftp packets passing through gateway snup (note the single quotes around the expression, which keep the shell from interpreting the parentheses)
tcpdump 'gateway snup and (port ftp or ftp-data)'  # common service ports are listed in /etc/services
# Capture ping (ICMP) packets
tcpdump -c 5 -nn -i eth0 icmp
# To capture only pings from host 192.168.100.70 to this machine, combine with the and operator
tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.70  # note that "icmp src 192.168.100.70" is not valid: the icmp protocol qualifier cannot be applied directly to a host primitive
# Capture packets to local port 22
tcpdump -c 10 -nn -i eth0 tcp dst port 22

Common cases

Find traffic by IP
tcpdump host 1.1.1.1

Show only IPv6 traffic
tcpdump ip6

Look at a range of ports
tcpdump portrange 21-23

Filter by packet size
To look at packets of a specific size, use less, greater, or the corresponding comparison operators on len (quote the expression so the shell does not treat < as a redirection):
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'

Raw output
Combine flags for verbose output, without resolving host names or port numbers, with absolute sequence numbers and easy-to-read timestamps:
tcpdump -ttnnvvS

Traffic from one network segment to another (and binds tighter than or, so the alternatives must be parenthesized)
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

Non-ICMP traffic arriving at a given IP
tcpdump dst 192.168.0.2 and not icmp
# from host mars, to any port other than ssh
tcpdump -vv src mars and not dst port 22
# from host 10.0.2.4, to port 3389 or 22
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Common traffic
# DNS
tcpdump -vvAs0 port 53
# FTP
tcpdump -vvAs0 port ftp or ftp-data
# NTP
tcpdump -vvAs0 port 123
# Passwords
tcpdump -lA 'port http or port ftp or port smtp or port imap or port pop3 or port telnet' | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

HTTP-related
# Find HTTP User-Agent headers
tcpdump -vvAls0 | grep 'User-Agent:'
# GET requests
tcpdump -vvAls0 | grep 'GET'
# Host headers
tcpdump -vvAls0 | grep 'Host:'
# HTTP cookies
tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

Origin blog.csdn.net/bjgaocp/article/details/110239300