Commonly used parameters of tcpdump

Commonly used tcpdump usage method
-A Print each packet in ASCII (minus its link-layer header); handy for reading plaintext protocols.

-c After receiving the specified number of packets, tcpdump will stop.

-C Before writing a raw packet to the file, check whether the current size of the file exceeds the size specified in the parameter file_size. If it exceeds the specified size, the current file is closed, and then a new file is opened. The unit of the parameter file_size is megabytes (1,000,000 bytes, not 1,048,576 bytes).

-d Dump the compiled packet-matching code (the filter) in a human-readable assembler-like form.

-dd Gives the code of the matching information packet in the format of a C language program segment.

-ddd Gives the code of the matched packet in decimal form.

-D Print out all network interfaces in the system that can be intercepted by tcpdump.

-e Print out the header information of the data link layer on the output line.

-E Use spi@ipaddr algo:secret to decrypt IPsec ESP packets addressed to addr that carry the Security Parameter Index value spi.

-f Print "foreign" Internet addresses numerically rather than symbolically.

-F Read expressions from the specified file, ignoring the expressions given in the command line.

-i Specifies the network interface to be monitored.

-l Make standard output line-buffered, so the data can be piped to a file or another program while the capture is still running.

-L lists the known data links of the network interface.

-m Import the SMI MIB module definition from the file module. This parameter can be used multiple times to import multiple MIB modules.

-M If there are TCP-MD5 options in the tcp message, you need to use secret as the shared verification code to verify the summary of the TCP-MD5 options (for details, refer to RFC 2385).

-b Select the data-link layer protocol; the protocols at this layer include ip, arp, rarp, and ipx.

-n Does not convert network addresses to names.

-nn is displayed directly by IP and port number, rather than host and server name.

-N Does not output the domain-name part of host names. For example, 'nic.ddn.mil' is printed as 'nic'.

-t Do not print a timestamp on each line of output (see also -tt and -ttt below).

-O Do not run the packet-matching code optimization program.

-P does not set the network interface to promiscuous mode.

-q Quick output. Only output less protocol information.

-r Read packets from the specified file (such files are usually produced with the -w option).

-S Print TCP sequence numbers as absolute values rather than relative values.

-s Capture the first snaplen bytes of each packet instead of the default 68 bytes. -s 0 means the length is not limited and the entire packet is captured.

-T Interpret the captured packets directly as the specified message type; common types are rpc (remote procedure call) and snmp (simple network management protocol).

-t Do not output the timestamp in each line.

-tt Output an unformatted timestamp on each line.

-ttt Output the time difference between this line and the previous line.

-tttt Print a timestamp on each line in the default format produced by date.

-u Output undecoded NFS handle.

-v Output slightly more detailed information; for example, the TTL and type-of-service fields of the IP packet are included.

-vv output more detailed information.

-vvv Output the most detailed message information.

-w Write the raw packets to a file instead of parsing and printing them. (The resulting .pcap file can be opened with Wireshark on Windows for further analysis.)

For Wireshark to analyze a tcpdump capture, the key points are the -s parameter (capture whole packets) and saving the output to a file with -w.
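The file that -w writes (and -r reads back) is the libpcap format, and the -s snaplen is recorded in it per packet: each record stores both the number of bytes actually captured and the packet's original length on the wire. The following added example, which is not code from the original post, is a small reader and writer for that format; it shows why a capture made with the old 68-byte default leaves truncated records that Wireshark cannot fully dissect, while -s 0 preserves whole packets. The packet bytes are constructed sample data, and the 262144-byte "unlimited" value is the one modern tcpdump uses for -s 0.

```python
"""Added example: minimal libpcap reader/writer modelling tcpdump -w / -r / -s.

Not part of the original post. Packet contents are constructed samples.
"""
import struct
from typing import List, NamedTuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond pcap, little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as seen from a big-endian writer
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, what tcpdump writes on Ethernet
OLD_DEFAULT_SNAPLEN = 68     # the default the post mentions (older tcpdump)
UNLIMITED_SNAPLEN = 262144   # what tcpdump substitutes for -s 0 (assumption: modern versions)


class Record(NamedTuple):
    ts_sec: int
    ts_usec: int
    incl_len: int   # bytes saved in the file (bounded by snaplen)
    orig_len: int   # bytes the packet had on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        """True when -s cut the packet short (incl_len < orig_len)."""
        return self.incl_len < self.orig_len


def write_pcap(packets: List[bytes], snaplen: int, ts_start: int = 1_600_000_000) -> bytes:
    """Serialize packets the way `tcpdump -w FILE -s snaplen` would (snaplen 0 = no limit)."""
    limit = snaplen if snaplen > 0 else UNLIMITED_SNAPLEN
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        captured = pkt[:limit]
        # Record header: ts_sec, ts_usec, incl_len, orig_len (16 bytes)
        out += struct.pack("<IIII", ts_start + i, 0, len(captured), len(pkt))
        out += captured
    return out


def read_pcap(blob: bytes) -> List[Record]:
    """Parse a pcap blob into records, the way `tcpdump -r FILE` consumes it."""
    if len(blob) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic 0x%08x)" % magic)
    records: List[Record] = []
    offset = 24
    while offset + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[offset:offset + 16])
        offset += 16
        data = blob[offset:offset + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        records.append(Record(ts_sec, ts_usec, incl_len, orig_len, data))
    return records


def count_truncated(records: List[Record]) -> int:
    """How many records lost bytes to the snaplen; >0 means re-capture with -s 0."""
    return sum(1 for r in records if r.truncated)


# Constructed sample frames: a 200-byte Ethernet frame carrying an HTTP request
# line, and a 60-byte minimum-size frame.
SAMPLE_PACKETS = [
    bytes(14) + b"GET / HTTP/1.1\r\n" + b"x" * 170,
    bytes(60),
]

if __name__ == "__main__":
    for snaplen in (OLD_DEFAULT_SNAPLEN, 0):
        recs = read_pcap(write_pcap(SAMPLE_PACKETS, snaplen))
        print("snaplen %d: %d of %d records truncated" % (snaplen, count_truncated(recs), len(recs)))
```

Running the script shows that with the 68-byte snaplen the HTTP frame is stored as 68 of 200 bytes, whereas with -s 0 both frames round-trip intact; the same check on a real capture (count_truncated on the file produced by -w) tells you whether the capture is complete enough for Wireshark before you start analysing it.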

-X and -XX Print packet contents in hexadecimal and ASCII, which makes the data readable; this is useful for HTTP, the memcached ASCII protocol, and other plaintext protocols, where the payload can be read directly.

Origin blog.51cto.com/15117737/2643917