If we need to capture packets quickly, we can use the following command, provided that the server's traffic volume is not large:
tcpdump -i any -vvv -w test.cap
This command captures packets on all of the server's network interfaces and saves them to the file test.cap.
-i specifies the network interface to capture on, such as eth0 (any means every interface)
-vvv makes the output very detailed
host matches packets to or from the specified host
-X prints the protocol headers and packet contents as they are, in hex and ASCII
-a convert network addresses and broadcast addresses into names
-A prints packet contents in ASCII
-n do not resolve addresses to names; show the IP address as-is in each captured packet
-w save the captured packets to the specified file
-r read packets from the specified capture file instead of a live interface
-c stop after the specified number of packets has been captured
-t do not print a timestamp on each line
src matches on the source address
dst matches on the destination address
port matches on the specified port number
tcp[tcpflags] tests the TCP flags byte, so packets with a specific flag such as ACK or SYN can be matched.
For example: tcpdump -i ens33 'tcp[tcpflags] = tcp-syn'
This captures only SYN packets: the filter is an exact comparison, so a SYN-ACK (both bits set) does not match. Note the space after the interface name and the quotes around the filter.
Capture packets whose destination port is 22
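To show what -w, -r and the two filters above actually operate on, here is an added Python example (not from the original page) that writes a small constructed capture file in the classic pcap layout tcpdump uses, reads it back the way -r does, and applies the 'tcp[tcpflags] = tcp-syn' and 'dst port 22' tests by hand. It assumes the capture holds bare IPv4 packets (link type 228, no Ethernet header); the packets, addresses and ports are constructed.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IPV4 = 228          # assumption: bare IPv4 packets, no link-layer header
TCP_SYN, TCP_ACK = 0x02, 0x10

def build_tcp_packet(src, dst, sport, dport, flags):
    """Constructed sample packet: IPv4 header + TCP header, no payload, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def write_pcap(path, packets):
    """Write the layout 'tcpdump -w' produces: 24-byte global header, then 16-byte record headers."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IPV4))
        for ts, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt)

def read_pcap(path):
    """Walk the records the way 'tcpdump -r' does; yields raw packet bytes."""
    data, off = open(path, "rb").read(), 24
    while off < len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def count_matching(path, dst_port=None, flags_equal=None):
    """Emulate 'dst port N' and 'tcp[tcpflags] = FLAGS' (exact equality, as tcpdump's '=' means)."""
    hits = 0
    for pkt in read_pcap(path):
        ihl = (pkt[0] & 0x0F) * 4                              # IPv4 header length
        dport = struct.unpack_from("!H", pkt, ihl + 2)[0]      # 'dst port' reads TCP bytes 2-3
        flags = pkt[ihl + 13]                                  # tcp[tcpflags] is TCP byte 13
        if (dst_port is None or dport == dst_port) and (flags_equal is None or flags == flags_equal):
            hits += 1
    return hits

def demo(path=None):
    """Write a constructed 3-packet capture and return hit counts for the page's two filters."""
    path = path or os.path.join(tempfile.mkdtemp(), "test.cap")
    write_pcap(path, [build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 22, TCP_SYN),           # SYN to ssh
                      build_tcp_packet("10.0.0.2", "10.0.0.1", 22, 40000, TCP_SYN | TCP_ACK), # SYN-ACK reply
                      build_tcp_packet("10.0.0.1", "10.0.0.2", 40001, 80, TCP_SYN)])          # SYN to http
    return {"path": path,
            "syn_only": count_matching(path, flags_equal=TCP_SYN),           # 2: SYN-ACK excluded by '='
            "dst_port_22": count_matching(path, dst_port=22),                # 1
            "both": count_matching(path, dst_port=22, flags_equal=TCP_SYN)}  # 1
```

Running demo() shows why the '=' comparison drops the SYN-ACK reply while 'dst port 22' keeps only the client's packet to the SSH port.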