Packet Capture Tool tcpdump Usage Instructions


This article directory:

1.1 tcpdump options

1.2 tcpdump expression

1.3 tcpdump example


tcpdump is a command-line tool that captures packets on a network interface and filters them; its power lies in the flexible filter expressions it accepts.

Run without any options, tcpdump captures on the first network interface and keeps capturing until the tcpdump process is terminated.

For example:

shell> tcpdump -nn -i eth0 icmp

The following is the detailed tcpdump usage.

1.1 tcpdump options

Its command format is:

tcpdump [ -DenNqvX ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ]
        [ -s snaplen ] [ -w file ] [ expression ]

Packet capture options:
-c count: Stop after count packets that match the expression have been received. The count refers to matching packets, not to all packets examined: with "-c 10", tcpdump may process 100 packets and stop once 10 of them satisfy the filter.
-i interface: The interface tcpdump listens on. If it is not given, tcpdump searches the system interface list for the lowest-numbered configured interface (excluding loopback; use "tcpdump -i lo" to capture on loopback) and stops at the first one it finds. The keyword "any" stands for all network interfaces.
-n: Print addresses numerically instead of resolving them to host names; that is, -n disables host name resolution.
-nn: Like -n, and also print port numbers numerically instead of as service names.
-N: Do not print the domain part of host names; for example tcpdump prints 'nic' instead of 'nic.ddn.mil'.
-P: Capture only incoming packets, only outgoing packets, or both. The values are "in", "out" and "inout"; the default is "inout".
-s len: Capture len bytes of each packet. If not set, the default is 65535 bytes. A packet larger than the capture length is truncated, and its output line carries a "[|proto]" mark (with proto replaced by the protocol name). A larger len, however, means more processing time per packet and fewer packets that tcpdump can buffer, which can lead to dropped packets; so as long as the packets you need are captured completely, the smaller the capture length the better.

Output options:
-e: Include link-layer header information, such as source and destination MAC, in each output line.
-q: Quick output: print very little protocol information, so the output lines are short.
-X: Print the packet data in hexadecimal and ASCII side by side.
-XX: Like -X, but also include the link-layer header in the dump.
-v: Produce verbose output when parsing and printing.
-vv: More verbose than -v.
-vvv: More verbose than -vv.

Other options:
-D: List the interfaces available for capture, with their number and name; either can be given to "-i".
-F file: Read the filter expression from file. If this option is used, any expression given on the command line is ignored.
-w file: Write the raw captured packets to file instead of printing them. Combined with "-G time", the output is rotated to a new file every time seconds. Such files can later be loaded with "-r" for parsing and printing.
-r file: Read packets from file instead of from an interface. Use "-" to read from standard input.

Commonly used combinations of these options are:

  • tcpdump -D
  • tcpdump -c num -i int -nn -XX -vvv

1.2 tcpdump expression

The expression selects which packets are printed. Without an expression every packet is printed; with one, only the packets for which the expression is true. An expression containing shell metacharacters should be enclosed in single quotes.

A tcpdump expression consists of one or more "units", each of which generally contains an ID modifier and an ID (number or name). There are three modifiers:

(1).type: Specifies the type of ID.

The values that can be given are host/net/port/portrange. For example "host foo", "net 128.3", "port 20", "portrange 6000-6008". The default type is host.

(2).dir: Specifies the direction of the ID.

The values ​​that can be given include src/dst/src or dst/src and dst, the default is src or dst. For example, "src foo" means packets with source host foo, "dst net 128.3" means packets with destination network 128.3, and "src or dst port 22" means packets with source or destination port 22.

(3).proto: Define the matched packet type by the given protocol.

Commonly used protocols are tcp/udp/arp/ip/ether/icmp, etc. If the protocol type is not given, all possible types are matched. For example "tcp port 21", "udp portrange 7000-7009".

So the basic format of an expression unit is "proto dir type ID".

In addition to expression units using modifiers and IDs, there are also keyword expression units: gateway, broadcast, less, greater, and arithmetic expressions.

Expression units can be combined with the operators and / &&, or / || and not / ! to form complex conditions. For example, "host foo and not port ftp and not port ftp-data" selects packets whose host is foo and whose port is neither ftp (port 21) nor ftp-data (port 20). The mapping between common port numbers and service names can be found in the /etc/services file on Linux.

A modifier that would be repeated can be omitted: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", that is, TCP packets whose destination port is ftp, ftp-data or domain (port 53).

Parentheses "()" change the precedence of an expression. Since the shell interprets parentheses, escape them with a backslash as "\(" and "\)", or, where needed, enclose the whole expression in quotation marks.
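A small model of how one expression unit is interpreted, added here as an example (it is not code from the article or from tcpdump, whose real filters compile to BPF): it fills in the defaults described above (type host, dir "src or dst", no protocol restriction) and applies a unit to hand-built packet summaries, so you can see which packets "host X", "src X", "port 22" or "tcp dst port 22" would select. The packet summaries are constructed to mirror the -nn output shown in section 1.3.

```python
"""Model of how a single tcpdump expression unit ("proto dir type ID") selects a packet.
Added example, not the article's code and not tcpdump's BPF compiler: it applies the
defaults stated in section 1.2 (type host, dir "src or dst", any protocol) to packet
summaries constructed below, so the effect of each omitted modifier can be checked."""

PROTOS = ("tcp", "udp", "icmp", "ip", "arp", "ether")
DIRS = {"src": ("src",), "dst": ("dst",), "src or dst": ("src", "dst"), "src and dst": ("src", "dst")}
TYPES = ("host", "net", "port", "portrange")

# Constructed packet summaries in the shape of the -nn output shown in section 1.3.
PING_REQUEST = {"proto": "icmp", "src": "192.168.100.70", "sport": None, "dst": "192.168.100.62", "dport": None}
PING_REPLY = {"proto": "icmp", "src": "192.168.100.62", "sport": None, "dst": "192.168.100.70", "dport": None}
SSH_ACK = {"proto": "tcp", "src": "192.168.100.1", "sport": 5788, "dst": "192.168.100.62", "dport": 22}


def parse_unit(text):
    """Split e.g. 'tcp dst port 22' into (proto, dir, type, id), filling in the defaults."""
    words = text.split()
    proto = words.pop(0) if words and words[0] in PROTOS else None
    if proto and not words:  # a bare protocol such as "icmp" is a complete unit
        return proto, None, None, None
    direction = "src or dst"  # default direction
    for cand in ("src or dst", "src and dst", "src", "dst"):  # longest forms first
        n = len(cand.split())
        if words[:n] == cand.split():
            direction, words = cand, words[n:]
            break
    typ = words.pop(0) if words and words[0] in TYPES else "host"  # default type
    if len(words) != 1:
        raise ValueError("a unit needs exactly one ID: %r" % text)
    return proto, direction, typ, words[0]


def _id_matches(typ, ident, addr, port):
    """Compare one ID against the address or port of one direction of the packet."""
    if typ == "host":
        return addr == ident
    if typ == "net":  # "net 128.3" matches any address under that prefix
        return addr == ident or addr.startswith(ident.rstrip(".") + ".")
    if port is None:  # port qualifiers never match protocols without ports (e.g. icmp)
        return False
    if typ == "port":
        return port == int(ident)
    lo, hi = (int(x) for x in ident.split("-"))  # portrange lo-hi
    return lo <= port <= hi


def unit_matches(unit, pkt):
    """True if the packet summary satisfies the expression unit."""
    proto, direction, typ, ident = parse_unit(unit)
    if proto == "ip" and pkt["proto"] == "arp":
        return False
    if proto not in (None, "ip", "ether") and pkt["proto"] != proto:
        return False
    if typ is None:  # bare protocol unit: the protocol check above is the whole test
        return True
    hits = [_id_matches(typ, ident, pkt[d], pkt[d[0] + "port"]) for d in DIRS[direction]]
    return all(hits) if direction == "src and dst" else any(hits)


if __name__ == "__main__":
    for unit in ("host 192.168.100.62", "src 192.168.100.62", "net 192.168", "port 22",
                 "tcp dst port 22", "udp port 22", "icmp", "portrange 20-23"):
        print("%-22s -> request %s, reply %s, ssh %s" % (
            unit, *(unit_matches(unit, p) for p in (PING_REQUEST, PING_REPLY, SSH_ACK))))
```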

1.3 tcpdump example

(1). Default start

tcpdump

Started without arguments, tcpdump listens on the first network interface (excluding lo) and prints every packet seen there, so the output is very large and scrolls past quickly.

(2). Monitor the packets of the specified network interface

tcpdump -i eth1

If no interface is given, tcpdump listens only on the first network interface, for example eth0.

(3). Monitor the packets of the specified host, such as all packets entering or leaving longshuai

tcpdump host longshuai

(4). Print the data packets communicated between helios<-->hot or helios<-->ace

tcpdump host helios and \( hot or ace \)

(5). Print the IP packets communicated between ace and any other host, but not with helios

tcpdump ip host ace and not helios

(6). Capture all packets sent by the host hostname

tcpdump src host hostname

(7). Monitor all packets sent to the host hostname

tcpdump dst host hostname

(8). Monitor the packets of the specified host and port

tcpdump tcp port 22 and host hostname

(9). Monitor the udp 123 port of the machine (123 is the service port of ntp)

tcpdump udp port 123

(10). Monitor the packets of a specified network, for example those exchanged between the local machine and the 192.168 network; "-c 10" captures only 10 packets

tcpdump -c 10 net 192.168

(11). Print all FTP packets passing through the gateway snup (the expression is enclosed in single quotes so that the shell does not interpret the parentheses)

shell> tcpdump 'gateway snup and (port ftp or ftp-data)'

(12). Capture ping (ICMP) packets

[root@server2 ~]# tcpdump -c 5 -nn -i eth0 icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
12:11:23.273666 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
12:11:24.356915 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 11, length 64
12:11:24.356936 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 11, length 64
12:11:25.440887 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 12, length 64
5 packets captured
6 packets received by filter
0 packets dropped by kernel

To capture only the pings that the host 192.168.100.70 sends to the local machine, combine the conditions with the and operator.

[root@server2 ~]# tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.62

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:09:29.957132 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 1, length 64
12:09:31.041035 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 2, length 64
12:09:32.124562 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 3, length 64
12:09:33.208514 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 4, length 64
12:09:34.292222 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 5, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Note that "icmp src 192.168.100.70" cannot be written this way, because the icmp protocol qualifier cannot be applied directly to a host qualifier.

(13). Capture packets destined for local port 22

[root@server2 ~]# tcpdump -c 10 -nn -i eth0 tcp dst port 22  

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:06:57.574293 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 535528834, win 2053, length 0
12:06:57.629125 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 193, win 2052, length 0
12:06:57.684688 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 385, win 2051, length 0
12:06:57.738977 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 577, win 2050, length 0
12:06:57.794305 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 769, win 2050, length 0
12:06:57.848720 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 961, win 2049, length 0
12:06:57.904057 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1153, win 2048, length 0
12:06:57.958477 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1345, win 2047, length 0
12:06:58.014338 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1537, win 2053, length 0
12:06:58.069361 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1729, win 2052, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel

(14). Dump packet contents

[root@server2 ~]# tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:54.788812 IP (tos 0x0, ttl 64, id 19303, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
        0x0030:  0803 7844 0000 0000 0000 0000            ..xD........
12:15:54.842641 IP (tos 0x0, ttl 64, id 19304, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b68 4000 4006 a5d7 c0a8 6401 c0a8  .(Kh@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2d62 5010  d>....$&_...-bP.
        0x0030:  0801 7646 0000 0000 0000 0000            ..vF........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
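As an added example (not part of the original article), the following Python decodes the first -XX frame above back into the header fields tcpdump printed, and also shows what a capture length too small for the TCP header (see the -s option) looks like: the parser reports it the way tcpdump marks truncation, "[|tcp]".

```python
"""Decode the first frame that example (14) printed with -XX: rebuild the bytes from the
hex column, then walk the Ethernet, IPv4 and TCP headers so the fields tcpdump printed
(tos, ttl, id, flags [DF], proto, addresses, ports, Flags [.]) can be checked against the
raw bytes. A frame cut short by a small -s snaplen is reported as "[|tcp]". Added example."""
import re
import struct

# Hex dump of the first frame in example (14), copied from the article.
DUMP = """\
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
        0x0030:  0803 7844 0000 0000 0000 0000            ..xD........
"""
HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{4} ?){1,8})")
# TCP flag letters in the order tcpdump prints them inside "Flags [...]".
TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."),
             (0x20, "U"), (0x40, "E"), (0x80, "W"))


def dump_to_bytes(text):
    """Rebuild the raw frame from the hex column; the ASCII column is ignored."""
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m is None:
            continue
        if int(m.group(1), 16) != len(frame):
            raise ValueError("offset column out of sequence at: " + line.strip())
        frame += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(frame)


def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP and return the header fields as a dict."""
    if len(frame) < 14:
        raise ValueError("truncated: Ethernet header incomplete")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated: IPv4 header incomplete")
    ver_ihl, tos, total, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "tos": tos, "ttl": ttl, "id": ident, "length": total, "proto": proto,
            "df": bool(frag & 0x4000), "offset": (frag & 0x1FFF) * 8,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    if proto != 6:
        return info
    tcp = ip[(ver_ihl & 0x0F) * 4:]  # IHL is in 32-bit words
    if len(tcp) < 20:
        info["truncated"] = "[|tcp]"  # a snaplen too small for the TCP header
        return info
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    info.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                flags="".join(n for bit, n in TCP_FLAGS if off_flags & bit))
    return info


def decode_dump(text):
    """Hex dump text -> decoded header fields."""
    return parse_frame(dump_to_bytes(text))


def summary_line(info):
    """Render the fields in the one-line form tcpdump -nn uses, as in example (13)."""
    if "truncated" in info:
        return "IP %s > %s: %s" % (info["src"], info["dst"], info["truncated"])
    return "IP %s.%d > %s.%d: Flags [%s], ack %d, win %d" % (
        info["src"], info["sport"], info["dst"], info["dport"], info["flags"], info["ack"], info["win"])


if __name__ == "__main__":
    print(summary_line(decode_dump(DUMP)))
    print(summary_line(parse_frame(dump_to_bytes(DUMP)[:40])))  # as if captured with -s 40
```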
