Example of using tcpdump to capture network packets in Linux
tcpdump is a commonly used packet capture tool under the Linux command line. Record the usual methods. The test machine system is ubuntu 12.04.
Command format of tcpdump
There are many parameters of tcpdump. You can view the detailed description of tcpdump through man tcpdump. Here are only some of the parameters commonly used by the author:
tcpdump [-i NIC] -nnAX 'expression'
Each parameter is described as follows:
- -i: The network card the interface is listening on.
- -nn: Indicates that the source host and destination host are displayed in the form of ip and port, instead of host name and service.
- -A: Display packets in ascii, useful when scraping web data.
- -X: Packets will be displayed in hexadecimal and ascii.
- Expression: There are many kinds of expressions, the common ones are: host host; port port; src host packet sending host; dst host packet receiving host. Multiple conditions can be combined with and, or, and negation can be used! For more uses, see man 7 pcap-filter.
Let's test some commands. If you don't have permission, you can switch to the root user first.
Monitor network card eth0
$ tcpdump -i eth0
This method is the simplest, but it is not very useful, because basically only the information of the data packet can be seen on the screen, and it is not clear at all. You can use ctrl+c to interrupt and exit. file for easier viewing.
Listen to the data of the specified protocol
$ tcpdump -i eth0 -nn 'icmp'
This is the data used to monitor the icmp protocol, which is the protocol used by the ping command. Similarly, if you want to monitor the tcp or udp protocol, you only need to modify the icmp in the above example. Ping the monitored machine, the output is as follows:
An example of linux using tcpdump to capture packets
The meaning of each data representation of each row:
The time when the packet was captured IP sending host and port > Received host and port packet content
Listen to the specified host
$ tcpdump -i eth0 -nn 'host 192.168.1.231'
In this case, the packets received and sent by the host 192.168.1.231 will be captured.
$ tcpdump -i eth0 -nn 'src host 192.168.1.231'
In this way, only the packets sent by the host 192.168.1.231 will be captured.
$ tcpdump -i eth0 -nn 'dst host 192.168.1.231'
In this way, only the packets received by the host 192.168.1.231 will be captured.
listen on specified port
$ tcpdump -i eth0 -nnA 'port 80'
The above example is used to monitor all packets received and sent by the host's port 80. Combined with the -A parameter, it is really useful in web development.
Listen on the specified host and port
$ tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.231'
Multiple conditions can be connected with and, or. The above example means listening for packets sent by the host 192.168.1.231 through port 80.
listen on a port other than a certain port
$ tcpdump -i eth0 -nnA '!port 22'
If you need to exclude a port or host, you can use the "!" symbol. The above example means to listen for packets other than port 22.
summary:
This function of tcpdump has many parameters, and there are also many options for expressions, which are very powerful, but there are not many commonly used functions. For details, you can view the system manual through man.
In addition, when crawling the web package, the content of the web page is sent with very strange characters. It is found that the gzip compression is turned on by apache, so it is enough to turn off the gzip compression. Under ubuntu 12.04, edit the vim /etc/apache2/mods-enabled/deflate.load file, comment out the statement to load the module deflate_module, and then restart apache and it will be OK