Text interface packet capture tool - tcpdump

I. Command syntax

tcpdump [-AennqX] [-i interface] [-w file] [-c count] [-r file] [filter expression for the packets to capture]
Options and parameters:
-A: Display packet contents in ASCII; commonly used when capturing web (WWW) traffic
-e: Display the data link layer (MAC) header of each packet
-nn: Show IP addresses and port numbers directly instead of host names and service names
-q: Print shorter packet information, so each line is more concise
-X: Print packet contents in both hexadecimal and ASCII; useful for inspecting packet contents
-i: The network interface to monitor, such as eth0, lo, ppp0, etc.
-w: Store the captured packet data in the file named after this option
-r: Read packet data from the named file, which must already exist
-c: The number of packets to capture; without this option tcpdump keeps capturing
 
II. tcpdump applications
1. Obtain the data packets on the network card and display them by IP and port number
 
2. Capture the connection packets for port 21
Execute a command in a terminal to start capturing packets
Open another terminal to log in to an FTP server on the network. The packet capture process is shown in the screenshot above.

 
3. Capture packets for the SSH protocol
Execute a command in a terminal to start capturing packets
Open another terminal and execute the ssh login command. The packet capture process is shown in the screenshot above. The capture result shows the three-way handshake of the TCP connection.
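
Added example, not part of the original article: one way to run the three captures above and to pick the TCP three-way handshake out of `tcpdump -nn` text output. The interface name eth0, the helper names sample_capture and handshakes, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Capture commands matching the three applications (run as root; eth0 is assumed):
#   tcpdump -i eth0 -nn            # 1. show packets by IP and port number
#   tcpdump -i eth0 -nn port 21    # 2. FTP control connection
#   tcpdump -i eth0 -nn port 22    # 3. SSH
# Add "-w file" to store a capture and "-r file" to read it back later.

# Constructed sample of "tcpdump -nn port 22" output (documentation addresses).
sample_capture() {
cat <<'EOF'
10:15:01.000100 IP 192.0.2.10.51514 > 198.51.100.5.22: Flags [S], seq 1000, win 64240, length 0
10:15:01.000350 IP 198.51.100.5.22 > 192.0.2.10.51514: Flags [S.], seq 5000, ack 1001, win 65160, length 0
10:15:01.000400 IP 192.0.2.10.51514 > 198.51.100.5.22: Flags [.], ack 1, win 502, length 0
10:15:01.010000 IP 198.51.100.5.22 > 192.0.2.10.51514: Flags [P.], seq 1:22, ack 1, win 510, length 21
10:15:02.000000 IP 192.0.2.77.40000 > 198.51.100.5.22: Flags [S], seq 7000, win 64240, length 0
EOF
}

# Read tcpdump -nn lines on stdin and print "client server state" per connection.
# State advances SYN -> SYN-ACK -> ESTABLISHED; a connection left at SYN or
# SYN-ACK never completed the handshake (closed, filtered or unreachable port).
handshakes() {
  awk '
  $2 == "IP" && $4 == ">" {
    src = $3
    dst = $5; sub(/:$/, "", dst)        # drop the trailing colon after the port
    flags = $7; sub(/,$/, "", flags)    # "[S]," -> "[S]"
    fwd = src " " dst; rev = dst " " src
    if (flags == "[S]") {               # step 1: client sends SYN
      if (!(fwd in state)) order[++n] = fwd   # retransmitted SYNs count once
      state[fwd] = "SYN"
    } else if (flags == "[S.]" && state[rev] == "SYN") {
      state[rev] = "SYN-ACK"            # step 2: server answers SYN+ACK
    } else if (flags == "[.]" && state[fwd] == "SYN-ACK") {
      state[fwd] = "ESTABLISHED"        # step 3: client sends the final ACK
    }
  }
  END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }'
}

sample_capture | handshakes
```

On a live system, pipe a saved capture into the function instead, for example `tcpdump -nn -r file | handshakes`.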

 
 
