Security technology and iptables firewall


Security technology

  • Intrusion Detection System (IDS):
    Does not block any traffic. It quantifies and locates threats from inside and outside the network, raises alerts and supports after-the-fact review, and provides input for targeted countermeasures and security decisions. Like a CCTV system it is normally deployed out of band, on a mirror/SPAN port or a tap (it watches silently).
  • Intrusion Prevention System (IPS):
    Works in transparent (inline) mode. It inspects packet contents for overflow attacks, denial of service, Trojans, worms, exploitation of known vulnerabilities and so on, and blocks the traffic as soon as an attack is identified. Because it must be able to drop packets it is deployed inline, in the traffic path (the only way).
  • Firewall:
    Provides isolation. It sits at the edge of a network or on a host, checks packets entering and leaving against a rule set, and applies the action defined by the first matching rule. Most deployments close everything by default and open only the access that is explicitly allowed; hosts that must be reachable from the outside are placed in a DMZ (demilitarized zone) segment.
  • Waterproof wall (water wall)
    In the broad sense a water wall is the counterpart of a firewall: a security product that prevents leakage of internal information (a data leakage prevention product).
    Networks, peripheral interfaces, storage media and printers together form all the channels through which information can leak. The water wall covers these four channels before, during and after the event. Together with anti-virus and perimeter security products it forms a complete network security system.
    (The author compares this to Huawei's eNSP: it works opaquely, everything you do is recorded, and you are not aware of it.)

Layer              Filters on   Typical device
Transport layer    port         firewall
Network layer      IP           router (layer 3)
Data link layer    MAC          switch

By scope of protection:
host firewall: protects the current host only;
network firewall: protects the LAN on one side of the firewall.

By implementation:
hardware firewall: part of the functionality is implemented in dedicated hardware, the rest in software,
for example: Huawei, Hillstone, Topsec (Tianrongxin), Venustech, NSFOCUS, Sangfor, Palo Alto, Fortinet, Cisco, Check Point, NetScreen (acquired by Juniper for about USD 4 billion in 2004), etc.
software firewall: firewall software running on a general-purpose hardware platform, e.g. Windows Firewall.

By network layer:
network layer firewall: operates on OSI layers 3 and 4 (IP and TCP/UDP headers), also known as a packet filtering firewall;
application layer firewall / proxy server: a proxy gateway operating on OSI layer 7.

Packet filtering firewall
At the network layer, packets are selected according to the filtering logic configured in the system,
called an access control list (ACL): the source address, destination address, port numbers and protocol state
of each packet in the stream (or a combination of them) are checked to decide whether the packet may pass.

Advantages: transparent to users, fast, easy to maintain.
Disadvantages: cannot inspect application layer data, so it cannot detect viruses and similar content.

Application layer firewall
An application layer firewall / proxy firewall, also called a proxy server,
splits every connection that crosses the firewall into two segments:
internal and external users talk only to the proxy, and the proxy talks to the other side on their behalf.

Advantage: inspects data at the application layer, which is relatively safer.
Disadvantage: increases the load on the firewall.
Tip: firewalls used in production are generally a combination of the two: the network layer data is checked first, and only packets that pass are handed to the application layer for inspection.

Netfilter

The Linux firewall is provided by the Netfilter component. Netfilter works in kernel space and is integrated in the Linux kernel.
Netfilter is the firewall mechanism introduced with Linux 2.4 (replacing ipchains) and is a subsystem of the Linux kernel.
Netfilter is modular and extensible, providing a structured low-level framework (hooks in the IP stack) on which network services are built.
Netfilter integrates with the IP protocol stack and allows packets to be filtered, address-translated and otherwise processed.
Netfilter official website documentation: https://netfilter.org/documentation/

Introduction to firewall tools

iptables

The command-line tool provided by the iptables package works in user space and is used to write rules; the rules are passed to netfilter to tell the kernel how to process packets.

[root@localhost ~]# iptables --version
iptables v1.4.21

firewalld

A newer front-end management tool, introduced with CentOS 7. Packages:
firewalld
firewall-config

Management tools:
firewall-cmd: command line tool
firewall-config: graphical tool

nftables


nftables is the default firewall back end since CentOS 8. It was first presented at the Netfilter Workshop 2008 in Paris, France, and released in March 2009 by long-time netfilter core team member and project leader Patrick McHardy. It was merged into the Linux kernel for release 3.13 (January 2014).

It reuses many parts of the netfilter framework, such as connection tracking and NAT, and keeps the nomenclature and
several parts of the basic iptables design, such as tables, chains and rules. As in iptables, tables are containers for chains, and chains contain the individual rules that
can perform actions such as dropping a packet, moving on to the next rule, or jumping to another chain.
From the user's perspective nftables adds a single tool, nft, which replaces iptables, ip6tables, arptables and ebtables. Architecturally it also replaces the kernel parts that evaluate packet filtering rule sets at run time.

Overview of the composition of iptables

The Linux firewall works mainly at the network layer, filtering and restricting IP packets; it is a typical packet filtering (network layer) firewall.
It is implemented in the kernel, which makes it stable and efficient, and is therefore widely used.

netfilter/iptables: the IP packet filtering system, which actually consists of two components, netfilter and iptables.
It works mainly at the network layer, on IP packets, by acting on information such as the IP addresses and ports in the packet.

Five-tuple of a connection: source IP, destination IP, source port, destination port, protocol (tcp/udp)
SCTP: a protocol that carries several independent streams between two endpoints at once; the service it provides sits between UDP and TCP.
Four-tuple: source/destination IP and source/destination port.

The relationship between netfilter and iptables

netfilter:
The firewall subsystem that lives in "kernel space".
Much of Linux is split between kernel mode and user mode;
operations staff mostly work in user mode and rarely touch the kernel, which
is mainly the concern of developers. netfilter is part of the kernel and
consists of a number of packet filtering tables; these tables hold the rule sets the kernel uses to decide how to process packets.

iptables:
The firewall management tool that lives in "user space".
It is the command used to manage the Linux firewall, making it easy to insert, modify and delete rules in the packet filtering tables; the binary is normally /usr/sbin/iptables (/sbin/iptables on older systems).
netfilter/iptables is usually just called iptables.
iptables manages a kernel-based firewall with the built-in rule tables raw, mangle, nat and filter (plus security where an LSM is used).
Rules take effect immediately when added; no service restart is needed.

Introduction to the four-table and five-chain structure of iptables

iptables is organised into tables, chains and rules (commonly summarised as "four tables and five chains"; a fifth table, security, exists for SELinux/LSM rules and is outside the scope of this discussion)


Four tables: filter, nat, mangle, raw

filter: packet filtering table; filters packets according to the configured rules. The default table.
nat: network address translation table.
mangle: table for modifying packet headers and marks.
raw: table for exempting packets from connection tracking, which speeds up their passage through the firewall.

#security is also a table
security: used for Mandatory Access Control (MAC) network rules, implemented by a Linux security module such as SELinux. #for understanding only

Order in which a packet traverses the tables on a hook, from first to last:
raw --> mangle --> nat --> filter --> security
(the security table hooks in after filter; source NAT in POSTROUTING runs after that)

Four tables
iptables rules are organised into four tables:
filter table: filters packets; controls which packets are accepted or rejected on the way in and out.
nat table: network address translation; rewrites the source or destination address of packets so that different networks can be connected.
mangle table: modifies packet header fields such as TTL and ToS/QoS marks.
raw table: controls connection tracking; can mark packets so that subsequent tracking is skipped (NOTRACK).

Besides the four tables, iptables has five chains:

PREROUTING chain: rules processed when a packet arrives, before the routing decision.
INPUT chain: rules for packets addressed to this host.
FORWARD chain: rules for packets routed through this host to another host.
OUTPUT chain: rules for packets generated by this host.
POSTROUTING chain: rules processed after the routing decision, just before the packet leaves.

In iptables, "routing" means the kernel's routing decision: based on the destination address, is the packet for this host (INPUT) or is it to be forwarded out of another interface (FORWARD)?

These tables and chains can be compared to a checkpoint through which packets need to pass to be accepted or rejected.
These rules help us ensure the security and stability of the network.


The transmission process of data packets in the kernel

  1. When a packet arrives on the network card it first enters the PREROUTING chain; the kernel then decides, based on the destination IP, whether the packet is for this host or must be forwarded.

  2. If the packet is for this host it moves down to the INPUT chain.
     After a packet passes the INPUT chain it is delivered to the local process. Programs running on this host can also send packets; these go through the OUTPUT chain and then the POSTROUTING chain.

  3. If the packet is to be forwarded, and the kernel allows forwarding (net.ipv4.ip_forward=1), it moves across to the FORWARD chain and then to the POSTROUTING chain on its way out.

Three packet flows:
inbound to this host: PREROUTING --> INPUT --> user space process (e.g. the httpd service)
outbound from this host: user space process --> OUTPUT --> POSTROUTING
forwarded: PREROUTING --> FORWARD --> POSTROUTING

nat PREROUTING: destination address translation (DNAT); the public address the outside world connects to is rewritten to the internal server address. Used to publish internal services.
nat POSTROUTING: source address translation (SNAT); the internal address is rewritten to a public address so that internal hosts can reach the Internet.

Matching order within a chain:
rules are checked top to bottom and evaluation stops at the first match (the exception is the LOG target, which only records a log entry and lets the packet continue to the next rule).
If no rule matches, the chain's default policy applies (unless changed, the default policy is ACCEPT).

Summary:
Four tables and five chains
Rule tables hold rule chains; rule chains hold firewall rules.
In short: chains live in tables, rules live in chains.

iptables installation

CentOS 7 uses firewalld by default and does not ship with the iptables service. To use iptables as the firewall, stop firewalld first, then install the iptables service.

1. Stop and disable firewalld

systemctl stop firewalld.service
systemctl disable firewalld.service

2. Install the iptables firewall service

yum -y install iptables iptables-services

3. Start iptables and enable it at boot

systemctl start iptables.service
systemctl enable iptables.service

4. Ways to configure the iptables firewall:
1. Use the iptables command line.
2. Use system-config-firewall; this exists on CentOS 6 but not on CentOS 7.

Command format of iptables

iptables [-t table] management-option [chain] [matching conditions] [-j target]

-t table: the table to operate on; if omitted, the filter table is used.
chain: the chain within that table.

Management option: the operation to perform on the rules, such as insert, append, delete, list;
matching conditions: the characteristics of the packets to act on; packets that do not meet the conditions are not affected;
target (control type): how a matching packet is handled, e.g. accept, reject, drop.

Note:
When no table is given, the filter table is used.
When no chain is given, the operation applies to all chains in the table (for -L, -F, -Z, -S); in practice a chain is almost always named.
Except when only the default policy of a chain is being set (-P), the management option, chain name, matching conditions and target must all be specified.
Chain names and targets are written in uppercase, everything else in lowercase.

Common Control Types for Packets

For a firewall the target (control type) is critical: it decides whether a packet is passed, blocked, or logged.
The most commonly used targets in iptables are:
ACCEPT: let the packet through.
DROP: discard the packet silently, without any response to the sender.
REJECT: refuse the packet and send an error back to the sender (by default ICMP port-unreachable; --reject-with selects another, e.g. tcp-reset).
SNAT: rewrite the source address of the packet (nat table, POSTROUTING chain).
DNAT: rewrite the destination address of the packet (nat table, PREROUTING/OUTPUT chains).
LOG: write the packet to the kernel log (on CentOS, rsyslog puts it in /var/log/messages), then continue with the next rule.

Common management options for iptables commands

Management option and example usage

-A  append a rule at the end of the chain            iptables -A INPUT ...           (modify)
-I  insert a rule; without a number, as rule 1       iptables -I INPUT 1 ...         (modify)
-P  set the default policy of a chain                iptables -P OUTPUT ACCEPT       (modify)
-D  delete a rule, by number or by content           iptables -D INPUT 2             (modify)
-R  replace the rule at a given position             iptables -R INPUT 1 -p icmp -j REJECT   (modify)
-L  list rules                                       iptables -t nat -L              (view)
-n  show addresses and ports numerically (0.0.0.0/0 instead of anywhere, 22 instead of ssh); faster because no DNS lookups are made   iptables -L -n, iptables -nL, iptables -vnL   (view)
-v  verbose: show interfaces and packet/byte counters, usually combined with -L   (view)
--line-numbers  number the rules when listing        iptables -t nat -nL --line-numbers   (view)
-F  flush: delete all rules in a chain (all chains of the table if no chain is given)   iptables -F   (modify)
-X  delete an empty user-defined chain; built-in chains are not affected   iptables -X   (modify)
-Z  zero the packet and byte counters of a chain     iptables -Z   (modify)
-S  print the rules in iptables-save syntax; optionally one chain, or one rule given as chain and number   iptables -S INPUT 1   (view)

Matching conditions
-p  protocol of the packet (tcp, udp, icmp, all)
-s  source IP address or network
-d  destination IP address or network
-i  interface the packet arrived on (INPUT, FORWARD, PREROUTING)
-o  interface the packet leaves by (OUTPUT, FORWARD, POSTROUTING)
--sport  source port (requires -p tcp or -p udp)
--dport  destination port (requires -p tcp or -p udp)

add rule

Two common options for adding rules:
-A, append the rule at the end of the chain.
-I, insert the rule at the given position; with no position it becomes the first rule.
Both -A and -I add rules: the former appends, the latter inserts.
For example, to add a rule at the end of the filter table's INPUT chain (matching on protocol with "-p"):

iptables -F                                       # flush rules
# with no table and chain given, all rules of all chains in the filter table are flushed
iptables -t filter -A INPUT -p icmp -j REJECT     # no host can ping this machine
iptables -t filter -A INPUT -p icmp -j ACCEPT     # appended after the previous rule, so it is never reached: the REJECT matches first
iptables -t filter -I INPUT 1 -p icmp -j ACCEPT   # insert at position 1; now ping is allowed again
iptables -t filter -A INPUT -p tcp -j REJECT      # reject all TCP from any host
iptables -I INPUT 1 -p udp -j ACCEPT              # allow UDP from any host
iptables -nL --line-numbers                       # show the rules with their position numbers
iptables -t filter -A INPUT -s 192.168.154.11 -p icmp -j REJECT                 # reject ping from one host; others can still ping
iptables -t filter -A INPUT -s 192.168.154.11,192.168.154.21 -p icmp -j REJECT  # several hosts; iptables expands this into one rule per address
iptables -t filter -A OUTPUT -d 192.168.154.11 -p icmp -j REJECT                # this host cannot ping 192.168.154.11 (in OUTPUT, -s would only match this host's own addresses)
iptables -t filter -A INPUT -p tcp --dport 22 -j REJECT                         # reject a specific port (SSH) from everyone
iptables -t filter -A INPUT -s 192.168.154.11 -p tcp --dport 22 -j REJECT       # reject SSH from one address only
iptables -t filter -A INPUT -s 192.168.154.11 -p tcp --dport 80 -j REJECT       # 192.168.154.11 may not reach port 80 on this host (192.168.154.21)

delete rule

-D delete:
1. Delete by rule number

[root@localhost ~]# iptables -D INPUT 1   # delete the first rule of the INPUT chain

2. Delete by content. If two identical rules exist, only the one with the lower number is deleted (repeating the command removes the next duplicate).

[root@localhost ~]# iptables -D INPUT -p icmp -j REJECT   # deletes the lower-numbered match

Demonstration: the lower-numbered duplicate is removed first

[root@localhost ~]# iptables -t filter -A INPUT -p icmp -j REJECT
[root@localhost ~]# iptables -t filter -A INPUT -p icmp -j ACCEPT
[root@localhost ~]# iptables -t filter -A INPUT -p icmp -j REJECT
[root@localhost ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@localhost ~]# iptables -D INPUT -p icmp -j REJECT   # first deletion removes rule 1
[root@localhost ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
2 REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@localhost ~]# iptables -D INPUT -p icmp -j REJECT   # second deletion removes the remaining REJECT
[root@localhost ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Note: deleting by content removes only one rule per command, the lowest-numbered rule with exactly that content.
Duplicates are therefore removed one at a time until the last one is gone.
The rule must exist and must match exactly (same matches and target), otherwise iptables reports an error.

Modify rules (not recommended)

-R replaces a rule in place.
To be safe, add the new rule first, verify that it has no adverse effect, and only then delete the old rule; this achieves the same result as a replacement.

[root@localhost ~]# iptables -t filter -A INPUT -p icmp -j ACCEPT
[root@localhost ~]# iptables -nL INPUT --line-numbers   # list rules
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

[root@localhost ~]# iptables -R INPUT 1 -p icmp -j REJECT   # replace rule 1
[root@localhost ~]# iptables -nL INPUT --line-numbers   # ACCEPT has been replaced by REJECT
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Modifying the default policy:
The default policy is the policy of each built-in chain. In the filter table, INPUT, FORWARD and OUTPUT default to ACCEPT, which behaves like a blacklist: everything is allowed unless a rule explicitly denies it (DROP or REJECT).

[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -t filter -A INPUT -p icmp -j ACCEPT   # with policy DROP, each ACCEPT rule opens one permission, i.e. a whitelist

1. -F only flushes the rules in the chains; it does not reset the policy set with -P. The policy has to be changed back manually.
2. After setting -P INPUT DROP, be very careful with -F!
# If the rule that allows your remote connection is flushed, the host can no longer be reached remotely. As long as the rules were not saved, a reboot restores the previous state.

There are three ways out at that point:
first: the rules were only set at run time and never saved, so rebooting the server brings the saved rules back;
second: restart the iptables service from the console, which reloads the saved rules;
third: walk into the machine room, work on the console, restore the settings and redo the rules (the painful one).

A practical safeguard: add the rule that allows your own management connection (e.g. SSH from the admin network, plus ESTABLISHED,RELATED traffic) before changing the policy to DROP, and save the rules only after confirming from a second session that you can still log in.

In production the INPUT policy is DROP (whitelist).
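The "add rule" examples above and the default-policy discussion both boil down to one thing: rule order under a DROP policy. The following script is an added example, not code from the original post. It generates a stateful INPUT whitelist in iptables-restore format (going beyond the page's examples by using the conntrack, multiport and limit extensions) and applies it with an automatic rollback, so that a mistake does not cost you the SSH session. The admin network 192.168.154.0/24, the ports 22/80/443 and the paths under /run are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a stateful INPUT whitelist in
# iptables-restore format, and a lockout-safe way to apply it.
# Assumptions (hypothetical, not stated on the page): SSH is on port 22, the
# admin network is 192.168.154.0/24, public services are 80 and 443.

# build_whitelist_ruleset ADMIN_NET TCP_PORTS
#   ADMIN_NET  network allowed to reach SSH, CIDR form
#   TCP_PORTS  comma-separated list of public TCP ports
# Prints a filter-table rule set; the rule order is the point of the example.
build_whitelist_ruleset() {
    admin_net="$1"
    svc_ports="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback first: local services (resolver, database sockets) depend on it
-A INPUT -i lo -j ACCEPT
# 2. replies to connections this host opened, plus related traffic (ICMP errors, FTP data)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. packets conntrack cannot classify (bad TCP flags, out-of-window) are dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. SSH only from the admin network; placed before the public ports on purpose
-A INPUT -s ${admin_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 5. public services: one multiport rule instead of one rule per port
-A INPUT -p tcp -m multiport --dports ${svc_ports} -m conntrack --ctstate NEW -j ACCEPT
# 6. answer ping, rate-limited so the host cannot be used for flood amplification
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
# 7. LOG is non-terminating: what reaches here is logged and then hits the DROP policy
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# safe_apply RULESET_FILE [GRACE_SECONDS]
#   Backs up the running rules, loads the new set, and restores the backup
#   automatically after GRACE_SECONDS unless the operator kills the timer.
#   This is the guard against "-P INPUT DROP, then the SSH session dies".
safe_apply() {
    file="$1"
    grace="${2:-60}"
    backup="/run/iptables.pre-apply.$$"
    # --test parses the file without committing, catching typos before they bite
    iptables-restore --test < "$file" || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$grace" && iptables-restore < "$backup" && rm -f "$backup" ) &
    echo "$!" > /run/iptables.rollback.pid
    iptables-restore < "$file"
    echo "applied $file; confirm within ${grace}s: kill \$(cat /run/iptables.rollback.pid)"
}

case "${1:-print}" in
    print) build_whitelist_ruleset 192.168.154.0/24 80,443 ;;
    apply) build_whitelist_ruleset 192.168.154.0/24 80,443 > /run/iptables.new
           safe_apply /run/iptables.new 60 ;;
esac
```

Run it without arguments to review the generated rule set; run it as root with `apply` to load it, then confirm from a second SSH session by killing the rollback timer. If the new rules cut you off, the previous rules come back on their own after the grace period, and because nothing was written to /etc/sysconfig/iptables a reboot also restores the saved state.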

Universal matching:
network protocol, IP address, network interface and similar conditions.
Protocol match: -p protocol-name
Address match: -s source address, -d destination address
# an IP, a network in CIDR form, a host name (resolved once, when the rule is added), or omitted (any address)
Interface match: -i inbound interface, -o outbound interface
An exclamation mark "!" negates a match

Network protocol:

[root@localhost ~]# iptables -A INPUT ! -p icmp -j ACCEPT   # accept every protocol except icmp
# On its own this has no visible effect: icmp does not match the rule and falls through to the default policy, which is still ACCEPT. The negation only becomes effective once the policy is changed.
[root@localhost ~]# iptables -P INPUT DROP   # now icmp is dropped and everything else is still accepted
# Other services are unaffected. But if the rules are now flushed, every protocol is DROPped:
[root@localhost ~]# iptables -F
# and the only way back in is the (virtual machine) console or a reboot

IP address:

[root@localhost ~]# iptables -A INPUT -s 192.168.233.22 -j DROP   # drop everything from 192.168.233.22
Network interface:
[root@localhost ~]# iptables -I INPUT 1 -i ens33 -s 192.168.233.0/24 -j DROP   # drop everything from 192.168.233.0/24 arriving on interface ens33
# blocking one port for a whole network segment:
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.233.0/24 -p tcp --dport 80 -j REJECT   # the whole segment is refused access to port 80

The ICMP match
The ICMP type can be given as a name or as a number:

ICMP type                      Meaning
echo-request (type 8)          ping request
echo-reply (type 0)            ping reply
destination-unreachable (type 3)   target unreachable

[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type 8 -j REJECT   # reject incoming requests: other hosts cannot ping this machine, but this machine can still ping others

[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type 0 -j REJECT   # reject incoming replies: this machine's own pings get no answer
# Other hosts can still ping this machine, because their requests and our replies are not blocked; only our own pings are affected.

[root@localhost ~]# iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT   # accept destination-unreachable, so that when this machine's ping is rejected by another host it sees "destination unreachable". Only meaningful if the other host (e.g. 192.168.154.23) rejects with a rule like the one below; for understanding only
[root@localhost ~]# iptables -A INPUT -s 192.168.154.10 -p icmp -j REJECT   # on the other host: reject ping from 192.168.154.10

Extension matches (-m)

1. Multiport match
Extension matches must be loaded explicitly with "-m module"; they include multiport, MAC address, IP range, connection state and others.
-m multiport --sports source-port-list
-m multiport --dports destination-port-list
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dports 80,22,21,20,53 -j REJECT
multiport match: reject several TCP ports with one rule

[root@localhost ~]# iptables -A INPUT -p udp -m multiport --dports 53,54,55 -j ACCEPT
multiport match: allow several UDP ports with one rule

IP range match

-m iprange --src-range source IP range
-m iprange --dst-range destination IP range
[root@localhost ~]# iptables -A INPUT -p icmp -m iprange --src-range 192.168.233.20-192.168.233.30 -j REJECT
# hosts in that address range cannot ping this machine

Backup and restore iptables rule settings

Rules set with the iptables command are held only in the kernel. When the server reboots or the iptables service restarts, they are lost and the saved rule set is loaded instead. Back up a rule set that has been tested and meets your needs, and restore it when necessary.

Back up the iptables rules

Format: iptables-save > file

[root@localhost ~]# iptables-save > /opt/iptables.bak

Restore the saved rules as the current rule set

[root@localhost ~]# iptables-restore < /opt/iptables.bak

Changing the rules the iptables service loads

The iptables service (package iptables-services) loads its rules from /etc/sysconfig/iptables at start.

Copy a backup into that file: cat /opt/iptables.bak > /etc/sysconfig/iptables
# This does not change the running rules; it only changes what is loaded at the next service start or reboot. Alternatively, "service iptables save" writes the current running rules into this file.

[root@localhost opt]# systemctl restart iptables   # the file's contents take effect after the restart; be careful, take a snapshot first so you can roll back

Custom chains
Custom chains are created with: iptables -N custom (create a chain named custom)

Rename a custom chain: iptables -E custom test (rename custom to test)

Add a rule to the custom chain: iptables -t filter -I test -p icmp -j REJECT
A custom chain is only evaluated when a built-in chain jumps to it, so a jump rule is needed before it takes effect:

Jump from the built-in chain to the custom chain: iptables -t filter -I INPUT -p icmp -j test

Delete a custom chain: first remove the jump rule in the INPUT chain, then the rules inside the custom chain.
iptables -D INPUT 1
iptables -D test 1   (or iptables -F test to empty the chain)

Then iptables -X test deletes the chain; -X refuses if the chain is still referenced by a jump or is not empty.
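The create/jump/delete sequence above is easy to get wrong by hand (a second run appends duplicate rules, -X fails while a jump still exists). The script below is an added example, not from the original post: it wraps the same -N, -A, -I, -C, -D, -F and -X operations in an idempotent setup and a correctly ordered teardown for a hypothetical SSH_GUARD chain. The chain name, the admin network 192.168.154.0/24 and the IPT variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a user-defined chain that holds
# all SSH handling, with an idempotent setup and a teardown in the order
# iptables requires. Hypothetical names: chain SSH_GUARD, admin network
# 192.168.154.0/24. IPT can be overridden (IPT=echo) to print the commands.
IPT="${IPT:-iptables}"
CHAIN="SSH_GUARD"

# ssh_guard_setup ADMIN_NET
ssh_guard_setup() {
    admin_net="$1"
    # -N fails if the chain already exists; tolerate that so reruns are safe
    $IPT -N "$CHAIN" 2>/dev/null || true
    # start from an empty chain so reruns do not append duplicates
    $IPT -F "$CHAIN"
    $IPT -A "$CHAIN" -s "$admin_net" -j ACCEPT
    # LOG does not terminate: the packet falls through to the REJECT below
    $IPT -A "$CHAIN" -m limit --limit 3/min -j LOG --log-prefix "SSH-GUARD: "
    # tcp-reset instead of the default ICMP port-unreachable: clients fail fast
    $IPT -A "$CHAIN" -j REJECT --reject-with tcp-reset
    # -C checks whether the jump rule exists; add it only once, at position 1
    $IPT -C INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null \
        || $IPT -I INPUT 1 -p tcp --dport 22 -j "$CHAIN"
}

# ssh_guard_teardown: the order matters, -X refuses a chain that is still
# referenced by a jump rule or that still contains rules
ssh_guard_teardown() {
    $IPT -D INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    $IPT -X "$CHAIN"
}

case "${1:-}" in
    setup)    ssh_guard_setup "${2:-192.168.154.0/24}" ;;
    teardown) ssh_guard_teardown ;;
    *)        echo "usage: $0 setup [ADMIN_NET] | teardown" >&2 ;;
esac
```

`IPT=echo sh ssh_guard.sh setup` prints the iptables invocations instead of executing them, which is a cheap way to review a change before running it as root. Keeping the SSH logic in its own chain means `iptables -vnL SSH_GUARD` shows counters for exactly that traffic, and the chain can be rebuilt without touching the rest of INPUT.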

SNAT and DNAT

SNAT stands for source network address translation.
When an internal host accesses the outside, the internal source IP of the connection is rewritten to a specified address
(optionally only for specific protocols, ports or port ranges). This lets hosts with private addresses reach the external network:
many hosts on the intranet share one valid public IP address.

In short: the internal address is replaced by a specified address that is routable on the public network.

DNAT, destination network address translation, maps a public address (and port) to an internal address: connections arriving at the firewall's public IP are redirected to an inside host.
Typically there are far fewer public addresses than internal hosts, so each published service is mapped on its own port.

A private address can only be used as a source address when talking to the public network; it cannot be used as a destination by hosts outside. Therefore
DNAT maps the web server in the private network to the public IP, so that outside hosts can use the public IP as the destination address to reach it.
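The following script is an added example, not from the original post, that puts the nat PREROUTING / POSTROUTING description and the SNAT/DNAT section above into a working gateway configuration. It also shows the two things the prose leaves implicit: NAT does not forward anything by itself (ip_forward and FORWARD rules are still needed), and the FORWARD chain sees the destination after DNAT, so its rule must match the internal address. The interfaces ens33/ens34, the public address 203.0.113.10 and the internal server 192.168.154.21 are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: a Linux host as NAT gateway.
# Hypothetical layout: WAN interface ens33 with public address 203.0.113.10,
# LAN interface ens34 on 192.168.154.0/24, internal web server 192.168.154.21.
# IPT can be overridden (IPT=echo) to print the commands instead of running them.
IPT="${IPT:-iptables}"
WAN_IF="ens33"
LAN_IF="ens34"
LAN_NET="192.168.154.0/24"

# nat_outbound [PUBLIC_IP]
#   SNAT for LAN hosts going out. With a fixed public address use SNAT;
#   with an empty argument fall back to MASQUERADE, which takes the address
#   of the outgoing interface at run time (dynamic/DHCP WAN address).
nat_outbound() {
    public_ip="$1"
    if [ -n "$public_ip" ]; then
        $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$public_ip"
    else
        $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
    # NAT only rewrites addresses; with FORWARD policy DROP the packets still
    # need explicit permission: LAN -> WAN out, and only replies back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# nat_publish PUBLIC_IP PUBLIC_PORT INTERNAL_HOST:PORT
#   DNAT in PREROUTING maps the public socket to the internal one.
nat_publish() {
    public_ip="$1"
    pub_port="$2"
    internal="$3"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$public_ip" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$internal"
    # FORWARD is evaluated after PREROUTING, so it sees the translated
    # destination: match the internal host and port, not the public ones.
    host="${internal%:*}"
    port="${internal#*:}"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# gateway_setup PUBLIC_IP: full configuration for the layout above
gateway_setup() {
    # without ip_forward the kernel never reaches the FORWARD chain
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    $IPT -P FORWARD DROP
    nat_outbound "$1"
    nat_publish "$1" 80 192.168.154.21:80
}

case "${1:-}" in
    setup) gateway_setup "${2:-203.0.113.10}" ;;
    *)     echo "usage: $0 setup [PUBLIC_IP]" >&2 ;;
esac
```

Note the asymmetry: outbound traffic is permitted by source network and interface pair, while published services are permitted per internal host and port, so a typo in the DNAT target cannot silently expose a different internal machine. Verify with `iptables -t nat -vnL` and `iptables -vnL FORWARD` that the counters of the DNAT rule and the matching FORWARD rule increase together.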

Application of tcpdump packet capture tool

Wireshark is a graphical analyser, used mostly on a workstation (it runs on Windows, Linux and macOS).

tcpdump is the command-line capture tool used on Linux systems.

[root@localhost opt]# tcpdump -i ens33 -t -s0 -c 100 -w ./target.cap 'tcp and dst port 80 and src net 192.168.154.0/24'
Filter expression: keywords such as ip, icmp, arp, rarp, tcp and udp select the packet type. The expression is the last argument; every option (-i, -c, -w, ...) must come before it.

-i ens33: capture only on interface ens33.

-t: do not print timestamps.

-s0: older tcpdump versions capture only the first 68 bytes of each packet by default; -s0 captures the complete packet.

-c 100: stop after 100 packets.

not dst port 22: exclude packets whose destination port is 22 (e.g. your own SSH session); this goes into the expression.

src net 192.168.154.0/24: the source network of the packet is 192.168.154.0/24. net: network segment, host: single host.

-w ./target.cap: save the raw packets to a file for analysis in Wireshark (formerly Ethereal).

Continuous capture to a file (runs until interrupted with Ctrl-C):

[root@localhost opt]# tcpdump -i ens33 -s0 -w ./ens33.cap

Origin blog.csdn.net/ll945608651/article/details/129939676