Use the tcpdump command to capture packets + detailed examples

Use the tcpdump command to capture packets

What is the tcpdump command

  1. Tcpdump intercepts the headers of packets transmitted on the network and decodes them. It supports filtering by network layer, protocol, host, network or port, and provides logical operators such as and, or and not to help you discard unwanted traffic.
  2. In short, tcpdump is a command-line tool for capturing packets.

How to use

Like other Linux commands, tcpdump takes parameters, and it is the parameters that unlock its power.

  1. tcpdump: run with no arguments, tcpdump monitors all packets flowing through the first network interface.
  2. tcpdump -i eth1: -i specifies the network interface to listen on; -i any listens on all interfaces.
  3. tcpdump host 210.27.48.1: capture packets to or from the specified IP
    1. tcpdump src host 210.27.48.1 (source address only)
    2. tcpdump dst host 210.27.48.1 (destination address only)
  4. tcpdump tcp port 23 and host 210.27.48.1: capture packets matching both the specified port and the specified IP
    1. tcpdump udp port 123
  5. tcpdump -i any tcp port 9080 -A -s 0: capture TCP port 9080 on all interfaces, printing packets in ASCII with no capture-length limit
  6. tcpdump -i any tcp port 9100 -w data.cap: capture packets on the specified port and write them to a file

Introduction to tcpdump command parameters

  1. -A: print each packet in ASCII (the link-layer header is not shown). Convenient for reading captured web page data.
  2. -c count: exit after receiving count packets.
  3. -d: print the compiled packet-matching code to standard output in human-readable form, then exit.
  4. -dd: print the packet-matching code as a C program fragment.
  5. -ddd: print the packet-matching code in decimal form.
  6. -e: include the data-link-layer header on each output line.
  7. -i interface: specify the interface that tcpdump should listen on.
  8. -s snaplen: set the capture length to snaplen bytes. If not set, the default is 68 bytes (on SunOS systems that support network interface taps, the default minimum is 96). 68 bytes is enough for IP, ICMP, TCP and UDP headers, but name service and NFS packets will be truncated. When a packet is truncated, the corresponding tcpdump output line shows `[|proto]`, where proto is the protocol layer at which truncation happened. Note that a large snaplen increases per-packet processing time and reduces the number of packets tcpdump can buffer, which leads to packet loss; so, as long as the packets you need are captured, the smaller the capture length the better. Setting snaplen to 0 lets tcpdump choose a length large enough to capture whole packets.
  9. -v: produce verbose output when decoding and printing, for example the time to live, identifier, total length and options of IP packets. This also enables extra integrity checks such as verifying IP and ICMP header checksums.
  10. -vv: produce more verbose output than -v. For example, additional fields of NFS reply packets are printed and SMB packets are fully decoded.
  11. -vvv: produce more verbose output than -vv. For example, the SB and SE options used by telnet are printed, and if telnet is also using a graphical interface, the corresponding graphical options are printed in hexadecimal.
  12. -w fileName: write raw packet data to the file instead of decoding and printing it.

Why

Packet capture is the ultimate weapon for troubleshooting problems!

Reference examples

Packet capture commands:

# Capture packets on all interfaces with TCP port 8080
tcpdump -i any tcp port 8080 -A -s 0
# Capture packets on all interfaces with port 514
tcpdump -i any port 514 -nnnvvvv
# Capture packets and save them to the local file syslog.pcap, which can be opened in Wireshark for analysis
tcpdump -i any port 514 -s0 -w ./syslog.pcap -nnnvvvv
# Capture ping packets (ping packets are ICMP packets)
tcpdump -i any icmp and host 192.168.1.1 -nn -vvv
# Capture packets whose IP is 192.168.1.1
tcpdump -i any host 192.168.1.1 -nn -vvv
# Capture packets whose IP is 192.168.1.1 or whose UDP port is 2500
tcpdump -i any host 192.168.1.1 or udp port 2500 -nn -vvv
# Capture packets on all interfaces with UDP port 4500
tcpdump -i any udp port 4500 -nn -vvv

any: capture on all interfaces, including the loopback (localhost) interface
-A: print packets as ASCII characters
-s 0: do not limit the capture length
tcpdump -i any -w data.cap: capture all packets to a file and analyze them in Wireshark
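The files written with -w above are in pcap format. The following is an added example, not code from the original post: a minimal pcap reader that decodes the IPv4/TCP/UDP headers of each record and flags packets that a small snaplen truncated (captured length shorter than the wire length), which is what the `[|proto]` marker in tcpdump's own output indicates. The two-packet capture is constructed inline; the helper names are the example's own.

```python
import struct

ETHERNET, LINUX_SLL = 1, 113          # link types tcpdump writes for -i eth0 / -i any
LINK_HDR = {ETHERNET: (14, 12), LINUX_SLL: (16, 14)}  # (header length, ethertype offset)

def parse_pcap(data):
    """Decode a little-endian pcap file; return one dict per captured record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    hdr_len, etype_off = LINK_HDR[linktype]
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, wirelen = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # caplen < wirelen is exactly the case tcpdump prints as [|proto]
        rec = {"caplen": caplen, "wirelen": wirelen, "truncated": caplen < wirelen}
        if len(pkt) >= hdr_len + 20 and struct.unpack_from("!H", pkt, etype_off)[0] == 0x0800:
            ip = pkt[hdr_len:]
            ihl = (ip[0] & 0x0F) * 4
            rec["proto"] = ip[9]                      # 6 = TCP, 17 = UDP, 1 = ICMP
            rec["src"] = ".".join(map(str, ip[12:16]))
            rec["dst"] = ".".join(map(str, ip[16:20]))
            l4 = ip[ihl:]
            if rec["proto"] in (6, 17) and len(l4) >= 4:  # ports are the first 4 bytes of TCP/UDP
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
        records.append(rec)
    return records

def _ipv4_packet(proto, src, dst, sport, dport, payload=b""):
    """Constructed sample frame: Ethernet + IPv4 + port header + payload (checksums left 0)."""
    l4 = struct.pack("!HHI", sport, dport, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def sample_pcap(snaplen=68):
    """Constructed two-packet capture, as if written by 'tcpdump -i eth0 -s 68 -w file'."""
    pkts = [_ipv4_packet(17, "192.168.1.1", "192.168.1.2", 40000, 514, b"<13>hello"),
            _ipv4_packet(6, "192.168.1.2", "10.0.0.5", 45000, 8080, b"GET / HTTP/1.0\r\n" * 5)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, ETHERNET)
    for p in pkts:
        cap = p[:snaplen]                              # the snaplen cut tcpdump applies
        out += struct.pack("<IIII", 0, 0, len(cap), len(p)) + cap
    return out
```

Run parse_pcap(sample_pcap()) to see the 51-byte syslog packet intact and the 122-byte HTTP packet cut to 68 bytes; with sample_pcap(snaplen=262144) nothing is truncated.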


Origin: blog.csdn.net/sunrj_niu/article/details/129538418