ifconfig (network interface configuration)
- eth0: the network interface (network card)
- UP: the interface is enabled
- RUNNING: the interface's network cable is connected (link is up)
- mtu 1500: the MTU (Maximum Transmission Unit) is the maximum length of a single packet transmitted on the network. The larger the MTU, the larger each packet can be and the higher the transmission efficiency.
- MULTICAST: the interface supports multicast.
- ether 14:7d:da:df:43:24: the MAC (physical) address
- inet (IP address): 192.168.2.108; netmask (subnet mask): 0xffffff00; broadcast (broadcast address): 192.168.2.255.
- media: autoselect: the network media type
- status: active: the activation status
tcpdump command
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ]
[ -m module ] [ -M secret ]
[ --number ] [ -Q in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ -Q packet-metadata-filter ] [ -Q in|out|inout ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
DESCRIPTION
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.
Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.
Commonly used options:
-nn: show IP addresses and port numbers directly instead of host names and service names.
-i: the network interface to listen on, such as eth0, lo or ppp0.
-w: write the captured packet data to the file named after it, for later analysis.
-c: the number of packets to capture; without it tcpdump keeps capturing until the user presses [ctrl]-c.
-A: print the packet contents in ASCII, usually used to capture WWW (web page) packets.
-e: print the data link layer (OSI layer 2) header, i.e. the MAC addresses, for each packet.
-q: print only brief packet information, so each output line is more concise.
-X: print the packet contents in both hexadecimal (hex) and ASCII, useful for inspecting packet payloads.
-r: read packet data from the named file. That file must already exist and was produced with -w.
Filter expression: by appending an expression we can capture only the packets of certain protocols or IP sources.
-vv: output more detailed packet information.
tcpdump & wireshark example
% nslookup baidu.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: baidu.com
Address: 39.156.66.10
Name: baidu.com
Address: 110.242.68.66
TCP packet capture
% sudo tcpdump -i en0 -nnvv -w tmp.cap
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C2415 packets captured
2415 packets received by filter
0 packets dropped by kernel
Visit Baidu over HTTPS:
Wireshark view
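Added example (not from the original notes): a small POSIX sh helper that turns the nslookup answers above into a tcpdump capture filter, so only HTTPS traffic to those addresses is written to the .cap file that is later opened in Wireshark. The function names, the 200-packet default and port 443 are my assumptions; the nslookup text is a constructed copy of the output shown above.

```shell
#!/bin/sh
# Added example: build a tcpdump filter from nslookup output and capture with it.

# Constructed copy of the nslookup output shown above, used as sample input.
NSLOOKUP_OUT='Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: baidu.com
Address: 39.156.66.10
Name: baidu.com
Address: 110.242.68.66'

# Print the answer addresses, one per line. The resolver's own line
# ("Address: 192.168.1.1#53") carries a port suffix, so it is skipped.
answer_addrs() {
    printf '%s\n' "$1" | awk '$1 == "Address:" && $2 !~ /#/ { print $2 }'
}

# Build a BPF expression matching TCP/443 to or from any answer address,
# e.g. "(host 39.156.66.10 or host 110.242.68.66) and tcp port 443".
# Returns 1 when the input contains no usable answer addresses.
https_filter() {
    hosts=$(answer_addrs "$1" | awk '{ printf "%shost %s", (NR > 1 ? " or " : ""), $1 }')
    [ -n "$hosts" ] || return 1
    printf '(%s) and tcp port %s\n' "$hosts" "${2:-443}"
}

# Capture with the flags the notes describe: -i interface, -nn numeric output,
# -c stop after N packets, -w write raw packets to a file. Needs root (sudo).
# Hypothetical wrapper; argument order is interface, output file, packet count.
capture_https() {
    iface=$1; outfile=$2; count=${3:-200}
    sudo tcpdump -i "$iface" -nn -c "$count" -w "$outfile" "$(https_filter "$NSLOOKUP_OUT")"
}

# Read a saved capture back (-r) with numeric addresses; -vv adds detail.
read_capture() {
    tcpdump -nn -vv -r "$1"
}

# Usage: capture_https en0 tmp.cap 200 && read_capture tmp.cap
```

The filter keeps the capture small, which also means the DNS lookup itself is not in the file; drop the "and tcp port 443" part if you want the full exchange.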