Linux packet capture tool——tcpdump

1 Introduction

Put simply, tcpdump does what its name says: it dumps the traffic on a network. It is a packet analysis tool that captures packets from a network interface according to a filter the user defines. tcpdump can capture the complete headers of packets transmitted on the network (and, with a large enough snapshot length, their payloads) and print a decoded summary of each one. Filters can select by network layer, protocol, host, network or port, and the logical operators and, or and not let you drop the traffic you do not care about.

Something even simpler is: capture the data stream passing through a network interface.

Even simpler: capture packets.

2 tcpdump and Wireshark

Wireshark (formerly Ethereal) is a very easy-to-use graphical packet capture and analysis tool. It runs on Linux as well as Windows, but a typical Linux server has no graphical desktop to run it on, and you rarely want to install a GUI on a production host just to look at traffic.

Fortunately we still have tcpdump, which is installed or installable almost everywhere. The usual combination is tcpdump + Wireshark: capture packets on the Linux host with tcpdump and write them to a file, copy the file to a workstation (Windows or otherwise), and analyze the packets there in Wireshark.

3 Example command

tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.1.0/24'

(1)tcp: protocol keywords such as ip, icmp, arp, rarp, tcp and udp are part of the filter expression, which selects the type of packets to capture. The expression is everything on the command line that is not an option; on Linux, GNU getopt lets options appear after the expression as well, but the portable form is options first, then the expression as the last argument. Quoting the whole expression keeps the shell from touching characters like ! and the parentheses of more complex filters.

(2)-i eth1: Capture only packets passing through interface eth1

(3)-t: Do not print a timestamp on each output line

(4)-s 0: The snapshot length is the maximum number of bytes kept from each packet. Older tcpdump versions defaulted to 68 bytes, which is enough for headers but cuts off payloads; since tcpdump 4.0 the default is 262144 bytes, and -s 0 is accepted as a synonym for that default. Adding -s 0 makes sure the complete packet is captured whichever version you are running (note that it is lowercase -s; uppercase -S means something else, printing absolute TCP sequence numbers)

(5)-c 100: Capture only 100 packets, then exit

(6)dst port ! 22: Exclude packets whose destination port is 22, so that your own SSH session to the host does not flood the capture

(7)src net 192.168.1.0/24: Only packets whose source address lies in the network 192.168.1.0/24

(8)-w ./target.cap: Write the raw packets to a file in pcap format instead of decoding them on screen, for later analysis in Wireshark (formerly Ethereal). Because nothing is printed in this mode, -t has no effect on the file; it only matters when tcpdump decodes to the terminal
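Before copying target.cap to a workstation it is worth confirming that the snapshot length really kept whole packets. The following script is an added example written for this article, not code from the original post or from the tcpdump project: it reads the classic pcap container that tcpdump -w produces directly with struct, so it needs neither tcpdump nor Wireshark, and it reports every packet whose stored length is shorter than its original length, which is exactly what a too-small -s looks like in the file. The sample capture bytes in build_sample_pcap are constructed by hand for the demonstration (the 68-byte snaplen mirrors the old default mentioned above); only the lengths are meaningful, the frame contents are filler.

```python
"""Sanity-check a pcap file written by `tcpdump -w`.

Added example for this article, not code from the original post or from the
tcpdump project.  Parses the classic pcap container with struct and flags
packets that were cut short by the snapshot length (-s).  The sample capture
used when no file is given is constructed here by hand.
"""
import struct
import sys

GLOBAL_HEADER_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len

# Magic number as read little-endian from the first four bytes -> (endianness, timestamp unit)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "us"),  # written on a little-endian host, microsecond timestamps
    0xD4C3B2A1: (">", "us"),  # written on a big-endian host, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),  # big-endian, nanosecond timestamps
}


def parse_pcap(data: bytes) -> dict:
    """Parse a classic pcap blob and flag truncated packets.

    Every length is checked against the file size before it is used: a capture
    file handed to you for analysis is untrusted input like any other.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x}); pcapng is not handled here")
    endian, ts_unit = PCAP_MAGICS[magic]
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])

    packets = []
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError(f"partial record header at offset {off} (capture interrupted?)")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record at offset {off - RECORD_HEADER_LEN} has impossible lengths "
                             f"incl={incl_len} orig={orig_len} snaplen={snaplen}")
        if off + incl_len > len(data):
            raise ValueError(f"record at offset {off - RECORD_HEADER_LEN} runs past end of file")
        packets.append({
            "ts": ts_sec + ts_frac / (1e6 if ts_unit == "us" else 1e9),
            "incl_len": incl_len,
            "orig_len": orig_len,
            "truncated": incl_len < orig_len,   # the signature of a too-small -s
        })
        off += incl_len

    return {
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,       # 1 == LINKTYPE_ETHERNET
        "packets": packets,
        "truncated": sum(1 for p in packets if p["truncated"]),
    }


def build_sample_pcap(snaplen: int) -> bytes:
    """Constructed sample: two Ethernet frames of 60 and 1514 bytes, stored the
    way tcpdump -w stores them for the given snaplen.  Contents are filler."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    frames = [b"\x00" * 60, b"\xff" * 1514]
    out = bytearray(header)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]          # tcpdump keeps at most snaplen bytes
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def report(data: bytes) -> str:
    """Human-readable summary of a capture, one line per truncated packet."""
    info = parse_pcap(data)
    lines = [f"pcap v{info['version'][0]}.{info['version'][1]}, linktype {info['linktype']}, "
             f"snaplen {info['snaplen']}, {len(info['packets'])} packets, "
             f"{info['truncated']} truncated"]
    for i, p in enumerate(info["packets"]):
        if p["truncated"]:
            lines.append(f"  packet {i}: captured {p['incl_len']} of {p['orig_len']} bytes; "
                         f"re-run tcpdump with -s 0 (or a larger -s) to keep the payload")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:      # e.g. the target.cap from the article
            blob = f.read()
    else:
        blob = build_sample_pcap(68)             # the old 68-byte default, for demonstration
    print(report(blob))
```

Run it as `python3 pcapcheck.py ./target.cap` (the script name is arbitrary) on the file produced by the command above; with no argument it checks the built-in sample, where the 1514-byte frame is reported as truncated at 68 bytes. The parser rejects files whose record lengths exceed the declared snaplen or run past the end of the data rather than silently reading garbage, which is the behaviour you want from any tool that opens captures of unknown origin.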


Origin blog.csdn.net/QQ156881887/article/details/131494951