tcpdump packet capture command

Packet capture tools

1. Purpose:

(1) capture network protocol packets

(2) analyze network protocol packets

2. Categories:

(1) command-line tools, such as tcpdump

(2) graphical tools, such as Wireshark

3. Using the tcpdump command-line tool

3.1 Syntax: tcpdump [ -DenNqvX ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -w file ] [ expression ]

3.2 Option categories

Capture options

-c count: stop after capturing the given number of packets

-i interface: the interface to listen on; give the interface name directly after -i, e.g. -i ens33

-n: print addresses numerically instead of resolving them to host names

-nn: in addition to -n, also print port numbers numerically instead of as service names

Output options

-e: include the link-layer header (source MAC and destination MAC) on each output line.

-q: quick output. Print less protocol information so that each line is shorter.

-X: after the header, print the packet data in both hexadecimal and ASCII.

-XX: like -X, but more of the packet is printed (the link-layer header is included as well).

-v: produce verbose output when parsing and printing.

-vv: produce even more verbose output than -v.

-vvv: produce even more verbose output than -vv.

Other options

-D: list the interfaces available for capture

-F file: read the filter expression from a file

-w file: write the raw captured packets to a file instead of printing them, e.g. -w node1.cap

-r file: read packets from the given file instead of a live interface, e.g. tcpdump -r node1.cap

4. tcpdump expressions

A tcpdump expression consists of one or more "units". Each unit generally consists of a qualifier (modifier) followed by an ID (a number or a name). There are three kinds of qualifier:

type: specifies what kind of thing the ID refers to.

Possible values are host, net, port and portrange, e.g. "host foo", "net 128.3", "port 20", "portrange 6000-6008". The default type is host.

dir: specifies the transfer direction relative to the ID.

Possible values are src, dst, src or dst, and src and dst; the default is src or dst. For example, "src foo" matches packets whose source host is foo, "dst net 128.3" matches packets whose destination network is 128.3, and "src or dst port 22" matches packets whose source or destination port is 22.

proto: restricts the match to packets of a given protocol.

Common values are tcp, udp, arp, ip, ether, icmp and so on. If no protocol is given, all protocol types consistent with the rest of the unit are matched. For example, "tcp port 21", "udp portrange 7000-7009".

So the basic format of an expression unit is "proto dir type ID":

tcpdump [ options ] [not] proto dir type ID. Note that this order cannot be changed.

Besides units built from qualifiers and an ID, there are keyword units: gateway, broadcast, less, greater, and arithmetic expressions.

Units can be joined with the operators "and / &&", "or / ||" and "not / !" to build complex conditions. For example, "host foo and not port ftp and not port ftp-data" matches packets that involve host foo and whose port is neither ftp (port 21) nor ftp-data (port 20). The mapping between common port numbers and service names can be found in the /etc/services file on Linux.

Furthermore, repeated qualifiers can be omitted: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", i.e. TCP packets whose destination port is ftp, ftp-data or domain (port 53).

Parentheses "()" can be used to change the precedence of an expression, but note that the shell also interprets parentheses, so they must be escaped with a backslash "\" or the whole expression must be enclosed in quotation marks.
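The qualifier grammar and the two rules above (omitted qualifiers are inherited from the previous unit; parentheses must be protected from the shell) can be made explicit in code. The following is an added example written for this page, not code from the original post or from tcpdump itself; it re-implements the shorthand expansion that tcpdump's own parser performs internally so the rule is visible, and uses shlex.quote to produce a command line in which the expression reaches tcpdump rather than the shell. The interface name ens33 and option -nn are taken from the post; all filter strings are constructed illustrations.

```python
import shlex

# Vocabulary of the qualifier grammar described in the post.
PROTOS = {"tcp", "udp", "arp", "ip", "ip6", "ether", "icmp"}
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
OPS = {"and", "&&", "or", "||"}
UNARY = {"not", "!"}


def unit(ident, type_="host", dir_=None, proto=None, negate=False):
    """Compose one unit in the fixed order: [not] proto dir type ID."""
    if type_ not in TYPES:
        raise ValueError(f"unknown type qualifier {type_!r}")
    if dir_ is not None and dir_ not in ("src", "dst", "src or dst", "src and dst"):
        raise ValueError(f"unknown dir qualifier {dir_!r}")
    if proto is not None and proto not in PROTOS:
        raise ValueError(f"unknown proto qualifier {proto!r}")
    parts = ["not"] if negate else []
    parts += [p for p in (proto, dir_, type_) if p]
    parts.append(str(ident))
    return " ".join(parts)


def expand_shorthand(expr):
    """Rewrite an expression so that every ID carries its own qualifiers.

    "tcp dst port ftp or ftp-data" -> "tcp dst port ftp or tcp dst port ftp-data".
    A bare ID inherits the qualifiers of the most recent fully qualified unit.
    """
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    out, prefix, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPS or tok in UNARY or tok in ("(", ")"):
            out.append(tok)
            i += 1
            continue
        # Collect the qualifiers that precede this ID.
        quals = []
        while i < len(tokens):
            t = tokens[i]
            if t in PROTOS or t in DIRS or t in TYPES:
                quals.append(t)
            elif (t in ("or", "and") and quals and quals[-1] in DIRS
                  and i + 1 < len(tokens) and tokens[i + 1] in DIRS):
                quals.append(t)  # compound direction such as "src or dst"
            else:
                break
            i += 1
        at_end = i >= len(tokens) or tokens[i] in OPS or tokens[i] == ")"
        if at_end:
            if len(quals) == 1 and quals[0] in PROTOS:
                out.append(quals[0])  # a bare protocol unit such as "icmp"
                continue
            raise ValueError(f"qualifier(s) {quals} are not followed by an ID")
        ident = tokens[i]
        i += 1
        if quals:
            prefix = quals  # remember for following bare IDs
        elif not prefix:
            raise ValueError(f"bare ID {ident!r} with no preceding qualifier")
        out.append(" ".join(prefix + [ident]))
    return " ".join(out)


def shell_command(expr, iface="ens33", *options):
    """Return a shell-safe tcpdump command line.

    shlex.quote wraps the expression in single quotes whenever it contains
    spaces or parentheses, so "()" is seen by tcpdump and not by the shell.
    """
    argv = ["tcpdump", "-i", iface, *options, expand_shorthand(expr)]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(unit(22, type_="port", dir_="dst", proto="tcp"))
    print(expand_shorthand("tcp dst port ftp or ftp-data or domain"))
    print(shell_command("host foo and (port 80 or 443)", "ens33", "-nn"))
```

The expansion only inherits qualifiers from the previous unit, exactly as the post describes; it does not validate that the ID makes sense for the qualifier (for example a port name that is not in /etc/services), which tcpdump itself reports when the expression is compiled.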

5. tcpdump use cases

5.1 Capture packets leaving or entering this host

5.2 Capture packets exchanged between this host and a specified host

5.3 Capture IP packets exchanged between this host (A) and other hosts, excluding host B

5.4 Capture all packets sent by this host

5.5 Capture all packets received by this host

5.6 Capture packets of a specified protocol and port between this host and a specified host

5.7 Capture packets on a network segment

5.8 Capture ping packets

5.9 Capture packets to a port on this machine

Capture NFS service packets

5.10 Parse captured packets

tcpdump -i ens33 -c 2 -q -XX -vvv -nn tcp dst port 22
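Once packets are printed with -nn, the next step from the "analysis" purpose in section 1 is to process those lines. The following is an added example for this page, not code from the original post: it parses the one-line TCP summary format that tcpdump -nn prints (timestamp, "IP src.sport > dst.dport", the TCP flags) into records, summarizes flows, and flags any source that sends lone SYNs to many distinct destination ports, which is what a port scan looks like in such output. The sample lines are constructed for the example and are not a real capture; the threshold of five ports is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of tcpdump -nn output (not a real capture): a normal SSH
# handshake from 10.0.0.5, an ARP line the parser ignores, and one source
# (10.0.0.66) sending lone SYNs to six different ports on 10.0.0.9.
SAMPLE = """\
12:00:00.100000 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 1000, win 64240, length 0
12:00:00.100500 IP 10.0.0.9.22 > 10.0.0.5.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:00.101000 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [.], ack 2001, win 502, length 0
12:00:01.000000 ARP, Request who-has 10.0.0.9 tell 10.0.0.5, length 28
12:00:02.000100 IP 10.0.0.66.40001 > 10.0.0.9.21: Flags [S], seq 1, win 1024, length 0
12:00:02.000200 IP 10.0.0.66.40002 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000300 IP 10.0.0.66.40003 > 10.0.0.9.23: Flags [S], seq 1, win 1024, length 0
12:00:02.000400 IP 10.0.0.66.40004 > 10.0.0.9.25: Flags [S], seq 1, win 1024, length 0
12:00:02.000500 IP 10.0.0.66.40005 > 10.0.0.9.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000600 IP 10.0.0.66.40006 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0
""".splitlines()

# One TCP line of tcpdump -nn output. With -nn the port is printed as a number
# after the last dot of the address, so the address is matched non-greedily by
# backtracking to the final ".port".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line):
    """Return a Packet for a TCP summary line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def parse_lines(lines):
    """Parse all lines, silently skipping non-TCP output such as ARP."""
    return [p for p in map(parse_line, lines) if p is not None]


def flow_summary(lines):
    """Count packets per (src, dst, dport) so the busiest services stand out."""
    return Counter((p.src, p.dst, p.dport) for p in parse_lines(lines))


def syn_scan_sources(lines, min_ports=5):
    """Sources whose SYN-only packets reach at least min_ports distinct
    (destination, port) pairs. A normal client opens one or a few ports;
    a scanner touches many. Returns {source: number_of_distinct_targets}."""
    targets = defaultdict(set)
    for p in parse_lines(lines):
        if p.flags == "S":  # SYN without ACK: a new connection attempt
            targets[p.src].add((p.dst, p.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


if __name__ == "__main__":
    for (src, dst, dport), n in flow_summary(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {dst}:{dport}")
    print("possible SYN scan sources:", syn_scan_sources(SAMPLE))
```

To use it on real output, capture with the options shown above (-nn is required so that ports appear as numbers) and feed the lines into parse_lines; lines printed with -q or -v carry a different layout and would need their own pattern.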

 


Source: www.cnblogs.com/golinux/p/11012781.html