tcpdump is a network packet capture tool: it intercepts packets on a network interface and prints their contents. Its powerful and flexible capture-filter expressions make it the tool of choice for network analysis and troubleshooting on UNIX-like systems.
Because tcpdump is open source and exposes an open interface, it is highly extensible, which makes it valuable both to network administrators and to intruders. It is present in the base install of most Linux systems. Since capturing requires putting the network interface into promiscuous mode, an ordinary user normally cannot run it; a user with root privileges can run it directly and read the traffic passing on the network (on a switched network, only the traffic the switch actually delivers to that interface). A network analyzer of this kind is therefore not a major threat to the machine it runs on, but it is a threat to the other systems on the network, since anything they send unencrypted past that machine can be read.
7.1.1 Overview
As the name suggests, tcpdump can intercept the headers of packets transmitted on the network and dump them completely for analysis. It supports filtering on network layer, protocol, host, network or port, and provides the logical operators and, or and not so that you can strip out the information you do not need.
# tcpdump -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:53:21.444591 IP (tos 0x10, ttl 64, id 19324, offset 0, flags [DF], proto 6, length: 92) asptest.localdomain.ssh > 192.168.228.244.1858: P 3962132600:3962132652(52) ack 2726525936 win 1266
asptest.localdomain.1077 > 192.168.228.153.domain: [bad udp cksum 166e!] 325+ PTR? 244.228.168.192.in-addr.arpa. (46)
11:53:21.446929 IP (tos 0x0, ttl 64, id 42911, offset 0, flags [DF], proto 17, length: 151) 192.168.228.153.domain > asptest.localdomain.1077: 325 NXDomain q: PTR? 244.228.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. (123)
11:53:21.447408 IP (tos 0x10, ttl 64, id 19328, offset 0, flags [DF], proto 6, length: 172) asptest.localdomain.ssh > 192.168.228.244.1858: P 168:300(132) ack 1 win 1266
347 packets captured
1474 packets received by filter
745 packets dropped by kernel
Without any parameters, tcpdump captures the headers of all traffic on the interface, so the volume of data is large and must be filtered. Two details of the output above are worth noting. The PTR query and NXDomain reply for 244.228.168.192.in-addr.arpa. were generated by tcpdump itself while resolving 192.168.228.244 to a name; running with -n suppresses this name resolution, keeps the capture free of self-generated DNS traffic and speeds up printing. The closing summary shows 745 of 1474 filtered packets dropped by the kernel, meaning the capture is incomplete; writing raw packets to a file with -w (and analyzing later with -r) or enlarging the capture buffer with -B reduces such drops.
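The output format shown above is regular enough to parse, which is what you do when feeding tcpdump text into a detection or triage script. The following Python is an added example, not code from the original page or from the tcpdump project. It parses `tcpdump -vv` IPv4 lines into records, reads the closing summary to compute the kernel drop ratio, and flags reverse-DNS (PTR) lookups for addresses that also appear as capture endpoints, which is the signature of tcpdump's own name resolution. The sample text is constructed from the three complete packet lines and the summary shown above; field names such as `Packet` and `kernel_drop_ratio` are this example's own choices.

```python
"""Parse `tcpdump -vv` text output and summarize it (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the complete packet lines and summary from the page above.
SAMPLE = """\
11:53:21.444591 IP (tos 0x10, ttl 64, id 19324, offset 0, flags [DF], proto 6, length: 92) asptest.localdomain.ssh > 192.168.228.244.1858: P 3962132600:3962132652(52) ack 2726525936 win 1266
11:53:21.446929 IP (tos 0x0, ttl 64, id 42911, offset 0, flags [DF], proto 17, length: 151) 192.168.228.153.domain > asptest.localdomain.1077: 325 NXDomain q: PTR? 244.228.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. (123)
11:53:21.447408 IP (tos 0x10, ttl 64, id 19328, offset 0, flags [DF], proto 6, length: 172) asptest.localdomain.ssh > 192.168.228.244.1858: P 168:300(132) ack 1 win 1266
347 packets captured
1474 packets received by filter
745 packets dropped by kernel
"""

# One `tcpdump -vv` IPv4 line: timestamp, IP header fields in parentheses,
# then "src > dst: <protocol-specific text>".
_PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\d+), length: (?P<length>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# Summary lines tcpdump prints on exit.
_STAT_RE = re.compile(r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$")
# A reverse lookup name as printed in DNS query/response text.
_PTR_RE = re.compile(r"PTR\? (?P<name>(?:\d+\.){4})in-addr\.arpa\.")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Packet:
    ts: str
    tos: int
    ttl: int
    ip_id: int
    flags: str
    proto: str
    length: int
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    rest: str


def _split_endpoint(ep: str) -> Tuple[str, str]:
    # tcpdump prints "host.port"; the port may be a service name ("ssh", "domain").
    host, _, port = ep.rpartition(".")
    return host, port


def parse_capture(text: str) -> Tuple[List[Packet], Dict[str, int]]:
    """Return the parsed packet records and the exit summary counters."""
    packets: List[Packet] = []
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        m = _PKT_RE.match(line)
        if m:
            sh, sp = _split_endpoint(m["src"])
            dh, dp = _split_endpoint(m["dst"])
            proto = int(m["proto"])
            packets.append(Packet(
                ts=m["ts"], tos=int(m["tos"], 16), ttl=int(m["ttl"]), ip_id=int(m["id"]),
                flags=m["flags"], proto=PROTO_NAMES.get(proto, str(proto)),
                length=int(m["length"]), src_host=sh, src_port=sp,
                dst_host=dh, dst_port=dp, rest=m["rest"]))
            continue
        s = _STAT_RE.match(line)
        if s:
            stats[s["what"]] = int(s["n"])
    return packets, stats


def kernel_drop_ratio(stats: Dict[str, int]) -> Optional[float]:
    """Fraction of filter-matching packets the kernel dropped before delivery; None if unknown."""
    received = stats.get("received by filter", 0)
    if not received:
        return None
    return stats.get("dropped by kernel", 0) / received


def ptr_lookups(packets: List[Packet]) -> Set[str]:
    """IPv4 addresses that were reverse-resolved via DNS PTR queries in the capture."""
    found: Set[str] = set()
    for p in packets:
        if p.proto != "udp":
            continue
        for m in _PTR_RE.finditer(p.rest):
            octets = m["name"].rstrip(".").split(".")
            found.add(".".join(reversed(octets)))  # in-addr.arpa order is reversed
    return found


def self_inflicted_lookups(packets: List[Packet]) -> Set[str]:
    """PTR lookups for addresses that also appear as endpoints in the same capture.

    A reverse lookup for an address tcpdump has just printed is almost certainly
    tcpdump's own name resolution; run it with -n to avoid generating that traffic."""
    hosts = {p.src_host for p in packets} | {p.dst_host for p in packets}
    return ptr_lookups(packets) & hosts


if __name__ == "__main__":
    pkts, st = parse_capture(SAMPLE)
    print(f"{len(pkts)} packets parsed, kernel drop ratio {kernel_drop_ratio(st):.1%}")
    print("self-inflicted PTR lookups:", sorted(self_inflicted_lookups(pkts)))
```

On the sample this reports a drop ratio just above 50% and a single self-inflicted lookup for 192.168.228.244, both of which point at the remedies mentioned above: capture with -n, and write to a file or enlarge the buffer when the kernel is dropping packets.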