Introduction to tcpdump expressions

The expression is a packet filter condition written in pcap-filter syntax (it is compiled into a BPF program), not a regular expression. tcpdump applies it to every packet it sees, and a packet is captured only if it satisfies the expression. If no expression is given, every packet on the interface is captured.

An expression is built from several kinds of keywords:


The first kind are type qualifiers: host, net and port. For example, host 210.27.48.2 denotes the single host 210.27.48.2, net 202.0.0.0 denotes a network, and port 23 denotes port number 23. If no type is given, host is assumed. One caveat with net: when no mask is given, the mask is inferred from how many dotted components are written, so net 202 means 202.0.0.0/8 but a full dotted quad such as net 202.0.0.0 is treated as a /32, which is really a host match. Write the prefix length explicitly (net 202.0.0.0/8) to avoid the surprise.

The second kind are direction qualifiers: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 matches IP packets whose source address is 210.27.48.2, and dst net 202.0.0.0 matches packets whose destination is in network 202.0.0.0. If no direction is given, src or dst is assumed, i.e. the value is matched against either end of the packet.

The third kind are protocol qualifiers: fddi, ip, arp, rarp, tcp, udp and others. fddi denotes FDDI (Fiber Distributed Data Interface) frames; it is in fact an alias for ether, because FDDI frames carry source and destination addresses of the same form as Ethernet frames, so FDDI packets can be processed and analysed as Ethernet packets. The other keywords restrict the capture to packets of that protocol. If no protocol is given, tcpdump captures packets of all protocols.

Besides these three kinds, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation, written 'not' or '!'; conjunction, written 'and' or '&&'; and disjunction, written 'or' or '||'. These can be combined into conditions of any complexity. Note the precedence rules of pcap-filter: negation binds tightest, while 'and' and 'or' have equal precedence and are evaluated left to right, so "a or b and c" means "(a or b) and c". Use parentheses to group, and escape them (or quote the whole expression) so the shell does not interpret them.

Fourth, output format

Here are some typical forms of tcpdump output.

(1) Data link layer header information

Use the command:

#tcpdump -e host ICE

ICE is a Linux host whose MAC address is 0:90:27:58:af:1a; H219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46. The output of the command is as follows:


21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ICE.telnet: . 0:0(0) ack 22535 win 8760 (DF)

21:50:12.847509 is the timestamp: 21:50:12 is the time of day and 847509 is the fraction of a second in microseconds (it is not an ID). eth0 < means the packet was received on interface eth0; eth0 > would mean it was sent out through eth0. 8:0:20:79:5b:46 is the MAC address of H219, the source of the frame, and 0:90:27:58:af:1a is the MAC address of ICE, its destination. ip says the frame carries an IP packet and 60 is the frame length in bytes. h219.33357 > ICE.telnet says the segment goes from port 33357 on H219 to the telnet port (23) on ICE. The "." means none of the SYN, FIN, PUSH or RST flags is set, and 0:0(0) means the segment carries no data. ack 22535 says that the next sequence number H219 expects from ICE is 22535 (everything before it is acknowledged), win 8760 is the receive window H219 is advertising, and (DF) means the don't-fragment bit is set.

(2) ARP packet output

Use the command:

#tcpdump arp

The output is:


22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)

22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

22:32:42.802509 is the timestamp (802509 microseconds), eth0 > shows the packet was sent from this host, and arp shows it is an ARP packet. who-has route tell ICE means that host ICE is asking for the MAC address of host route; 0:90:27:58:af:1a is ICE's own MAC address. The second line is the reply, received on eth0: route is-at 0:90:27:12:10:66 says that the MAC address of route is 0:90:27:12:10:66. Nothing in ARP authenticates such a reply, which is why ARP spoofing works and why unexpected is-at answers are worth looking at.

(3) TCP packet output

The general form of the output for a captured TCP packet is:


src > dst: flags data-seqno ack window urgent options

src > dst gives the source and destination in host.port form. flags are the TCP flags of the segment: S (SYN), F (FIN), P (PUSH), R (RST), or "." when none of these is set. data-seqno is the sequence-number range of the data in the segment, written first:last(length); ack is the next sequence number expected from the other side; window is the receive buffer window size being advertised; urgent indicates urgent data (the urgent pointer); options are the TCP options, such as the maximum segment size.

(4) UDP packet output

The general form of the output for a captured UDP packet is:


route.port1 > ICE.port2: udp length

UDP output is very simple: the line above says that a UDP datagram was sent from port port1 on host route to port port2 on host ICE, and that its payload length is length.
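To turn lines like the ones above into something a script can check, here is an added example written for this page (it is not tcpdump code): a Python parser for the four line shapes just described (the link-layer line printed with -e, ARP requests and replies, TCP segments and UDP datagrams), followed by a small detection pass over the parsed records that lists clients opening connections to cleartext login services. The sample lines are the page's own three plus three constructed in the same old-tcpdump format; newer tcpdump versions print an IP prefix and Flags [S] instead, so the patterns would need adjusting. The CLEARTEXT service table is also constructed for the example.

```python
import re

# Line shapes from the page (an old Linux tcpdump, run with -e so MAC addresses show).
_HEAD = r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) "
_LINK = r"(?:(?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) (?P<ltype>\w+) (?P<flen>\d+): )?"
_ENDS = r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
PATTERNS = {
    "arp-request": re.compile(_HEAD + _LINK + r"arp who-has (?P<target>\S+) tell (?P<sender>\S+)"),
    "arp-reply": re.compile(_HEAD + _LINK + r"arp reply (?P<sender>\S+) is-at (?P<mac>[0-9a-f:]+)"),
    "udp": re.compile(_HEAD + _LINK + _ENDS + r"udp (?P<ulen>\d+)"),
    # flags data-seqno ack window urgent options, as the page describes
    "tcp": re.compile(_HEAD + _LINK + _ENDS + r"(?P<flags>[SFPR.]+) (?:(?P<seq>\d+:\d+)\((?P<bytes>\d+)\) )?"
                      r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)(?: urg (?P<urg>\d+))?(?P<rest>.*)"),
}
INTS = ("flen", "bytes", "ack", "win", "urg", "ulen")  # fields worth having as numbers


def parse_line(line):
    """One tcpdump line -> dict of its fields (plus 'kind'), or None if unrecognised."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            rec = {k: (int(v) if k in INTS else v) for k, v in m.groupdict().items() if v is not None}
            rec["kind"] = kind
            rec["direction"] = "in" if rec.pop("dir") == "<" else "out"  # "eth0 <" / "eth0 >"
            return rec
    return None


CLEARTEXT = {"telnet", "23", "ftp", "21", "pop3", "110"}  # constructed: logins sent in the clear


def cleartext_logins(lines):
    """(client, server) pairs opening TCP connections to cleartext login services.
    Only a SYN toward the service port counts, so the server's SYN-ACK is not a hit."""
    hits = set()
    for rec in map(parse_line, lines):
        if rec and rec["kind"] == "tcp" and "S" in rec["flags"] and rec["dport"] in CLEARTEXT:
            hits.add((rec["src"], rec["dst"]))
    return sorted(hits)


# Constructed sample: the page's three lines plus three more in the same format (not a real capture).
SAMPLE = """\
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ICE.telnet: . 0:0(0) ack 22535 win 8760 (DF)
21:50:14.120004 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 74: h219.33358 > ICE.telnet: S 1764351:1764351(0) win 8760 <mss 1460> (DF)
21:50:14.120310 eth0 > 0:90:27:58:af:1a 8:0:20:79:5b:46 ip 74: ICE.telnet > h219.33358: S 90721:90721(0) ack 1764352 win 32120 <mss 1460> (DF)
22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
22:33:01.000000 eth0 < route.53 > ICE.1025: udp 120
""".splitlines()
```

parse_line(SAMPLE[0]) yields the fields discussed under (1) as a dict (direction "in", smac 8:0:20:79:5b:46, flags ".", ack 22535, win 8760), and cleartext_logins(SAMPLE) reports only (h219, ICE): the second line is H219's SYN to ICE's telnet port, while the third line is ICE's SYN-ACK, whose destination port is the client's ephemeral port and therefore does not count.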

Fifth, examples

(1) To capture all packets received and sent by host 210.27.48.1:

#tcpdump host 210.27.48.1

(2) To capture packets exchanged between host 210.27.48.1 and either 210.27.48.2 or 210.27.48.3 (the backslashes before the parentheses are necessary, otherwise the shell interprets them; quoting the whole expression works too):

#tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

(3) To capture IP packets exchanged between host 210.27.48.1 and any host other than 210.27.48.2:

#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To capture ssh packets sent by host 192.168.228.246 without resolving host or port names (-nn disables both; a separate -n is redundant). Note that src host matches only packets whose source is that host; to see both directions of the session use host instead:

#tcpdump -nn src host 192.168.228.246 and port 22 and tcp

(5) The same, but also display the MAC addresses (-e). Options belong before the filter expression:

# tcpdump -e -nn src host 192.168.228.246 and port 22 and tcp

(6) To filter packets from source host 192.168.0.1 to the destination network 192.168.0.0/24:

tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

(7) To filter packets by the physical (MAC) address of the source host:

tcpdump ether src 00:50:04:BA:9B and dst……

(Why is there no host or net keyword after ether src? Because a physical address cannot denote a network: ether src and ether dst take a MAC address directly, written as six colon-separated hex octets.)

(8) To filter packets from source host 192.168.0.1 whose destination port is not telnet, and write the output to test.txt (-l makes the output line-buffered so it reaches the file as it is produced):

tcpdump -l src host 192.168.0.1 and not dst port telnet > test.txt

The protocol keywords ip, icmp, arp, rarp, tcp and udp are placed first in the expression, before the direction and type qualifiers (for example tcp dst port 22), to restrict the filter to packets of that protocol.
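The examples above, together with the keyword rules from the start of the page, can be checked without root or a live interface. The following is an added example written for this page, not tcpdump or libpcap code: a toy Python evaluator for the subset of pcap-filter syntax used here (host, net and port; src, dst, src or dst, src and dst; ip, tcp, udp, icmp, arp, rarp; and, or, not and parentheses), run over a constructed set of packets. It follows pcap-filter(7) in giving not the highest precedence and and/or equal precedence evaluated left to right, in defaulting to host and src or dst, in letting a bare value reuse the qualifiers of the previous primitive (tcp dst port 22 or 23), and in treating a dotted-quad net with no mask as a /32. The SERVICES table and the packets are constructed for the example, packet addresses are assumed to be IP addresses rather than names, and keywords such as gateway, mask, less and greater are not handled.

```python
import ipaddress
import re
from collections import namedtuple

# Keyword -> packet protocols it matches; "ip" covers anything carried in IPv4.
PROTOS = {p: {p} for p in ("tcp", "udp", "icmp", "arp", "rarp")}
PROTOS["ip"] = {"tcp", "udp", "icmp"}
TYPES = {"host", "net", "port"}
SERVICES = {"ssh": 22, "telnet": 23, "domain": 53}  # constructed stand-in for /etc/services
DEFAULTS = {"proto": None, "dir": "src or dst", "type": "host"}  # pcap-filter's defaults
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))


class Filter:
    def __init__(self, text):
        text = text.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
        self.toks, self.last = re.findall(r"\(|\)|[^\s()]+", text), dict(DEFAULTS)
        self.tree = self.expr()
        if self.toks:
            raise ValueError("unexpected token %r" % self.toks[0])

    def peek(self, ahead=0):
        return self.toks[ahead] if len(self.toks) > ahead else None

    def expr(self):  # 'and' and 'or' share one precedence level, left to right
        node = self.unary()
        while self.peek() in ("and", "or"):
            node = (self.toks.pop(0), node, self.unary())
        return node

    def unary(self):  # 'not' binds tightest; parentheses group
        if self.peek() == "not":
            self.toks.pop(0)
            return ("not", self.unary())
        if self.peek() != "(":
            return self.primitive()
        self.toks.pop(0)
        node = self.expr()
        if self.toks.pop(0) != ")":
            raise ValueError("expected ')'")
        return node

    def primitive(self):
        quals, tok = {}, self.toks.pop(0)
        if tok in PROTOS:  # "ip host X", or a bare "arp"
            quals["proto"] = tok
            if self.peek() in (None, "and", "or", ")"):
                return ("proto", tok)
            tok = self.toks.pop(0)
        if tok in ("src", "dst"):  # also "src or dst" / "src and dst"
            if self.peek() in ("or", "and") and self.peek(1) in ("src", "dst"):
                tok = "src %s dst" % self.toks.pop(0)
                self.toks.pop(0)
            quals["dir"], tok = tok, self.toks.pop(0)
        if tok in TYPES:
            quals["type"], tok = tok, self.toks.pop(0)
        if tok in ("and", "or", "not", "(", ")"):
            raise ValueError("expected a value, got %r" % tok)
        if quals:  # keywords given: the unnamed qualifiers take the defaults
            self.last = {**DEFAULTS, **quals}
        # A bare value reuses the previous qualifiers: "tcp dst port 22 or 23".
        return ("match", self.last["proto"], self.last["dir"], self.last["type"], tok)


def value_ok(typ, value, field):
    if typ != "net":  # host: exact match; port: a number or a service name
        return field == (value if typ == "host" else int(SERVICES.get(value, value)))
    if "/" not in value:  # "net 202.0.0.0" is a /32 (really a host match); "net 202" is /8
        parts = value.split(".")
        value = ".".join(parts + ["0"] * (4 - len(parts))) + "/%d" % (8 * len(parts))
    return field is not None and ipaddress.ip_address(field) in ipaddress.ip_network(value, strict=False)


def matches(node, pkt):
    kind, *args = node
    if kind == "not":
        return not matches(args[0], pkt)
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(matches(a, pkt) for a in args)
    if kind == "proto":
        return pkt.proto in PROTOS[args[0]]
    proto, dirn, typ, value = args
    if proto and pkt.proto not in PROTOS[proto]:
        return False
    s = value_ok(typ, value, pkt.sport if typ == "port" else pkt.src)
    d = value_ok(typ, value, pkt.dport if typ == "port" else pkt.dst)
    return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[dirn]


# Constructed sample traffic (not a real capture) covering the page's examples.
PACKETS = [
    Packet("tcp", "210.27.48.1", "210.27.48.3", 33357, 23),      # 0  telnet to .3
    Packet("arp", "210.27.48.1", "210.27.48.2"),                 # 1  ARP carries no ports
    Packet("tcp", "192.168.228.246", "192.168.0.7", 40000, 22),  # 2  ssh, client -> server
    Packet("tcp", "192.168.0.7", "192.168.228.246", 22, 40000),  # 3  ssh, server -> client
    Packet("tcp", "192.168.0.1", "192.168.0.9", 5000, 23),       # 4  telnet inside the /24
    Packet("tcp", "192.168.0.1", "10.0.0.9", 5001, 443),         # 5  leaves the /24
]


def capture(expr):
    """Indexes of PACKETS that tcpdump would capture with this expression."""
    tree = Filter(expr).tree
    return [i for i, p in enumerate(PACKETS) if matches(tree, p)]
```

capture("src host 192.168.228.246 and port 22 and tcp") returns [2], while the same expression with host instead of src host returns [2, 3]: that is the difference between example (4) and a two-way view of the session. capture("host 192.168.0.1 or host 192.168.0.7 and port 22") returns [2, 3] because the or is evaluated before the and, whereas the parenthesised "host 192.168.0.1 or (host 192.168.0.7 and port 22)" returns [2, 3, 4, 5]. capture("net 192.168.0.0") returns nothing, capture("net 192.168.0") returns [2, 3, 4, 5].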


Source: www.cnblogs.com/fanweisheng/p/11109330.html