tcpdump usage and arguments in detail

When troubleshooting client/server network interaction you usually end up needing a packet capture on the client, the server, or both.

On Windows the tool is normally Wireshark (formerly Ethereal); on Linux you use tcpdump. The notes below cover tcpdump usage.

tcpdump intercepts packets from the network and decodes their protocol headers for analysis. (Modern versions capture whole packets by default; old versions truncated each packet to 68 bytes unless -s was given, which is why it was once thought of as a "header only" tool.)

It can filter by link or network layer, protocol, host, network or port, and the filter language supports and, or and not so you can discard the traffic you do not want to see.

I. Basic use

Filter keywords fall into three groups:

The first group is the type qualifiers: host, net and port. For example, host 210.27.48.2 matches the single host 210.27.48.2; net 202.0.0.0 matches the network 202.0.0.0; port 23 matches port number 23. If no type qualifier is given, host is assumed.

The second group is the direction qualifiers: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 matches IP packets whose source address is 210.27.48.2; dst net 202.0.0.0 matches packets whose destination lies in network 202.0.0.0. If no direction qualifier is given, src or dst is assumed.

The third group is the protocol qualifiers: fddi, ip, arp, rarp, tcp, udp and so on. fddi nominally means the FDDI (Fiber Distributed Data Interface) link layer, but in tcpdump it is simply an alias for ether: FDDI frames carry source and destination addresses like Ethernet frames, so fddi packets are filtered and decoded the same way as ether packets. The other keywords restrict the match to packets of that protocol. If no protocol qualifier is given, tcpdump shows packets of every protocol consistent with the rest of the expression.

The keywords are combined into one expression on the command line. Remember that the shell sees the expression first: parentheses and other special characters must be escaped or quoted before tcpdump receives them.

• Default

tcpdump

With no arguments, tcpdump listens on the first configured non-loopback interface and prints every packet it sees. (Capturing needs root privileges or the CAP_NET_RAW capability.)

• Monitor a specific interface

tcpdump -i eth1

• Monitor packets of a specific host

tcpdump host cas1

Shows all packets to or from the host cas1.

tcpdump host 10.10.10.1

The host can of course also be given as an IP address.

tcpdump -i eth0 src host cas1

Shows all packets sent by the host cas1.

tcpdump -i eth0 dst host cas1

Shows all packets sent to the host cas1.

• Specify a port

tcpdump tcp port 23 and host cas1

Shows all telnet (TCP port 23) packets to or from the host cas1.

tcpdump udp port 123

Shows NTP (UDP port 123) traffic on this machine.

tcpdump -i eth0 -vnn src host 10.10.10.122 and not port 22

Captures packets whose source IP is 10.10.10.122, excluding anything on port 22.

tcpdump -i eth0 -vnn \( src host 10.10.10.2 and dst port 22 \) or \( src host 10.10.10.65 and dst port 80 \)

tcpdump -i eth0 -vnn 'src host 10.10.10.2 and dst port 22' or 'src host 10.10.10.65 and dst port 80'

Both capture packets from 10.10.10.2 to destination port 22, or from 10.10.10.65 to destination port 80. In the first form the parentheses are escaped because the shell would otherwise interpret them. The second form works without parentheses only because tcpdump joins all non-option arguments into one expression separated by spaces, and in the filter language and binds more tightly than or; the quotes there merely keep the two clauses readable.

• Specify a network segment

tcpdump -i eth0 -vnn net 10.10.10.0/24

Captures packets with a source or destination in the 10.10.10.0/24 segment.

• Capture ICMP packets

tcpdump -i eth0 -vnn icmp

• Save captured packets to a file

tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100

Writes the captured packets to /tmp/fil1 and exits once 100 packets have been captured. With -w the packets are not decoded on screen; -v only makes tcpdump print a running packet count.

tcpdump -vnn -r /tmp/fil1 tcp

Reads the packets recorded in /tmp/fil1 and shows only TCP. (-i is not needed when reading from a file.)

tcpdump -vnn -r /tmp/fil1 host 10.10.10.58

Reads /tmp/fil1 and shows only packets to or from 10.10.10.58.
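As an added example (not code from the original article), the following shell wrapper ties the captures above together: building a grouped filter without any backslash escaping, capturing a fixed number of raw packets to a file, and reading the file back with a different filter. The interface eth0, the file /tmp/fil1 and the 10.10.10.x addresses are the article's illustrative values, not real hosts. DRY_RUN defaults to 1 so the script prints the commands it would run instead of executing them (capturing needs root or CAP_NET_RAW and a real interface); set DRY_RUN=0 to actually capture.

```shell
#!/bin/sh
# Added example, not part of the original article. eth0, /tmp/fil1 and the
# 10.10.10.x hosts are the article's illustrative values (assumptions).

# Print the command instead of running it when DRY_RUN=1 (the default here,
# because a real capture needs root or CAP_NET_RAW and an existing interface).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bpf_or_group CLAUSE... : wrap every clause in parentheses and join with "or".
# In the filter language "and" binds tighter than "or", so the parentheses only
# matter when a clause itself contains "or"; adding them always is explicit and
# safe. The result is one string that is handed to tcpdump as ONE argument, so
# the shell never sees the parentheses and no backslash escaping is needed.
bpf_or_group() {
    out=""
    for clause in "$@"; do
        if [ -z "$out" ]; then
            out="( $clause )"
        else
            out="$out or ( $clause )"
        fi
    done
    printf '%s' "$out"
}

# capture_to_file IFACE FILE COUNT FILTER : write COUNT raw packets matching
# FILTER on IFACE to FILE. -w stores raw packets (nothing is decoded), so the
# file can be re-read later with any other filter; -c bounds the capture.
capture_to_file() {
    run tcpdump -i "$1" -nn -w "$2" -c "$3" "$4"
}

# read_capture FILE FILTER : decode a saved capture, applying FILTER again.
# -i is meaningless when reading from a file, so it is not passed.
read_capture() {
    run tcpdump -nn -r "$1" "$2"
}

# The two-clause filter from the article: SSH from 10.10.10.2 or HTTP from
# 10.10.10.65, built as a single argument.
FILTER=$(bpf_or_group 'src host 10.10.10.2 and dst port 22' \
                      'src host 10.10.10.65 and dst port 80')

capture_to_file eth0 /tmp/fil1 100 "$FILTER"   # capture 100 packets, then stop
read_capture /tmp/fil1 tcp                     # only TCP from the saved file
read_capture /tmp/fil1 'host 10.10.10.58'      # only one host, same file
```

Because -w stores raw packets, the expensive part (the live capture) is done once with a broad filter and a packet limit, and every narrower question is then answered offline with -r, which needs no privileges and can be repeated freely.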

II. Parameters in detail

-a

Attempt to convert network and broadcast addresses to names (old tcpdump versions only; in current versions this option is gone and the capital -A prints each packet in ASCII instead).

-d

Dump the compiled packet-matching code in a human-readable assembly-like form and exit.

-dd

Dump the packet-matching code as a C program fragment.

-ddd

Dump the packet-matching code as decimal numbers.

-e

Print the link-level header on each output line: source and destination MAC addresses and the network-layer protocol (ethertype).

-f

Print foreign (non-local) IPv4 addresses numerically rather than as names.

-l

Make stdout line buffered, useful when piping the output to another program or watching it while it is also saved with tee.

-n

Do not convert addresses in captured packets to names; IP addresses are printed as numbers.

-nn

Do not convert addresses, and also do not convert protocol and port numbers to names; ports are printed as numbers.

-t

Do not print a timestamp on each output line.

-v

Slightly more verbose output; for IP packets this includes the TTL, identification, total length and options, and header checksums are verified.

-vv

Even more verbose packet information.

-c

Exit after receiving the specified number of packets.

-F

Read the filter expression from the specified file; any expression given on the command line is ignored.

-i

Listen on the specified network interface.

-p

Do not put the interface into promiscuous mode. The interface may be in promiscuous mode for some other reason, so -p is not a shorthand for "ether host {local MAC} or ether broadcast".

-P

Choose which direction of packets to capture: "in", "out" or "inout"; the default is "inout". (Newer tcpdump versions call this option -Q.)

-r

Read packets from the specified file (normally one produced with -w).

-w

Write the raw packets to a file instead of decoding and printing them.

-T

Force packets to be interpreted as the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

-X

Print each packet's headers and data in both hex and ASCII (excluding the link-level header). This is indispensable when analysing a protocol.

-XX

Like -X, but the hex and ASCII dump of each packet also includes the link-level header. Very convenient when analysing a new protocol.


Source: www.linuxidc.com/Linux/2019-08/159994.htm