tcpdump packet capture tool

tcpdump official website -> http://www.tcpdump.org

Step 1. Installation

Download the two source packages, tcpdump and libpcap, from the official website (each has its own download link).

libpcap must be installed before tcpdump.

Taking the latest versions at the time of writing as an example, change to a suitable directory and download both. The site also serves the files over HTTPS, which is preferable to the plain http links below, and publishes a detached PGP signature for every release; verify it before building.

wget http://www.tcpdump.org/release/libpcap-1.9.0.tar.gz
wget http://www.tcpdump.org/release/tcpdump-4.9.2.tar.gz

 

Then extract each archive:

tar -zxvf libpcap-1.9.0.tar.gz
tar -zxvf tcpdump-4.9.2.tar.gz

 

Start the installation with libpcap:

cd libpcap-1.9.0
./configure
make
make install

 

If ./configure fails, read the error message, fix the cause and run it again; the usual cause is a missing build dependency.

Example: configure: error: Neither flex nor lex was found.
Solution: yum install flex bison
then run ./configure again.

Then build tcpdump the same way:

cd tcpdump-4.9.2
./configure
make
make install

 

If everything went well, the installation is complete.

 

Alternatively, install the distribution package with yum:

yum -y install tcpdump
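As an added example (not from the original post), here is the whole source-install procedure above as a single POSIX shell script. It adds two things a practitioner wants before building network tools from source: an early check for the build tools whose absence causes the configure error shown above, and verification of both tarballs' detached PGP signatures before anything is compiled. It assumes the tarball URLs used on this page, that each signature sits beside its tarball as <tarball>.sig, and that the project signing key (published on tcpdump.org as signing-key.asc) has already been imported into the gpg keyring. The version numbers default to the ones used above; override LIBPCAP_VER and TCPDUMP_VER to build a current release.

```shell
#!/bin/sh
# build-tcpdump.sh: the source install procedure as one script, with an
# early check for the build tools behind the usual ./configure errors and
# PGP verification of both tarballs before anything is compiled.
# Run as root (or under sudo) because of "make install":
#     sh build-tcpdump.sh install
set -eu

LIBPCAP_VER="${LIBPCAP_VER:-1.9.0}"   # versions used on this page; override for a current release
TCPDUMP_VER="${TCPDUMP_VER:-4.9.2}"
BASE_URL="${BASE_URL:-https://www.tcpdump.org/release}"

# Print each of the given tools that is not on PATH, one per line.
# Empty output means all of them are present.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Fetch a release tarball plus its detached signature and verify it.
# Assumption: the signature lives beside the tarball as <tarball>.sig and
# the project signing key (signing-key.asc on tcpdump.org) is already in
# the gpg keyring; gpg exits non-zero on a bad or unknown signature and
# set -e then aborts the script before the archive is ever extracted.
fetch_verified() {
    tarball="$1"
    wget -q "$BASE_URL/$tarball" "$BASE_URL/$tarball.sig"
    gpg --verify "$tarball.sig" "$tarball"
}

# Extract and build one package. set -e aborts on the first failing step
# (for example the flex/bison configure error), so nothing half-built is
# installed.
build_and_install() {
    dir="$1"
    tar -zxf "$dir.tar.gz"
    (cd "$dir" && ./configure && make && make install)
}

main() {
    missing=$(missing_tools gcc make flex bison wget gpg tar)
    if [ -n "$missing" ]; then
        printf 'missing build tools:%s\n' "$(printf ' %s' $missing)" >&2
        printf 'install them first (on yum-based systems: yum install <package>)\n' >&2
        exit 1
    fi
    fetch_verified "libpcap-$LIBPCAP_VER.tar.gz"
    fetch_verified "tcpdump-$TCPDUMP_VER.tar.gz"
    # libpcap first: tcpdump's configure finds the sibling ../libpcap-* tree
    # (or the just-installed library) and builds against it.
    build_and_install "libpcap-$LIBPCAP_VER"
    build_and_install "tcpdump-$TCPDUMP_VER"
    /usr/local/sbin/tcpdump --version   # default install prefix is /usr/local
}

# Only the "install" argument runs the procedure; without it the file just
# defines the functions (handy for sourcing or testing).
if [ "${1:-}" = "install" ]; then
    main
fi
```

If gpg reports that the key is unknown, import the signing key first and check its fingerprint against the one published on the tcpdump.org release page before trusting the verification result.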

 

Step 2. Usage

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ] 
         [ -c count ] 
         [ -C file_size ] [ -G rotate_seconds ] [ -F file ] 
         [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ] 
         [ --number ] [ -Q in|out|inout ] 
         [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ] 
         [ -W filecount ] 
         [ -E spi@ipaddr algo:secret,... ]
         [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] 
         [ --time-stamp-precision=tstamp_precision ] 
         [ --immediate-mode ] [ --version ] 
         [ expression ]

 

Common parameters (case-sensitive)

  • -s snaplen: number of bytes to capture from each packet. -s 0 means "use the default", which is 65535 bytes in the version shown here and 262144 in recent releases, enough for a whole packet; older versions defaulted to 68 bytes, which truncated payloads unless -s 0 was given.
  • -w file: write the raw packets to a file instead of decoding and printing them to the console. The file can be read back later with -r.
  • -i interface: the interface (NIC) to listen on.
  • -v, -vv, -vvv: increasingly verbose protocol decode (IP header fields, checksums, and so on).
  • expression: a packet filter in pcap-filter(7) syntax (BPF primitives, not a regular expression). A primitive is made of up to three kinds of qualifier:
    • Type qualifiers: host (a host), net (a network) and port (a port).
    • Direction qualifiers: src (source), dst (destination), src or dst (either) and src and dst (both).
    • Protocol qualifiers: ether, ip, ip6, arp, rarp, tcp, udp, icmp and other protocol names.
    Primitives are combined with and, or, not and parentheses; quote the whole expression so the shell does not interpret it.

For the remaining options, see the tcpdump(1) man page; the filter syntax is documented in full in pcap-filter(7).

Common usage and sample output

  • Capture traffic on a given port on a given interface.
    • Command:
      tcpdump -s 0 -i eth0 port 22
      Sample output:
      
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
      20:24:59.414951 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164
      20:24:59.415002 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164
      20:24:59.415052 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442700:442864, ack 53, win 141, length 164
      20:24:59.415103 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442864:443028, ack 53, win 141, length 164

       

  • Capture traffic on a given port on a given interface and print the full protocol decode (-vvv) to the console.
    • Command:
      tcpdump -s 0 -i eth1 -vvv port 22
      Sample output:
      
      tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
      20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
          172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
      20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
          42.120.74.107.43414 > 172.16.2.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
      20:24:20.991130 IP (tos 0x10, ttl 64, id 22748, offset 0, flags [DF], proto TCP (6), length 540)
          172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x25e4 (incorrect -> 0x5e78), seq 133900:134400, ack 53, win 141, length 500
      20:24:20.991162 IP (tos 0x0, ttl 53, id 2349, offset 0, flags [DF], proto TCP (6), length 40)
          42.120.74.107.43414 > 172.16.2.226.ssh: Flags [.], cksum 0xf39e (correct), seq 53, ack 129812, win 15278, length 0

      Note: the cksum ... (incorrect -> ...) on the packets sent by 172.16.2.226 itself is expected when the NIC does TCP checksum offload: tcpdump copies the packet before the hardware fills in the checksum, which is why only outgoing packets are flagged and received ones show (correct). It is not evidence of corruption on the wire; to check that, capture on another host or on a mirror port.

       

  • Capture ICMP (ping) traffic sent to a given IP and print the full decode to the console.
    • Command:
      tcpdump -s 0 -i eth1 -vvv dst 223.5.5.5 and icmp
      Sample output:
      
      tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
      20:26:00.368958 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
          172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 341, length 64
      20:26:01.369996 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
          172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 342, length 64
      20:26:02.371058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
          172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 343, length 64
      20:26:03.372181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
          172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 344, length 64

      Note: tcpdump resolved 223.5.5.5 to public1.alidns.com in the output. Add -n to print addresses numerically; this stops the capture itself from sending DNS queries (which can show up in the capture or tip off the other side) and keeps up better with high packet rates.

       

  • Capture on all interfaces and save the raw packets to a file.
    • Command:
      tcpdump -i any -s 0 -w test.cap
      Sample output:
      
      tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

      Note: -i any uses the Linux "cooked" link type (LINUX_SLL), so the file carries a pseudo-header instead of real Ethernet headers; capture on a specific interface if you need the Ethernet layer. Nothing is decoded on screen while writing; read the file back with tcpdump -n -r test.cap (or open it in Wireshark). For long-running captures, -G and -W rotate the output file, and -Z user drops root privileges once the interface has been opened.
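The commands above all print one text record per packet: a single line by default, or an IP header line followed by an indented transport line under -v. As an added example, not part of the original post, here is a small POSIX shell/awk script that summarises such text output per direction (packets and bytes) and counts the packets whose checksum tcpdump marked "incorrect", as in the -vvv capture above. The sample lines embedded in it are constructed from the outputs shown on this page. For real analysis, capture with -w and read the pcap with -r or Wireshark rather than parsing text; this is for the common case where all you were handed is somebody's console output.

```shell
#!/bin/sh
# flowsum.sh: summarise tcpdump text output (default or -v/-vv/-vvv decode).
#   tcpdump -n -i eth0 port 22 | sh flowsum.sh -     # live, read stdin
#   sh flowsum.sh - < saved-output.txt                # saved console output
#   sh flowsum.sh                                     # demo on the sample below

# Read tcpdump lines on stdin, print "SRC DST PACKETS BYTES" per direction.
# Both formats are handled because the per-packet record always contains
# "SRC > DST:" and ends in "length N"; the extra "IP (tos ..., length 316)"
# header line printed by -v ends in ")" and carries no ">", so it is skipped.
flow_summary() {
    awk '
    /length [0-9]+$/ {
        for (i = 1; i <= NF; i++)
            if ($i == ">") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst); break }
        if (i > NF) next            # no "SRC > DST" on this line
        key = src " " dst
        pkts[key]++
        bytes[key] += $NF           # the number after "length"
    }
    END { for (k in pkts) print k, pkts[k], bytes[k] }
    ' | LC_ALL=C sort
}

# Count packets whose TCP/UDP checksum tcpdump reported as "(incorrect".
# On the capturing host this is normally checksum offload (the NIC fills
# the field in after tcpdump has seen the packet), not corruption, so it
# is worth knowing before anyone chases a phantom network problem.
incorrect_cksums() {
    awk '/cksum 0x[0-9a-fA-F]+ \(incorrect/ { n++ } END { print n + 0 }'
}

# Constructed sample: lines taken from the outputs shown on this page,
# mixing the default one-line format with the two-line -vvv format.
SAMPLE='20:24:59.414951 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164
20:24:59.415002 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164
20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
    172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
    42.120.74.107.43414 > 172.16.2.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
20:26:00.368958 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 341, length 64'

case "${1:-demo}" in
    -)    flow_summary ;;                        # real tcpdump output on stdin
    demo) printf '%s\n' "$SAMPLE" | flow_summary
          printf 'packets with incorrect (offloaded) checksum: %s\n' \
              "$(printf '%s\n' "$SAMPLE" | incorrect_cksums)" ;;
esac
```

The summary keys on the exact "SRC DST" strings tcpdump printed, so run tcpdump with -n when feeding this script; otherwise the same peer can appear once as an address and once as a resolved name, as 223.5.5.5 and public1.alidns.com do in the ICMP example above.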

       



Origin www.cnblogs.com/xingxia/p/linux_tcpdump.html