[Make it clear, to say it! ] Tcpdump command-line network packet capture tools

Contents:
(a) tcpdump command
(two) tcpdump filter

---

(A) the tcpdump command
(1.1) tcpdump is a network for intercepting a packet, the packet contents of the output and the tool. With powerful and flexible strategy interception, making it the tool of choice for network analysis and problem investigation of Unix-like systems. tcpdump support for the network layer, protocol, host, network or port filtering, and to provide and, or, not such phrases to help you get rid of useless information.
(1.2) tcpdump default instruction fetch only the first 68 bytes of each packet, will be TCP / IP header information is complete, and Layer crawl normally, the content needs to be done if the complete packet analysis is enough, generally 68 bytes only contains the source address, destination address and port.
(1.3) First, we can use the "-i" parameter to specify the name of the NIC, use the "-s" to specify the size of the catch of the packet, use "-w" parameter indicates to save the data packets to the specified file. We specify vms001 host card is eno16777728, and then specify the packet size of 0 indicates catch all packets, use the -w information indicating the captured data packets stored in the a.cap file.
# Tcpdump -i eno16777728 -s 0 -w a.cap --- vms001 designated host NIC is eno16777728, then specify the size of the data packet is 0 for grasping the entire packet, it said it would use the -w captured packets a.cap information stored in the file


(1.4) if we want to view the contents of the grab bag, you can use the "-r" parameter of the data packet to view it.
# Tcpdump -r a.cap --- represents a read data packet content

(1.5) If we want in the form of ASCII code will be displayed the data packet, we can use the data packets by the parameter "-A" will be displayed.
# Tcpdump -A -r a.cap --- displayed in ASCII format

(1.6) if we want to display the contents of the packet by the hexadecimal form, then we can be viewed via the parameter "-X" is.
# Tcpdump -X -r a.cap --- displays the contents of the packet in hexadecimal form

---

(B) tcpdump filter
(2.1) tcpdump capture filter can also be used to filter information, if we want to catch some type of package or some ports, you can specify the network card or port number.
# Nc -nv 192.168.26.102 22 --- 22 attempts to connect vms002 host port on the host vms001
# tcpdump -i eno16777728 tcp port 80 --- grip on eno16777728 packet port on the card 80 the host vms001


(2.2) tcpdump instruction is achievable display filter function, we first create a http.cap file, and then use the "tcpdump -n -r" will be displayed all the information, "-n" said they did not resolve the host name, "- r "represents read the file, and use awk displays the first three information files, and finally to re-use the sort command, this time we get all the IP address and port number information.
# Tcpdump -i eno16777728 -w --- http.cap information collected and written to the card eno16777728 http.cap file
# tcpdump -n -r http.cap --- displays information http.cap file all records, "-n" said they did not resolve the hostname
# tcpdump -n -r http.cap | awk ' {print $ 3}' | sort -u --- using "tcpdump -n -r" will be displayed all the information and use awk displays the first three information files, last used command to re-sort, sort -u command attention and sort | uniq -c consistent with the same meaning


(2.3)如果我们想查询来源IP的主机名为192.168.26.101的所有的信息行，我们可以使用tcpdump -n src host来指定来源IP地址的信息，此时我们便得到了源IP是192.168.26.101的所有信息行（图1-10）。如果我们需要查询目标IP地址为192.168.26.102的所有信息行，则我们可以使用tcpdump -n dst host来指定目标IP地址的信息（图1-11）。
# tcpdump -n src host 192.168.26.101 -r http.cap---在vms002主机查询源地址为192.168.26.101主机的所有符合要求的行
# tcpdump -n dst host 192.168.26.102 -r http.cap---在vms002主机查询目标地址为192.168.26.102主机的所有符合要求的行


(2.4)我们也可以通过端口号来进行筛选，我们可以使用tcpdump -n tcp port来指定端口号，以此来查询对应的信息行。
# tcpdump -n tcp port 22 -r http.cap---指定抓取端口号为22的信息行

(2.5)如果希望以十六进制的形式将数据包的筛选信息显示出来，则可以使用-X参数。
# tcpdump -n -X port 22 -r http.cap---以十六进制的形式将数据包的筛选信息显示出来，“-n”表示不解析主机名

(2.6) tcpdump instructions may also perform many advanced filtering function, where each row represents one byte 8, each row represents a total of 4 bytes 32, wherein at the beginning of Section 5 Date Offset represents the offset data amount, which cwr, ece, urg, ack, psh, rst, ayn, fin represents the tag bits of TCP. For example, we wish to label psh and ack bit filter out all data 1, then we will add two-bit values can be obtained as a result of decimal 24. Where the "source port" and "Destination Port" line represents the numbers 0-3 of 4 bytes, in bytes beginning res.cwr represents the numbers 0-13 in the first 14 bytes, so we tcp the array using tcp [13] represents the tag information bits, we need only specify "tcp [13] = 24" , and can filter out the ack bit psh label information for all data lines 1. At this point we can achieve tcp package anywhere, screening, particle size is very refined any value.
# Tcpdump -A -n 'tcp [13 ] = 24' -r http.cap --- 0-13 tcp packets filtered out, i.e., the first 14 bytes of information line 24 and all of the ASCII code form display

------ This concludes the article, thanks for reading ------