tcpdump packet capture: usage summary

 

Commonly used tcpdump capture-filter commands

The examples below all capture on the eth0 interface. Without "-i eth0", tcpdump captures on all interfaces, including lo.

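# Every example below captures on eth0 (-i eth0) with -v (verbose output)
# and -nn (no host-name and no port-name resolution, so the capture itself
# never triggers DNS lookups). Filter expressions use pcap-filter(7)
# syntax; its keywords (host, net, port, src, dst, and, or, not) are
# lower-case. Opening an interface normally requires root or CAP_NET_RAW.

# Packets to or from 172.16.1.122
tcpdump -i eth0 -vnn host 172.16.1.122
# Packets to or from the 172.16.1.0/24 network
tcpdump -i eth0 -vnn net 172.16.1.0/24
# Packets with source or destination port 22
tcpdump -i eth0 -vnn port 22
# UDP only
tcpdump -i eth0 -vnn udp
# ICMP only
tcpdump -i eth0 -vnn icmp
# ARP only
tcpdump -i eth0 -vnn arp
# IPv4 only
tcpdump -i eth0 -vnn ip
# Source IP 172.16.1.122
tcpdump -i eth0 -vnn src host 172.16.1.122
# Destination IP 172.16.1.122
tcpdump -i eth0 -vnn dst host 172.16.1.122
# Source port 22
tcpdump -i eth0 -vnn src port 22
# Source IP 172.16.1.253 and destination port 22
tcpdump -i eth0 -vnn src host 172.16.1.253 and dst port 22
# Source IP 172.16.1.122, or any packet involving port 22
tcpdump -i eth0 -vnn src host 172.16.1.122 or port 22
# Source IP 172.16.1.122, excluding port 22
tcpdump -i eth0 -vnn src host 172.16.1.122 and not port 22
# (source 172.16.1.2 and destination port 22) or
# (source 172.16.1.65 and destination port 80).
# The parentheses are escaped so the shell passes them through to tcpdump.
tcpdump -i eth0 -vnn \( src host 172.16.1.2 and dst port 22 \) or \( src host 172.16.1.65 and dst port 80 \)
# Same shape with other addresses. Quoting each group is the alternative to
# escaping parentheses: tcpdump joins its filter arguments with spaces into
# one expression, and "and" binds tighter than "or", so the grouping holds.
tcpdump -i eth0 -vnn 'src host 172.16.1.59 and dst port 22' or 'src host 172.16.1.68 and dst port 80'
# Write raw packets to /tmp/fil1 and stop after 100 packets (-c = count).
# The savefile holds full packet contents; prefer a directory only the
# capturing user can read over a predictable path in world-writable /tmp.
tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100
# Read /tmp/fil1 back (-r = read from savefile) and show only TCP
tcpdump -i eth0 -vnn -r /tmp/fil1 tcp
# Read /tmp/fil1 back and show only packets to or from 172.16.1.58
tcpdump -i eth0 -vnn -r /tmp/fil1 host 172.16.1.58
# Destination address in 10.0.0.0/8: ip[16] is the first byte of the
# destination address in the IPv4 header (destination occupies bytes 16..19)
tcpdump -i any -nn 'ip[16] == 10'
# Destination address in 192.168.1.10 - 192.168.1.100
tcpdump -i any -nn 'ip[16] == 192 and ip[17] == 168 and ip[18] == 1 and ip[19] > 9 and ip[19] < 101'
# Collect 10000 packets on port 443 (-c, lower-case, is a packet count;
# upper-case -C would instead rotate the savefile by size), then rank the
# source IPs. Without -v the third field of each summary line is
# "srcaddr.srcport", so the awk splits on '.' and keeps the first four
# octets, dropping the port.
tcpdump -i any -nn -c 10000 port 443 > tcpdump.log
awk '{ split($3, a, "."); print a[1] "." a[2] "." a[3] "." a[4] }' tcpdump.log \
  | sort | uniq -c | sort -rn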


Origin www.cnblogs.com/qiumingcheng/p/12164512.html