The second type is keywords that determine the transmission direction, mainly src, dst, dst or src, and dst and src. For example, src 210.27.48.2 matches packets whose IP source address is 210.27.48.2, and dst net 202.0.0.0 matches packets whose destination lies on the network 202.0.0.0. If no direction keyword is given, src or dst is assumed.
The third type is the protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp. fddi selects packets on an FDDI (Fiber Distributed Data Interface) network; in practice it is an alias for ether, since FDDI and Ethernet frames carry source and destination addresses in the same way, so FDDI packets can be processed and analyzed like Ethernet packets. The other keywords select the protocol of the packets to capture. If no protocol is specified, tcpdump captures packets of all protocols.
In addition to these three types of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operations: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful filter conditions, as the following examples illustrate.
Started with no arguments, tcpdump monitors all packets flowing through the first network interface:
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.-ns > 202.102.245.-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
Use the -i parameter to specify the network interface tcpdump should listen on; this is very useful when the computer has multiple network interfaces.
Use the -c parameter to specify the number of packets to capture before exiting.
Use the -w parameter to write the captured packets to a file for later analysis.
A To capture all packets received and sent by host 210.27.48.1:
#tcpdump host 210.27.48.1
B If you want to intercept communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command: (When brackets are applied in the command line, you must
#tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)
C If you want to obtain IP packets for host 210.27.48.1 that communicate with all hosts except hosts 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D If you want to obtain the telnet packets received or sent by host 210.27.48.1, use the following command (the two primitives must be joined with and):
#tcpdump tcp port 23 and host 210.27.48.1
E Monitor UDP port 123 on this machine; 123 is the NTP service port:
# tcpdump udp port 123
F The system monitors only the packets of the host named hostname; it can be the local host or any computer on the network. The following command captures all data sent by hostname:
#tcpdump -i eth0 src host hostname
G The following command captures all packets sent to hostname:
#tcpdump -i eth0 dst host hostname
H We can also monitor packets passing through a specified gateway:
#tcpdump -i eth0 gateway Gatewayname
I If you additionally want only the TCP or UDP packets addressed to a specific port, execute the following command:
#tcpdump -i eth0 host hostname and port 80
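To make the qualifier rules above concrete (direction defaulting to src or dst, a bare value inheriting the qualifiers of the previous primitive, not/and/or with parentheses), here is a small evaluator for the subset of tcpdump's filter language used in examples A to I, run over three constructed packet records. This is added example code, not part of the original article or of tcpdump itself; it understands host and port primitives and the ip/arp/tcp/udp protocol keywords, but not net, gateway or the other keywords.

```python
import re
# Constructed packet records, not real captures: only the fields the filter primitives test.
PACKETS = [
    {"proto": "tcp", "src": "210.27.48.2", "dst": "210.27.48.1", "sport": 40001, "dport": 23},
    {"proto": "tcp", "src": "210.27.48.1", "dst": "210.27.48.9", "sport": 23, "dport": 40002},
    {"proto": "udp", "src": "210.27.48.5", "dst": "202.0.0.9", "sport": 123, "dport": 123},
]
PROTOS, KINDS = {"ip", "arp", "tcp", "udp"}, ("host", "port")
TOK = re.compile(r"\(|\)|&&|\|\||!|[^\s()!]+")  # parentheses, C-style operators, words
proto_ok = lambda p, proto: proto in (None, p["proto"]) or (proto == "ip" and p["proto"] in ("tcp", "udp"))

def primitive(q, value):
    # q carries the proto/dir/kind qualifiers in force; sport/dport are the port fields
    sides = {"src": ["src"], "dst": ["dst"]}.get(q["dir"], ["src", "dst"])
    combine = all if q["dir"] == "src and dst" else any
    field = lambda side: side if q["kind"] == "host" else side[0] + "port"
    want = int(value) if q["kind"] == "port" else value
    return lambda p: proto_ok(p, q["proto"]) and combine(p[field(s)] == want for s in sides)

def compile_filter(expr):
    # Recursive-descent parser: tcpdump-style expression -> predicate pkt -> bool
    toks, pos, q = TOK.findall(expr), 0, {"proto": None, "dir": "src or dst", "kind": "host"}
    def peek(i=0): return toks[pos + i] if pos + i < len(toks) else None
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def chain(sub, ops, op):  # left-associative: a or b or c / a and b and c
        left = sub()
        while peek() in ops:
            take(); left = (lambda a, b: lambda p: op(a(p), b(p)))(left, sub())
        return left
    def or_expr(): return chain(and_expr, ("or", "||"), lambda a, b: a or b)
    def and_expr(): return chain(not_expr, ("and", "&&"), lambda a, b: a and b)
    def not_expr():
        if peek() in ("not", "!"):
            take(); inner = not_expr(); return lambda p: not inner(p)
        if peek() == "(":
            take(); inner = or_expr(); take(); return inner
        tok = take()
        if tok in PROTOS:  # protocol alone ('tcp') or as a qualifier ('tcp port 23')
            if peek() not in ("src", "dst") + KINDS:
                return lambda p, t=tok: proto_ok(p, t)
            q["proto"], tok = tok, take()
        if tok in ("src", "dst"):  # direction, possibly 'src or dst' / 'src and dst'
            if peek() in ("or", "and") and peek(1) in ("src", "dst"):
                tok = "src %s dst" % take(); take()
            q["dir"], q["kind"], tok = tok, "host", take()  # a bare direction implies host
        if tok in KINDS:
            q["kind"], tok = tok, take()
        return primitive(dict(q), tok)  # later bare values inherit the qualifiers in force
    return or_expr()
```

The expression is given as tcpdump sees it after the shell has removed the backslashes, so example B is written "host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)".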
If we only need to see the packets sent to port 80, use dst port; if we only want to see the packets coming back from port 80, use src port.
#tcpdump -i eth0 host hostname and dst port 80
(the destination port is 80)
or
#tcpdump -i eth0 host hostname and src port 80
(the source port is 80; this is generally a host that provides an HTTP service)
If there are several conditions, combine them with and, or and not:
#tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80
When tcpdump puts an Ethernet interface into promiscuous mode, the kernel records it in the system log, which is also how an administrator can notice an unexpected sniffer on a host:
May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
tcpdump does not fully decode the captured data; most of the packet contents are printed directly in hexadecimal, which is obviously not convenient for analyzing network problems. The usual approach is to capture with the -w parameter and save the data to a file, then decode and analyze it with other programs. Filter rules should still be defined so that the captured packets do not fill the entire hard disk.
Article entry: csh Editor in charge: csh