tcpdump

A sniffer tool, a packet capture tool and sniffer on Linux

Supplementary instructions

tcpdump command is a packet capture and sniffer tool. It can print the header information of all data packets passing through the network interface. You can also use the -w option to save the data packets to a file for later analysis. .

grammar

tcpdump(options)

Options

-a: Attempt to convert network and broadcast addresses into names;
-c <Number of data packets>: Stop dumping after receiving the specified number of data packets;
-d: Convert the compiled packet encoding into a readable format and dump it to standard output;
-dd: Convert the compiled data packet encoding into C language format and dump it to standard output;
-ddd: Convert the compiled packet encoding into decimal number format and dump it to standard output;
-e: Display the connection level file header on each column of dumped data;
-f: Display the Internet address numerically;
-F<expression file>: specifies the file containing the expression;
-i<network interface>: Use the specified network section to send data packets;
-l: Use the buffer of the standard output column;
-n: Do not convert the host's network address into a name;
-N: Do not list domain names;
-O: Do not optimize packet encoding;
-p: Do not let the network interface enter promiscuous mode;
-q: Quick output, only lists a few transmission protocol information;
-r<packet file>: Read packet data from the specified file;
-s<packet size>: Set the size of each packet;
-S: List TCP association numbers with absolute rather than relative values;
-t: Do not display timestamps on each column of dumped data;
-tt: Display unformatted timestamps on each column of dump data;
-T<packet type>: Force the packet specified by the expression to be translated into the set packet type;
-v: Display the instruction execution process in detail;
-vv: Display the instruction execution process in more detail;
-x: List packet information in hexadecimal characters;
-w<packet file>: Write the packet data to the specified file.

Example

Starting tcpdump directly will monitor all packets flowing on the first network interface

tcpdump

Monitor the packets of the specified network interface

tcpdump -i eth1

If you do not specify a network card, by default tcpdump will only monitor the first network interface, usually eth0. The following examples do not specify a network interface.

Monitor the data packets of the specified host

Print all packets entering or leaving sundown.

tcpdump host sundown

You can also specify IP, for example, intercept all data packets received and sent by all hosts of 210.27.48.1

tcpdump host 210.27.48.1

Print the data packets communicated between helios and hot or ace

tcpdump host helios and \( hot or ace \)

Intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

Prints IP packets communicated between ace and any other host, but not with helios.

tcpdump ip host ace and not helios

If you want to obtain the IP packets of all hosts communicating with host 210.27.48.1 except host 210.27.48.2, use the command:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

To capture the packets on the eth0 network card, use:

sudo tcpdump -i eth0

Intercept all data sent by host hostname

tcpdump -i eth0 src host hostname

Monitor all packets sent to host hostname

tcpdump -i eth0 dst host hostname

Monitor packets for specified host and port

If you want to obtain the telnet packets received or sent by host 210.27.48.1, use the following command

tcpdump tcp port 23 and host 210.27.48.1

Monitor the local UDP port 123. 123 is the NTP service port.

tcpdump udp port 123

Monitor the data packets of the specified network

Print all communication packets between local host and hosts on the Berkeley network

tcpdump net ucb-ether

ucb-ether can be understood here as the network address of the "Berkeley network". The most original meaning of this expression can be expressed as: print all packets with the network address ucb-ether

Print all ftp packets passing through gateway snup

tcpdump 'gateway snup and (port ftp or ftp-data)'

Note: The expression is enclosed in single quotes, which prevents the shell from misparsing the parentheses.

Print all IP packets whose source or destination address is localhost

tcpdump ip and not net localnet

If the local network is connected to another network through a gateway, the other network does not count as the local network.

Capture HTTP messages from port 80 and display them in text form:

sudo tcpdump -i any port 80 -A