Linux commands: tcpdump

Posted by andynick on Sat, 01 Jan 2022 14:13:42 +0100

summary

  • tcpdump is a command-line packet capture tool: it intercepts packets on a network interface and prints their contents, much like Wireshark on Windows.
  • It is the preferred tool for network analysis and troubleshooting on Linux.
  • Ordinary users cannot run it; it needs root privileges (more precisely, the CAP_NET_RAW and CAP_NET_ADMIN capabilities, because it opens a raw socket and may put the interface into promiscuous mode).
  • We can use tcpdump to capture packets.

principle

tcpdump intercepts the headers of packets transmitted on the network and decodes them for analysis. Packet selection works much like a firewall's packet filter: the filter expression is compiled into BPF (Berkeley Packet Filter) code that the kernel applies to every packet. It supports filtering by link layer, network layer, protocol, host, network or port, and provides the logical operators and, or and not so you can discard uninteresting traffic.

Note: tcpdump without a filter expression captures the header of every packet seen on the interface. The volume is huge, so a filter is essential.

option

-A Print each packet (minus its link-layer header) in ASCII; handy for web pages and other text protocols.
-c count: Stop after receiving the specified number of packets.
-C file_size: Before writing a raw packet to the output file, check whether the file is larger than file_size; if so, close it and open a new one (the -w file name followed by a number). file_size is in millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-d Dump the compiled packet-matching code (BPF) in a human-readable form and stop.
-dd Dump the packet-matching code as a C program fragment.
-ddd Dump the packet-matching code as decimal numbers, preceded by a count.
-D Print the list of network interfaces on the system on which tcpdump can capture.
-e Print the link-layer header (for example the MAC addresses) on each output line.
-E spi@ipaddr algo:secret: Decrypt IPsec ESP packets addressed to ipaddr that carry the Security Parameter Index spi, using algorithm algo and key secret.
-f Print "foreign" IPv4 addresses numerically rather than symbolically.
-F file: Read the filter expression from file; any expression given on the command line is ignored.
-i interface: Listen on the given network interface.
-l Make standard output line-buffered, so the output can be piped to another program (for example tee) or watched while it is being captured.
-L List the known data-link types for the interface.
-m module: Load SMI MIB module definitions from file module. May be given several times to load several modules.
-M secret: Use secret as the shared key for validating the digests of TCP segments that carry the TCP-MD5 option (see RFC 2385).
-b Print the AS number in BGP packets in ASDOT rather than ASPLAIN notation. (Older tutorials describe -b as "select a link-layer protocol such as ip, arp, rarp or ipx"; in current tcpdump that selection is done with the filter expression, e.g. tcpdump arp.)
-n Do not convert addresses (host addresses, port numbers, etc.) to names.
-nn Do not convert port numbers to service names either; -nn is the usual idiom for fully numeric output.
-N Do not print the domain part of host names; for example 'nic.ddn.mil' is printed as 'nic'.
-O Do not run the packet-matching code optimizer (useful only when debugging a filter).
-p Do not put the network interface into promiscuous mode.
-q Quick (quiet) output: print less protocol information, so lines are shorter.
-r file: Read packets from file (normally one created with -w).
-S Print absolute rather than relative TCP sequence numbers.
-s snaplen: Capture snaplen bytes of each packet instead of the default (68 bytes in old versions; 262144 bytes in current tcpdump). Too small a snaplen truncates packets and breaks protocol decoding; on old versions -s 0 means "capture the whole packet".
-T type: Force packets selected by the expression to be interpreted as the given type; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol).
-t Do not print a timestamp on each line.
-tt Print an unformatted timestamp (seconds since the epoch) on each line.
-ttt Print the time difference between the current line and the previous one.
-tttt Print a timestamp in the default date format on each line.
-u Print undecoded NFS handles.
-v Slightly more verbose output, for example TTL, identification, total length and options in IP packets.
-vv Even more verbose output.
-w file: Write the raw packets to file instead of parsing and printing them ("-" writes to standard output).

Common usage

  • rpm -qi tcpdump: check whether tcpdump is installed (on RPM-based systems; dpkg -s tcpdump does the same on Debian/Ubuntu)
  • tcpdump: prints one line per captured packet; with no -i, it listens on the lowest-numbered configured non-loopback interface, which is usually eth0
  • tcpdump -c 10: capture only 10 packets (c = count)
  • tcpdump -c 10 -w tcpdump.log: write the raw captured packets to the file tcpdump.log (w = write). Note: the file is in pcap format, so it can be opened by any packet-capture tool (tcpdump -r, Wireshark) but it is binary and cannot be viewed with cat or more. It also contains full payloads, so it may hold credentials; protect it accordingly
  • tcpdump -r tcpdump.log: read and decode a file written with -w above (r = read)
  • tcpdump -D: list the network interfaces on which tcpdump can capture
  • tcpdump -i eth0: listen on eth0 and capture its traffic
  • tcpdump -v: more detailed output; add more v's for more detail, for example tcpdump -vv
  • tcpdump -n: show IP addresses instead of resolving them to host names (use -nn to leave port numbers unresolved too). Besides being faster, this avoids sending DNS queries for every address you are investigating
  • tcpdump udp: capture only UDP packets
  • tcpdump src 192.168.1.1: capture only packets whose source address is 192.168.1.1
  • tcpdump dst 192.168.1.105: capture only packets whose destination address is 192.168.1.105
  • Logical combination of filter primitives
    • Logical and
      • TCP traffic from a given IP on port 80 (port matches either the source or the destination port): tcpdump tcp and src 192.168.1.1 and port 80
    • Logical or
      • Packets from IP 192.168.0.1 or 192.168.0.2: tcpdump src 192.168.0.1 or 192.168.0.2
    • Logical not
      • Everything except packets on port 80: tcpdump not port 80
    • The three can be combined freely
      • TCP packets whose source IP is 192.168.1.1 but which are not on port 80: tcpdump tcp and src 192.168.1.1 and not port 80
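
The following is an added example, not code from the original post: it builds a small capture in the same pcap container format that tcpdump -w writes (24-byte global header, then a 16-byte record header before each packet), parses it the way tcpdump -r would, and applies the and/or/not filters from the list above to the decoded fields. The packets, addresses and ports are constructed for illustration; IP and transport checksums are left at zero and only Ethernet/IPv4 frames are decoded, both of which are simplifications of what tcpdump itself does.

```python
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4          # native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1
IPPROTO = {6: "tcp", 17: "udp"}


def build_packet(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Assemble Ethernet + IPv4 + TCP/UDP bytes for a constructed sample packet.
    Checksums are left as zero (tcpdump does not verify them by default)."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
        l4_proto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        l4_proto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, l4_proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("0011223344550011223344660800")  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + l4


def build_pcap(packets, snaplen=262144):
    """Write the container format tcpdump -w produces: a 24-byte global header,
    then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per packet."""
    out = [struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("=IIII", 1640000000 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def parse_pcap(data):
    """Decode a pcap capture into the fields the filter primitives key on."""
    magic, = struct.unpack_from("=I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order pcap file (magic 0x%08x)" % magic)
    linktype, = struct.unpack_from("=I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("=IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 (or truncated): skip
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", l4, 0) if len(l4) >= 4 else (None, None)
        records.append({"ts": ts_sec + ts_usec / 1e6, "proto": IPPROTO.get(proto, str(proto)),
                        "src": src, "dst": dst, "sport": sport, "dport": dport})
    return records


def _as_set(value):
    """Accept one address or a collection, so 'src A or src B' fits a single call."""
    return {value} if isinstance(value, str) else set(value)


def matches(pkt, proto=None, src=None, dst=None, port=None, not_port=None):
    """Mirror the expressions above: keywords are AND-ed, 'port N' matches either
    end of the connection, and 'not port N' excludes packets using N at either end."""
    if proto and pkt["proto"] != proto:
        return False
    if src and pkt["src"] not in _as_set(src):
        return False
    if dst and pkt["dst"] not in _as_set(dst):
        return False
    if port and port not in (pkt["sport"], pkt["dport"]):
        return False
    if not_port and not_port in (pkt["sport"], pkt["dport"]):
        return False
    return True


# Constructed sample capture (not real traffic), laid out as tcpdump -w would write it.
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.1.1", "192.168.1.105", "tcp", 40001, 80, b"GET / HTTP/1.0\r\n"),
    build_packet("192.168.1.1", "192.168.1.105", "tcp", 40002, 22),
    build_packet("192.168.1.105", "192.168.1.1", "tcp", 80, 40001),
    build_packet("192.168.0.2", "192.168.1.105", "udp", 5353, 53),
])


def filter_capture(data, **expr):
    """Equivalent of: tcpdump -nn -r file <expression>, returning the matching records."""
    return [p for p in parse_pcap(data) if matches(p, **expr)]


if __name__ == "__main__":
    # tcpdump tcp and src 192.168.1.1 and not port 80
    for p in filter_capture(SAMPLE_PCAP, proto="tcp", src="192.168.1.1", not_port=80):
        print("%s %s.%s > %s.%s" % (p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
```

Running the script prints the one packet that survives "tcp and src 192.168.1.1 and not port 80" (the SSH segment); the first TCP packet from 192.168.1.1 is dropped because port 80 appears as its destination, which is exactly why not port 80 must be read as "port 80 at neither end". The first bytes of SAMPLE_PCAP also show why cat cannot display a -w file: the magic number and header fields are raw integers, not text.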

Topics: Linux