tcpdump is a commonly used capture tool under the Linux command line, record the usual way, the test machine system is ubuntu 12.04. Tcpdump command format tcpdump parameters are numerous, you can view the detailed description of tcpdump through man tcpdump, here only some of the author's own commonly used parameters: tcpdump [-i NIC] -nnAX 'expression' parameters are as follows: -i: Interface The network card that is listening. -nn: Indicates that the source and destination hosts are displayed in ip and port mode instead of the host name and service. -A: Display data packets in ascii mode, useful when crawling web data. -X: The packet will be displayed in hexadecimal and ascii. Expressions: There are many types of expressions. Common ones are: host host; port port; src host to send host; dst host to receive host. Multiple conditions can be combined with and, or can be used! For more use, you can view man 7 pcap-filter. Let's test some commands. If you don't have permission, you can switch to the root user first. Listening network card eth0$ tcpdump -i eth0 This is the easiest way, but it is not very useful, because basically you can only see the information of the data packet, can not see clearly, you can use ctrl + c interrupt to exit, if there is demand, You can redirect the output to a file, which is also easier to see. Listening to the data of the specified protocol $ tcpdump -i eth0 -nn 'icmp' This is the data used to listen to the icmp protocol, which is the protocol used by the ping command. Similarly, if you want to listen to tcp or udp protocol, you only need to modify the icmp of the above example. The machine that listens under ping, the output is as follows: linux uses tcpdump to capture the packet example The meaning of each data in each line: Capture the time of the packet IP and the host and port of the packet> Receive the host and port packet content Listen to the specified host $ Tcpdump -i eth0 -nn 'host 192.168.1.231' In this case, the packets received by the host 192.168.1.231 and the packets sent will be crawled. $ tcpdump -i eth0 -nn 'src host 192.168.1.231' This will only be sent by the host sent by 192.168.1.231. $ tcpdump -i eth0 -nn 'dst host 192.168.1.231' So only the packets received by this host 192.168.1.231 will be crawled. Listening to the specified port $ tcpdump -i eth0 -nnA 'port 80' The above example is used to listen to all packets received and sent by the host's port 80. Combined with the -A parameter, it is very useful in web development. Listen to the specified host and port $ tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.231' Multiple conditions can be connected with and, or. The above example shows listening to packets sent by the 192.168.1.231 host through port 80. Listening to ports other than a port $ tcpdump -i eth0 -nnA '!port 22' If you need to exclude a port or host, you can use the “!” symbol, the above example means to listen to non-port 22 packets. Summary: tcpdump has a lot of function parameters, and the expression options are very many, very powerful, but there are not many commonly used functions. For details, you can check the system manual by man. In addition, when crawling the web package, the content of the web page is very strange characters. It is found that apache has opened gzip compression, and gzip compression can be turned off. Under ubuntu 12.04, edit the vim /etc/apache2/mods-enabled/deflate.load file, comment out the statement that loads the module deflate_module, and then restart apache.