tcpdump: the Linux packet capture tool

The filter expression given to tcpdump is built from keywords of three kinds.

The first kind are type keywords, mainly host, net and port. host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says that the port number is 23. If no type is specified, host is assumed.

The second kind are direction keywords: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 matches IP packets whose source address is 210.27.48.2, and dst net 202.0.0.0 matches packets whose destination network is 202.0.0.0. If no direction keyword is specified, src or dst is assumed.

The third kind are protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi selects frames on an FDDI (Fiber Distributed Data Interface) network; it is in fact an alias for ether, because FDDI and Ethernet frames carry source and destination addresses in the same way, so FDDI frames are decoded and filtered like Ethernet frames. The remaining protocol keywords restrict the capture to packets of that protocol. If no protocol is specified, tcpdump captures packets of every protocol.

Besides these three kinds, the other important keywords are gateway, broadcast, less and greater, and the three logical operators: negation is written not or !, conjunction and or &&, disjunction or or ||. These keywords combine into compound conditions powerful enough for almost any need; the examples below show how.

Started with no arguments, tcpdump captures every packet that passes through the first network interface:

# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
                         0000 0000 0080 0000 1007 cf08 0900 0000
                         0e80 0000 902b 4695 0980 8701 0014 0002
                         000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
                         ffff 0060 0004 ffff ffff ffff ffff ffff
                         0452 ffff ffff 0000 e85b 6d85 4008 0002
                         0640 4d41 5354 4552 5f57 4542 0000 0000
                         0000 00

Use -i to specify the interface tcpdump listens on, which matters on a machine with several interfaces. Use -c to specify how many packets to capture before stopping, and -w to save the captured packets to a file instead of printing them (a file written with -w is read back later with -r). Adding -n keeps tcpdump from resolving addresses to names; resolution slows the capture down and sends a DNS query for every address seen.

A. To capture all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1

B. To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (parentheses on the command line must be escaped with backslashes, as shown, or the whole expression quoted, so the shell does not interpret them):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

C. To capture the IP packets between host 210.27.48.1 and every host except 210.27.48.2:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

D. To capture the telnet packets received or sent by host 210.27.48.1 (the two conditions have to be joined with and; writing them side by side is a filter syntax error):
# tcpdump tcp port 23 and host 210.27.48.1

E. To monitor UDP port 123, the NTP service port:
# tcpdump udp port 123

F. The following commands restrict the capture to the host named hostname, which can be the local machine or any computer on the network. To read all data sent by host hostname:
# tcpdump -i eth0 src host hostname

G. To monitor all packets sent to host hostname:
# tcpdump -i eth0 dst host hostname

H. To monitor packets that pass through the specified gateway (Gatewayname must be a name that resolves to both an IP address and an Ethernet address, via /etc/hosts or DNS and /etc/ethers):
# tcpdump -i eth0 gateway Gatewayname

I. To monitor the TCP or UDP packets to or from the specified port on a host:
# tcpdump -i eth0 host hostname and port 80
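The filter keywords and the example commands above can be exercised without a live interface or root. The script below is an added example, not code from the article: it writes a constructed three-packet pcap file by hand (an NTP datagram from 210.27.48.1 to 210.27.48.2, a telnet SYN from 210.27.48.5 to 210.27.48.1, and an ARP request from 210.27.48.3 for 210.27.48.2) and runs the article's filters against it with tcpdump -r, counting the matches. The 210.27.48.x addresses follow the article; the MAC addresses, ports, payload bytes, file path and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build a three-packet pcap file by hand,
# then run the article's filter expressions against it with "tcpdump -r" and
# count the matches. Nothing here touches a live interface, so no root is needed.
# The 210.27.48.x addresses follow the article; the MACs, ports and payloads are
# constructed for this demo.

PCAP=${TMPDIR:-/tmp}/tcpdump-filter-demo.pcap

# Write the bytes of a hex string (spaces ignored) to stdout using only POSIX
# printf octal escapes, so neither xxd nor bash's \x escapes are required.
hex2bin() {
    h=$(printf '%s' "$1" | tr -d ' \n')
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}               # first two hex digits
        printf "\\$(printf '%03o' "0x$byte")"
        h=${h#??}
    done
}

# One pcap record: header (ts_sec=1, ts_usec=0, incl_len, orig_len, all
# little-endian) followed by the frame. Frames here are shorter than 256 bytes.
record() {
    frame=$(printf '%s' "$1" | tr -d ' \n')
    len=$((${#frame} / 2))
    hex2bin "$(printf '01 00 00 00 00 00 00 00 %02x 00 00 00 %02x 00 00 00' "$len" "$len")"
    hex2bin "$frame"
}

# pcap global header: magic a1b2c3d4 (little-endian), version 2.4, zone 0,
# sigfigs 0, snaplen 65535, link type 1 (Ethernet).
PCAP_HDR='d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ff ff 00 00 01 00 00 00'

# Frame 1: UDP 210.27.48.1:123 -> 210.27.48.2:123 (NTP port), 4-byte payload.
FRAME_NTP='00 00 00 00 00 02  00 00 00 00 00 01  08 00
           45 00 00 20  00 01 00 00  40 11 00 00  d2 1b 30 01  d2 1b 30 02
           00 7b 00 7b  00 0c 00 00  e3 00 04 fa'
# Frame 2: TCP SYN 210.27.48.5:40000 -> 210.27.48.1:23 (telnet).
FRAME_TELNET='00 00 00 00 00 01  00 00 00 00 00 05  08 00
              45 00 00 28  00 02 00 00  40 06 00 00  d2 1b 30 05  d2 1b 30 01
              9c 40 00 17  00 00 00 01  00 00 00 00  50 02 20 00  00 00 00 00'
# Frame 3: ARP request, who-has 210.27.48.2 tell 210.27.48.3 (no IP header).
FRAME_ARP='ff ff ff ff ff ff  00 00 00 00 00 03  08 06
           00 01 08 00 06 04 00 01  00 00 00 00 00 03  d2 1b 30 03
           00 00 00 00 00 00  d2 1b 30 02'

write_pcap() {
    { hex2bin "$PCAP_HDR"; record "$FRAME_NTP"; record "$FRAME_TELNET"; record "$FRAME_ARP"; } > "$PCAP"
}

# Number of packets in $PCAP that match filter $1. -n skips name resolution,
# -q prints one short line per packet so wc -l counts packets.
count_matches() {
    tcpdump -n -q -r "$PCAP" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Re-filter the capture into a new file with -w (as one would do with a file
# saved from a live capture) and return how many packets the new file holds.
save_matches() {
    tcpdump -n -r "$PCAP" -w "$2" "$1" 2>/dev/null
    tcpdump -n -q -r "$2" 2>/dev/null | wc -l | tr -d ' '
}

if command -v tcpdump >/dev/null 2>&1; then
    write_pcap
    for f in 'host 210.27.48.1' \
             'host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)' \
             'ip host 210.27.48.1 and ! 210.27.48.2' \
             'tcp port 23 and host 210.27.48.1' \
             'udp port 123' 'src host 210.27.48.1' 'dst host 210.27.48.1' 'arp'; do
        printf '%-55s %s\n' "$f" "$(count_matches "$f")"
    done
fi
```

Running it prints each filter with its match count: host 210.27.48.1 matches the NTP and telnet frames, the parenthesised form and the ip host ... and ! ... form match one frame each, udp port 123 and tcp port 23 and host ... match one each, and arp matches only the request. Quoting the whole expression in single quotes, as done here, avoids the backslash escaping of B. A filter with a syntax error (for example tcp port 23 host 210.27.48.1 without the and) is rejected before any packet is read, so this is also the cheapest way to check a filter before pointing it at a live interface.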

Copyright © Windows knowledge All Rights Reserved