When Linux is used as a network server, especially as a router and gateway, data collection and analysis are essential. So, today we will take a look at the powerful network data collection and analysis tool in Linux - TcpDump.
As the name suggests, TcpDump can completely intercept the "head" of packets transmitted over the network for analysis. It supports filtering for network layers, protocols, hosts, networks, or ports, and provides logical statements such as and, or, not to help you remove useless information.
Like other software in the Linux terminal state, TcpDump also relies on parameters to work, this article will be combined with examples to illustrate.
Data Filtering
TcpDump without any parameters will search all the network interfaces in the system and display all the data it intercepts. These data are not necessarily all we need, and there is too much data. Not conducive to analysis. Therefore, we should first think about what data is needed. TcpDump provides the following parameters for us to select the data:
-b selects the protocol on the data-link layer, including ip, arp, rarp, ipx. Layered.
For example: tcpdump -b arp will only display the arp, ie address translation protocol information, in the network.
-i selects the filtered network interface. If it is a router with at least two network interfaces, this option allows you to filter only the data passed on the specified interface. For example:
tcpdump -i eth0 only displays all headers on the eth0 interface.
The options src, dst, port, host, net, ether, and gateway include additional options such as src, dst, port, host, net, and ehost. They are used to distinguish the source and destination of the packet. The src host 192.168.0.1 specifies that the source host IP address is 192.168.0.1, and the dst net 192.168.0.0/24 specifies that the destination is the network 192.168.0.0. By analogy, host is related to its designated host, whether it is source or destination, net is related to its designated network, ether is not followed by IP address but physical address, and gateway is used for gateway host. It may be a bit complicated, see the following example:
tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24
The source host is 192.168.0.1 and the destination network is The header of 192.168.0.0.
tcpdump ether src 00:50:04:BA:9B and dst......
Filter the source host's physical address as XXX header (why there is no host or net behind ether src? Physical address of course There can be no network 喽).
Tcpdump src host 192.168.0.1 and dst port not telnet
Filter source host 192.168.0.1 and the destination port is not the telnet header.
ip icmp arp rarp and tcp, udp, icmp and other options must be placed in the first parameter location, used to filter the type of datagram. For example:
tcpdump ip src...
Filter only data - IP headers on the link layer.
tcpdump udp and src host 192.168.0.1
Filters only all udp headers of the source host 192.168.0.1.
Data Display /Input Output
TcpDump provides enough parameters to let us choose how to process the resulting data, as shown below:
-l can redirect data .
The data obtained by tcpdump -l>tcpcap.txt is stored in the tcpcap.txt file.
-n does not convert IP addresses to host names.
If you do not use this item, when there is a host name of a host in the system, TcpDump will convert the IP address to the host name display, like this: eth0 -nn No port name conversion. The above message becomes -eth0 -N does not print out the default domain name. or this information -N is: eth0 -O does not optimize the matching code. -t Does not print UNIX timestamps, that is, does not display time. -tt Prints the original, unformatted time. -v Detailed output, which is more than a normal TTL and service type. Ok, so much, do you think TcpDump is a good tool? It also has a good multi-function limited space can not be introduced one by one, read more "help" will have a great gain, this can be regarded as a shortcut into the Linux world.
How to uninstall the built-in JDK under Linux, many of us can find java under the operating system
under Windows we have the power management system is very familiar with, we can achieve STR, STD and
Format: printf("\\033[word background color; font color m string \\033[0m" ); printf("
CentOS modify IP address First turn off the firewall: service iptables stop# ifconfig eth0 192.168.1
Linux rsync command detailed finishing
Linux Security: Step by Step Defense (2)
Linux gcc and gdb simple operation command
Linux driver, when the probe function is called
Network Tutorial: Implementing Internet Filtering under Linux System
Three steps to teach you how to create a Linux flash drive
Considerations for using ssh to manage VPS under Linux
Optimization (configuration file) in nginx instructions
Linux remove garbled files and folders (support batch) method
The best solution for hard disk partitioning under Linux
Win7 computer sound can not open the solution
Win10 installation Lenovo lj1900 printer detailed tutorial
Win7's own exchange rate conversion widget is added to the desktop and simple setup tutorial
How to make Windows 7 only accessible to specified web pages
How to clear the software residual service item in Windows 7
How to add Windows Media Center to Win8
WindowsXP comes with system restore, you know how deep it is
Windows 7 system Aero effects can not be displayed solution
What happens when the Win7 system automatically shuts down when playing League of Legends?