Detailed explanation of the tcpdump command
2022-07-26 16:47:00 【IT.cat】
Catalog
One. What tcpdump does
Two. tcpdump command options and capturing host-to-host packets
2.1. Command options
2.2. tcpdump expressions
2.3. tcpdump capture modes
One. What tcpdump does
Linux is widely used as a network server, and especially as a router or gateway, so collecting and analysing network traffic on it is indispensable. tcpdump is one of the most powerful network data capture and analysis tools on Linux.
tcpdump is a packet capture tool that captures the packets transmitted on the network according to the user's needs (on the Windows platform, tools such as Wireshark fill the same role). tcpdump captures the headers of the packets travelling on the network for analysis. It supports filtering by network layer, by specific transport protocol, by the host that sends or receives the data, by network interface and by port, and it provides the and, or and not operators to combine these conditions logically, so that only the wanted packets are captured and unneeded information is left out.
Two. tcpdump command options and capturing host-to-host packets
2.1. Command options
-a # Convert network and broadcast addresses to names
-A # Print every packet in ASCII, minus its link-layer header
-b # Select the protocol on the data link layer; ip/arp/rarp/ipx all belong to this layer
-c # Specify the number of packets to receive, that is, exit tcpdump after the specified number of packets has been received
-d # Dump the compiled packet-matching code in a human-readable assembly-like form
-dd # Dump the packet-matching code as a C program fragment
-ddd # Dump the packet-matching code as decimal numbers
-D # Print all network interfaces on the system that can be monitored
-e # Print the data-link-layer header on each output line
-f # Print "foreign" Internet addresses numerically, that is, do not show their host names
-F # Read the filter expression from the specified file and ignore any other expression
-i # Specify the network interface to listen on
-l # Make standard output line-buffered, so the data can be redirected to a file
-L # List the data link types known for the network interface
-n # Do not convert network addresses to names
-N # Do not print the domain-name part of host names; for example www.baidu.com is printed as www
-nn # Do not convert port numbers to names either
-P # Do not put the network interface into promiscuous mode
-q # Quick output, that is, print only a small amount of protocol information
-r # Read the data from the specified file, usually one saved with -w
-w # Save the captured packets to a file instead of parsing and printing them on screen
-s # Read snaplen bytes from each packet rather than the default 68 bytes
-S # Print TCP sequence numbers as absolute values rather than relative ones
-T # Interpret the captured packets directly as messages of the specified type; common types are rpc (remote procedure call) and snmp (simple network management protocol)
-t # Do not print a timestamp on each output line
-tt # Print an unformatted timestamp on each line
-ttt # Print the time difference between this line and the previous one
-tttt # Print a timestamp in the default format together with the date on each line
-u # Print undecoded NFS handles
-v # Print slightly more detailed output; for example an ip packet can include the ttl and type-of-service information
-vv # Print even more detailed packet information
2.2. tcpdump expressions
Keywords for the data type
These include host, port and net:
host 192.168.130.1 denotes a host, net 192.168.130.0 denotes a network segment, and port 80 means the port number is 80. If no data type is given here, the default is host.
Keywords for the transmission direction
These include src, dst, dst or src and dst and src. They state the direction of transmission: for example src 192.168.130.1 means the source address of the packet is 192.168.130.1, and dst net 192.168.130.0 means the destination network address is 192.168.130.0. The default is to monitor both src and dst between the hosts, that is, by default all traffic between the local machine and the target host is listened to.
Protocol keywords
These include ip, arp, rarp and udp
Other keywords
Logical operators: or, and, not, !
Auxiliary keywords: gateway, less, broadcast, greater
2.3. tcpdump capture modes
Format:
tcpdump [protocol type] [source or destination] [host name or IP] [or/and/not/! combination] [source or destination] [host name or IP] [or/and/not/! combination] [port] [port number] …… [or/and/not/! combination] [condition]
tcpdump ip dst 192.168.56.1 and src 192.168.56.210 and port 80 and host ! www.baidu.com
tcpdump
# By default, listen on the first network interface and monitor every packet that passes through it
tcpdump -i ens33
# Monitor all packets transmitted through the specified interface ens33

tcpdump -i ens33 host 192.168.130.151
# Capture all packets of host 192.168.130.151 that pass through interface ens33 (a host name can be used instead, as long as it resolves to an IP address)
# Only packets sent by this host, 192.168.130.151, are detected; everything else is filtered out automatically
tcpdump host 192.168.130.151 and \(192.168.130.152 or 192.168.130.153\)
# Capture all packets exchanged between host 192.168.56.209 and host 192.168.56.210 or 192.168.56.211
tcpdump ip host node9 and not www.baidu.com
# Capture the ip packets exchanged between host node9 and every other host (excluding www.baidu.com)
tcpdump ip host node9 and ! www.baidu.com
# Capture the packets exchanged between node9 and all other hosts (excluding www.baidu.com)
tcpdump -i ens33 src node10
# Capture all packets that source host node10 sends through interface ens33
tcpdump -i ens33 dst host www.baidu.com
# Capture all packets sent to host www.baidu.com
Monitor the ip packets on port 80 between hosts 192.168.56.1 and 192.168.56.210, excluding all traffic with www.baidu.com:
tcpdump ip dst 192.168.56.1 and src 192.168.56.210 and port 80 and host ! baidu.com
# It can also be written as tcpdump ip dst 192.168.56.1 and src 192.168.56.210 and port 80 and host not www.baidu.com; not and ! both express the same negation
tcpdump arp
# Monitoring the communication packets of a specified host works the same way as in 1.9.1
tcpdump tcp port 22 and host 192.168.56.210
# Capture the tcp ssh packets received and sent by host 192.168.56.210
tcpdump udp port 53
# Monitor the packets on local udp port 53; udp 53 is the dns port, so this also shows the whole process of a dns name resolution
Capture according to what you actually need; when no data is being transmitted nothing will be captured, so only a few packet-capture examples are given here. Most people still need to learn how to use it in practice.
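As an added illustration of sections 2.2 and 2.3 (this is not code from the original post or from tcpdump itself), the following Python models how the filter keywords described above combine: qualifier inheritance for bare values, and/or/not with parentheses, and which of a few constructed packet records each of the page's example expressions would select. The names pkt, PACKETS, match, compile_filter and select are assumptions of this example.

```python
import re
# Model of the pcap-filter primitives in the text: [proto] [src|dst] [host|net|port] value, joined with
# and/or/not and ( ). A bare value inherits the previous primitive's qualifiers, so "host A and (B or C)"
# means "host A and (host B or host C)". Caveat: here a trailing .0 marks a prefix, as the text describes;
# real tcpdump treats a dotted quad after "net" as a single address, so write net 192.168.130.0/24 there.
QUALS = {**{p: 0 for p in ("ip", "arp", "rarp", "tcp", "udp")},
         **{d: 1 for d in ("src", "dst")}, **{t: 2 for t in ("host", "net", "port")}}
FIELDS = {"host": ("src", "dst"), "net": ("src", "dst"), "port": ("sport", "dport")}
def pkt(proto, src, dst, sport=0, dport=0):  # constructed sample packet record (not captured data)
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
PACKETS = [pkt("tcp", "192.168.56.210", "192.168.56.1", 40001, 80), pkt("tcp", "192.168.56.210", "www.baidu.com", 40002, 80),
           pkt("udp", "192.168.130.151", "192.168.130.153", 40003, 53), pkt("arp", "192.168.130.152", "192.168.130.151")]

def proto_ok(p, proto):  # 'ip' covers tcp and udp; 'any' means no protocol was named
    return proto == "any" or p["proto"] == proto or (proto == "ip" and p["proto"] in ("tcp", "udp"))

def match(p, proto, direction, typ, val):  # one primitive: 'src host X', 'dst net N', 'port 80', ...
    if not proto_ok(p, proto):
        return False
    fields = FIELDS[typ] if direction == "any" else (FIELDS[typ][1 if direction == "dst" else 0],)
    if typ == "net":  # 192.168.130.0 is matched as the prefix 192.168.130.
        return any(str(p[f]).startswith(re.sub(r"(\.0)+$", "", val) + ".") for f in fields)
    return any(str(p[f]) == val for f in fields)

def compile_filter(expression):  # turn a tcpdump-style expression into a predicate over packet dicts
    toks = re.findall(r"\(|\)|[^()\s]+", expression.replace("\\", ""))  # drop the shell escapes on ( )
    last, peek = ["any", "any", "host"], lambda: toks[0] if toks else None
    def primary():
        explicit = ["any", "any", "host"] if peek() in QUALS else None
        while peek() in QUALS:  # explicit qualifiers reset the unnamed ones to their defaults
            tok = toks.pop(0); explicit[QUALS[tok]] = tok
        if explicit:
            last[:] = explicit
        if peek() in ("not", "!"):
            toks.pop(0); inner = primary(); return lambda p: not inner(p)
        if peek() == "(":
            toks.pop(0); inner = expr(); toks.pop(0); return inner
        if explicit and peek() in ("and", "&&", "or", "||", ")", None):  # protocol alone, e.g. "tcpdump arp"
            return lambda p, q=last[0]: proto_ok(p, q)
        q, val = tuple(last), toks.pop(0)
        return lambda p: match(p, *q, val)
    def chain(sub, ops, combine):  # left-to-right chain; 'and' binds tighter than 'or'
        f = sub()
        while peek() in ops:
            toks.pop(0); f = combine(f, sub())
        return f
    term = lambda: chain(primary, ("and", "&&"), lambda a, b: lambda p: a(p) and b(p))
    expr = lambda: chain(term, ("or", "||"), lambda a, b: lambda p: a(p) or b(p))
    return expr()
select = lambda expression, packets=PACKETS: [i for i, p in enumerate(packets) if compile_filter(expression)(p)]
```

Calling select with one of the page's expressions, for example select("host 192.168.130.151 and \\(192.168.130.152 or 192.168.130.153\\)"), returns the indices of the constructed packets that filter would let tcpdump print.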