Tcpdump command usage details

tcpdump Command to use detailed _ Crazy little penguin blog -CSDN Blog _tcpdump Detailed command The most detailed tcpdump Use guide - Wang Yibai - Blog Garden Tcpdump Practical tutorial of bag capturing tool , Let you know that a bag grabs the world ！_ Bili, Bili _bilibili

Generally, the following types of keywords ：

About keywords for data types ：
Include host、port、net, for example host 192.168.1.1 Indicates that this is a host ,net 192.168.0.0 It means this is a network address ,port 22 Indicates that the port number is 22, If no type is specified , The default type is host

Keywords of data transmission direction ：

Include src、dst、dst or src、dst and src, These keywords indicate the direction of transmission , such as src 192.168.1.1 The source address of the packet is 192.168.1.1,dst net 192.168.0.0 Indicate that the destination network address is 192.168.0.0, The default is to monitor host to host src and dst, That is, by default, listen to all data of the local machine and the target host

Protocol keywords ：

Include ip、arp、rarp、tcp、udp etc. ,

Other keywords ：
Operation type ：or、and、not、!
Auxiliary function ：gateway、less、broadcast、greater
 

There is a complete method of use , The following excerpts are some commonly used

tcpdump -i eth0 Monitor the specified network card eth0 All transmission packets ,    When there are multiple network cards, you must specify which one

tcpdump host 192.168.56.209 and ( 192.168.56.210 or 192.168.56.211 ) # Capture host 192.168.56.209 And host 192.168.56.210 or 192.168.56.211 All communication packets （ It can also be a host name , But the requirements can be resolved IP Address ）

tcpdump ip host node9 and ! www.baidu.com # Capture node9 Communication packets with all other hosts （ barring www.baidu.com）

tcpdump -i eth0 src node10 # Capture source host node10 All the process of sending eth0 All packets of the network card

• -nn： Don't convert protocol and port number to name , It's going to be a lot faster .

tcpdump icmp -w icmp.pcap   Use  -w  Is to write data to a file , While using  -r  Read data from file .

tcpdump -vvAls0 | grep 'POST'    Grab HTTP POST Request package

tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'      from HTTP Extract... From the request header User-Agent And the host name

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'      Grab 80 Port of HTTP Valid packets , exclude TCP The packets of the connection establishment process （SYN / FIN / ACK）

tcp Protocol message header  

Usually  Wireshark（ or tshark） Than tcpdump It's easier to analyze application layer protocols . The general practice is to use... On the remote server first  tcpdump  Grabbing data and writing it to a file , And then copy the file to the local workstation  Wireshark  analysis .

【 Common tools for network security 】Wireshark Tips for using packet capturing tools , From entry to mastery ！Wireshark install |Wireshark Grab the bag |Wireshark Tool use |_ Bili, Bili _bilibili