Detail tcpdump command example in Linux

  • 2020-06-12 11:39:44
  • OfStack

Preface

tcpdump is a packet capture tool for Unix/Linux environments that lets users intercept and display the network packets a host sends or receives. It captures the headers of packets travelling over the network for analysis, supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to strip out unwanted information. tcpdump is free software distributed under the BSD license.

This article gives a detailed introduction to the Linux tcpdump command for your reference and study. Without further ado, here are the details.

1. Command format


tcpdump [ -AbdDefhlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
  [ -C file_size ] [ -F file ] [ -G rotate_seconds ]
  [ -i interface ] [ -m module ] [ -M secret ]
  [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
  [ -W filecount ]
  [ -E spi@ipaddr algo:secret,... ]
  [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
  [ expression ]

2. Description of options


-A : Print each packet in ASCII (the link-layer header is not shown). Handy when capturing packets that carry web page data, since the payload can be read directly.

-b : Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.

-B buffer_size, --buffer-size=buffer_size : Set the operating system capture buffer size, in KB.

-c count : Stop capturing after the specified number of packets has been received.

-C file_size : Used together with -w file. Before writing a raw packet to the save file, tcpdump checks whether the file would exceed file_size; if so, the current file is closed and a new one is opened to continue saving packets. The new file's name is the one given to -w followed by a number, starting at 1 and incremented for each file created. file_size is in millions of bytes (1,000,000 bytes, not 1,048,576 bytes; the latter is the 1 KB = 1024 bytes, 1 MB = 1024 * 1024 = 1,048,576 bytes convention).

-d : Dump the compiled packet-matching code in a human-readable form to standard output.

-dd : Dump the compiled packet-matching code as a C program fragment to standard output.

-ddd : Dump the compiled packet-matching code as decimal numbers to standard output.

-D, --list-interfaces : Print the list of network interfaces on the system on which tcpdump can capture packets. For each interface a number, the interface name and possibly a description are printed. Either the name or the number can be given to the -i option to select the capture interface. This is useful on systems that have no command for listing interfaces (for example Windows, or UNIX systems lacking ifconfig -a); the number is useful on Windows 2000 and later, where interface names are complex and awkward to type. If the libpcap that tcpdump was built against is too old to provide pcap_findalldevs(), -D is not supported.

-e : Print the link-layer header on each output line.

-f : Print "foreign" (non-local) IPv4 addresses numerically rather than as names. This works around a defect in Sun's NIS server (NIS, Network Information Service, is the name service tcpdump consults to display names for external addresses): when looking up names for non-local addresses, the server often goes into an endless loop of queries.

The test for "foreign" IPv4 addresses uses the IPv4 address and netmask of the capture interface. If that address or netmask is unavailable, or the interface has no address and mask configured at all (on Linux the 'any' interface, which receives packets from every interface on the system, has none), this option does not work properly.

-F file : Use file as input for the filter expression; any expression given on the command line is ignored.

-G rotate_seconds : Similar to -C file_size. Where -C starts a new file when a size limit is reached, -G rotates to a new save file every rotate_seconds seconds. The file name is the one given to -w, which should include a time format string as defined by strftime(3); if no such format is included, each new file overwrites the previous one.

If used together with -C, the file name format is file<count>.

-h, --help : Print tcpdump's usage message and the libpcap version (libpcap is the packet capture library tcpdump uses on Unix/Linux platforms).

--version : Print the tcpdump and libpcap versions.

-i interface, --interface=interface : Listen on interface. If none is specified, tcpdump searches the system interface list for the lowest-numbered configured interface (excluding loopback) and stops at the first match.

On Linux with kernel 2.2 or later, the 'any' pseudo-interface can be used to capture packets from all interfaces (both packets addressed to an interface and packets merely passing through it). Note that captures on 'any' are not done in promiscuous mode: packets a real interface would only see in promiscuous mode cannot be captured through 'any'.

If -D is supported, the interface number it prints can be used as the interface argument here.

-l : Make standard output line buffered (each line is flushed as soon as a newline is written).

-L : List the data link types supported by the interface selected with -i and exit.

-m module : Load SMI MIB module definitions from the file module (SMI: Structure of Management Information; MIB: Management Information Base; both are used when decoding SNMP, Simple Network Management Protocol, packets).

This option can be given several times to load different MIB modules.

-M secret : If TCP segments carry the TCP-MD5 option (described in RFC 2385), use secret as the secret for validating their digests.

-n : Don't convert addresses (host addresses, port numbers, etc.) to names.

-N : Don't print the domain name qualification of host names; for example print 'nic' rather than 'nic.ddn.mil'.

-O, --no-optimize : Don't run the packet-matching code optimizer. Useful when you suspect a bug in the optimizer.

-p, --no-promiscuous-mode : Don't put the interface into promiscuous mode. Note that in special cases the interface may still end up in promiscuous mode for other reasons; hence -p cannot be used as shorthand for 'ether host {local-hw-addr}' or 'ether broadcast' (the former matches only frames whose Ethernet address is the host's own, the latter matches frames sent to the broadcast address).

-q : Quick (quiet) output: print less protocol information, so output lines are shorter.

-r file : Read packets from file; if file is '-', read from standard input.

-R : Assume ESP/AH packets are based on RFC1825 rather than RFC1829 (AH: Authentication Header; ESP: Encapsulating Security Payload; both belong to the IP security mechanisms). If set, tcpdump does not print the replay prevention field. Since the ESP/AH specification gives these packets no protocol version field, tcpdump cannot derive the version from the packet.

-s snaplen, --snapshot-length=snaplen : Capture snaplen bytes of data from each packet rather than the default 262144 bytes. Truncated packets are marked in the output with ''[|proto]'', where proto is the protocol level at which truncation occurred. Note that a larger snaplen increases per-packet processing time and reduces the number of packets tcpdump can buffer, which can cause packet loss; so use the smallest snaplen that still captures the data you need. Setting snaplen to 0 lets tcpdump choose the length needed to capture whole packets.

-S, --absolute-tcp-sequence-numbers : Print TCP sequence numbers as absolute values rather than relative ones. (Relative numbers are the difference from the first packet of the connection: if the first packet's absolute sequence number is 232323, tcpdump prints 1 and 2 for the second and third packets; with -S it prints their absolute numbers 232324 and 232325.)

-t : Don't print a timestamp on each line.

-tt : Print an unformatted timestamp on each line (a raw value such as 1261798315, whose meaning is not obvious at a glance).

-ttt : Print the delta, in milliseconds, between the current and the previous line.

-tttt : Print a date before the timestamp on each line.

-ttttt : Print the delta, in milliseconds, between the current line and the first line.

-T type : Force packets selected by the expression to be interpreted as type. Currently known types are:
 ( 1 ) aodv (Ad-hoc On-demand Distance Vector protocol, an on-demand distance vector routing protocol used in ad hoc, point-to-point networks);
 ( 2 ) cnfp (Cisco NetFlow protocol);
 ( 3 ) rpc (Remote Procedure Call);
 ( 4 ) rtp (Real-Time Applications protocol);
 ( 5 ) rtcp (Real-Time Applications control protocol);
 ( 6 ) snmp (Simple Network Management Protocol);
 ( 7 ) tftp (Trivial File Transfer Protocol);
 ( 8 ) vat (Visual Audio Tool, an application-layer protocol for Internet teleconferencing), and wb (distributed White Board, an application-layer protocol for web conferencing).

-u : Print undecoded NFS handles (a handle identifies a file used by NFS, including directories and the files within them).

-U : When used with -w, write each packet to the save file as soon as it is captured, rather than waiting for the output buffer to fill. -U has no effect with older versions of libpcap (the capture library tcpdump depends on) that lack pcap_dump_flush().

-v : Verbose output. For example, the time to live, identification, total length and options of IP packets are printed. This also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.

-vv : Even more verbose than -v. For example, additional fields in NFS (Network File System) reply packets are printed, and SMB (Server Message Block) packets are fully decoded.

-vvv : Even more verbose output. For example, telnet SB ... SE options are printed in full; combined with -X, telnet options are also printed in hex.

-w file : Write raw packets to file instead of parsing and printing them; the file can later be read back with -r for analysis and printing.

-W filecount : Used with -C, limits the number of files created; once the limit is reached, the files are overwritten in turn, starting with the oldest, forming a rotating buffer of filecount files. It also pads file names with enough leading zeros that the files sort correctly.

-x : Print the headers of each packet plus its data in hex (excluding the link-layer header); at most the smaller of the whole packet and snaplen bytes is printed. Note that if the upper-layer data is shorter than snaplen and the link layer (for example Ethernet) padded the frame, the padding is printed too.

-xx : Same as -x, but the link-layer header is included.

-X : Print the headers of each packet plus its data in both hex and ASCII (excluding the link-layer header). Very handy when analysing packets of a new protocol.

-XX : Same as -X, but the link-layer header is included.

-y datalinktype, --linktype=datalinktype : Set the data link type used while capturing to datalinktype.

-z postrotate-command : Used with -C or -G: run postrotate-command on each save file when it is closed. For instance, -z gzip or -z bzip2 compresses each saved file.

-Z user, --relinquish-privileges=user : Drop superuser privileges (tcpdump has them when started by root) by setting tcpdump's user ID to user and its group ID to user's primary group.

expression : The filter expression selecting which packets to capture. Without an expression, all packets between any two hosts on the network are captured.

3. Common examples

3.1 Monitor packets for the specified host

(1) Print all packets arriving at or departing from host sunrise (sunrise may be an IP address or a host name)


tcpdump host sunrise

(2) Print all packets between host A and B or C


tcpdump host A and \( B or C \)

(3) Print IP packets between ace and any other host except helios.


tcpdump ip host ace and not helios

3.2 Monitor packets for the specified network

(1) Print all communication packets between the local host and the host on the Berkeley network


tcpdump net ucb-ether

(2) Print all ftp packets passing through the gateway snup. Note that the expression is enclosed in single quotes, which prevents the shell from misinterpreting the parentheses


tcpdump 'gateway snup and (port ftp or ftp-data)'

(3) Print IP packets that are not on the local network


tcpdump ip and not net localnet

3.3 Monitor packets for the specified protocol

(1) Print the start and end packets (SYN and FIN) of TCP sessions where either the source or the destination is not on the local network. (nt: localnet is replaced by the name of your own network in actual use)


tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

(2) Print IP packets with a length of more than 576 bytes and a gateway address of snup


tcpdump 'gateway snup and ip[2:2] > 576'

ip[2:2] is the 16-bit total length field of the IP header, i.e. the length of the entire IP packet.

(3) Print ICMP packets other than 'echo request' or 'echo reply' (this expression is useful, for example, when you need to print all packets produced by programs other than ping). (nt: 'echo request' and 'echo reply' are the two types of ICMP packets normally generated by the ping program)


-A: In order to ASCII Code mode to display each 1 A packet ( Link layer header information in the packet is not displayed ) . When fetching packets containing web page data ,  Easy to view data 

-b : Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation

-B [buffer_size],--buffer-size=buffer_size : Sets the operating system capture buffer size, unit KB

-c [ Number of packets ] : The capture operation is stopped after the specified number of packets is received 

-C [file-size] And: -w [file] Options are used together. This option makes tcpdump Before saving the original packet directly to a file ,  Check that this file size is exceeded file-size . If exceeded, this file will be closed and created 1 Five files continue to save the original packet. Newly created file name and -w Option to specify the file name 1 to ,  But the filename is too long 1 A number, and that number is going to go from 1 Start to increase with the number of newly created files.  file-size The units are in megabytes (nt:  This refers to 1,000,000 bytes , Is not 1,048,576 bytes ,  The latter is 1024 bytes 1k, 1024k bytes 1M Calculate the ,  namely 1M=1024*1024  = 1,048,576)

-d : Converts the compiled packet encoding into a readable format and dumps it into standard output 

-dd : Converts the compiled packet encoding to C Language format and dump to standard output 

-ddd : Converts the compiled packet encoding to 10 Base number format and dump to standard output 

-D,--list-interfaces: All in the printing system tcpdump A network interface on which to capture packets. every 1 The interface will print out the number ,  The corresponding interface name ,  As well as 1 A description of a possible network interface. Where the network interface name and number can be used in tcpdump the -i [flag] options (nt: Replace names or Numbers flag),  To specify the network interface on which to capture packets. This option is useful on systems that do not support interface list commands (nt:  Such as , Windows  system ,  Or the lack of  ifconfig -a  the UNIX system );  The interface number is at windows 2000  Or later in the system ,  Because the interface names on these systems are complex ,  And not easy to use. if tcpdump What you depend on at compile time libpcap The library is too old ,-D  Options will not be supported ,  Because of the lack of  pcap_findalldevs() function 

-e : Each line of printout will include the packet's data link layer header information  

-f : Displays external IPv4 address (nt:foreign IPv4 addresses,  Can be understood as non-native ip address ),  Use Numbers instead of names. This option is used to deal with Sun The company's NIS Server defects (nt: NIS,  Network Information Service , tcpdump  The name service it provides is used to display the name of an external address ):  this NIS When a server looks up non-local address names, it often runs into an endless loop of queries )

 Because of the external (foreign)IPv4 The address test USES the local network interface (nt: tcpdump  The interface used to capture packets ) And its IPv4  Address and network mask .  If this address or network mask is not available ,  Or the interface does not have the appropriate network address and mask set at all (nt: linux  Under the  'any'  Network interfaces do not need to set addresses and masks ,  But this 'any' The interface can receive packets from all interfaces in the system ),  This option does not work properly. 

-F [file] :   use file File as input to the filter condition expression ,  Input on the command line is ignored 

-G [rotate_seconds] : similar to -C [file_size] Command options, -C Create a new file to store packets by file size, -G According to the specified period of time, the monitored packet will be written to a new file, the newly created file name by -w Option is specified, and the filename is followed by a time string, the format of which is specified by strftime(3) Specified. If the format of the time string is not specified, the new file overwrites the old one. 

 If the -C option If used together, the file name format will be file<count> . 

-h . --help : printing tcpdump Help information and libpcap Version information. ( nt : libpcap is unix/linux Network packet Capture function package under the platform 

--version : printing tcpdump and libpcap the version . 

-i [interface],--interface=interface :   The specified tcpdump  Interfaces that need to be listened to .  If not specified , tcpdump  The system interface list is searched for the smallest configured interface ( Do not include  loopback  interface ).1 But finding the first 1 Three qualified interfaces ,  The search is over. 

 When using 2.2 Version or later versions of the kernel Linux On the operating system , 'any' This virtual network interface can be used to receive all packets on the network interface (nt:  This includes those intended for the network interface , It also includes purposes other than the network interface ) . It is important to note that if the real network interface does not work in ' Mixed mode '(promiscuous) Under, can't be in 'any' Grab its packets on the virtual network interface. 

 if -D Flags are assigned , tcpdump The interface number in the system is printed, and that number is available here interface parameter 

-l : Row buffering of standard output (nt:  Enable standard output device encounters 1 A newline character immediately prints out the contents of the line )

-L : Lists the type of data link layer supported by the specified network interface and exits .(nt:  Specified interface through -i  To specify the )

-n : Does not convert a host's network address to a name 

-m [module]: through module The specified file loading SMI and MIB The module (nt: SMI . Structure of Management Information,  Management information structure; MIB, Management Information Base,  Manage the information base. Can be understood as , Both of these are used for SNMP(Simple Network Management Protoco) Protocol packet fetching. specific SNMP  How it works is unknown ,  Should be added another ) . 

 This option can be used multiple times ,  For the tcpdump Loaded differently MIB The module 

-M [secret] If: TCP The packet (TCP segments) There are TCP-MD5 options ( in RFC 2385 Related description ),  Specifies the validation of its summary 1 A public key secret

-n : Will not address ( Such as host address, port number, etc ) Convert to the corresponding name 

-N : Do not print the domain name qualification of the host name, such as print 'nic' Rather than 'nic.ddn.mil'

-O . --no-optimize : Does not enable the optimized code used for package matching .  When in doubt of some bug This is caused by optimizing the code ,  This option will be useful 

-p . --no-promiscuous-mode : Set the network interface to non ' mixed ' Mode. It is important to note, however, that in special cases the network interface will still end up with ' mixed ' Mode to work; Thus, -p Should not be used as a synonym for: 'ether host {local-hw-add}' or 'ether broadcast'(nt:  The former represents the Ethernet address matching only host The package ,  The latter represents the packet that matches the Ethernet address as the broadcast address 

-q  : Fast printout, that is, printing very little protocol-related information ,  So the output lines are shorter 

-r [file] : Reads the packet from the specified file, if file for '-' symbol ,  the tcpdump Packet data is read from standard input 

-R Setting: tcpdump right ESP/AH Packet parsing according to RFC1825 Rather than RFC1829(nt:AH : Authentication header, ESP : Secure load encapsulation, both of which will be used in IP In the secure transport mechanism of packets ) . If this option is set ,tcpdump It will not print ' Ban relay ' The domain (nt: relay prevention field) . In addition, since ESP/AH It's not in the specification ESP/AH Packets must have a protocol version number field, so tcpdump Cannot receive from ESP/AH The protocol version number is derived from the packet 

-s [snaplen] . --snapshot-length=snaplen :   Set up the tcpdump Is the capture length of the packet snaplen Not the default 262144 Bytes. If you have a packet truncation situation , tcpdump Will appear in the corresponding printout line ''[|proto]'' A sign of ( proto  The actual protocol hierarchy for the truncated packet is shown ).  One thing to note ,  Use long grab lengths (nt: snaplen The larger ),  Increases the processing time of the package ,  And it reduces tcpdump  The number of cacheable packets,   This can result in packet loss .  so ,  If we can grab the package we want ,  The smaller the grab length, the better. the snaplen  Set to 0 Mean letting tcpdump Automatically select the appropriate length to grab the packet 

-S . --absolute-tcp-sequence-numbers :   print TCP  The serial number of the packet ,  Use absolute sequence Numbers ,  It's not a relative sequence number .(nt:  Relative ordinal can be read as ,  Relative to the first 1 a TCP  Package sequence number difference , Such as ,  The receiving party receives a receipt 1 The absolute sequence number of the data packets is 232323,  For the later received one 2 a , The first 3 A packet , tcpdump Its serial number is printed 1, 2 And the 1 The gap of data packets is 1  and  2.  And if at this point -S  Options are set ,  For the later received one 2 a ,  The first 3 Data packets will print out their absolute sequence number :232324, 232325)

-t : Do not print a timestamp in each line of output 

-tt : The time per line of output is not formatted (nt:  This format 1 The eye may not see the meaning ,  Such as the time stamp printed as 1261798315)

-ttt : tcpdump When the output ,  There is a delay between every two lines of printing 1 A period of time in milliseconds 

-tttt : Adds a print date before the timestamp of each line print 

-ttttt : set per 1 The row is output relative to the row 1 Interval of rows, in milliseconds 

-T [type] : forced tcpdump According to the type The packet structure described by the specified protocol to analyze received packets. So far known type The preferred protocol is: 
 ( 1 ) aodv(Ad-hoc On-demand Distance Vector protocol,  On-demand distance vector routing protocol ,  in Ad hoc( Point to point mode ) In network use ) ; 
 ( 2 ) cnfp(Cisco NetFlow protocol) ; 
 ( 3 ) rpc(Remote Procedure Call) ; 
 ( 4 ) rtp(Real-Time Applications protocol) ; 
 ( 5 ) rtcp(Real-Time Applications con-trol protocol) ; 
 ( 6 ) snmp(Simple Network Management Protocol) ; 
 ( 7 ) tftp(Trivial File Transfer Protocol,  Broken file protocol ) ; 
 ( 8 ) vat(Visual Audio Tool Can be used in internet The application layer protocol for teleconferencing ),  As well as wb(distributed White Board , an application layer protocol for web conferencing )

-u : Print unencrypted NFS Handle ( nt : handle Can be understood as NFS Handle to the file used in ,  This will include folders and files in folders )

-U : make when tcpdump In the use of -w Option, whose file is written in sync with the save of the package. (nt : when each packet is saved ,  It will be written to the file in time , Rather than waiting for the output buffer of the file to be full before actually writing to the file ) . -U The logo is in the old version libpcap library (nt : tcpdump The message capture library on which it depends ) It doesn't work ,  Because of the lack of pcap_cump_flush() function 

-v : Produces detailed output. Such as the lifetime of the package, the logo, the total length, and IP The package 1 Some options. This will also open 1 Some additional package integrity checks,   Such as the IP or ICMP The checksum of the head 

-vv : than -v More detailed output. Such as NFS ( Network File System ) Additional fields in the response package will be printed, SMB ( Server Message Block The packet will also be fully decoded 

-vvv : More detailed output. For example, telent Used in the English language SB,SE The option will be printed ,  if telnet At the same time use -X Graphical interface options, whose corresponding graphical options will be 16 Print it out in base. 

-w [file] : Writes packet data directly to a file without analysis or printout, which can then be passed -r Option to reread and analyze and print 

-W [filecount] : Used together with -C. Limits the number of savefiles created; once filecount files exist, tcpdump wraps around and overwrites the first one again, so the files form a ring buffer of filecount files. The file number is padded with leading zeros so that the files sort correctly. (Used with -G instead, it limits the number of rotated files, and tcpdump exits once the limit is reached.)

-x : Print the headers of each packet and, in addition, the packet data in hex (the link-layer header is not included). The amount printed is the smaller of the whole packet and snaplen. Note that if the higher-layer data is shorter than snaplen and the link layer (e.g. Ethernet) padded the frame, the padding bytes are printed as well.

-xx : Like -x, but the hex dump includes the link-layer header.

-X : Print the headers of each packet and the packet data in both hex and ASCII (the link-layer header is not included). Convenient when analyzing the packets of a new protocol.

-XX : Like -X, but the dump includes the link-layer header.

-y [datalinktype], --linktype=datalinktype : Set the data link type used while capturing to datalinktype (the types an interface supports can be listed with -L).

-z [postrotate-command] : Used together with -C or -G: each time a savefile is closed, run "postrotate-command file" on it. For example, -z gzip or -z bzip2 compresses every saved file.

-Z [user], --relinquish-privileges=user : If tcpdump was started by root and therefore holds superuser privileges, drop them once the capture device (or input savefile) has been opened: the user ID is set to user and the group ID to user's primary group. Files written afterwards (-w, including every rotated file) are created as that user, so the output directory must be writable by it; "Permission denied" on the -w file is the usual symptom when it is not. Some distributions build tcpdump to drop to a dedicated unprivileged user by default, even without -Z.

expression : A filter expression selecting the packets to process. Without an expression, every packet seen on the interface is captured, whoever the two endpoints are.
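The -x/-xx/-X/-XX descriptions above are easier to follow with a dump in front of you. The following Python is an added example, not code from this article or from tcpdump: it renders a constructed Ethernet frame the way each of the four options would print it, and parses such a dump back into bytes, which is what you need when a text capture is all you have and you want the payload as a file. The column layout (a tab, a 0xNNNN offset, eight groups of two bytes, then the ASCII column two spaces later), the 14-byte Ethernet header length and the contiguity check in the parser are assumptions of this example; the frame's header fields are illustrative and its checksums are not valid.

```python
import re

# Added example, not tcpdump's own code. Reproduces the dump layout of
# tcpdump -x / -xx / -X / -XX (assumed here: tab, "0xNNNN:", two spaces, eight
# groups of two bytes, and for -X/-XX an ASCII column after two more spaces).
ETHER_HDR_LEN = 14          # -x and -X skip the link-layer header, -xx and -XX keep it
PREFIX_WIDTH = len("\t0x0000:  ")
HEX_WIDTH = 8 * 4 + 7       # eight 4-digit groups separated by single spaces


def dump_frame(frame, link_header=False, ascii_col=False, snaplen=262144):
    """Render `frame` (an Ethernet frame as bytes) as tcpdump would with:
       -x  : link_header=False, ascii_col=False
       -xx : link_header=True,  ascii_col=False
       -X  : link_header=False, ascii_col=True
       -XX : link_header=True,  ascii_col=True
    Only the first `snaplen` bytes of the frame are considered, mirroring a
    capture taken with a short -s."""
    data = frame[:snaplen]
    if not link_header:
        data = data[ETHER_HDR_LEN:]
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hex_part = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        line = "\t0x%04x:  %s" % (off, hex_part)
        if ascii_col:
            # isgraph() semantics: anything that is not a printable non-space
            # character, a space included, is shown as a dot.
            text = "".join(chr(b) if 32 < b < 127 else "." for b in chunk)
            line = line.ljust(PREFIX_WIDTH + HEX_WIDTH) + "  " + text
        lines.append(line)
    return "\n".join(lines)


DUMP_LINE_RE = re.compile(r"^\s*0x([0-9a-f]{4}):\s{2}(.*)$", re.I)


def parse_dump(text):
    """Recover the raw bytes from -x/-xx/-X/-XX output. Lines that are not dump
    lines (the per-packet summary line tcpdump prints first) are skipped, the
    ASCII column is discarded, and a gap in the offsets raises ValueError so a
    dump with a missing line is not silently turned into a shorter packet."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError("dump not contiguous at offset 0x%04x" % offset)
        hex_field = m.group(2).split("  ", 1)[0]   # everything before the ASCII column
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


# Constructed sample frame (not a real capture): Ethernet header, a minimal
# IPv4 + TCP header from 10.0.0.5 to 100.94.138.110 port 20700 (0x50dc), and a
# short HTTP payload. Checksums are placeholders.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455" "66778899aabb" "0800")                      # Ethernet
    + bytes.fromhex("45000038" "1c464000" "4006b1e6" "0a000005" "645e8a6e")  # IPv4
    + bytes.fromhex("c84250dc" "00000001" "00000000" "50180200" "00000000")  # TCP
    + b"GET / HTTP/1.0\r\n"
)

if __name__ == "__main__":
    for label, kw in (("-x", {}), ("-xx", {"link_header": True}),
                      ("-X", {"ascii_col": True}),
                      ("-XX", {"link_header": True, "ascii_col": True})):
        print(label)
        print(dump_frame(SAMPLE_FRAME, **kw))
    assert parse_dump(dump_frame(SAMPLE_FRAME, True, True)) == SAMPLE_FRAME
```

Running it prints the same 56 bytes four ways; compare the first line of -x (starts with 4500, the IPv4 header) with the first line of -xx (starts with the destination MAC) to see exactly what "link-layer header not included" means. Passing snaplen=40 shows how a short -s truncates what the dump can ever contain.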

3.4 Monitor packets for a specified host and port

(1) Capture all packets received by host 100.94.138.110 on interface eth1 with port number 20700.



Command option description: the options -l, -n, -X, -p and -s 0 (written together as -lnXps0) are explained in the option descriptions above; -c 10 means only 10 packets are captured before tcpdump stops.
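A capture like the one in 3.4, taken with -n (numeric addresses) and -tt (epoch timestamps), produces one summary line per packet that is easy to post-process. The following Python is an added example, not code from this article or from tcpdump: it parses such lines for IPv4 TCP/UDP traffic, applies the same host-and-port selection as the 3.4 example after the fact, and then goes a step beyond the article by flagging sources whose SYNs never received a SYN/ACK, the usual shape of a port scan. The summary-line layout, the sample lines and the handshake-matching rule are assumptions of this example; the sample is constructed, not a real capture.

```python
import re
from collections import defaultdict

# Added example, not code from the article or from tcpdump. Parses the one-line
# packet summaries printed by `tcpdump -n -tt` for IPv4 TCP/UDP traffic. Line
# layout assumed: epoch timestamp, "IP", "src.port > dst.port:", then
# per-protocol text ("Flags [..]" for TCP, "length N" where present).
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
LENGTH_RE = re.compile(r"\blength (?P<len>\d+)")


def parse_summary(line):
    """One tcpdump summary line -> dict, or None for lines in another format
    (ARP, IPv6, the continuation lines of -v output, ...)."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    flags = FLAGS_RE.search(rest)
    length = LENGTH_RE.search(rest)
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "proto": "tcp" if flags else "other",
        "flags": flags.group("flags") if flags else "",
        "length": int(length.group("len")) if length else 0,
    }


def parse_capture(text):
    return [r for r in (parse_summary(l) for l in text.splitlines()) if r]


def to_host_port(records, host, port):
    """Packets delivered to host:port, the selection of the 3.4 example
    (dst host ... and dst port ...) applied to already captured output."""
    return [r for r in records if r["dst"] == host and r["dport"] == port]


def unanswered_syns(records):
    """Per source address, the (dst, dport) pairs it sent a bare SYN to without
    a SYN/ACK coming back from that socket in the capture. One source with many
    such pairs is the classic shape of a port scan; a RST or silence on the
    probed port both count as unanswered."""
    syns = defaultdict(set)
    synacks = set()
    for r in records:
        if r["proto"] != "tcp":
            continue
        if r["flags"] == "S":
            syns[r["src"]].add((r["dst"], r["dport"], r["sport"]))
        elif r["flags"] == "S.":
            # server -> client: key it as (client, client port, server, server port)
            synacks.add((r["dst"], r["dport"], r["src"], r["sport"]))
    findings = {}
    for src, targets in syns.items():
        missing = sorted({(dst, dport) for dst, dport, sport in targets
                          if (src, sport, dst, dport) not in synacks})
        if missing:
            findings[src] = missing
    return findings


# Constructed sample output (not a real capture): one full handshake plus data
# to 100.94.138.110:20700, a scanner probing several ports, and a DNS query.
SAMPLE_OUTPUT = """\
1591962000.000100 IP 10.0.0.5.51234 > 100.94.138.110.20700: Flags [S], seq 3819478401, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
1591962000.000400 IP 100.94.138.110.20700 > 10.0.0.5.51234: Flags [S.], seq 2912345678, ack 3819478402, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
1591962000.000600 IP 10.0.0.5.51234 > 100.94.138.110.20700: Flags [.], ack 1, win 502, length 0
1591962000.001000 IP 10.0.0.5.51234 > 100.94.138.110.20700: Flags [P.], seq 1:41, ack 1, win 502, length 40
1591962001.000000 IP 10.0.0.9.40001 > 100.94.138.110.22: Flags [S], seq 100, win 1024, length 0
1591962001.000050 IP 100.94.138.110.22 > 10.0.0.9.40001: Flags [R.], seq 0, ack 101, win 0, length 0
1591962001.000100 IP 10.0.0.9.40002 > 100.94.138.110.80: Flags [S], seq 100, win 1024, length 0
1591962001.000200 IP 10.0.0.9.40003 > 100.94.138.110.443: Flags [S], seq 100, win 1024, length 0
1591962001.000300 IP 10.0.0.9.40004 > 100.94.138.110.20700: Flags [S], seq 100, win 1024, length 0
1591962001.000350 IP 100.94.138.110.20700 > 10.0.0.9.40004: Flags [S.], seq 5, ack 101, win 65160, length 0
1591962002.000000 IP 10.0.0.5.53211 > 100.94.138.110.53: 12345+ A? example.com. (29)
"""

if __name__ == "__main__":
    recs = parse_capture(SAMPLE_OUTPUT)
    print(len(to_host_port(recs, "100.94.138.110", 20700)), "packets to 100.94.138.110:20700")
    for src, ports in unanswered_syns(recs).items():
        print(src, "sent unanswered SYNs to", ports)
```

Two things the sample is built to show: the handshake from 10.0.0.5 is matched by the SYN/ACK that names its source port, so it is not reported, while 10.0.0.9 is reported for ports 22, 80 and 443 even though port 22 did answer with a RST. Feed it real output only from a capture taken with -n; with name resolution on, the address fields no longer match the regular expression.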

conclusion


