tcpdump command example in Linux detail
- 2021-01-06 00:49:30
Use simple words to define tcpdump, be: dump the traffic on a network, according to the definition of users on the network data packets intercepted packet analysis tools. ES11en can completely intercept the "header" of the packet sent over the network for analysis. It supports filtering for network layer, protocol, host, network, or port, and provides and, or, not, and other logical statements to help you remove unwanted information.
Speaking of the tcpdump command, I have to mention that I participated in the development and implementation of the 3rd generation CRM system of China Mobile Inner Mongolia Branch. If I remember correctly, it should be 2016, when I was solely in charge of the overall transformation of the self-service channels of the 10086 customer service system. During the system pressure test phase, there is always a timeout phenomenon when the interface platform is called. Later, this problem became more and more serious, and the short hall channel and CBOSS channel also reported this problem. At this time, this problem was brought to the attention of the big BOSS, and then various experts consulted. In this kind of large-scale project, the expert consultation has one characteristic, that is, the expert directs, the younger brother does the work, and I was the younger brother at that time.
All right, the experts have spoken. Catch the bag first. This began my work on catching the bag, and began my full understanding of tcpdump.
First of all, tcpdump is a very powerful command. It is powerful, which means that it is very complicated to use, which means that I have a lot of things to tidy up. If you want to master the entire tcpdump command, you'll have to be a little patient to read the entire article. OK,Let's go!
Introduction of the command
tcpdump is a powerful network packet capture tool, running on the Linux platform. Familiarity with ES39en can help us analyze and debug network data. However, in order to have a good command of tcpdump, you must have some understanding of network packets (TCP/IP protocol). But for simple use, all you need is a network - based concept.
As the classic system administrator necessary tools on the Internet, tcpdump with its powerful functions, flexible interception strategy, become every senior system administrator analysis network, troubleshooting problems and other necessary tools of 1. In practice, this command needs to be executed with ES46en permissions.
tcpdump is a very complex commands, want to understand all aspects of it is very difficult, also not recommended, to be able to use it to solve problems in daily work is the key, so the following I will focus more on the end of the starting from the actual work, organize more often used in practical work of usage, for some less popular usage, 1 I basic not involved here, if in the work was used in the future, I will update in here.
The following is a summary of some common tcpdump1 options.
Although the tcpdump command has a large number of options, the above options are the only ones commonly used. I will focus more on using examples to learn the tcpdump command.
First for the use of detailed examples, it is necessary to master some basic theoretical knowledge of tcpdump1 use, first about the filter.
On the server of the network packet is abnormal, many times we only pay attention to and specific issues related to data packets, and the useful message 1 account for only a small part, in order to not let us lose yourself in the sea of message, we is very necessary to study 1 tcpdump provide flexible and powerful filters.
Filters can also be simply classified into three categories: type, dir, and proto.
type: It is mainly used to distinguish the source types of filtered messages, which are mainly composed of host host messages, net network segment messages and port specified port messages.
dir: Filters only source and destination addresses of packets, mainly including src source and dst destination addresses;
proto: Filters only the protocol type of packet, supports tcp, udp, icmp, etc. The proto keyword can be omitted when used:
tcpdump -i eth1 arp
tcpdump -i eth1 ip
tcpdump -i eth1 tcp
tcpdump -i eth1 udp
tcpdump -i eth1 icmp
These filters are necessary for the use of the tcpdump command.
In the vast network, want to find the network package that you want, still have a certain difficulty. In order to catch the network packet we want, the more restrictions we include in the packet capture command, the fewer irrelevant packets will be caught, so we can use the "and" (and, and, & & ), "or" (or, | |) and "not" (not,!) To combine multiple conditions. This is useful when we need to analyze network packets based on certain conditions.
Using the instance
tcpdump -i eth1
Description: Monitor packets for the specified network interface
tcpdump host 184.108.40.206
Description: Intercept all packets received and sent by host 220.127.116.11
tcpdump host 18.104.22.168 and (22.214.171.124 or 126.96.36.199)
Description: Intercept all packets of communication between host 188.8.131.52 and host 184.108.40.206 or host 220.127.116.11
tcpdump net 192.168.1.0/24
Description: Intercepted 192.168.1.0/24 whole network packets
tcpdump -i eth0 src host 18.104.22.168
Note: Monitor all network packets on eth0 network card whose source address is 22.214.171.124
tcpdump -i eth1 ip0
Note: Monitor all network packets with destination address 126.96.36.199 on eth0 network card
tcpdump tcp port 23 and host 188.8.131.52
Note: Get all TCP protocol packets sent and received by an application on port 23 on host 184.108.40.206
tcpdump udp port 123
Note: Get all UDP protocol packets sent and received on port 123 on the machine
tcpdump src host 10.126.1.222 and dst net 10.126.1.0/24
Description: The intercepted source master address is 10.126.1.222, the destination address is 10.126.1.0/24 network
tcpdump -i eth0 -s0 -G 60 -Z root -w %Y_%m%d_%H%M_%S.pcap
Instructions: Save the message according to the specified time interval after fetching the message; -G option is followed by time in seconds; The above command is to survive a file every 60 seconds
tcpdump -i eth0 -s0 -C 1 -Z root -w eth0Packet.pcap
Instructions: Save the specified message size after fetching the message; -C option is followed by file size in MB; The above command is to use a new file to save the captured packet every time the captured packet reaches 1MB
As mentioned above, tcpdump captures the packet and generates the corresponding file. How to analyze this file? Yes, there is a software called "Wireshark", which can be perfectly combined with tcpdump to provide a visual analysis interface. If you are interested, you can go to learn 1. If you have time later, I will also compile a "Wireshark" introductory series.
The delay time is relatively long, finally finished finishing! Of course, tcpdump is not a very complex command, but what I have compiled here will definitely not affect your use of tcpdump in your work. It is the same "28 rule". For complex commands, only 20% of common functions are used, while the remaining 80% are remote and cold functions, or functions rarely used in work.