tcpdump syntax:
tcpdump [options] [Protocol] [Direction] [Host(s)] [Value] [Logical Operations] [Other expression]
Commonly used options:
-i any : Listen on all interfaces just to see if you're seeing any traffic.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c N : Capture N packets and then stop.
-s N : Set the snapshot length (bytes captured per packet). Use -s0 to capture whole packets unless you intentionally want less; older tcpdump versions truncated packets by default, recent ones already default to a large snaplen.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPsec ESP traffic given the SPI and key (spi@ipaddr algo:secret).
-A : Display captured packets in ASCII.
-w /path/to/some_file : Capture the packets and write into a file
-r /path/from/some_file : Reading the packets from a saved file
-tttt : Print a human-readable date and time stamp on each packet.
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp (newer versions also accept ip6, icmp, icmp6 and sctp, among others).
If no protocol is specified, all protocols are matched.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, "src or dst" is applied (the default is src or dst).
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values: net, port, host, portrange.
If no keyword is given in this position, "host" is assumed.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
(1) AND
and, or equivalently &&
(2) OR
or, or equivalently ||
(3) EXCEPT
not, or equivalently !
Negation binds tightest; and/or have equal precedence and are evaluated left to right, so "a or b and c" means "(a or b) and c". Use parentheses to group, and escape or quote them so the shell does not interpret them.
Normally, starting tcpdump with no arguments monitors every packet passing through the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
Use the -i option to specify the interface tcpdump listens on, which is very useful when the machine has several interfaces,
use the -c option to specify how many packets to capture,
and use the -w option to write the captured packets to a file.
A. To capture all packets received or sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
B. To capture traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (when using parentheses on the command line, they must be escaped so the shell does not interpret them):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
C. To capture IP packets between host 210.27.48.1 and every host except 210.27.48.2("not" is equivalent to "!" and avoids any shell history-expansion surprises):
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D. To capture telnet packets received or sent by host 210.27.48.1 (primitives must be joined with "and"; simply juxtaposing "port 23 host ..." is a syntax error):
# tcpdump tcp port 23 and host 210.27.48.1
E. To monitor UDP port 123 on the local machine (123 is the NTP service port):
# tcpdump udp port 123
F. To monitor only the traffic of the host named hostname. The host name may be the local machine or any computer on the network. The following command captures all packets sent by host hostname:
# tcpdump -i eth0 src host hostname
G. The following command monitors all packets sent to host hostname:
# tcpdump -i eth0 dst host hostname
H. Packets passing through a given gateway can also be monitored. Note that "gateway" matches packets whose Ethernet source or destination is the gateway but whose IP source and destination are not, so the name must resolve both to an IP address and to an Ethernet address (e.g. via /etc/ethers):
# tcpdump -i eth0 gateway Gatewayname
I. To monitor TCP or UDP packets addressed to a given port on a host, run:
# tcpdump -i eth0 host hostname and port 80
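To make the qualifier defaults and operator rules above concrete, here is an added example that is not from the original page and is not tcpdump or libpcap code: a small Python evaluator for the subset of the filter grammar used in examples A to I (protocol, direction, type, and/or/not, parentheses), run over a constructed packet list. The PACKETS records are constructed test data, the supported grammar subset is an assumption, and ARP packets are modelled without addresses for simplicity; libpcap's real compiler handles far more.

```python
"""Mini evaluator for the tcpdump filter subset used in examples A-I (added example).

Protocol: ip/tcp/udp/arp; direction: src, dst, src or dst, src and dst (default
"src or dst"); type: host, net, port, portrange (default "host"); and/or/not with
pcap-filter's equal, left-to-right precedence for and/or.
"""
import ipaddress
import re

# Constructed sample packets (not a real capture), using the hosts from examples A-E.
PACKETS = [
    {"proto": "tcp", "src": "210.27.48.1", "dst": "210.27.48.2", "sport": 40000, "dport": 23},
    {"proto": "tcp", "src": "210.27.48.3", "dst": "210.27.48.1", "sport": 40001, "dport": 23},
    {"proto": "udp", "src": "10.1.1.1", "dst": "210.27.48.1", "sport": 123, "dport": 123},
    {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 5555, "dport": 80},
    {"proto": "arp", "src": None, "dst": None, "sport": None, "dport": None},  # no IP fields (simplification)
]

PROTOS = {"ip", "tcp", "udp", "arp"}
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
OPS = {"and", "&&", "or", "||"}
STOP = OPS | {"not", "!", "(", ")"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!&|]+")


def tokenize(expr):
    # Drop the backslashes used to escape parentheses from the shell.
    return TOKEN_RE.findall(expr.replace("\\", ""))


class Parser:
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self, k=0):
        return self.toks[self.i + k] if self.i + k < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        # pcap-filter(7): and/or have equal precedence and associate left to right.
        while self.peek() in OPS:
            op = "and" if self.take() in ("and", "&&") else "or"
            node = (op, node, self.term())
        return node

    def term(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.term())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        if direction and self.peek() in ("or", "and") and self.peek(1) in DIRS:
            direction = f"{direction} {self.take()} {self.take()}"  # "src or dst" / "src and dst"
        kind = self.take() if self.peek() in TYPES else None
        value = self.take() if self.peek() is not None and self.peek() not in STOP else None
        if value is None:
            if proto and not direction and not kind:
                return ("proto", proto)  # bare "tcp", "udp", "ip", "arp"
            raise SyntaxError("qualifier without a value")
        if kind is None:  # the page's default type is "host"; a CIDR value implies "net"
            kind = "net" if "/" in value else "host"
        return ("prim", proto, direction or "src or dst", kind, value)


def proto_ok(pkt, proto):
    if proto == "ip":
        return pkt["proto"] in ("tcp", "udp")  # our IP packets carry tcp or udp
    return proto is None or pkt["proto"] == proto


def side_match(pkt, kind, value, side):
    if kind == "host":
        return pkt[side] == value
    if kind == "net":
        return ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(value, strict=False)
    port = pkt["sport" if side == "src" else "dport"]
    if kind == "port":
        return port == int(value)
    lo, hi = (int(x) for x in value.split("-"))  # portrange lo-hi
    return lo <= port <= hi


def evaluate(node, pkt):
    tag = node[0]
    if tag == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if tag == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if tag == "not":
        return not evaluate(node[1], pkt)
    if tag == "proto":
        return proto_ok(pkt, node[1])
    _, proto, direction, kind, value = node
    if not proto_ok(pkt, proto) or pkt["src"] is None:  # only IP packets carry addresses/ports here
        return False
    src, dst = side_match(pkt, kind, value, "src"), side_match(pkt, kind, value, "dst")
    return {"src": src, "dst": dst, "src or dst": src or dst, "src and dst": src and dst}[direction]


def select(expr, packets=PACKETS):
    """Return the indexes of packets matching a tcpdump-style filter expression."""
    tree = Parser(expr).parse()
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]


if __name__ == "__main__":
    for f in ("host 210.27.48.1", r"host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)",
              "ip host 210.27.48.1 and ! 210.27.48.2", "src host 10.1.1.1 or udp and port 80"):
        print(f"{f!r:60} -> {select(f)}")
```

The last expression in the usage loop is the one worth remembering: because and/or share one precedence level, "src host 10.1.1.1 or udp and port 80" selects only the packet to port 80, not every packet from 10.1.1.1; write "src host 10.1.1.1 or \( udp and port 80 \)" if that is what you meant.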