How to use tcpdump with examples
2013-12-23 16:34
1. What is tcpdump?
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w (write) flag, which causes it to save the packet data to a file for later analysis, and/or with the -r (read) flag, which causes it to read from a saved packet file rather than from a network interface. In all cases, only packets that match the boolean expression will be processed by tcpdump. Tcpdump will, if not run with the -c (count) flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.
When tcpdump finishes capturing packets, it will report counts of:
packets 'captured' (this is the number of packets that tcpdump has received and processed);
packets 'received by filter' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);
packets 'dropped by kernel' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).
Reading packets from a network interface may require that you have special privileges. Reading a saved packet file doesn't require special privileges.
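The three closing counts are the only signal tcpdump gives that a capture is incomplete, so a capture taken as evidence or for incident analysis should be checked for a non-zero 'dropped by kernel' line before anyone relies on it. The following Python snippet is an added example written for this page (not part of the original post or of tcpdump): it parses a constructed copy of that summary and flags drops. The summary text is made up; the line wording is the one tcpdump prints.

```python
import re

# Constructed example of the three summary lines tcpdump prints on stderr when it exits
SAMPLE_SUMMARY = """\
42 packets captured
57 packets received by filter
15 packets dropped by kernel
"""

# "1 packet captured" is singular, hence "packets?"
_LINE = re.compile(r"^\s*(\d+) packets? (captured|received by filter|dropped by kernel)\s*$")

REQUIRED = {"captured", "received by filter", "dropped by kernel"}


def parse_capture_summary(text):
    """Return {'captured': n, 'received by filter': n, 'dropped by kernel': n}
    from tcpdump's closing summary; raise if any of the three lines is absent."""
    counts = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    missing = REQUIRED - counts.keys()
    if missing:
        raise ValueError("summary incomplete, missing: " + ", ".join(sorted(missing)))
    return counts


def drop_fraction(counts):
    """Share of packets lost to buffer exhaustion, relative to what the kernel saw.
    'received by filter' is OS-dependent (see the description above), so this
    figure is only comparable between captures taken on the same OS."""
    seen = counts["received by filter"]
    return counts["dropped by kernel"] / seen if seen else 0.0


def capture_is_complete(counts):
    """True only when the kernel dropped nothing; a capture with drops has gaps
    that no amount of later filtering can recover."""
    return counts["dropped by kernel"] == 0


if __name__ == "__main__":
    c = parse_capture_summary(SAMPLE_SUMMARY)
    print(c)
    print("drop fraction: %.1f%%" % (100 * drop_fraction(c)))
    print("complete:", capture_is_complete(c))
```

In practice the summary is read from tcpdump's stderr (for example `tcpdump ... 2> summary.txt`); a drop fraction above zero is the cue to raise the capture buffer (-B on Linux builds), tighten the filter, or write to a file with -w instead of decoding on the fly.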
2. Capture packets from a particular network interface using -i option
When you execute the tcpdump command without any option, it captures all the packets flowing through all the interfaces. The -i option lets you restrict the capture to a particular network interface. In this example, tcpdump captured all the packets flowing through the interface lo and displayed them on standard output.
3. Capture only N number of packets using -c option
When you execute the tcpdump command it keeps printing packets until you cancel it. With the -c option you can specify the number of packets to capture. The above tcpdump command captured only 2 packets from interface lo.
4. Display captured packets in ASCII using -A option
The following tcpdump syntax prints the packet in ASCII.
5. Display captured packets in HEX and ASCII using -XX option
Some users might want to analyse the packets in hex values. Tcpdump provides a way to print packets in both ASCII and HEX format.
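As an added illustration (example code written for this page, not tcpdump's own source), the Python below reproduces the layout of tcpdump's hex-and-ASCII output: one 16-byte row per line, the offset in hex, bytes grouped in pairs, and an ASCII column in which non-graphic bytes (including spaces) appear as '.'. SAMPLE_FRAME is a constructed Ethernet/IPv4 frame with made-up addresses; dump_X and dump_XX show the difference between -X, which skips the link-level header, and -XX, which includes it.

```python
ETH_HDR_LEN = 14  # Ethernet II header: dst MAC, src MAC, EtherType

# Constructed frame (addresses and checksum are made up): Ethernet header,
# 20-byte IPv4 header, then a short HTTP payload
SAMPLE_FRAME = (
    bytes.fromhex("0242ac110002" "0242ac110003" "0800")
    + bytes.fromhex("450000241c46400040060000c0a80001c0a80002")
    + b"GET / HTTP/1.1\r\n"
)


def hexdump(data, indent="\t"):
    """Render bytes in tcpdump's hex+ASCII layout, one line per 16 bytes."""
    lines = []
    for offset in range(0, len(data), 16):
        chunk = data[offset:offset + 16]
        # pairs of bytes as 4 hex digits each; a trailing odd byte becomes 2 digits
        hexpart = " " + " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        # only graphic ASCII (0x21..0x7e) is shown literally, everything else as '.'
        asciipart = "".join(chr(b) if 0x21 <= b <= 0x7e else "." for b in chunk)
        # hex column is padded to 40 characters so the ASCII column lines up
        lines.append(f"{indent}0x{offset:04x}: {hexpart:<40}  {asciipart}")
    return lines


def dump_X(frame):
    """What tcpdump -X shows: the packet minus its link-level header."""
    return hexdump(frame[ETH_HDR_LEN:])


def dump_XX(frame):
    """What tcpdump -XX shows: the whole frame including the link-level header."""
    return hexdump(frame)


if __name__ == "__main__":
    print("-X  (no Ethernet header):")
    print("\n".join(dump_X(SAMPLE_FRAME)))
    print("-XX (with Ethernet header):")
    print("\n".join(dump_XX(SAMPLE_FRAME)))
```

Comparing the two dumps makes the offsets in the -XX output easy to read: the IPv4 version byte 0x45 that opens the -X output sits at offset 0x000e in -XX, right after the 14 header bytes.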
6. Capture the packets and write into a file using -w option
Tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis. The -w option writes the packets into a given file. The file extension should be .pcap, which can be read by any network protocol analyzer.
7. Reading the packets from a saved file using -r option
You can read the captured pcap file and view the packets for analysis, as shown below.
8. Capture packets with IP address using -n option
In all the above examples, it prints packets with the DNS name rather than the IP address. The following example captures packets and displays the IP addresses of the machines involved.
9. Capture packets with proper readable timestamp using -tttt option
10. Read packets longer than N bytes
You can receive only the packets greater than N bytes using the filter 'greater' with the tcpdump command:
tcpdump -i lo greater 1024
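As an added worked example that is not part of the original post, the Python below writes a classic pcap file of the kind tcpdump -w produces, reads it back the way tcpdump -r does (section 7), applies the 'greater 1024' test from section 10 to the records, and formats a record's timestamp the way -tttt prints it (section 9). The frames and timestamps are constructed; the file layout (24-byte global header, 16-byte per-record headers, little-endian or byte-swapped magic) is the documented classic pcap format. One caveat worth knowing: in pcap-filter syntax 'greater N' is shorthand for 'len >= N', so a packet of exactly 1024 bytes does match 'greater 1024', which the example shows.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic seen from a machine of the other byte order
LINKTYPE_ETHERNET = 1


def write_pcap(path, records, snaplen=65535):
    """Write (sec, usec, frame) records as a pcap file, as `tcpdump -w` would."""
    with open(path, "wb") as f:
        # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for sec, usec, frame in records:
            stored = frame[:snaplen]  # the snaplen truncates what is stored, not orig_len
            # record header: ts_sec, ts_usec, incl_len (bytes stored), orig_len (on the wire)
            f.write(struct.pack("<IIII", sec, usec, len(stored), len(frame)))
            f.write(stored)


def read_pcap(path):
    """Parse a pcap file into (sec, usec, orig_len, frame) tuples, as `tcpdump -r` does."""
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) < 24:
            raise ValueError("file too short for a pcap global header")
        magic = struct.unpack("<I", header[:4])[0]
        if magic == PCAP_MAGIC:
            end = "<"
        elif magic == PCAP_MAGIC_SWAPPED:
            end = ">"  # file was written by a big-endian host
        else:
            raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
        _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(end + "IHHiIII", header)
        records = []
        while True:
            rec = f.read(16)
            if not rec:
                break
            if len(rec) < 16:
                raise ValueError("truncated record header")
            sec, usec, incl_len, orig_len = struct.unpack(end + "IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated packet data")
            records.append((sec, usec, orig_len, frame))
        return linktype, records


def greater(records, length):
    """tcpdump's `greater N` primitive: true when the on-wire length is >= N."""
    return [r for r in records if r[2] >= length]


def format_tttt(sec, usec, tz=timezone.utc):
    """Render a timestamp like `tcpdump -tttt` (YYYY-MM-DD HH:MM:SS.uuuuuu).
    tcpdump prints local time; UTC is the default here so output is reproducible."""
    dt = datetime.fromtimestamp(sec, tz)
    return f"{dt:%Y-%m-%d %H:%M:%S}.{usec:06d}"


def make_frame(total_len):
    """Constructed Ethernet frame of the requested length: header plus zero filler."""
    eth = bytes.fromhex("ffffffffffff" "0242ac110002" "0800")
    return eth + b"\x00" * (total_len - len(eth))


def demo():
    # constructed capture: one frame sits exactly on the 1024-byte boundary
    records = [
        (1387787640, 123456, make_frame(60)),
        (1387787640, 500000, make_frame(1024)),
        (1387787641, 0, make_frame(1500)),
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, records)
        linktype, parsed = read_pcap(path)
    finally:
        os.remove(path)
    return {
        "linktype": linktype,
        "count": len(parsed),
        "greater_1024": [r[2] for r in greater(parsed, 1024)],
        "first_ts": format_tttt(parsed[0][0], parsed[0][1]),
    }


if __name__ == "__main__":
    print(demo())
```

The file this writes opens in Wireshark or with `tcpdump -r`, which is a quick way to confirm that a reader you wrote yourself agrees with the reference tools before trusting it on a real capture.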