Let me look at the example code first:

1. Common parameters

    tcpdump -i eth0 -nn -s0 -v port 80

   -i        Select the network interface to capture on
   -nn       Do not resolve host names or port numbers; on a busy link, name resolution slows the capture down
   -s0       Unlimited snapshot length, so whole packets are captured
   -v        More detailed output
   port 80   Port filter: capture only traffic on port 80, usually HTTP

2. Print packet contents

    tcpdump -A -s0 port 80

   -A   Print the payload as ASCII
   -X   Print the payload as hexadecimal and ASCII

3. Protocol filter

    tcpdump -i eth0 udp

   udp        Capture only UDP traffic
   proto 17   IP protocol number 17 is UDP, so this is equivalent to udp
   proto 6    IP protocol number 6 is TCP

4. Host filter

    tcpdump -i eth0 host 10.10.1.1

   host   Filter by IP address, as source or destination

5. Direction filters

    tcpdump -i eth0 dst 10.105.38.204

   dst   Filter by destination IP
   src   Filter by source IP

6. Write to a file

    tcpdump -i eth0 -s0 -w test.pcap

   -w   Write the raw packets to a file that can be opened in Wireshark

7. Pipe into other tools

    tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

   -l   Line-buffer the output, so lines reach grep and similar pipeline commands as they are captured instead of in large blocks

8. Combining filters

   and or &&, or or ||, not or !

9. Quickly extract HTTP User-Agent headers

    tcpdump -nn -A -s1500 -l | grep "User-Agent:"

   Use egrep (grep -E on current systems) to match User-Agent and Host at once:

    tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

10. Match GET requests

    tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

   tcp[12:1] & 0xf0 is the TCP data-offset nibble (header length in 32-bit words); shifting it right by 2 turns it into the header length in bytes, so tcp[...:4] reads the first four bytes of the payload regardless of any TCP options. 0x47455420 is the ASCII string "GET ".

   Match POST requests (0x504f5354 is "POST"). The POST body is often sent in a separate segment from the request line, so this matches the segment carrying the request header but not necessarily the one carrying the form data:

    tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

11. Match HTTP request headers

    tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

   Match some POST form data:

    tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

   Match cookie headers:

    tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

12. Capture DNS requests and responses

    tcpdump -i eth0 -s0 port 53

13. Capture with tcpdump, view in Wireshark

   Connect to the server over ssh, run tcpdump there, and stream the capture into a local Wireshark:

    ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

   The same as a non-root user with sudo on the remote side:

    ssh <user>@remotesystem 'sudo tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

   -w - writes the capture to stdout, -k tells Wireshark to start capturing from stdin immediately, and 'not port 22' keeps the ssh session that carries the capture out of the capture itself.

14. Use the shell to list the most frequent source IPs

    tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

   -t drops the timestamp so each line begins with the source address; cut keeps the first four dot-separated fields (the source IP), and sort | uniq -c | sort -nr counts and ranks them.

15. Capture DHCP requests and responses

    tcpdump -v -n port 67 or 68
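The arithmetic inside the filters in items 10 and 11 is easy to get wrong, so here is an added example, not part of the original post, that re-implements tcp[((tcp[12:1] & 0xf0) >> 2):4] in Python and runs it over constructed TCP segments (no live capture, no IP header; the ports, sequence numbers and the timestamp option are made-up values). It shows why the data-offset lookup is needed once TCP options are present, and why a POST body carried in its own segment is not matched, which is the caveat under item 10.

```python
"""Re-implementation of the tcpdump filter
    tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
in Python, run over constructed TCP segments (no live capture needed).
"""
import struct
from typing import Optional

# Four-byte constants from the tcpdump expressions: big-endian "GET " and "POST".
HTTP_GET = 0x47455420
HTTP_POST = 0x504F5354

# Constructed TCP timestamp option (NOP, NOP, kind 8, length 10, two 32-bit
# values): 12 bytes, so the TCP header grows from 20 to 32 bytes.
TIMESTAMP_OPTION = b"\x01\x01\x08\x0a" + struct.pack("!II", 123456, 0)


def tcp_payload_offset(tcp: bytes) -> int:
    """Byte offset of the payload: ((tcp[12:1] & 0xf0) >> 2).

    The upper nibble of byte 12 is the header length in 32-bit words.
    Shifting the nibble right by 2 (instead of right by 4, then left by 2)
    multiplies by 4 in one step, giving the header length in bytes.
    """
    return (tcp[12] & 0xF0) >> 2


def first_payload_word(tcp: bytes) -> Optional[int]:
    """tcp[offset:4] as an unsigned 32-bit integer.

    Returns None when the segment has fewer than four payload bytes; BPF
    treats such an out-of-bounds read as "no match", so None models that.
    """
    off = tcp_payload_offset(tcp)
    if len(tcp) < off + 4:
        return None
    return struct.unpack("!I", tcp[off:off + 4])[0]


def matches_method(tcp: bytes, method_word: int) -> bool:
    """Equivalent of the full filter expression for one segment."""
    return first_payload_word(tcp) == method_word


def naive_fixed_offset_match(tcp: bytes, method_word: int) -> bool:
    """What a filter written as tcp[20:4] = 0x... would do: assume a 20-byte header.

    Wrong as soon as the segment carries TCP options, which is why the
    page's filter computes the offset from the data-offset field instead.
    """
    if len(tcp) < 24:
        return False
    return struct.unpack("!I", tcp[20:24])[0] == method_word


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment (no IP header) for the demo.

    Ports, sequence numbers and checksum are dummy values; only the data
    offset field and the payload matter to the filter.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to 32-bit words")
    header_words = (20 + len(options)) // 4
    offset_and_flags = (header_words << 12) | 0x018  # data offset, PSH|ACK
    header = struct.pack(
        "!HHIIHHHH",
        54321, 80,         # source port, destination port
        1, 1,              # sequence, acknowledgement
        offset_and_flags,
        65535, 0, 0,       # window, checksum (unset), urgent pointer
    )
    return header + options + payload


def demo() -> dict:
    """Run the filter over constructed segments; returns name -> matched."""
    request = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    get_plain = build_tcp_segment(request)
    get_opts = build_tcp_segment(request, options=TIMESTAMP_OPTION)
    post_head = build_tcp_segment(b"POST /login HTTP/1.1\r\nHost: example\r\n\r\n")
    post_body = build_tcp_segment(b"user=a&passwd=hunter2")  # body in its own segment
    pure_ack = build_tcp_segment(b"")
    return {
        "GET, 20-byte header": matches_method(get_plain, HTTP_GET),
        "GET, 32-byte header (options)": matches_method(get_opts, HTTP_GET),
        "GET, 32-byte header, fixed tcp[20:4]": naive_fixed_offset_match(get_opts, HTTP_GET),
        "POST request line": matches_method(post_head, HTTP_POST),
        "POST body segment": matches_method(post_body, HTTP_POST),
        "empty ACK": matches_method(pure_ack, HTTP_GET),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}")
```

The two GET cases match while the fixed-offset variant misses the segment with options, and the POST body segment does not match at all: to see form data with this filter you still need the -A output of the header segment, or the egrep patterns from item 11 over all segments.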