tcpdump
| Abstract | tcpdump |
|---|---|
| Authors | Walter Fan |
| Status | v1 |
| Updated | 2024-08-21 |
Introduction

```text
tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
        [ -Q in|out|inout ]
        [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
        [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
        [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
        [ -Z user ] [ expression ]
```
This dumps everything from the ens192 interface into a file, with the details (full packets, no name resolution) that are useful when opening it in Wireshark:

```bash
tcpdump -i ens192 -Xvnp -s0 -w /tmp/tcpdump1116.pcap
```

To capture 10 instances of a particular mini-carousel:

```bash
tcpdump -i eth0 -Xvnp -c 10 -s 0 dst host 232.1.0.15
```

To capture all traffic to and from a particular QAM and save it to a capture file (options first, filter expression last):

```bash
tcpdump -i eth1 -Xvnp -s 0 -w /tmp/QAMLongCap.pcap host 172.16.4.45
```

To see a particular port:

```bash
tcpdump -i eth0 port 677
```

To capture 10 files of 5 MB each for the discovery services (-C sets the size of each file in MB, -W the number of files to rotate through before overwriting):

```bash
tcpdump -ni eth0 -s0 -C 5 -W 10 -w /tmp/wireshark.pcap udp dst port 13819
```

-G seconds rotates the capture file every given number of seconds, so the recording time per file is also bounded.

-S will not convert the port number to its most commonly used service name (the host/dest then displays as 10.18.11.20.995 instead of 10.18.11.20.pop3s).
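The file written by `-w` is the classic libpcap format, and the `-s 0` advice above matters because each record stores both the captured length and the original on-wire length. The following added example (not part of the original page) parses such a file image and reports packets that were clipped by a too-small snaplen; `sample_capture()` builds a constructed two-packet file inline so it runs offline.

```python
import struct
from typing import NamedTuple
# Magic numbers of the classic libpcap format that `tcpdump -w` writes.
MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (the default)
MAGIC_NSEC = 0xA1B23C4D   # written with --time-stamp-precision=nano

class Header(NamedTuple):
    snaplen: int       # the -s value in effect when the file was written
    linktype: int      # DLT; 1 = EN10MB (Ethernet), what -y selects
    nanosecond: bool

class Packet(NamedTuple):
    ts: float
    caplen: int        # bytes actually stored in the file
    origlen: int       # bytes that were on the wire
    data: bytes

def parse_pcap(blob: bytes):
    """Parse an in-memory libpcap file image; returns (Header, [Packet])."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # byte-swapped: big-endian writer
        endian = ">"
        magic = struct.unpack(">I", blob[:4])[0]
    else:
        raise ValueError("not a classic pcap file (pcapng or garbage?)")
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    pkts, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("file ends inside a record header")
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        data = blob[off + 16:off + 16 + caplen]
        if len(data) != caplen:
            raise ValueError("file ends inside a packet (capture interrupted?)")
        ts = sec + frac / (1e9 if magic == MAGIC_NSEC else 1e6)
        pkts.append(Packet(ts, caplen, origlen, data))
        off += 16 + caplen
    return Header(snaplen, linktype, magic == MAGIC_NSEC), pkts

def truncated(pkts):
    """Packets clipped by the snaplen: caplen < origlen means -s was too small."""
    return [p for p in pkts if p.caplen < p.origlen]

def sample_capture() -> bytes:
    """Constructed file image: snaplen 64, Ethernet, two records, the second clipped."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 64, 1)
    rec1 = struct.pack("<IIII", 1700000000, 1000, 60, 60) + b"\xaa" * 60
    rec2 = struct.pack("<IIII", 1700000001, 2000, 64, 1500) + b"\xbb" * 64
    return hdr + rec1 + rec2
```

To check a real capture, call `parse_pcap(open(path, "rb").read())` and look at `truncated(...)`; any hits mean the file was written with a snaplen smaller than the packets on the wire.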
Example
Short examples:

```bash
tcpdump -i any                        # Capture from all interfaces
tcpdump -i eth0                       # Capture from a specific interface (e.g. eth0)
tcpdump -i eth0 -c 10                 # Capture the first 10 packets and exit
tcpdump -D                            # Show available interfaces
tcpdump -i eth0 -A                    # Print packet contents in ASCII
tcpdump -i eth0 -w tcpdump.txt        # Save the capture to a file (binary pcap data, whatever the extension)
tcpdump -r tcpdump.txt                # Read and analyze a saved capture file
tcpdump -n -i eth0                    # Do not resolve host names
tcpdump -nn -i eth0                   # Do not resolve host names or port/service names
tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp   # Capture TCP packets only
tcpdump -i eth0 port 80               # Capture traffic on a given port only
tcpdump host 192.168.1.100            # Capture packets to or from a specific host
tcpdump net 10.1.0.0/16               # Capture packets to or from a subnet (host bits must be zero)
tcpdump src 10.1.1.100                # Capture from a specific source address
tcpdump dst 10.1.1.100                # Capture to a specific destination address
tcpdump port 80                       # Filter traffic based on a port
tcpdump portrange 21-125              # Filter based on a port range
tcpdump ip6                           # Show only IPv6 packets
tcpdump -n src 192.168.1.1 and dst port 21   # Combine filter conditions
tcpdump 'dst 10.1.1.1 or not icmp'    # Either condition may match
tcpdump 'dst 10.1.1.1 and not icmp'   # Negation of a condition
tcpdump less 32                       # Show packets of size less than 32 bytes (len <= 32)
tcpdump greater 32                    # Show packets of size greater than 32 bytes (len >= 32)
```