How to use tcpdump to capture network packets under CentOS

This CentOS tutorial column explains how to use tcpdump to capture network packets under CentOS.


tcpdump is a tool for intercepting and analyzing network packets on Linux. It is a valuable reference when optimizing system performance.


tcpdump is not installed by default. Install under CentOS:

yum install tcpdump

Install under Ubuntu:

apt-get install tcpdump

Start by default

Normally, starting tcpdump with no arguments monitors all packets passing through the first network interface.

Monitor the packets of a specified network interface (check the interface name first)

tcpdump -i eth1

If no interface is given, tcpdump monitors only the first network interface, usually eth0. The following examples do not specify an interface.

Monitor the data packets of the specified host

Print all the data packets entering or leaving sundown.

tcpdump host sundown

You can also give an IP address instead of a hostname, for example to capture all packets received and sent by the host

tcpdump host

Print the data packets communicated between helios and hot or with ace

tcpdump host helios and \( hot or ace \)

Capture the communication between one host and either of two other hosts

tcpdump host and \( or \)

Print the IP packets communicated between ace and any other host, but not including the packets with helios.

tcpdump ip host ace and not helios

To capture the IP packets exchanged between one host and all hosts except a second one, use the command:

tcpdump ip host and !

Intercept all data sent by host hostname

tcpdump -i eth0 src host hostname

Monitor all data packets sent to host hostname

tcpdump -i eth0 dst host hostname

Monitor the data packets of the specified host and port

To capture the telnet packets received or sent by the host, use the following command

tcpdump tcp port 23 and host

Monitor UDP port 123 on the local machine (123 is the NTP service port)

tcpdump udp port 123

Monitor the packets of the specified network

Print all packets exchanged between the local host and hosts on the Berkeley network (nt: ucb-ether here can be understood as the network address of the 'Berkeley network'; the most literal reading of this expression is: print all packets whose network address is ucb-ether)

tcpdump net ucb-ether

Print all ftp packets that pass through the gateway snup (Note that the expression is enclosed in single quotes, which prevents the shell from misparsing the parentheses)

tcpdump 'gateway snup and (port ftp or ftp-data)'

Print all IP packets whose source or destination address is the local host

(If the local network is connected to another network through a gateway, that other network is not counted as the local network. (nt: the translation of this sentence is confusing and needs to be supplemented.) When localnet is actually used, it must be replaced with the name of the local network.)

tcpdump ip and not net localnet

Monitor the packets of the specified protocol

Print the start and end packets of TCP sessions (SYN and FIN) whose source or destination is not a host on the local network. (nt: localnet must be replaced with the name of the local network in actual use.)

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Print all packets whose source or destination port is 80, whose network-layer protocol is IPv4, and which carry data, excluding segments such as SYN, FIN and ACK-only that carry no data. (The IPv6 version of the expression is left as an exercise.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

(nt: ip[2:2] is the total length of the IP packet. (ip[0]&0xf)<<2 is the length of the IP header: ip[0]&0xf is the IHL field, whose unit is 32-bit words, so converting to bytes means multiplying by 4, that is, shifting left by 2. (tcp[12]&0xf0)>>4 is the TCP header length (data offset); this field is also in 32-bit words, so converting to bytes is ((tcp[12]&0xf0)>>4)<<2, that is, (tcp[12]&0xf0)>>2. ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0 therefore means: the total IP length minus the IP header length minus the TCP header length is not 0, which means the IP packet really carries data. For the IPv6 version, only the difference between the 'Payload Length' in the IPv6 header and the TCP header length needs to be considered, and 'ip[...]' must be replaced with 'ip6[...]'.)

Print IP packets whose length exceeds 576 bytes, and whose gateway address is snup

tcpdump 'gateway snup and ip[2:2] > 576'

Print all IP-layer broadcast or multicast packets that are not Ethernet-layer broadcast or multicast frames

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

Print ICMP packets other than the 'echo request' and 'echo reply' types (for example, use this expression when you want to print all packets not generated by ping).
(nt: 'echo request' and 'echo reply' ICMP packets are usually generated by the ping program.)

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump and wireshark

Wireshark (formerly Ethereal) is a very simple and easy-to-use packet capture tool on Windows, but it is hard to find an equally usable graphical capture tool on Linux.
Fortunately there is tcpdump. Combining tcpdump and Wireshark gives the best of both: capture packets on Linux, then analyze them on Windows.

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net -w ./target.cap

(1) tcp: protocol qualifiers such as ip, icmp, arp, rarp, tcp and udp go in the first argument position; they filter on the packet type
(2) -i eth1: capture only packets passing through interface eth1
(3) -t: do not print timestamps
(4) -s 0: by default only the first 68 bytes of each packet are captured; with -s 0 the complete packet is captured
(5) -c 100: capture only 100 packets
(6) dst port ! 22: do not capture packets whose destination port is 22
(7) src net : the packet's source network address is 192.168.1.0/24
(8) -w ./target.cap: save to a cap file for convenient analysis with Ethereal (i.e. Wireshark)


tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'

0x4745 is "GE", the first two letters of "GET"; 0x4854 is "HT", the first two letters of "HTTP".
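To make the byte-offset arithmetic concrete, here is an added example (not code from the tutorial) that evaluates the same tests as the port-80 data filter and the tcp[20:2] GET/HTTP match above on a constructed Ethernet/IPv4/TCP frame. The helpers ether(), ip() and tcp() mirror tcpdump's ether[off:n], ip[off:n] and tcp[off:n] indexing, with tcp[] located from the IHL field just as tcpdump does; the frame builder, MAC and IP addresses are made-up test data. It also shows the caveat of the tcp[20:2] shortcut: when the TCP header carries options, offset 20 lands inside the options rather than the payload, so the match misses a request that the length-based filter still catches.

```python
"""Evaluate tcpdump-style byte-offset filter tests against a raw frame.

Added example, not code from the tutorial: the helpers mirror tcpdump's
ether[off:n], ip[off:n] and tcp[off:n] indexing so the arithmetic in the
filters above can be checked on a constructed packet without a live capture.
The frames built here are constructed test data, not real traffic.
"""
import struct

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)


def build_frame(payload: bytes, tcp_options: bytes = b"",
                dst_mac: bytes = b"\x00\x11\x22\x33\x44\x55",
                dst_ip: bytes = bytes([192, 0, 2, 80])) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (no checksums; test data only)."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    tcp_hdr_len = 20 + len(tcp_options)
    data_offset = (tcp_hdr_len // 4) << 4          # upper nibble of tcp[12]
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                          data_offset, 0x18, 65535, 0, 0)  # flags PSH|ACK
    tcp_seg = tcp_hdr + tcp_options + payload
    total_len = 20 + len(tcp_seg)                  # this becomes ip[2:2]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0,
                         64, 6, 0, bytes([192, 0, 2, 10]), dst_ip)
    eth_hdr = dst_mac + b"\x00\x11\x22\x33\x44\x66" + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_seg


def ether(frame: bytes, off: int, n: int = 1) -> int:
    """ether[off:n]: bytes counted from the start of the Ethernet header."""
    return int.from_bytes(frame[off:off + n], "big")


def ip(frame: bytes, off: int, n: int = 1) -> int:
    """ip[off:n]: bytes counted from the start of the IPv4 header."""
    base = ETH_HDR_LEN
    return int.from_bytes(frame[base + off:base + off + n], "big")


def tcp(frame: bytes, off: int, n: int = 1) -> int:
    """tcp[off:n]: bytes counted from the start of the TCP header, which is
    found from the IHL field (ip[0]&0xf, in 32-bit words) as tcpdump does."""
    base = ETH_HDR_LEN + ((ip(frame, 0) & 0xF) << 2)
    return int.from_bytes(frame[base + off:base + off + n], "big")


def tcp_payload_len(frame: bytes) -> int:
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): total IP length
    minus IP header length minus TCP header length, all in bytes."""
    ip_total = ip(frame, 2, 2)
    ip_hdr = (ip(frame, 0) & 0xF) << 2      # IHL words -> bytes (*4)
    tcp_hdr = (tcp(frame, 12) & 0xF0) >> 2  # data-offset words -> bytes (*4)
    return ip_total - ip_hdr - tcp_hdr


def has_tcp_data(frame: bytes) -> bool:
    """The port-80 filter above: only segments that actually carry data."""
    return tcp_payload_len(frame) != 0


def ip_multicast_without_ether_multicast(frame: bytes) -> bool:
    """'ether[0] & 1 = 0 and ip[16] >= 224': the low bit of the first MAC
    byte is the Ethernet group bit; ip[16] is the first destination-IP byte."""
    return (ether(frame, 0) & 1) == 0 and ip(frame, 16) >= 224


def http_marker_at_tcp_20(frame: bytes) -> bool:
    """tcp[20:2]=0x4745 or tcp[20:2]=0x4854 ("GE"/"HT"). Offset 20 is the
    first payload byte only when the TCP header carries no options."""
    return tcp(frame, 20, 2) in (0x4745, 0x4854)


if __name__ == "__main__":
    req = build_frame(b"GET / HTTP/1.0\r\n\r\n")
    print(tcp_payload_len(req), has_tcp_data(req), http_marker_at_tcp_20(req))
    # Same request behind 4 bytes of TCP options: the data is still counted,
    # but tcp[20:2] now reads the options, so the GET/HTTP shortcut misses it.
    opt = build_frame(b"GET / HTTP/1.0\r\n\r\n", tcp_options=b"\x01\x01\x01\x01")
    print(tcp_payload_len(opt), has_tcp_data(opt), http_marker_at_tcp_20(opt))
```

The length-based test is the robust one: it depends only on header fields, so it classifies the segment correctly whether or not options are present, which is why the tutorial's port-80 filter is preferred over matching literal bytes at a fixed offset.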

tcpdump does not fully decode the captured data; most of a packet's contents are printed directly in hexadecimal. This is obviously inconvenient for diagnosing network faults, so the usual approach is to first capture with tcpdump -w and save the data to a file, then decode and analyze it with another program (such as Wireshark). Filter rules should of course also be defined so that the captured packets do not fill the entire disk.

1. Capture packets on the loopback interface: tcpdump -i lo

2. Prevent packet truncation: tcpdump -s0

3. Show hosts and ports numerically: tcpdump -n

The first kind is the type keywords, mainly host, net and port. For example, host indicates a single host, net indicates a network address, and port 23 indicates port number 23. If no type is specified, the default type is host.

The second kind is the keywords that determine the transfer direction, mainly src, dst, dst or src, and dst and src. For example, src indicates that the source address in the IP packet is 210.27.48.2, and dst net indicates that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind is the protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; it is actually an alias for "ether", and fddi and ether have similar source and destination addresses, so fddi packets can be handled and analyzed as ether packets. The other keywords name the protocol of the packets to be captured. If no protocol is specified, tcpdump captures packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater. There are also three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions to meet almost any need; the following are a few examples.


# tcpdump 
tcpdump: listening on fxp0
11:58:47.873028 > udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
                       0000 0000 0080 0000 1007 cf08 0900 0000
                       0e80 0000 902b 4695 0980 8701 0014 0002
                       000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
                       ffff 0060 0004 ffff ffff ffff ffff ffff
                       0452 ffff ffff 0000 e85b 6d85 4008 0002
                       0640 4d41 5354 4552 5f57 4542 0000 0000
                       0000 00

