In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why.

See the list of interfaces on which tcpdump can listen:

  1. tcpdump -D

Listen on interface eth0:

  1. tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

  1. tcpdump -i any

Be verbose while capturing packets:

  1. tcpdump -v

Be more verbose while capturing packets:

  1. tcpdump -vv

Be very verbose while capturing packets:

  1. tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

  1. tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

  1. tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

  1. tcpdump -q

Limit the capture to 100 packets:

  1. tcpdump -c 100

Record the packet capture to a file called capture.cap:

  1. tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

  1. tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

  1. tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

  1. tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

  1. tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

  1. tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

  1. tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

  1. tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

  1. tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

  1. tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

  1. tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

  1. tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

  1. tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

  1. tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

  1. tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

  1. tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

  1. tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

  1. tcpdump -v icmp

Capture any ARP packets:

  1. tcpdump -v arp

Capture either ICMP or ARP packets:

  1. tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

  1. tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

  1. tcpdump -s 500

Capture all bytes of data within the packet:

  1. tcpdump -s 0
  2.  
  3. http://www.rationallyparanoid.com/articles/tcpdump.html

======================================================================

tcpdump 的抓包保存到文件的命令参数是-w xxx.cap
 
抓eth1的包 
tcpdump -i eth1 -w /tmp/xxx.cap 
 
抓 192.168.1.123的包 
tcpdump -i eth1 host 192.168.1.123 -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口的包 
tcpdump -i eth1 host 192.168.1.123 and port 80 -w /tmp/xxx.cap 
 
抓192.168.1.123的icmp的包 
tcpdump -i eth1 host 192.168.1.123 and icmp -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口和110和25以外的其他端口的包 
tcpdump -i eth1 host 192.168.1.123 and ! port 80 and ! port 25 and ! port 110 -w /tmp/xxx.cap 
 
抓vlan 1的包 
tcpdump -i eth1 port 80 and vlan 1 -w /tmp/xxx.cap 
 
抓pppoe的密码 
tcpdump -i eth1 pppoes -w /tmp/xxx.cap 
 
 
以100m大小分割保存文件, 超过100m另开一个文件 -C 100m 
 
抓10000个包后退出 -c 10000 
 
后台抓包, 控制台退出也不会影响: 
nohup tcpdump -i eth1 port 110 -w /tmp/xxx.cap & 
 
抓下来的文件可以直接用ethereal 或者wireshark打开。
 
http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/
========================================================================================================

linux下使用tcpdump抓包数据不完整问题解决方法

 linux下使用tcpdump抓包数据长度显示不全的问题,如图1所示,实际数据长度应该是76但只抓到了24字节的数据:
 
 
 
 
这是因为tcpdump命令默认捕获包总长度是96字节,如图所示,我们只要在抓包命令里加一个参数-s0即可捕获完整数据的数据包
 
 
 
命令:tmpdump -s0 -i any port 6024 -w /tmp/a.pcap
-s0, 表示取消抓包长度限制
-i any, 表示在所有网卡设备上抓包,也可单独指定某个网卡,如-i eth0
port 6024, 表示在哪个端口上抓包
-w /tmp/a.pcap, 表示抓包文件存储路径
  1. http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/

Tcpdump usage examples的更多相关文章

  1. TCPDUMP Command Examples

    tcpdump command is also called as packet analyzer. tcpdump command will work on most flavors of unix ...

  2. Linux基础:用tcpdump抓包

    简介 网络数据包截获分析工具.支持针对网络层.协议.主机.网络或端口的过滤.并提供and.or.not等逻辑语句帮助去除无用的信息. tcpdump - dump traffic on a netwo ...

  3. Tcpdump使用常用9实例

    以下将给出9个使用tcpdump的例子,以说明tcpdump的具体使用方法. 1.针对特定网口抓包(-i选项) 当我们不加任何选项执行tcpdump时,tcpdump将抓取通过所有网口的包:使用-i选 ...

  4. 9个tcpdump使用实例

    tcpdump能帮助我们捕捉并保存网络包,保存下来的网络包可用于分析网络负载情况,包可通过tcpdump命令解析,也可以保存成后缀为pcap的文件,使用wireshark等软件进行查看. 以下将给出9 ...

  5. http://blog.csdn.net/zgl07/article/details/43491399

    转载申明:本文转载自http://www.brendangregg.com/perf.html   请大家看了之后如果要转载一定要注上这个地址!!! ========================= ...

  6. 18 Command Line Tools to Monitor Linux Performance

    By Ravi Saive Under: Linux Commands, Monitoring Tools On: December 26, 2013 http://www.tecmint.com/c ...

  7. man 手册--nc

    man 手册--nc NCAT(1) Ncat Reference Guide NCAT(1) NAME ncat - Concatenate and redirect sockets SYNOPSI ...

  8. Man手册--nmap

    目录 nmap使用手册 附录: nmap使用手册 附录: NMAP(1) Nmap Reference Guide NMAP(1) NAME nmap - Network exploration to ...

  9. Java多线程系列--“JUC锁”03之 公平锁(一)

    概要 本章对“公平锁”的获取锁机制进行介绍(本文的公平锁指的是互斥锁的公平锁),内容包括:基本概念ReentrantLock数据结构参考代码获取公平锁(基于JDK1.7.0_40)一. tryAcqu ...

随机推荐

  1. gym 100589A queries on the Tree 树状数组 + 分块

    题目传送门 题目大意: 给定一颗根节点为1的树,有两种操作,第一种操作是将与根节点距离为L的节点权值全部加上val,第二个操作是查询以x为根节点的子树的权重. 思路: 思考后发现,以dfs序建立树状数 ...

  2. POJ - 3764 01字典树+前缀异或和

    异或关于前缀的特性:[u,v]=[1,u]^[1,v] 注意是路径,假设1为根,prexor[1]不保留数值 /*H E A D*/ int to[maxn<<1],nxt[maxn< ...

  3. 文本编辑器 未完成 Treap

    #include<bits/stdc++.h> using namespace std; const int maxn = 2e6+1e5; unsigned int SEED = 17; ...

  4. .net core EF Cde First

    注意事项记录: public class StudentsModel { /// <summary> /// 一定需要id /// 一般用model名称+id作为表主键 /// 或者直接用 ...

  5. [jQuery] 在线引用地址

    百度静态资源公共库: http://libs.baidu.com/jquery/1.9.1/jquery.js jQuery网站: http://code.jquery.com/jquery-1.9. ...

  6. 转 Oracle]如何在Oracle中设置Event

    https://www.cnblogs.com/gaojian/p/7619960.html 为了调查Oracle 的故障,可以通过设置event ,来了解详细的状况.方法如下: ■ 如果使用 SPF ...

  7. SpringCloud---服务治理---Spring Cloud Eureka

    1.概述 1.1 Spring Cloud Eureka是Spring Cloud Netflix微服务套件中的一部分,基于Netflix Eureka做了二次封装,主要负责完成微服务架构中的服务治理 ...

  8. D. Match & Catch 后缀自动机 || 广义后缀自动机

    http://codeforces.com/contest/427/problem/D 题目是找出两个串的最短公共子串,并且在两个串中出现的次数只能是1次. 正解好像是dp啥的,但是用sam可以方便很 ...

  9. 02-使用注解配置spring

    1 准备工作 1.导包 4+2+spring-aop[新版本需要导入 spring-aop 包] 2.为主配置文件引入新的命名空间(约束) [context] 3.开启使用注解代理配置文件 4.在类中 ...

  10. Spring Security怎样不让默认的ProviderManager清除密码等信息

    <authentication-manager erase-credentials="false"> ... </authentication-manager&g ...