Syntax:
tcpdump [options] [Protocol] [Direction] [Host(s)] [Value] [Logical Operations] [Other expression]
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
Direction:
If no source or destination is specified, the "src or dst" keywords are applied (the default is src or dst).
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values (alternative keywords): net, port, host, portrange.
If no host(s) keyword is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
(1) AND: "and" or "&&"
(2) OR: "or" or "||"
(3) EXCEPT: "not" or "!"
Options:
-i any: Listen on all interfaces, just to see whether you are seeing any traffic. (-i specifies the interface.)
-n: Don't resolve hostnames.
-nn: Don't resolve hostnames or port names (ports are not mapped back to service names).
-X: Show the packet's contents in both hex and ASCII.
-XX: Same as -X, but also shows the Ethernet header.
-v, -vv, -vvv: Increase the amount of packet information you get back.
-c #: Capture only # packets and then stop.
-s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S: Print absolute sequence numbers.
-e: Get the Ethernet header as well.
-q: Show less protocol information.
-E: Decrypt IPsec traffic by providing an encryption key.
-A: Display captured packets in ASCII.
-w /path/from/some_file: Write the captured packets to a file.
-r /path/from/some_file: Read packets from a saved file.
-tttt: Print each packet with a readable timestamp.
Example:
Capture all packet information on eth1, and in
tcpdump -i eth1 -nn -XX ip dst host 192.168.2.2 and tcp dst port 3306
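
Added example (not part of the original notes): a Python sketch of what the filter expression in the command above tests in each Ethernet frame, run over four constructed frames. The names build_frame, matches, SAMPLES and demo, and every address other than 192.168.2.2, are assumptions made for illustration. Note that the reply from the server does not match, because both primitives use "dst".

```python
import socket
import struct

def build_frame(src, dst, sport, dport, proto=6):
    """Constructed sample frame: Ethernet + IPv4 (no options) + 20-byte L4 header."""
    eth = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
           + struct.pack("!H", 0x0800))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 0x5002, 8192, 0, 0)
    return eth + ip + l4

def matches(frame, dst_host="192.168.2.2", dst_port=3306):
    """Mirror of: ip dst host 192.168.2.2 and tcp dst port 3306 (Ethernet link)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return False                       # "ip": EtherType must be IPv4
    ip = frame[14:]
    if ip[16:20] != socket.inet_aton(dst_host):
        return False                       # "dst host": destination address only
    if ip[9] != 6:
        return False                       # "tcp": IP protocol number 6
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return False                       # later fragments carry no TCP header
    ihl = (ip[0] & 0x0F) * 4               # IP header length, honours IP options
    if len(ip) < ihl + 4:
        return False
    return struct.unpack("!H", ip[ihl + 2:ihl + 4])[0] == dst_port

# Constructed traffic: request, server reply, UDP to the same port, other host.
SAMPLES = [
    build_frame("192.168.2.10", "192.168.2.2", 50000, 3306),
    build_frame("192.168.2.2", "192.168.2.10", 3306, 50000),
    build_frame("192.168.2.10", "192.168.2.2", 50000, 3306, proto=17),
    build_frame("192.168.2.10", "192.168.2.3", 50000, 3306),
]

def demo():
    return [matches(f) for f in SAMPLES]

if __name__ == "__main__":
    print(demo())
```

To see both directions of the conversation, drop the direction keywords (for example "host 192.168.2.2 and tcp port 3306"), which applies the "src or dst" default described above.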