tcpdump examples
1. Capture packets to or from 192.168.5.1 (an unqualified host matches either direction, which is why the ARP requests for that address show up)
tcpdump -i eth0 -vnn host 192.168.5.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:36:24.160956 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.1 tell 192.168.5.2, length 46
11:36:30.217699 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.1 tell 192.168.5.224, length 46
2. Capture packets to or from the 192.168.5.0/24 network
tcpdump -i eth0 -vnn net 192.168.5.0/24
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:35.841606 IP (tos 0x0, ttl 64, id 64005, offset 0, flags [DF], proto TCP (6), length 86)
3. Capture packets with port 22 as source or destination
tcpdump -i eth0 -vnn port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:38:54.606955 IP (tos 0x10, ttl 64, id 22286, offset 0, flags [DF], proto TCP (6), length 156)
192.168.5.222.22 > 192.168.5.44.53888: Flags [P.], cksum 0x8ce9 (incorrect -> 0xaa25), seq 3416103818:3416103934, ack 2794641981, win 255, length 116
4. Capture UDP packets
tcpdump -i eth0 -vnn udp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:39:46.000102 IP (tos 0x0, ttl 255, id 17285, offset 0, flags [none], proto UDP (17), length 44)
192.168.6.251.21003 > 255.255.255.255.1234: UDP, length 16
Source: "tcpdump command parameters explained", 心静梵音's tech blog on 51CTO
Updated: 2021-9-17
5. Capture ICMP packets
tcpdump -i eth0 -vnn icmp
6. Capture ARP packets
tcpdump -i eth0 -vnn arp
7. Capture IP packets
tcpdump -i eth0 -vnn ip
8. Capture packets whose source IP is 10.10.10.122
tcpdump -i eth0 -vnn src host 10.10.10.122
9. Capture packets whose destination IP is 10.10.10.122
tcpdump -i eth0 -vnn dst host 10.10.10.122
10. Capture packets whose source port is 22
tcpdump -i eth0 -vnn src port 22
11. Capture packets whose source IP is 10.10.10.253 and whose destination port is 22
tcpdump -i eth0 -vnn src host 10.10.10.253 and dst port 22
12. Capture packets whose source IP is 10.10.10.122, or that have port 22 as source or destination
tcpdump -i eth0 -vnn src host 10.10.10.122 or port 22
13. Capture packets whose source IP is 10.10.10.122 and that do not use port 22 in either direction
tcpdump -i eth0 -vnn src host 10.10.10.122 and not port 22
14. Capture packets with source IP 10.10.10.2 and destination port 22, or with source IP 10.10.10.65 and destination port 80. The parentheses must be quoted, otherwise the shell interprets them and the command fails before tcpdump runs:
tcpdump -i eth0 -vnn '( src host 10.10.10.2 and dst port 22 ) or ( src host 10.10.10.65 and dst port 80 )'
15. Capture packets with source IP 10.10.10.59 and destination port 22, or with source IP 10.10.10.68 and destination port 80. tcpdump joins all remaining arguments into one expression, so splitting it across several quoted strings works, and because and binds tighter than or no parentheses are needed here:
tcpdump -i eth0 -vnn 'src host 10.10.10.59 and dst port 22' or ' src host 10.10.10.68 and dst port 80 '
16. Write the captured packets to the file /tmp/fil1 and exit after 100 packets have been captured.
tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100
17. Read the TCP packets back from the /tmp/fil1 capture file (with -r the interface option is ignored, so -i is dropped here)
tcpdump -vnn -r /tmp/fil1 tcp
18. Read the packets to or from 10.10.10.58 back from the /tmp/fil1 capture file
tcpdump -vnn -r /tmp/fil1 host 10.10.10.58
19. To capture port 80 traffic on VLAN 1, the command format is as follows. The vlan keyword must come first in the expression: it shifts the decoding offsets for everything after it, so port 80 is only tested at the right position inside a tagged frame when it follows vlan 1. Options go before the expression and the expression is quoted:
tcpdump -i eth0 -w /tmp/vlan.cap 'vlan 1 and port 80'
20. To capture port 80 traffic on eth0 in the background, the command format is as follows (options before the filter expression):
nohup tcpdump -i eth0 -w /tmp/temp.cap port 80 &
21. tcpdump output for ARP packets
tcpdump -nvv arp
22. Use tcpdump to capture the packets exchanged with host 192.168.43.23 or host 192.168.43.24 (here additionally limited to those involving host 172.16.70.35) and print them on the console. The parenthesised expression must be quoted so the shell does not interpret it:
tcpdump -X -s 1024 -i eth0 'host (192.168.43.23 or 192.168.43.24) and host 172.16.70.35'
23. Handy commands
tcpdump -i eth0 -nn 'dst host 172.100.6.231'
tcpdump -i eth0 -nn 'src host 172.100.6.12'
tcpdump -i eth0 -nnA 'port 80'
tcpdump -i eth0 -XnnA 'port 22'
tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.231'
tcpdump -i eth0 -nnA '!port 22' and 'src host 172.100.6.230'
tcpdump -i eth0 -nnA '!port 22'
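Items 1 to 15 and the handy commands above are built from the same few pcap-filter primitives, and the one-line headings leave some of their semantics implicit: an unqualified host or port matches either direction, and binds tighter than or, and host 192.168.5.1 also selects ARP requests, as the output of item 1 shows. The following program is an added example, not part of the original post and not tcpdump code: it parses tcpdump -nn flow lines into records and evaluates filter expressions over them with a small recursive-descent parser for a subset of the pcap-filter grammar (host, net, port, src/dst qualifiers, tcp/udp/icmp/arp/ip, and/or/not, parentheses, plus the ! and &&/|| spellings). The first two sample flow lines are abridged from the post's own output; the remaining sample packets are constructed for this example.

```python
import ipaddress
import re

IP_PROTOS = {"tcp", "udp", "icmp"}
# One `tcpdump -nn` flow line: "SRC.SPORT > DST.DPORT: TAG ..." (IPv4 only)
FLOW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")
# Filter tokens: parentheses and "!" stand alone, everything else splits on whitespace
TOKEN_RE = re.compile(r"\(|\)|!|[^\s()!]+")

def parse_flow(line):
    """Turn a tcpdump flow line into a packet dict (None if the line is not one)."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, tag = m.groups()
    proto = "tcp" if tag.startswith("Flags") else tag.rstrip(",").lower()  # TCP prints as "Flags [..]"
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto}

def field_pred(kind, direction, value):
    """host/net/port with an optional src/dst qualifier; unqualified matches either direction."""
    if kind == "port":
        want = int(value)
        test, fields = (lambda v: v == want), ("sport", "dport")
    else:  # `host X` behaves like `net X/32`
        net = ipaddress.ip_network(value, strict=False)
        test, fields = (lambda v: ipaddress.ip_address(v) in net), ("src", "dst")
    keys = {"src": fields[:1], "dst": fields[1:], "both": fields}[direction]
    return lambda p: any(p[k] is not None and test(p[k]) for k in keys)

class FilterParser:
    """BPF subset: expr = term ('or' term)*; term = factor ('and' factor)*; factor = 'not' factor | '(' expr ')' | primitive."""
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return self.toks[self.pos - 1]

    def expr(self):
        left = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self.factor())
        return left

    def factor(self):
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in IP_PROTOS or tok in ("ip", "arp"):  # `ip` covers every IPv4 transport
            return lambda p, name=tok: p["proto"] in (IP_PROTOS if name == "ip" else {name})
        direction = "both"
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok not in ("host", "net", "port"):
            raise ValueError(f"unsupported primitive {tok!r}")
        return field_pred(tok, direction, self.take())

def matches(expr, packets):
    """Return the packets a filter expression selects; rejects trailing junk."""
    parser = FilterParser(expr)
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [p for p in packets if pred(p)]

# Sample traffic: first two flow lines abridged from the post's own output, two constructed.
SAMPLE_LINES = [
    "192.168.5.222.22 > 192.168.5.44.53888: Flags [P.], seq 3416103818:3416103934, ack 2794641981, win 255, length 116",
    "192.168.6.251.21003 > 255.255.255.255.1234: UDP, length 16",
    "10.10.10.122.40000 > 10.10.10.253.22: Flags [S], seq 1, win 64240, length 0",
    "10.10.10.122.40001 > 10.10.10.253.80: Flags [S], seq 1, win 64240, length 0",
]
PACKETS = [parse_flow(line) for line in SAMPLE_LINES] + [
    # ARP request from the post's first example: the "tell" address is src, the "who-has" address is dst, no ports
    {"src": "192.168.5.2", "sport": None, "dst": "192.168.5.1", "dport": None, "proto": "arp"},
]
```

Calling matches("port 22", PACKETS) returns both the SSH flow from item 3 (source port 22) and the constructed connection to destination port 22, while matches("dst port 22", PACKETS) returns only the latter; matches("src host 10.10.10.122 and dst port 80 or udp", PACKETS) and the same expression with parentheses around the or-group give different answers, which is the precedence point behind items 14 and 15. This is a model of the matching rules, not of the kernel's byte-level filter, so it is a way to reason about an expression before running it on a busy interface.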
Referenced from: https://blog.51cto.com/masters/1870141