1. tcpdump用途
抓包
2. tcpdump用法
tcpdump [option] expression
3. option
-n: 进制反向解析,禁用将Ip地址转化为主机名字
大大缩短命令执行时间
-i: tcpdump抓取的网络接口,如果不指定,tcpdump查找系统接口列表,监听数字最小的接口, 不包含loopback
一般指定any, 可以监听所有的接口
-nn: Don’t convert protocol and port numbers etc. to names either
-s: Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes
抓取整个包的 snaplen 字节的数据,而不是默认的65535字节
如果设置为0,则表面采用默认的65535字节
-Z: Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user
更改用户id和groupid
-G If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Save files will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.
如果指定的话, 每rotate_seconds秒切换一下dump file
-w Write the raw packets to file rather than parsing and printing them out.
把raw packet写到文件中,而不是解析打印出来到标准输出
3. expression
- dst host [parm]
- src host [parm]
- host [parm]
- src port [parm]
- dst port [parm]
- port [parm]
- [proto]
tcp, dup, icmp
4. example
tcpdump -i any -nn port 41001 and host 10.13.32.244 and tcp
tcpdump -iany -nn -Z root -G 10 -w ./%Y_%m_%d-%H_%M_%S.cap tcp and port 41001
