Today I googled my way to a tcpdump usage bible, a tutorial that goes from beginner to advanced, with plenty of examples
http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt
It covers:
capturing TCP in its various states (syn, ack, fin, reset), the HTTP protocol (get, put), and mail protocols too. Worth bookmarking.
Transcribed below:
1. Source sends SYN
2. Destination answers with SYN, ACK
3. Source sends ACK
- If we want to match packets with only the SYN flag set, the 14th byte would have a binary value of 00000010 which equals 2 in decimal.
# tcpdump -i eth1 'tcp[13] = 2'
- Matching SYN, ACK (00010010 or 18 in decimal)
# tcpdump -i eth1 'tcp[13] = 18'
- Matching either SYN only or SYN-ACK datagrams
# tcpdump -i eth1 'tcp[13] & 2 = 2'
- Matching PSH-ACK packets
# tcpdump -i eth1 'tcp[13] = 24'
- Matching any combination containing FIN (FIN usually always comes with an ACK so we either need to use a mask or match the combination ACK-FIN)
# tcpdump -i eth1 'tcp[13] & 1 = 1'
- Matching RST flag
# tcpdump -i eth1 'tcp[13] & 4 = 4'
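To check the byte-offset arithmetic behind these filters without a live interface, here is an added Python example (my own, not from the tutorial linked above). It packs a minimal 20-byte TCP header, reads the flag byte at offset 13 exactly as tcpdump's tcp[13] does, and evaluates each of the six filter expressions above against the three handshake packets plus PSH-ACK, FIN-ACK and RST-ACK. The port numbers, sequence numbers and the decode_flags helper are constructed for the example.

```python
import struct

# Flag bit values in the 14th TCP header byte (tcp[13] with tcpdump's 0-based offsets).
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
FIN, SYN, RST, PSH, ACK, URG = (bit for _, bit in FLAG_BITS)


def build_tcp_header(src_port, dst_port, flags, seq=0, ack_num=0, window=65535):
    """Build a minimal TCP header with no options (constructed sample, 20 bytes).

    Layout: src(2) dst(2) seq(4) ack(4) data-offset/reserved(1) flags(1)
            window(2) checksum(2) urgent-pointer(2)
    """
    data_offset_words = 5              # 5 x 32-bit words = 20 bytes, no options
    offset_reserved = data_offset_words << 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack_num,
                       offset_reserved, flags, window, 0, 0)


def flags_byte(tcp_header):
    """Return the byte tcpdump's 'tcp[13]' reads: the 14th byte of the TCP header."""
    return tcp_header[13]


def decode_flags(byte_value):
    """Translate a flag byte into names, e.g. 0x12 -> ['SYN', 'ACK'] (hypothetical helper)."""
    return [name for name, bit in FLAG_BITS if byte_value & bit]


# The six tutorial filters, as predicates on the flag byte. '=' tests the whole byte;
# '& mask = mask' tests only the masked bits, so other flags may be set as well.
FILTERS = {
    "tcp[13] = 2":     lambda b: b == 2,        # SYN only
    "tcp[13] = 18":    lambda b: b == 18,       # SYN-ACK exactly
    "tcp[13] & 2 = 2": lambda b: b & 2 == 2,    # any packet with SYN set
    "tcp[13] = 24":    lambda b: b == 24,       # PSH-ACK exactly
    "tcp[13] & 1 = 1": lambda b: b & 1 == 1,    # any packet with FIN set
    "tcp[13] & 4 = 4": lambda b: b & 4 == 4,    # any packet with RST set
}


def matching_filters(tcp_header):
    """Return the filter expressions that would select this header, in tutorial order."""
    b = flags_byte(tcp_header)
    return [expr for expr, pred in FILTERS.items() if pred(b)]


if __name__ == "__main__":
    # Constructed samples: the three-way handshake from the tutorial, then data and teardown.
    samples = [
        ("1. source SYN",        build_tcp_header(40000, 80, SYN, seq=1000)),
        ("2. destination SYN-ACK", build_tcp_header(80, 40000, SYN | ACK, seq=5000, ack_num=1001)),
        ("3. source ACK",        build_tcp_header(40000, 80, ACK, seq=1001, ack_num=5001)),
        ("data PSH-ACK",         build_tcp_header(40000, 80, PSH | ACK)),
        ("teardown FIN-ACK",     build_tcp_header(40000, 80, FIN | ACK)),
        ("abort RST-ACK",        build_tcp_header(80, 40000, RST | ACK)),
    ]
    for label, hdr in samples:
        b = flags_byte(hdr)
        print(f"{label:24s} tcp[13]={b:3d} ({b:08b}) {decode_flags(b)} "
              f"matches: {matching_filters(hdr) or ['none']}")
```

Running it shows the difference the mask makes: the plain ACK of step 3 matches none of the six filters, while the SYN-ACK of step 2 matches both the exact test `tcp[13] = 18` and the masked test `tcp[13] & 2 = 2`, which is why the masked form is the one to use when counting all SYN traffic.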