Tcpdump

TcpDump可以将网络中传送的数据包完全截获下来提供分析。它支持针对网络层、协议、主机、网络或端口的过滤，并提供and、or、not等逻辑语句来帮助你去掉无用的信息。

man tcpdump
================================================================

tcpdump基本用法
# tcpdump -i eth0 -nnv
# tcpdump -i eth0 -nnv -c 100
# tcpdump -i eth0 -nnv -w /file1.tcpdump
# tcpdump -i eth0 -nnv -r /file1.tcpdump

条件：port , host , net
# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv port 22
# tcpdump -i eth0 -nnv port 80
# tcpdump -i eth0 -nnv net 192.168.0.0/24
# tcpdump -i eth0 -nnv host 192.168.0.15
# tcpdump -i eth0 -nnv dst port 22
# tcpdump -i eth0 -nnv src port 22

协议作为条件：
# tcpdump -i eth0 -nnv arp
# tcpdump -i eth0 -nnv icmp
# tcpdump -i eth0 -nnv udp
# tcpdump -i eth0 -nnv tcp
# tcpdump -i eth0 -nnv ip

# tcpdump -i eth0 -nnv vrrp

多个条件： 与关系 或关系 非关系
and or not
# tcpdump -i eth0 -nnv not net 192.168.0.0/24
# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv host 192.168.0.15 and port 22
# tcpdump -i eth0 -nnv host 192.168.0.15 and host 192.168.0.33
# tcpdump -i eth0 -nnv host 192.168.0.15 or host 192.168.0.33
# tcpdump -i eth0 -nnv 'host 192.168.0.15 and port 22' or 'host 192.168.0.33 and port 80'

# tcpdump -i eth0 -nnv host 192.168.0.110 and port 22 or port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and \( port 22 or port 80\)

# tcpdump -i eth0 -nnv host 192.168.0.110 and port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and ! port 80


条件是：TCP仅有SYN标记的
# man tcpdump
# tcpdump -i eth0 -nnv tcp[13]==2

|C|E|U|A|P|R|S|F|
|--------------- |
|0 0 0 0 0 0 1 0 |
|--------------- |
|7 6 5 4 3 2 1 0|
# tcpdump -i eth0 -nnv tcp[13]==2 and port 22 -w ssh-conn.tcpdump

条件是：TCP仅有SYN/ACK标记的
# tcpdump -i eth0 -nnv tcp[13]==18

|C|E|U|A|P|R|S|F|
|--------------- |
|0 0 0 1 0 0 1 0 |
|--------------- |
|7 6 5 4 3 2 1 0|

# tcpdump -i eth0 -nnv tcp[13]==17