tcpdump抓包实例

//IP过滤
tcpdump -i eth1 host 192.168.1.1
tcpdump -i eth1 src host 192.168.1.1
tcpdump -i eth1 dst host 192.168.1.1

//端口过滤
tcpdump -i eth1 port 25
tcpdump -i eth1 src port 25
tcpdump -i eth1 dst port 25

//网络过滤
tcpdump -i eth1 net 192.168
tcpdump -i eth1 src net 192.168
tcpdump -i eth1 dst net 192.168

//协议过滤
tcpdump -i eth1 arp
tcpdump -i eth1 ip
tcpdump -i eth1 tcp
tcpdump -i eth1 udp
tcpdump -i eth1 icmp

//抓取tcp并且是80端口,并且目标IP是192.168.1.254或者目标IP是192.168.1.200
tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host
192.168.1.200)))'

//抓取ICMP报并且目标MAC地址是00:01:02:03:04:05
tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

//抓取TCPO包并且网络段是192.168的,并且目标IP不是192.168.1.200
tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'

//只抓SYN包
tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'

//抓取syn不等于0并且ack不等于0的包
tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'

//抓取SMTP包
tcpdump -i eth1 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'

//抓取HTTP GET包, "GET "的十六进制是 47455420
tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'

//抓取ssh返回包,"SSH-"的十六进制是 0x5353482D
tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482D'

//抓取老版本的ssh返回包,SSH-1.99
 tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2]
= 0x312E)'

//抓取DNS包
tcpdump -i eth1 udp dst port 53

//抓取8000端口的GET包,写入日志
tcpdump -i eth0 '((port 8000) and (tcp[(tcp[12]>>2):4]=0x47455420))' -nnAl -w /tmp/GET.log