I. Background
There are far too many Linux commands to memorize them all, so you need to be comfortable with --help and man.
Reading the help text is how you learn to use a command.
The man (manual) command gives a detailed description and the usage of each Linux command.
II. Basic format and usage of commands
Basic format: command [options] [arguments]
Command (command): required; an executable program invoked from the shell to operate on files and other objects. Commands are either internal or external:
- Internal (builtin) commands: provided by the shell itself and invoked like any other command (for example cd and export in bash)
- External commands: a separate executable file found in one of the directories on the current PATH
Options (options): optional; switch specific features of the command on or off
- Short options: a single dash and one letter, e.g. -l, -h; short options can be combined: -lh
- Long options: two dashes and a word, e.g. --all, --human-readable
Arguments (arguments): optional; the objects the command acts on, such as text files, directories, users and so on
III. Notes on typing commands
1. The command, options and arguments are separated by spaces; however many spaces you type, the shell treats them as a single separator. The space is therefore an important special character.
2. Pressing [Enter] executes the command immediately; [Enter] marks the end of the line and is what starts it running.
3. [Tab] provides command completion and filename completion; pressing Tab twice while typing a command lists the possible completions.
4. [Ctrl]-c: force-stop the running program (it sends SIGINT to the foreground process).
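As an added example (this is not code from the original notes), here is a small POSIX shell parser for the command [options] [arguments] layout just described. parse_args is a hypothetical name and the -l / -h options are borrowed from ls purely as labels. It shows that a combined short option (-lh) is parsed exactly like -l -h, and that "--" ends option parsing, which is how you hand a program an argument that begins with "-" without it being read as an option.

```sh
#!/bin/sh
# Added example, not code from the original notes: a getopts-based parser
# for the "command [options] [arguments]" layout. parse_args is a
# hypothetical name, and -l / -h are borrowed from ls purely as labels.
# It demonstrates that combined short options (-lh) parse exactly like
# -l -h, and that "--" ends option parsing, which is how you pass an
# argument that begins with "-" (a file literally named "-rf", say)
# without it being read as an option.

parse_args() {
    long=0
    human=0
    OPTIND=1                        # reset so the function can be called more than once
    while getopts "lh" opt; do
        case "$opt" in
            l) long=1 ;;
            h) human=1 ;;
            *) echo "usage: parse_args [-l] [-h] [--] [argument...]" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))           # discard the parsed options; whatever is left are arguments
    printf 'long=%s human=%s args=%s\n' "$long" "$human" "$*"
}

# Demo with constructed arguments:
parse_args -lh a b      # long=1 human=1 args=a b
parse_args -l -h a b    # long=1 human=1 args=a b
parse_args -- -lh       # long=0 human=0 args=-lh
```

The last call is the practitioner's caveat: a file or user name that starts with a dash is an option as far as the parser is concerned, so real tools are run as rm -- -rf or useradd -- -name; most GNU and BSD utilities honour "--", and a tool's --help output is the quickest way to confirm it does.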
IV. The man command
1. Introduction
man <command> opens the manual page for a command, for example man tcpflow. Manual pages are grouped into numbered sections (1 for user commands, 7 for miscellaneous pages such as pcap-filter(7)), and man <section> <name> opens a page from a particular section, as used in part 3 below.
2. Structure of the output
Type: man tcpflow
The output (reproduced further below) has these main parts:
- NAME: the command's name and a one-line summary of what it does
- SYNOPSIS: a summary of how the command is invoked
- Note: the synopsis often ends with [expression]. Some manuals describe the expression in detail (tcpdump does); others do not (tcpflow does not). In that case check SEE ALSO, which for tcpflow points at pcap-filter(7), or the project's website, for the full expression syntax
- For example, in the capture command tcpdump -i eth0 dst port 6060, dst port 6060 is the expression, and you will not necessarily find it explained in the man page
- DESCRIPTION: detailed description of what the command does
- OPTIONS: detailed description of each option
- EXAMPLES: usage examples
- SEE ALSO: related pages to consult
tcpflow(1) tcpflow 1.4.5 tcpflow(1)
NAME
tcpflow - TCP flow recorder
SYNOPSIS
tcpflow [-aBcCDhpsvVZ] [-b max_bytes] [-d debug_level] [-[eE] scanner] [-f max_fds] [-F[ctTXMkmg]] [-i iface] [-L semlock] [-m min_bytes] [-o outdir] [-r file1.pcap] [-R file0.pcap] [-Sname=value] [-T[filename template]] [-wfile] [-x scanner] [-X file.xml] [expression]
DESCRIPTION
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. Rather than showing packet-by-packet information, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. tcpflow provides control over filenames for automatic binning of connections by protocol, IP address or connection number, and has a sophisticated plug-in system for decompressing compressed HTTP connections, undoing MIME encoding, or calling user-provided programs for post-processing.
By default tcpflow stores all captured data in files that have names of the form:
192.168.101.102.02345-010.011.012.013.45103
...where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.
If you want to simply process a few hundred thousand packets and see what you have, try this:
tcpflow -a -o outdir -Fk -r packets.pcap
This will cause tcpflow to perform (-a) all processing, store the output in a directory called outdir, bin the output in directories of 1000 connections each, and read its input from the file packets.pcap. More sophisticated processing is possible, of course.
OPTIONS
-a Enable all processing. Same as -e all.
-B Force binary output even when printing to console with -C or -c.
-b max_bytes
Specifies the maximum size of a captured flow. Any bytes beyond max_bytes from the first byte captured will be discarded. The default is to store an unlimited number of bytes per flow. Note: previous versions of tcpflow could only store a maximum of 4GiB per flow, but version 1.4 and above can really store an unlimited amount of bytes. Good thing that modern disks are so big, eh?
-c Console print. Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s).
-C Console print without the packet source and destination details being printed. Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s). When outputting to the console each flow will be output in different colors (blue for client to server flows, red for server to client flows, green for undecided flows).
-D Console output should be in hex.
-d Debug level. Set the level of debugging messages printed to stderr to debug_level. Higher numbers produce more messages. -d 0 causes completely silent operation. -d 1, the default, produces minimal status messages. -d 10 produces verbose output equivalent to -v. Numbers higher than 10 can produce a large amount of debugging information useful only to developers.
-Z Don't decompress gzip-compressed streams.
EXAMPLES
To record all packets arriving at or departing from sundown and extract all of the HTTP attachments:
tcpflow -e scan_http -o outdir host sundown
To record traffic between helios and either hot or ace and bin the results into 1000 files per directory and calculate the MD5 of each flow:
tcpflow -X report.xml -e scan_md5 -o outdir -Fk host helios and \( hot or ace \)
BUGS
Please send bug reports to simsong@acm.org.
tcpflow currently does not understand IP fragments. Flows containing IP fragments will not be recorded correctly.
AUTHORS
Originally by Jeremy Elson <jelson@circlemud.org>. Substantially modified and maintained by Simson L. Garfinkel <simsong@acm.org>. Network visualization code by Michael Shick <mike@shick.in>
The current version of this software is available at
http://www.digitalcorpora.org/downloads/tcpflow/
An announcement mailing list for this program is at:
http://groups.google.com/group/tcpflow-users
SEE ALSO
tcpdump(1), nit(4P), bpf(4), pcap(3), pcap-savefile(5), pcap-filter(7)
3. How to look up the expression syntax
We may need to see exactly how the expression is written, but the man page does not necessarily spell it out. Before looking elsewhere, check whether the man page at least says where the expression is documented. tcpdump is an example: run man tcpdump and search the output for the keyword expression (in the pager, type /expression and press Enter). There is a hint: For the expression syntax, see pcap-filter(7).
That means the syntax is documented in pcap-filter(7).
So how do you read pcap-filter(7)?
Exactly the same way; just run: man 7 pcap-filter
- Note the section number: 7 is the manual section and pcap-filter the page name. If you leave the number off, man shows the first page of that name it finds in its section search order; for pcap-filter that happens to be the right one, but when a name exists in more than one section (a command and a library function with the same name, for instance) the number is what selects the right page, so use the section given in the cross reference.
And there are the expressions we already know from tcpdump (host, port, dst port, and, or ...)!
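Both the SEE ALSO breakdown in part 2 and the pcap-filter(7) lookup above come down to the same habit: read every name(section) cross reference as the command man section name. As an added example (not from the original notes, and not part of the tcpflow or tcpdump projects), the shell helper below pulls those references out of man page text on stdin and prints the command that opens each one, so the section number is never dropped. The function names man_refs, man_cmd and man_cmds and the sample text are mine; the sample is constructed from the tcpflow(1) SEE ALSO line and the tcpdump(1) sentence quoted on this page.

```sh
#!/bin/sh
# Added example, not code from the original notes or from tcpflow/tcpdump:
# turn the "name(N)" cross references that man pages print in SYNOPSIS and
# SEE ALSO into the "man N name" commands needed to read them.

# man_refs: print every "name(section)" reference found on stdin, one per
# line, de-duplicated. A section is a digit plus optional letters (4P, 3pcap).
man_refs() {
    grep -o '[A-Za-z0-9_.-][A-Za-z0-9_.-]*([0-9][0-9A-Za-z]*)' | LC_ALL=C sort -u
}

# man_cmd: convert one reference such as "pcap-filter(7)" into "man 7 pcap-filter".
man_cmd() {
    ref=$1
    name=${ref%(*}          # everything before the "("
    section=${ref#*(}       # everything after the "("
    section=${section%)}    # drop the closing ")"
    printf 'man %s %s\n' "$section" "$name"
}

# man_cmds: for each reference on stdin, print the command that opens it.
man_cmds() {
    man_refs | while IFS= read -r ref; do man_cmd "$ref"; done
}

# Constructed sample input: the SEE ALSO line of tcpflow(1) and the sentence
# in tcpdump(1) that points at the expression syntax.
SAMPLE='SEE ALSO
       tcpdump(1), nit(4P), bpf(4), pcap(3), pcap-savefile(5), pcap-filter(7)
       For the expression syntax, see pcap-filter(7).'

printf '%s\n' "$SAMPLE" | man_cmds
```

In daily use the input comes from a real page, e.g. man tcpdump | man_cmds, which lists man 7 pcap-filter among the pages to read next; man -k keyword (apropos) is the complementary tool when you do not yet know the page name at all.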