Type keywords
These are mainly host, net and port. For example, host 210.27.48.2 states that 210.27.48.2 is a host; net 202.0.0.0 states that 202.0.0.0 is a network address; port 23 states that the port number is 23. If no type is specified, the default type is host.
Direction keywords
These are mainly src, dst, dst or src and dst and src; they specify the direction of the traffic. For example, src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.
Protocol keywords
These are mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi selects a particular network protocol on an FDDI (Fiber Distributed Data Interface) network; it is actually an alias for "ether", and because fddi and ether frames carry source and destination addresses in the same way, fddi packets can be processed and analysed as ether packets. The other keywords select the protocol of the packets to capture. If no protocol is specified, tcpdump captures packets of every protocol.
Other important keywords
gateway, broadcast, less, greater
Logical operators
Negation is 'not' or '!', AND is 'and' or '&&', and OR is 'or' or '||'. These keywords can be combined into powerful compound conditions to match whatever is needed.
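The keyword rules above can be tried out without a capture. The block below is an added example (it is not part of these notes and is not libpcap's code): a toy parser and evaluator for the filter syntax that applies the stated defaults (no type means host, no direction means src or dst, no protocol means any) and tcpdump's rule that a bare value inherits the most recent keywords, so `host A and (B or C)` reads as `host A and (host B or host C)`. It assumes numeric ports and IPv4 addresses, treats `ether`/`fddi` as matching every frame, and runs over a few constructed packet records. Like tcpdump, it rejects two primitives written next to each other with no `and`/`or` between them.

```python
# Toy evaluator for the tcpdump filter syntax above (added example, not libpcap
# code): models the stated defaults (no type -> host, no direction -> "src or dst",
# no protocol -> any, bare value -> most recent keywords) over constructed records.
import ipaddress
import re

PROTOS = {"ether", "fddi", "ip", "arp", "rarp", "tcp", "udp"}
TYPES, DIRS = {"host", "net", "port"}, {"src", "dst", "either", "both"}
REWRITES = [("src or dst", "either"), ("dst or src", "either"), ("src and dst", "both"),
            ("dst and src", "both"), ("&&", " and "), ("||", " or "), ("!", " not "),
            ("(", " ( "), (")", " ) ")]

def tokenize(text):
    # fold two-sided direction phrases and symbolic operators into single tokens
    for old, new in REWRITES:
        text = text.replace(old, new)
    return text.split()

def to_net(value):
    # no prefix given: the mask comes from the trailing zero octets
    # (202.0.0.0 -> /8, 192.168.0.0 -> /16), as tcpdump does
    if "/" not in value:
        value += "/%d" % (8 * (re.sub(r"(\.0)+$", "", value).count(".") + 1))
    return ipaddress.ip_network(value, strict=False)

class Parser:
    # recursive descent; precedence not > and > or, parentheses group (as in tcpdump)
    def __init__(self, text):
        self.toks = tokenize(text)
        self.last = (None, "either", "host")   # most recent keywords seen

    peek = property(lambda self: self.toks[0] if self.toks else None)

    def expr(self):
        return self.binary("or", lambda: self.binary("and", self.unary))

    def binary(self, op, operand):
        node = operand()
        while self.peek == op:
            self.toks.pop(0)
            node = (op, node, operand())
        return node

    def unary(self):
        if self.peek == "not":
            self.toks.pop(0)
            return ("not", self.unary())
        if self.peek == "(":
            self.toks.pop(0)
            node = self.expr()
            if self.toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.toks.pop(0) if self.peek in PROTOS else None
        direction = self.toks.pop(0) if self.peek in DIRS else None
        ptype = self.toks.pop(0) if self.peek in TYPES else None
        value = self.toks.pop(0)   # IndexError if the filter ends early
        if (proto, direction, ptype) == (None, None, None):
            proto, direction, ptype = self.last   # bare value inherits keywords
        self.last = (proto, direction or "either", ptype or "host")
        return ("prim",) + self.last + (value,)

def match_primitive(pkt, proto, direction, ptype, value):
    carried = {"ip": ("ip", "tcp", "udp")}.get(proto, (proto,))   # ip covers tcp/udp
    if proto not in (None, "ether", "fddi") and pkt["proto"] not in carried:
        return False
    if ptype == "port":
        hit = [pkt.get(f) == int(value) for f in ("sport", "dport")]
    elif ptype == "net":
        hit = [ipaddress.ip_address(pkt[f]) in to_net(value) for f in ("src", "dst")]
    else:
        hit = [pkt[f] == value for f in ("src", "dst")]
    if direction in ("src", "dst"):
        return hit[direction == "dst"]
    return all(hit) if direction == "both" else any(hit)

def evaluate(node, pkt):
    if node[0] == "prim":
        return match_primitive(pkt, *node[1:])
    if node[0] == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if node[0] == "and" else (left or right)

PACKETS = [   # constructed sample records, not taken from a capture
    {"proto": "tcp", "src": "210.27.48.2", "dst": "202.1.2.3", "sport": 40000, "dport": 23},
    {"proto": "tcp", "src": "192.168.192.2", "dst": "192.168.192.1", "sport": 51000, "dport": 23},
    {"proto": "udp", "src": "192.168.192.9", "dst": "192.168.192.1", "sport": 123, "dport": 123},
    {"proto": "arp", "src": "192.168.192.5", "dst": "192.168.192.1"},
]

def select(filter_text, packets=PACKETS):
    # indexes of the packets the filter keeps; ValueError on bad syntax
    parser = Parser(filter_text)
    tree = parser.expr()
    if parser.toks:   # leftover tokens, e.g. two primitives with no and/or between
        raise ValueError("syntax error near %r" % parser.toks[0])
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]
```

`select("210.27.48.2")` and `select("host 210.27.48.2")` return the same packets, which is the default-type rule in action; `select("dst 210.27.48.2")` returns none, because the only packet with that address has it as source. The model does not cover everything tcpdump accepts (service names such as `ftp`, `less`/`greater`, `gateway`, `broadcast`), only the keyword rules described in these notes.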
18:29:46.118463 00:0c:29:cc:09:38 > 00:50:56:e1:1f:7f, ethertype IPv4 (0x0800), length 54: 192.168.130.254.44990 > 61.172.201.194.http: Flags [F.], seq 217, ack 75209, win 47124, length 0
0x0000: 0050 56e1 1f7f 000c 29cc 0938 0800 4500 .PV.....)..8..E.
0x0010: 0028 3219 4000 4006 bda1 c0a8 82fe 3dac .(2.@.@.......=.
0x0020: c9c2 afbe 0050 cc78 1a65 f92b 09d1 5011 .....P.x.e.+..P.
0x0030: b814 4b30 0000 ..K0..
18:29:46.118571 00:50:56:e1:1f:7f > 00:0c:29:cc:09:38, ethertype IPv4 (0x0800), length 60: 61.172.201.194.http > 192.168.130.254.44989: Flags [.], ack 158, win 64239, length 0
0x0000: 000c 29cc 0938 0050 56e1 1f7f 0800 4500 ..)..8.PV.....E.
0x0010: 0028 0895 0000 8006 e725 3dac c9c2 c0a8 .(.......%=.....
0x0020: 82fe 0050 afbd a224 e245 252b 7445 5010 ...P...$.E%+tEP.
0x0030: faef 9be6 0000 0000 0000 0000 ............
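The summary line and the hex dump describe the same bytes, and it is worth being able to check one against the other by hand. The block below is an added example (not tcpdump's code) that rebuilds the raw frame from the `0x0000:` lines exactly as dumped above, walks the Ethernet II, IPv4 and TCP headers, and renders the fields in tcpdump's summary style; it handles only that one protocol stack and raises on anything else. The second frame also shows why the IP total length must bound the TCP segment: the 60-byte frame carries six bytes of Ethernet padding after a 40-byte IP packet.

```python
# Decoder for the `tcpdump -e -XX`-style hex dump shown above (added example,
# not tcpdump code).  It rebuilds the raw bytes from the 0x0000: lines, walks
# Ethernet II -> IPv4 -> TCP and renders the fields in tcpdump's summary style,
# so each number on the summary line can be checked against the bytes.
import struct

# the two frames exactly as dumped above (ASCII column included)
FRAME_FIN = """\
0x0000: 0050 56e1 1f7f 000c 29cc 0938 0800 4500 .PV.....)..8..E.
0x0010: 0028 3219 4000 4006 bda1 c0a8 82fe 3dac .(2.@.@.......=.
0x0020: c9c2 afbe 0050 cc78 1a65 f92b 09d1 5011 .....P.x.e.+..P.
0x0030: b814 4b30 0000 ..K0..
"""
FRAME_ACK = """\
0x0000: 000c 29cc 0938 0050 56e1 1f7f 0800 4500 ..)..8.PV.....E.
0x0010: 0028 0895 0000 8006 e725 3dac c9c2 c0a8 .(.......%=.....
0x0020: 82fe 0050 afbd a224 e245 252b 7445 5010 ...P...$.E%+tEP.
0x0030: faef 9be6 0000 0000 0000 0000 ............
"""
# tcpdump's flag letters, in the order it prints them ("." is ACK)
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]
HEXDIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(text):
    """Collect the hex groups after each '0xNNNN:' offset: at most 16 bytes
    (8 groups) per line, stopping at the first token that is not pure hex,
    because the trailing ASCII column could itself look like hex."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("0x") or ":" not in line:
            continue
        for group in line.split(":", 1)[1].split()[:8]:
            if len(group) in (2, 4) and set(group) <= HEXDIGITS:
                out += bytes.fromhex(group)
            else:
                break
    return bytes(out)


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def decode(frame):
    """Parse Ethernet II + IPv4 + TCP headers; raise on anything else."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP, IP protocol %d" % proto)
    # total_len bounds the segment: short frames carry Ethernet padding (FRAME_ACK)
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "eth_src": mac(frame[6:12]), "eth_dst": mac(frame[0:6]), "length": len(frame),
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": "".join(c for bit, c in TCP_FLAGS if off_flags & bit),
        "payload_len": len(tcp) - data_off,
    }


def summary(info):
    """tcpdump -e style summary line (absolute seq/ack numbers, as with -S;
    numeric ports, as with -nn)."""
    return ("%(eth_src)s > %(eth_dst)s, ethertype IPv4 (0x0800), length %(length)d: "
            "%(src)s.%(sport)d > %(dst)s.%(dport)d: Flags [%(flags)s], seq %(seq)d, "
            "ack %(ack)d, win %(win)d, length %(payload_len)d" % info)


if __name__ == "__main__":
    for dump in (FRAME_FIN, FRAME_ACK):
        print(summary(decode(hexdump_to_bytes(dump))))
```

For the first frame the decoder recovers `Flags [F.]` from the byte `0x11` (FIN + ACK) and `win 47124` from `0xb814`, matching the summary line; the sequence and acknowledgement numbers come out absolute, whereas tcpdump prints them relative to the start of the connection unless `-S` is given.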
root@jlive:~#tcpdump ip src 192.168.130.1 and dst port ftp -i br0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:50:44.700318 IP 192.168.130.1.55740 > 192.168.130.254.21: Flags [S], seq 517418878, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 838026521 ecr 0,sackOK,eol], length 0
18:50:44.700485 IP 192.168.130.1.55740 > 192.168.130.254.21: Flags [.], ack 2016969765, win 16471, options [nop,nop,TS val 838026521 ecr 12735436], length 0
18:50:44.703333 IP 192.168.130.1.55740 > 192.168.130.254.21: Flags [.], ack 21, win 16468, options [nop,nop,TS val 838026524 ecr 12735439], length 0
root@jlive:~#tcpdump tcp port 21 and host 192.168.130.254
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:17:53.555422 IP 192.168.130.1.56097 > jlive.example.com.ftp: Flags [S], seq 2505904008, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 839600626 ecr 0,sackOK,eol], length 0
Other examples
Capture all packets sent or received by host 192.168.192.1
#tcpdump host 192.168.192.1
Capture telnet packets received or sent by host 192.168.192.1
#tcpdump tcp port 23 and host 192.168.192.1
Capture packets on local UDP port 123
#tcpdump udp port 123
Capture all data sent by host hostname
#tcpdump -i eth0 src host hostname
Capture packets sent to host hostname
#tcpdump -i eth0 dst host hostname
Capture packets passing through the specified gateway
#tcpdump -i eth0 gateway Gatewayname
Capture TCP or UDP packets to the specified port
#tcpdump -i eth0 host hostname and port 80
Capture traffic between host 192.168.192.1 and host 192.168.192.2 or 192.168.192.3
#tcpdump host 192.168.192.1 and \(192.168.192.2 or 192.168.192.3\)
Capture IP packets between host 192.168.192.1 and every host except 192.168.192.2
#tcpdump ip host 192.168.192.1 and ! 192.168.192.2
[foo@app08 ~]$ netstat -n|awk '/^tcp/ {++count[$NF]} END {for(state in count) print state,count[state]}'
TIME_WAIT 61
CLOSE_WAIT 79
FIN_WAIT2 3
ESTABLISHED 133
LAST_ACK 3
root@jlive:~#ss -t -o state time-wait|wc -l
39
root@jlive:~#ss -t -o state close-wait|wc -l
1
root@jlive:~#ss -t -o state fin-wait-1|wc -l
1
root@jlive:~#ss -t -o state fin-wait-2|wc -l
1
root@jlive:~#ss -t -o state established|wc -l
2
root@jlive:~#ss -t -o state last-ack|wc -l
1
root@jlive:~#ss -t -o state established sport = :3737|wc -l
2
root@jlive:~#ss -t -o state all sport = :3737|wc -l
4701
root@jlive:~#ss -t -o state time-wait sport = :3737|wc -l
4611
root@jlive:~#ss -t -o state time-wait '( sport = :3737 and dport = :9060 )'|wc -l
1
root@jlive:~#ss -t -o state time-wait '( sport = :3737 or dport = :9060 )'|wc -l
4901
Find which application created a connection from a local ephemeral port
ps -ef|grep $(ss -pt -o sport = :36845|awk -F, '/users/{print $2}')
or
ps -ef|grep -w $(netstat -anp 2>/dev/null|grep :64002 |awk '{print $NF}'|awk -F'/' '{print $1}')
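The `awk -F,` field in the `ss -p` one-liner above depends on the iproute2 version: newer `ss` prints the process column as `users:(("java",pid=2143,fd=88))`, older releases print `users:(("java",2143,88))`, so the second comma-separated field is either `pid=2143` or `2143`. The block below is an added example (not iproute2 code) that parses constructed `ss -tanp`-style output, accepts both formats, counts socket states the way the `netstat`/`awk` one-liner above does, and reports which peers hold sockets in a given state, which is the question behind a growing CLOSE_WAIT or TIME_WAIT count.

```python
# Parser for `ss -tanp` / `ss -pt` output (added example, not iproute2 code):
# counts TCP states like the awk one-liner above, finds the process behind a
# local port, and accepts both process-column formats ss has used,
# users:(("java",pid=2143,fd=88)) and the older users:(("java",2143,88)).
import re
from collections import Counter

# constructed sample output, not taken from a real host
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB      0      0      192.168.130.254:36845 10.0.0.7:9060       users:(("java",pid=2143,fd=88))
ESTAB      0      0      192.168.130.254:64002 10.0.0.9:443        users:(("curl",1877,5))
CLOSE-WAIT 1      0      192.168.130.254:3737  10.0.0.7:9060       users:(("java",pid=2143,fd=91))
TIME-WAIT  0      0      192.168.130.254:3737  10.0.0.7:9061
TIME-WAIT  0      0      192.168.130.254:3737  10.0.0.7:9062
"""
# process name, then the pid with or without the "pid=" prefix
OWNER_RE = re.compile(r'users:\(\("([^"]+)",(?:pid=)?(\d+),(?:fd=)?\d+\)')


def parse_ss(text):
    """Yield one dict per socket line; the header line is skipped."""
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5:
            continue
        # rpartition keeps IPv6 literals such as [::1]:22 intact
        local_ip, _, local_port = cols[3].rpartition(":")
        peer_ip, _, peer_port = cols[4].rpartition(":")
        owner = OWNER_RE.search(line)   # search: an -o timer column may sit in between
        yield {"state": cols[0],
               "local": (local_ip, int(local_port)), "peer": (peer_ip, int(peer_port)),
               "process": owner.group(1) if owner else None,
               "pid": int(owner.group(2)) if owner else None}


def count_states(text):
    """State -> number of sockets, like the netstat | awk one-liner."""
    return Counter(sock["state"] for sock in parse_ss(text))


def owner_of_port(text, port):
    """(process, pid) of the socket bound to local `port`, or None."""
    for sock in parse_ss(text):
        if sock["local"][1] == port and sock["pid"] is not None:
            return sock["process"], sock["pid"]
    return None


def peers_by_state(text, state):
    """Peer address -> count for one state, e.g. who is holding CLOSE-WAIT."""
    return Counter("%s:%d" % sock["peer"] for sock in parse_ss(text) if sock["state"] == state)


if __name__ == "__main__":
    print(dict(count_states(SAMPLE_SS)))
    print(owner_of_port(SAMPLE_SS, 36845), owner_of_port(SAMPLE_SS, 64002))
    print(dict(peers_by_state(SAMPLE_SS, "TIME-WAIT")))
```

On a live host the text would come from `subprocess.run(["ss", "-tanp"], capture_output=True, text=True).stdout`; `ss -p` shows the process only for sockets the caller may inspect, so run it as root when the owner column is empty.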
find /foo/test -type f -name '*.bash' -exec rename .bash .sh {} \;
find foo.ear/ -type f -newermt '2016-05-31 00:00:00' ! -newermt '2016-06-01 05:30:00'|xargs ls -l
find . -regextype posix-egrep ! -regex '.*[0-9]{8}\.log$' -exec grep '/event/2015/1208/shopkeeper.html' {} \;|egrep '221.192.179.15|121.28.32.158' --color=auto
find . -regextype posix-egrep -regex '.*20170220.log$' -exec grep '/checkout/share/v3/shareInfoPage.do' {} \;|egrep '221.192.179.15|121.28.32.158' --color=auto
curl -u vadmin:123 -o elasticsearch.xz ftp://192.168.8.254/elasticsearch.xz
ip command
http://lartc.org/
man ip
/sbin/ip link set lo up
/sbin/ip link set dev eth0 up
/sbin/ip addr add 172.24.137.219/24 dev eth0
/sbin/ip route add 172.24.139.0/24 via 172.24.137.1
/sbin/ip route add 172.24.210.0/24 via 172.24.137.1
/sbin/ip route add 172.24.166.0/24 via 172.24.137.1
/sbin/ip route add 172.24.138.0/24 via 172.24.137.1
/sbin/ip route add 172.24.0.0/16 via 172.24.137.1
/sbin/ip route add 172.25.0.0/16 via 172.24.137.1
/sbin/ip link set dev eth1 up
/sbin/ip addr add 172.24.154.219/24 dev eth1