[Linux 文章收集] Tcpdump Commands – A Network Sniffer Tool

Source From Here 
Preface 
In our previous article, we have seen 20 Netstat Commands to monitor or mange Linux network. This is our another ongoing series of packet sniffer tool called tcpdump. Here, we are going to show you how to install tcpdump and then we discuss and cover some useful commands with their practical examples. 

tcpdump is a most powerful and widely used command-line packets sniffer or package analyzer tool which is used to capture or filter TCP/IP packets that received or transferred over a network on a specific interface. It is available under most of the Linux/Unix based operating systems. tcpdump also gives us a option to save captured packets in a file for future analysis. It saves the file in a pcap format, that can be viewed by tcpdump command or a open source GUI based tool called Wireshark (Network Protocol Analyzier) that reads tcpdump pcap format files. 
 

How to Install tcpdump in Linux 
Many of Linux distributions already shipped with tcpdump tool, if in case you don’t have it on systems, you can install it using following Yum command. 

# yum install tcpdump

Once tcpdump tool is installed on systems, you can continue to browse following commands with their examples. 

tcpdump 的運算式(expression) 介紹: 
tcpdump 利用運算式作為過濾 packet 的條件，如果一個 packet 滿足表達式的條件，則這個 packet 將會被捕獲。如果沒有給出任何條件，則網路上所有的資訊包將會被截獲。 

在運算式中一般如下幾種類型的關鍵字，一種是關於類型的關鍵字，主要包括 host，net，port, 例如 host 210.27.48.2，指明 210.27.48.2是一台主機，net 202.0.0.0 指明 202.0.0.0 是一個網路位址，port 23 指明埠號是23。如果沒有指定類型，缺省的類型是 host. 

第二種是確定傳輸方向的關鍵字，主要包括 src , dst ,dst or src, dst and src, 這些關鍵字指明了傳輸的方向。舉例說明，src 210.27.48.2 ,指明 ip 包中源地址是 210.27.48.2 , dst net202.0.0.0 指明目的網路位址是 202.0.0.0 。如果沒有指明方向關鍵字，則缺省是 src or dst 關鍵字。 

第三種是協議的關鍵字，主要包括 fddi,ip ,arp ,rarp ,tcp ,udp 等類型。Fddi指明是在FDDI(分散式光纖資料介面網路)上的特定的網路協定，實際上它是 "ether" 的別名，fddi 和 ether 具有類似的源位址和目的地址，所以可以將 fddi 協議包當作 ether 的包進行處理和分析。其他的幾個關鍵字就是指明了監聽的包的協定內容。如果沒有指定任何協議，則 tcpdump 將會監聽所有協定的資訊包。 

除了這三種類型的關鍵字之外，其他重要的關鍵字如下：gateway, broadcast,less ,greater, 還有三種邏輯運算，取非運算是 'not ', '!', 與運算是 'and' , '&&'; 或運算 是'or' , '||'. 這些關鍵字可以組合起來構成強大的組合條件來滿足人們的需要. 下面舉幾個例子來說明: 

截獲所有210.27.48.1 的主機收到的和發出的所有的資料包 

# tcpdump host 210.27.48.1

截獲主機 210.27.48.1 和主機 210.27.48.2 或 210.27.48.3 的通信 

# tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)

獲取主機 210.27.48.1 除了和主機 210.27.48.2 之外所有主機通信的 ip 包 

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

獲取主機 210.27.48.1 接收或發出的 telnet packet 

# tcpdump tcp port 23 and host 210.27.48.1

Usage Example 
Capture Packets from Specific Interface 
The command screen will scroll up until you interrupt and when we execute tcpdump command it will captures from all the interfaces, however with -i switch only capture from desire interface. 

## -i :Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback).
## Ties are broken by choosing the earliest match.
$ tcpdump -i eth0

Capture Only N Number of Packets 
When you run tcpdump command it will capture all the packets for specified interface, until you Hit cancel button. But using -c option, you can capture specified number of packets. The below example will only capture 5 packets. 

## -c : Exit after receiving packets.
$ tcpdump -i eth0 -c 5
...
5 packets captured
21 packets received by filter
0 packets dropped by kernel

Print Captured Packets in ASCII 
The below tcpdump command with option -A displays the package in ASCII format. It is a character-encoding scheme format. 

# -A: Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
$ tcpdump -A -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:31:31.347508 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3329372346:3329372542, ack 4193416789, win 17688, length 196
M.r0...vUP.E.X.......~.%..>N..oFk.........KQ..)Eq.d.,....r^l......m\.oyE....-....g~m..Xy.6..1.....c.O.@...o_..J....i.*.....2f.mQH...Q.c...6....9.v.gb........;..4.)
...

3 packets captured
11 packets received by filter
0 packets dropped by kernel

Display Available Interfaces 
To list number of available interfaces on the system, run the following command with -D option. 

# -D: Print the list of the network interfaces available on the system and on which tcpdump can capture packets.
$ tcpdump -D
1.eth0
2.eth1
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.usbmon3 (USB bus number 3)
6.usbmon4 (USB bus number 4)
7.usbmon5 (USB bus number 5)
8.any (Pseudo-device that captures on all interfaces)
9.lo

Capture and Save Packets in a File 
As we said, that tcpdump has a feature to capture and save the file in a .pcap format, to do this just execute command with -w option. 

# -w: Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option.
$ tcpdump -w 0001.pcap -i eth0
...
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Read Captured Packets File 
To read and analyze captured packet 0001.pcap file use the command with -r option, as shown below: 

# -r: Read packets from file (which was created with the -w option). Standard input is used if file is "-".
$ tcpdump -r 0001.pcap
reading from file 0001.pcap, link-type EN10MB (Ethernet)
18:10:56.356289 IP nlg5.csie.ntu.edu.tw.ssh > 101.12.117.218.58312: Flags [P.], seq 3883444051:3883444183, ack 522665754, win 78, length 132
18:10:56.371369 IP6 fe80::f402:7455:4a36:72f1.59642 > ff02::1:3.hostmon: UDP, length 30
18:10:56.371439 IP iori.csie.ntu.edu.tw.57870 > 224.0.0.252.hostmon: UDP, length 30
18:10:56.372231 IP6 fe80::f402:7455:4a36:72f1.54919 > ff02::1:3.hostmon: UDP, length 30
...

Capture IP address Packets 
To capture packets for a specific interface, run the following command with option -n. 

# -n: Don’t convert host addresses to names. This can be used to avoid DNS lookups.
# -nn: Don’t convert protocol and port numbers etc. to names either.
$ tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:07:03.952358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509512873:3509513069, ack 3652639034, win 18760, length 196
12:07:03.952602 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64171, length 0
...

Capture only TCP Packets. 
To capture packets based on TCP port, run the following command with option tcp. 

$ tcpdump -i eth0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509646029:3509646225, ack 3652640142, win 18760, length 196
12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64687, length 0
...

Capture Packet from Specific Port 
Let’s say you want to capture packets for specific port 22, execute the below command by specifying port number 22 as shown below. 

# For more of expression syntax, see pcap-filter(7) 
$ tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364204694:3364204890, ack 4193655445, win 20904, length 196
10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 4294967244:196, ack 1, win 20904, length 248
...

Capture Packets from source IP 
To capture packets from source IP, say you want to capture packets for 192.168.0.2, use the command as follows. 

# For more of expression syntax, see pcap-filter(7) 
$ tcpdump -i eth0 src host 192.168.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196
10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168.192.in-addr.arpa. (42)
...

Capture Packets from destination IP 
To capture packets from destination IP, say you want to capture packets for 50.116.66.139, use the command as follows. 

# For more of expression syntax, see pcap-filter(7) 
$ tcpdump -i eth0 dst host 50.116.66.139
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0
10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], ...
...

This article may help you to explore tcpdump command in depth and also to capture and analysis packets in future. There are number of options available, you can use the options as per your requirement. Please share if you find this article useful through our comment box. 

Supplement 
* Tsung's Blog - Tcpdump的使用