In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why.

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0

http://www.rationallyparanoid.com/articles/tcpdump.html

======================================================================

tcpdump 的抓包保存到文件的命令参数是-w xxx.cap
 
抓eth1的包 
tcpdump -i eth1 -w /tmp/xxx.cap 
 
抓 192.168.1.123的包 
tcpdump -i eth1 host 192.168.1.123 -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口的包 
tcpdump -i eth1 host 192.168.1.123 and port 80 -w /tmp/xxx.cap 
 
抓192.168.1.123的icmp的包 
tcpdump -i eth1 host 192.168.1.123 and icmp -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口和110和25以外的其他端口的包 
tcpdump -i eth1 host 192.168.1.123 and ! port 80 and ! port 25 and ! port 110 -w /tmp/xxx.cap 
 
抓vlan 1的包 
tcpdump -i eth1 port 80 and vlan 1 -w /tmp/xxx.cap 
 
抓pppoe的密码 
tcpdump -i eth1 pppoes -w /tmp/xxx.cap 
 
 
以100m大小分割保存文件, 超过100m另开一个文件 -C 100m 
 
抓10000个包后退出 -c 10000 
 
后台抓包, 控制台退出也不会影响: 
nohup tcpdump -i eth1 port 110 -w /tmp/xxx.cap & 
 
抓下来的文件可以直接用ethereal 或者wireshark打开。
 
http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/
========================================================================================================

linux下使用tcpdump抓包数据不完整问题解决方法

 linux下使用tcpdump抓包数据长度显示不全的问题,如图1所示,实际数据长度应该是76但只抓到了24字节的数据:
 
 
 
 
这是因为tcpdump命令默认捕获包总长度是96字节,如图所示,我们只要在抓包命令里加一个参数-s0即可捕获完整数据的数据包
 
 
 
命令:tmpdump -s0 -i any port 6024 -w /tmp/a.pcap
-s0, 表示取消抓包长度限制
-i any, 表示在所有网卡设备上抓包,也可单独指定某个网卡,如-i eth0
port 6024, 表示在哪个端口上抓包
-w /tmp/a.pcap, 表示抓包文件存储路径
http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/

Tcpdump usage examples的更多相关文章

  1. TCPDUMP Command Examples

    tcpdump command is also called as packet analyzer. tcpdump command will work on most flavors of unix ...

  2. Linux基础:用tcpdump抓包

    简介 网络数据包截获分析工具.支持针对网络层.协议.主机.网络或端口的过滤.并提供and.or.not等逻辑语句帮助去除无用的信息. tcpdump - dump traffic on a netwo ...

  3. Tcpdump使用常用9实例

    以下将给出9个使用tcpdump的例子,以说明tcpdump的具体使用方法. 1.针对特定网口抓包(-i选项) 当我们不加任何选项执行tcpdump时,tcpdump将抓取通过所有网口的包:使用-i选 ...

  4. 9个tcpdump使用实例

    tcpdump能帮助我们捕捉并保存网络包,保存下来的网络包可用于分析网络负载情况,包可通过tcpdump命令解析,也可以保存成后缀为pcap的文件,使用wireshark等软件进行查看. 以下将给出9 ...

  5. http://blog.csdn.net/zgl07/article/details/43491399

    转载申明:本文转载自http://www.brendangregg.com/perf.html   请大家看了之后如果要转载一定要注上这个地址!!! ========================= ...

  6. 18 Command Line Tools to Monitor Linux Performance

    By Ravi Saive Under: Linux Commands, Monitoring Tools On: December 26, 2013 http://www.tecmint.com/c ...

  7. man 手册--nc

    man 手册--nc NCAT(1) Ncat Reference Guide NCAT(1) NAME ncat - Concatenate and redirect sockets SYNOPSI ...

  8. Man手册--nmap

    目录 nmap使用手册 附录: nmap使用手册 附录: NMAP(1) Nmap Reference Guide NMAP(1) NAME nmap - Network exploration to ...

  9. Java多线程系列--“JUC锁”03之 公平锁(一)

    概要 本章对“公平锁”的获取锁机制进行介绍(本文的公平锁指的是互斥锁的公平锁),内容包括:基本概念ReentrantLock数据结构参考代码获取公平锁(基于JDK1.7.0_40)一. tryAcqu ...

随机推荐

  1. MySql 碎片

    查看某个表所占空间,以及碎片大小. select table_name,engine,table_rows,data_length+index_length length,DATA_FREE from ...

  2. Kibana6.x.x源码分析--ngReact使用

    ngReact  GitHub地址:https://github.com/ngReact/ngReact

  3. request.getRequestDispatcher()跳转+中文乱码

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, ...

  4. 最近研究了一个.NET的DHT网络搜索引擎,顺便重新整理了下引擎思路,供大家分享讨论下。

    最近研究了一个.NET的DHT网络搜索引擎,顺便重新整理了下引擎思路,供大家分享讨论下.

  5. P3332 [ZJOI2013]K大数查询

    传送门 注意操作 $1$ 是在区间的每个位置加入一个数,不是加上一个值 相当于每个位置维护的是一个集合 显然树套树 一开始想的是区间线段树套权值线段树 发现这样询问区间第 $K$ 大时就要先二分答案再 ...

  6. 软件测试作业——WordCount的测试

    一.代码提交 1.代码地址:https://gitee.com/zst1978805482/WordCount 2.作业地址:https://edu.cnblogs.com/campus/xnsy/T ...

  7. 企业DevOps构建 (一)

    一,环境: tomcat 7.0.92 jenkins 1.658 maven mysql 5.5.23 mongodb 2.6.11 redis 4.0.12   01, 安装jenkins wge ...

  8. 对象池3(方法功能)PoolManager(控制)PoolTimeObject(时间管理)text01(调用)Destorys(销毁)

    1.对象池PoolManager namespace kernal { public class PoolManager : MonoBehaviour { //“缓冲池”集合 public stat ...

  9. Linux 后台运行程序 和切换至前台

    fg 将后台中的命令调至前台继续运行 jobs查看当前有多少在后台运行的命令 ctrl + z可以将一个正在前台执行的命令放到后台,并且暂停

  10. 023-将表单序列化为json对象

    使用jQuery将表单序列化为json对象,其中serializeJson方法的名字任意,serializeArray()这个jQuery提供的方法.this指的就是谁调用了这个方法. $.fn.se ...