In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why.

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0

http://www.rationallyparanoid.com/articles/tcpdump.html

======================================================================

tcpdump 的抓包保存到文件的命令参数是-w xxx.cap
 
抓eth1的包 
tcpdump -i eth1 -w /tmp/xxx.cap 
 
抓 192.168.1.123的包 
tcpdump -i eth1 host 192.168.1.123 -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口的包 
tcpdump -i eth1 host 192.168.1.123 and port 80 -w /tmp/xxx.cap 
 
抓192.168.1.123的icmp的包 
tcpdump -i eth1 host 192.168.1.123 and icmp -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口和110和25以外的其他端口的包 
tcpdump -i eth1 host 192.168.1.123 and ! port 80 and ! port 25 and ! port 110 -w /tmp/xxx.cap 
 
抓vlan 1的包 
tcpdump -i eth1 port 80 and vlan 1 -w /tmp/xxx.cap 
 
抓pppoe的密码 
tcpdump -i eth1 pppoes -w /tmp/xxx.cap 
 
 
以100m大小分割保存文件, 超过100m另开一个文件 -C 100m 
 
抓10000个包后退出 -c 10000 
 
后台抓包, 控制台退出也不会影响: 
nohup tcpdump -i eth1 port 110 -w /tmp/xxx.cap & 
 
抓下来的文件可以直接用ethereal 或者wireshark打开。
 
http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/
========================================================================================================

linux下使用tcpdump抓包数据不完整问题解决方法

 linux下使用tcpdump抓包数据长度显示不全的问题,如图1所示,实际数据长度应该是76但只抓到了24字节的数据:
 
 
 
 
这是因为tcpdump命令默认捕获包总长度是96字节,如图所示,我们只要在抓包命令里加一个参数-s0即可捕获完整数据的数据包
 
 
 
命令:tmpdump -s0 -i any port 6024 -w /tmp/a.pcap
-s0, 表示取消抓包长度限制
-i any, 表示在所有网卡设备上抓包,也可单独指定某个网卡,如-i eth0
port 6024, 表示在哪个端口上抓包
-w /tmp/a.pcap, 表示抓包文件存储路径
http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/

Tcpdump usage examples的更多相关文章

  1. TCPDUMP Command Examples

    tcpdump command is also called as packet analyzer. tcpdump command will work on most flavors of unix ...

  2. Linux基础:用tcpdump抓包

    简介 网络数据包截获分析工具.支持针对网络层.协议.主机.网络或端口的过滤.并提供and.or.not等逻辑语句帮助去除无用的信息. tcpdump - dump traffic on a netwo ...

  3. Tcpdump使用常用9实例

    以下将给出9个使用tcpdump的例子,以说明tcpdump的具体使用方法. 1.针对特定网口抓包(-i选项) 当我们不加任何选项执行tcpdump时,tcpdump将抓取通过所有网口的包:使用-i选 ...

  4. 9个tcpdump使用实例

    tcpdump能帮助我们捕捉并保存网络包,保存下来的网络包可用于分析网络负载情况,包可通过tcpdump命令解析,也可以保存成后缀为pcap的文件,使用wireshark等软件进行查看. 以下将给出9 ...

  5. http://blog.csdn.net/zgl07/article/details/43491399

    转载申明:本文转载自http://www.brendangregg.com/perf.html   请大家看了之后如果要转载一定要注上这个地址!!! ========================= ...

  6. 18 Command Line Tools to Monitor Linux Performance

    By Ravi Saive Under: Linux Commands, Monitoring Tools On: December 26, 2013 http://www.tecmint.com/c ...

  7. man 手册--nc

    man 手册--nc NCAT(1) Ncat Reference Guide NCAT(1) NAME ncat - Concatenate and redirect sockets SYNOPSI ...

  8. Man手册--nmap

    目录 nmap使用手册 附录: nmap使用手册 附录: NMAP(1) Nmap Reference Guide NMAP(1) NAME nmap - Network exploration to ...

  9. Java多线程系列--“JUC锁”03之 公平锁(一)

    概要 本章对“公平锁”的获取锁机制进行介绍(本文的公平锁指的是互斥锁的公平锁),内容包括:基本概念ReentrantLock数据结构参考代码获取公平锁(基于JDK1.7.0_40)一. tryAcqu ...

随机推荐

  1. P2056 [ZJOI2007]捉迷藏

    传送门 如果没有修改显然就直接点分治 有修改那就动态点分治 动态点分治就是在点分树上维护一些东西,查询时也在点分树上查 因为点分树深度是$log$的所以可以保证时间复杂度 此题我们需要在点分树上维护 ...

  2. Tensorlflow-解决非线性回归问题

    import tensorflow as tfimport numpy as npimport matplotlib.pyplot as plt #使用numpy生成200个随机点,范围从-0.5到0 ...

  3. jQuery常用的方法

    each() 以每一个匹配的元素作为上下文来执行一个函数. size()  jQuery 对象中元素的个数.

  4. pyquery的简单操作

    一.初始化 1.html初始化 html = ''' <div> <ul> <li class="item-0">first item</ ...

  5. 中间件使用之(UA,IP,selenium)的使用

    一.UA池:User-Agent池 - 作用:尽可能多的将scrapy工程中的请求伪装成不同类型的浏览器身份. - 操作流程: 1.在下载中间件中拦截请求 2.将拦截到的请求的请求头信息中的UA进行篡 ...

  6. C++指针传递和引用传递的区别 (转载整理)

    区别1:指针传递和引用传递是以不同的方式实现相同的效果,但是指针传递的本质还是值传递,只是传递的值是地址. 就拿 交换两个数的函数来举例: // 指针传递 void swap(int * val1, ...

  7. QWebView使用

      问题: 开始编译的时候在pro文件中要加上 QT += core gui webkitwidgets 文件使用部分加上 #include<QtWebKitWidgets/QWebView&g ...

  8. URL篇之URL

    URL(统一资源定位)是网络上使用的资源定位的方案,它是URI(由URL和URN组成)的子集. URL的通用格式 <scheme>://<user>:<password& ...

  9. storm中KafkaSpout的选择

    Storm最常用的消息源就是Kafka,在对接的时候大多需要使用KafkaSpout: 在网上大概有两种KafkaSpout,一种是只有几十行,一种却有一大啪啦类文件. 在kafka中,同一个part ...

  10. 016-hibernateutils模板

    package ${enclosing_package}; import org.hibernate.HibernateException; import org.hibernate.Session; ...