In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why.

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0

http://www.rationallyparanoid.com/articles/tcpdump.html

======================================================================

tcpdump 的抓包保存到文件的命令参数是-w xxx.cap
 
抓eth1的包 
tcpdump -i eth1 -w /tmp/xxx.cap 
 
抓 192.168.1.123的包 
tcpdump -i eth1 host 192.168.1.123 -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口的包 
tcpdump -i eth1 host 192.168.1.123 and port 80 -w /tmp/xxx.cap 
 
抓192.168.1.123的icmp的包 
tcpdump -i eth1 host 192.168.1.123 and icmp -w /tmp/xxx.cap 
 
抓192.168.1.123的80端口和110和25以外的其他端口的包 
tcpdump -i eth1 host 192.168.1.123 and ! port 80 and ! port 25 and ! port 110 -w /tmp/xxx.cap 
 
抓vlan 1的包 
tcpdump -i eth1 port 80 and vlan 1 -w /tmp/xxx.cap 
 
抓pppoe的密码 
tcpdump -i eth1 pppoes -w /tmp/xxx.cap 
 
 
以100m大小分割保存文件, 超过100m另开一个文件 -C 100m 
 
抓10000个包后退出 -c 10000 
 
后台抓包, 控制台退出也不会影响: 
nohup tcpdump -i eth1 port 110 -w /tmp/xxx.cap & 
 
抓下来的文件可以直接用ethereal 或者wireshark打开。
 
http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/
========================================================================================================

linux下使用tcpdump抓包数据不完整问题解决方法

 linux下使用tcpdump抓包数据长度显示不全的问题,如图1所示,实际数据长度应该是76但只抓到了24字节的数据:
 
 
 
 
这是因为tcpdump命令默认捕获包总长度是96字节,如图所示,我们只要在抓包命令里加一个参数-s0即可捕获完整数据的数据包
 
 
 
命令:tmpdump -s0 -i any port 6024 -w /tmp/a.pcap
-s0, 表示取消抓包长度限制
-i any, 表示在所有网卡设备上抓包,也可单独指定某个网卡,如-i eth0
port 6024, 表示在哪个端口上抓包
-w /tmp/a.pcap, 表示抓包文件存储路径
http://liuzhigong.blog.163.com/blog/static/1782723752012851043396/

Tcpdump usage examples的更多相关文章

  1. TCPDUMP Command Examples

    tcpdump command is also called as packet analyzer. tcpdump command will work on most flavors of unix ...

  2. Linux基础:用tcpdump抓包

    简介 网络数据包截获分析工具.支持针对网络层.协议.主机.网络或端口的过滤.并提供and.or.not等逻辑语句帮助去除无用的信息. tcpdump - dump traffic on a netwo ...

  3. Tcpdump使用常用9实例

    以下将给出9个使用tcpdump的例子,以说明tcpdump的具体使用方法. 1.针对特定网口抓包(-i选项) 当我们不加任何选项执行tcpdump时,tcpdump将抓取通过所有网口的包:使用-i选 ...

  4. 9个tcpdump使用实例

    tcpdump能帮助我们捕捉并保存网络包,保存下来的网络包可用于分析网络负载情况,包可通过tcpdump命令解析,也可以保存成后缀为pcap的文件,使用wireshark等软件进行查看. 以下将给出9 ...

  5. http://blog.csdn.net/zgl07/article/details/43491399

    转载申明:本文转载自http://www.brendangregg.com/perf.html   请大家看了之后如果要转载一定要注上这个地址!!! ========================= ...

  6. 18 Command Line Tools to Monitor Linux Performance

    By Ravi Saive Under: Linux Commands, Monitoring Tools On: December 26, 2013 http://www.tecmint.com/c ...

  7. man 手册--nc

    man 手册--nc NCAT(1) Ncat Reference Guide NCAT(1) NAME ncat - Concatenate and redirect sockets SYNOPSI ...

  8. Man手册--nmap

    目录 nmap使用手册 附录: nmap使用手册 附录: NMAP(1) Nmap Reference Guide NMAP(1) NAME nmap - Network exploration to ...

  9. Java多线程系列--“JUC锁”03之 公平锁(一)

    概要 本章对“公平锁”的获取锁机制进行介绍(本文的公平锁指的是互斥锁的公平锁),内容包括:基本概念ReentrantLock数据结构参考代码获取公平锁(基于JDK1.7.0_40)一. tryAcqu ...

随机推荐

  1. .Net支持Redis哨兵模式

    csredis 博客 csRedisgit地址 csRedis3.2.1 Nuget地址 (在使用csredis3.2.1获取sentinel时产生运行时异常,调查问题最后发现是获取sentinel的 ...

  2. QQ互联 网站应用接入

    1.准备工作 接入qq登陆前,网站需要先进行申请,获得对应的appid和appkey, 以保证后续流程中可正确对网站与用户进行授权. 2.放置qq登陆按钮. 在网站页面上放置“qq登录”按钮,并为按钮 ...

  3. Python入门(2)

    变量补充 一:变量名的名称的大前提:应该能够反映出变量值所记录的状态 具体的,变量名命名规范如下: 1.变量名是由字母.数字.下划线组成 2.不能以数字开头 3.不能使用关键字命名变量名['and', ...

  4. Oracle 序列(自增ID)

    -- 创建序列CREATE SEQUENCE "JPADMIN"."SEQ_JP_BAS_USER_ID" MINVALUE 1 // 最小值MAXVALUE ...

  5. Mina初识

    1.概述 1.1 Apache的顶级项目,基于java NIO,支持TCP/IP.UDP/IP: 1.2 Mina对外屏蔽了java NIO使用的复杂性,并在性能上做了不少的优化: 1.3 Mina采 ...

  6. zookeeper JAVA API 简单操作

    package org.admln.program.Zoo_Test; import java.io.IOException; import java.security.NoSuchAlgorithm ...

  7. Linux软件安装的补充

    1 使用yum 命令查看软件提供的版本 yum list mysql* 然后比如说都需要安装我们就可以执行命令: yum install mysql* 然后就会安装所有的.会显示所有需要安装的包,和需 ...

  8. 【学习】Unity手游之路<十二>手游资源热更新策略探讨

    http://blog.csdn.net/janeky/article/details/17666409 =============================================== ...

  9. 【密码学】RSA算法原理

    RSA算法是一种非对称密码算法,所谓非对称,就是指该算法需要一对密钥,使用其中一个加密,则需要用另一个才能解密. RSA的算法涉及三个参数,n.e1.e2. 其中,n是两个大质数p.q的积,n的二进制 ...

  10. Python 递归返回树形菜单JSON串 <flask>

    需求:菜单管理功能(增.删.改),多级树形菜单展示 数据库表设计 create table if not exists Menu( id serial primary key , title ) no ...