tcpdump命令

1. tcpdump用途

抓包

2. tcpdump用法

tcpdump [option] expression

3. option

-n: 进制反向解析，禁用将Ip地址转化为主机名字
大大缩短命令执行时间

-i: tcpdump抓取的网络接口，如果不指定，tcpdump查找系统接口列表，监听数字最小的接口， 不包含loopback
一般指定any, 可以监听所有的接口

-nn: Don’t convert protocol and port numbers etc. to names either

-s: Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes
抓取整个包的 snaplen 字节的数据，而不是默认的65535字节
如果设置为0，则表面采用默认的65535字节

-Z: Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user
更改用户id和groupid

-G If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Save files will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.
如果指定的话， 每rotate_seconds秒切换一下dump file

-w Write the raw packets to file rather than parsing and printing them out.
把raw packet写到文件中，而不是解析打印出来到标准输出

3. expression

• dst host [parm]
• src host [parm]
• host [parm]
• src port [parm]
• dst port [parm]
• port [parm]
• [proto]
  tcp, dup, icmp

4. example

tcpdump -i any -nn port 41001 and host 10.13.32.244 and tcp
tcpdump -iany -nn -Z root -G 10 -w ./%Y_%m_%d-%H_%M_%S.cap tcp and port 41001