TCPDUMP使用教程.docx

Packet Analyzer: 15 TCPDUMP Command Examples by Sasikala on August 25, 2010 HYPERLINK /share Tweet tcpdump command is also called as packet analyzer. tcpdump command will work on most flavors of unix operating system. tcpdump allows us to save the packets that are captured, so that we can use it for future analysis. The saved file can be viewed by the same tcpdump command. We can also use open source software like wireshark to read the tcpdump pcap files. In this tcpdump tutorial, let us discuss some practical examples on how to use the tcpdump command. 1. Capture packets from a particular ethernet interface using tcpdump -i When you execute tcpdump command without any option, it will capture all the packets flowing through all the interfaces. -i option with tcpdump command, allows you to filter on a particular ethernet interface. $ tcpdump -i eth1 14:59:26.608728 IP .52497 .ssh: . ack 540 win 16554 14:59:26.610602 IP .domain .24151: 4278 1/0/0 (73) 14:59:26.611262 IP .38527 .domain: 26364+ PTR? 0.. (45) In this example, tcpdump captured all the packets flows in the interface eth1 and displays in the standard output. Note: HYPERLINK /2009/02/editcap-guide-11-examples-to-handle-network-packet-dumps-effectively/ Editcap utility is used to select or remove specific packets from dump file and translate them into a given format. 2. Capture only N number of packets using tcpdump -c When you execute tcpdump command it gives packets until you cancel the tcpdump command. Using -c option you can specify the number of packets to capture. $ tcpdump -c 2 -i eth0 listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 14:38:38.184913 IP .ssh .11006: P 1457255642:1457255758(116) ack 1561463966 win 63652 14:38:38.690919 IP .ssh .11006: P 116:232(116) ack 1 win 63652 2 packets captured 13 packets received by filter 0 packets dropped by kernel The above tcpdump command captured only 2 packets from interface eth0. Note: HYPERLINK /2009/03/mergecap-and-tshark-