使用 tcpdump 捕获网络数据报文

Question

捕获指定网卡

获取可用网卡列表

# tcpdump -D

捕获指定的网卡

# tcpdump -i <interface_name>

捕获的报文实时存储到文件

# tcpdump -w <file_name>

设定捕获时报文过滤器

# tcpdump -i <interface_name> -w <file_name> [ expression ]

如上[ expression ] 处填写报文过滤规则，规则定义如下：

TCPDUMP SYNTAX

Syntax:	Protocol	Direction	Host(s)	Value	Logical Operations	Other expression
Example:	tcp	dst	10.1.1.1	80	and	tcp dst 10.2.2.2 3128

• Protocol:

Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.

If no protocol is specified, all the protocols are used.

• Direction:

Values: src, dst, src and dst, src or dst

If no source or destination is specified, the "src or dst" keywords are applied.

For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".

• Host(s):

Values: net, port, host, portrange.

If no host(s) is specified, the "host" keyword is used.

For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".

• Logical Operations:

Values: not, and, or.

Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.

For example,

"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".