https://blog.zrj.me/tags/tcpdump/ Recent content in Tcpdump on ZRJ | 学习笔记 Hugo -- gohugo.io zh-CN Mon, 23 Nov 2015 11:50:39 +0800 https://blog.zrj.me/posts/2015-11-23-linux-tcpdump/ Mon, 23 Nov 2015 11:50:39 +0800 https://blog.zrj.me/posts/2015-11-23-linux-tcpdump/ <p>我一般用 tcpdump 有两种用法，一个是存盘，拿 wireshark 看，那么的话，就这么写</p> <pre tabindex="0"><code>tcpdump -s 0 -i any -p udp and src 10.170.7.40 -w `date +%s`.pcap </code></pre><p>或者实时打印到屏幕，就参考这里，<a class="link" href="http://www.askbjoernhansen.com/2007/07/12/how_to_dump_packets_with_tcpdump.html" target="_blank" rel="noopener" >http://www.askbjoernhansen.com/2007/07/12/how_to_dump_packets_with_tcpdump.html</a>，这么写</p> <blockquote> <p>I always forget the parameters for this and have to look them up in the man page, so enough of that:</p> <p>tcpdump -nnXSs 0 &lsquo;port 80&rsquo; &ldquo;-nn&rdquo; makes it not lookup hostnames in DNS and service names (in /etc/services) for respectively faster and cleaner output. &ldquo;-X&rdquo; makes it print each packet in hex and ascii; that&rsquo;s really the useful bit for tracking headers and such &ldquo;-S&rdquo; print absolute rather than relative TCP sequence numbers - If I remember right this is so you can compare tcpdump outputs from multiple users doing this at once &ldquo;-s 0&rdquo; by default tcpdump will only capture the beginning of each packet, using 0 here will make it capture the full packets. We are debugging, right? Instead of &ldquo;port 80&rdquo; you can make more complicated rules like &ldquo;port 80 and host 10.50.33.10&rdquo;.</p> </blockquote>