Tcpdump 的用法

发表于 更新于 分类于

yum安装:

1
yum install tcpdump

源码安装:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# flex
yum -y install flex
# bison
yum -y install bison
wget http://www.tcpdump.org/release/libpcap-1.5.3.tar.gz
wget http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
tar -zxvf libpcap-1.5.3.tar.gz
cd libpcap-1.5.3
./configure
sudo make install
cd ..
tar -zxvf tcpdump-4.5.1.tar.gz
cd tcpdump-4.5.1
./configure
sudo make install
yum -y install bison

抓http包:

1
tcpdump -XvvennSs 0 -i eth0 tcp[20:2]=0x4745 or tcp[20:2]=0x4854 -w /tmp/capture.pcap

通过网卡eth1来监听端口80发出去的host包到192.168.109.8的报文:

1
tcpdump -i eth1 port 80 and dst host "192.168.109.8"

任意网卡目标是192.168.109.*的 80端口数据:

1
/usr/local/sbin/tcpdump -i any  port 80 and dst host "192.168.109.*" -w /tmp/capture.pcap

加上源地址IP:

1
tcpdump -i any -p -s 0 port 80 and dst host "192.168.109.*" and src host "10.70.32.**" -w /tmp/capture.pcap