Capturing on a specified network interface
-
List the available network interfaces
# tcpdump -D
-
Capture on a specified interface
# tcpdump -i <interface_name>
-
Write captured packets to a file as they arrive
# tcpdump -w <file_name>
-
Apply a packet filter while capturing
# tcpdump -i <interface_name> -w <file_name> [ expression ]
The [ expression ] placeholder above takes a packet filter rule; the rule syntax is defined as follows:
TCPDUMP SYNTAX
Syntax: | Protocol | Direction | Host(s) | Value | Logical Operations | Other expression |
Example: | tcp | dst | 10.1.1.1 | 80 | and | tcp dst 10.2.2.2 3128 |
- Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
- Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
- Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
- Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
For example, "not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23". It is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
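As an added example that is not part of this cheat sheet, the Python below (written for this page, not tcpdump's own code) takes a filter written in the syntax above and rewrites it with the default qualifiers ("src or dst", "host") filled in and the precedence rules made visible with parentheses. It also accepts parenthesised sub-expressions, which tcpdump supports, so the two readings of "not ... and ..." can be compared side by side.

```python
# Added example, not from the page: rewrite a tcpdump filter with the defaults
# above made explicit ("src or dst", "host") and its grouping shown with parentheses.
PROTOCOLS = {"ether", "fddi", "ip", "arp", "rarp", "decnet", "lat", "sca",
             "moprc", "mopdl", "tcp", "udp"}
TYPES, DIRS, OPS = {"net", "port", "host", "portrange"}, {"src", "dst"}, {"and", "or"}

def _primitive(toks, i):                # [protocol] [direction] [type] value
    parts = [toks[i]] if toks[i] in PROTOCOLS else []
    i += len(parts)                     # step past the protocol if there was one
    if parts and toks[i] in OPS | {")", ""}:
        return parts[0], i              # a bare protocol such as "tcp" is complete
    if toks[i] in DIRS:                 # "src or dst" / "src and dst" are one qualifier
        n = 3 if toks[i + 1] in OPS and toks[i + 2] in DIRS else 1
        parts.append(" ".join(toks[i:i + n])); i += n
    else:
        parts.append("src or dst")      # default direction from the page
    if toks[i] in TYPES:
        parts.append(toks[i]); i += 1
    else:
        parts.append("host")            # default type from the page
    if toks[i] in OPS | {"not", "(", ")", ""}:
        raise ValueError(f"primitive is missing its value at token {i}")
    return " ".join(parts + [toks[i]]), i + 1

def _term(toks, i):                     # 'not' term | '(' expr ')' | primitive
    if toks[i] == "not":                # negation binds tightest
        inner, i = _term(toks, i + 1)
        return f"(not {inner})", i
    if toks[i] == "(":
        inner, i = _expr(toks, i + 1)
        if toks[i] != ")":
            raise ValueError(f"expected ')' at token {i}, got {toks[i]!r}")
        return f"({inner})", i + 1
    return _primitive(toks, i)

def _expr(toks, i):                     # term (('and'|'or') term)*
    left, i = _term(toks, i)
    grouped = False
    while toks[i] in OPS:               # equal precedence, associate left to right
        right, j = _term(toks, i + 1)
        left = f"({left}) {toks[i]} {right}" if grouped else f"{left} {toks[i]} {right}"
        grouped, i = True, j
    return left, i

def normalize(expr):
    toks = expr.replace("(", " ( ").replace(")", " ) ").split() + [""]  # "" ends input
    out, i = _expr(toks, 0)
    if toks[i] != "":
        raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
    return out
```

normalize("not tcp port 3128 and tcp port 23") returns "(not tcp src or dst port 3128) and tcp src or dst port 23", whereas normalize("not (tcp port 3128 and tcp port 23)") keeps the whole conjunction under the negation.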