tcpdump

tcpdump -i: specify the network interface to capture on

[root@rstx-53 ~]# tcpdump -i eth0 |head 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:37:02.451244 IP harbor.rongbiz.cn.ssh > 192.168.1.36.53030: Flags [P.], seq 2314108372:2314108584, ack 1927612083, win 274, length 212
09:37:02.451930 IP 192.168.1.36.53030 > harbor.rongbiz.cn.ssh: Flags [.], ack 212, win 8210, length 0
09:37:02.464063 IP6 fe80::41e7:678c:c4f1:534a.61063 > ff02::c.ssdp: UDP, length 146
09:37:02.472388 ARP, Request who-has 192.168.1.203 tell 192.168.1.202, length 46

tcpdump -i eth0 tcp port 80: capture only TCP traffic on port 80; udp can be used in place of tcp

[root@rstx-53 ~]# tcpdump -i eth0 port 80 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:38:12.937963 IP 192.168.1.36.53851 > harbor.rongbiz.cn.http: Flags [S], seq 2660181074, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:38:12.938021 IP harbor.rongbiz.cn.http > 192.168.1.36.53851: Flags [S.], seq 3832396717, ack 2660181075, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:38:12.938231 IP 192.168.1.36.53851 > harbor.rongbiz.cn.http: Flags [.], ack 1, win 8212, length 0
09:38:12.938466 IP 192.168.1.36.53851 > harbor.rongbiz.cn.http: Flags [P.], seq 1:517, ack 1, win 8212, length 516: HTTP: GET / HTTP/1.1
09:38:12.938493 IP harbor.rongbiz.cn.http > 192.168.1.36.53851: Flags [.], ack 517, win 237, length 0

tcpdump -i eth0 port 80 -n: do not resolve IP addresses to hostnames; -c 5: stop after capturing 5 packets

[root@rstx-53 ~]# tcpdump -i eth0 port 80 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:46:47.847784 IP 192.168.1.36.53966 > 192.168.1.53.http: Flags [S], seq 3403842321, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:46:47.847848 IP 192.168.1.53.http > 192.168.1.36.53966: Flags [S.], seq 1289147910, ack 3403842322, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:46:47.848812 IP 192.168.1.36.53966 > 192.168.1.53.http: Flags [.], ack 1, win 1026, length 0
09:46:47.849057 IP 192.168.1.36.53966 > 192.168.1.53.http: Flags [P.], seq 1:517, ack 1, win 1026, length 516: HTTP: GET / HTTP/1.1
09:46:47.849083 IP 192.168.1.53.http > 192.168.1.36.53966: Flags [.], ack 517, win 237, length 0

tcpdump -i eth0 port 80 -nn: also do not resolve port numbers to application protocol names

[root@rstx-53 ~]# tcpdump -i eth0 port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:48:13.723863 IP 192.168.1.36.53990 > 192.168.1.53.80: Flags [S], seq 3568546736, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:48:13.723935 IP 192.168.1.53.80 > 192.168.1.36.53990: Flags [S.], seq 1815102753, ack 3568546737, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:48:13.724284 IP 192.168.1.36.53990 > 192.168.1.53.80: Flags [.], ack 1, win 8212, length 0
09:48:13.724539 IP 192.168.1.36.53990 > 192.168.1.53.80: Flags [P.], seq 1:517, ack 1, win 8212, length 516: HTTP: GET / HTTP/1.1
09:48:13.724580 IP 192.168.1.53.80 > 192.168.1.36.53990: Flags [.], ack 517, win 237, length 0
09:48:13.724773 IP 192.168.1.53.80 > 192.168.1.36.53990: Flags [.], seq 1:1461, ack 517, win 237, length 1460: HTTP: HTTP/1.1 200 OK
09:48:13.724843 IP 192.168.1.53.80 > 192.168.1.36.53990: Flags [P.], seq 1461:1999, ack 517, win 237, length 538: HTTP

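tcpdump -i eth0 port 80 -nn -S: print the TCP sequence and acknowledgement numbers as absolute values instead of converting them to relative ones; the seq and ack of the TCP three-way handshake are shown as their raw values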

[root@rstx-53 ~]# tcpdump -i eth0 port 80 -nn -S
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:51:56.485521 IP 192.168.1.36.54023 > 192.168.1.53.80: Flags [S], seq 969278663, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:51:56.485581 IP 192.168.1.53.80 > 192.168.1.36.54023: Flags [S.], seq 2393512392, ack 969278664, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:51:56.485821 IP 192.168.1.36.54023 > 192.168.1.53.80: Flags [.], ack 2393512393, win 8212, length 0
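
Added example (not part of the original article): because -S prints absolute sequence numbers, the handshake can be checked mechanically: the SYN-ACK must acknowledge the client seq + 1 and the final ACK must acknowledge the server seq + 1. The function names handshake_check and sample_capture and the 192.168.1.99 line are constructed for illustration.

```shell
#!/bin/sh
# Added example: check TCP three-way handshakes in "tcpdump -nn -S" text output.
# Live use (bounded by -c): tcpdump -i eth0 -nn -S -c 200 tcp port 80 | handshake_check
handshake_check() {
  awk '
    # Number that follows keyword k on the current line, or -1 if absent.
    function val(k,   i) {
      for (i = 6; i < NF; i++) if ($i == k) return $(i + 1) + 0
      return -1
    }
    ($2 == "IP" || $2 == "IP6") && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flags = $7; sub(/,$/, "", flags)
      if (flags == "[S]") {                        # step 1: client SYN
        k = src " > " dst
        isn[k] = val("seq"); state[k] = "SYN"
      } else if (flags == "[S.]") {                # step 2: server SYN-ACK
        k = dst " > " src
        if ((k in state) && state[k] == "SYN" &&
            val("ack") == (isn[k] + 1) % 4294967296) {
          srv[k] = val("seq"); state[k] = "SYNACK"
        }
      } else if (flags == "[.]") {                 # step 3: client ACK
        k = src " > " dst
        if ((k in state) && state[k] == "SYNACK" &&
            val("ack") == (srv[k] + 1) % 4294967296) {
          state[k] = "DONE"; print "ESTABLISHED " k
        }
      }
    }
    END {
      for (k in state)
        if (state[k] != "DONE") print "INCOMPLETE " k " (" state[k] ")"
    }
  '
}

# First three lines are the -S capture shown above; the last line is constructed
# (a SYN that never gets an answer) to show the incomplete case.
sample_capture() {
  cat <<'EOF'
09:51:56.485521 IP 192.168.1.36.54023 > 192.168.1.53.80: Flags [S], seq 969278663, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:51:56.485581 IP 192.168.1.53.80 > 192.168.1.36.54023: Flags [S.], seq 2393512392, ack 969278664, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:51:56.485821 IP 192.168.1.36.54023 > 192.168.1.53.80: Flags [.], ack 2393512393, win 8212, length 0
09:51:57.000000 IP 192.168.1.99.40000 > 192.168.1.53.80: Flags [S], seq 1000, win 64240, length 0
EOF
}

sample_capture | handshake_check
```

A steady run of INCOMPLETE lines from a live capture means SYNs that were never answered or never completed, which is worth checking against firewall rules and listener state on the server.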
Original article: https://www.cnblogs.com/yangtao416/p/14536186.html