tcpdump抓包实例


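    # tcpdump capture-filter cookbook.
    #
    # Each line below is a standalone example, not a script to run top to
    # bottom: every tcpdump invocation blocks until interrupted (Ctrl-C), so
    # run them one at a time. Capturing needs root or CAP_NET_RAW. Filters are
    # BPF expressions; quote any filter containing spaces, parentheses or
    # operators so the shell passes it to tcpdump as a single argument.
    # Comments use '#' — the '//' form is not shell syntax and would fail.

    # Filter by IP address (either direction, source only, destination only)
    tcpdump -i eth1 host 192.168.1.1
    tcpdump -i eth1 src host 192.168.1.1
    tcpdump -i eth1 dst host 192.168.1.1

    # Filter by port
    tcpdump -i eth1 port 25
    tcpdump -i eth1 src port 25
    tcpdump -i eth1 dst port 25

    # Filter by network ("net 192.168" matches 192.168.0.0/16)
    tcpdump -i eth1 net 192.168
    tcpdump -i eth1 src net 192.168
    tcpdump -i eth1 dst net 192.168

    # Filter by protocol
    tcpdump -i eth1 arp
    tcpdump -i eth1 ip
    tcpdump -i eth1 tcp
    tcpdump -i eth1 udp
    tcpdump -i eth1 icmp

    # TCP on port 80 whose destination is 192.168.1.254 or 192.168.1.200
    tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'

    # ICMP with destination MAC address 00:01:02:03:04:05
    tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

    # TCP to the 192.168/16 network, excluding destination 192.168.1.200
    tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'

    # Only SYN packets: the flags byte must equal SYN exactly, so SYN+ACK is
    # excluded (new connection attempts only)
    tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'

    # Packets with both SYN and ACK set (second step of the handshake)
    tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'

    # Payload matching below uses tcp[(tcp[12]>>2):4]: byte 12 of the TCP
    # header holds the data offset in its upper nibble (in 32-bit words), so
    # tcp[12]>>2 is the header length in bytes and the expression reads the
    # first 4 bytes of the TCP payload. Note that a filter like this only
    # sees the segment that carries the start of the payload.

    # SMTP: port 25 and payload starting with "MAIL" (0x4d41494c)
    tcpdump -i eth1 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'

    # HTTP GET requests: payload starts with "GET " (0x47455420)
    tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'

    # SSH banner replies: payload starts with "SSH-" (0x5353482D)
    tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482D'

    # Old-style SSH banner "SSH-1.99": the two bytes after "SSH-" are "1." (0x312E)
    tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2] = 0x312E)'

    # DNS queries (UDP to port 53)
    tcpdump -i eth1 udp dst port 53

    # HTTP GET on port 8000, saved to a file (this example uses eth0, unlike
    # the others). -w writes raw pcap, not text: -A and -l affect only the
    # printed output and have no effect here. Read the capture back with
    # `tcpdump -nnA -r /tmp/GET.log`. Because the capture runs privileged,
    # prefer a destination directory only the capturing user can write to
    # rather than a fixed name in the shared, world-writable /tmp.
    tcpdump -i eth0 '((port 8000) and (tcp[(tcp[12]>>2):4]=0x47455420))' -nnAl -w /tmp/GET.log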