tcpdump packet capture and nmap scanning


Filter conditions
Type: host, net, port, portrange
Direction: src, dst
Protocols: tcp, udp, ip, wlan, arp
Multi-condition combination: and, or, not

Introduction to tcpdump filter expressions

You can pass a "filter expression" to tcpdump to select which packets are captured; either a single condition or several combined conditions may be given.

Run man pcap-filter to read the reference documentation for filter expressions. A filter expression can be roughly divided into three kinds of condition, "type", "direction" and "protocol"; combining these three kinds of condition builds up the filter expression.

Type keywords are mainly host, net and port. For example, host followed by an address specifies a host, net followed by an address specifies a network, and port 21 specifies port number 21. If no type is given, host is assumed.

Direction keywords are mainly src, dst, src or dst, and src and dst.

These keywords state the direction of transmission. For example, src followed by an address means the source address in the IP packet is that address, and dst net followed by an address means the destination network address is that network. If no direction keyword is given, src or dst is assumed.

Protocol keywords mainly include ether, ip, ip6, arp, rarp, tcp, udp and so on; they select packets by the protocol they carry. If no protocol is specified, tcpdump captures packets of all protocols.

In addition to these three kinds of keyword, other important keywords are:

gateway, broadcast, less and greater, and the three logical operators: negation is not (or !), conjunction is and (or &&), and disjunction is or (or ||).

These keywords can be combined to form more powerful filtering conditions.

Some examples follow:

(1) Capture only packets whose destination port is 21 or 80 and ignore other ports:

sudo tcpdump -i eth0 -c 10 'dst port 21 or dst port 80'

(2) To capture the traffic between one host and either of two other hosts, use the following command (note the parentheses):

sudo tcpdump -i eth0 -c 3 'host and ( or 210.45.123.248)'

(3) To capture packets on the ftp port and the ftp-data port:

sudo tcpdump 'port ftp or ftp-data'

Which ports do ftp and ftp-data correspond to? On a Linux system the file /etc/services stores the mapping between well-known services and transport-layer ports. If you change the port for ftp in /etc/services from 21 to 3333, tcpdump will then capture packets on port 3333 for 'port ftp'.
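As an added example (not from the post, and not tcpdump's own code), the following Python script reproduces what the paragraph describes: it parses a constructed excerpt in /etc/services format, resolves service names to ports the way tcpdump does (tcp first, then udp), expands names in an expression such as port ftp or ftp-data, and shows that rebinding ftp to 3333 in the file changes what 'port ftp' means. SERVICES_TEXT, parse_services, resolve_port, expand_filter and rebind_service are names chosen here, not anything from tcpdump.

```python
"""How tcpdump turns 'port ftp' into a number: an added example, not tcpdump's code.
tcpdump resolves service names through the system's /etc/services; this parses a
constructed excerpt in that file's format and expands names in a filter expression."""
import re

# Constructed excerpt in /etc/services format: name port/protocol [aliases] [# comment]
SERVICES_TEXT = """\
# Network services, Internet style
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
domain          53/tcp
domain          53/udp
http            80/tcp          www www-http   # WorldWideWeb HTTP
ntp             123/udp                        # Network Time Protocol
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)((?:\s+[^\s#]+)*)")
# tokens of a filter expression that never name a service
KEYWORDS = {"and", "or", "not", "&&", "||", "!", "(", ")",
            "ip", "ip6", "tcp", "udp", "icmp", "ether", "arp", "rarp"}


def parse_services(text):
    """Map (name, protocol) -> port, aliases included; comments and blank lines ignored."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        port, proto = int(m.group(2)), m.group(3)
        for name in [m.group(1)] + m.group(4).split():
            table.setdefault((name, proto), port)  # first definition wins
    return table


def resolve_port(table, name, proto=None):
    """Like tcpdump: a number is used as is; a name is looked up as tcp first, then udp."""
    if name.isdigit():
        return int(name)
    for p in [proto] if proto else ["tcp", "udp"]:
        if (name, p) in table:
            return table[(name, p)]
    raise KeyError("unknown service %r" % name)


def expand_filter(expr, table, proto=None):
    """Rewrite service names that follow a 'port' qualifier into numbers. The qualifier
    carries over an 'or'/'and', so 'port ftp or ftp-data' resolves both names."""
    qual, out = None, []
    for tok in expr.split():
        if tok in ("src", "dst"):
            qual = "host"  # a new direction starts a new primitive; type defaults to host
        elif tok in ("host", "net", "port"):
            qual = tok
        elif tok not in KEYWORDS and qual == "port":
            tok = str(resolve_port(table, tok, proto))
        out.append(tok)
    return " ".join(out)


def rebind_service(text, name, proto, new_port):
    """Return the file text with one entry's port changed, as the post describes doing by hand."""
    pattern = re.compile(r"^(%s\s+)\d+/%s" % (re.escape(name), proto), re.M)
    return pattern.sub(r"\g<1>%d/%s" % (new_port, proto), text)
```

Running expand_filter("port ftp or ftp-data", parse_services(SERVICES_TEXT)) gives "port 21 or 20"; after rebind_service(SERVICES_TEXT, "ftp", "tcp", 3333) the same expression expands to "port 3333 or 20", which is exactly why an edited /etc/services silently changes what a capture filter written with names actually matches.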

(4) To capture the IP packets between one host and every host except another, use:

sudo tcpdump ip 'host and !'

(5) Capture a host's packets on all ports other than 80, 110 and 25:

sudo tcpdump -i eth0 'host and ! port 80 and ! port 25 and ! port 110'
[root@www ~]# tcpdump -i eth0 #Capture packets on the given network interface
[root@www ~]# tcpdump host webserver #Print all packets entering or leaving the host webserver
[root@www ~]# tcpdump host #An IP address may be given instead: capture all packets received and sent by host 172.18.0.67
[root@www ~]# tcpdump host and \( or \) #Capture the communication between host 210.27.48.1 and either of two other hosts
[root@www ~]# tcpdump host and ! #Capture the IP packets between host 172.18.0.67 and every host except one
[root@www ~]# tcpdump -i eth0 src host webserver #Capture all packets sent by the host webserver (src = source)
[root@www ~]# tcpdump -i eth0 dst host webserver #Capture all packets sent to the host webserver (dst = destination)
[root@www ~]# tcpdump tcp port 23 and host #Capture the telnet packets received or sent by host 210.27.48.1
[root@www ~]# tcpdump udp port 123 #Monitor UDP port 123 on the local host; 123 is the ntp service port
[root@www ~]# tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net -w ./target.cap

#(1) tcp: protocol keywords such as ip, icmp, arp, rarp, tcp and udp go first in the expression and select the datagram type

#(2) -i eth1: capture only packets passing through interface eth1

#(3) -t: do not print timestamps

#(4) -s 0: by default only the first 68 bytes of each packet are captured; with -s 0 the complete packet is captured

#(5) -c 100: capture only 100 packets

#(6) dst port ! 22: do not capture packets whose destination port is 22

#(7) src net: the source network address of the packet is the given network

#(8) -w ./target.cap: save the capture to a file for later analysis with Ethereal (now Wireshark)
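The examples above combine type, direction and protocol qualifiers with and, or and not. As an added example, not from the post and not libpcap, the following Python toy evaluator implements that subset of the filter grammar and applies expressions to constructed packet records, so the defaults (type host, direction src or dst), the precedence of and over or, and the post's 'dst port ! 22' form can be checked without capturing anything. All names (FilterParser, apply_filter, SAMPLE_PACKETS) and the packet records are assumptions of this example; real tcpdump compiles the expression to BPF rather than evaluating it in Python.

```python
"""Toy evaluator for a subset of pcap filter syntax (added example, not libpcap).
Supports host/net/port, src/dst, ip/tcp/udp/icmp, and/&&, or/||, not/!, parentheses,
and tcpdump's defaults: type defaults to host, direction to 'src or dst', and 'and'
binds tighter than 'or'. Values are numeric ports, dotted IPv4 or CIDR networks."""
import ipaddress
import re

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[\w./-]+")
PROTOS, DIRS, TYPES = {"ip", "tcp", "udp", "icmp"}, {"src", "dst"}, {"host", "net", "port"}
AND, OR, NOT = {"and", "&&"}, {"or", "||"}, {"not", "!"}
ENDERS = AND | OR | {")", None}  # tokens that may follow a bare protocol keyword

def _and(l, r): return lambda p: l(p) and r(p)
def _or(l, r): return lambda p: l(p) or r(p)
def _not(f): return lambda p: not f(p)

def _qualified(direction, qual, value):
    """Matcher for '[src|dst] [host|net|port] value'; host names compare as strings."""
    if qual == "port":
        port = int(value)
        fields, test = ("sport", "dport"), lambda v: v == port
    elif qual == "net":
        net = ipaddress.ip_network(value, strict=False)
        fields, test = ("src", "dst"), lambda v: ipaddress.ip_address(v) in net
    else:  # host, also the default type when none is written
        fields, test = ("src", "dst"), lambda v: v == value
    picked = {"src": fields[:1], "dst": fields[1:]}.get(direction, fields)  # default: src or dst
    return lambda p: any(test(p[f]) for f in picked)

class FilterParser:
    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)

    def peek(self):
        return self.toks[0] if self.toks else None

    def take(self):
        return self.toks.pop(0) if self.toks else None

    def or_expr(self):  # lowest precedence: and_expr ('or' and_expr)*
        left = self.and_expr()
        while self.peek() in OR:
            self.take()
            left = _or(left, self.and_expr())
        return left

    def and_expr(self):  # unary ('and' unary)*
        left = self.unary()
        while self.peek() in AND:
            self.take()
            left = _and(left, self.unary())
        return left

    def unary(self):  # 'not' unary | '(' or_expr ')' | primitive
        if self.peek() in NOT:
            self.take()
            return _not(self.unary())
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):  # [proto] [src|dst] [host|net|port] [not] value | proto
        proto = None
        if self.peek() in PROTOS:
            name = self.take()  # 'ip' selects every IPv4 packet, the others one transport
            proto = (lambda p: True) if name == "ip" else (lambda p: p["proto"] == name)
            if self.peek() in ENDERS:  # bare keyword such as 'tcp'
                return proto
        direction = self.take() if self.peek() in DIRS else None
        qual = self.take() if self.peek() in TYPES else "host"
        negate = self.peek() in NOT and self.take()  # the post's 'dst port ! 22' form
        value = self.take()
        if value is None or value in ENDERS | NOT | {"("}:
            raise ValueError("missing value after qualifier")
        matcher = _qualified(direction, qual, value)
        if negate:
            matcher = _not(matcher)
        return _and(proto, matcher) if proto else matcher

def apply_filter(expr, packets):
    """Indices of the packets the expression selects."""
    parser = FilterParser(expr)
    match = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return [i for i, p in enumerate(packets) if match(p)]

# Constructed packet records standing in for captured headers.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10", "dport": 80},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.1.10", "dport": 21},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 22, "dst": "10.0.0.5", "dport": 40003},
    {"proto": "udp", "src": "10.0.0.7", "sport": 123, "dst": "192.168.1.10", "dport": 123},
    {"proto": "icmp", "src": "172.16.0.1", "sport": 0, "dst": "192.168.1.10", "dport": 0},
]
```

With these records, apply_filter("dst port 21 or dst port 80", SAMPLE_PACKETS) selects the first two packets, and "port 80 or port 21 and udp" selects only the first, because and binds tighter than or; when a capture filter returns less than expected, parenthesising the or branches, as example (2) does, is the first thing to try.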


nmap -sP #Ping scan: print the hosts that respond, with no further testing (no port scan or OS detection)

nmap -sL #List scan: only list each host in the specified range; no packets are sent to the targets

nmap -PS #TCP SYN ping: probe the target's ports; a comma-separated port list may be given (e.g. -PS22,23,25,80)
nmap -PS -p 80,3306,22,23,21

nmap -sV -p 22 -oN test6.txt #-oN saves normal output as a text file; -oX saves it in XML format

nmap -PU #Probe the host with a UDP ping

nmap -sS #The most frequently used scan option: SYN scan, also called half-open scan, never completes a full TCP connection and runs quickly

nmap -sT #When SYN scan is unavailable, TCP connect() scan is the default TCP scan

nmap -sU #UDP scan: the -sU option sends an empty (no data) UDP header to each target port

nmap -sO #IP protocol scan: determine which IP protocols (TCP, ICMP, IGMP, etc.) the target supports
[root@ecs-62f4 ~]# nmap -sO

Starting Nmap 6.40 ( ) at 2020-06-25 19:07 CST
Nmap scan report for
Host is up (0.00028s latency).
Not shown: 252 open|filtered protocols
1 open icmp
6 open tcp
58 closed ipv6-icmp
112 closed vrrp
MAC Address: FA:16:3E:99:A5:D4 (Unknown)
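To make a -sO report like the one above usable in a baseline check, here is an added Python parser (not part of nmap) for that text output: it extracts the host state, the "Not shown" summary, each protocol row and the MAC address, and flags open protocols that are not on an expected list. The sample report is constructed from the output shown above, with a placeholder target address and the nmap URL filled in; all function names are chosen here.

```python
"""Parser for the text output of an nmap IP protocol scan (-sO): an added example,
not part of nmap. It turns the report into a record that can be compared against a
baseline, for instance to flag open protocols that a host is not meant to speak."""
import re

# Constructed report modelled on the -sO output in the post; the target is a placeholder.
SAMPLE_REPORT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-25 19:07 CST
Nmap scan report for 192.0.2.10
Host is up (0.00028s latency).
Not shown: 252 open|filtered protocols
PROTOCOL STATE  SERVICE
1        open   icmp
6        open   tcp
58       closed ipv6-icmp
112      closed vrrp
MAC Address: FA:16:3E:99:A5:D4 (Unknown)
"""

TARGET_RE = re.compile(r"^Nmap scan report for (\S+)")
HOST_RE = re.compile(r"^Host is (up|down)(?: \(([\d.]+)s latency\))?")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) protocols")
PROTO_RE = re.compile(r"^(\d+)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_protocol_scan(text):
    """Return target, host state, latency, the 'Not shown' summary, protocol rows and MAC."""
    report = {"target": None, "up": None, "latency_s": None,
              "not_shown": None, "protocols": [], "mac": None}
    for line in text.splitlines():
        line = line.strip()
        m = TARGET_RE.match(line)
        if m:
            report["target"] = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m:
            report["up"] = m.group(1) == "up"
            report["latency_s"] = float(m.group(2)) if m.group(2) else None
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:  # protocols nmap did not list individually, all in this one state
            report["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PROTO_RE.match(line)
        if m:  # (protocol number, state, name), e.g. (6, 'open', 'tcp')
            report["protocols"].append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = MAC_RE.match(line)
        if m:
            report["mac"] = m.group(1).upper()
    return report


def open_protocols(report):
    """Names of the IP protocols the target answered for (state 'open')."""
    return [name for _, state, name in report["protocols"] if state == "open"]


def unexpected_open(report, expected):
    """Open protocols outside the expected set: the rows worth a closer look."""
    return [name for name in open_protocols(report) if name not in expected]


def total_protocols(report):
    """Listed rows plus 'Not shown' entries; -sO covers all 256 IP protocol numbers."""
    not_shown = report["not_shown"][0] if report["not_shown"] else 0
    return len(report["protocols"]) + not_shown
```

For the sample report, unexpected_open(report, {"tcp"}) returns ["icmp"], and total_protocols(report) comes to 256, which is a cheap sanity check that the scan covered the whole protocol number space and that the parser dropped no rows.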
nmap -O #Probe the operating system of the target host
nmap -A #Aggressive scan: OS detection as with -O, plus version detection, the default script scan and traceroute

nmap -v #Scan all reserved TCP ports on the host; -v enables verbose mode.

nmap -sS -O #Stealth SYN scan of the 255 hosts in the class C segment where the host scanme sits, at the same time trying to determine the operating system of each live host. Because SYN scan and OS detection are used, this scan requires root privileges.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127 #Host enumeration and TCP scan of the first half of each of the 255 8-bit subnets in the class B 198.116 segment, to determine whether the systems run sshd, DNS, imapd or port 4564. For any of these ports found open, version detection identifies the application behind it.

nmap -v -iR 100000 -P0 -p 80 #Pick 100000 hosts at random and check whether they run a web server (port 80). Sending probes first to learn whether a host is up is a waste of time when only one port is tested, so -P0 disables host discovery.

nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap #Scan 4096 IP addresses for web servers (without pinging) and save the results in grepable and XML formats.

host -l | cut -d ' ' -f 4 | nmap -v -iL - #Perform a DNS zone transfer to discover the hosts in the domain, then feed the IP addresses to Nmap. This form is for GNU/Linux; other systems use different commands for zone transfers.

Tags: network

Posted on Tue, 23 Nov 2021 14:26:59 -0500 by Michdd