Type: host, net, port, portrange
Direction: src, dst
Protocols: tcp, udp, ip, wlan, arp
Multi-condition combination: and, or, not
Introduction to tcpdump filter statement
tcpdump accepts a "filter expression" that decides which packets are captured; the expression can be a single primitive or several primitives combined.
The full syntax is documented in the manual page pcap-filter (man pcap-filter). A filter expression is built from three kinds of qualifier, "type", "direction" and "protocol", and the combination of these qualifiers with a value forms a primitive of the expression.
Type qualifiers are host, net and port (and portrange). For example, host 18.104.22.168 matches the host 18.104.22.168, net 126.96.36.199 treats 126.96.36.199 as a network address, and port 21 matches port number 21. If no type is given, host is assumed, so a bare address is treated as a host.
Direction qualifiers are src, dst, src or dst, and src and dst.
They state the direction of transfer. For example, src 184.108.40.206 matches packets whose IP source address is 184.108.40.206, and dst net 18.104.22.168 matches packets whose destination address lies in the network 18.104.22.168. If no direction is given, src or dst is assumed, so host X matches traffic in both directions.
Protocol qualifiers include ether, ip, ip6, arp, rarp, tcp and udp; they restrict the match to packets of that protocol. If no protocol is given, tcpdump captures packets of every protocol that match the rest of the expression.
Besides these three kinds of qualifier, other important keywords are:
gateway, broadcast, less and greater, plus the three logical operators. Negation is written not or !, conjunction is and or &&, and disjunction is or or ||; not binds tighter than and, which binds tighter than or, and parentheses override that order.
These keywords can be combined into more precise filters. On the command line the whole expression should be quoted, so that the shell does not interpret parentheses, ! or && itself.
Some examples follow.
(1) Capture only packets whose destination port is 21 or 80 and ignore every other port:
sudo tcpdump -i eth0 -c 10 'dst port 21 or dst port 80'
(2) Capture the traffic between host 172.16.0.11 and either 184.108.40.206 or 220.127.116.11 (note the parentheses, which must be quoted or escaped from the shell; the bare addresses inherit the host qualifier):
sudo tcpdump -i eth0 -c 3 'host 172.16.0.11 and (184.108.40.206 or 220.127.116.11)'
(3) Capture packets on the ftp control port and the ftp-data port:
sudo tcpdump 'port ftp or ftp-data'
Which ports do ftp and ftp-data correspond to? On Linux, /etc/services maps the well-known service names to transport-layer ports, and tcpdump resolves service names in a filter through that file (getservbyname). If you change the ftp entry in /etc/services from 21 to 3333, port ftp will match port 3333. Filters that must behave the same on every machine should therefore use numeric ports.
(4) To capture the IP packets exchanged between host 172.16.0.11 and every host except 22.214.171.124 (not the traffic of all other hosts: the filter still requires 172.16.0.11 on one side):
sudo tcpdump 'ip host 172.16.0.11 and ! 22.214.171.124'
(5) Capture the traffic of host 172.16.0.11 on every port other than 80, 25 and 110 (all three ports are excluded, on either side of the packet):
sudo tcpdump -i eth0 'host 172.16.0.11 and ! port 80 and ! port 25 and ! port 110'
[root@www ~]# tcpdump -i eth0                       # monitor the packets of the specified network interface
[root@www ~]# tcpdump host webserver                # print all packets entering or leaving the host webserver
[root@www ~]# tcpdump host 172.18.0.67              # an IP address can be given instead: all packets sent or received by 172.18.0.67
[root@www ~]# tcpdump host 126.96.36.199 and \( 188.8.131.52 or 184.108.40.206 \)   # traffic between 126.96.36.199 and either 188.8.131.52 or 184.108.40.206 (the parentheses are escaped from the shell)
[root@www ~]# tcpdump host 172.18.0.67 and ! 172.18.60.129   # IP packets between 172.18.0.67 and every host except 172.18.60.129
[root@www ~]# tcpdump -i eth0 src host webserver    # all packets sent by the host webserver (src = source)
[root@www ~]# tcpdump -i eth0 dst host webserver    # all packets sent to the host webserver (dst = destination)
[root@www ~]# tcpdump tcp port 23 and host 22.214.171.124   # telnet packets sent or received by 22.214.171.124
[root@www ~]# tcpdump udp port 123                  # UDP port 123 on this machine, the port used by the ntp service
[root@www ~]# tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.1.0/24'
#(1) tcp: the protocol keyword (ip, icmp, arp, rarp, tcp, udp, ...) is the first word of the filter expression and restricts the capture to that protocol. The options (-i, -t, -s, -c, -w) belong before the expression; tcpdump joins whatever arguments remain into the filter, which is why the expression is best given as one quoted argument.
#(2) -i eth1: capture only packets passing through interface eth1
#(3) -t: do not print the timestamp
#(4) -s 0: older tcpdump versions captured only the first 68 bytes of each packet by default (current versions default to 262144 bytes); -s 0 captures complete packets
#(5) -c 100: capture only 100 packets
#(6) dst port ! 22: do not capture packets whose destination port is 22 (the same as not dst port 22)
#(7) src net 192.168.1.0/24: the source address of the packet is in the network 192.168.1.0/24
#(8) -w ./target.cap: write the raw packets to a capture file for later analysis with ethereal (now Wireshark) or with tcpdump -r
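The qualifier rules above (host as the default type, src or dst as the default direction, inheritance by bare identifiers, service-name lookup, and the negated value in dst port ! 22) are easy to get wrong, and the filter is the first thing that decides what a capture misses. The following is an added example, not code from this page or from libpcap: a small Python evaluator for a subset of the pcap-filter language that runs a filter expression against constructed packet records, so an expression can be checked offline before it is used on a live interface. The SERVICES table is a stand-in for /etc/services, the PACKETS list is made up, and keywords outside this subset (gateway, broadcast, less, greater, ether) are not understood.

```python
"""Offline evaluator for a subset of the pcap-filter language, to check what a tcpdump filter
selects before it runs on a live interface. Added example, not libpcap code; SERVICES stands in for /etc/services."""
import ipaddress
import re

SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
            "domain": 53, "http": 80, "pop3": 110, "ntp": 123}
PROTOS, DIRS, TYPES = {"tcp", "udp", "icmp", "ip"}, {"src", "dst"}, {"host", "net", "port"}
STOP = {"and", "or", "&&", "||", "not", "!", "(", ")", None}   # tokens that can never be a value

def _network(value):                          # pcap: "net 192.168.1" means 192.168.1.0/24
    if "/" in value:
        return ipaddress.ip_network(value, strict=False)
    octets = value.split(".")
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets)))

def _port(value):                             # tcpdump resolves names with getservbyname()
    return int(value) if value.isdigit() else SERVICES[value]

class Filter:
    def __init__(self, expr):
        self.toks, self.pos = re.findall(r"\(|\)|&&|\|\||!|[^\s()!&|]+", expr), 0
        self.qual = (None, "src or dst", "host")   # pcap defaults, inherited by bare identifiers
        self.tree = self._expr()
        if self.pos != len(self.toks):
            raise SyntaxError("unexpected token %r" % self.toks[self.pos])

    def _peek(self, k=0):
        return self.toks[self.pos + k] if self.pos + k < len(self.toks) else None

    def _next(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self, level=0):                 # precedence as in pcap: not > and > or
        if level == 2:
            return self._unary()
        node = self._expr(level + 1)
        while self._peek() in (("or", "||"), ("and", "&&"))[level]:
            self._next()
            node = (("or", "and")[level], node, self._expr(level + 1))
        return node

    def _unary(self):
        if self._peek() in ("not", "!"):
            self._next()
            return ("not", self._unary())
        if self._peek() == "(":
            self._next()
            node = self._expr()
            if self._next() != ")":
                raise SyntaxError("expected ')'")
            return node
        return self._primitive()

    def _primitive(self):                     # [proto] [direction] [type] value
        proto = self._next() if self._peek() in PROTOS else None
        two = self._peek() in DIRS and self._peek(1) in ("or", "and") and self._peek(2) in DIRS
        dirn = " ".join(self._next() for _ in range(3 if two else 1)) if self._peek() in DIRS else None
        typ = self._next() if self._peek() in TYPES else None
        if proto and not (dirn or typ) and self._peek() in STOP:
            return ("prim", proto, None, None, None)   # bare protocol, e.g. "tcp and ..."
        if proto or dirn or typ:                      # explicit qualifiers become the new defaults
            self.qual = (proto, dirn or "src or dst", typ or "host")
        negate = self._peek() in ("not", "!") and self._next()   # "dst port ! 22" negates the value only
        if self._peek() in STOP:
            raise SyntaxError("expected a value, got %r" % self._peek())
        node = ("prim",) + self.qual + (self._next(),)
        return ("not", node) if negate else node

    def matches(self, pkt, node=None):
        node = self.tree if node is None else node
        if node[0] in ("and", "or", "not"):
            vals = [self.matches(pkt, n) for n in node[1:]]
            return all(vals) if node[0] == "and" else any(vals) if node[0] == "or" else not vals[0]
        _, proto, dirn, typ, value = node
        if proto not in (None, "ip") and pkt["proto"] != proto:
            return False
        if typ is None:                           # bare protocol primitive
            return True
        if typ == "host":
            s, d = pkt["src"] == value, pkt["dst"] == value
        elif typ == "net":
            net = _network(value)
            s, d = ipaddress.ip_address(pkt["src"]) in net, ipaddress.ip_address(pkt["dst"]) in net
        else:                                     # ICMP carries no ports, so neither side matches
            s, d = pkt.get("sport") == _port(value), pkt.get("dport") == _port(value)
        return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[dirn]

def select(expr, packets):                    # indices of the packets the expression would capture
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f.matches(p)]

PACKETS = [  # constructed sample traffic, not a real capture; the ICMP entry carries no ports
    dict(proto="tcp", src="172.16.0.11", sport=51000, dst="10.0.0.5", dport=80),
    dict(proto="tcp", src="172.16.0.11", sport=51001, dst="10.0.0.5", dport=22),
    dict(proto="tcp", src="172.16.0.11", sport=51002, dst="22.214.171.124", dport=443),
    dict(proto="udp", src="10.0.0.5", sport=123, dst="172.16.0.11", dport=123),
    dict(proto="tcp", src="10.0.0.5", sport=40000, dst="10.0.0.6", dport=21),
    dict(proto="icmp", src="192.168.1.7", dst="172.16.0.11"),
    dict(proto="tcp", src="192.168.1.7", sport=40001, dst="10.0.0.5", dport=443),
]
```

select('host 172.16.0.11 and ! port 80 and ! port 25 and ! port 110', PACKETS) returns [1, 2, 3, 5]: the packet to port 80 is dropped, and the ICMP packet is kept because a port test can never match a packet without ports, which is also how tcpdump behaves. select('ip host 172.16.0.11 and ! 22.214.171.124', PACKETS) returns [0, 1, 3, 5], showing that example (4) still requires 172.16.0.11 on one side of every packet.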
nmap -sP 192.168.1.0/24          # ping scan: print the hosts that respond, with no further testing (no port scan or OS detection); -sP is the old spelling of -sn
nmap -sL 192.168.1.0/24          # list scan: only lists the addresses in the range and sends nothing to the targets
nmap -PS 192.168.1.234           # TCP SYN ping for host discovery; a comma-separated port list may follow the option (e.g. -PS22,23,25,80)
nmap -PS -p 80,3306,22,23,21 172.18.0.69
nmap -sV 172.18.0.69 -p 22 -oN test6.txt   # version detection on port 22; -oN saves normal text output, -oX saves XML
nmap -PU 192.168.1.0/24          # host discovery with UDP ping
nmap -sS 192.168.1.0/24          # the most used scan option: SYN (half-open) scan, which never completes the TCP handshake and runs quickly
nmap -sT 192.168.1.0/24          # TCP connect() scan, the default TCP scan when SYN scan is unavailable (no raw-socket privilege)
nmap -sU 192.168.1.0/24          # UDP scan: sends an empty (no data) UDP header to each target port
nmap -sO 192.168.1.19            # IP protocol scan: determines which IP protocols (TCP, ICMP, IGMP, ...) the target supports
[root@ecs-62f4 ~]# nmap -sO 172.18.0.69

Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-25 19:07 CST
Nmap scan report for 172.18.0.69
Host is up (0.00028s latency).
Not shown: 252 open|filtered protocols
PROTOCOL STATE  SERVICE
1        open   icmp
6        open   tcp
58       closed ipv6-icmp
112      closed vrrp
MAC Address: FA:16:3E:99:A5:D4 (Unknown)
nmap -O 192.168.1.19             # OS detection on the target host
nmap -A 192.168.1.19             # aggressive scan: OS detection, version detection, script scanning and traceroute
nmap -v scanme.nmap.org          # scans the default TCP port set on scanme.nmap.org; -v enables verbose output
nmap -sS -O scanme.nmap.org/24   # SYN scan of the 255 hosts in the class C network containing scanme.nmap.org, with OS detection of each live host; both SYN scan and OS detection require root
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127   # host enumeration and TCP scan of the first half of each of the 255 possible 8-bit subnets in the 198.116 class B address space; checks whether sshd, DNS, imapd or port 4564 are running and, where a port is open, identifies the application by version detection
nmap -v -iR 100000 -P0 -p 80     # picks 100000 hosts at random and checks whether a web server (port 80) is running; host discovery would waste time when only one port is probed, so -P0 (now spelled -Pn) skips it
nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 126.96.36.199/20   # scans 4096 addresses for web servers without pinging, saving grepable and XML output
host -l company.com | cut -d ' ' -f 4 | nmap -v -iL -   # DNS zone transfer to discover the hosts of company.com, then feed the addresses to Nmap; this is the GNU/Linux form, other systems use different zone-transfer commands
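The -oG and -oX options above produce the formats worth keeping from a scan, because they can be parsed and compared between runs. The following is an added example, not nmap's own code: a Python parser that reads both formats into the same structure, picks out hosts with a given port open, and reduces a scan to a set of open (ip, proto, port) tuples that can be diffed against a baseline. Both embedded captures are constructed to mimic nmap 7 output (the hosts, ports and version strings are invented); the grepable Ports field follows nmap's port/state/protocol/owner/service/rpc info/version/ layout.

```python
"""Parser for nmap's machine-readable outputs, -oG (grepable) and -oX (XML), producing one
structure from either so results can be filtered or diffed. Added example, not nmap code;
both captures below are constructed to mimic nmap output, not real scan results."""
import xml.etree.ElementTree as ET

GREPABLE = """\
# Nmap 7.80 scan initiated Thu Jun 25 19:07:00 2020 as: nmap -Pn -p 22,80 -oG - 10.0.0.0/30
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/closed/tcp//http///
Host: 10.0.0.2 (web)\tStatus: Up
Host: 10.0.0.2 (web)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.29/
# Nmap done at Thu Jun 25 19:07:02 2020 -- 4 IP addresses (2 hosts up) scanned in 2.10 seconds
"""

XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p 22,80 -oX - 10.0.0.0/30" version="7.80">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/><hostnames><hostname name="web"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
</ports></host></nmaprun>
"""

def parse_grepable(text):
    """{ip: {(proto, port): (state, service, version)}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comment lines start with '#'
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ports = hosts.setdefault(fields["Host"].split()[0], {})
        for entry in fields.get("Ports", "").split(", "):
            if entry:
                # port/state/protocol/owner/service/rpc info/version/ (7 slash-terminated fields)
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                ports[(proto, int(port))] = (state, service, version)
    return hosts

def parse_xml(text):
    """The same structure from -oX output."""
    hosts = {}
    for host in ET.fromstring(text).iter("host"):
        ports = hosts.setdefault(host.find("address[@addrtype='ipv4']").get("addr"), {})
        for port in host.iter("port"):
            svc = port.find("service")
            product = [svc.get("product"), svc.get("version")] if svc is not None else []
            ports[(port.get("protocol"), int(port.get("portid")))] = (
                port.find("state").get("state"),
                svc.get("name", "") if svc is not None else "",
                " ".join(p for p in product if p))
    return hosts

def hosts_with_open_port(hosts, port, proto="tcp"):
    return sorted(ip for ip, ports in hosts.items() if ports.get((proto, port), ("",))[0] == "open")

def open_ports(hosts):
    """Set of (ip, proto, port) that are open; diff two scans with open_ports(new) - open_ports(old)."""
    return {(ip, proto, port) for ip, ports in hosts.items()
            for (proto, port), (state, _service, _version) in ports.items() if state == "open"}

if __name__ == "__main__":
    scan = parse_grepable(GREPABLE)
    print("same result from XML:", scan == parse_xml(XML))
    print("web servers:", hosts_with_open_port(scan, 80))
    print("open ports:", sorted(open_ports(scan)))
```

The two parsers agree on the constructed data, so a baseline saved with -oX and a fresh scan saved with -oG can be compared directly; open_ports(new) - open_ports(baseline) lists services that appeared since the baseline, which is the check a periodic exposure scan exists to make.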