tcpdump-wiki
1 Command-line options
Adding -S is said to show more detailed information (it prints absolute rather than relative TCP sequence numbers). -nnvv can be switched on by default. -xx is the important one, whether lowercase or uppercase: with a single x the data-link-layer header may not be shown. Recommended to add all of them.
tcpdump -nnvvS -XX -i any icmp
2 vlan
tcpdump -i eth0 -en vlan
3 snmp
See reference here.
tcpdump -w troubleshoot.pcap -vv -A -T snmp -s 0 "((dst port 162) or (src port 161) or (dst port 161)) and (host <SpectroSERVER IP>)"
Note: in pcap filter expressions "and" binds tighter than "or", so without the outer parentheses the host restriction would apply only to "dst port 161".
4 dhcp
sudo tcpdump -n -e -i <interface> 'port 67 or port 68'
sudo tcpdump -n -e -i eth0 'port 67 or port 68'
(-e is placed before the filter expression so it is parsed as an option on every platform.)
5 Capturing on all interfaces
Just set the interface to any:
sudo tcpdump -i any
6 http
Use tcpdump to monitor HTTP traffic
Show detail and headers:
tcpdump -s 1024 -l -A -n -i eth0 port 80
To monitor HTTP traffic including request and response headers and message body:
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
To monitor HTTP traffic including request and response headers and message body from a particular source:
tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
To monitor HTTP traffic including request and response headers and message body from local host to local host:
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo
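As an added example (not from the original wiki), the following Python reproduces the arithmetic of the filter above, ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), on constructed IPv4/TCP packets, so you can see why a pure ACK (even one carrying TCP options) is dropped while a request with a body is kept. Function names and the sample packets are assumptions.

```python
# Added example: evaluate the tcpdump "payload length != 0" expression on raw
# IPv4 packets (no link-layer header), the same way the BPF filter does.
import struct

def ipv4_tcp_payload_len(pkt: bytes) -> int:
    """Return ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), the TCP payload length."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]: IP total length
    ihl = (pkt[0] & 0x0F) << 2                        # (ip[0]&0xf)<<2: IP header bytes
    if pkt[9] != 6:
        raise ValueError("not TCP")
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    data_off = (pkt[ihl + 12] & 0xF0) >> 2            # (tcp[12]&0xf0)>>2: TCP header bytes
    return total_len - ihl - data_off

def has_http_payload(pkt: bytes) -> bool:
    """True when the filter 'tcp port 80 and (... != 0)' would keep this packet."""
    return ipv4_tcp_payload_len(pkt) != 0

def build_ipv4_tcp(payload: bytes, tcp_opts: bytes = b"") -> bytes:
    """Constructed sample packet (hypothetical addresses): minimal IPv4 header,
    TCP header with optional options, then the payload."""
    assert len(tcp_opts) % 4 == 0, "TCP options must pad to 32-bit words"
    tcp_hdr_len = 20 + len(tcp_opts)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Data offset lives in the high nibble of TCP byte 12, in 32-bit words.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (tcp_hdr_len // 4) << 4,
                      0x18, 65535, 0, 0) + tcp_opts
    return ip + tcp + payload

if __name__ == "__main__":
    get = build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    # Pure ACK with NOP, NOP, timestamp options: 32-byte TCP header, no payload.
    ack = build_ipv4_tcp(b"", tcp_opts=b"\x01\x01\x08\x0a" + b"\x00" * 8)
    print(has_http_payload(get), has_http_payload(ack))
```

Using tcp[12] instead of a fixed 20 is what makes the filter correct for headers that carry options, which is why the ACK above is still excluded.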
7 lldp
tcpdump -i eth0 -ne ether proto 0x88cc