Tcpdump example tutorial

This document is translated from Tcpdump Examples.

Tcpdump is a powerful network packet capture tool. It uses the libpcap library, which is available on almost all Linux/Unix systems, to capture network packets. Being familiar with tcpdump can help you analyze and debug network data. This article describes how to use tcpdump in different scenarios through specific examples. Whether you’re a systems administrator, programmer, cloud native engineer, or YAML engineer, knowing how to use tcpdump can help you get a raise or a promotion.

1. Basic syntax and usage

Common parameters of tcpdump are as follows:

$ tcpdump -i eth0 -nn -s0 -v port 80
  • -i: Selects the interface to capture on, usually an Ethernet or wireless card, but also a vlan or other special interface. If the system has only one network interface, you do not need to specify it.
  • -nn: A single n displays IP addresses without resolving domain names; two n's mean that neither domain names nor port numbers are resolved. This not only makes IP addresses and port numbers easy to read, but is also much more efficient when capturing large amounts of data, because name resolution slows the capture down.
  • -s0: By default, tcpdump captures only the first 96 bytes of each packet. To capture whole packets, use -s number, where number is the number of bytes to capture; 0 means the entire packet.
  • -v: Use -v, -vv or -vvv to display more details, usually more protocol-specific information.
  • port 80: A common port filter meaning that only traffic on port 80, usually HTTP, is captured.

Here are a few more common parameters:

  • -p: Prevents the network interface from entering promiscuous mode. By default, when tcpdump captures packets, the network interface is put into promiscuous mode. Normally a network card works in non-promiscuous mode, in which it only accepts frames addressed to the interface's own address. In promiscuous mode, the card accepts every frame seen on the interface and hands it to the driver. If promiscuous mode is enabled on the switch the device is connected to, the -p option filters out that noise effectively.
  • -e: Displays data link layer information. By default, tcpdump does not display data link layer information; the -e option displays the source MAC address, destination MAC address and VLAN tag information. For example:

$ tcpdump -n -e -c 5 not ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
18:27:53.619865 24:5e:be:0c:17:af > 00:e2:69:23:d3:3b, ethertype IPv4 (0x0800), length 1162: 192.168.100.20.51410 > 180.176.26.193.58695: Flags [.], seq 2045333376:2045334484, ack 3398690514, win 751, length 1108
18:27:53.626490 00:e2:69:23:d3:3b > 24:5e:be:0c:17:af, ethertype IPv4 (0x0800), length 68: 220.173.179.66.36017 > 192.168.100.20.51410: UDP, length 26
18:27:53.626893 24:5e:be:0c:17:af > 00:e2:69:23:d3:3b, ethertype IPv4 (0x0800), length 1444: 192.168.100.20.51410 > 220.173.179.66.36017: UDP, length 1402
18:27:53.628837 00:e2:69:23:d3:3b > 24:5e:be:0c:17:af, ethertype IPv4 (0x0800), length 1324: 46.97.169.182.6881 > 192.168.100.20.59145: Flags [P.], seq 3058450381:3058451651, ack 14349180, win 502, length 1270
18:27:53.629096 24:5e:be:0c:17:af > 00:e2:69:23:d3:3b, ethertype IPv4 (0x0800), length 54: 192.168.100.20.59145 > 192.168.100.1.12345: Flags [.], ack 3058451651, win 6350, length 0
5 packets captured

Displaying ASCII strings

-A prints all packet data as ASCII strings. This makes reading easier and lets you use tools such as grep to parse the output. -X prints all packet data as both hexadecimal and ASCII characters. These two options cannot be used together. For example:

$ tcpdump -A -s0 port 80

Capturing protocol-specific data

You can filter the traffic of a specific protocol by giving the protocol name. For example, you can add udp or proto 17; the two commands have the same meaning.

$ tcpdump -i eth0 udp
$ tcpdump -i eth0 proto 17

Similarly, tcp has the same meaning as proto 6.

Capturing data for a specific host

Use the host filter to capture traffic to or from a specific IP address.

$ tcpdump -i eth0 host 10.10.1.1

You can also use src or dst to capture only the source or only the destination:

$ tcpdump -i eth0 dst 10.10.1.20

Writing captured data to a file

When you capture packets with tcpdump, the output is displayed on the screen by default. Many lines of data scroll past quickly, and you do not have time to read everything. However, tcpdump can save the captured data to a file for later analysis with other tools such as Wireshark and Snort.

The -w option writes the captured packets to a file:

$ tcpdump -i eth0 -s0 -w test.pcap

Line buffering mode

If you want to pipe the captured data in real time to other tools for processing, use the -l option to turn on line buffering (or the -U option to turn on packet buffering). With -l, the output is sent to the other command immediately, and that command can respond immediately.

$ tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Combining filters

The real power of filters is that you can combine them freely. The logical operators used to connect them are and/&&, or/|| and not/!.

and or &&
or or ||
not or !

2. Filters

Filters for tcpdump are worth a separate description here.

The number of network packets on a machine is very large, and most of the time we only care about the datagrams related to a specific problem (such as traffic to a website, or ICMP timeout messages), which make up only a small fraction of the total. Capturing everything and then searching for the desired information in it is a time-consuming and laborious job. Tcpdump provides a flexible syntax for capturing exactly the datagrams of interest, which simplifies the analysis. These expressions that select packets are called filters.

The host filter

The host filter selects the packets of one host. For example:

$ tcpdump host 1.2.3.4

This command captures all traffic sent to or from host 1.2.3.4. If you want to capture only traffic sent from that host, use the following command:

$ tcpdump src host 1.2.3.4

The net filter

The net filter selects the data of a network segment, written in CIDR style. You can use four octets (x.x.x.x), three (x.x.x), two (x.x) or one (x). Four octets specify a single host; three octets imply a subnet mask of 255.255.255.0, two octets imply 255.255.0.0, and one octet implies 255.0.0.0. For example,

capture all traffic to or from the network segment 192.168.1.x:

$ tcpdump net 192.168.1

Capture all traffic to or from the network segment 10.x.x.x:

$ tcpdump net 10

As with the host filter, you can specify the source or destination:

$ tcpdump src net 10

CIDR notation can also be used:

$ tcpdump src net 172.16.0.0/12

The proto filter

The proto filter selects the data of one protocol. The keyword is proto and can be omitted. proto can be followed by a protocol number or a protocol name; the name can be icmp, igmp, igrp, pim, ah, esp, carp, vrrp, udp or tcp. Because these protocol names are also reserved keywords, when they are used together with the proto keyword they must be escaped with one or two backslashes (\) depending on the shell. The shell on Linux requires two backslashes; macOS requires only one.

For example, to capture ICMP packets:

$ tcpdump -n proto \\icmp
# or
$ tcpdump -n icmp

The port filter

The port filter selects the packets passing through one port. The keyword is port. For example:

$ tcpdump port 389

3. Understanding the output of tcpdump

Capturing the data is only the first step. The second step is to understand the data. Here’s what each part of the tcpdump output means.

21:27:06.995846 IP (tos 0x0, ttl 64, id 45646, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.106.56166 > 124.192.132.54.80: Flags [S], cksum 0xa730 (correct), seq 992042666, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 663433143 ecr 0,sackOK,eol], length 0
21:27:07.030487 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    124.192.132.54.80 > 192.168.1.106.56166: Flags [S.], cksum 0xedc0 (correct), seq 2147006684, ack 992042667, win 14600, options [mss 1440], length 0
21:27:07.030527 IP (tos 0x0, ttl 64, id 59119, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.106.56166 > 124.192.132.54.80: Flags [.], cksum 0x3e72 (correct), ack 2147006685, win 65535, length 0

The most basic and important information is the source address/port and destination address/port of the datagram. In the first packet, the source IP address is 192.168.1.106, the source port is 56166, the destination IP address is 124.192.132.54 and the destination port is 80. The > symbol shows the direction of the data.

Flags [S] marks the start of the TCP three-way handshake: the first packet is a SYN packet. The following are the common flags of TCP packets:

  • [S]: SYN (start connection)
  • [.]: there is no Flag
  • [P]: PSH (push data)
  • [F]: FIN (End connection)
  • [R]: RST (reset connection)

[S.] in the second packet indicates SYN-ACK, the reply to a SYN packet.

4. Examples

Here are some concrete examples. Each of them can be done in several ways with the same result, depending on the desired output and the amount of traffic on the network. When troubleshooting we usually just want to extract the information we need, and we can do that with filters and ASCII output combined with pipes and grep, cut, awk, etc.

For example, when capturing HTTP request and response packets, the noise can be filtered out by excluding packets that only carry SYN/ACK/FIN flags, but there is an easier way: pipe the output to grep. As long as the goal is achieved, we should choose the simplest and most efficient method. Let's look at an example.

Extracting the HTTP user agent

Extract the HTTP user agent from the HTTP request header:

$ tcpdump -nn -A -s1500 -l | grep "User-Agent:"

Using egrep, you can extract both the user agent and the host name (or any other header):

$ tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

Capturing only HTTP GET and POST traffic

Capture HTTP GET traffic:

$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

You can also capture HTTP POST request traffic:

$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

Note: This method does not guarantee that the full HTTP POST body is captured, because a POST request may be split across multiple TCP packets.

The hexadecimal values in the two expressions above match the ASCII strings of the GET and POST requests. The expression tcp[((tcp[12:1] & 0xf0) >> 2):4] first computes the position of the bytes we are interested in (the first byte after the TCP header, derived from the header length in byte 12), and then selects the four bytes at that position to match against.

Extracting the URL of the HTTP request

Extract the host name and path of the HTTP request:

$ tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"
tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
POST /wp-login.php HTTP/1.1
Host: dev.example.com
GET /wp-login.php HTTP/1.1
Host: dev.example.com
GET /favicon.ico HTTP/1.1
Host: dev.example.com
GET /favicon.ico HTTP/1.1
Host: dev.example.com
GET / HTTP/1.1
Host: dev.example.com

Extracting the password from an HTTP POST request

Extract the password and host name from an HTTP POST request:

$ tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1
Host: dev.example.com
.....s..log=admin&pwd=notmypassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdev.example.com%2Fwp-admin%2F&testcookie=1

Extracting cookies

Extract Set-Cookie (server-side cookie) and Cookie (client-side cookie) headers:

$ tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: dev.example.com
Cookie: wordpress_86be02xxxxxxxxxxxxxxxxxxxc43=admin%7C152xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfb3e15c744fdd6; _ga=GA1.2.21343434343421934; _gid=GA1.2.927343434349426; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86be654654645645645654645653fc43=admin%7C15275102testtesttesttestab7a61e; wp-settings-time-1=1527337439

Capturing ICMP Packets

View all ICMP packets on the network:

$ tcpdump -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:34:21.590380 IP 10.10.1.217 > 10.10.1.30: ICMP echo request, id 27948, seq 1, length 64
11:34:21.590434 IP 10.10.1.30 > 10.10.1.217: ICMP echo reply, id 27948, seq 1, length 64
11:34:27.680307 IP 10.10.1.159 > 10.10.1.1: ICMP 10.10.1.189 udp port 59619 unreachable, length 115

Capturing ICMP packets other than echo/reply

By excluding echo and echo reply packets, the capture does not include standard ping packets:

$ tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:04.041037 IP 10.10.1.189 > 10.10.1.20: ICMP 10.10.1.189 udp port 36078 unreachable, length 156

Capturing SMTP/POP3 mail

You can extract the body of an email message and other data. For example, to extract only the envelope sender (MAIL FROM) and recipient (RCPT TO) of an email message:

$ tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Capturing NTP queries and responses

$ tcpdump dst port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:02:19.112502 IP test33.ntp > 199.30.140.74.ntp: NTPv4, Client, length 48
21:02:19.113888 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48
21:02:20.150347 IP test33.ntp > 216.239.35.0.ntp: NTPv4, Server, length 48
21:02:20.150991 IP 216.239.35.0.ntp > test33

Capturing SNMP queries and responses

Penetration testers can obtain a large amount of device and system information through SNMP services. Among this information, system information such as the operating system version and kernel version is the most critical. Using the fast SNMP scanner onesixtyone, you can see information about the target system:

$ onesixtyone 10.10.1.10 public
Scanning 1 hosts, 1 communities
10.10.1.10 [public] Linux test33 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64

The GetRequest and GetResponse packets can be captured with tcpdump:

$ tcpdump -n -s0 port 161 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:39:13.725522 IP 10.10.1.159.36826 > 10.10.1.20.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
23:39:13.728789 IP 10.10.1.20.161 > 10.10.1.159.36826:  GetResponse(109)  .1.3.6.1.2.1.1.1.0="Linux testmachine 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"

Splitting pcap files

When a large amount of data is captured and written to a file, it can be split automatically into multiple files of similar size. For example, the following command starts a new file named capture-(hour).pcap every 3600 seconds, and each file does not exceed 200 x 1,000,000 bytes:

$ tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200

These files are named capture-{1-24}.pcap and are overwritten after 24 hours.

Capturing IPv6 traffic

Use the ip6 filter to capture IPv6 traffic, and specify a protocol such as TCP:

$ tcpdump -nn ip6 proto 6

Read IPv6 UDP packets from a saved file:

$ tcpdump -nr ipv6-test.pcap ip6 proto 17

Detecting port scans

In the following example, the source and destination of the captured packets stay the same while the [S] and [R] flags alternate across a series of seemingly random destination ports. After a SYN is sent, a RST comes back if the destination port is not open. This is the standard behaviour of port scanning tools such as Nmap.

$ tcpdump -nn
21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693826 IP 10.10.1.10.33022 > 10.10.1.199.49153: Flags [S], seq 2406028551, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, options [mss 1460,sackOK,TS val 3547090334 ecr 0,nop,wscale 7], length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695608 IP 10.10.1.10.33460 > 10.10.1.199.49152: Flags [S], seq 3289070068, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695622 IP 10.10.1.199.49152 > 10.10.1.10.33460: Flags [R.], seq 0, ack 3289070069, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0
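The same pattern can be picked out automatically from saved tcpdump output. The following added example (not part of the original article) parses the fields explained in section 3 (timestamp, src.port > dst.port, Flags) from `tcpdump -nn` lines and flags a source that sends bare SYNs to many ports of one host while that host answers with resets; the sample lines are constructed, shortened from the capture above, with one ordinary handshake added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` line format, modelled on the port-scan
# capture above: 10.10.1.10 sends bare SYNs to many ports on 10.10.1.199, which
# answers closed ports with RST; 10.10.1.30 completes a normal handshake to 80.
SAMPLE = """\
21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, length 0
21:46:20.100000 IP 10.10.1.30.51000 > 10.10.1.199.80: Flags [S], seq 1000, win 29200, length 0
21:46:20.100100 IP 10.10.1.199.80 > 10.10.1.30.51000: Flags [S.], seq 2000, ack 1001, win 14600, length 0
21:46:20.100200 IP 10.10.1.30.51000 > 10.10.1.199.80: Flags [.], ack 2001, win 29200, length 0
"""

# One TCP line of `tcpdump -nn` output: timestamp, src.port > dst.port, Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one TCP line into a dict; return None for banner/UDP/ICMP lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_syn_scans(text, min_ports=5):
    """Return {(src, dst): {"syn_ports": n, "rst_ports": m}} for each source
    that sent bare SYNs ([S], no ACK) to at least min_ports distinct ports of
    one target; rst_ports counts those ports that answered with a reset."""
    syn_ports = defaultdict(set)
    rst_ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["flags"] == "S":
            syn_ports[(rec["src"], rec["dst"])].add(rec["dport"])
        elif "R" in rec["flags"]:
            # A reset travels target -> scanner: key it on the reverse pair and
            # record the target's port, which is the reset's source port.
            rst_ports[(rec["dst"], rec["src"])].add(rec["sport"])
    result = {}
    for pair, ports in syn_ports.items():
        if len(ports) >= min_ports:
            result[pair] = {"syn_ports": len(ports),
                            "rst_ports": len(ports & rst_ports.get(pair, set()))}
    return result


if __name__ == "__main__":
    for (src, dst), st in detect_syn_scans(SAMPLE).items():
        print(f"possible SYN scan {src} -> {dst}: "
              f"{st['syn_ports']} ports probed, {st['rst_ports']} answered RST")
```

Feed it real data with `tcpdump -nn -l | python3 script.py` style piping; lines that do not match the TCP format are skipped rather than raising.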

Filtering Nmap NSE script test results

In this example, the Nmap NSE script http-enum.nse is used to check for valid URLs on the HTTP service.

On the host running the script:

$ nmap -p 80 --script=http-enum.nse targetip

On the target host:

$ tcpdump -nn port 80 | grep "GET /"
GET /w3perl/ HTTP/1.1
GET /w-agora/ HTTP/1.1
GET /way-board/ HTTP/1.1
GET /web800fo/ HTTP/1.1
GET /webAccess/ HTTP/1.1
GET /webadmin/ HTTP/1.1
GET /webadmin/ HTTP/1.1

Capturing DNS requests and responses

Outbound DNS requests to Google Public DNS and the A record responses can be captured with tcpdump:

$ tcpdump -i wlp58s0 -s0 port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:06.879799 IP test.53852 > google-public-dns-a.google.com.domain: 26977+ [1au] A? play.google.com. (44)
14:19:07.022618 IP google-public-dns-a.google.com.domain > test.53852: 26977 1/0/1 A 216.58.203.110 (60)

Capturing valid HTTP packets

Capture HTTP packets on port 80 that carry data, excluding the empty packets used for TCP connection setup and teardown (SYN/FIN/ACK):

$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
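The byte arithmetic in this filter and in the GET/POST filters above is easiest to trust once you have evaluated it by hand. The following added example (not part of the original article) builds constructed IPv4+TCP packets and evaluates both expressions in Python exactly as BPF does: the payload length from ip[2:2], the IP header length from ip[0]&0xf, the TCP header length from tcp[12]&0xf0, and the four payload bytes compared against 0x47455420 / 0x504f5354. Addresses and ports are the ones from the section 3 capture; checksums are left at zero because neither filter reads them.

```python
import struct

# Constructed sample addresses (taken from the handshake in section 3).
SRC = bytes([192, 168, 1, 106])
DST = bytes([124, 192, 132, 54])


def build_ipv4_tcp(payload, ip_options=b"", tcp_options=b"", flags=0x18):
    """Return a constructed IPv4 header + TCP header + payload (checksums 0)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4        # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4      # TCP data offset in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total, 0, 0x4000, 64, 6, 0, SRC, DST)
    tcp = struct.pack("!HHIIBBHHH",
                      56166, 80, 992042666, 0, doff << 4, flags, 65535, 0, 0)
    return ip + ip_options + tcp + tcp_options + payload


def tcp_header(pkt):
    """tcp[n] in a filter is indexed from here: (ip[0]&0xf)<<2 bytes into the packet."""
    ihl = (pkt[0] & 0x0F) << 2
    return pkt[ihl:]


def tcp_payload_len(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): IP total length
    minus IP header length minus TCP header length."""
    ip_total = int.from_bytes(pkt[2:4], "big")   # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                    # (ip[0]&0xf)<<2
    thl = (tcp_header(pkt)[12] & 0xF0) >> 2       # (tcp[12]&0xf0)>>2
    return ip_total - ihl - thl


def payload_word(pkt):
    """tcp[((tcp[12:1] & 0xf0) >> 2):4]: the first four payload bytes as the
    big-endian integer that tcpdump compares against 0x47455420 ('GET ')."""
    tcp = tcp_header(pkt)
    off = (tcp[12] & 0xF0) >> 2
    return int.from_bytes(tcp[off:off + 4], "big")   # 0 if fewer than 4 bytes


def is_http_get(pkt):
    return payload_word(pkt) == 0x47455420   # b'GET '


def is_http_post(pkt):
    return payload_word(pkt) == 0x504F5354   # b'POST'


def has_payload(pkt):
    """The 'valid HTTP packets' filter: true unless the segment carries no data."""
    return tcp_payload_len(pkt) != 0


if __name__ == "__main__":
    ts = b"\x01\x01\x08\x0a" + b"\x00" * 8      # nop,nop,timestamp option block
    for name, p in [("GET", build_ipv4_tcp(b"GET / HTTP/1.1\r\n", tcp_options=ts)),
                    ("ACK", build_ipv4_tcp(b"", tcp_options=ts, flags=0x10))]:
        print(name, "payload", tcp_payload_len(p), "get?", is_http_get(p))
```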

Redirecting the output to Wireshark

In general, Wireshark (or tshark) can analyze application layer protocols more easily than tcpdump. The usual workflow is to capture with tcpdump on the remote server, write the data to a file there, and then copy the file to the local workstation for analysis in Wireshark.

A more efficient way is to send the captured data in real time to Wireshark over an SSH connection. On macOS, Wireshark can be installed with brew cask install wireshark, and then the following command can be used for analysis:

$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -

For example, to analyze the DNS protocol, use the following command:

$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - port 53' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -

The -c option limits the number of packets captured. If you do not limit it, the capture can only be stopped with ctrl-C, which terminates not only tcpdump but also Wireshark.

Finding the IP that sends the most packets

To find the IP addresses that send the most packets within a period of time, or in a pile of captured packets, you can use the following command:

$ tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
200 packets captured
261 packets received by filter
0 packets dropped by kernel
    108 IP 10.10.211.181
     91 IP 10.10.1.30
      1 IP 10.10.1.50
  • cut -f 1,2,3,4 -d '.': uses . as the delimiter and prints the first four fields of each line, i.e. the source IP address.
  • sort | uniq -c: sorts the lines and counts the duplicates
  • sort -nr: sorts numerically in reverse order

Grabbing user names and passwords

This example focuses on the standard plaintext protocols and filters packets for user names and passwords:

$ tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 or port telnet | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

Capturing DHCP packets

For the last example, capture the request and response packets of the DHCP service: 67 is the DHCP server port and 68 is the client port.

$ tcpdump -v -n port 67 or 68
tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:37:50.059662 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
          Client-Ethernet-Address 00:0c:xx:xx:xx:d5
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Requested-IP Option 50, length 4: 10.10.1.163
            Hostname Option 12, length 14: "test-ubuntu"
            Parameter-Request Option 55, length 16:
              Subnet-Mask, BR, Time-Zone, Default-Gateway
              Domain-Name, Domain-Name-Server, Option 119, Hostname
              Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
              NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.059667 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
          Client-Ethernet-Address 00:0c:xx:xx:xx:d5
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Requested-IP Option 50, length 4: 10.10.1.163
            Hostname Option 12, length 14: "test-ubuntu"
            Parameter-Request Option 55, length 16:
              Subnet-Mask, BR, Time-Zone, Default-Gateway
              Domain-Name, Domain-Name-Server, Option 119, Hostname
              Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
              NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.060780 IP (tos 0x0, ttl 64, id 53564, offset 0, flags [none], proto UDP (17), length 339)
    10.10.1.1.67 > 10.10.1.163.68: BOOTP/DHCP, Reply, length 311, xid 0xc9779c2a, Flags [none]
          Your-IP 10.10.1.163
          Server-IP 10.10.1.1
          Client-Ethernet-Address 00:0c:xx:xx:xx:d5
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 10.10.1.1
            Lease-Time Option 51, length 4: 86400
            RN Option 58, length 4: 43200
            RB Option 59, length 4: 75600
            Subnet-Mask Option 1, length 4: 255.255.255.0
            BR Option 28, length 4: 10.10.1.255
            Domain-Name-Server Option 6, length 4: 10.10.1.1
            Hostname Option 12, length 14: "test-ubuntu"
            T252 Option 252, length 1: 10
            Default-Gateway Option 3, length 4: 10.10.1.1

5. Summary

This article introduced the basic syntax and usage of tcpdump and used a number of examples to show its powerful filtering capabilities. Tcpdump is even more powerful when combined with Wireshark, and this article showed how to combine tcpdump and Wireshark smoothly. For more details, see the tcpdump man page.
