
tcpdump抓包工具使用

  安裝

yum -y install tcpdump

  基本用法

#抓取網口eth0流量包
# tcpdump -i eth0 -nnv
#指定抓取100個包
# tcpdump -i eth0 -nnv -c 100
#把抓包輸出寫入檔案
# tcpdump -i eth0 -nnv -w /file1.tcpdump
#讀取
# tcpdump -nnv -r /file1.tcpdump

  注意:使用 -w 引數寫入的是二進位制檔案,無法直接閱讀;可以使用 tcpdump -r 讀取,也可以下載後使用抓包工具 Wireshark 讀取

  條件 port,host,net

# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv port 22
# tcpdump -i eth0 -nnv port 80
# tcpdump -i eth0 -nnv net 192.168.0.0/24
# tcpdump -i eth0 -nnv host 192.168.0.15
# tcpdump -i eth0 -nnv dst port 22
# tcpdump -i eth0 -nnv src port 22

  協議作為條件

# tcpdump -i eth0 -nnv arp
# tcpdump -i eth0 -nnv icmp
# tcpdump -i eth0 -nnv udp #udp協議
# tcpdump -i eth0 -nnv tcp #tcp協議,三次握手及四次斷開
# tcpdump -i eth0 -nnv ip #ip協議
# tcpdump -i eth0 -nnv vrrp #keepalived使用協議

  多條件:與或非 and or not

# tcpdump -i eth0 -nnv not net 192.168.0.0/24
# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv host 192.168.0.15 and port 22
# tcpdump -i eth0 -nnv host 192.168.0.15 and host 192.168.0.33
# tcpdump -i eth0 -nnv host 192.168.0.15 or host 192.168.0.33
# tcpdump -i eth0 -nnv \( host 192.168.0.15 and port 22 \) or \( host 192.168.0.33 and port 80 \)
# tcpdump -i eth0 -nnv host 192.168.0.110 and port 22 or port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and \( port 22 or port 80\)
# tcpdump -i eth0 -nnv host 192.168.0.110 and port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and ! port 80

  

  TCP 資料報頭中有 8 位標誌位,由高到低依序為:
  CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

# man tcpdump
#條件為TCP僅有SYN標記的(tcp[13] 即標誌位所在的位元組;過濾式含 [ ],建議以單引號括住,避免被 shell 當作萬用字元展開)

# tcpdump -i eth0 -nnv tcp[13]==2
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|
# tcpdump -i eth0 -nnv tcp[13]==2 and port 22 -w ssh-conn.tcpdump
#條件是:TCP僅有SYN/ACK標記的
# tcpdump -i eth0 -nnv tcp[13]==18
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 1 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|
#條件是:TCP僅有FIN/ACK標記的(16 + 1 = 17)
# tcpdump -i eth0 -nnv tcp[13]==17