Linux抓包工具：tcpdump简单使用

简单用法，可以分析soap数据包。

 

this is probably the easiest way to monitor SOAP messages.

simply use

#tcpdump -i eth0 -A -s 1024 port 80 | tee dump.log

to log all the packet sent to port 80 to dump.log

 

***********************************************************

 

今天在尝试TTserver的Http协议接口，为了确定走的协议是否为Http，需要抓包确定一下，
在windows下有很多工具很方便的抓包，linux下只能通过命令行来操作了，下面简单记录一下
tcpdump工具的使用：

//抓包，
tcpdump -nX -s 0 -w cap.raw host 123.123.123.123 and port 2978
//读包
tcpdump -r cap.raw -A

 

tcpdump有很多参数选项，man就可看到，

-----------------------------------------------------------------------------------   

EXAMPLES

To print all packets arriving at or departing from sundown:

tcpdump host sundown

 

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

 

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

 

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

 

To print all ftp traffic through internet gateway snup: (note that the

expression is quoted to prevent the shell from (mis-)interpreting the

parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

 

To print traffic neither sourced from nor destined for local hosts (if

you gateway to one other net, this stuff should never make it onto your

local net).

tcpdump ip and not net localnet

 

To print the start and end packets (the SYN and FIN packets) of each

TCP conversation that involves a non-local host.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

 

To print all IPv4 HTTP packets to and from port 80, i.e. print only

packets that contain data, not, for example, SYN and FIN packets and

ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<>2)) != 0)'

 

To print IP packets longer than 576 bytes sent through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

 

To print IP broadcast or multicast packets that were not sent via Eth-

ernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

 

To print all ICMP packets that are not echo requests/replies (i.e., not

ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

------------------------------------------------------------------------------------ 

 

 注：需要root的权限才能运行tcpdump命令
说实话，tcpdump虽然强大，但是毕竟操作起来不如windows下一些图形软件方便。