Introduction to tcpdump

tcpdump is a network packet capture and analysis tool. Captured traffic can be filtered by protocol, host, network or port, and the logical operators and, or and not can be combined to drop the packets you are not interested in.

tcpdump – dump traffic on a network

example

No arguments are specified

Listens for packets passing through the first network interface. A host may have more than one network interface, so you will usually want to specify one explicitly.

tcpdump

Listening for specific network cards

tcpdump -i en0

Listening for a specific host

Example: Listen for communication packets between the host and host 182.254.38.55.

Note: both incoming and outgoing packets are captured.

tcpdump host 182.254.38.55

Traffic from a specific source, destination address

A particular source

tcpdump src host hostname

Specific target address

tcpdump dst host hostname

If neither src nor dst is given, traffic in which hostname is either the source or the destination is captured:

tcpdump host hostname

A specific port

tcpdump port 3000

To monitor TCP/UDP

Different services on a server use TCP or UDP as their transport layer. To capture only TCP packets:

tcpdump tcp

Source host + port +TCP

Capture TCP packets on port 22 whose source host is 123.207.116.169:

tcpdump tcp port 22 and src host 123.207.116.169

Listen for communication between specific hosts

tcpdump ip host 210.27.48.1 and 210.27.48.2

Traffic between 210.27.48.1 and any host other than 210.27.48.2:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

A slightly more detailed example

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

(1) tcp: protocol keywords such as ip, icmp, arp, rarp, tcp and udp go in the first position of the filter expression and select the type of datagram to capture.
(2) -i eth1: capture only packets that pass through interface eth1.
(3) -t: do not print a timestamp on each line.
(4) -s 0: the default capture length is 68 bytes per packet; -s 0 captures each packet in full.
(5) -c 100: stop after 100 packets.
(6) dst port ! 22: exclude packets whose destination port is 22.
(7) src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24.
(8) -w ./target.cap: save the capture as a cap file so it can be analysed later with Ethereal (Wireshark).
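To make the meaning of that filter expression concrete, here is an added example (not code from the original page) that reads a capture file in the format tcpdump -w produces and evaluates the same condition, tcp and not dst port 22 and src net 192.168.1.0/24, on each packet offline, using only the Python standard library. It assumes the classic pcap layout (magic 0xa1b2c3d4, Ethernet link type) and builds three small constructed frames inline; the checksums in those frames are left zero because they are test data, not real traffic.

```python
"""Added example: parse a pcap file as written by `tcpdump -w` and apply the
filter `tcp and not dst port 22 and src net 192.168.1.0/24` to each packet.
All frames below are constructed for the example; nothing is captured live."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps (assumed layout)


def build_ipv4_tcp_frame(src, dst, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (checksums zero: test data)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,       # ports, seq, ack
                      5 << 4, 0x02, 65535, 0, 0)              # 20-byte header, SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise frames as a pcap byte string: global header, then record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp, frame bytes) for every record; reject unknown file magic."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic: %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4 and, for TCP or UDP, the port numbers. None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"proto": frame[23],
           "src": ipaddress.ip_address(frame[26:30]),
           "dst": ipaddress.ip_address(frame[30:34])}
    if pkt["proto"] in (6, 17) and len(frame) >= 14 + ihl + 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return pkt


def matches_page_filter(pkt):
    """Python equivalent of `tcp and not dst port 22 and src net 192.168.1.0/24`."""
    return (pkt is not None
            and pkt["proto"] == 6
            and pkt.get("dport") != 22
            and pkt["src"] in ipaddress.ip_network("192.168.1.0/24"))


def filter_pcap(data, predicate=matches_page_filter):
    """Return the parsed packets in a pcap byte string that satisfy the predicate."""
    kept = []
    for _ts, frame in iter_packets(data):
        pkt = parse_frame(frame)
        if predicate(pkt):
            kept.append(pkt)
    return kept


# Constructed capture: only the first frame should survive the filter.
SAMPLE_PCAP = build_pcap([
    build_ipv4_tcp_frame("192.168.1.10", "10.0.0.5", 40000, 80),  # matches
    build_ipv4_tcp_frame("192.168.1.10", "10.0.0.5", 40001, 22),  # dst port 22: excluded
    build_ipv4_tcp_frame("172.16.0.9", "10.0.0.5", 40002, 80),    # source outside the net
])

if __name__ == "__main__":
    for pkt in filter_pcap(SAMPLE_PCAP):
        print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"])
```

The same reader can be pointed at a real target.cap by replacing SAMPLE_PCAP with the file's bytes; swapping in a different predicate is the offline counterpart of changing the tcpdump expression.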

Grasp the HTTP packet

TODO

Limit the number of captured packets

After 1000 packets are captured, the system automatically exits

tcpdump -c 1000

Save to a local directory

Note: tcpdump buffers its output by default; packets are written to the local disk only when the buffer fills or tcpdump exits.

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

You can also add -U to write each packet to disk as soon as it is captured (generally not recommended because of the performance cost).

Practical example

The following is a common deployment: a NodeJS server runs on the machine and listens on port 3000, while an nginx reverse proxy listens on port 80 and forwards requests to the NodeJS server at 127.0.0.1:3000.

Browser -> nginx reverse proxy -> NodeJS server

Question: a user at 183.14.132.117 opens the site in a browser and the request never returns. How do we troubleshoot it?

Step 1: Check whether the request reaches the NodeJS server.

Step 2: Check whether nginx forwards requests to nodeJS Server.

tcpdump port 8383

This prints nothing even though the NodeJS server has received the request. nginx forwards to 127.0.0.1, which goes over the loopback interface rather than the default interface, so the interface has to be given explicitly:

tcpdump port 8383 -i lo

Note: on the loopback interface the source address of the forwarded request is 127.0.0.1, so a filter on the client's address, as in the command below, matches nothing. If the NodeJS server needs the client's address, nginx has to pass it along in the request itself.

tcpdump port 8383 -i lo and src host 183.14.132.117

Step 3: Check whether the request reached the server.

tcpdump -n tcp port 8383 -i lo and src host 183.14.132.117
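Reading tcpdump's output by eye works for a handful of packets, but for the troubleshooting steps above it helps to answer one question mechanically: which SYNs were answered with a SYN-ACK and which were not? An unanswered SYN on port 80 means the request never got past nginx; an unanswered SYN on the loopback interface towards the backend port means nginx forwarded it but the NodeJS server did not respond. The following is an added example, not code from the original page: it parses the text format printed by tcpdump -n and reports unanswered SYNs and SYN counts per destination port. The sample lines are constructed and use the backend port 3000 from the deployment description; the IPv6 line is included to show that lines in another format are skipped rather than mis-parsed.

```python
"""Added example: parse `tcpdump -n` text output and find TCP SYNs that never
received a SYN-ACK. Sample lines are constructed, not a real capture."""
import re
from collections import defaultdict

# One line of `tcpdump -n` for IPv4/TCP: timestamp, src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for an IPv4/TCP line, or None for lines in any other format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def unanswered_syns(lines):
    """(src, sport, dst, dport) of each SYN with no SYN-ACK back in the reverse direction.

    Retransmitted SYNs collapse to one entry; order of first appearance is kept."""
    syns, synacks = [], set()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":
            syns.append((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["flags"] == "S.":
            # store the SYN-ACK reversed so it lines up with the SYN it answers
            synacks.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return [k for k in dict.fromkeys(syns) if k not in synacks]


def syns_per_port(lines):
    """Count SYNs by destination port: which hop (80 = nginx, 3000 = backend) saw requests."""
    counts = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p and p["flags"] == "S":
            counts[p["dport"]] += 1
    return dict(counts)


# Constructed sample: the client's handshake on port 80 completes, the
# forwarded connection on lo towards port 3000 is retried and never answered.
SAMPLE_LINES = """\
12:00:01.000001 IP 183.14.132.117.51234 > 10.0.0.5.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.000200 IP 10.0.0.5.80 > 183.14.132.117.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.000300 IP 183.14.132.117.51234 > 10.0.0.5.80: Flags [.], ack 1, win 502, length 0
12:00:01.000400 IP 127.0.0.1.45000 > 127.0.0.1.3000: Flags [S], seq 3000, win 65495, length 0
12:00:02.000400 IP 127.0.0.1.45000 > 127.0.0.1.3000: Flags [S], seq 3000, win 65495, length 0
12:00:03.000000 IP6 ::1.45001 > ::1.3000: Flags [S], seq 1, win 65476, length 0
""".splitlines()

if __name__ == "__main__":
    print("SYNs per destination port:", syns_per_port(SAMPLE_LINES))
    for src, sport, dst, dport in unanswered_syns(SAMPLE_LINES):
        print(f"no SYN-ACK for {src}:{sport} -> {dst}:{dport}")
```

To use it on a live box, pipe the capture in, for example tcpdump -n -i lo tcp port 3000 | python3 this_script.py with sys.stdin replacing SAMPLE_LINES; with -n tcpdump prints addresses instead of resolving names, which is what the regular expression expects.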

Links

tcpdump in detail: http://blog.chinaunix.net/uid-11242066-id-4084382.html

Linux tcpdump command explained: http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html

tcpdump usage examples (recommended): http://www.rationallyparanoid.com/articles/tcpdump.html

Using tcpdump to capture HTTP status header information: http://blog.sina.com.cn/s/blog_7475811f0101f6j5.html