# Tcpdump ## 常用格式 ``` $ tcpdump -vvvnn -i bond0 tcp 'src host x.x.x.x and src port xx' or 'dst host x.x.x.x and dst port xx' ``` ## 关键字类型 ### 1、host、net、port 第一类关键字为host、net、port三个。 比如,监听主机的IP为x.x.x.x的数据包 ``` $ tcpdump host x.x.x.x ``` 比如,监听网络为x.x.x.x/24的数据包 ``` $ tcpdump net x.x.x.x/24 ``` 比如,监听端口为xx的数据包 ``` $ tcpdump port xx ``` ### 2、src、dst 第二类关键字表示数据包的流向,它们用来修饰第一类关键字 比如,监听源主机为x.x.x.x的数据包 ``` $ tcpdump src host x.x.x.x ``` 如果第一类关键字(host、net、port)没有指定src或dst修饰,则默认为src(待验证) ### 3、逻辑关键字: and、or、not 比如 ``` $ tcpdump dst host x.x.x.x and dst port xx $ tcpdump 'src host x.x.x.x and src port xx' or 'dst host y.y.y.y and dst port yy' $ tcpdump dst host x.x.x.x and not dst port xx ``` ### 4、协议关键字:tcp、udp、icmp等 比如,监听协议为tcp的包 ``` $ tcpdump tcp ``` ## 选项(Options) ### 1、 -i bond0 `-i`可以指定监听特定网卡的数据包,比如监听网卡bond0的数据包 ``` $ tcpdump -i bond0 ``` **注意:如果该选项没有指定,则默认监听第一个网卡(一般以字母开头升序排序)的数据包** ## Reference * * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pshizhsysu.gitbook.io/linux/wang-luo-xiang-guan/tcpdump.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.