Category: LINUX
2013-05-22 10:39:35
Ubuntu has tcpdump installed by default; if it is missing, run sudo apt-get install tcpdump to install it.
(If you get the error tcpdump: no suitable device found, check whether you are running tcpdump as root; tcpdump only works with root privileges.)
Usage
tcpdump [ -AbdDefhHIJKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]
Description
tcpdump prints a description of the contents of packets on a network interface that match the boolean expression expression. It can also be run with the -w option, which saves the packet data to a file, and/or with the -r option, which reads packets from a saved file rather than from a network interface. In all cases, tcpdump only processes packets that match the expression.
tcpdump keeps capturing until it receives a SIGINT or SIGTERM signal, or until it has received the number of packets given with the -c option.
When tcpdump finishes capturing, it reports three counts: packets captured, packets received by filter, and packets dropped by kernel.
On platforms that support the SIGINFO signal, tcpdump reports those counts when it receives that signal and then continues capturing.
Options (I have translated only the commonly used options; for completeness, the remaining options are pasted as they appear in the original man page)
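The three counters described above are the first thing to check after a capture: packets "dropped by kernel" never reached tcpdump, so any detection or forensic conclusion drawn from the file is based on an incomplete view. The following is an added example, not code from the original post or from the tcpdump project: it parses the end-of-capture counters from tcpdump's stderr text (the sample text is constructed), computes an approximate drop ratio, and maps drops back to the options on this page that reduce them.

```python
import re
from typing import Dict, List

# Constructed sample of what tcpdump prints (to stderr) when it stops: the three
# counters from the description above, here preceded by one constructed packet line.
SAMPLE_STATS = """\
10:39:35.123456 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1, win 65535, length 0
4 packets captured
5 packets received by filter
1 packet dropped by kernel
"""

# "N packet(s) <counter>"; tcpdump uses the singular form when N == 1.
STAT_LINE = re.compile(r"^(\d+) packets? (captured|received by filter|dropped by kernel)$")
KEYS = {"captured": "captured", "received by filter": "received", "dropped by kernel": "dropped"}


def parse_capture_stats(text: str) -> Dict[str, int]:
    """Extract the three end-of-capture counters from tcpdump's stderr text."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            stats[KEYS[m.group(2)]] = int(m.group(1))
    missing = sorted(set(KEYS.values()) - stats.keys())
    if missing:
        # A capture killed before it could print its summary is not trustworthy.
        raise ValueError(f"tcpdump statistics incomplete, missing: {missing}")
    return stats


def kernel_drop_ratio(stats: Dict[str, int]) -> float:
    """Approximate share of packets lost to a full kernel buffer. Dropped packets are
    counted separately from those received by the filter, so the denominator is the sum."""
    seen = stats["received"] + stats["dropped"]
    return stats["dropped"] / seen if seen else 0.0


def tuning_advice(stats: Dict[str, int]) -> List[str]:
    """Options from this page that reduce kernel drops, returned only when drops occurred:
    -B (larger capture buffer), -s (smaller snaplen), -n (no name lookups while printing),
    -w (write raw packets to a file instead of decoding them live)."""
    if stats["dropped"] == 0:
        return []
    return ["-B", "-s", "-n", "-w"]


if __name__ == "__main__":
    s = parse_capture_stats(SAMPLE_STATS)
    print(s, f"drop ratio {kernel_drop_ratio(s):.1%}", tuning_advice(s))
```

In practice the stderr of a scheduled capture is redirected to a log file and this parser runs over it afterwards; a non-zero drop count is worth recording alongside the pcap so that anyone analysing it later knows the capture is incomplete.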
-A Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
-b Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.
-B Set the system capture buffer size
-c Specify the number of packets to capture
-C Before writing a raw packet to the savefile, check whether the file is larger than file_size. If so, close the current file and open a new one for the data. Files after the first are named with the name given by -w followed by a number
-d Dump the compiled packet-matching code in a human readable form
-dd Dump the compiled packet-matching code as a C program fragment
-ddd Dump the compiled packet-matching code as decimal numbers
-D Print the list of network interfaces available on the system and on which tcpdump can capture packets
-e Print the link-level header on each captured packet: source MAC address > destination MAC address, ethertype IPv4 (0x0800), packet data length.
-E Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index
value spi. This combination may be repeated with comma or newline separation.
Note that setting the secret for IPv4 ESP packets is supported at this time.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to
decrypt packets is only present if tcpdump was compiled with cryptography enabled.
secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read.
The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a
true `secret' key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via ps(1)
and other occasions.
In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided file in. The file is
opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have
been given up.
-f Print `foreign' IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's NIS server — usually it hangs forever translating non-local internet numbers).
The test for `foreign' IPv4 addresses is done using the IPv4 address and netmask of the interface on which capture is being done. If that address or netmask are not available, either because the interface on which capture is being done has no address or netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this option will not work correctly.
-F Read the filter expression from file
-G If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name
specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file
will overwrite the previous.
If used in conjunction with the -C option, filenames will take the form of `file
-h Print the tcpdump and libpcap version strings and a usage message for tcpdump
-H Attempt to detect 802.11s draft mesh headers.
-i Specify the network interface to listen on.
-I Put the interface in monitor mode
-j Set the time stamp type for the capture to tstamp_type. The names to use for the time stamp types are given in pcap-tstamp-type(7); not all the types listed there will necessarily be valid for any given interface.
-J List the supported time stamp types for the interface and exit. If the time stamp type cannot be set for the interface, no
time stamp types are listed.
-K Don't attempt to verify IP, TCP, or UDP checksums
-l Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,
``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.
-L List the known data link types for the interface, in the specified mode
-m Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.
-M Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.
-n Don't convert addresses to names: print IP addresses rather than host names
-N Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of
``nic.ddn.mil''.
-O Do not run the packet-matching code optimizer
-p Don't put the interface into promiscuous mode
-q Quick (quiet?) output. Print less protocol information so output lines are shorter.
-R Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829). If specified, tcpdump will not print replay prevention field. Since there is no protocol version field in ESP/AH specification, tcpdump cannot deduce the version of ESP/AH protocol.
-r Read packets from file
-S Print absolute rather than relative TCP sequence numbers
-s Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.
-T Force packets selected by "expression" to be interpreted the specified type. Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol), cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), and wb (distributed White Board).
-t Don't print a timestamp
-tt Print an unformatted timestamp
-ttt Print the time interval between packets
-tttt Print the timestamp as date plus time
-ttttt Print the time interval between packets
-u Print undecoded NFS handles.
-U Make output saved via the -w option ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.
The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.
-v Verbose output
-vv More verbose
-vvv Even more verbose
-w Write the raw packets to file rather than parsing and printing them out
-W Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.
-x Print each packet in hex (minus its link-level header). Shows the complete contents of smaller packets
-xx Print each packet in hex (including its link-level header)
-X Print each packet in hex and ASCII (minus its link-level header).
-XX Print each packet in hex and ASCII (including its link-level header).
-y Set the data link type to use while capturing
-z Used in conjunction with the -C or -G options, this will make tcpdump run " command file " where file is the savefile being
closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the
capture process.
And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell
script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command
that you want.
-Z If tcpdump is running as root, after opening the capture device or input savefile, but before opening any files for output, change the user ID of the process to the specified user and the group ID to the primary group of that user.
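The -x/-X family prints the packet bytes that the decoder worked from, which is what an analyst falls back on when the one-line summary looks wrong, and -K is the switch that turns off the checksum verification the decoder otherwise performs. The following is an added example, not code from the original post or from the tcpdump project: it turns a constructed -n -X hex dump (a hand-built IPv4/TCP SYN, the summary line is likewise constructed) back into bytes, decodes the IPv4 and TCP header fields, and re-runs the IPv4 header checksum that -K would skip. The offset and column layout of the dump is assumed from tcpdump's -X output.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample in the layout of tcpdump -n -X output: a decoded summary line
# followed by the packet, minus its link-level header, as hex with an ASCII column.
# The packet is a hand-built IPv4/TCP SYN from 10.0.0.1:40000 to 10.0.0.2:80.
SAMPLE_X_OUTPUT = """\
10:39:35.123456 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1, win 65535, length 0
\t0x0000:  4500 0028 0001 0000 4006 66cd 0a00 0001  E..(....@.f.....
\t0x0010:  0a00 0002 9c40 0050 0000 0001 0000 0000  .....@.P........
\t0x0020:  5002 ffff 0000 0000                      P.......
"""

# One dump line: optional leading whitespace, a 4-digit hex offset, then the columns.
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$")

TCP_FLAGS: List[Tuple[int, str]] = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]


def hexdump_to_bytes(lines) -> bytes:
    """Reassemble the packet bytes from -x/-X style dump lines; other lines are skipped."""
    out = bytearray()
    for line in lines:
        m = HEX_LINE.match(line)
        if not m:
            continue  # summary line or anything else that is not part of the dump
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset gap at 0x{m.group(1)}: dump is not contiguous")
        # The hex column is separated from the ASCII column by at least two spaces;
        # splitting there keeps hex-looking ASCII text (e.g. "4500") out of the bytes.
        hex_col = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        for group in hex_col.split():
            if not re.fullmatch(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?", group):
                raise ValueError(f"bad hex group {group!r}")
            out += bytes.fromhex(group)
    return bytes(out)


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header, checksum field included, must be 0xffff.
    This is the verification tcpdump performs unless -K is given."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header) - 1, 2))
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_tcp(pkt: bytes) -> Dict[str, object]:
    """Decode the fixed IPv4 header and, for protocol 6, the fixed TCP header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError(f"invalid IHL {ihl}")
    info: Dict[str, object] = {
        "version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "ttl": ttl,
        "protocol": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_checksum_ok": ipv4_header_checksum_ok(pkt[:ihl]),
    }
    if proto == 6 and len(pkt) >= ihl + 20:
        sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack(
            "!HHIIHHHH", pkt[ihl:ihl + 20])
        info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                     "flags": [name for bit, name in TCP_FLAGS if off_flags & bit]})
    return info


if __name__ == "__main__":
    packet = hexdump_to_bytes(SAMPLE_X_OUTPUT.splitlines())
    print(len(packet), "bytes:", decode_ipv4_tcp(packet))
```

Because -X omits the link-level header, the first byte of the reassembled buffer is the IP version/IHL byte; a dump taken with -XX would need the Ethernet header skipped first. The checksum re-check is the reason to be careful with -K: a capture taken on a host with checksum offload will show bad checksums on its own outgoing packets, so a failed check is a hint to look at where the capture was taken before treating it as corruption.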
expression
Selects which packets will be dumped. If no expression is given, all packets are dumped. The expression syntax is described in pcap-filter(7); multiple expression terms are separated by spaces