

An introduction to using tcpdump at the Linux command line

1. Installation on Linux

2. Capturing packets with tcpdump

Use the command tcpdump -D to list the interfaces available for capture. Capturing needs raw-socket access, so run tcpdump as root (or with the capabilities it needs).

# -i any: capture on all interfaces   -c <count>: stop after this many packets   -nn: do not resolve host names or port numbers
tcpdump -i any -c5 -nn

3. Understanding the output format

Each TCP line carries the flags in brackets: [S] = SYN (connection request), [S.] = SYN/ACK, [.] = ACK only, [P.] = PSH/ACK (data being delivered), [F.] = FIN/ACK (orderly close), [R] = RST (the sender is resetting/aborting the connection, for example when nothing listens on the port).
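To make the output format concrete, the following is an added example (not code from the original article): a small parser for tcpdump -nn lines that turns the timestamp, endpoints, flags and length into records, expands the flag letters, and then answers two questions an analyst usually asks of a capture: which SYNs never got a SYN/ACK back, and who sent resets. The sample lines are constructed, not captured from a real host, and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tcpdump -nn` output (not captured from a real host;
# addresses are taken from the RFC 5737 documentation ranges).
SAMPLE_OUTPUT = """\
09:56:18.293641 IP 192.0.2.10.39326 > 198.51.100.5.80: Flags [S], seq 1760602083, win 29200, options [mss 1460,sackOK,TS val 10288919 ecr 0,nop,wscale 7], length 0
09:56:18.293715 IP 198.51.100.5.80 > 192.0.2.10.39326: Flags [S.], seq 3184733296, ack 1760602084, win 28960, options [mss 1460,sackOK,TS val 2205185 ecr 10288919,nop,wscale 7], length 0
09:56:18.293761 IP 192.0.2.10.39326 > 198.51.100.5.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 10288919 ecr 2205185], length 0
09:56:18.294010 IP 192.0.2.10.39326 > 198.51.100.5.80: Flags [P.], seq 1:77, ack 1, win 229, options [nop,nop,TS val 10288919 ecr 2205185], length 76: HTTP: GET / HTTP/1.1
09:56:18.301202 IP 198.51.100.5.80 > 192.0.2.10.39326: Flags [R], seq 3184733297, win 0, length 0
09:56:19.000001 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 1234, seq 1, length 64
09:56:20.100000 IP 192.0.2.10.40000 > 198.51.100.5.22: Flags [S], seq 1, win 29200, options [mss 1460], length 0
"""

# timestamp, "IP"/"IP6", src > dst: rest-of-line
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?) (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
LEN_RE = re.compile(r"length (?P<len>\d+)")

FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}


@dataclass
class Packet:
    ts: str
    proto: str            # "TCP", "ICMP" or "OTHER" (UDP and friends)
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str            # TCP flag letters exactly as tcpdump prints them, e.g. "S."
    length: int           # the trailing "length N" (payload bytes for TCP)


def describe_flags(raw: str) -> List[str]:
    """Expand tcpdump's bracketed flag letters ("S.", "R", "P.") into TCP flag names."""
    return [FLAG_NAMES.get(ch, ch) for ch in raw]


def split_port(endpoint: str, has_port: bool) -> Tuple[str, Optional[int]]:
    """With -nn tcpdump prints address.port; the port is everything after the last dot."""
    if has_port:
        host, _, port = endpoint.rpartition(".")
        if port.isdigit():
            return host, int(port)
    return endpoint, None


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # banner lines ("listening on any, ..."), blank lines, non-IP traffic
    rest = m.group("rest")
    is_icmp = rest.startswith("ICMP")          # ICMP endpoints carry no port
    src, sport = split_port(m.group("src"), not is_icmp)
    dst, dport = split_port(m.group("dst"), not is_icmp)
    fm = FLAGS_RE.search(rest)
    lm = LEN_RE.search(rest)
    proto = "TCP" if fm else ("ICMP" if is_icmp else "OTHER")
    return Packet(m.group("ts"), proto, src, sport, dst, dport,
                  fm.group("flags") if fm else "", int(lm.group("len")) if lm else 0)


def parse_output(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def flag_summary(packets: List[Packet]) -> Dict[str, int]:
    """How many TCP segments carried each flag combination."""
    return dict(Counter(p.flags for p in packets if p.proto == "TCP"))


def syn_without_synack(packets: List[Packet]) -> List[Tuple[str, int, str, int]]:
    """(client, client port, server, server port) for SYNs that never saw a SYN/ACK back:
    closed/filtered ports, a dead host, or a scan in progress."""
    syns, synacks = set(), set()
    for p in packets:
        if p.proto != "TCP":
            continue
        if p.flags == "S":
            syns.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == "S.":
            synacks.add((p.dst, p.dport, p.src, p.sport))   # reverse direction
    return sorted(syns - synacks)


def resets(packets: List[Packet]) -> List[Tuple[str, int, str, int]]:
    """Who sent RST to whom; a flood of these from one server is worth a look."""
    return [(p.src, p.sport, p.dst, p.dport)
            for p in packets if p.proto == "TCP" and "R" in p.flags]


if __name__ == "__main__":
    pkts = parse_output(SAMPLE_OUTPUT)
    print("flag combinations:", flag_summary(pkts))
    print("unanswered SYNs:", syn_without_synack(pkts))
    print("resets:", resets(pkts))
```

The parser deliberately keys on the -nn form (numeric addresses and ports); without -nn the port becomes a service name such as ".http" and split_port falls back to leaving the endpoint whole. Pipe a live capture through it with tcpdump -i any -nn -l | python3 parse_tcpdump.py (the -l flag line-buffers tcpdump's output).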

4. Filtering packets


tcpdump -i any -c5 icmp

Host and port filters. <address> below is a placeholder for the IP address you want to match; the original values were not kept in these notes.

# only traffic to or from one host
tcpdump -i any -c5 -nn host <address>
# only traffic on TCP/UDP port 80
tcpdump -i any -c5 -nn port 80
# primitives combine with and/or and parentheses; quote the expression so the shell does not interpret the parentheses
tcpdump -i any -c5 -nn "port 80 and (src <address> or dst <address>)"

5. Checking packet content

tcpdump provides two additional flags for looking at packet contents: -X prints the contents in hex alongside ASCII, and -A prints them in ASCII only.
This is helpful for troubleshooting issues with API calls, assuming the calls use plain HTTP. For encrypted connections (HTTPS/TLS) the payload is ciphertext, so this output shows little beyond the TLS handshake.

6. Saving captures to a file

# -w writes the raw packets (not the text output) to a file
tcpdump -i any -c10 -nn -w webserver.pcap port 80
# -r reads a saved capture back instead of listening on an interface
tcpdump -nn -r webserver.pcap

The first command saves the capture in a file named webserver.pcap. The .pcap extension stands for "packet capture" and is the convention for this file format; the file is binary, so read it with tcpdump -r or Wireshark rather than a text editor.
You can also apply any of the filters discussed above when reading the file, just as you would with live data, by adding the filter expression after the file name (for example, port 80 or a host expression). Capture files hold full packet payloads, including any plaintext credentials, so store and share them with care.
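What -w actually writes, and how -r with a filter walks it back, is easiest to see with a reader for the file format. The following is an added example, not code from the original article: it builds a small capture file in memory from constructed Ethernet/IPv4/TCP frames (RFC 5737 addresses, made-up MAC addresses, TCP checksum left at zero), parses the 24-byte global header and the 16-byte per-record headers the way a libpcap reader does, and then applies the equivalent of the port 80 filter from the filtering section to the records. The raise on a non-pcap input is what you hit when you point -r at a text file.

```python
import socket
import struct
from typing import Dict, Iterable, Iterator, List

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
LINKTYPE_ETHERNET = 1
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip: str, sport: int, dst_ip: str, dport: int,
                    flags: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for test data; the TCP checksum is left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 29200, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00"   # made-up MACs, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames: List[bytes], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialise frames the way `tcpdump -w` does: a 24-byte global header, then a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) in front of each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 262144, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, i * 1000, len(frame), len(frame)) + frame
    return out


def decode_frame(frame: bytes) -> Dict:
    """Pull the IPv4 5-tuple, TCP flags and payload out of one Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"proto": None, "ethertype": ethertype}
    ihl = (frame[14] & 0x0F) * 4
    rec = {"proto": frame[23],
           "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34])}
    if rec["proto"] == 6:
        l4 = frame[14 + ihl:]
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        rec.update(sport=sport, dport=dport, flags=off_flags & 0x1FF,
                   payload=l4[(off_flags >> 12) * 4:])
    return rec


def read_pcap(data: bytes) -> Iterator[Dict]:
    """Iterate over the records of a pcap file, honouring the byte order the magic implies."""
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic_le in (0xD4C3B2A1, 0x4D3CB2A1):       # the same magics written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file (did you hand -r a text file?)")
    _magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this reader only decodes LINKTYPE_ETHERNET, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated capture record at offset %d" % off)
        off += incl_len
        rec = decode_frame(frame)
        rec.update(ts_sec=ts_sec, ts_frac=ts_frac, incl_len=incl_len, orig_len=orig_len)
        yield rec


def port_filter(records: Iterable[Dict], port: int) -> List[Dict]:
    """Equivalent of `tcpdump -r file port N`: either endpoint on that port."""
    return [r for r in records if r.get("sport") == port or r.get("dport") == port]


# Constructed capture: a web handshake plus one unanswered SYN to port 22.
SAMPLE_FRAMES = [
    build_tcp_frame("192.0.2.10", 39326, "198.51.100.5", 80, SYN),
    build_tcp_frame("198.51.100.5", 80, "192.0.2.10", 39326, SYN | ACK),
    build_tcp_frame("192.0.2.10", 39326, "198.51.100.5", 80, PSH | ACK,
                    b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_tcp_frame("192.0.2.10", 50000, "198.51.100.5", 22, SYN),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    with open("constructed.pcap", "wb") as fh:      # then: tcpdump -nn -r constructed.pcap
        fh.write(SAMPLE_PCAP)
    for rec in port_filter(read_pcap(SAMPLE_PCAP), 80):
        print(rec["src"], rec["sport"], ">", rec["dst"], rec["dport"], "flags", hex(rec["flags"]))
```

Because the file carries complete frames, everything inside them (HTTP request lines, cookies, credentials) is recoverable by anyone who can read the file, which is the reason for the handling caveat above. The reader stops at the link type and byte order checks on purpose: captures written with -i any on Linux use LINKTYPE_LINUX_SLL rather than Ethernet, so the 14-byte Ethernet assumption does not hold for them.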