List interfaces that tcpdump can listen on
tcpdump -D
Turn on the verbose flag (-v) in tcpdump to see IP and TCP header information
tcpdump -vi eth0
Turn off hostname and port name lookup in tcpdump (-nn)
tcpdump -vnni eth0
Tcpdump filter to capture only ICMP traffic
tcpdump -nni eth0 icmp
Tcpdump command to filter on ICMP type - capture only ICMP echo request
# tcpdump -nni vlan111 -e 'icmp[icmptype] == 8'
Tcpdump command to filter on ICMP type - capture only ICMP echo reply
# tcpdump -nni vlan111 -e 'icmp[icmptype] == 0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan111, link-type EN10MB (Ethernet), capture size 65535 bytes
12:40:52.569668 00:10:db:ff:10:02 > 00:07:e9:a5:9b:fa, ethertype IPv4 (0x0800), length 98: 10.0.0.4 > 10.1.111.10: ICMP echo reply, id 24907, seq 414, length 64
12:40:53.570530 00:10:db:ff:10:02 > 00:07:e9:a5:9b:fa, ethertype IPv4 (0x0800), length 98: 10.0.0.4 > 10.1.111.10: ICMP echo reply, id 24907, seq 415, length 64
Tcpdump filter for packets with a specified IP identification value in the IP header
reading from file /tmp/tcpdump.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
23:58:50.090759 IP (tos 0x10, ttl 128, id 24332, offset 0, flags [DF], proto TCP (6), length 204)
10.1.1.1.22 > 192.168.0.109.53989: Flags [P.], seq 3661036793:3661036957, ack 2364476704, win 4106, length 164
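What the ICMP type and IP identification filters compare at the byte level, as an added Python example that is not part of the original page. The function names and sample packets are constructed for illustration, and the ip[4:2] offset for the identification field is standard pcap-filter syntax that the page itself does not show.

```python
import struct

def ipv4_fields(pkt: bytes) -> dict:
    """Decode the IPv4 header fields the filters read (pkt starts at the IP header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes; options make it > 20
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    ip_id, frag = struct.unpack("!HH", pkt[4:8])   # ip[4:2] and ip[6:2]
    return {"ihl": ihl, "id": ip_id, "proto": pkt[9], "frag_offset": frag & 0x1FFF}

def icmp_type(pkt: bytes):
    """Equivalent of icmp[icmptype]: the first byte after the IP header, else None."""
    f = ipv4_fields(pkt)
    # Only protocol 1 counts, and non-first fragments carry no ICMP header,
    # so the compiled filter never matches them either.
    if f["proto"] != 1 or f["frag_offset"] != 0 or len(pkt) <= f["ihl"]:
        return None
    return pkt[f["ihl"]]

def matches_icmp_type(pkt: bytes, wanted: int) -> bool:
    return icmp_type(pkt) == wanted

def matches_ip_id(pkt: bytes, wanted: int) -> bool:
    return ipv4_fields(pkt)["id"] == wanted

def build(proto: int, ip_id: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample packet (checksum left at 0; the filters do not check it)."""
    ihl_words = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                      20 + len(options) + len(payload), ip_id, 0x4000, 64, proto, 0,
                      bytes([10, 1, 111, 10]), bytes([10, 0, 0, 4]))
    return hdr + options + payload

# Constructed samples: echo request, echo reply behind 4 bytes of IP options, TCP segment.
ECHO_REQ = build(1, 100, struct.pack("!BBHHH", 8, 0, 0, 24907, 414))
ECHO_REP = build(1, 101, struct.pack("!BBHHH", 0, 0, 0, 24907, 414), options=b"\x01" * 4)
TCP_PKT = build(6, 24332, b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in (("ECHO_REQ", ECHO_REQ), ("ECHO_REP", ECHO_REP), ("TCP_PKT", TCP_PKT)):
        print(name, "icmp type:", icmp_type(pkt), "ip id:", ipv4_fields(pkt)["id"])
```

The echo reply sample carries IP options, so its ICMP type sits at byte 24 rather than byte 20; a filter that hard-codes ip[20] instead of icmp[icmptype] would read the wrong byte for such packets.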
For more details, see https://forum.ivorde.com/tcpdump-how-to-to-capture-only-icmp-ping-echo-requests-t15191.html. Thank you.