Today I googled my way to a tcpdump usage bible: a tutorial that runs from beginner to advanced level, with plenty of examples.
http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt
It covers:
capturing the various TCP states (SYN, ACK, FIN, RST), the HTTP protocol (GET, PUT), and mail protocols too. Worth bookmarking.
Transcribed below:
1. Source sends SYN
2. Destination answers with SYN, ACK
3. Source sends ACK

- If we want to match packets with only the SYN flag set, the 14th byte would have a binary value of 00000010 which equals 2 in decimal.

# tcpdump -i eth1 'tcp[13] = 2'

- Matching SYN, ACK (00010010 or 18 in decimal)

# tcpdump -i eth1 'tcp[13] = 18'

- Matching either SYN only or SYN-ACK datagrams

# tcpdump -i eth1 'tcp[13] & 2 = 2'

- Matching PSH-ACK packets

# tcpdump -i eth1 'tcp[13] = 24'

- Matching any combination containing FIN (FIN usually always comes with an ACK so we either need to use a mask or match the combination ACK-FIN)

# tcpdump -i eth1 'tcp[13] & 1 = 1'

- Matching RST flag

# tcpdump -i eth1 'tcp[13] & 4 = 4'
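To see why these filters work, here is an added Python example (not part of the transcribed tutorial or of tcpdump itself) that builds constructed 20-byte TCP headers, reads the flags byte at offset 13 (the "14th byte"), and evaluates filters written in the same `tcp[13] = N` / `tcp[13] & M = N` form against them. The packet names, ports and header values are all constructed for illustration; the flag bit positions are the standard ones from RFC 793. It also shows the trap the tutorial warns about: an exact match `tcp[13] = 1` misses a FIN-ACK segment, while the mask form `tcp[13] & 1 = 1` catches it.

```python
"""Model the tcp[13] flag-byte arithmetic behind tcpdump's TCP flag filters.

Added example: constructs minimal TCP headers, then evaluates filters of the
form 'tcp[13] = N' or 'tcp[13] & M = N' the way tcpdump's BPF matcher does.
"""
import re
import struct

# Flag bits of the 14th TCP header byte (tcp[13]), least significant first (RFC 793).
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def flags_to_byte(*names):
    """Combine flag names into the value tcp[13] holds, e.g. ('SYN', 'ACK') -> 18."""
    return sum(TCP_FLAGS[n] for n in names)


def byte_to_flags(value):
    """Name the flags set in a tcp[13] value, e.g. 24 -> 'PSH,ACK'."""
    return ",".join(n for n, bit in TCP_FLAGS.items() if value & bit)


def build_tcp_header(flags_byte, src_port=40000, dst_port=80, seq=0, ack=0):
    """Constructed 20-byte TCP header with no options; only byte 13 matters here."""
    data_offset = 5 << 4  # header length in 32-bit words, in the high nibble of byte 12
    # src, dst, seq, ack, offset, flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags_byte, 65535, 0, 0)


# Accepts exactly the two filter shapes used in the tutorial above.
FILTER_RE = re.compile(r"^tcp\[13\]\s*(?:&\s*(\d+)\s*)?=\s*(\d+)$")


def matches(filter_expr, tcp_header):
    """Evaluate a 'tcp[13] = N' or 'tcp[13] & M = N' filter against one TCP header."""
    m = FILTER_RE.match(filter_expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    mask, expected = m.group(1), int(m.group(2))
    value = tcp_header[13]          # the 14th byte: the TCP flags
    if mask is not None:
        value &= int(mask)          # keep only the bits the filter cares about
    return value == expected


def demo():
    """Run the tutorial's filters over a constructed handshake, data, teardown and reset."""
    packets = {
        "SYN":     build_tcp_header(flags_to_byte("SYN")),
        "SYN-ACK": build_tcp_header(flags_to_byte("SYN", "ACK")),
        "ACK":     build_tcp_header(flags_to_byte("ACK")),
        "PSH-ACK": build_tcp_header(flags_to_byte("PSH", "ACK")),
        "FIN-ACK": build_tcp_header(flags_to_byte("FIN", "ACK")),
        "RST-ACK": build_tcp_header(flags_to_byte("RST", "ACK")),
    }
    filters = ["tcp[13] = 2", "tcp[13] = 18", "tcp[13] & 2 = 2", "tcp[13] = 24",
               "tcp[13] = 1", "tcp[13] & 1 = 1", "tcp[13] & 4 = 4"]
    # Map each filter to the names of the constructed packets it would capture.
    return {f: [name for name, hdr in packets.items() if matches(f, hdr)]
            for f in filters}


if __name__ == "__main__":
    for f, hits in demo().items():
        print(f"{f:18s} -> {hits}")
```

The `tcp[13] = 1` row comes back empty because a real FIN nearly always travels with ACK (byte value 17), which is exactly why the tutorial uses the `& 1 = 1` mask form for FIN and RST rather than an exact comparison.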
