��ϸTcpdump ��÷�-��Linuxϵͳ�Ż�

��һ��ǹ��͵Ĺؼ��֣��Ҫ��host��net��port, �� host 210.27.48.2��ָ�� 210.27.48.2��һ̨��net 202.0.0.0 ָ�� 202.0.0.0��һ��ַ��port 23 ָ��˿ں��23��û��ָ��ͣ�ȱʡ��host.

�ڶ��ȷ��䷽��Ĺؼ��֣��Ҫ��src , dst ,dst or src, dst and src ,��Щ�ؼ��ָ��˴��ķ��򡣾��˵��src 210.27.48.2 ,ָ��ip��Դ��ַ��210.27.48.2 , dst net 202.0.0.0 ָ��Ŀ��ַ��202.0.0.0 ��û��ָ��ؼ��֣��ȱʡ��src or dst�ؼ��֡�

��Э��Ĺؼ��֣��Ҫ��fddi,ip,arp,rarp,tcp,udp��͡�Fddiָ��FDDI(�ֲ�ʽ��ݽӿ��)�ϵ��ض� ��Э�飬ʵ��"ether"�ı��fddi��ether��Ƶ�Դ��ַ��Ŀ�ĵ�ַ��Կ��Խ�fddiЭ��ether�İ��д�� ļ��ؼ��־��ָ��˼��İ��Э��ݡ��û��ָ��κ�Э�飬��tcpdump��Э��Ϣ��
��͵Ĺؼ��֮�⣬��Ҫ�Ĺؼ��£�gateway, broadcast,less,greater,��߼��㣬ȡ�� 'not ' '! ', ��'and','&&';�� 'or' ,'��'��Щ�ؼ��ֿ��ǿ��ǵ��Ҫ��ټ��˵��
��ͨ��£�ֱ��tcpdump��ӵ�һ��ݰ��
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
ʹ��-i��ָ��tcpdump��棬��ڼ��ж��ʱ�ǳ��ã�
ʹ��-c��ָ��Ҫ��ݰ��
ʹ��-w��ָ��ݰ�д��ļ��б��

A��Ҫ�ػ��210.27.48.1 ��յ��ĺͷ��е��ݰ��
#tcpdump host 210.27.48.1

B��Ҫ�ػ��210.27.48.1 ��210.27.48.2 ��210.27.48.3��ͨ�ţ�ʹ����á��ʱ��һ��Ҫ
#tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

C��Ҫ��ȡ��210.27.48.1��˺��210.27.48.2֮��ͨ�ŵ�ip��ʹ��
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

D��Ҫ��ȡ��210.27.48.1��ջ򷢳��telnet��ʹ��
#tcpdump tcp port 23 host 210.27.48.1

E �Ա��udp 123 �˿ڽ��м�� 123 Ϊntp�ķ��˿�
# tcpdump udp port 123

F ϵͳ��ֻ��Ϊhostname��ͨ��ݰ��м��ӡ��Ǳ��Ҳ��ϵ��κ�һ̨��Զ�ȡ��hostname��͵��ݣ�
#tcpdump -i eth0 src host hostname

G ��Լ��͵��hostname��ݰ��
#tcpdump -i eth0 dst host hostname

H ��ǻ��Լ��ͨ��ָ��ص��ݰ��
#tcpdump -i eth0 gateway Gatewayname

I ��㻹��ӱ�ַ��ָ��˿ڵ�TCP��UDP��ݰ��ôִ��
#tcpdump -i eth0 host hostname and port 80

J ��Ҫ��ȡ��210.27.48.1��˺��210.27.48.2֮��ͨ�ŵ�ip��
��ʹ��
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

K ��Ҫ�ػ��210.27.48.1 ��210.27.48.2 ��210.27.48.3��ͨ�ţ�ʹ��
��á��ʱ��һ��Ҫ
#tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

L ��Ҫ��ȡ��210.27.48.1��˺��210.27.48.2֮��ͨ�ŵ�ip��ʹ��
��#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

M ��Ҫ��ȡ��210.27.48.1��ջ򷢳��telnet��ʹ��
��#tcpdump tcp port 23 host 210.27.48.1

��Э��Ĺؼ��֣��Ҫ��fddi,ip ,arp,rarp,tcp,udp��
��͵Ĺؼ��֮�⣬��Ҫ�Ĺؼ��£�gateway, broadcast,less,
greater,��߼��㣬ȡ�� 'not ' '! ', ��'and','&&';�� 'o
r' ,'||'��
�ڶ��ȷ��䷽��Ĺؼ��֣��Ҫ��src , dst ,dst or src, dst and src ,
��ֻ��Ҫ�г��͵�80�˿ڵ��ݰ��dst port��ֻϣ��80�˿ڵ��ݰ��src port��
#tcpdump -i eth0 host hostname and dst port 80 Ŀ�Ķ˿��80
��
#tcpdump -i eth0 host hostname and src port 80 Դ�˿��80 һ��ṩhttp�ķ��
��ܶ�Ļ� Ҫ��֮ǰ��and �� or �� not
#tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80

��ethernet ʹ�û��ģʽ ϵͳ��־��¼

May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode

tcpdump�Խػ��ݲ�û�н��г��׽��룬��ݰ��ڵĴ󲿷��ʹ��ʮ��Ƶ��ʽֱ�Ӵ�ӡ��ġ��Ȼ�ⲻ��ڷ��ϣ�ͨ��Ľ��취��ʹ�ô�-w��tcpdump �ػ��ݲ��浽�ļ��У�Ȼ��ʹ��н��ȻҲӦ�ö��˹��Ա��Ⲷ��ݰ��Ӳ�̡�

��ϸTcpdump ��÷�

�� 2 ��

Ƶ��

��½̳�

��Ƽ�

������ϸTcpdump ���÷�

���� 2 ������

Ƶ������

���½̳�

����Ƽ�

��ϸTcpdump ��÷�

�� 2 ��

Ƶ��

��½̳�

��Ƽ�