tcpdump命令大全

最新推荐文章于 2025-09-26 15:26:28 发布
翻译 最新推荐文章于 2025-09-26 15:26:28 发布 · 1.1k 阅读 · 3 ·
CC 4.0 BY-SA版权
原文链接:https://www.howtouselinux.com/post/20-tcpdump-advanced-examples-on-linux
文章标签:

#tcpdump #linux #tcp/ip

how-to-use-tcpdump

Tcpdump command is a famous network packet analyzing tool that is used to display TCP IP & other network packets being transmitted over the network attached to the system on which tcpdump has been installed. Tcpdump uses libpcap library to capture the network packets & is available on almost all Linux/Unix flavors.

Linux Tcpdump: Filter ipv6 ntp ping packets

Tcpdump: capture DHCP & DHCPv6 packets

20 Advanced Tcpdump Examples On Linux

10 Useful tcpdump command examples

TCPDUMP

README

Tcpdump is one of the best network analysis-tools ever for information security professionals.
Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding.

OPTIONS

Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)
  • The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
  • The second is -X, which displays both hex and ascii content within the packet.
  • The final one is -S, which changes the display of sequence numbers to absolute rather than relative.

Show the packet’s contents in both hex and ascii.

tcpdump -X ....

Same as -X, but also shows the ethernet header.

tcpdump -XX

Show the list of available interfaces

tcpdump -D

Line-readable output (for viewing as you save, or sending to other commands)

tcpdump -l

Be less verbose (more quiet) with your output.

tcpdump -q

Give human-readable timestamp output.

tcpdump -t :

Give maximally human-readable timestamp output.

tcpdump -tttt :

Listen on the eth0 interface.

tcpdump -i eth0

Verbose output (more v’s gives more output).

tcpdump -vv

Only get x number of packets and then stop.

tcpdump -c

Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

tcpdump -s

Print absolute sequence numbers.

tcpdump -S

Get the ethernet header as well.

tcpdump -e

Decrypt IPSEC traffic by providing an encryption key.

tcpdump -E

For more options, read manual:

BASIC USAGE

Display Available Interfaces

tcpdump -D
tcpdump --list-interfaces

Let’s start with a basic command that will get us HTTPS traffic:

tcpdump -nnSX port 443

Find Traffic by IP

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 
tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24
Low Output:
tcpdump -nnvvS
Medium Output:
tcpdump -nnvvXS
Heavy Output:
tcpdump -nnvvXSs 1514

Getting Creative

  • Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for.

There are three ways to do combination:

AND

and or &&

OR

or or ||

EXCEPT

not or !

Usage Example:

Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22

tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'

Advanced

Show me all URG packets:

tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:

tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:

tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:

tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:

tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:

tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:

tcpdump 'tcp[13] = 18'

Show all traffic with both SYN and RST flags set: (that should never happen)

tcpdump 'tcp[13] = 6'

Show all traffic with the “evil bit” set:

tcpdump 'ip[6] & 128 != 0'

Display all IPv6 Traffic:

tcpdump ip6

Print Captured Packets in ASCII

tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII

tcpdump -XX -i eth0

Capture and Save Packets in a File

tcpdump -w 0001.pcap -i eth0

Read Captured Packets File

tcpdump -r 0001.pcap

Capture IP address Packets

tcpdump -n -i eth0

Capture only TCP Packets.

tcpdump -i eth0 tcp

Capture Packet from Specific Port

tcpdump -i eth0 port 22

Capture Packets from source IP

tcpdump -i eth0 src 192.168.0.2

Capture Packets from destination IP

tcpdump -i eth0 dst 50.116.66.139

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet coming from or going to x.x.x.x

tcpdump -n host x.x.x.x

Capture any packet going to x.x.x.x

tcpdump -n dst host x.x.x.x

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet going to network x.x.x.0/24

tcpdump -n dst net x.x.x.0/24

Capture any packet coming from network x.x.x.0/24

tcpdump -n src net x.x.x.0/24

Capture any packet with destination port x

tcpdump -n dst port x

Capture any packet coming from port x

tcpdump -n src port x

Capture any packets from or to port range x to y

tcpdump -n dst(or src) portrange x-y

Capture any tcp or udp port range x to y

tcpdump -n tcp(or udp) dst(or src) portrange x-y

Capture any packets with dst ip x.x.x.x and port y

tcpdump -n "dst host x.x.x.x and dst port y"

Capture any packets with dst ip x.x.x.x and dst ports x, z

tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"

Capture ICMP , ARP

tcpdump -v icmp(or arp)

Capture packets on interface eth0 and dump to cap.txt file

tcpdump -i eth0 -w cap.txt

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

tcpdump port 3389 
tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Find Traffic by IP

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 
tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

tcpdump port 3389 
tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Show only IP6 Traffic

tcpdump ip6

Find Traffic Using Port Ranges

tcpdump portrange 21-23

Find Traffic Based on Packet Size

 tcpdump less 32 
 tcpdump greater 64 
 tcpdump <= 128
 tcpdump => 128

Reading / Writing Captures to a File (pcap)

tcpdump port 80 -w capture_file
tcpdump -r capture_file

It’s All About the Combinations

Raw Output View

tcpdump -ttnnvvS

Here are some examples of combined commands.

From specific IP and destined for a specific Port

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non ICMP Traffic Going to a Specific IP

tcpdump dst 192.168.0.2 and src net and not icmp

Traffic From a Host That Isn’t on a Specific Port

tcpdump -vv src mars and not dst port 22

Isolate TCP RST flags.

tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.

tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set.

tcpdump 'tcp[13]=18'

Isolate TCP URG flags.

tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.

tcpdump 'tcp[13] & 16!=0'
tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.

tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags.

tcpdump 'tcp[13] & 1!=0'
tcpdump 'tcp[tcpflags] == tcp-fin'

Commands that I using almost daily

Both SYN and RST Set

tcpdump 'tcp[13] = 6'

Find HTTP User Agents

tcpdump -vvAls0 | grep 'User-Agent:'
tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

Capture only HTTP GET and POST packets only packets that match GET.

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

Extract HTTP Request URL’s

tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

Extract HTTP Passwords in POST Requests

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

Capture Cookies from Server and from Client

tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture all ICMP packets

tcpdump -n icmp

Show ICMP Packets that are not ECHO/REPLY (standard ping)

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Capture SMTP / POP3 Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Troubleshooting NTP Query and Response

tcpdump dst port 123

Capture FTP Credentials and Commands

tcpdump -nn -v port ftp or ftp-data

Rotate Capture Files

tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

Capture IPv6 Traffic

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

Detect Port Scan in Network Traffic

tcpdump -nn

USAGE EXAMPLE

Example Filter Showing Nmap NSE Script Testing

  • On Target:

    nmap -p 80 --script=http-enum.nse targetip

  • On Server:

    tcpdump -nn port 80 | grep "GET /"
  
     GET /w3perl/ HTTP/1.1
     GET /w-agora/ HTTP/1.1
     GET /way-board/ HTTP/1.1
     GET /web800fo/ HTTP/1.1
     GET /webaccess/ HTTP/1.1
     GET /webadmin/ HTTP/1.1
     GET /webAdmin/ HTTP/1.1

Capture Start and End Packets of every non-local host

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Capture DNS Request and Response

Filtering DNS with Tcpdump

tcpdump -i wlp58s0 -s0 port 53

Capture HTTP data packets

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Top Hosts by Packets

tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

Capture all the plaintext passwords

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

DHCP Example

tcpdump -v -n port 67 or 68

Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS Traffic

tcpdump -vvAs0 port 53

Find FTP Traffic

tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

tcpdump -vvAs0 port 123

Capture SMTP / POP3 Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Line Buffered Mode

tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Find traffic with evil bit

tcpdump 'ip[6] & 128 != 0'

Filter on protocol (ICMP) and protocol-specific fields (ICMP type)

Tcpdump: Filter Packets with Tcp Flags

tcpdump -n icmp and ‘icmp[0] != 8 and icmp[0] != 0’

Same command can be used with predefined header field offset (icmptype) and ICMP type field values (icmp-echo and icmp-echoreply):

tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Filter on TOS field

tcpdump -v -n ip and ip[1]!=0

Filter on TTL field

tcpdump -v ip and 'ip[8]<2'

Filter on TCP flags (SYN/ACK)

tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'

In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured

tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'

Catch TCP SYN/ACK packets (typically, responses from servers):

tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'

Catch ARP packets

tcpdump -vv -e -nn ether proto 0x0806

Filter on IP packet length

tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'

Remark: due to some bug in tcpdump, the following command doesn’t catch packets as expected:

tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'

Filter on encapsulated content (ICMP within PPPoE)

tcpdump -v -n icmp

filter

tcpdump -q -i eth0
tcpdump -t -i eth0
tcpdump -A -n -q -i eth0 'port 80'
tcpdump -A -n -q -t -i eth0 'port 80'

Print only useful packets from the HTTP traffic

tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'

Dump SIP Traffic

tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4

Checking packet content

tcpdump -i any -c10 -nn -A port 80

Checking packet content

sudo tcpdump -i any -c10 -nn -A port 80

References & Awesome wikis

Capture ICMP Packets With Tcpdump

Debugging SSH Packets with Tcpdump

Using Tcpdump to Filter DNS Packets

Learn tcpdump Quick Guide

Filtering DNS with Tcpdump

Filtering CDP LLDP packets with Tcpdump

Tcpdump Cheat Sheet (Basic Advanced Examples)

END!
曹大卫779
关注
运维系列:tcpdump命令详解
weixin_54626591的博客
01-04 7426
tcpdump命令详解
DHCP抓包-Wireshark分析
小时候很牛、的博客
01-19 7748
DHCP原理、DHCP抓包分析
tcpdump--详解
JonSnow
07-04 1922
1. tcpdump介绍 1.1 官方man手册 帮助手册 1.2 维基百科 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 是一个在BSD许可证下发布的自由软件。 tcpdump 适用于大多数的类Unix系统 操作系统:包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中,tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本...
tcpdump 使用详解
最新发布
cozil的专栏
09-26 1211
`tcpdump` 是 Linux/Unix 系统中最强大、最常用的**网络抓包和分析工具**,它可以捕获经过网络接口的数据包,并以可读格式显示,用于网络调试、安全分析、性能排查等。
t-tcpdump
天行健,地势坤
10-15 478
文章目录写入和读取数据包抓取数据包抓取指定网卡流量指定数据的输出格式数据包抓取的方向输出信息的详细程度的可控选项抓取指定协议的数据包表达式介绍逻辑连接符的使用type的确定 写入和读取数据包 在工作或者生活中的网络故障排除时最有力的方式就是抓包分析网络状况,从而找到网络故障的原因。所以将数据包保存到文件中,可以方便得进行分析取证。 数据包的写入命令 tcpdump -w test1.txt 数据包...
tcpdump
yangjinjingbj的博客
02-18 759
-i 网络接口 ] [ -r 文件名] [ -s snaplen ] [ -T 类型 ] [ -w 文件名 ] [表达式 ]-T 将监听到的包直接解释为指定的类型的报文,常见的类型有rpc (远程过程调用)和snmp(简单网络管理协议);-X 需要把协议头和包内容都显示出来(tcpdump会以16进制和ASCII的形式显示),便于协议分析;-e 在输出行打印出数据链路层的头部信息,包括源mac和目的mac,以及网络层的协议;-c Count 在收到指定的包的数目后,tcpdump就会停止;
Linuxtcpdump命令解析及使用详解
01-09
默认情况下,执行`tcpdump`命令将监听第一个网络接口(通常是eth0)上的所有数据包。如果想监听特定接口,如eth1,可以使用`tcpdump -i eth1`。 **主机过滤** - `tcpdump host sundown`:将显示所有进出sundown主机...
Linux tcpdump命令用法详解
01-09
Linux tcpdump命令 Linux tcpdump命令用于倾倒网络传输数据。 执行tcpdump指令可列出经过指定网络界面的数据包文件头,在Linux操作系统中,你必须是系统管理员。 语法tcpdump [-adeflnNOpqStvx][-c][-dd][-ddd][-F]...
Linux tcpdump命令详解大全
09-15
### Linux tcpdump命令详解 #### 一、简介 tcpdump是一款功能强大的网络数据包抓取工具,主要用于在Linux系统上捕获和分析网络流量。它能够根据用户设定的过滤条件来截取网络上的数据包,并对其进行详细的分析。该...
tcpdump命令使用文档
06-06
内容概要:本文档详细介绍了tcpdump命令的使用方法及其主要参数。tcpdump是一个强大的网络抓包工具,允许用户监听网络接口并捕获符合条件的数据包。文档首先列举了基本参数,如-i(指定监听的网络接口)、-e(打印...
tcpdump 命令
weixin_41565755的博客
03-04 529
tcpdump
Tcpdump实例分析 .
mm624531604的专栏
05-22 598
命令使用 tcpdump采用命令行方式,它的命令格式为: tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r fil
tcpdump抓包看TCP/IP协议
weixin_34072637的博客
05-26 3440
因为最近要解析 TCP 报文中 option 段的一块数据,所以不得不详细了解下 TCP/IP 报文。虽然之前看过,很长时间没这么细致地用过,导致了健忘,借着这个机会,通过 tcpdump 抓包分析,详细捋一遍 TCP/IP 报文。 报文获取 如果那样干巴巴地讲这个东西比较晕,而且网上的文章一大堆,没有什么创新。我选择换一个角度来切入 T...
tcpdump参数用法详解
07-09 1053
一直在linux下开发的人一定会用到tcpdump,下面就是关于tcpdump的使用方法说明 (1). tcpdump的选项 -a 将网络地址和广播地址转变成名字; -d 将匹配信息包的代码以人们能够理解的汇编格式给出; -dd 将匹配信息包的代码以c语言程序段的格式给出; -ddd 将匹配信息包的代码以十进制的形式给出; -e 在
tcpdump命令使用详解
热门推荐
lza20001103的博客
10-30 2万+
tcpdump命令使用详解
Linuxtcpdump命令用法详解
manonghouyiming的博客
04-14 538
LinuxLinux tcpdump是最重要的技术之一,今天就带大家学习一下Linux tcpdump的表达式、Linux tcpdump的输出结果等方面。tcpdump采用命令行方式,它的命令格式为:tcpdump[-adeflnNOpqStvx][-c数量][-F 文件名][-i网络接口][-r文件名][-ssnaplen][-T类型][-w文件名][表达式]Linux tcpdump的选...
tcpdump命令以及简单使用
super_m@n的博客
09-11 1275
0*00首先给出参数: root@kali:~# tcpdump -h tcpdump version 4.9.2 libpcap version 1.9.0 (with TPACKET_V3) OpenSSL 1.1.1c 28 May 2019 Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ] ...
tcpdump 工具简单使用介绍
郭耀今 -- 蓝天白云
03-19 948
tcpdump采用命令行方式,它的命令格式为:tcpdump [ -adeflnNOpqStvx ] [ -c 数量 ] [ -F 文件名 ]        [ -i 网络接口 ] [ -r 文件名] [ -s snaplen ]        [ -T 类型 ] [ -w 文件名 ] [表达式 ]tcpdump的选项介绍--------------------------------------
安卓 Linuxtcpdump命令规则大全
09-20
<think> 根据用户需求,需要查找安卓Linux系统下tcpdump命令规则的完整内容。用户特别强调了命令规则的完整性,因此需要详细列出tcpdump的所有命令选项和用法。 结合引用信息: - 引用[1]说明在Android上使用tcpdump需要root权限 - 引用[2]提供了tcpdump的基本命令格式和常用选项 - 引用[3][4][5]提供了Linux系统相关信息,但用户需求聚焦于tcpdump命令本身 我将整理完整的tcpdump命令规则,包括: 1. 命令基本格式 2. 所有常用选项详解 3. 表达式语法(过滤规则) 4. Android系统下的特殊注意事项 特别注意:由于Android基于Linux内核,tcpdump命令规则通用,但需注意权限问题。 </think> 以下是安卓Linux系统中`tcpdump`命令的完整规则详解,结合Android系统特性整理: ### 📜 tcpdump命令规则大全 **基本格式**(引用[2]): ```bash tcpdump [选项] [表达式] ``` #### 🔧 核心选项详解 1. **接口控制** ```bash -i <接口> # 指定监听网卡(Android常用接口:wlan0/eth0/rmnet_data0) -i any # 监听所有接口 ``` > 💡 Android需root权限访问原始套接字,否则提示`You don't have permission to capture`[^1] 2. **输出控制** ```bash -w <文件>.pcap # 保存原始数据包到文件(Android优先使用/sdcard路径) -r <文件>.pcap # 读取保存的数据包文件 -v/-vv/-vvv # 递增详细程度(显示IP头/TCP标志位等) -n # 禁用域名解析(加速显示) -q # 简化输出(短格式) ``` 3. **抓包限制** ```bash -c <数量> # 捕获指定数量包后退出 -s <字节数> # 设置快照长度(默认262144字节,Android建议-s0完整捕获) -G <秒数> # 每N秒轮转输出文件(需配合-w使用) ``` 4. **过滤表达式**(核心功能) ```bash host 192.168.1.1 # 过滤特定IP port 443 # 过滤端口 net 192.168.1.0/24 # 过滤网段 icmp # 仅抓ICMP包 tcp[tcpflags] & (syn|ack) != 0 # 抓SYN/ACK包 ``` #### ⚠️ Android特殊注意事项 1. **权限问题** ```bash adb shell su # 必须获取root权限 /data/local/tmp/tcpdump -i wlan0 # 通常需将二进制文件推送到设备 ``` > 未root设备可使用`adb shell tcpdump`但功能受限[^1] 2. **内核优化**(引用[4]) 编辑`/etc/sysctl.conf`提升抓包性能: ```bash net.core.rmem_max=16777216 # 增大接收缓冲区 net.ipv4.tcp_tw_reuse=1 # 重用TIME_WAIT连接 ``` #### ️ 常用组合示例 1. 抓取HTTP流量: ```bash tcpdump -i wlan0 -s0 -w /sdcard/http.pcap port 80 ``` 2. 实时分析DNS请求: ```bash tcpdump -i any -nn -q 'udp port 53' ``` 3. 排除本地流量: ```bash tcpdump -i wlan0 not net 192.168.1.0/24 ``` #### 📚 表达式语法速查 | 类型 | 示例 | 说明 | |------------|-----------------------|-------------------------------| | 方向限定 | `src host 10.0.0.5` | 源地址 | | 协议过滤 | `tcp`/`udp`/`icmp` | 传输层协议 | | 逻辑运算 | `and`/`or`/`not` | 组合条件(如`port 80 and not host 192.168.1.1`) | | 位操作 | `tcp[13] & 0x02 != 0` | 匹配TCP SYN标志位 | > ✅ 完整文档参考:`man tcpdump`(需通过`adb shell`访问Android的Busybox环境) --- ### 📌 相关问题 1. Android 11+ 如何在未root设备上捕获TCP流量? 2. tcpdump表达式如何过滤HTTPS的Server Name Indication (SNI)? 3. Android系统抓包时如何避免丢包? [^1]: Android需要root权限执行tcpdump,存在保修失效风险 [^2]: tcpdump命令行格式与核心选项说明 [^4]: Linux内核参数优化可提升抓包稳定性
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值