Packet capture with tcpdump

2017-03-19  3767d46199be

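tcpdump is a packet capture tool for Linux and Unix.

By default it captures only 68 bytes of each packet. Use -s 0 to capture whole packets and -w to write them to a file: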

tcpdump -i eth0 -s 0 -w file.pcap

tcpdump -i eth0 port 22

Reading a capture file

tcpdump -r file.pcap

Filtering with tcpdump

tcpdump -n -r http.cap | awk '{print $3}' | sort | uniq

tcpdump -n -r http.cap src host <ip>

tcpdump -n -r http.cap dst host <ip>

tcpdump -n -r http.cap port 53

tcpdump -n -X -r http.cap udp port <port>

Advanced filtering with tcpdump

tcpdump -A -n -r http.cap 'tcp[13]=24'
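The value 24 in 'tcp[13]=24' is the TCP flags byte with PSH (8) and ACK (16) set, so that filter shows segments that push data. The shell helpers below are an added example, not part of the original post, and their function names are hypothetical; they build and decode such values and emit both the exact-match filter and a mask filter that also matches when other flags are set.

```shell
# Added example: helpers for the TCP flags byte that tcpdump exposes as tcp[13].
# Function names are hypothetical; bit values follow the TCP header layout.

# Print the bit value of one flag name (case-insensitive); fail on unknown names.
flag_bit() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        fin) echo 1 ;;
        syn) echo 2 ;;
        rst) echo 4 ;;
        psh) echo 8 ;;
        ack) echo 16 ;;
        urg) echo 32 ;;
        ece) echo 64 ;;
        cwr) echo 128 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR the named flags together: "psh ack" -> 24.
flags_value() {
    value=0
    for name in "$@"; do
        bit=$(flag_bit "$name") || return 1
        value=$((value | bit))
    done
    echo "$value"
}

# Decode a flags byte back into names: 24 -> "PSH ACK".
flags_decode() {
    out=""
    for name in FIN SYN RST PSH ACK URG ECE CWR; do
        bit=$(flag_bit "$name")
        if [ $(( $1 & bit )) -ne 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    echo "$out"
}

# Exact match: only the named flags are set, as in 'tcp[13]=24'.
filter_exact() { v=$(flags_value "$@") || return 1; echo "tcp[13] = $v"; }

# Mask match: the named flags are set, other flags may also be set.
filter_has() { v=$(flags_value "$@") || return 1; echo "tcp[13] & $v = $v"; }

# Usage with the capture file from the page:
#   tcpdump -A -n -r http.cap "$(filter_exact psh ack)"
```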
