yum install tcpdump  # install tcpdump
Capture and stop conditions
• -D  list all network interfaces
• -i  select the network interface to capture on
• -c  stop after capturing this many packets
• --time-stamp-precision  set the timestamp precision of the capture; the default is micro (microseconds), nano (nanoseconds) is optional
• -s  maximum number of bytes captured per packet (snaplen); the default is 262144 bytes
$ tcpdump -i en0 host www.baidu.com and port 443 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:09:43.197939 IP 172.19.108.85.55723 > 180.101.49.12.https: Flags [.], seq 3256827061:3256828513, ack 1682365603, win 4096, length 1452
07:09:43.197943 IP 172.19.108.85.55723 > 180.101.49.12.https: Flags [P.], seq 1452:2180, ack 1, win 4096, length 728
07:09:43.211985 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], ack 1452, win 1220, length 0
07:09:43.211992 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], ack 2180, win 1312, length 0
07:09:43.702570 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], seq 1:1461, ack 2180, win 1312, length 1460
07:09:43.702574 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [P.], seq 1461:1700, ack 2180, win 1312, length 239
07:09:43.702577 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], seq 1700:3160, ack 2180, win 1312, length 1460
07:09:43.702578 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], seq 3160:4620, ack 2180, win 1312, length 1460
07:09:43.702581 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [P.], seq 4620:4684, ack 2180, win 1312, length 64
07:09:43.702582 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], seq 4684:6144, ack 2180, win 1312, length 1460
10 packets captured
205 packets received by filter
0 packets dropped by kernel
tcpdump -i en0 -C 1 -W 3 -w a.pcap  # -C 1: start a new file once the current one reaches 1 MB; -W 3: keep at most 3 files (rotating)
tcpdump -i en0 -G 3 -w file%M-%S  # -G 3: start a new file every 3 seconds; %M-%S in the name is strftime format, so each file is named by minute-second
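As an added example that is not part of the original page, the following Python script parses the TCP summary lines tcpdump prints (the format shown in the capture above) and totals packets, payload bytes and PSH segments per direction, which is a quick way to see who sent what in a captured session. The sample text is constructed from the lines above; the regular expression only covers the plain TCP line format and skips tcpdump's banner and summary lines.

```python
import re
from collections import defaultdict

# Constructed sample: five lines in the format tcpdump prints for TCP (taken from the capture above).
SAMPLE = """\
07:09:43.197939 IP 172.19.108.85.55723 > 180.101.49.12.https: Flags [.], seq 3256827061:3256828513, ack 1682365603, win 4096, length 1452
07:09:43.197943 IP 172.19.108.85.55723 > 180.101.49.12.https: Flags [P.], seq 1452:2180, ack 1, win 4096, length 728
07:09:43.211985 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], ack 1452, win 1220, length 0
07:09:43.702570 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [.], seq 1:1461, ack 2180, win 1312, length 1460
07:09:43.702574 IP 180.101.49.12.https > 172.19.108.85.55723: Flags [P.], seq 1461:1700, ack 2180, win 1312, length 239
"""

# One tcpdump TCP summary line: timestamp, endpoints, flags, optional seq/ack, window, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?, win (?P<win>\d+), length (?P<length>\d+)$"
)

def parse_line(line):
    """Return a dict of fields for one TCP line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("seq", "seq_end", "ack", "win", "length"):
        d[key] = int(d[key]) if d[key] is not None else None
    d["flags"] = set(d["flags"]) - {"."}  # "." only marks ACK; keep S, P, F, R
    return d

def summarize(text):
    """Per-direction packet count, payload bytes and PSH segments for a capture in text form."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "push": 0})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:  # banner and "N packets captured" lines do not match
            continue
        key = f"{pkt['src']} -> {pkt['dst']}"
        stats[key]["packets"] += 1
        stats[key]["bytes"] += pkt["length"]
        if "P" in pkt["flags"]:
            stats[key]["push"] += 1
    return dict(stats)

if __name__ == "__main__":
    for direction, s in summarize(SAMPLE).items():
        print(f"{direction}: {s['packets']} pkts, {s['bytes']} payload bytes, {s['push']} PSH")
```

The same function works on the saved output of `tcpdump -nn` piped to a file; note that the `length` field is the TCP payload length, not the bytes captured, so it is unaffected by the `-s` snaplen.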