Specify the interface
tcpdump -i lo
Specify a host IP
tcpdump host 192.168.1.101
Specify both endpoints of a conversation
tcpdump host 192.168.1.101 and \(192.168.1.102 or 192.168.1.103\)
Exclude an IP
tcpdump host 192.168.1.102 and not 192.168.1.103
Source IP
tcpdump src host 192.168.1.102
Destination IP
tcpdump dst host 192.168.1.102
Specify a port
tcpdump port 80
TCP traffic only
tcpdump tcp
UDP traffic only
tcpdump udp
Print packet contents
tcpdump -A
Write to a file
tcpdump -w data.pcap
Read from a file
tcpdump -r data.pcap
Show IP addresses instead of resolving hostnames
tcpdump -n
HTTP requests
sudo tcpdump -Xs 0 \(tcp[20:4]=0x47455420 or tcp[20:4]=0x504f5354 or tcp[20:4]=0x48545450\) and host 192.168.1.120 and port 80
sudo tcpdump -Xs 0 -i lo0 \(tcp[20:4]=0x47455420 or tcp[20:4]=0x504f5354 or tcp[20:4]=0x48545450\)
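The HTTP filter above works by comparing the four bytes at offset 20 of the TCP segment against the ASCII of "GET ", "POST" and "HTTP" (the third also catches response status lines). Offset 20 assumes a TCP header with no options; segments carrying timestamps or SACK blocks have a longer header and silently fail to match, which matters when such a filter feeds a detection or an investigation. The Python below is an added example, not part of this cheat sheet: it builds constructed TCP segments and emulates both the fixed-offset filter and the header-length-aware variant tcp[((tcp[12:1] & 0xf0) >> 2):4], which reads the data offset field instead of assuming 20. Ports and sequence numbers are arbitrary sample values.

```python
import struct

# The hex constants from the tcpdump filter, mapped to the ASCII they encode.
HTTP_MARKERS = {0x47455420: "GET ", 0x504F5354: "POST", 0x48545450: "HTTP"}


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed TCP segment: 20-byte header, optional TCP options, payload.

    Ports, sequence and ack numbers are arbitrary sample values.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    offset_flags = (data_offset << 12) | 0x018   # data offset nibble + PSH/ACK flags
    header = struct.pack("!HHIIHHHH", 54321, 80, 1, 1, offset_flags, 65535, 0, 0)
    return header + options + payload


def tcp_slice(segment: bytes, offset: int, length: int) -> int:
    """Emulate the BPF expression tcp[offset:length] as a big-endian integer.

    tcpdump treats an access past the end of the packet as a non-match, so
    an out-of-range slice returns -1, which never equals any marker.
    """
    chunk = segment[offset:offset + length]
    if len(chunk) < length:
        return -1
    return int.from_bytes(chunk, "big")


def matches_fixed_offset(segment: bytes) -> bool:
    """The page's filter: tcp[20:4] compared against the three HTTP markers."""
    return tcp_slice(segment, 20, 4) in HTTP_MARKERS


def matches_header_aware(segment: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4]: offset taken from the data offset field.

    The upper nibble of byte 12 is the header length in 32-bit words; shifting
    the masked byte right by 2 yields the header length in bytes.
    """
    hdr_len = (tcp_slice(segment, 12, 1) & 0xF0) >> 2
    return tcp_slice(segment, hdr_len, 4) in HTTP_MARKERS


def decode_markers() -> dict:
    """Show what each hex constant in the filter actually matches."""
    return {hex(k): k.to_bytes(4, "big").decode("ascii") for k in HTTP_MARKERS}


if __name__ == "__main__":
    # Constructed sample: NOP, NOP, then a 10-byte timestamp option (12 bytes total).
    ts_option = b"\x01\x01\x08\x0a" + b"\x00" * 8
    plain = build_tcp_segment(b"GET / HTTP/1.1\r\n")
    with_opts = build_tcp_segment(b"POST /login HTTP/1.1\r\n", options=ts_option)
    print(decode_markers())
    print("no options  fixed:", matches_fixed_offset(plain), "aware:", matches_header_aware(plain))
    print("with options fixed:", matches_fixed_offset(with_opts), "aware:", matches_header_aware(with_opts))
```

Run it and the segment carrying a timestamp option is matched only by the header-aware form; when you need the filter to be reliable on real traffic (Linux enables TCP timestamps by default), use that form in the tcpdump expression in place of tcp[20:4].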
GUI tools
CocoaPacketAnalyzer
SmartSniff
Wireshark
Further reading
http://drops.wooyun.org/%E8%BF%90%E7%BB%B4%E5%AE%89%E5%85%A8/8885