tcpdump and tcpflow are commonly used command-line packet capture tools on Linux and are a great help in network analysis.
tcpflow is also a packet capture tool; the difference from tcpdump is that it displays data per flow, whereas tcpdump displays data per packet. We often analyze HTTP traffic, and for that tcpflow is more convenient and its output is more intuitive.
tcpflow can be thought of as a capture tool that looks more like a command-line version of Wireshark: it can capture directly from the NIC and parse the traffic, supports L7 protocols such as HTTP and FTP as well as TCP and UDP capture, and can also read what tcpdump has captured. That makes it a very good tool for inspecting packets; with it you no longer have to pull a dump off a production server and open it in Wireshark.
III. Usage
tcpdump overview
tcpdump only enables promiscuous mode when run as root; as a non-root user it does not. Promiscuous mode means that a machine's NIC receives all traffic passing through it, regardless of whether the destination address is its own.
Common tcpdump invocations (add the sudo prefix depending on whether your user has root privileges):
sudo tcpdump -i eth0 -nn -X 'port 53'
sudo tcpdump dst host 124.202.197.150 -i eth2 -s 0 -w /tmp/123.cap
tcpdump parameters explained:
1. -i: the interface to listen on.
2. -nn: do not resolve protocol numbers or port numbers to their protocol or service names.
3. -X: print both the protocol headers and the packet contents verbatim.
4. 'port 53': only packets whose source or destination port is 53 are shown.
5. -t: do not print timestamps.
6. -v: in addition to the normal output, also show the TOS value, TTL, ID, total length, checksum and so on.
7. -F: read the filter expression from a file; for example, the port 53 expression from item 4 can be written to a file and passed with -F followed by the file name.
8. tcpdump -i eth0 -w flowdata: -w saves the traffic to a file. What is stored are raw packets in binary form, which cannot be viewed directly and must be read back with -r.
9. tcpdump -r flowdata: -r reads data saved with -w.
10. tcpdump -i eth0 -c 10 'udp': capture only UDP packets.
11. tcpdump -i eth0 'dst 8.8.8.8': inspect packets by source or destination address, using src and dst.
12. tcpdump -i eth0 -c 3 'dst port 53 or dst port 80': only packets whose destination port is 53 or 80; other ports are ignored. Besides port, the filter also supports host, net (a network range) and portrange (a range of ports).
13. tcpdump 'port ftp or ftp-data': tcpdump looks up the port that corresponds to the service name in /etc/services to build the port filter.
14. tcpdump 'ip[2:2] > 576': print packets whose IP total length exceeds 576 bytes.
tcpflow parameters (the output of tcpflow -h, with the author's annotations after ---):
[root@test ~]$ tcpflow -h
TCPFLOW version 1.4.5

usage: tcpflow [-aBcCDhJpsvVZ] [-b max_bytes] [-d debug_level]
     [-[eE] scanner] [-f max_fds] [-F[ctTXMkmg]] [-i iface] [-L semlock]
     [-m min_bytes] [-o outdir] [-r file] [-R file]
     [-S name=value] [-T template] [-w file] [-x scanner] [-X xmlfile]
     [expression]

   -a: do ALL post-processing.
   -b max_bytes: max number of bytes per flow to save
   -d debug_level: debug level; default is 1
   -f: maximum number of file descriptors to use
   -h: print this help message (-hh for more help)
   -H: print detailed information about each scanner
   -i: network interface on which to listen
   -I: generate temporal packet-> byte index files for each flow (.findex)
   -g: output each flow in alternating colors (note change!)
   -l: treat non-flag arguments as input files rather than a pcap expression
   -L semlock - specifies that writes are locked using a named semaphore
   -p: don't use promiscuous mode --- promiscuous mode
   -q: quiet mode - do not print warnings
   -r file: read packets from tcpdump pcap file (may be repeated)
   -R file: read packets from tcpdump pcap file TO FINISH CONNECTIONS
   -v: verbose operation equivalent to -d 10
   -V: print version number and exit
   -w file: write packets not processed to file
   -o outdir : specify output directory (default '.')
   -X filename : DFXML output to filename
   -m bytes : specifies skip that starts a new stream (default 16777216).
   -F{p} : filename prefix/suffix (-hh for options)
   -T{t} : filename template (-hh for options; default %A.%a-%B.%b%V%v%C%c)
   -Z: do not decompress gzip-compressed HTTP transactions

Control of Scanners:
   -E scanner - turn off all scanners except scanner
   -S name=value Set a configuration parameter (-hh for info)

Settable Options (and their defaults):
   -S enable_report=YES Enable report.xml ()
   -S http_cmd= Command to execute on each HTTP attachment (http)
   -S http_alert_fd=-1 File descriptor to send information about completed HTTP attachments (http)
   -S netviz_histogram_dump=0 Dumps the histogram (netviz)
   -S netviz_histogram_size=1000 Maximum histogram size (netviz)
   -S tcp_timeout=0 Timeout for TCP connections (tcpdemux)
   -S check_fcs=YES Require valid Frame Check Sum (FCS) (wifiviz)

   -e http - enable scanner http
   -e md5 - enable scanner md5
   -e netviz - enable scanner netviz
   -e wifiviz - enable scanner wifiviz

   -x tcpdemux - disable scanner tcpdemux
Console output options:
   -B: binary output, even with -c or -C (normally -c or -C turn it off)
   -c: console print only (don't create files)
   -C: console print only, but without the display of source/dest header
   -0: don't print newlines after packets when printing to console
   -s: strip non-printable characters (change to '.')
   -D: output in hex (useful to combine with -c or -C)

expression: tcpdump-like filtering expression --- filter rules can be configured just as with tcpdump

See the man page for additional information.
Source: https://www.cnblogs.com/laiyh/p/14244930.html