tcpdump

To capture all packets received or sent by host 192.168.10.126:

tcpdump host 192.168.10.126

To capture traffic between host 192.168.10.126 and host 192.168.10.127 or 192.168.10.128 (on the command line, parentheses must be escaped with a backslash):

tcpdump host 192.168.10.126 and \(192.168.10.127 or 192.168.10.128\)

To capture IP packets between host 192.168.10.126 and all other hosts except 192.168.10.127:

tcpdump ip host 192.168.10.126 and ! 192.168.10.127

To capture SMTP packets received or sent by host 192.168.10.126:

tcpdump tcp port 25 and host 192.168.10.126

-n  Don't convert host addresses to names. This can be used to avoid DNS lookups.

If you suspect the system is under a denial-of-service attack, the network administrator can capture all ICMP packets destined for this host to determine whether a large volume of ping traffic is flowing to the server (tcpdump options must come before the filter expression):

tcpdump -n -i eth0 icmp

Fields of each output line, left to right: source address, destination address, flags, next expected sequence number (ack), receive buffer window size (win):
15:47:32.485049 IP localhost.ssh > localhost.52684: Flags [P.], seq 248:300, ack 105, win 562, length 52
15:47:32.532568 IP localhost.52684 > localhost.ssh: Flags [.], ack 300, win 252, length 0
15:47:32.811724 IP localhost.52684 > localhost.ssh: Flags [P.], seq 105:157, ack 300, win 252, length 52
15:47:32.813628 IP localhost.ssh > localhost.52684: Flags [P.], seq 300:352, ack 157, win 562, length 52
15:47:32.863882 IP localhost.52684 > localhost.ssh: Flags [.], ack 352, win 252, length 0
15:47:33.123672 IP localhost.52684 > localhost.ssh: Flags [P.], seq 157:209, ack 352, win 252, length 52
15:47:33.125097 IP localhost.ssh > localhost.52684: Flags [P.], seq 352:404, ack 209, win 562, length 52
15:47:33.173320 IP localhost.52684 > localhost.ssh: Flags [.], ack 404, win 252, length 0
15:47:34.844265 IP localhost.52684 > localhost.ssh: Flags [P.], seq 209:261, ack 404, win 252, lengt

localhost.ssh > localhost.52684: source address > destination address

Flags [P.]: the flag field of the TCP segment; S stands for SYN, F for FIN, P for PUSH, R for RST, and . means no flag is set

ack 105: the next sequence number expected from the peer

win 562: the size of the receive buffer window
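As an added example (not part of the original post), here is a small Python parser for tcpdump TCP summary lines like those above. It checks the relationship the field descriptions state: each ack a side sends equals the end of the peer's most recent seq range (the next expected byte), and each new data segment starts at the last ack the peer announced. The sample trace is the one quoted above, minus the truncated last line.

```python
import re

# Constructed sample: the eight complete tcpdump lines quoted in the post.
SAMPLE = """\
15:47:32.485049 IP localhost.ssh > localhost.52684: Flags [P.], seq 248:300, ack 105, win 562, length 52
15:47:32.532568 IP localhost.52684 > localhost.ssh: Flags [.], ack 300, win 252, length 0
15:47:32.811724 IP localhost.52684 > localhost.ssh: Flags [P.], seq 105:157, ack 300, win 252, length 52
15:47:32.813628 IP localhost.ssh > localhost.52684: Flags [P.], seq 300:352, ack 157, win 562, length 52
15:47:32.863882 IP localhost.52684 > localhost.ssh: Flags [.], ack 352, win 252, length 0
15:47:33.123672 IP localhost.52684 > localhost.ssh: Flags [P.], seq 157:209, ack 352, win 252, length 52
15:47:33.125097 IP localhost.ssh > localhost.52684: Flags [P.], seq 352:404, ack 209, win 562, length 52
15:47:33.173320 IP localhost.52684 > localhost.ssh: Flags [.], ack 404, win 252, length 0
"""

# One tcpdump TCP summary line: timestamp, src > dst, Flags [...], optional seq a:b, ack, win, length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<start>\d+):(?P<end>\d+))?, ack (?P<ack>\d+), win (?P<win>\d+), length (?P<length>\d+)$"
)

def parse_line(line):
    """Parse one tcpdump TCP line into a dict; None if the line is not a TCP summary.
    'start'/'end' are None for pure ACKs (no payload); numeric fields become ints."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("start", "end", "ack", "win", "length"):
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    return pkt

def check_acks(text):
    """Return inconsistencies in the trace. An empty list means every ack equals the end of the
    peer's latest seq range, and every data segment starts where the peer's last ack said it should."""
    sent_end = {}  # (sender, receiver) -> end of the sender's latest seq range
    last_ack = {}  # (sender, receiver) -> latest ack value the sender announced
    problems = []
    for p in filter(None, map(parse_line, text.splitlines())):
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if p["start"] is not None:  # data-bearing segment
            if p["end"] - p["start"] != p["length"]:
                problems.append(f"{p['ts']}: seq {p['start']}:{p['end']} != length {p['length']}")
            if rev in last_ack and p["start"] != last_ack[rev]:
                problems.append(f"{p['ts']}: seq starts at {p['start']}, peer last acked {last_ack[rev]}")
            sent_end[fwd] = p["end"]
        if rev in sent_end and p["ack"] != sent_end[rev]:
            problems.append(f"{p['ts']}: ack {p['ack']}, peer's data ended at {sent_end[rev]}")
        last_ack[fwd] = p["ack"]
    return problems
```

On the sample trace check_acks(SAMPLE) returns an empty list; feed it the output of tcpdump -n on a real session and any reported mismatch points at a line worth looking at (retransmission, loss, or a capture that missed segments).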

posted on 2014-08-25 16:02 by zitong