Linux basic command introduction 6: Network


This article covers network-related commands. The author assumes that the reader has basic knowledge of the TCP/IP protocol stack. For each command and its output, only basic usage and a general description are given; the specific protocols are not explained in detail.

Networking is undoubtedly very important today, and Linux provides a wealth of network testing and management commands. Let's go through them.

1. ping: send ICMP echo request messages and wait for ICMP echo responses.

ping [OPTIONS]... destination

Here, destination can be a destination IP address or a domain/host name.

The option -c specifies the number of request messages to send. Without options, ping on Linux keeps sending request messages until it is terminated manually.

[[email protected] ~]# ping -c 3
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=52 time=1.35 ms
64 bytes from icmp_seq=2 ttl=52 time=1.32 ms
64 bytes from icmp_seq=3 ttl=52 time=1.22 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.225/1.303/1.359/0.064 ms

First, the ping program sends a request to the domain name server (DNS) to resolve the IP address of the domain name. DNS returns an alias of the domain name, www.a.shifen.com, and the corresponding IP address 61.135.169.121. After that, ping starts sending request messages to this address, one every 1s. When ping receives an ICMP echo response, it displays the result on the terminal, including icmp_seq, ttl and the round-trip time of the packet. Finally, summary information is given, including the total numbers of messages sent and received, the total time, and the minimum, average, maximum and mean deviation of the round-trip time (the larger the deviation, the more unstable the network).

[[email protected] ~]# ping
ping: unknown host

When the destination domain name cannot be resolved to an IP address, an unknown host error is reported.

[[email protected] ~]# ping
PING ( 56(84) bytes of data.
^C    # Press Ctrl+C here to terminate the process manually
--- ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4999ms

No ICMP echo response is received when there is no route to the destination IP address.

[[email protected] ~]# ping -c2
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Host Unreachable
From icmp_seq=2 Destination Host Unreachable

--- ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
pipe 2

The Destination Host Unreachable error is displayed when the route to the destination IP is unreachable.
ICMP responses also include request timed out and other types.

2. hostname: display or set the system host name

hostname [OPTIONS]... [NAME]

Running hostname with no arguments displays the host name:

[[email protected] temp]# hostname
[[email protected] temp]#

This host name is the one returned by the system function gethostname(2).
You can run hostname NAME to change the host name temporarily:

[[email protected] temp]# hostname NAME
[[email protected] temp]# hostname

This temporary change actually modifies a hostname value in the Linux kernel, which is stored in /proc/sys/kernel/hostname. To make the change permanent, modify the configuration file /etc/sysconfig/network; on CentOS 7, modify /etc/hostname instead. Note that if the hostname in the configuration file is localhost or localhost.localdomain, the system obtains the IP address of the network interface, uses this address to look up the corresponding host name in the /etc/hosts file, and then sets it as the final hostname.

3. host: DNS query

host name

The host command queries the DNS server specified in the configuration file /etc/resolv.conf for the IP address of name:

[[email protected] temp]# host is an alias for has address has address

4. dig: DNS query

dig has the same syntax as the host command, but provides more details and options:

[[email protected] ~]# dig

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22125
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;                 IN      A

;; ANSWER SECTION:          113     IN      CNAME       113     IN      A       113     IN      A

;; Query time: 2 msec
; when: April 10 12:31:20 CST 2016
;; MSG SIZE  rcvd: 90

[[email protected] ~]#

To query only the A record of a domain name and display it in short format:

[[email protected] ~]# dig A +short
[[email protected] ~]# 


[[email protected] ~]# dig +nocmd A +noall +answer          252     IN      CNAME       252     IN      A       252     IN      A

You can also use @server to specify the DNS server:

[[email protected] ~]# dig +noall +answer A @          21      IN      CNAME       263     IN      A       263     IN      A

More commands and options

5. traceroute or tracepath: route tracing

[[email protected] ~]# tracepath
 1?: [LOCALHOST]                                         pmtu 1500
 1:                                            0.396ms 
 1:                                            0.350ms 
 2:                                          1.187ms asymm  3 
 3:                                          8.186ms 
 4:                                         1.117ms 
 5:                                         8.554ms asymm 12 
 6:                                         1.694ms asymm 12 
 7:                                         3.934ms asymm 10 
 8:                                         2.703ms asymm 10

Only part of the output is listed here. It shows the route traced to the destination address, with the reply from each hop.

6. ifconfig: configure network interfaces

Display the information of all network interfaces when the command has no parameters:

[[email protected] ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::250:56ff:fea4:fe34  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a4:fe:34  txqueuelen 1000  (Ethernet)
        RX packets 11996157  bytes 775368588 (739.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 888 (888.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::250:56ff:fea4:a09  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a4:0a:09  txqueuelen 1000  (Ethernet)
        RX packets 20941185  bytes 1307830447 (1.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 147552  bytes 11833605 (11.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[[email protected] ~]#

This example shows two network cards, ens32 and ens33, and the loopback interface lo. The information includes MTU, IP address, mask, MAC address, transmitted and received data, etc.
The option -s shows condensed information:

[[email protected] ~]# ifconfig -s ens32
ens32     1500 11996951      0      0 0            12      0      0      0 BMRU

For example, add a new address to ens33:

[[email protected] ~]# ifconfig ens33:0 up
[[email protected] ~]# ifconfig ens33:0   
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        ether 00:50:56:a4:0a:09  txqueuelen 1000  (Ethernet)

In the command, /24 indicates the mask of the interface address, and up indicates that this interface is enabled. Note that if the IP address is already in use, it will still be set successfully, but there may be conflicts when this address is accessed.
To disable an interface:

[[email protected] ~]# ifconfig ens33:0 down

If you need to permanently add or modify the address of an interface, it is better to edit the IPADDR field in the network card configuration file /etc/sysconfig/network-scripts/ifcfg-ens33 directly (on other systems, use the corresponding file), and then restart the network with systemctl restart network or service network restart for the change to take effect.


7. arp and arping: the arp command displays the system ARP cache, and the arping command sends ARP requests to a neighbor host.

[[email protected] ~]# arp -a
? ( at 68:8f:84:01:f1:ff [ether] on ens33
? ( at 00:50:56:a4:18:9a [ether] on ens33
? ( at 00:50:56:a4:a9:16 [ether] on ens33
? ( at 00:50:56:a4:d2:e4 [ether] on ens33
? ( at 00:50:56:a4:37:a7 [ether] on ens33

? indicates an unknown domain name, and the network card name at the end indicates the network interface corresponding to the ARP table entry.
If an address is found to be unstable, arping can be used to test whether the address is in conflict (more than one MAC address answering for it):

[[email protected] ~]# arping -I ens33
ARPING from ens33
Unicast reply from [00:50:56:A4:65:71]  0.843ms
Unicast reply from [00:50:56:A4:0A:09]  1.034ms

The MAC addresses in the two replies are different, which indicates that two network cards are configured with the same IP address. The option -I specifies the network interface used to send ARP requests.
If you have just changed the IP address of a network card but the ARP table entry on the upstream device (such as a switch) is still the old one, you can use arping to force a refresh:

[[email protected] ~]# arping -c3 -I ens33 -s
ARPING from ens33
Unicast reply from [68:8F:84:01:F1:FF]  19.466ms
Unicast reply from [68:8F:84:01:F1:FF]  2.358ms
Unicast reply from [68:8F:84:01:F1:FF]  24.305ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)

-c specifies the number of ARP requests to send, -s specifies the source address, and the last IP is the destination (here, the gateway address).
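
The conflict test described above can be automated by counting the distinct MAC addresses that appear in the arping replies. This is an added example, not part of the original article; the function names and the sample output (built on 192.0.2.x documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: two different MAC addresses answer for the same IP.
SAMPLE_CONFLICT='ARPING 192.0.2.10 from 192.0.2.1 ens33
Unicast reply from 192.0.2.10 [00:50:56:A4:65:71]  0.843ms
Unicast reply from 192.0.2.10 [00:50:56:A4:0A:09]  1.034ms
Unicast reply from 192.0.2.10 [00:50:56:A4:65:71]  0.901ms
Unicast reply from 192.0.2.10 [00:50:56:A4:0A:09]  1.112ms
Sent 2 probes (1 broadcast(s))
Received 4 response(s)'

# Constructed sample: every reply comes from the same MAC address.
SAMPLE_CLEAN='ARPING 192.0.2.254 from 192.0.2.1 ens33
Unicast reply from 192.0.2.254 [68:8F:84:01:F1:FF]  19.466ms
Unicast reply from 192.0.2.254 [68:8F:84:01:F1:FF]  2.358ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)'

# arping_macs: read arping output on stdin and print each distinct
# responder MAC address once, upper-cased and sorted.
arping_macs() {
    awk '/reply from/ && match($0, /\[[0-9A-Fa-f:]+\]/) {
             print toupper(substr($0, RSTART + 1, RLENGTH - 2))
         }' | sort -u
}

# arping_mac_count: number of distinct MAC addresses seen in the replies.
arping_mac_count() {
    arping_macs | awk 'END { print NR }'
}

# arping_conflict: succeed (exit 0) when more than one MAC answered, which
# means the address is duplicated or another host is answering ARP for it.
arping_conflict() {
    [ "$(arping_mac_count)" -gt 1 ]
}

# Stand-alone run over the two constructed samples.
for name in SAMPLE_CONFLICT SAMPLE_CLEAN; do
    eval "data=\$$name"
    if printf '%s\n' "$data" | arping_conflict; then
        echo "$name: CONFLICT: $(printf '%s\n' "$data" | arping_macs | tr '\n' ' ')"
    else
        echo "$name: ok"
    fi
done
```

On a live system the same functions read real output, for example by piping arping -c 3 -I ens33 followed by the address under test into arping_conflict.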

8. route: show or change the routing table

[[email protected] ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   U     0      0        0 ens33
link-local     U     1002   0        0 ens32
link-local     U     1003   0        0 ens33   U     0      0        0 ens32   UG    0      0        0 ens33

Here, Destination is the destination network segment or target host; Gateway is the gateway address; Genmask is the mask of the destination network segment; Flags are the route flags (U indicates that the route is up and G indicates a gateway); Metric is the distance to the target, usually expressed in hops; Ref is the number of references to the route; Use is the route lookup count; Iface is the outgoing interface of the route.
The option -n displays the destination network segments in numeric form.
The options add and del add or remove a route.
The options -net and netmask specify the destination network segment and mask.
The option gw specifies the gateway.
The option dev IF specifies the outgoing network card.

To add a route to 192.56.76.x whose outgoing interface is ens32:

route add -net netmask dev ens32

If a default route is added, it indicates that its gateway is

route add default gw

If a route to is added, the gateway is

route add -net gw

To delete the default route:

route del default

9. telnet: provides remote login

Because the telnet protocol transmits data in clear text, it is not suitable for environments that require secure login. Nowadays it is commonly used to test the ports of network services:

[[email protected] ~]# telnet 80
Connected to
Escape character is '^]'.
^]    # Press Ctrl+] or Ctrl+C here to exit
telnet> quit
Connection closed.

This shows that port 80 of the peer is open and allows communication.
When the peer port is not open:

[[email protected] ~]# telnet 81
telnet: connect to address No route to host

When the peer rejects the connection:

[[email protected] ~]# telnet 8085
telnet: connect to address Connection refused

10. ssh: remote login program

ssh [OPTIONS]... [user@]hostname [command]

ssh stands for secure shell. It provides secure, encrypted communication between hosts over an insecure network and is intended to replace other remote login protocols.

[[email protected] ~]# ssh
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 96:bd:a3:a7:87:09:1b:53:44:4c:9b:b9:5f:b2:97:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
root@'s password:    # enter the password here
Last login: Fri Nov 11 09:04:01 2016 from
[root@idc-v-71253 ~]#    # logged in

When the ssh command is followed directly by the host IP, the default user root is used to log in. On the first login, you need to confirm adding the authentication key of the host; after you enter yes, a record for the host is added to /root/.ssh/known_hosts on the local machine, and you do not need to confirm again on the next login. Then you enter the user password; after verification you get a shell on the target host and can execute commands in it.
Type exit in the new shell to return to the original shell.
If you need to log in to a host frequently but do not want to enter a password every time, you can set up passwordless login:

[[email protected] ~]# ssh-keygen -t rsa       
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):     # press Enter
Enter passphrase (empty for no passphrase):     # press Enter
Enter same passphrase again:     # press Enter
Your identification has been saved in /root/.ssh/id_rsa.    # private key
Your public key has been saved in /root/.ssh/id_    # public key
The key fingerprint is:
be:c3:d0:02:50:35:35:fe:60:d6:2f:26:96:f0:e1:e6 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|   ...o.o        |
|  .    o o       |
|   .  . * .      |
|    .  * = .     |
|     . .S + .    |
|      o=.o .     |
|       +E        |
|        o.       |
|        ..       |
[[email protected] ~]# 
[[email protected] ~]# ssh-copy-id
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh ''"
and check to make sure that only the key(s) you wanted were added.

[[email protected] ~]#

Here the command ssh-keygen is used to generate the public and private keys, and the option -t indicates the key type. The command ssh-copy-id is then used to send the public key to the target host, where you need to enter the password of the target host user. After that you can log in without a password:

[[email protected] ~]# ssh
Last login: Fri Nov 11 11:08:37 2016 from
[[email protected] ~]# 

You can also execute commands remotely through SSH:

[[email protected] ~]# ssh "hostname"
root@'s password:
idc-v-71252    # the command result is displayed
[root@centos7 ~]#    # no login takes place

Or manually copy the public key to the target host:

[[email protected] ~]# cat /root/.ssh/ | ssh "cat - >> /root/.ssh/authorized_keys"
root@'s password:
[root@centos7 ~]# ssh    # passwordless login
Last login: Thu Nov 10 14:42:11 2016 from
[[email protected] ~]#

The option -p specifies the port used for login:

[[email protected] temp]# ssh -p22
Last login: Fri Nov 11 11:44:31 2016 from
[[email protected] ~]# 

The port is set in the server configuration file /etc/ssh/sshd_config; the default port number is 22. To change it, remove the comment marker from #Port 22 and change 22 to the required port, then restart the sshd service with service sshd restart or systemctl restart sshd.
If you need to log in to the system as another user, run ssh user@host.
You can combine the tar command with ssh and pipes to back up local (remote) files to the remote (local) side:

tar zc /home/temp | ssh user@host "tar xz"    # back up the local temp directory to the remote host
ssh user@host "tar cz /home/temp" | tar xz    # back up the remote temp directory to the local host

The option -L [bind_address:]port:host:hostport sets up local port forwarding:

[[email protected] ~]# ssh -L 2222:
Last login: Mon Nov 14 10:34:43 2016 from
[root@idc-v-71253 ~]#

This command binds the local port 2222 and forwards all data sent to this port through the intermediate host 10.0.1.253 to port 22 of the target host 10.0.1.252. If you then use ssh to log in to port 2222 of the local machine, you are actually logging in to the host 10.0.1.252:

[[email protected] ~]# ssh -p 2222
Last login: Mon Nov 14 10:34:56 2016 from
[[email protected] ~]# 

The default binding here is the local loopback address 127.0.0.1; to bind to another address, set bind_address according to the syntax.
The option -N means that no remote command is executed, which is only useful when setting up port forwarding.
Because the port forwarding command above, ssh -L 2222:, logs in to the intermediate host, and the forwarding is terminated after you exit, the -N option, which does not log in, is a good choice for setting up port forwarding together with shell background execution (note that passwordless login to the intermediate host is required):

[[email protected] ~]# ssh -N -L 2222: &
[1] 12432
[[email protected] ~]#

The & symbol at the end of the command means that the command is executed in the background. In the returned information, [1] is the background job number and 12432 is the PID of the command. (Shell background commands will be described in later articles.)
The option -R [bind_address:]port:host:hostport sets up remote port forwarding.
If we run the following on 10.0.1.253:

ssh -R 2222:

Then log in on 10.0.1.254:

[[email protected] ~]# ssh -p 2222 localhost
Last login: Mon Nov 14 10:40:44 2016 from
[[email protected] ~]#

This makes the remote host 10.0.1.254 (remote relative to the host running the command) listen on port 2222 and forward all data sent to this port to port 22 of the target host 10.0.1.252. Logging in to local port 2222 on 10.0.1.254 then actually logs in to the target host 10.0.1.252 through the intermediate host 10.0.1.253.
The option -o OPTION specifies an option as used inside the configuration file (for example /etc/ssh/sshd_config).
To avoid typing yes to confirm the first time you log in, you can add -o StrictHostKeyChecking=no. With this setting, ssh adds the new host key to known_hosts automatically, without asking you to confirm the fingerprint.

11. scp: remote file copy

scp [OPTIONS]... [[user@]host1:]file1 ... [[user@]host2:]file2

The scp command transmits data encrypted over the ssh protocol. As with ssh login, you need to enter the password of the remote host user.
For example, to copy the file /root/a.txt from the remote host 10.0.1.251 to the local current directory:

[[email protected] ~]# scp [email protected]:/root/a.txt ./
[email protected]'s password: 
a.txt                                       100%  125     0.1KB/s   00:00    
[[email protected] ~]# 

The command displays the transfer status (percentage transferred, size, speed, time).
Copying a local file to a remote location simply swaps the source and destination.
The option -P specifies the remote connection port (the SSH service port), and -o ssh_option passes an SSH option.
The option -l limit limits the transfer speed; the unit of limit is Kbit/s.
As with the cp command, the option -r copies a directory, and -p preserves file permissions, times, etc.

12. netstat: print network information

The option -a displays all port information:

[[email protected] ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0   *               LISTEN     
tcp        0      0 localhost:smtp*               LISTEN     
tcp        0     52    ESTABLISHED
tcp6       0      0 [::]:commplex-main      [::]:*                  LISTEN     
tcp6       0      0 [::]:4243               [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7          
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12807    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     12815    /run/lvm/lvmpolld.socket
unix  2      [ ]         DGRAM                    12818    /run/systemd/shutdownd
unix  2      [ ACC ]     STREAM     LISTENING     16403    /var/run/dbus/system_bus_socket

Only part of the information is shown here.
The option -t shows TCP connection information.
The option -n displays IP addresses without converting them to domain names.
The option -p displays the PID and program name.

[[email protected] ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0    *               LISTEN      1358/sshd           
tcp        0      0  *               LISTEN      2162/master         
tcp        0     52     ESTABLISHED 12044/sshd: [email protected] 
tcp6       0      0 :::5000                 :::*                    LISTEN      17222/docker-proxy  
tcp6       0      0 :::4243                 :::*                    LISTEN      16983/docker        
tcp6       0      0 :::22                   :::*                    LISTEN      1358/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2162/master         
[[email protected] ~]# 

Here, Proto is the protocol (TCP, UDP, etc.); Recv-Q and Send-Q are the receive and send queues, which are generally 0; a non-zero value indicates that data is waiting to be processed in the local receive or send buffer; Local Address and Foreign Address are the local and remote addresses respectively; State is the connection state, corresponding to the various TCP connection states; PID/Program name is the process ID and program name.
The option -l shows only connections whose state is LISTEN:

[[email protected] ~]# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0    *               LISTEN     
tcp        0      0  *               LISTEN     
tcp6       0      0 :::5000                 :::*                    LISTEN     
tcp6       0      0 :::4243                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
[[email protected] ~]#
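
The listener columns explained above are enough to audit which services accept connections on every interface rather than on loopback only. The following is an added example, not part of the original article: the function names and the port allowlist are assumptions, and the IPv4 lines of the sample are constructed because the article's addresses are not available.

```shell
#!/bin/sh
# Sample `netstat -antp` output. The tcp6 lines are the ones shown in the
# article; the three tcp lines are constructed (192.0.2.x and 198.51.100.x
# are documentation addresses).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1358/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2162/master
tcp        0     52 192.0.2.10:22           198.51.100.7:50312      ESTABLISHED 12044/sshd: root@pts/0
tcp6       0      0 :::5000                 :::*                    LISTEN      17222/docker-proxy
tcp6       0      0 :::4243                 :::*                    LISTEN      16983/docker
tcp6       0      0 :::22                   :::*                    LISTEN      1358/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2162/master'

# wildcard_listeners: read numeric netstat output (-n is required) on stdin
# and print "proto port pid/program" for every LISTEN socket bound to a
# wildcard address (0.0.0.0, :: or *), i.e. reachable on all interfaces.
wildcard_listeners() {
    awk '$6 == "LISTEN" {
             n = split($4, part, ":")          # port is the last ":" field
             port = part[n]
             host = substr($4, 1, length($4) - length(port) - 1)
             if (host == "0.0.0.0" || host == "::" || host == "*")
                 print $1, port, ($7 == "" ? "-" : $7)
         }'
}

# unexpected_listeners PORT...: like wildcard_listeners, but drop the ports
# given as arguments (the allowlist of services meant to be exposed).
unexpected_listeners() {
    allowed=" $* "
    wildcard_listeners | while read -r proto port prog; do
        case "$allowed" in
            *" $port "*) ;;                    # expected, stay silent
            *) printf '%s %s %s\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# Stand-alone run: only ssh (22) is expected to be exposed on this host.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22
```

On a live host, pipe the output of netstat -ntlp into unexpected_listeners with the ports that are meant to be reachable; listeners bound to 127.0.0.1 or ::1 are never reported.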

The option -u shows UDP connection information.
The option -r shows routing information:

[[email protected] ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         UG        0 0          0 ens33   U         0 0          0 ens33   U         0 0          0 ens32   UG        0 0          0 ens33

The option -i displays interface information:

[[email protected] ~]# netstat -i
Kernel Interface table
ens32     1500 13196107      0     77 0          3246      0      0      0 BMRU
ens33     1500 25312388      0     88 0       2516050      0      0      0 BMRU
lo       65536  2503589      0      0 0       2503589      0      0      0 LRU

13. tcpdump: network packet capture tool

The tcpdump command captures the packets on a network interface that match the expression expression and prints a description of the packet contents.
The option -i specifies the network card:

[[email protected] ~]# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
15:41:59.121948 IP > UDP, length 58
15:41:59.122191 IP > UDP, length 57
15:41:59.128282 IP > Flags [P.], seq 749565300:749565496, ack 3522345564, win 255, length 196
15:41:59.134127 IP > Flags [.], ack 196, win 3977, length 0
15:41:59.140319 ARP, Request who-has tell, length 46
15:41:59.168328 ARP, Request who-has tell, length 46
15:41:59.262235 ARP, Request who-has tell, length 46
15:41:59.622090 IP > UDP, length 58
15:41:59.622178 IP > UDP, length 57

After the command starts, it reports that -v or -vv can be used to show more details, and that it has started capturing packets on ens33. The output then shows the header information of each packet sent or received (including ARP, IP, TCP, UDP, etc.). This command does not specify an expression, so all packets are captured by default.
If you need to capture packets and then analyze them with another program such as Wireshark, use the option -w file to write the data to a file, together with the option -s 0, which sets the capture size to 65535 bytes so that packets are not truncated and left impossible to analyze.
In a real environment, the volume of packets flowing through a network card is huge, so you can use an expression to filter them. Every packet is tested against the expression and is output only when the expression evaluates to true.
expression can contain conditions specified by one or more keywords, and can use and (or &&), or (or ||), not (or !) and parentheses () to express the logical relationship between keywords. You can use > and < for comparison, and arithmetic can be used. The keywords include:
type: type keywords such as host, net, port and portrange, indicating host, network segment, port number and port range respectively.
direction: direction keywords such as src and dst, indicating source and destination respectively.
proto: protocol keywords such as fddi, arp, ip, tcp and udp, indicating the various network protocols.
Due to limited space, the following examples only describe what the options and expressions do and do not explain the output:

tcpdump -i ens33 dst host
# Capture all packets sent through interface ens33 to the given host; the host can also be a host name
tcpdump -i eth0 host ! and ! and dst port 80
# Listen on interface eth0 and capture packets that are not from or to the two hosts and whose destination port is 80
tcpdump tcp port 23 host
# Capture the telnet packets received or sent by the host
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and src net (183.60.190 or 122.13.220)' -s0 -i eth0 -w ipdump
# Capture packets whose source or destination port is 80, whose source network is one of the two given in the expression, and that contain data (not TCP packets without data such as SYN, FIN and ACK-only), and write them to the file ipdump
# Note that the expression is enclosed in single quotes to avoid syntax errors caused by the shell interpreting special characters
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and ! src and dst net 10.0.0'
# Print only the start and end packets of TCP (SYN and FIN flags), and the source and target network segments are not
tcpdump 'gateway and ip[2:2] > 576'
# Capture IP packets sent to gateway and larger than 576 bytes
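
The "contains data" term of the port 80 filter above is header arithmetic: IP total length minus IP header length minus TCP header length. The following added example (not part of the original article) carries out the same arithmetic in shell on three constructed packets; the function names and the hex strings, which hold header bytes only, are made up for illustration.

```shell
#!/bin/sh
# Constructed packets as hex strings starting at the IP header (checksums
# zeroed, 192.0.2.1 -> 192.0.2.2, port 50000 -> 80). TCP options and payload
# bytes are cut off, since the filter reads header fields only.
# SYN: total length 60, 20-byte IP header, 40-byte TCP header (with options)
PKT_SYN='4500003c1c46400040060000c0000201c0000202c35000500000000100000000a002721000000000'
# PSH/ACK: total length 72, 20-byte IP header, 32-byte TCP header
PKT_DATA='450000481c47400040060000c0000201c0000202c35000500000000100000001801801f600000000'
# Bare ACK with a 4-byte IP option: total 44, 24-byte IP header, 20-byte TCP
PKT_IPOPT='4600002c1c48400040060000c0000201c000020294040000c35000500000000200000002501001f600000000'

# byte_at HEX OFFSET: print the decimal value of the byte at OFFSET (0-based).
byte_at() {
    first=$(( $2 * 2 + 1 ))
    echo $(( 0x$(printf '%s' "$1" | cut -c"$first"-"$(( first + 1 ))") ))
}

# tcp_payload_len HEX: print the TCP payload length, term by term as in the
# filter. Fails (exit 1) when the string is too short to hold the fields.
tcp_payload_len() {
    pkt=$1
    [ "${#pkt}" -ge 40 ] || return 1
    total=$(( $(byte_at "$pkt" 2) * 256 + $(byte_at "$pkt" 3) ))  # ip[2:2]
    ihl=$(( ($(byte_at "$pkt" 0) & 0xf) << 2 ))                   # (ip[0]&0xf)<<2
    [ "${#pkt}" -ge $(( (ihl + 13) * 2 )) ] || return 1
    # tcp[12] is relative to the TCP header, which starts ihl bytes in; with
    # IP options present, assuming a fixed 20 would read the wrong byte.
    thl=$(( ($(byte_at "$pkt" $(( ihl + 12 ))) & 0xf0) >> 2 ))    # (tcp[12]&0xf0)>>2
    echo $(( total - ihl - thl ))
}

# carries_data HEX: succeed when the filter's "... != 0" term would match.
carries_data() {
    len=$(tcp_payload_len "$1") && [ "$len" -ne 0 ]
}

# Stand-alone run over the constructed packets.
for name in PKT_SYN PKT_DATA PKT_IPOPT; do
    eval "p=\$$name"
    if carries_data "$p"; then verdict=captured; else verdict=skipped; fi
    echo "$name: payload $(tcp_payload_len "$p") bytes, $verdict"
done
```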

There are many more network-related commands; they will be introduced in the next article.