This article covers network-related commands. The author assumes the reader has basic knowledge of the TCP/IP protocol stack. For each command and its output, only the basic usage and a general description are given; the underlying protocols are not explained in detail.
Networking is undoubtedly very important today, and Linux provides a wealth of network testing and management commands. Let's look at them together.
ping: send an ICMP echo request and wait for the ICMP echo reply.
ping [OPTIONS]... destination
Here:
destination: can be a destination IP address or a domain/host name.
-c: specify the number of request messages to send. Without this option, ping on Linux keeps sending requests until it is terminated manually.
[[email protected] ~]# ping -c 3 www.baidu.com
PING www.a.shifen.com (220.127.116.11) 56(84) bytes of data.
64 bytes from 18.104.22.168: icmp_seq=1 ttl=52 time=1.35 ms
64 bytes from 22.214.171.124: icmp_seq=2 ttl=52 time=1.32 ms
64 bytes from 126.96.36.199: icmp_seq=3 ttl=52 time=1.22 ms

--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.225/1.303/1.359/0.064 ms
First, ping asks the domain name server (DNS) to resolve the domain name www.baidu.com to an IP address. DNS returns an alias of the domain name, www.a.shifen.com, and the corresponding IP address 188.8.131.52. Ping then starts sending request messages to this address, one every second. Each ICMP echo reply is shown on the terminal with its icmp_seq, TTL and round-trip time. Finally a summary is printed: how many messages were sent and received, the total time, and the minimum, average, maximum and mean deviation (mdev) of the round-trip time (the larger the mdev, the more unstable the network).
[[email protected] ~]# ping www.a.com
ping: unknown host www.a.com
When the destination domain name cannot be resolved to an IP address, an unknown host error is reported.
[[email protected] ~]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C   (press Ctrl+C here to terminate the process manually)
--- 192.168.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4999ms
When there is no route to the destination IP address, no ICMP echo reply is received at all.
[[email protected] ~]# ping -c2 10.0.1.2
PING 10.0.1.2 (10.0.1.2) 56(84) bytes of data.
From 10.0.1.254 icmp_seq=1 Destination Host Unreachable
From 10.0.1.254 icmp_seq=2 Destination Host Unreachable

--- 10.0.1.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
pipe 2
The Destination Host Unreachable error is shown when the route to the destination IP address is unreachable.
ICMP error replies also include other types, such as request timed out.
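The messages ping exchanges are simple enough to build by hand. The following is an added example, not code from the original article: it constructs the ICMP echo request that ping sends (the default 56-byte payload gives the 64-byte message shown in the output above), computes the RFC 1071 checksum, parses a reply and checks that the reply really belongs to the request (same id, sequence number and payload), which is how ping pairs replies with requests. The packet bytes are constructed in code; nothing is sent on the network.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload.
    The checksum is computed with the checksum field set to zero."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"A" * 56) -> bytes:
    """The 56-byte default payload gives the 64-byte ICMP message seen in ping's output."""
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_echo(packet: bytes) -> dict:
    """Parse an ICMP echo request/reply; reject short or corrupted packets."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if inet_checksum(packet) != 0:  # a valid packet sums to zero when its checksum is included
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def simulate_reply(request: bytes) -> bytes:
    """What the responding host does: copy id, seq and payload into an echo reply (constructed here)."""
    req = parse_echo(request)
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a request when it is an echo reply with the same id, seq and payload."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and rep["id"] == req["id"] and rep["seq"] == req["seq"]
            and rep["payload"] == req["payload"])


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1)
    print(len(req), "bytes, reply matches:", reply_matches(req, simulate_reply(req)))
```

The id field is what lets several ping processes on one host tell their replies apart, and the checksum test in parse_echo is the same check the kernel applies before handing a reply to ping.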
hostname: display or set the system host name
hostname [OPTIONS]... [NAME]
Running hostname directly displays the host name:
[[email protected] temp]# hostname
centos7
[[email protected] temp]#
This host name is returned by the system's gethostname(2) function.
You can change the host name temporarily by executing hostname NAME:
[[email protected] temp]# hostname NAME
[[email protected] temp]# hostname
NAME
This temporary change actually modifies the hostname kept by the Linux kernel, which is stored in /proc/sys/kernel/hostname. To make a permanent change, edit the configuration file /etc/sysconfig/network (on CentOS 7, /etc/hostname). Note that if the hostname in the configuration file is localhost.localdomain, the system takes the IP address of the network interface, looks up the corresponding host name for that address in /etc/hosts, and sets that as the final host name.
host: query the DNS server specified in the configuration file /etc/resolv.conf for the IP address of NAME:
[[email protected] temp]# host www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 184.108.40.206
www.a.shifen.com has address 220.127.116.11
dig: the syntax is the same as that of host, but more details and options are provided:
[[email protected] ~]# dig www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22125
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          113     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       113     IN      A       18.104.22.168
www.a.shifen.com.       113     IN      A       22.214.171.124

;; Query time: 2 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: April 10 12:31:20 CST 2016
;; MSG SIZE  rcvd: 90

[[email protected] ~]#
To query only the A record of the domain name and display it in short format:
[[email protected] ~]# dig www.baidu.com A +short
www.a.shifen.com.
184.108.40.206
220.127.116.11
[[email protected] ~]#
Or, with +noall +answer, print only the answer section (+nocmd also suppresses the command echo at the top):
[[email protected] ~]# dig +nocmd www.baidu.com A +noall +answer
www.baidu.com.          252     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       252     IN      A       18.104.22.168
www.a.shifen.com.       252     IN      A       22.214.171.124
@server can also be used to specify the DNS server to query:
[[email protected] ~]# dig +noall +answer www.baidu.com A @126.96.36.199
www.baidu.com.          21      IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       263     IN      A       188.8.131.52
www.a.shifen.com.       263     IN      A       184.108.40.206
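What host and dig do underneath is send a DNS query message and decode the answer section. The following is an added example, not code from the original article: it builds an A query with the rd (recursion desired) flag, then parses a reply of the same shape as the one shown above (a CNAME followed by two A records). The reply is constructed in code with the name-compression pointers real servers use, so the parser has to follow them; the names www.example.com / www.alias.example and the 192.0.2.x addresses are documentation values, not the article's.

```python
import struct

QTYPE_A, QTYPE_CNAME = 1, 5


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset just after the name).
    Pointers (top two bits 11) are followed a bounded number of times so a looping message cannot hang us."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2  # the name in place ends after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name: str, qtype: int = QTYPE_A, ident: int = 0x1234) -> bytes:
    """Header: id, flags 0x0100 (rd), 1 question, 0 answers; then the question (name, type, class IN)."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(msg: bytes) -> dict:
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_CNAME:
            value, _ = decode_name(msg, off)  # rdata is a name and may itself be compressed
        else:
            value = rdata.hex()
        off += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": ident, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def short_format(resp: dict) -> list:
    """The same information dig +short prints: only the answer rdata, in order."""
    return [rr["data"] for rr in resp["answers"]]


def build_sample_response(query: bytes) -> bytes:
    """CONSTRUCTED reply: CNAME then two A records, with compression pointers like a real server."""
    ident = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 3, 0, 0)  # qr rd ra, rcode 0, 3 answers
    qname_ptr = b"\xC0\x0C"  # pointer to the question name at offset 12
    target = encode_name("www.alias.example.")
    cname_rr = qname_ptr + struct.pack("!HHIH", QTYPE_CNAME, 1, 113, len(target)) + target
    target_off = 12 + len(question) + 2 + 10  # where `target` lands in the message
    target_ptr = struct.pack("!H", 0xC000 | target_off)

    def a_rr(ip):
        return target_ptr + struct.pack("!HHIH", QTYPE_A, 1, 113, 4) + bytes(ip)

    return header + question + cname_rr + a_rr((192, 0, 2, 10)) + a_rr((192, 0, 2, 11))
```

Matching the reply's id against the query's (and, in a real client, also the source port and question) is what stops a stray or forged answer from being accepted as the response to our query.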
See the manual page for more options.
tracepath: trace the path to a destination address:
[[email protected] ~]# tracepath www.baidu.com
 1?: [LOCALHOST]                                         pmtu 1500
 1:  10.0.1.103                                            0.396ms
 1:  10.0.1.103                                            0.350ms
 2:  220.127.116.11                                        1.187ms asymm  3
 3:  18.104.22.168                                         8.186ms
 4:  22.214.171.124                                        1.117ms
 5:  126.96.36.199                                         8.554ms asymm 12
 6:  188.8.131.52                                          1.694ms asymm 12
 7:  184.108.40.206                                        3.934ms asymm 10
 8:  220.127.116.11                                        2.703ms asymm 10
....
Only part of the output is listed here. It shows the route traced to the destination address, one line per hop with the time that hop took to reply.
ifconfig: configure a network interface
With no parameters, the command displays the information of all network interfaces:
[[email protected] ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.71.254  netmask 255.255.255.0  broadcast 172.20.71.255
        inet6 fe80::250:56ff:fea4:fe34  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a4:fe:34  txqueuelen 1000  (Ethernet)
        RX packets 11996157  bytes 775368588 (739.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 888 (888.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.254  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::250:56ff:fea4:a09  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a4:0a:09  txqueuelen 1000  (Ethernet)
        RX packets 20941185  bytes 1307830447 (1.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 147552  bytes 11833605 (11.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[[email protected] ~]#
Two network cards, ens32 and ens33, and the loopback interface lo are shown in this example. The information includes the MTU, IP address, netmask, MAC address, received and transmitted data, and so on.
-s: show condensed information:
[[email protected] ~]# ifconfig -s ens32
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ens32     1500 11996951      0      0 0            12      0      0      0 BMRU
For example, to add a new address 10.0.1.4 to ens33:
[[email protected] ~]# ifconfig ens33:0 10.0.1.4/24 up
[[email protected] ~]# ifconfig ens33:0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.4  netmask 255.255.255.0  broadcast 10.0.1.255
        ether 00:50:56:a4:0a:09  txqueuelen 1000  (Ethernet)
/24 gives the mask of the interface address, and up enables the interface. Note that if the IP address is already in use the command still succeeds, but there may be conflicts when the address is accessed.
Disable an interface:
[[email protected] ~]# ifconfig ens33:0 down
To permanently add or modify the address of an interface, it is better to edit the network card configuration file directly, /etc/sysconfig/network-scripts/ifcfg-ens33 (other systems use the corresponding file), change the IPADDR field, and restart the network with systemctl restart network or service network restart for it to take effect.
arp: display the system ARP cache; arping: send an ARP request to a neighbouring host.
[[email protected] ~]# arp -a
? (10.0.1.1) at 68:8f:84:01:f1:ff [ether] on ens33
? (10.0.1.102) at 00:50:56:a4:18:9a [ether] on ens33
? (10.0.1.254) at 00:50:56:a4:a9:16 [ether] on ens33
? (10.0.1.10) at 00:50:56:a4:d2:e4 [ether] on ens33
? (10.0.1.104) at 00:50:56:a4:37:a7 [ether] on ens33
? indicates that the host name is unknown, and the interface name at the end is the network interface the ARP entry belongs to.
If an address behaves unstably, arping can be used to test whether there is a MAC address conflict for that address:
[[email protected] ~]# arping 10.0.1.252 -I ens33
ARPING 10.0.1.252 from 10.0.1.254 ens33
Unicast reply from 10.0.1.252 [00:50:56:A4:65:71]  0.843ms
Unicast reply from 10.0.1.252 [00:50:56:A4:0A:09]  1.034ms
The MAC addresses in the two replies differ, which indicates that two network cards are configured with the same IP address. The option -I specifies the network interface from which the ARP requests are sent.
If you have just changed the IP address of a network card but the ARP table entry of the upstream device (such as a switch) is still the old one, arping can be used to force a refresh:
[[email protected] ~]# arping -c3 -I ens33 -s 10.0.1.254 10.0.1.1
ARPING 10.0.1.1 from 10.0.1.254 ens33
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  19.466ms
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  2.358ms
Unicast reply from 10.0.1.1 [68:8F:84:01:F1:FF]  24.305ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)
-c specifies the number of ARP requests to send, -s specifies the source address, and the last IP is the destination of the requests (here the gateway address).
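The conflict check above is easy to automate when arping is run periodically from a monitoring job. The following is an added example, not code from the original article: it parses arping output (a constructed sample in the same format as the one above) and reports every IP address for which more than one MAC address answered. Two MACs answering for one IP means either a duplicate address or a host answering on behalf of another, and both deserve a look.

```python
import re
from collections import defaultdict

# CONSTRUCTED arping output modelled on the article's example: two different MACs answer for one IP.
SAMPLE_ARPING_OUTPUT = """\
ARPING 10.0.1.252 from 10.0.1.254 ens33
Unicast reply from 10.0.1.252 [00:50:56:A4:65:71]  0.843ms
Unicast reply from 10.0.1.252 [00:50:56:A4:0A:09]  1.034ms
Unicast reply from 10.0.1.252 [00:50:56:A4:65:71]  0.790ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)
"""

# "Unicast reply from <ip> [<mac>]  <rtt>ms"
REPLY_RE = re.compile(r"^Unicast reply from (\S+) \[([0-9A-Fa-f:]{17})\]\s+([\d.]+)ms", re.M)


def replies_by_ip(output: str) -> dict:
    """Map each answering IP to the set of MAC addresses that claimed it (lower-cased)."""
    seen = defaultdict(set)
    for ip, mac, _rtt in REPLY_RE.findall(output):
        seen[ip].add(mac.lower())
    return dict(seen)


def find_conflicts(output: str) -> dict:
    """IPs for which more than one MAC replied, each with its sorted list of MACs."""
    return {ip: sorted(macs) for ip, macs in replies_by_ip(output).items() if len(macs) > 1}


def reply_count(output: str) -> int:
    """Number of replies seen; compare with the probes sent to spot silent hosts."""
    return len(REPLY_RE.findall(output))


if __name__ == "__main__":
    print(find_conflicts(SAMPLE_ARPING_OUTPUT))
```

Feeding the output of `arping -c3 -I ens33 ADDRESS` into find_conflicts gives an empty dict in the healthy case; a non-empty result is the condition described above.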
route: show or change the routing table
[[email protected] ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ens33
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens32
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 ens33
172.20.71.0     0.0.0.0         255.255.255.0   U     0      0        0 ens32
192.168.78.0    10.0.1.104      255.255.255.0   UG    0      0        0 ens33
Destination: the destination network segment or target host;
Gateway: the gateway address;
Genmask: the mask of the destination network segment;
Flags: the route flags, where U means the route is up (enabled) and G means it goes through a gateway;
Metric: the distance to the target, usually expressed in hops;
Ref: the number of references to the route;
Use: the route lookup count;
Iface: the outgoing interface of this route.
-n: display destination network segments in numeric form (no name resolution).
add / del: add or remove a route.
-net / netmask: specify the destination network segment and its mask.
gw: specify the gateway.
dev IF: specify the outgoing network interface.
To add a route to 192.56.76.x whose exit is ens32:
route add -net 18.104.22.168 netmask 255.255.255.0 dev ens32
To add a default route whose gateway is 10.0.1.1:
route add default gw 10.0.1.1
To add a route to 172.20.70.0/24 via the gateway 10.0.1.2:
route add -net 172.20.70.0/24 gw 10.0.1.2
To delete the default route:
route del default
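The kernel consults this table with a longest-prefix match: the most specific Destination/Genmask that contains the packet's address wins, the default route (0.0.0.0/0) matches last, and a packet with no matching route is rejected with "Network is unreachable". The following is an added example, not code from the original article: it parses a table in the layout printed by route (constructed here from the routes that appear in this article), performs the lookup, and mirrors route add / route del, including the check that a gateway must itself be on a directly connected network.

```python
import ipaddress

# CONSTRUCTED table in `route` layout, using the routes shown elsewhere in this article.
SAMPLE_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.1.103      0.0.0.0         UG    0      0        0 ens33
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ens33
172.20.71.0     0.0.0.0         255.255.255.0   U     0      0        0 ens32
192.168.78.0    10.0.1.104      255.255.255.0   UG    0      0        0 ens33
"""


def parse_route_table(text: str) -> list:
    """One dict per route: network, gateway (None for directly connected), flags, metric, iface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"
        routes.append({
            "net": ipaddress.ip_network("%s/%s" % (dest, mask), strict=False),
            "gateway": None if gw == "0.0.0.0" else ipaddress.ip_address(gw),
            "flags": flags, "metric": int(metric), "iface": iface,
        })
    return routes


def lookup(routes: list, dst: str):
    """Longest-prefix match among enabled (U) routes; lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if "U" in r["flags"] and addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def next_hop(routes: list, dst: str):
    """(address the frame is sent to, interface), or None when the destination is unreachable."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (str(r["gateway"]) if r["gateway"] is not None else dst, r["iface"])


def add_route(routes: list, net: str, gw: str = None, dev: str = None) -> None:
    """Mirror of `route add -net NET gw GW` / `dev IF`. Without dev, the exit interface comes
    from the gateway's own route, and a gateway that is not on a connected network is refused."""
    network = ipaddress.ip_network(net, strict=False)
    gateway = ipaddress.ip_address(gw) if gw else None
    if dev is None:
        if gateway is None:
            raise ValueError("either a gateway or a device is required")
        via = lookup(routes, str(gateway))
        if via is None or via["gateway"] is not None:
            raise ValueError("SIOCADDRT: Network is unreachable")  # the message route prints
        dev = via["iface"]
    routes.append({"net": network, "gateway": gateway, "flags": "UG" if gateway else "U",
                   "metric": 0, "iface": dev})


def del_route(routes: list, net: str) -> int:
    """Mirror of `route del`; returns how many entries were removed ("0.0.0.0/0" is the default route)."""
    network = ipaddress.ip_network(net, strict=False)
    before = len(routes)
    routes[:] = [r for r in routes if r["net"] != network]
    return before - len(routes)


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_OUTPUT)
    for dst in ("10.0.1.50", "192.168.78.5", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
```

Running the lookup against a captured table is a quick way to confirm which interface and gateway a given destination will really use before changing anything on the live system.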
telnet: remote login
Because the telnet protocol transmits everything in clear text, it is not suitable for environments that require secure login. Today it is commonly used to test whether a network service port is reachable:
[[email protected] ~]# telnet 10.0.1.251 80
Trying 10.0.1.251...
Connected to 10.0.1.251.
Escape character is '^]'.
^]   (press Ctrl+] here, or Ctrl+C, to exit)
telnet> quit
Connection closed.
Port 80 on the other side is open and accepts connections.
When the peer port is not open:
[[email protected] ~]# telnet 10.0.1.251 81
Trying 10.0.1.251...
telnet: connect to address 10.0.1.251: No route to host
(This particular message means an ICMP unreachable came back, typically from a firewall on the host or on the path; a port that is simply closed answers with a TCP reset, which gives the next message.)
When the peer refuses the connection:
[[email protected] ~]# telnet 10.0.1.251 8085
Trying 10.0.1.251...
telnet: connect to address 10.0.1.251: Connection refused
ssh: remote login program
ssh [OPTIONS]... [user@]hostname [command]
ssh stands for secure shell; it provides secure, encrypted communication between hosts over an insecure network and is intended to replace other remote login protocols.
[[email protected] ~]# ssh 10.0.1.253
The authenticity of host '10.0.1.253 (10.0.1.253)' can't be established.
ECDSA key fingerprint is 96:bd:a3:a7:87:09:1b:53:44:4c:9b:b9:5f:b2:97:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.253' (ECDSA) to the list of known hosts.
root@10.0.1.253's password:   (enter the password here)
Last login: Fri Nov 11 09:04:01 2016 from 192.168.78.137
[root@idc-v-71253 ~]#   (logged in)
When ssh is given only the host IP, it logs in as the default user, root here. On the first login you must confirm adding the host's authentication key; after entering yes, a record for the host is added to /root/.ssh/known_hosts on the local machine, and no confirmation is needed the next time. This first prompt is the moment to compare the fingerprint with one obtained from the host's administrator; a later warning that the recorded key has changed should be treated as a possible impersonation of the host, not waved through. Then the user password is entered; after verification we get a shell on the target host and can execute commands in it.
Typing exit in the new shell returns to the original shell.
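The fingerprint shown in the first-login prompt is a hash of the host's public key, and the known_hosts entry is the key itself. The following is an added example, not code from the original article: it computes both fingerprint formats from an OpenSSH public-key line (the colon-separated MD5 form shown in the output above, and the SHA256 form current OpenSSH prints) and reproduces the decision ssh makes against a plain, unhashed known_hosts file: unknown host (prompt), matching key (connect), or a different key for a known host (the warning case). The key is a constructed ssh-ed25519 blob with a dummy 32-byte value, not a real key, and the known_hosts text is constructed too.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def read_ssh_string(blob: bytes, off: int):
    (length,) = struct.unpack("!I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def make_constructed_pubkey_line(raw32: bytes = b"\x42" * 32) -> str:
    """CONSTRUCTED: an ssh-ed25519 public-key line with the right wire format but a dummy key value."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def fingerprints(pubkey_line: str) -> dict:
    """MD5 colon-hex (the format in the page's ssh output) and SHA256 base64 fingerprints of the key blob."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1])
    blob_type, _ = read_ssh_string(blob, 0)
    if blob_type.decode("ascii") != parts[0]:
        raise ValueError("key type inside the blob does not match the declared type")
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return {
        "type": parts[0],
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256,
    }


def check_known_hosts(known_hosts: str, host: str, pubkey_line: str) -> str:
    """Decision ssh makes on connect, for plain (unhashed) known_hosts lines:
    'unknown'  - no entry for this host and key type: the first-login prompt shown above
    'match'    - the recorded key: connect without asking
    'mismatch' - host known but the key differs: the host key changed, or another machine answers as this host
    """
    ktype, blob = pubkey_line.split()[:2]
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, line_type, line_blob = fields[0].split(","), fields[1], fields[2]
        if host not in hosts or line_type != ktype:
            continue
        seen = True
        if line_blob == blob:
            return "match"
    return "mismatch" if seen else "unknown"


if __name__ == "__main__":
    key = make_constructed_pubkey_line()
    print(fingerprints(key))
    print(check_known_hosts("10.0.1.253 " + key + "\n", "10.0.1.253", key))
```

A mismatch is the case in which ssh refuses password authentication outright; the right response is to find out why the key changed (reinstalled host, new key pair) rather than to delete the known_hosts line and retry.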
If you need to log in to a host frequently but do not want to enter the password every time, you can set up password-free (key-based) login:
[[email protected] ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   (press Enter)
Enter passphrase (empty for no passphrase):   (press Enter)
Enter same passphrase again:   (press Enter)
Your identification has been saved in /root/.ssh/id_rsa.   (private key)
Your public key has been saved in /root/.ssh/id_rsa.pub.   (public key)
The key fingerprint is:
be:c3:d0:02:50:35:35:fe:60:d6:2f:26:96:f0:e1:e6 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|          ...o.o |
|         . o o   |
|        . . * .  |
|         . * = . |
|        . .S + . |
|         o=.o .  |
|         +E      |
|         o.      |
|         ..      |
+-----------------+
[[email protected] ~]#
[[email protected] ~]# ssh-copy-id 10.0.1.253
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '10.0.1.253'"
and check to make sure that only the key(s) you wanted were added.

[[email protected] ~]#
ssh-keygen generates the public and private key pair; the option -t specifies the key type. Then ssh-copy-id sends the public key to the target host, for which the target host user's password must be entered once. Note that with an empty passphrase the private key file alone grants access to every host that holds the public key, so it must be protected at least as carefully as a password. After that you can log in without a password:
[[email protected] ~]# ssh 10.0.1.253
Last login: Fri Nov 11 11:08:37 2016 from 10.0.1.254
[[email protected] ~]#
You can also execute commands remotely through ssh:
[[email protected] ~]# ssh 10.0.1.252 "hostname"
root@10.0.1.252's password:
idc-v-71252          (the command's result is displayed)
[root@centos7 ~]#    (we are not logged in to the remote host; the prompt is still the local one)
Or copy the public key to the target host manually:
[[email protected] ~]# cat /root/.ssh/id_rsa.pub | ssh 10.0.1.252 "cat - >> /root/.ssh/authorized_keys"
root@10.0.1.252's password:
[root@centos7 ~]# ssh 10.0.1.252      (password-free login)
Last login: Thu Nov 10 14:42:11 2016 from 192.168.78.135
[[email protected] ~]#
-p: specify the port used for login:
[[email protected] temp]# ssh -p22 10.0.1.252
Last login: Fri Nov 11 11:44:31 2016 from 10.0.1.254
[[email protected] ~]#
The port is set in the server configuration file /etc/ssh/sshd_config; the default is 22. To change it, remove the comment from the #Port 22 line, change 22 to the required port, and restart the sshd service with service sshd restart or systemctl restart sshd.
To log in to the system as a different user, execute
ssh USER@HOST
ssh can be combined with pipes to back up local (remote) files to the remote (local) side:
tar zc /home/temp | ssh user@host "tar xz"     # back up the local temp directory to the remote host
ssh user@host "tar cz /home/temp" | tar xz     # back up the remote temp directory to the local host
-L [bind_address:]port:host:hostport: set up local port forwarding
[[email protected] ~]# ssh -L 2222:10.0.1.252:22 10.0.1.253
Last login: Mon Nov 14 10:34:43 2016 from 10.0.1.254
[root@idc-v-71253 ~]#   (logged in to the intermediate host; the forwarding stays active while this session lasts)
This command binds local port 2222 and forwards all data sent to that port, through the intermediate host 10.0.1.253, to port 22 of the target host 10.0.1.252. If you log in with ssh to port 2222 of this machine, you are actually logging in to host 10.0.1.252:
[[email protected] ~]# ssh -p 2222 127.0.0.1
Last login: Mon Nov 14 10:34:56 2016 from 10.0.1.253
[[email protected] ~]#
By default the port is bound on the local loopback address 127.0.0.1; to bind it on another address, give bind_address according to the syntax above. Binding to a non-loopback address makes the forwarded port reachable from other hosts on that network, so the loopback default is the right choice unless that is intended.
-N: do not execute a remote command; only useful when setting up port forwarding.
Because the port forwarding command above, ssh -L 2222:10.0.1.252:22 10.0.1.253, logs in to the intermediate host, the forwarding ends as soon as that session exits. With the -N option no login shell is started, so setting up the forwarding as a shell background job is a good choice (note that password-free login to the intermediate host is required for this):
[[email protected] ~]# ssh -N -L 2222:10.0.1.252:22 10.0.1.253 &
[1] 12432
[[email protected] ~]#
The & at the end of the command means it is executed in the background. In the returned line, [1] is the job number of the background command and 12432 is its PID. (Shell background jobs will be described in a later article.)
-R [bind_address:]port:host:hostport: set up remote port forwarding
If on 10.0.1.253 we run
ssh -R 2222:10.0.1.252:22 10.0.1.254
then on 10.0.1.254:
[[email protected] ~]# ssh -p 2222 localhost
Last login: Mon Nov 14 10:40:44 2016 from 10.0.1.253
[[email protected] ~]#
The meaning here is to make the remote host 10.0.1.254 (remote relative to 10.0.1.253) listen on port 2222 and forward all data sent to that port to port 22 of the target host 10.0.1.252. Logging in to local port 2222 on 10.0.1.254 then actually logs in to the target host 10.0.1.252 through the intermediate host 10.0.1.253.
-o OPTION: specify a configuration option (for example, to avoid having to type yes to confirm the host key on the first login, the corresponding option can be added; doing so gives up the protection host key checking provides against connecting to an impersonated host, so it is best kept to test environments).
scp: remote file copy
scp [OPTIONS]... [[user@]host1:]file1 ... [[user@]host2:]file2
Data is transmitted encrypted over the ssh protocol, and, as with ssh login, the remote host user's password must be entered.
To copy the file /root/a.txt from the remote host 10.0.1.251 to the local current directory:
[[email protected] ~]# scp [email protected]:/root/a.txt ./
[email protected]'s password:
a.txt                                         100%  125     0.1KB/s   00:00
[[email protected] ~]#
The command displays the transfer status (percentage, size, speed, time).
Copying a local file to a remote location is simply a matter of swapping the source and destination.
-P: specify the remote connection port (the ssh service port);
-o ssh_option: pass an ssh option;
-l limit: limit the transfer speed, where limit is in kbit/s;
-r: copy a directory recursively;
-p: preserve the file's modification times, access times and permissions.
netstat: print network information
-a: display all sockets (listening and established):
[[email protected] ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp        0     52 10.0.1.254:ssh          192.168.78.143:49583    ESTABLISHED
tcp6       0      0 [::]:commplex-main      [::]:*                  LISTEN
tcp6       0      0 [::]:4243               [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12807    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     12815    /run/lvm/lvmpolld.socket
unix  2      [ ]         DGRAM                    12818    /run/systemd/shutdownd
unix  2      [ ACC ]     STREAM     LISTENING     16403    /var/run/dbus/system_bus_socket
....
Only part of the output is shown here.
-t: show TCP connections
-n: show numeric IP addresses and ports without name resolution
-p: show the PID and program name
[[email protected] ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1358/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2162/master
tcp        0     52 10.0.1.254:22           192.168.78.143:49583    ESTABLISHED 12044/sshd: [email protected]
tcp6       0      0 :::5000                 :::*                    LISTEN      17222/docker-proxy
tcp6       0      0 :::4243                 :::*                    LISTEN      16983/docker
tcp6       0      0 :::22                   :::*                    LISTEN      1358/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2162/master
[[email protected] ~]#
Proto: the protocol (TCP, UDP, etc.);
Recv-Q / Send-Q: the receive and send queues, normally 0; a non-zero value means data is waiting to be processed in the local receive or send buffer;
Local Address / Foreign Address: the local and remote addresses;
State: the connection state, corresponding to the various TCP connection states;
PID/Program name: the process number and program name.
-l: show only sockets whose state is LISTEN:
[[email protected] ~]# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::5000                 :::*                    LISTEN
tcp6       0      0 :::4243                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
[[email protected] ~]#
-u: show UDP socket information
-r: show routing information
[[email protected] ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.1.103      0.0.0.0         UG        0 0          0 ens33
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 ens33
172.20.71.0     0.0.0.0         255.255.255.0   U         0 0          0 ens32
192.168.78.0    10.0.1.104      255.255.255.0   UG        0 0          0 ens33
-i: show interface information
[[email protected] ~]# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ens32     1500 13196107      0     77 0          3246      0      0      0 BMRU
ens33     1500 25312388      0     88 0       2516050      0      0      0 BMRU
lo       65536  2503589      0      0 0       2503589      0      0      0 LRU
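The netstat -antp listing is the first place to look when checking what a host exposes: a LISTEN socket bound to 0.0.0.0 or :: accepts connections on every interface, while one bound to 127.0.0.1 or ::1 is reachable only locally. The following is an added example, not code from the original article: it parses output in the layout shown above (a constructed sample with the same rows; the program name of the established session is shortened to a made-up value) and separates the listeners exposed on all interfaces from the loopback-only ones, and also flags connections with a non-zero queue.

```python
# CONSTRUCTED netstat -antp output in the layout shown in the article (program names shortened).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1358/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2162/master
tcp        0     52 10.0.1.254:22           192.168.78.143:49583    ESTABLISHED 12044/sshd: root@pts/0
tcp6       0      0 :::5000                 :::*                    LISTEN      17222/docker-proxy
tcp6       0      0 :::4243                 :::*                    LISTEN      16983/docker
tcp6       0      0 :::22                   :::*                    LISTEN      1358/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2162/master
"""

WILDCARD_ADDRS = {"0.0.0.0", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def split_addr(field: str):
    """'10.0.1.254:22' -> ('10.0.1.254', 22); ':::*' -> ('::', None). The port is after the last colon."""
    host, _, port = field.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> list:
    """One dict per TCP socket line; the program name is the 7th column and may contain spaces."""
    sockets = []
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        proto, recvq, sendq, local, foreign, state = parts[:6]
        pid_prog = parts[6] if len(parts) > 6 else "-"
        pid, _, program = pid_prog.partition("/")
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        sockets.append({"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
                        "lhost": lhost, "lport": lport, "fhost": fhost, "fport": fport,
                        "state": state, "pid": pid, "program": program})
    return sockets


def exposed_listeners(text: str) -> list:
    """Listening sockets bound to a wildcard address: what a remote party can reach."""
    return sorted({(s["proto"], s["lport"], s["program"]) for s in parse_netstat(text)
                   if s["state"] == "LISTEN" and s["lhost"] in WILDCARD_ADDRS})


def loopback_listeners(text: str) -> list:
    """Listening sockets reachable only from the host itself."""
    return sorted({(s["proto"], s["lport"], s["program"]) for s in parse_netstat(text)
                   if s["state"] == "LISTEN" and s["lhost"] in LOOPBACK_ADDRS})


def queued_connections(text: str) -> list:
    """Established connections with data waiting in the receive or send queue (non-zero Recv-Q/Send-Q)."""
    return [(s["lport"], s["fhost"], s["fport"], s["recvq"], s["sendq"]) for s in parse_netstat(text)
            if s["state"] == "ESTABLISHED" and (s["recvq"] or s["sendq"])]


if __name__ == "__main__":
    print("exposed:", exposed_listeners(SAMPLE_NETSTAT))
    print("loopback only:", loopback_listeners(SAMPLE_NETSTAT))
    print("queued:", queued_connections(SAMPLE_NETSTAT))
```

In the sample, ports 22, 4243 and 5000 are open to the network while smtp on 25 is loopback-only; comparing the exposed list against what a host is supposed to offer is a cheap, repeatable check.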
tcpdump: network packet capture tool
tcpdump captures the packets on a network interface that match an expression and prints a description of their contents.
-i: specify the network interface:
[[email protected] ~]# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
15:41:59.121948 IP 10.0.1.108.3693 > 22.214.171.124.websm: UDP, length 58
15:41:59.122191 IP 10.0.1.109.35673 > 126.96.36.199.websm: UDP, length 57
15:41:59.128282 IP 10.0.1.253.ssh > 192.168.78.143.51694: Flags [P.], seq 749565300:749565496, ack 3522345564, win 255, length 196
15:41:59.134127 IP 192.168.78.143.51694 > 10.0.1.253.ssh: Flags [.], ack 196, win 3977, length 0
15:41:59.140319 ARP, Request who-has 10.0.1.31 tell 10.0.1.102, length 46
15:41:59.168328 ARP, Request who-has 10.0.1.37 tell 10.0.1.102, length 46
15:41:59.262235 ARP, Request who-has 192.168.10.150 tell 192.168.10.151, length 46
15:41:59.622090 IP 10.0.1.108.3693 > 188.8.131.52.websm: UDP, length 58
15:41:59.622178 IP 10.0.1.109.35673 > 184.108.40.206.websm: UDP, length 57
....
After starting, the command reports that -v or -vv can be used to show more detail, and begins capturing packets on ens33. The output shows the header information of each packet sent or received (ARP, IP, TCP, UDP, etc.). No expression was given, so all packets are captured by default.
If you need to capture packets and analyse them later with another program such as Wireshark, use the option -w file to write the data to a file, together with the option -s 0 so that whole packets (up to 65535 bytes) are captured rather than truncated ones that cannot be analysed.
In a real environment the volume of packets flowing through a network card is huge, so expressions are used to filter them: each packet is evaluated against the expression and is only printed when the expression is true.
An expression can contain one or more conditions built from keywords, combined with logical operators (and, or, ! for not) and grouped with (); comparison operators such as < can also be applied to values computed from packet bytes. The keywords include:
type keywords, such as host, net, port and portrange, indicating a host, a network segment, a port number and a port range respectively.
direction keywords, such as src and dst, indicating source and destination respectively.
protocol keywords, such as tcp and udp, each indicating a network protocol.
Due to limited space, the following examples only describe the function of the options and expressions and do not explain the output:
tcpdump -i ens33 dst host 10.0.1.251
# Listen on ens33 and capture all packets sent to host 10.0.1.251; the host can also be given as a host name
tcpdump -i eth0 host ! 220.127.116.11 and ! 18.104.22.168 and dst port 80
# Listen on eth0 and capture packets that are neither from nor to hosts 22.214.171.124 and 126.96.36.199, with destination port 80
tcpdump tcp port 23 host 188.8.131.52
# Capture the telnet packets received or sent by host 184.108.40.206
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip&0xf)<<2)) - ((tcp&0xf0)>>2)) != 0) and src net (183.60.190 or 122.13.220)' -s0 -i eth0 -w ipdump
# Capture packets whose source or destination port is 80, whose source network is (220.127.116.11/24 or 18.104.22.168/24) and which carry data (not TCP packets without data such as SYN, FIN and pure ACK); write them to the file ipdump
# Note that the expression is enclosed in single quotes to avoid syntax errors caused by the shell interpreting special characters
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and ! src and dst net 10.0.0'
# Print only the start and end packets of TCP connections (SYN and FIN flags), excluding traffic whose source and destination are both in network 10.0.0.0/24
tcpdump 'gateway 10.0.1.1 and ip[2:2] > 576'
# Capture IP packets passing through gateway 10.0.1.1 that are larger than 576 bytes
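The byte-offset expressions in the last three examples are the part of tcpdump's filter language people find hardest to read, so it helps to evaluate them by hand. The following is an added example, not code from the original article: it builds IPv4+TCP packets in code (constructed, with checksums left zero since the filters do not read them) and evaluates the same conditions the expressions above express: ip[2:2] - ((ip&0xf)<<2) - ((tcp&0xf0)>>2) is the TCP payload length (IP total length minus IP header length minus TCP header length, where ip&0xf and tcp&0xf0 are tcpdump shorthand for ip[0]&0xf and tcp[12]&0xf0), tcp[tcpflags] & (tcp-syn|tcp-fin) tests the flag bits, and ip[2:2] > 576 compares the total length.

```python
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", ip_options=b"", tcp_options=b""):
    """CONSTRUCTED IPv4+TCP packet; only the fields the filters read are meaningful (checksums are 0)."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4        # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4      # TCP data offset in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0x4000, 64, 6, 0,
                         ip_bytes(src), ip_bytes(dst)) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, flags, 65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def ip_total_length(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]            # ip[2:2]


def ip_header_length(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) << 2                        # (ip&0xf)<<2


def tcp_header_length(pkt: bytes) -> int:
    tcp = pkt[ip_header_length(pkt):]
    return (tcp[12] & 0xF0) >> 2                       # (tcp&0xf0)>>2


def tcp_payload_length(pkt: bytes) -> int:
    """ip[2:2] - ((ip&0xf)<<2) - ((tcp&0xf0)>>2): the number of TCP data bytes."""
    return ip_total_length(pkt) - ip_header_length(pkt) - tcp_header_length(pkt)


def carries_data(pkt: bytes) -> bool:
    """The '... != 0' condition: true for packets with data, false for bare SYN/FIN/ACK."""
    return tcp_payload_length(pkt)!= 0


def tcp_flags(pkt: bytes) -> int:
    return pkt[ip_header_length(pkt) + 13]             # tcp[tcpflags], i.e. tcp[13]


def is_syn_or_fin(pkt: bytes) -> bool:
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"""
    return tcp_flags(pkt) & (TCP_SYN | TCP_FIN) != 0


def larger_than(pkt: bytes, size: int) -> bool:
    """ip[2:2] > size"""
    return ip_total_length(pkt) > size


if __name__ == "__main__":
    req = build_ipv4_tcp("10.0.1.10", "10.0.1.251", 49583, 80, TCP_ACK | TCP_PSH, b"GET / HTTP/1.0\r\n\r\n")
    print("payload bytes:", tcp_payload_length(req), "data:", carries_data(req), "syn/fin:", is_syn_or_fin(req))
```

Subtracting both header lengths rather than assuming 20 bytes each is what makes the filter correct for packets with IP or TCP options, which the test below exercises.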
There are many more network-related commands; they will be introduced in the next article.