
tcpdump usage notes

# tcpdump [options] [proto] [dir] [type] id

# proto: tcp/udp/icmp, ip/ip6, arp/rarp, ether/wlan
# dir:   src/dst/src or dst   (default: src or dst)
# type:  host/net/port/portrange   (default: host)

tcpdump host 11.11.11.11
tcpdump net 11.11.11.0/24
tcpdump src net 11.11

tcpdump port 8080 or port 80
tcpdump port 8080 or 80
tcpdump portrange 8000-8800
tcpdump port http
tcpdump http        # does NOT work: with no type qualifier a bare name means "host http", which tcpdump tries (and fails) to resolve as a hostname

tcpdump 'proto[expr:size]'   # size bytes of the given protocol header, starting at byte offset expr (size is 1, 2 or 4; default 1)

tcpdump "tcp[13] & 2 != 0"                    # byte 13 of the TCP header is the flags byte; 0x02 is the SYN bit
tcpdump "tcp[tcpflags] & tcp-syn != 0"        # same filter using the named offset/flag constants

tcpdump -r input.file -w single.pcap host xxx and port xxx
-w  write the captured packets to a file
-r  read packets from a file instead of an interface (options go before the filter expression)


wireshark byte matching

Starting at byte offset 4 (the 5th byte) of the TCP payload, match 2 bytes:
tcp.payload[4:2] == 15:50

Get TCP packets whose payload length is > 0 (packets that actually carry data)

  The payload length is computed from the raw headers: ip[2:2] is the IPv4 total length,
  (ip[0]&0xf)<<2 is the IP header length, and (tcp[12]&0xf0)>>2 is the TCP header length
  (both stored in 32-bit words). Use straight quotes around the expression; curly quotes break the shell.

  • filter packets with payload > 0
    tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

  • filter packets with payload in [4,6] bytes
    tcpdump -n -s0 -p -i eth0 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)'
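The byte-offset filters above (the `tcp[13] & 2` SYN check, the Wireshark `tcp.payload[4:2]` slice, and the payload-length arithmetic) all index raw header bytes. The script below is an added example, not part of the original notes: it builds three constructed IPv4/TCP packets (addresses, ports and payload bytes are made up), evaluates each of those expressions on the raw bytes the same way BPF does, and writes the packets to a pcap so the real tcpdump filters can be checked offline with `tcpdump -r`.

```python
"""Added example (not from the original notes): evaluate the page's tcpdump
byte-offset filters in Python on constructed packets, then write them to a
pcap so the real filters can be checked with `tcpdump -r`.

tcpdump's ip[...] / tcp[...] index raw header bytes, so the expressions map to:
  (ip[0] & 0xf) << 2      IPv4 IHL (32-bit words) -> IP header length in bytes
  ip[2:2]                 IPv4 total length
  (tcp[12] & 0xf0) >> 2   TCP data offset (32-bit words) -> TCP header length in bytes
  tcp[13] & 0x02          SYN bit of the TCP flags byte
Addresses, ports and payload bytes below are made up for the demonstration.
"""
import struct

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def ipv4_header(src, dst, total_len, proto=6):
    """20-byte IPv4 header with no options (IHL=5). The checksum is left zero:
    BPF filters never verify it, so it does not affect the filters shown here."""
    ver_ihl = (4 << 4) | 5
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0x4000, 64, proto, 0, src_b, dst_b)


def tcp_header(sport, dport, flags, options=b""):
    """TCP header; the data-offset nibble is derived from the padded option length."""
    options += b"\x00" * (-len(options) % 4)
    data_off_words = 5 + len(options) // 4
    off_flags = (data_off_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, off_flags, 65535, 0, 0) + options


def build_packet(sport, dport, flags, payload=b"", options=b""):
    """Raw IPv4 packet with no link-layer header, which is what ip[...] offsets are relative to."""
    tcp = tcp_header(sport, dport, flags, options)
    return ipv4_header("11.11.11.11", "11.11.11.12", 20 + len(tcp) + len(payload)) + tcp + payload


# --- the BPF expressions from the notes, evaluated on raw bytes --------------
def ip_hdr_len(pkt):        # (ip[0]&0xf)<<2
    return (pkt[0] & 0x0F) << 2


def ip_total_len(pkt):      # ip[2:2]
    return struct.unpack("!H", pkt[2:4])[0]


def tcp_hdr_len(pkt):       # (tcp[12]&0xf0)>>2
    return (pkt[ip_hdr_len(pkt) + 12] & 0xF0) >> 2


def tcp_payload_len(pkt):   # ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)
    return ip_total_len(pkt) - ip_hdr_len(pkt) - tcp_hdr_len(pkt)


def is_syn(pkt):            # tcp[13] & 2 != 0  (same as tcp[tcpflags] & tcp-syn != 0)
    return pkt[ip_hdr_len(pkt) + 13] & TCP_SYN != 0


def payload_slice(pkt, offset, length):
    """Wireshark's tcp.payload[offset:length]."""
    start = ip_hdr_len(pkt) + tcp_hdr_len(pkt)
    return pkt[start:ip_total_len(pkt)][offset:offset + length]


def pcap_bytes(packets):
    """Minimal pcap file: link type 101 = LINKTYPE_RAW (raw IP, no Ethernet header)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


# Constructed sample traffic: a SYN with an MSS option (no data), a bare ACK
# (no data), and a PSH/ACK carrying 6 bytes whose bytes 4-5 are 0x15 0x50.
SYN_PKT = build_packet(40000, 80, TCP_SYN, options=b"\x02\x04\x05\xb4")
ACK_PKT = build_packet(40000, 80, TCP_ACK)
DATA_PKT = build_packet(40000, 80, TCP_PSH | TCP_ACK, payload=b"\x00\x00\x00\x00\x15\x50")
SAMPLE = [SYN_PKT, ACK_PKT, DATA_PKT]

if __name__ == "__main__":
    for name, pkt in zip(("SYN", "ACK", "DATA"), SAMPLE):
        print(f"{name}: ip_hdr={ip_hdr_len(pkt)} tcp_hdr={tcp_hdr_len(pkt)} "
              f"payload={tcp_payload_len(pkt)} syn={is_syn(pkt)}")
    with open("test.pcap", "wb") as f:
        f.write(pcap_bytes(SAMPLE))
```

Running the script writes test.pcap in the current directory. `tcpdump -nr test.pcap 'tcp[tcpflags] & tcp-syn != 0'` should then print only the SYN, and `tcpdump -nr test.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` only the PSH/ACK, matching what the Python functions return for the same bytes. The SYN carries a 4-byte option precisely to show why the TCP header length must be read from tcp[12] rather than assumed to be 20.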