引用一下百度的话:

    用简单的话来定义tcpdump就是"dump the traffic on a network";tcpdump可以将网络中传送的数据包的“头”完全截获下来提供分析,它是Linux中强大的网络数据采集分析工具之一;它支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语句来帮助你去掉无用的信息。


tcpdump的语法:

    tcpdump [options] [Protocol] [Direction] [Host(s)] [Value] [Logical Operations] [Other expression]


解析:

    Options:更多的请自行man tcpdump

        -i any:指定在哪个网卡接口上进行抓包

        -n:不反向解析主机名

        -nn:不反向解析主机名及端口号

        -X:以16进制和ASCII码的格式显示报文内容

        -XX:跟-X相同,并且显示以太网首部

        -v, -vv, -vvv:显示详细信息

        -c #:Only get x number of packets and then stop.

        -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

        -S:Print absolute sequence numbers.

        -e:Get the ethernet header as well.

        -q:Show less protocol information.

        -E:Decrypt IPSEC traffic by providing an encryption key.

        -A :Display Captured Packets in ASCII.

        -w file:Capture the packets and write into a file.

        -r file:Reading the packets from a saved file.

        -tttt:Capture packets with proper readable timestamp.

    

    Protocol(协议):

    Values(取值):ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.

    If no protocol is specified, all the protocols are used. 


    Direction(流向):

    Values(取值):src, dst, src and dst, src or dst

    If no source or destination is specified, the "src or dst" keywords are applied. (默认是src or dst)

    For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".


    Host(s)(主机):

    Values(替代关键字): net, port, host, portrange.

    If no host(s) is specified, the "host" keyword is used. 默认如果此段没有指定关键字,默认即host

    For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1". 

    

    Logical Operations:

    (1) and

    and 或 &&

    (2) or

    or 或 ||

    (3) except 

    not 或 !


    Example:抓取主机192.168.101.168 eth0接口上监听端口为110的tcp包。

        tcpdump -i eth0 -X -nn -vv tcp port 110 and ip host 192.168.101.168