EtherType values (the 16-bit field at byte offset 12 of an Ethernet II frame):
0x0800 IPv4
0x0806 ARP
0x8100 802.1Q VLAN tag
0x8137 IPX
0x8808 Ethernet flow control (PAUSE)
0x86dd IPv6
0x8863 PPPoE Discovery stage frames
0x8864 PPPoE Session stage frames
0x8870 Jumbo frames
# MAC filter: ICMP sent to one destination MAC
tcpdump 'icmp and ether dst host 00:01:02:03:04:05'
Capture IPv4 frames (matches the outer EtherType only):
# tcpdump -i eth0 ether proto 0x0800
Capture VLAN-tagged frames:
# tcpdump -i eth0 ether proto 0x8100
(ether proto compares only the outer EtherType at offset 12, so this sees every 802.1Q frame but says nothing about what is inside the tag; to filter on the encapsulated protocol use the vlan primitive, e.g. 'vlan and ip'.)
Capture PPPoE frames (both discovery and session stages):
# tcpdump -i eth0 -n 'ether proto 0x8863 or ether proto 0x8864'
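All three tcpdump filters above key on the EtherType at byte offset 12, which is also why a VLAN-tagged or PPPoE-encapsulated IPv4 frame slips past 'ether proto 0x0800'. The Python 3 script below is an added example, not from the original page or from tcpdump: it builds one plain IPv4 frame, one 802.1Q-tagged IPv4 frame and one PPPoE session frame carrying IPv4 over PPP, then walks the encapsulation to show what the outer-EtherType check does and does not match. The frames, MAC addresses (the destination is the one used in the MAC filter above) and the IPv4 header stub are all constructed for the demonstration.

```python
# Added example (not part of the original cheat sheet): decode Ethernet II
# frames and peel 802.1Q / PPPoE encapsulation, using the EtherType table
# from this page. All frames below are constructed by hand.
import struct

# EtherType -> name, copied from the table at the top of the page
ETHERTYPES = {
    0x0800: "ipv4", 0x0806: "arp", 0x8100: "vlan", 0x8137: "ipx",
    0x8808: "flow control", 0x86DD: "ipv6",
    0x8863: "pppoe discovery", 0x8864: "pppoe session", 0x8870: "jumbo",
}
PPP_IPV4 = 0x0021  # PPP protocol number for IPv4 inside a PPPoE session


def outer_ethertype(frame: bytes) -> int:
    """The 16-bit field at offset 12: exactly what `ether proto N` compares."""
    return struct.unpack_from("!H", frame, 12)[0]


def decode(frame: bytes) -> dict:
    """Walk 802.1Q tags and a PPPoE header; return what the frame really carries."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    off, vlans, pppoe = 14, [], None
    while etype == 0x8100:                      # one 4-byte tag per 0x8100
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)              # VLAN ID = low 12 bits of the TCI
        off += 4
    if etype in (0x8863, 0x8864):               # PPPoE: ver/type, code, session, length
        _vt, code, session, _length = struct.unpack_from("!BBHH", frame, off)
        off += 6
        pppoe = {"code": code, "session": session}
        if etype == 0x8864:                     # session frames carry a PPP protocol field
            pppoe["ppp_proto"] = struct.unpack_from("!H", frame, off)[0]
            off += 2
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "outer": outer_ethertype(frame), "vlans": vlans, "pppoe": pppoe,
        "type": etype, "name": ETHERTYPES.get(etype, "unknown"),
        "payload": frame[off:],
    }


def carries_ipv4(frame: bytes) -> bool:
    """True if IPv4 is somewhere inside, however it is encapsulated."""
    d = decode(frame)
    return d["type"] == 0x0800 or (d["pppoe"] or {}).get("ppp_proto") == PPP_IPV4


# --- constructed frames (hypothetical addresses and payload) ------------
DST = bytes.fromhex("000102030405")   # the MAC used in the filter above
SRC = bytes.fromhex("0a0b0c0d0e0f")
IPV4_STUB = bytes.fromhex("45000014000040004001")  # start of a minimal IPv4 header


def ether(etype: int, payload: bytes) -> bytes:
    return DST + SRC + struct.pack("!H", etype) + payload


def vlan_tag(vid: int, etype: int, payload: bytes, pcp: int = 0) -> bytes:
    return struct.pack("!HH", (pcp << 13) | vid, etype) + payload


def pppoe_session(session: int, ppp_proto: int, payload: bytes) -> bytes:
    ppp = struct.pack("!H", ppp_proto) + payload
    # ver=1, type=1 packed as 0x11; code 0x00 = session data
    return struct.pack("!BBHH", 0x11, 0x00, session, len(ppp)) + ppp


PLAIN = ether(0x0800, IPV4_STUB)
TAGGED = ether(0x8100, vlan_tag(100, 0x0800, IPV4_STUB))
PPPOE = ether(0x8864, pppoe_session(1, PPP_IPV4, IPV4_STUB))

if __name__ == "__main__":
    for label, f in (("plain", PLAIN), ("vlan 100", TAGGED), ("pppoe", PPPOE)):
        d = decode(f)
        print(f"{label:9} outer=0x{d['outer']:04x} ({ETHERTYPES[d['outer']]}) "
              f"vlans={d['vlans']} inner=0x{d['type']:04x} pppoe={d['pppoe']} "
              f"'ether proto 0x0800' matches={d['outer'] == 0x0800} "
              f"carries ipv4={carries_ipv4(f)}")
```

Only the plain frame satisfies 'ether proto 0x0800', although all three carry IPv4. In tcpdump the tagged frame needs 'vlan and ip' and the PPPoE one 'pppoes and ip'; both primitives shift the decoding offsets past the encapsulation header before the ip test is applied, which is what a monitoring filter on a trunk or PPPoE uplink needs.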
Decode-as (-d): force a dissector onto a port or port range, using Wireshark range syntax:
tshark -d tcp.port==8888:3,http      decodes traffic on TCP ports 8888, 8889 and 8890 as HTTP (start:count)
tshark -d tcp.port==8888-8890,http   decodes the same ports as HTTP, written as an explicit low-high range
-d takes <layer>==<selector>,<protocol>; a display filter is a separate -Y argument, not part of -d:
tshark -d ethertype==0x0800,ip -Y 'ptp.v2.flags.unicast == 0'
(0x0800 already dissects as IPv4, so this -d only illustrates the ethertype selector form.)
tshark -T fields -e frame.number      -e selects fields to print and only works together with -T fields
tshark -i eth0 -Y "ip.addr==192.168.1.1"
-O <protocols> shows packet details of listed protocol(s), comma-separated
-P show packet summary even when writing to a file
-V shows the packet tree (Packet Details window information)
-S <separator> add a line separator between packets
-t ad prints each packet's timestamp as absolute date and time (the default is seconds relative to the first packet)
https://danielmiessler.com/study/tcpdump/