{"id":7719,"date":"2026-05-08T16:25:50","date_gmt":"2026-05-08T08:25:50","guid":{"rendered":"https:\/\/www.5x44.cn\/?p=7719"},"modified":"2026-05-08T16:28:41","modified_gmt":"2026-05-08T08:28:41","slug":"tcpdump%e8%bf%87%e6%bb%a4%e5%99%a8","status":"publish","type":"post","link":"https:\/\/www.5x44.cn\/?p=7719","title":{"rendered":"tcpdump\u8fc7\u6ee4\u5668"},"content":{"rendered":"\n

tcpdump\u4e3b\u8981\u5206\u4e3a\u4e24\u4e2a\u90e8\u5206\uff0c\u4e00\u662ftcpdump\u672c\u8eab\uff0c\u4e8c\u662f\u8fc7\u6ee4\u5668\uff08pcap-filter\uff09,\u672c\u6587\u4e3b\u8981\u8bb2\u8fc7\u6ee4\u5668\u7528\u6cd5\uff1a<\/p>\n\n\n\n

https:\/\/www.tcpdump.org\/manpages\/pcap-filter.7.html<\/a><\/p>\n\n\n\n

\n

The filter expression<\/em> consists of one or more primitives<\/em>. Primitives usually consist of an id<\/em> (a name, a number or something slightly more complex, such as a CIDR prefix) preceded by one or more qualifiers. There are three different kinds of qualifier:<\/p>\n\n\n\n

proto<\/em><\/p>\n\n\n\n

proto<\/em> qualifiers restrict the match to a particular protocol. (This should not be confused with the proto<\/strong> type qualifier below.) Possible protocols are: ether<\/strong>, link<\/strong>, wlan<\/strong>, ip<\/strong>, ip6<\/strong>, arp<\/strong>, tcp<\/strong>, udp<\/strong>, sctp<\/strong>, iso<\/strong>, isis<\/strong>, rarp<\/strong>, decnet<\/strong>, fddi<\/strong>, tr<\/strong>, ppp<\/strong> and slip<\/strong>. E.g., `ether src<\/strong> foo’, `arp net<\/strong> 128.3′, `tcp port<\/strong> 21′, `ip proto<\/strong> ospf’, `ether proto<\/strong> 0x88CC’, `udp portrange<\/strong> 7000-7009′, `wlan addr2<\/strong> 0:2:3:4:5:6′. If there is no proto<\/em> qualifier, all protocols consistent with the type are assumed. E.g., `src<\/strong> foo’ means `(ip6 or ip or arp or rarp) src<\/strong> foo’, `proto<\/strong> tcp’ means `(ip6 or ip) proto<\/strong> tcp’ `net<\/strong> bar’ means `(ip6 or ip or arp or rarp) net<\/strong> bar’ and `port<\/strong> 53′ means `(tcp or udp or sctp) port<\/strong> 53′ (note that these examples use invalid syntax to illustrate the principle).<\/p>\n\n\n\n

dir<\/em><\/p>\n\n\n\n

dir<\/em> qualifiers specify a particular transfer direction to and\/or from id<\/em>. Possible directions are src<\/strong>, dst<\/strong>, src or dst<\/strong>, src and dst<\/strong>, ra<\/strong>, ta<\/strong>, addr1<\/strong>, addr2<\/strong>, addr3<\/strong>, and addr4<\/strong>. E.g., `src<\/strong> foo’, `dst net<\/strong> 128.3′, `src or dst port<\/strong> ftp-data’. If there is no dir qualifier, `src or dst<\/strong>‘ is assumed. The ra<\/strong>, ta<\/strong>, addr1<\/strong>, addr2<\/strong>, addr3<\/strong>, and addr4<\/strong> qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.<\/p>\n\n\n\n

type<\/em><\/p>\n\n\n\n

type<\/em> qualifiers say what kind of thing the id name or number refers to. Possible types are host<\/strong>, net<\/strong>, proto<\/strong>, port<\/strong>, portrange<\/strong>, protochain<\/strong> and gateway.<\/strong> E.g., `host<\/strong> foo’, `net<\/strong> 128.3′, `port<\/strong> 20′, `portrange<\/strong> 6000-6008′, `proto <\/strong>17′. If there is no type qualifier, host<\/strong> is assumed.<\/p>\n<\/blockquote>\n\n\n\n

\u4e3b\u8981\u662f\u8bf4\u8fc7\u6ee4\u5668\u8868\u8fbe\u5f0f\u7531\u4e00\u4e2a\u6216\u591a\u4e2a\u57fa\u5143\u7ec4\u6210\u3002\u57fa\u5143\u901a\u5e38\u662f\u7531\u4e00\u4e2a\u6216\u591a\u4e2a\u4fee\u9970\u7b26\u524d\u5bfc\u7684id(\u53ef\u4ee5\u662f\u540d\u5b57\u3001\u6570\u5b57\u6216\u662f\u4e00\u4e9b\u66f4\u590d\u6742\u7684\u5185\u5bb9\uff0c\u5982\uff1aCIDR\u524d\u7f00)\u7ec4\u6210\u3002<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

tcpdump\u4e3b\u8981\u5206\u4e3a\u4e24\u4e2a\u90e8\u5206\uff0c\u4e00\u662ftcpdump\u672c\u8eab\uff0c\u4e8c\u662f\u8fc7\u6ee4\u5668\uff08pcap-filter\uff09,\u672c\u6587\u4e3b\u8981\u8bb2\u8fc7\u6ee4\u5668\u7528\u6cd5\uff1a https:\/\/www.tcpdump.o…<\/p>\n

Read More Read More<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,25],"tags":[],"class_list":["post-7719","post","type-post","status-publish","format-standard","hentry","category-it","category-25"],"_links":{"self":[{"href":"https:\/\/www.5x44.cn\/index.php?rest_route=\/wp\/v2\/posts\/7719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.5x44.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.5x44.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.5x44.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.5x44.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7719"}],"version-history":[{"count":6,"href":"https:\/\/www.5x44.cn\/index.php?rest_route=\/wp\/v2\/posts\/7719\/revisions"}],"predecessor-version":[{"id":7725,"href":"https:\/\/www.5x44.cn\/index.php?rest_route=\/wp\/v2\/posts\/7719\/revisions\/7725"}],"wp:attachment":[{"href":"https:\/\/www.5x44.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.5x44.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.5x44.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}