IP Header

IP Header len=5*4=20 bytes, and for each line there’s 16 bytes units started from 0 unit. so the ip data starts from 0035 after 20 bytes header.

TCP Header

TCP Header starts after the IP Header in a IP packet, so if the first bytes stand 45 which means IPv4 and 5*4=20 bytes header, then we should count TCP header after first 20 bytes in a IP packet.


tcpdump -s 0 : -s zero will capture entire ethernet header and ip packet.

tcpdump -xX : -x will show ip packet data including link layers in hex;
-X will show ip data in hex and ascii;
so if you want to show data in hex and ascii, just use X is enough.

-n: Don’t convert addresses (i.e., host addresses, port numbers, etc.) to names.

-r: Read packets from file (which was created with the -w option).  Standard input is used if file is “-”.

tcpdump filter syntax expression:

<protocol header>[offset:length]<relation><value>
if there’s nothing with the value of length, it means 1 bit [9:1]=[9];
<value> is Dec unit, so normally we need to first convert original Hex to Dec to fit, if you want to use Hex, please input as type as 0x0f;
ip[9]=6 embedded protocol is TCP
tcp[2:2]=80 destination port is 80
upd[6:2]!=0 udp checksum not zero
icmp[0]=8 echo packet

if you want to pick up any of one offset byte’s bit set, just use ip[8]$128=128, which means 128(Dec)=10000000 & ? =10000000.
The symbol of & means and, which stands for:
0 and 0 = 0
0 and 1 = 0
1 and 0 = 0
1 and 1 = 1
just like a multiply function.
so if we use 1111 to and any byte, we would be able to pick up any bit set we want. e.g: ip[0]&0xf=0x5, or ip[0]&0xf!=5


在F5上,如果所要DUMP的分区不是原始分区,即rdsh 不是0,则必须指定分区/INT,如下:

tcpdump -ni /Orange/Vlan_207 -f “ip host”

tcpdump -ni /Orange/Vlan_215 -f “port 8905”

config # openssl verify -purpose sslclient -CAfile /config/filestore/files_d/Orange_d/certificate_d/:\:Orange\:Self_BSAPartnerSolutionOrder.crt_1 /tmp/Self_BSAPartnerSolutionOrder.cer

Capture on ACE



  1. 创建一个兴趣流量的ACL。access-list lulu line 8 extended permit tcp host any
    access-list lulu line 16 extended permit tcp host any
  2. 定义CAPTURE和ACL的相关性。capture test interface vlan 264 access-list lulu bufsize 5000
  3. 开启CAPTURE。capture test start
By Ctrl | Alt | Del Posted in Linux Tagged

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s