Capturing packets on Linux with tcpdump, saving them to a pcap file and analysing them in Wireshark
Published: 2019-06-25



[root@ok Desktop]# yum search tcpdump
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.yun-idc.com
 * extras: mirrors.yun-idc.com
 * updates: mirrors.yun-idc.com
======================================================================= N/S Matched: tcpdump ========================================================================
tcpdump.x86_64 : A network traffic monitoring tool

  Name and summary matches only, use "search all" for everything.
[root@ok Desktop]# which tcpdump
/usr/sbin/tcpdump
[root@ok Desktop]# tcpdump -h
tcpdump version 4.1-PRE-CVS_2015_07_23
libpcap version 1.4.0
Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -j tstamptype ] [ -M secret ]
        [ -P in|out|inout ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ] [ -y datalinktype ] [ -z command ]
        [ -Z user ] [ expression ]
[root@ok Desktop]# yum search wireshark
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.yun-idc.com
 * extras: mirrors.yun-idc.com
 * updates: mirrors.yun-idc.com
================================================ N/S Matched: wireshark ================================================
wireshark-devel.i686 : Development headers and libraries for wireshark
wireshark-devel.x86_64 : Development headers and libraries for wireshark
wireshark-gnome.x86_64 : Gnome desktop integration for wireshark and wireshark-usermode
wireshark.i686 : Network traffic analyzer
wireshark.x86_64 : Network traffic analyzer

  Name and summary matches only, use "search all" for everything.

Install:

[root@ok Desktop]# yum install wireshark* -y
[root@ok Desktop]# which wireshark
/usr/sbin/wireshark
[root@ok Desktop]# rpm -qa|grep wireshark
wireshark-devel-1.8.10-17.el6.x86_64
wireshark-1.8.10-17.el6.x86_64
wireshark-gnome-1.8.10-17.el6.x86_64

Saving the tcpdump capture to a file

[root@bass Desktop]# tcpdump -i eth0 -w dump.pcap
-i # specifies the interface to capture on
-w # specifies where the result is saved
[root@bass Desktop]# tcpdump -i eth0 -w dump.pcap -v
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C189 packets captured
189 packets received by filter
0 packets dropped by kernel
-v # mainly so that the running packet count (the "Got 15" number) is displayed while writing to the file; press Ctrl + C when you want to stop
[root@bass Desktop]# ll -h dump.pcap
-rw-r--r--. 1 tcpdump tcpdump 18K Aug 30 13:19 dump.pcap

Open it in Wireshark:

[root@bass Desktop]# wireshark dump.pcap # view it on Linux

When we capture with tcpdump, the packets are displayed like this by default:

The figure above marks three areas. The red box is the packet list, which shows brief information for each packet; this is also how tcpdump displays captured packets by default. The dark blue box shows the details of the selected packet, laid out according to the four-layer TCP/IP model: the first line is the data link layer, the second the network layer (IP), the third the transport layer (TCP), and the fourth the application layer (HTTP); each line can be expanded to inspect its contents. The last area, the light blue box, shows the packet's raw bytes. (The figure below shows this clearly.)

 ------------------------------------------------------------------------------------------------------------------------------------------------------

sh-4.1# tcpdump -i eth0 -c 20 -w 20gebao -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20 packets captured
20 packets received by filter
0 packets dropped by kernel

Use the -c option to specify how many packets to capture before tcpdump stops on its own.
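To see what `tcpdump -w` actually writes, here is an added Python example (not from the original post) that builds a constructed one-packet pcap file in memory and parses it back, decoding the same link/network/transport layers the Wireshark detail pane lists; it also checks the writer's byte order and flags frames that were cut short by the snaplen. The function names and the sample MAC/IP addresses are assumptions made for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4    # classic pcap magic; tcpdump 4.x/libpcap 1.4 writes this format
LINKTYPE_ETHERNET = 1      # the "link-type EN10MB (Ethernet)" tcpdump reports
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x10, "ACK"))


def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4/TCP SYN to port 80 in a little-endian pcap."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")   # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 80]))   # checksum left 0 (constructed)
    frame = eth + ip + tcp
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1567142340, 0, len(frame), len(frame)) + frame
    return header + record


def decode_frame(frame, ts_sec, truncated):
    """Mirror Wireshark's detail pane: one entry per TCP/IP layer (link, network, transport)."""
    pkt = {"time": ts_sec, "truncated": truncated}
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    pkt["eth"] = (src.hex(":"), dst.hex(":"), ethertype)
    if ethertype != 0x0800 or len(frame) < 34:
        return pkt                                  # not IPv4 (e.g. ARP): stop at the link layer
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    pkt["ip"] = (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), proto)
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:                # TCP: ports and flags, as on the third pane line
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt["tcp"] = (sport, dport, {name for bit, name in TCP_FLAGS if l4[13] & bit})
    return pkt


def parse_pcap(data):
    """Parse a classic pcap file (the format written by `tcpdump -w`) into decoded packets."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])  # writer's byte order
    if end is None:
        raise ValueError("not a classic pcap file (pcapng from newer tcpdump, or truncated)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet (EN10MB) captures")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl_len
        packets.append(decode_frame(frame, ts_sec, incl_len < orig_len))  # -s snaplen cut the frame
    return packets
```

To run it against the capture from this post, pass `open("dump.pcap", "rb").read()` to `parse_pcap` instead of the constructed sample.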


Reposted from: http://druto.baihongyu.com/
