tcpdump usage notes

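port 5060 or port 2727:
//capture only packets on ports 5060 and 2727
5000
//capture at most 5000 packets
/home/lishilin/0713001.cap
//save the capture under /home/lishilin/ with the file name 0713001.cap
To capture all packets on the server: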
tcpdump host 192.168.0.228 -s 0 -c 5000 -w /home/lishilin/0713001.cap
254:
tcpdump host 192.168.0.254 and \(port 5060 or port 2727\) -s 0 -c 5000 -w /home/lishilin/14449_An.cap
22:
tcpdump -n host 218.242.214.22 -s 0 -c 5000 -w /root/001.cap
tcpdump src 218.242.214.23 and dst 211.152.65.127 -s 0 -c 500 -w /tmp/logsipfxs.cap
23:
tcpdump host 218.242.214.23 and \(port 5060 or port 5080 or port 80\)  -s 0 -c 1000 -w /tmp/lishilin/231222003.cap

tcpdump host 211.152.65.127 and port 5080 -s 0 -c 5000 -w /tmp/li/sz2005.cap
tcpdump usage examples:
Capture the packets exchanged between 192.168.0.202 and port 2427 on 192.168.0.235, as follows:
[root]#tcpdump \(host 192.168.0.235 and port 2427\) and host 192.168.0.202 -c 30 -w /home/zhou/log.cap
-c 30 stops the capture after 30 packets; -w names the file to write to. Afterwards /home/zhou/log.cap can be opened and inspected in ethereal.

Test capture on 202: capture traffic between 254 and 202
tcpdump \(host 192.168.0.202 \) and host 192.168.0.254 -c 3000 -w /home/zhou/log.cap 

callback21:
tcpdump host 218.242.214.21 and \(port 5060 or port 2727\) -s 0 -c 5000 -w /tmp/lishilin/001.cap

172:
tcpdump host 61.220.76.172 and \(port 5060 or port 5080\) -s 0 -c 5000 -w /home/lishilin/0708001.cap
21:
tcpdump host 218.242.214.21 and \(port 5060 or port 2727\) -s 0 -c 5000 -w /tmp/lishilin/0708001.cap

tcpdump host 218.242.214.21 and \(port 5060 or port 2727\) -s 0 -c 5000 -w /tmp/lishilin/0709101.cap
tcpdump host 192.168.0.228 and \(port 5060 or port 2727\) -s 0 -c 5000 -w /tmp/lishilin/0708001.cap
249:
tcpdump host 192.168.0.249 and \(port 5060 or port 2727\) -s 0 -c 60000 -w /home/lishilin/001.cap

233:
tcpdump host 192.168.0.233 and \(port 5060 or port 2727\) -s 0 -c 500 -w /home/lishilin/Asterisk_An.cap
248:
tcpdump host 192.168.0.58 and \(port 5060 or port 2727\) -s 0 -c 500 -w /tmp/li/58001.cap
228:

tcpdump host 192.168.0.228 and \(port 5060 or port 2727\) -s 0 -c 5000 -w /home/lishilin/0713001.cap

Usage: tcpdump -i eth0 host 192.168.10.233 and port 80 -s 0 -c 1000 -w /home/ecsc/sz2005.cap
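
Added example (not from the original post): a POSIX shell wrapper for the pattern used throughout these notes, host X and (port A or port B) -s 0 -c N -w FILE. The function names, the DRY_RUN switch and the numeric limits are assumptions of this example; it validates the host and ports before they reach the filter and creates the full-packet capture file with owner-only permissions.

```sh
# Added example; function names, DRY_RUN and the limits below are assumptions.

# in_range VALUE MIN MAX: plain decimal integer (no sign, no leading zero) in range
in_range() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# valid_ipv4 ADDR: exactly four dot-separated octets, each 0-255
valid_ipv4() {
    case $1 in
        *.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    v4_rest=$1.
    while [ -n "$v4_rest" ]; do
        in_range "${v4_rest%%.*}" 0 255 || return 1
        v4_rest=${v4_rest#*.}
    done
}

# build_filter HOST [PORT...]: prints "host H and (port A or port B)"
build_filter() {
    bf_host=$1; shift
    valid_ipv4 "$bf_host" || { echo "bad host: $bf_host" >&2; return 1; }
    bf_ports=
    for bf_p in "$@"; do
        in_range "$bf_p" 1 65535 || { echo "bad port: $bf_p" >&2; return 1; }
        bf_ports="${bf_ports:+$bf_ports or }port $bf_p"
    done
    if [ -n "$bf_ports" ]; then echo "host $bf_host and ($bf_ports)"
    else echo "host $bf_host"; fi
}

# capture FILE COUNT HOST [PORT...]: with DRY_RUN=1 only prints the command
capture() {
    cap_file=$1; cap_count=$2; shift 2
    in_range "$cap_count" 1 99999 || { echo "bad count: $cap_count" >&2; return 1; }
    cap_filter=$(build_filter "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "tcpdump -s 0 -c $cap_count -w $cap_file '$cap_filter'"
        return 0
    fi
    # -s 0 stores whole packets (payloads included): owner-only capture file
    ( umask 077 && tcpdump -s 0 -c "$cap_count" -w "$cap_file" "$cap_filter" )
}
```

Running it with DRY_RUN=1 first shows the exact tcpdump command; the real capture needs the same privileges as the commands above.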

 

 

posted on 2009-04-21 11:33  Macros