Sniffer in Linux

Article Title: sniffer in Linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

In Linux, the sniffer includes tcpdump, Nmap, linSniffer, LinuxSniffer, hunt, and sniffit. Next we will only introduce tcpdump, an excellent sniffer in Linux.

The installation of tcpdump in Linux is very simple. Generally, there are two installation methods. An rpm package is used for installation. In addition, it is installed in the form of a source program. Here we will discuss how to install the rpm package. This form of installation is the simplest installation method. The rpm package is compiled and packaged into a binary format. It can be directly installed using the rpm command without any modification.

Use the following command to log on as a Super User:

# Rpm-ivh tcpdump-3_4a5.rpm

In this way, tcpdump is successfully installed in Linux.

Tcpdump is a multi-purpose network communication monitor that can capture and display packets and their content. It can be used as a protocol analyzer to provide an optimal channel between systems and network devices to detect communication and/or connectivity issues. Most of the time, network problems are concentrated on network configuration problems and hardware-related faults diagnosis. However, users will often face protocol-related problems and are forced to study the mechanisms of specific protocols to solve the problems. When tcpdump is used, the message to be checked is displayed in long or short format (based on the command line options used. Tcpdump has a powerful filtering mechanism that can be used to find packets that match a specified string or rule.

Tcpdump provides two main capture modes: garbage collection and non-garbage collection. In the pooled mode, each packet transmitted on the network is captured, regardless of whether the packet is sent to the system that executes tcpdump. For example, this mode is used by the RMON detector to monitor network communication. Probe listens on the network and collects protocol information and statistics. Because the LAN protocol (such as Ethernet) is broadcast-based, each transmitted frame can be obtained by any network interface connected to the LAN. Any device can read each transmitted frame, as long as the device chooses this method and configures it to read. When a device or interface reads each frame from the network, it indicates that it is in the garbage collection mode. In practice, the interface must be configured for the pooled operation and used only for special scenarios requiring network diagnosis. For this reason, only the root user can enable the garbage collection mode on an interface. This is the main reason that non-root users are not allowed to call tcpdump. The tcpdump tool provides many command line options to select the capture mode, control the output, specify filtering rules, and specify other operation features. These options are grouped based on their features and include the following types: operation mode, display options, packet filtering options.

The operation mode option controls how tcpdump captures and displays network communication parameters. The meanings of each option are as follows:

-C capture a specified number of packets;

-F use a file as the filter expression source;

-I use optional network interfaces to capture packets;

-P cannot be captured in pooled mode;

-R: reads captured files rather than network interfaces;

-W saves the original packet to the file.

Example:

1. pdump arp captures and displays all IP Address Resolution Protocol (ARP) packets. Capture includes requests and responses.

2. pdump host red and tcp will capture and display all transmission control protocol packets from (sent to) red host.

3. pdump hos red1 and port 23 will capture and display all packets sent to red1 or from red1 using port 23. Used to check the Telnet packets sent from other systems to the system on the network. Port 23 is the Telnet service port for all incoming packets.

[1] [2] [3] Next page