Linux packet capture Summary
I. Port Information
Method: Use netstat to find the port a process of interest is listening on, or to find out which process is using a given port.

[root@imsv-test mpf]# netstat -pan | grep csm
tcp   0   0 0.0.0.0:6801           0.0.0.0:*              LISTEN       7417/csm      --- listening port
tcp   0   0 192.168.12.223:33004   192.168.5.186:3311     ESTABLISHED  7417/csm      --- database link
tcp   0   0 192.168.12.223:33003   192.168.5.186:3311     ESTABLISHED  7417/csm
tcp   0   0 192.168.12.223:33002   192.168.5.186:3311     ESTABLISHED  7417/csm
tcp   0   0 192.168.12.223:6801    192.168.5.220:2845     ESTABLISHED  7417/csm      --- link with the IM client
tcp   0   0 127.0.0.1:32994        127.0.0.1:6847         ESTABLISHED  7417/csm      --- link with the rooter
tcp   0     127.0.0.1:32998        127.0.0.1:6872         ESTABLISHED  7417/csm      --- connection with online
tcp   0   0 192.168.12.223:6801    192.168.5.220:2812     ESTABLISHED  7417/csm      --- link with the IM client
[root@imsv-test mpf]# netstat -pan | grep mucsvr
tcp   0   0 127.0.0.1:32989        127.0.0.1:6847         ESTABLISHED  7416/mucsvr   --- connection with the rooter
tcp   0     127.0.0.1:32988        127.0.0.1:6847         ESTABLISHED  7416/mucsvr   --- link with the rooter
[root@imsv-test mpf]# netstat -pan | grep online
tcp   0   0 0.0.0.0:6872           0.0.0.0:*              LISTEN       7413/online   --- listening port
tcp   0   0 192.168.12.223:33005   192.168.5.186:3311     ESTABLISHED  7413/online   --- database link
tcp   0   0 127.0.0.1:6872         127.0.0.1:32998        ESTABLISHED  7413/online   --- connection to csm
Note:
1) mucsvr establishes two connections to the rooter; it is unclear why. Capture on port 32989 to obtain the communication packets; no data traffic is seen on port 32988.
2) The information above was obtained on the ImServer test machine 12.223 and is for reference only.
II. Packet capture
Method: Use tcpdump to capture the packets on the port of interest and write them to a file.
Run the command: tcpdump port 6801 -i eth0 -p -vv -s 0 -w csm.cap
Note:
port: the port of the service process you are concerned with.
-i eth0: specify the network interface to listen on; use ifconfig to see the network configuration. For local (loopback) communication use -i lo.
-p: do not put the interface into promiscuous mode.
-vv: more verbose output.
-s 0: capture the complete packets. By default tcpdump captures only the first part of each packet; the -s snaplen parameter controls this, and the default is 68 bytes. Setting it to 0 captures every packet in full.
-w: output file.
Reference: http://tcpdump.anheng.com.cn/news/22/591.html
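The two steps above (read the listening ports from netstat, then build the tcpdump command with the right interface) can be scripted. The following POSIX shell script is an added example and not part of the original note: it parses netstat -pan output for a named process, lists its LISTEN ports, chooses -i lo when the socket talks over 127.0.0.1 and otherwise an assumed default interface (eth0, as on the note's test machine), and prints the capture command in the note's form. The embedded netstat lines are a constructed sample modelled on the note's output; pass real netstat -pan output as the second argument to use it live.

```shell
#!/bin/sh
# Added example (not from the original note): derive tcpdump capture commands
# from `netstat -pan` output, one per listening port of the named process.

# Constructed sample of `netstat -pan` output, modelled on the note's format.
# Fields: proto recv-q send-q local remote state pid/program
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:6801            0.0.0.0:*               LISTEN      7417/csm
tcp        0      0 192.168.12.223:33004    192.168.5.186:3311      ESTABLISHED 7417/csm
tcp        0      0 192.168.12.223:6801     192.168.5.220:2845      ESTABLISHED 7417/csm
tcp        0      0 127.0.0.1:32994         127.0.0.1:6847          ESTABLISHED 7417/csm
tcp        0      0 0.0.0.0:6872            0.0.0.0:*               LISTEN      7413/online
tcp        0      0 127.0.0.1:6872          127.0.0.1:32998         ESTABLISHED 7413/online'

# Assumption: the capture host's non-loopback interface is eth0 (as in the note).
DEFAULT_IFACE=eth0

# listening_ports PROCNAME [NETSTAT_OUTPUT]
# Print the TCP ports on which PROCNAME is in LISTEN state, one per line.
# Works for 0.0.0.0:PORT and :::PORT alike by taking the last ':'-separated field.
listening_ports() {
    printf '%s\n' "${2:-$SAMPLE_NETSTAT}" |
        awk -v p="$1" '$6 == "LISTEN" && $7 ~ ("/" p "$") {
            n = split($4, a, ":"); print a[n]
        }'
}

# iface_for_port PORT [NETSTAT_OUTPUT]
# Print "lo" when an established socket on PORT uses a loopback local address
# (the note's "local communication" case), otherwise DEFAULT_IFACE.
iface_for_port() {
    printf '%s\n' "${2:-$SAMPLE_NETSTAT}" |
        awk -v port="$1" -v dflt="$DEFAULT_IFACE" '
            $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
                print ($4 ~ /^127\./ ? "lo" : dflt); found = 1; exit
            }
            END { if (!found) print dflt }'
}

# capture_cmd PORT IFACE OUTFILE
# Build the capture command in the note's form: full snaplen (-s 0), no
# promiscuous mode (-p), verbose (-vv), written to a file (-w).
capture_cmd() {
    printf 'tcpdump port %s -i %s -p -vv -s 0 -w %s\n' "$1" "$2" "$3"
}

# plan_capture PROCNAME [NETSTAT_OUTPUT]
# Print one capture command per listening port of PROCNAME, output to PROCNAME.cap.
plan_capture() {
    for port in $(listening_ports "$1" "$2"); do
        capture_cmd "$port" "$(iface_for_port "$port" "$2")" "$1.cap"
    done
}

# Stand-alone usage against the constructed sample.
# Live use: plan_capture csm "$(netstat -pan 2>/dev/null)"
plan_capture csm
plan_capture online
```

The script only prints the commands; run them by hand as root once you have confirmed the port and interface are the ones you want, since a wrong interface (eth0 instead of lo for a loopback connection) yields an empty capture file.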
III. View
Method: Upload the capture file to a Windows machine and open it with EtherDetect.
Procedure: Enable the sniffer.
IV. Appendix
12.223 packet capture commands:
tcpdump port 6872 -i lo -p -vv -s 0 -w online.cap
tcpdump port 6847 -i lo -p -vv -s 0 -w router.cap
tcpdump port 6801 -i eth0 -p -vv -s 0 -w csm.cap
tcpdump port 32989 -i lo -p -vv -s 0 -w mucsvr.cap
***** packet capture record:
tcpdump host 218.28.15.98 -i eth1 -p -vv -s 0 -w fengyang.cap
Use SecureCRT to transfer the capture files to the Windows machine:
sz csm.cap mucsvr.cap online.cap router.cap