Lab environment:
VMware Workstation 11
CentOS 6.7
IP: 192.168.244.129, firewall off, setenforce 0
PuTTY (SSH remote connection software)
Software introduction:
What is cheat?
cheat is an interactive cheat-sheet application distributed to Linux command-line users under the GNU General Public License. It shows worked use cases for Linux commands, covering their options and features in a short, understandable form.
Experimental process:
cheat has two main dependencies, Python and pip. Before installing cheat, make sure both are present on your system.
First, install pip
[root@localhost ~]# yum install python-pip -y
Second, install cheat
[root@localhost ~]# pip install cheat
Collecting cheat
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading cheat-2.1.25.tar.gz (43kB)
    100% |████████████████████████████████| 45kB 111kB/s
Collecting docopt>=0.6.1 (from cheat)
  Downloading docopt-0.6.2.tar.gz
Collecting pygments>=1.6.0 (from cheat)
  Downloading Pygments-2.1.3-py2.py3-none-any.whl (755kB)
    100% |████████████████████████████████| 757kB 172kB/s
Installing collected packages: docopt, pygments, cheat
  Running setup.py install for docopt
  Running setup.py install for cheat
Successfully installed cheat-2.1.25 docopt-0.6.2 pygments-2.1.3
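The InsecurePlatformWarning in the output above means pip on this Python 2.6 box cannot fully verify the TLS connection to PyPI, so the cheat-2.1.25.tar.gz it fetched was not necessarily validated. A practical mitigation is to fetch the sdist once, compare its SHA-256 against a digest recorded out of band, and only then hand the local, verified file to pip. The script below is an added example, not part of the original post or of the cheat project; the function names, the curl/pip invocation, and the EXPECTED_CHEAT_SHA256 placeholder (the real digest is not on the page) are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded Python sdist before installing it.
# Mitigates the case where pip's TLS verification is unreliable (InsecurePlatformWarning).

# Compare a file's SHA-256 with an expected digest. Returns 0 on match, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Placeholder: replace with the digest published for cheat-2.1.25.tar.gz (not on the page).
EXPECTED_CHEAT_SHA256="<sha256-of-cheat-2.1.25.tar.gz>"

# Download a package file, verify it, and install from the local file only on a match.
# --no-deps keeps pip from silently fetching unverified dependencies over the same channel;
# verify and install each dependency the same way.
install_verified() {
    url="$1"
    expected="$2"
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && curl -fsSLO "$url" ) || { rm -rf "$tmp"; return 1; }
    f="$tmp/$(basename "$url")"
    if verify_sha256 "$f" "$expected"; then
        pip install --no-deps "$f"
        rc=$?
    else
        echo "checksum mismatch for $f; refusing to install" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage (hypothetical URL; the real location of the sdist is not given on the page):
# install_verified "https://example.invalid/cheat-2.1.25.tar.gz" "$EXPECTED_CHEAT_SHA256"
```

The digest must come from somewhere other than the download channel being protected (for example, a value you recorded on a fully patched machine), otherwise the check proves nothing.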
Third, how to use the software
[root@localhost ~]# cheat tcpdump
# tcpdump is a packet analyzer. It allows the user to intercept and display TCP/IP
# and other packets being transmitted or received over a network. (cf Wikipedia).
# Note: 173.194.40.120 => google.com

# Intercepts all packets on eth0
tcpdump -i eth0

# Intercepts all packets from/to 173.194.40.120
tcpdump host 173.194.40.120

# Intercepts all packets on all interfaces from / to 173.194.40.120 port 80
# -nn => disables name resolution for IP addresses and port numbers.
tcpdump -nn -i any host 173.194.40.120 and port 80

# Make a grep on tcpdump (ASCII)
# -A  => show only ASCII in packets.
# -s0 => by default, tcpdump only captures 68 bytes.
tcpdump -A -s0 -i any host 173.194.40.120 and port 80 | grep 'User-Agent'

# With ngrep
# -d eth0 => to force eth0 (else ngrep works on all interfaces)
# -s0 => force ngrep to look at the entire packet. (Default snaplen: 65536 bytes)
ngrep 'User-Agent' host 173.194.40.120 and port 80

# Intercepts all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
tcpdump 'host ( 8.8.8.8 or 173.194.40.127 ) and port 80' -i any

# Intercepts all SYN and FIN packets of each TCP session.
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

# To display SYN and FIN packets of each TCP session to a host that is not on our network
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'

# To display all IPv4 HTTP packets that come or arrive on port 80 and that contain only data (no SYN, no FIN, no packet containing only an ACK)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

# Saving captured data
tcpdump -w file.cap

# Reading from capture file
tcpdump -r file.cap

# Show content in hexa
# Change -x to -xx => show extra header (Ethernet).
tcpdump -x

# Show content in hexa and ASCII
# Change -X to -XX => show extra header (Ethernet).
tcpdump -X

# Note on packet matching:
# Port matching:
# - portrange 22-23
# - not port 22
# - port ssh
# - dst port 22
# - src port 22
#
# Host matching:
# - dst host 8.8.8.8
# - not dst host 8.8.8.8
# - src net 67.207.148.0 mask 255.255.255.0
# - src net 67.207.148.0/24
As you can see, the output is easy to read and straightforward to use.
Reference article link: http://os.51cto.com/art/201409/450709.htm
This article is from the "A few" blog; reprinting is declined.
cheat: a more helpful command than man and --help.