A tutorial on the use of the network packet capture tool tcpdump in Linux systems

Source: Internet
Author: User

A powerful network packet capture and analysis tool in Linux: tcpdump
Tcpdump is driven from the command line. Its command format is:
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ]
        [ -i interface ] [ -r file ] [ -s snaplen ]
        [ -T type ] [ -w file ] [ expression ]

1. Introduction to tcpdump options
-a converts network and broadcast addresses into names;
-d dumps the compiled packet-matching code in a human-readable, assembly-like form;
-dd dumps the packet-matching code as a C program fragment;
-ddd dumps the packet-matching code as decimal numbers;
-e prints the data-link-layer header on each output line;
-f prints "foreign" Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert network addresses into names;
-t does not print a timestamp on each output line;
-v outputs slightly more verbose information, such as the TTL and type-of-service fields of an IP packet;
-vv outputs fully verbose packet information;
-c tcpdump stops after receiving the specified number of packets;
-F reads the filter expression from the specified file and ignores any expression given on the command line;
-i specifies the network interface to listen on;
-r reads packets from the specified file (such files are usually produced with the -w option);
-w writes the raw packets directly to a file instead of parsing and printing them;
-T interprets the captured packets directly as messages of the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

2. Introduction to tcpdump expressions
An expression is the filter condition that tcpdump uses to decide which packets to keep: a packet is captured only if it satisfies the expression. If no expression is given, every packet on the network is intercepted.
An expression is built from several kinds of keywords. The first kind are type keywords, mainly host, net and port. For example, host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means that the port number is 23. If no type is given, the default type is host.
The second kind are direction keywords, mainly src, dst, src or dst, and src and dst, which indicate the direction of transfer. For example, src 210.27.48.2 means that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.
The third kind are protocol keywords, including fddi, ip, arp, rarp, tcp, udp and others. fddi selects a specific network protocol on an FDDI (Fiber Distributed Data Interface) network; in fact it is an alias of ether, because FDDI and Ethernet frames carry similar source and destination addresses, so an FDDI packet can be handled and analysed like an Ethernet packet. The other protocol keywords restrict the capture to packets of that protocol. If no protocol is given, tcpdump captures packets of all protocols.
Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.
These keywords can be combined into powerful filter conditions that meet most needs. A few examples follow.
(1) To intercept all packets received and sent by host 210.27.48.1:

The code is as follows:
# tcpdump host 210.27.48.1

(2) To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the following command (when using parentheses on the command line, be sure to escape them with backslashes, as shown):

The code is as follows:
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

(3) To obtain the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2, use the command:

The code is as follows:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To obtain the telnet packets received or sent by host 210.27.48.1, use the following command:

The code is as follows:
# tcpdump tcp port 23 and host 210.27.48.1
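The keyword semantics described above (no direction keyword means src or dst, a bare address after and/or inherits the host type, and/or/not combine predicates), modelled as an added example that is not part of the original article and is not tcpdump's own code. Each filter is a predicate over a constructed five-tuple; the packet summaries are constructed inputs, all packets are assumed to be IPv4 (so the ip qualifier in example (3) is implicit), and net is modelled with CIDR notation rather than tcpdump's classful shorthand.

```python
import ipaddress

# Constructed packet summaries (not captures from the article): proto, src, sport, dst, dport
def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

SAMPLE_PACKETS = [
    pkt("tcp", "210.27.48.1", 1234, "210.27.48.2", 23),   # 0: .1 -> .2 telnet
    pkt("tcp", "210.27.48.3", 5555, "210.27.48.1", 80),   # 1: .3 -> .1 http
    pkt("udp", "210.27.48.1", 53,   "210.27.48.9", 53),   # 2: .1 -> .9 dns
    pkt("tcp", "10.1.1.1",    4000, "210.27.48.2", 22),   # 3: outside -> .2 ssh
    pkt("tcp", "210.27.48.1", 2000, "10.1.1.5",    23),   # 4: .1 -> outside telnet
]

# Type keywords. With no direction keyword the default is "src or dst".
def host(addr):
    return lambda p: p["src"] == addr or p["dst"] == addr

def src_host(addr):
    return lambda p: p["src"] == addr

def dst_host(addr):
    return lambda p: p["dst"] == addr

def net(cidr, direction="src or dst"):
    # Assumption: CIDR notation; tcpdump's classful shorthand (net 202.0.0.0) is not modelled.
    n = ipaddress.ip_network(cidr, strict=False)
    sides = {"src": ("src",), "dst": ("dst",), "src or dst": ("src", "dst")}[direction]
    return lambda p: any(ipaddress.ip_address(p[s]) in n for s in sides)

def port(num):
    return lambda p: p["sport"] == num or p["dport"] == num

# Protocol keyword
def proto(name):
    return lambda p: p["proto"] == name

# Logical operators: and/&&, or/||, not/!
def AND(*fs):
    return lambda p: all(f(p) for f in fs)

def OR(*fs):
    return lambda p: any(f(p) for f in fs)

def NOT(f):
    return lambda p: not f(p)

# The filters from examples (1)-(4) above, plus one directional net filter.
# Bare addresses after "and"/"or" inherit the host type, so they are written as host() here.
FILTERS = {
    "host 210.27.48.1": host("210.27.48.1"),
    "host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)":
        AND(host("210.27.48.1"), OR(host("210.27.48.2"), host("210.27.48.3"))),
    "ip host 210.27.48.1 and ! 210.27.48.2":
        AND(host("210.27.48.1"), NOT(host("210.27.48.2"))),
    "tcp port 23 and host 210.27.48.1":
        AND(proto("tcp"), port(23), host("210.27.48.1")),
    "src net 10.0.0.0/8": net("10.0.0.0/8", "src"),
}

def matching_indices(filter_text, packets=SAMPLE_PACKETS):
    """Return the indices of the packets selected by the named filter."""
    f = FILTERS[filter_text]
    return [i for i, p in enumerate(packets) if f(p)]

if __name__ == "__main__":
    for text in FILTERS:
        print(f"{text:55} -> {matching_indices(text)}")
```

Running the block prints which sample packets each filter selects; note that the negated filter keeps packet 4 even though its peer is outside the 210.27.48.0/24 network, because the expression only excludes 210.27.48.2, not every address other than 210.27.48.1.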

3. Introduction to tcpdump output
Here we introduce the output of several typical tcpdump commands.
(1) Data-link-layer header information
Use the command # tcpdump -e host ice
ice is a Linux host whose MAC address is 0:90:27:58:af:1a.
h219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46.
The output of the command looks like this:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the time and 847509 is the ID number; eth0 < means the packet was received on network interface eth0, while eth0 > means the packet was sent from that interface; 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet was sent from source h219; 0:90:27:58:af:1a is the MAC address of host ice, indicating that the packet's destination is ice; ip indicates that this is an IP packet; 60 is the length of the packet; h219.33357 > ice.telnet indicates that the packet goes from port 33357 on host h219 to the telnet port (23) on host ice; ack 22535 indicates an acknowledgement of the packet with sequence number 22535; win 8760 indicates that the size of the send window is 8760.
(2) tcpdump output for ARP packets
Use the command # tcpdump arp
The resulting output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42 is the timestamp and 802509 is the ID number; eth0 > indicates that the packet was sent from this host; arp indicates that it is an ARP request; who-has route tell ice means that host ice is asking for the MAC address of host route; 0:90:27:58:af:1a is the MAC address of host ice.
(3) Output for TCP packets
The general output format for TCP packets captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst indicates the direction from the source address to the destination address; flags are the flag bits of the TCP packet: S is the SYN flag, F is FIN, P is PUSH, R is RST and "." means no flag is set; data-seqno is the sequence number of the data in the packet; ack is the next expected sequence number; window is the size of the receive buffer; urgent indicates whether the packet carries an urgent pointer; options are the TCP options.
(4) Output for UDP packets
The general output format for UDP packets captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple: the line above indicates a UDP packet sent from port port1 on host route to port port2 on host ice; the type is udp, and the length of the packet is length.
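A parser for the src > dst: flags data-seqno ack window line layout described in (3), as an added example that is not part of the original article. It targets the field layout as written by current tcpdump with -n (Flags [S], seq, ack, win, length, comma separated) rather than the older spacing shown above; the sample lines are constructed, not a real capture. After parsing, it counts pure SYNs (S set, no ACK) per source, which is a quick way to notice a single host opening many half-connections to different ports.

```python
import re
from collections import Counter

# Constructed sample lines in the "src > dst: flags ..." layout (modern tcpdump -n formatting).
SAMPLE_LINES = """\
10:00:01.000100 IP 192.168.1.10.40001 > 192.168.1.20.22: Flags [S], seq 1000, win 64240, length 0
10:00:01.000300 IP 192.168.1.20.22 > 192.168.1.10.40001: Flags [S.], seq 5000, ack 1001, win 65160, length 0
10:00:01.000500 IP 192.168.1.10.40001 > 192.168.1.20.22: Flags [.], ack 5001, win 502, length 0
10:00:02.000100 IP 192.168.1.10.40002 > 192.168.1.20.23: Flags [S], seq 2000, win 64240, length 0
10:00:02.000200 IP 192.168.1.10.40003 > 192.168.1.20.80: Flags [S], seq 3000, win 64240, length 0
10:00:02.000300 IP 192.168.1.10.40004 > 192.168.1.20.443: Flags [S], seq 4000, win 64240, length 0
10:00:03.000100 IP 192.168.1.20.80 > 192.168.1.30.51000: Flags [P.], seq 1:100, ack 1, win 502, length 99
"""

# timestamp, src.port > dst.port: Flags [..], optional seq / ack / win, trailing length
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>[\d:]+))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r".*length (?P<length>\d+)$"
)

def parse_line(line):
    """Return a dict of the fields of one TCP output line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ack", "win", "length"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_lines(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def is_pure_syn(rec):
    # "S" alone: SYN set, no "." (ACK) flag, i.e. the opening packet of a connection attempt
    return "S" in rec["flags"] and "." not in rec["flags"]

def syn_only_by_source(records):
    """Count connection attempts (pure SYNs) per source address."""
    counts = Counter(r["src"] for r in records if is_pure_syn(r))
    return dict(counts)

def distinct_ports_probed(records, src):
    """Sorted destination ports that a source sent pure SYNs to."""
    return sorted({r["dport"] for r in records if r["src"] == src and is_pure_syn(r)})

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for src, n in syn_only_by_source(recs).items():
        print(f"{src}: {n} connection attempts to ports {distinct_ports_probed(recs, src)}")
```

On real output, feed the lines from tcpdump -n -l (line-buffered, numeric addresses) into parse_lines; the regex is deliberately strict and returns None for anything it does not understand, so non-TCP lines are skipped rather than misparsed.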

4. Examples

The code is as follows:
[root@www ~]# tcpdump -i eth1   # monitor the packets on the specified network interface

The code is as follows:

[root@www ~]# tcpdump host webserver   # print all packets entering or leaving webserver

The code is as follows:

[root@www ~]# tcpdump host 210.27.48.1   # an IP address can also be given, e.g. intercept all packets received and sent by host 210.27.48.1

The code is as follows:

[root@www ~]# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)   # intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

The code is as follows:

[root@www ~]# tcpdump ip host 210.27.48.1 and ! 210.27.48.2   # obtain the IP packets exchanged between host 210.27.48.1 and all hosts except 210.27.48.2

The code is as follows:

[root@www ~]# tcpdump -i eth0 src host webserver   # intercept all data sent by host webserver

The code is as follows:

[root@www ~]# tcpdump -i eth0 dst host webserver   # monitor all packets sent to host webserver

The code is as follows:

[root@www ~]# tcpdump tcp port 23 and host 210.27.48.1   # obtain the telnet packets received or sent by host 210.27.48.1

The code is as follows:

[root@www ~]# tcpdump udp port 123   # monitor UDP port 123 on the local machine; port 123 is the NTP service port

The code is as follows:

[root@www ~]# tcpdump net ucb-ether   # print all packets between the local host and hosts on the Berkeley network (note: ucb-ether can be understood as the network address of the "Berkeley network"; literally, the expression prints all packets whose network address is ucb-ether)

The code is as follows:

[root@www ~]# tcpdump 'gateway snup and (port ftp or ftp-data)'   # print all ftp packets passing through gateway snup (note that the expression is quoted, which stops the shell from interpreting the parentheses)

The code is as follows:

[root@www ~]# tcpdump ip and not net localnet   # print all IP packets that are neither sourced from nor destined to the local network

The code is as follows:

[root@www ~]# tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'   # print the opening and closing packets (SYN and FIN) of TCP sessions where the source or destination is not a host on the local network (note: replace localnet with the actual name of the local network)

The code is as follows:

[root@www ~]# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'   # print all IPv4 packets with source or destination port 80 that carry data, i.e. not SYN, FIN or ACK-only packets without data

The code is as follows:

[root@www ~]# tcpdump 'gateway snup and ip[2:2] > 576'   # print IP packets longer than 576 bytes whose gateway is snup

The code is as follows:

[root@www ~]# tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'   # print IP-layer broadcast or multicast packets that were not sent as Ethernet-layer broadcast or multicast frames

The code is as follows:

[root@www ~]# tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'   # print all ICMP packets except echo requests and echo replies

The code is as follows:

[root@www ~]# tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and not dst port 22 and src net 192.168.1.0/24

# (1) tcp: the protocol keywords ip, icmp, arp, rarp, tcp, udp and so on go in the first position of the expression to filter by packet type
# (2) -i eth1: only capture packets passing through interface eth1
# (3) -t: do not show timestamps
# (4) -s 0: the default snapshot length is 68 bytes; -s 0 captures the full packet
# (5) -c 100: capture only 100 packets
# (6) not dst port 22: do not capture packets whose destination port is 22
# (7) src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24
# (8) -w ./target.cap: save to a cap file for convenient analysis in Ethereal (now Wireshark)

The code is as follows:
[root@www ~]# tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'   # capture HTTP packets with tcpdump (0x4745 is "GE", 0x4854 is "HT"; this only works when the TCP header is exactly 20 bytes, i.e. has no options)
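What the byte-offset filters in the examples above actually compute, as an added example that is not part of the original article and is not tcpdump code: a small builder constructs IPv4+TCP packets, and the ip[...] and tcp[...] accessors of the filter language are reimplemented so that the port-80 "carries data" test, the tcp[20:2] HTTP test and the ip[16] >= 224 test can be run on constructed packets. The packets, addresses and payloads are constructed inputs; the Ethernet header (needed for ether[0]) is not modelled.

```python
import struct

# Flag bits of the TCP header byte at tcp[13]
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", ip_options=b"", tcp_options=b""):
    """Construct a minimal IPv4+TCP packet (no Ethernet header, checksums left zero).
    Option fields must already be padded to a multiple of 4 bytes."""
    ihl = 5 + len(ip_options) // 4             # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4           # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split("."))) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags, 65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload

def _field(buf, off, size):
    if off + size > len(buf):
        return None                            # an out-of-range access never matches, as in tcpdump
    return int.from_bytes(buf[off:off + size], "big")

# ip[off:size] is relative to the IP header; tcp[off:size] is relative to the TCP header,
# so it uses the IHL field to skip the IP header, exactly as the filter language does.
def ip_field(pkt, off, size=1):
    return _field(pkt, off, size)

def tcp_field(pkt, off, size=1):
    base = (pkt[0] & 0x0F) << 2
    return _field(pkt[base:], off, size)

def has_tcp_payload(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0
    total length minus IP header length minus TCP header length: true only if data follows."""
    return (ip_field(pkt, 2, 2) - ((ip_field(pkt, 0) & 0x0F) << 2)) \
        - ((tcp_field(pkt, 12) & 0xF0) >> 2) != 0

def looks_like_http(pkt):
    """tcp[20:2]=0x4745 or tcp[20:2]=0x4854: the two bytes after a 20-byte TCP header are
    "GE" or "HT". If the header carries options, offset 20 lands inside them instead."""
    return tcp_field(pkt, 20, 2) in (0x4745, 0x4854)

def ip_dst_is_bcast_or_mcast(pkt):
    """ip[16] >= 224: the first byte of the destination address is in the multicast/broadcast range."""
    return ip_field(pkt, 16) >= 224

if __name__ == "__main__":
    get = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n")
    syn = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, TCP_SYN)
    print("GET carries data:", has_tcp_payload(get), "looks like HTTP:", looks_like_http(get))
    print("SYN carries data:", has_tcp_payload(syn), "looks like HTTP:", looks_like_http(syn))
```

The length-arithmetic test is robust to IP and TCP options because it reads both header lengths from the packet, whereas the fixed tcp[20:2] test silently misses requests whose TCP header carries options (timestamps, SACK), which is most modern connections; the test below shows both behaviours on the same GET request with and without options.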
