Advanced use of the tcpdump packet capture tool

Source: Internet
Author: User

tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'

0x4745 is the hex encoding of "GE", the first two letters of "GET".

0x4854 is the hex encoding of "HT", the first two letters of "HTTP".
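The filter above compares bytes 20 and 21 of the TCP segment, which is where the payload starts only when the TCP header carries no options (a 20-byte header). The script below is an added example, not code from the original article: it derives the 0xHHHH constants from the two-letter ASCII prefix, reproduces the article's fixed-offset filter, and also builds an options-aware variant that reads the header length from the TCP data-offset field. The function names and the CAPTURE switch are my own.

```shell
#!/bin/sh
# Build tcpdump filters that match the first two ASCII bytes of a TCP payload,
# as the article's 0x4745 ("GE") / 0x4854 ("HT") one-liner does.
# Added example, not from the original article.

# Convert a two-character string to the 0xHHHH form that tcp[...:2] compares against.
ascii2hex() {
  hi=$(printf '%d' "'${1%?}")   # numeric value of the first character
  lo=$(printf '%d' "'${1#?}")   # numeric value of the second character
  printf '0x%04x' $(( (hi << 8) | lo ))
}

# The article's form: payload assumed to start at byte 20 (TCP header without options).
fixed_offset_filter() {
  printf 'tcp[20:2]=%s' "$(ascii2hex "$1")"
}

# Options-aware form: the data-offset field (high nibble of TCP byte 12) holds the
# header length in 32-bit words, so (tcp[12] & 0xf0) >> 2 is the header length in bytes.
option_aware_filter() {
  printf 'tcp[((tcp[12:1] & 0xf0) >> 2):2]=%s' "$(ascii2hex "$1")"
}

# GET requests or HTTP/ responses, whatever the header length.
http_filter() {
  printf '%s or %s' "$(option_aware_filter GE)" "$(option_aware_filter HT)"
}

# Run the capture on an interface (eth0 by default), with the article's other flags.
capture_http() {
  sudo tcpdump -XvvennSs 0 -i "${1:-eth0}" "$(http_filter)"
}

# Only capture when explicitly asked, so the file can also be sourced for its helpers.
if [ "${CAPTURE:-0}" = 1 ]; then capture_http "$1"; fi
```

Run it as `CAPTURE=1 sh filter.sh eth0`; note that the filter is passed as one quoted argument so the shell does not try to glob the square brackets.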

Description: a normal TCP connection goes through three stages: 1. the TCP three-way handshake; 2. data transfer; 3. the TCP four-way close.

Several concepts are involved: SYN (Synchronize Sequence Numbers), ACK (Acknowledgement Number) and FIN (Finish).

TCP three-way handshake (connection setup, OPEN)
The client sends the server a request to create a TCP connection: SYN (j). The server accepts the request and returns two pieces of information: SYN (k) + ACK (j+1). The client verifies the ACK it received (j and j+1) and returns one piece of information: ACK (k+1). The server verifies the client's ACK (k and k+1), sends nothing further, and both sides enter the data communication stage.

Data communication
Client and server read and write packets.

TCP four-way handshake (connection close, FINISH)
The client initiates the shutdown by sending FIN (M). The server receives it and first returns ACK (M+1) to show that the message was received. When the server is itself ready to close, it sends FIN (N) to the client, asking whether the client is ready to close. The client returns a confirmation: ACK (N+1). Once both sides have confirmed, each closes and reclaims its end of the TCP connection.

Detailed state descriptions (and the related Linux parameter tuning)

SYN_SENT: the client has tried to connect to the server via open(), i.e. step 1 of the three-way handshake. Note that this is a client-side state.
sysctl -w net.ipv4.tcp_syn_retries=2
As a client, this sets how many times the SYN packet is retried; the default is 5 (about 180 s). To quote the boss: just retry twice, modern networks are good enough.

SYN_RECEIVED: the server has accepted the SYN request, i.e. step 2 of the three-way handshake, before it sends its ACK. Note that this is a server-side state. Around 15 connections in this state is normal; if the number is very large, suspect a SYN flood attack.
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
Sets the length of the wait queue for this state; the default is 1024. Enlarging it gives some protection against SYN flood; see man 7 tcp.
sysctl -w net.ipv4.tcp_syncookies=1
Enables SYN cookies, a mechanism that temporarily "swaps out" the SYN connection when the SYN backlog queue is full.
sysctl -w net.ipv4.tcp_synack_retries=2
As a server, this sets how many times the SYN+ACK packet is retried; the default is 5 (about 180 s). Same advice from the boss: retry twice, modern networks are good enough.

ESTABLISHED: the client enters this state after receiving the server's ACK packet; the server enters it some time after sending its ACK.
sysctl -w net.ipv4.tcp_keepalive_time=1200
The default is 7200 seconds (2 hours). The system sends heartbeat probes on idle connections; if there is no reply within net.ipv4.tcp_keepalive_probes * net.ipv4.tcp_keepalive_intvl (11 minutes by default), the TCP connection is terminated. The heartbeat frequency can be adjusted. Current online monitoring thresholds: warning 600, critical 800.

FIN_WAIT1: the actively closing side, after sending its FIN request, i.e. step 1 of the four-way close.

CLOSE_WAIT: the passively closing side, after receiving the client's FIN, i.e. step 2 of the four-way close.

FIN_WAIT2: the actively closing side, after receiving the passive side's ACK, i.e. step 2 of the four-way close.
sysctl -w net.ipv4.tcp_fin_timeout=30
Sets how long to wait for the passively closing side to return its FIN; reclaiming these connections promptly helps against SYN flood.

LAST_ACK: the passively closing side, after sending its ACK, waits a while (to be sure the client received it) and then sends its own FIN request, i.e. step 3 of the four-way close.

TIME_WAIT: the actively closing side, after receiving the passive side's FIN packet, sends an ACK, i.e. step 4 of the four-way close.
sysctl -w net.ipv4.tcp_tw_recycle=1
Enables fast recycling of TIME_WAIT connections. Enabling this option isn't recommended, since it causes problems when working with NAT (Network Address Translation).
sysctl -w net.ipv4.tcp_tw_reuse=1
Quickly recycles and reuses TIME_WAIT connections. This seems to conflict with tw_recycle: can a connection not be reused once it has been recycled?
net.ipv4.tcp_max_tw_buckets
The maximum number of connections in the TIME_WAIT state; the default is 180000.

Related notes: when the actively closing side receives the passively closing side's FIN request and successfully sends an ACK to the other party, it changes its own state from FIN_WAIT2 to TIME_WAIT, but it must wait twice the MSL (Maximum Segment Lifetime, the time a datagram can exist in the internetwork) before both sides can change their state to CLOSED and close the connection. Currently RHEL keeps the TIME_WAIT state for 60 seconds. A keepalive strategy can effectively avoid repeating the three-way handshake and four-way close.

Other network-critical parameters:

net.ipv4.tcp_rmem default values: min=4096 default=87380 max=4194304

net.ipv4.tcp_wmem default values: min=4096 default=16384 max=4194304
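The state descriptions above give one concrete detection signal (a SYN_RECEIVED count far above the usual 15 or so) and a set of sysctl values. The script below is an added example, not from the original article: it counts socket states from ss -tan style output, flags a high SYN-RECV count, and compares the live sysctls with the values the article suggests. The SAMPLE data and the SYN_RECV_WARN threshold are constructed; tcp_tw_recycle is deliberately left out because the article itself advises against enabling it.

```shell
#!/bin/sh
# Summarise TCP socket states (ss -tan output), flag a SYN-RECV count above the
# level the article calls normal, and compare live sysctls with the article's
# suggested values. Added example, not from the original article; SAMPLE and
# SYN_RECV_WARN are constructed/assumed.

SYN_RECV_WARN="${SYN_RECV_WARN:-15}"   # assumed threshold, from the article's "around 15"

# Constructed `ss -tan` style output: header line, then one socket per line.
SAMPLE='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.16.2.85:80       10.16.2.10:51000
ESTAB     0      0      10.16.2.85:80       10.16.2.11:51001
TIME-WAIT 0      0      10.16.2.85:80       10.16.2.12:51002
SYN-RECV  0      0      10.16.2.85:80       203.0.113.5:40001
SYN-RECV  0      0      10.16.2.85:80       203.0.113.6:40002
SYN-RECV  0      0      10.16.2.85:80       203.0.113.7:40003'

# Print "STATE count" per state, most frequent first (input on stdin).
count_states() {
  awk 'NR > 1 && NF { n[$1]++ } END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Print the number of sockets in one state, 0 if none (input on stdin).
state_count() {
  awk -v want="$1" 'NR > 1 && $1 == want { c++ } END { print c + 0 }'
}

# Succeed (exit 0) when SYN-RECV exceeds the threshold, i.e. worth a closer look.
syn_recv_suspicious() {
  [ "$(state_count SYN-RECV)" -gt "$SYN_RECV_WARN" ]
}

# Compare live sysctls with the article's suggested values.
check_tuning() {
  for kv in net.ipv4.tcp_syn_retries=2 net.ipv4.tcp_synack_retries=2 \
            net.ipv4.tcp_max_syn_backlog=4096 net.ipv4.tcp_syncookies=1 \
            net.ipv4.tcp_fin_timeout=30 net.ipv4.tcp_keepalive_time=1200; do
    key=${kv%%=*}; want=${kv#*=}
    have=$(sysctl -n "$key" 2>/dev/null || echo '?')
    if [ "$have" = "$want" ]; then mark=ok; else mark=DIFF; fi
    printf '%-34s current=%-6s suggested=%-5s %s\n' "$key" "$have" "$want" "$mark"
  done
}

# Live report; run on the host being checked (sysctl -n needs no privileges to read).
report_live() {
  ss -tan | count_states
  if ss -tan | syn_recv_suspicious; then
    echo "warning: SYN-RECV above $SYN_RECV_WARN; review tcp_max_syn_backlog and tcp_syncookies" >&2
  fi
  check_tuning
}
```

On a real host, `report_live` replaces SAMPLE with the output of ss -tan; a DIFF line from check_tuning is only a prompt to look, since the article's values are a starting point rather than universal settings.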

tcpdump

tcpdump is the packet capture tool that ships with Linux. It is driven from the command line, which makes it well suited to capturing on a production server. On Windows or an Ubuntu desktop you can choose a graphical tool instead; on Ubuntu, Wireshark is the usual recommendation and installs with a simple sudo apt.

command-line format:

tcpdump [-adeflnNOpqStvx] [-c count] [-F filename] [-i interface] [-r filename] [-s snaplen] [-T type] [-w filename] [expression]

Common parameters:

-l makes standard output line-buffered;
-n does not convert network addresses into names;
-c stops tcpdump after the given number of packets has been received;
-i specifies the network interface to listen on;
-w writes the packets straight to a file without parsing or printing them;
-s specifies the snapshot length, i.e. how much of each packet is recorded; -s 0 is common and means the maximum, 65535. The usual Linux MTU is 1500, so this is plenty;
-X prints the packet data directly. It is off by default, in which case packet data is only available through a file written with -w.

Common expressions:
Type keywords, mainly host, net and port.
Direction keywords, mainly src, dst, dst or src, and dst and src.
Protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on.
Logical operators: negation is 'not' or '!', and is 'and' or '&&', or is 'or' or '||'.
Other important keywords: gateway, broadcast, less, greater.
Practical examples:

1. Capture HTTP packets (print the packet data directly in the terminal)

tcpdump -n -X -s 0 tcp port 80

The expression restricts the capture to port 80.

2. Capture HTTP packets into a file

tcpdump -n -s 0 -w /tmp/tcp.cap tcp port 80

The resulting /tmp/tcp.cap can already be read by eye, for example the HTTP headers and body content.

3. Combining with a pipeline

tcpdump -n -s 0 -X -l tcp port 80 | grep xxxx

The -l flag makes the output line-buffered, so packets can be string-matched and filtered in real time.

4. Capturing behind a mod_proxy reverse proxy

The production server runs Apache + Jetty, with Apache reverse-proxying to Jetty via mod_proxy: Apache listens on port 80 and Jetty on port 7001.

Capturing on the Apache port: tcpdump -n -s 0 -X -i eth0 tcp port 80 (note: specify the eth0 network interface)

Capturing on the Jetty port: tcpdump -n -s 0 -X -i lo tcp port 7001 (note: specify the loopback interface, since the proxied traffic stays on the same host)

5. Monitoring only a specific IP host

tcpdump -s 0 -X tcp host 10.16.2.85 and port 2100

Here the tcp expression is combined with host, which restricts the capture to that one IP address.
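Example 3 above pipes line-buffered output into grep, which matches on raw hex/ASCII dumps. The script below is an added example, not from the original article: it reads tcpdump -A output (ASCII payload under each packet header line) and prints one summary line per HTTP request or response, which is what one usually wants from a real-time pipeline. SAMPLE is constructed tcpdump -A style output, and the function names are my own.

```shell
#!/bin/sh
# Turn line-buffered `tcpdump -nn -l -A` output into one summary line per HTTP
# request or response, a more useful real-time filter than grep on raw dumps.
# Added example, not from the original article; SAMPLE is constructed output
# in tcpdump -A style (packet header line, then the ASCII payload).

SAMPLE='12:00:01.000000 IP 10.16.2.10.51000 > 10.16.2.85.80: Flags [P.], seq 1:80, ack 1, win 512, length 79
E..o..@.@.....
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: curl/7.0

12:00:01.100000 IP 10.16.2.85.80 > 10.16.2.10.51000: Flags [P.], seq 1:200, ack 80, win 512, length 199
E.....
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 150'

# Read tcpdump -A output on stdin; print
#   "src > dst  METHOD host/path" for each request (host is empty if no Host header), and
#   "src > dst  STATUS reason"    for each response.
http_summary() {
  awk '
    function flush() {
      if (pending) { printf "%s > %s  %s %s%s\n", src, dst, method, host, path; pending = 0 }
    }
    # Packet header line: remember the endpoints, first flushing any request still open.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / { flush(); src = $3; dst = $5; sub(/:$/, "", dst); next }
    # Request line: hold it until the Host header (or the next packet) arrives.
    /^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \/[^ ]* HTTP\/1\.[01]/ { method = $1; path = $2; host = ""; pending = 1; next }
    pending && /^Host: / { host = $2; sub(/\r$/, "", host); flush(); next }
    # Status line: print immediately, keeping the whole reason phrase.
    /^HTTP\/1\.[01] [0-9][0-9][0-9]/ { status = $0; sub(/^HTTP\/1\.[01] /, "", status); sub(/\r$/, "", status); printf "%s > %s  %s\n", src, dst, status }
    END { flush() }
  '
}

# Live use: capture port 80 on an interface (eth0 by default) and summarise in real time.
live_http() {
  sudo tcpdump -nn -l -A -s 0 -i "${1:-eth0}" tcp port 80 | http_summary
}
```

The -l flag matters here as much as in the article's grep pipeline: without it tcpdump block-buffers its output when stdout is a pipe, and the summary lines appear only in bursts.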

Small tips:

1. Combine tcpdump (command line) with Wireshark (graphical)

Steps: tcpdump -w /tmp/tcp.cap to write the capture to a file; scp /tmp/tcp.cap to copy the file to your local machine; start Wireshark and open the copied file via File -> Open. The rest of the packet analysis is then very convenient.

2. Install Wireshark directly on the server and display it on your own machine over X11

Note: if Wireshark is to capture from the network itself, it must be started as root, otherwise it cannot capture directly from the network card. X11 display forwarding requires the client to support the X11 protocol; Ubuntu supports it natively, which is very convenient, while Windows needs additional software installed.
