Advanced tcpdump usage

Author: Lin Haifeng

http://blog.csdn.net/linyt

[*] For reprinting, please credit the author. For commercial use, please contact the author.


Type man tcpdump on Linux and the manual page opens with the following synopsis:

    tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
            [ -C file_size ] [ -F file ]
            [ -i interface ] [ -m module ] [ -M secret ]
            [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
            [ -W filecount ]
            [ -E spi@ipaddr algo:secret,... ]
            [ -y datalinktype ] [ -Z user ]
            [ expression ]

This is the synopsis of how tcpdump is invoked. This article only looks at how [expression] is written, and in particular how to write strictly matching conditions. On a large network the number of packets is very high, and without strict matching, protocol analysis is badly hampered. The options that precede expression are not discussed here, since the manual already covers them thoroughly. The following describes expression.

Usage of [expression]:

Expression is the most useful advanced feature of tcpdump: it selects particular packets. The following describes how expression is used, mainly how to write expressions that meet requirements as strictly as possible. If tcpdump is run without an expression, it outputs every packet seen on the NIC; otherwise only the packets that match the expression are output.

An expression is composed of one or more primitives, and a primitive is composed of one or more qualifiers and one id (name) or number. The structure can be written as:

expression = ([qualifier] + (id | number)) + ...

In other words, expression is a compound condition and [qualifier] + (id | number) is a basic condition: the qualifier names the thing being tested (a field or attribute), and the id or number gives the value (a constant).

There are three kinds of qualifier:

type says what kind of thing the id name or number refers to. These words include host, net, port, portrange and so on.

Example:

host foo is a simple primitive: host is the qualifier and foo is the id name.

net 128.3: net is the qualifier and 128.3 is the number.

port 20

And so on.

Each primitive must have a type word. If none is given, the default is host.

dir specifies the direction of transmission. These words include src, dst, src or dst, and src and dst.

Example:

dst net 128.3: this is a slightly more complex primitive with the structure dir type number, meaning the condition that the destination network is 128.3.

src or dst port ftp-data: this has a simpler structure than the previous one. src or dst means source or destination, and ftp-data is the id, the data-transfer port of the FTP protocol; so the primitive matches packets whose source or destination port is ftp-data.

If a primitive has no dir word, the default is src or dst. For example, host foo matches packets whose source or destination host is foo.

proto restricts the match to a particular protocol. These words include ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. In practice these words, used to match a protocol, are the most frequently used group.

The three kinds of qualifier, together with an id name or number, form a primitive, usually in the following form:

proto dir type id (or number), that is, primitive = proto dir type (id | number)

For example:

tcp src port 80

ip dst host 192.168.1.1

If type appears, an id or number follows it.

If dir appears, type normally appears too; if it is omitted, the default is host.

proto can appear on its own, as in tcpdump 'tcp'.
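The qualifier grammar above, including its two defaults (a missing dir means src or dst, a missing type means host), can be made concrete with a small evaluator. The following Python is an added example written for this article, not code from the original post or from tcpdump/libpcap: it parses one primitive into (proto, dir, type, value) and tests it against packet records. It handles only the host and port types, and the packet field names, the PACKETS records and the small SERVICES table (standing in for the /etc/services lookup that resolves names such as ftp-data) are my own assumptions; real tcpdump compiles the expression to BPF instructions rather than walking dictionaries.

```python
# Added example for this article (not code from the original post or from
# tcpdump/libpcap): a tiny evaluator for single tcpdump primitives of the form
#   [proto] [dir] [type] (id | number)
# with the article's defaults: no dir -> "src or dst", no type -> "host".
# Packets are plain dicts constructed below; the field names are my own.

PROTOS = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp"}
DIRS = {"src", "dst", "src or dst", "src and dst"}
TYPES = {"host", "port"}          # net/portrange are left out of this small example

# Constructed stand-in for the /etc/services lookup tcpdump does for port names.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53, "http": 80, "www": 80}

# Constructed sample packets (not captured data), modelled on the article's examples.
PACKETS = {
    "arp_request": {"layers": {"ether", "arp"},
                    "ether_src": "00:19:21:1d:75:e6", "ether_dst": "ff:ff:ff:ff:ff:ff",
                    "ip_src": "192.168.240.189", "ip_dst": "192.168.240.77"},
    "http_syn": {"layers": {"ether", "ip", "tcp"},
                 "ether_src": "00:19:21:1d:75:e6", "ether_dst": "00:03:d2:20:04:28",
                 "ip_src": "192.168.240.69", "ip_dst": "202.108.22.43",
                 "src_port": 47945, "dst_port": 80},
    "dns_query": {"layers": {"ether", "ip", "udp"},
                  "ether_src": "00:19:21:1d:75:e6", "ether_dst": "00:03:d2:20:04:28",
                  "ip_src": "192.168.240.69", "ip_dst": "192.168.200.150",
                  "src_port": 32853, "dst_port": 53},
    "ftp_data": {"layers": {"ether", "ip", "tcp"},
                 "ether_src": "00:03:d2:20:04:28", "ether_dst": "00:19:21:1d:75:e6",
                 "ip_src": "192.168.200.10", "ip_dst": "192.168.240.69",
                 "src_port": 20, "dst_port": 40000},
}


def parse_primitive(text):
    """Split one primitive into (proto, dir, type, value), filling in the defaults."""
    words = text.lower().split()
    proto = words.pop(0) if words and words[0] in PROTOS else None
    direction = None
    if " ".join(words[:3]) in DIRS:                 # "src or dst" / "src and dst"
        direction, words = " ".join(words[:3]), words[3:]
    elif words and words[0] in ("src", "dst"):
        direction, words = words[0], words[1:]
    qtype = None
    if words and words[0] in TYPES:
        qtype, words = words[0], words[1:]
    if proto and not words and direction is None and qtype is None:
        return proto, None, None, None              # bare protocol, e.g. 'tcp'
    if len(words) != 1:
        raise ValueError("expected exactly one id or number in %r" % text)
    value = words[0]
    qtype = qtype or "host"                         # article: default type is host
    direction = direction or "src or dst"           # article: default dir is src or dst
    if qtype == "port" and value in SERVICES:
        value = str(SERVICES[value])                # ftp-data -> 20, www -> 80
    return proto, direction, qtype, value


def matches(primitive, pkt):
    """Return True if the constructed packet record satisfies the primitive."""
    proto, direction, qtype, value = parse_primitive(primitive)
    if proto is not None and proto not in pkt["layers"]:
        return False
    if qtype is None:
        return True                                 # bare 'tcp', 'arp', ...
    if qtype == "host":
        fields = ("ether_src", "ether_dst") if proto == "ether" else ("ip_src", "ip_dst")
    else:
        fields = ("src_port", "dst_port")
    src, dst = (str(pkt.get(f)).lower() for f in fields)
    hit = {"src": src == value, "dst": dst == value}
    if direction in ("src", "dst"):
        return hit[direction]
    if direction == "src and dst":
        return hit["src"] and hit["dst"]
    return hit["src"] or hit["dst"]


def matching_names(primitive, packets=None):
    """Names of the sample packets that a primitive selects, in sorted order."""
    packets = PACKETS if packets is None else packets
    return sorted(name for name, pkt in packets.items() if matches(primitive, pkt))


if __name__ == "__main__":
    for prim in ("tcp", "host foo", "tcp src port 80", "tcp dst port 80",
                 "ether dst ff:ff:ff:ff:ff:ff", "src or dst port ftp-data",
                 "host 192.168.240.69"):
        print("%-28s -> %s  matches %s" % (prim, parse_primitive(prim), matching_names(prim)))
```

Running the block prints, for each primitive, the parsed tuple and which sample packets it selects; note how 'tcp src port 80' selects nothing while 'tcp dst port 80' selects the HTTP SYN, which is exactly the difference between the article's 'tcp dst port 80' and the looser 'tcp port 80'.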

With the three kinds of qualifier described above we can quickly write a primitive. Next I use a single primitive as the whole expression to match packets.

(1) Matching Ethernet packets

Matching a specific MAC address:

tcpdump 'ether src 00:19:21:1d:75:e6'

This matches packets whose source MAC is 00:19:21:1d:75:e6; replace src with dst or src or dst to change the condition.

Matching Ethernet broadcast packets. The distinguishing feature of an Ethernet broadcast packet is a destination MAC of all ones, so it can be matched as follows:

tcpdump 'ether dst ff:ff:ff:ff:ff:ff'

ylin@ylin:~$ sudo tcpdump -c 1 'ether dst ff:ff:ff:ff:ff:ff'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

10:47:57.784099 arp who-has 192.168.240.77 tell 192.168.240.189

In this example only one packet is matched, after which tcpdump exits. The first packet is an ARP request; ARP requests are sent by broadcast, so it matches.

Matching Ethernet multicast packets. The distinguishing feature of an Ethernet multicast packet is that the highest bit of the MAC address is 1, and the remaining bits represent the multicast group number. To match a particular multicast group you only need the group's MAC address, for example

tcpdump 'ether dst <mac_address>', where <mac_address> stands for the group address; fill in the appropriate address. Matching all Ethernet multicast packets is set aside for now and taken up again in the more advanced applications below.

(2) Matching ARP packets

ARP is the protocol that maps IP addresses to MAC addresses; its packets are ARP requests and ARP replies. ARP requests are sent by Ethernet broadcast, that is, the destination MAC of an ARP request is all ones, so ether dst ff:ff:ff:ff:ff:ff matches ARP requests but not ARP replies. To match the whole ARP exchange, therefore, specify the protocol with just arp.

tcpdump 'arp' matches the ARP packets on the network.

ylin@ylin:~$ arping -c 4 192.168.240.1 >/dev/null & sudo tcpdump -p 'arp'

[1] 9293

WARNING: interface is ignored: Operation not permitted

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

11:09:25.042479 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local

11:09:25.042702 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)

11:09:26.050452 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local

11:09:26.050765 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)

11:09:27.058459 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local

11:09:27.058701 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)

11:09:33.646514 arp who-has ylin.local tell 192.168.240.1

11:09:33.646532 arp reply ylin.local is-at 00:19:21:1d:75:e6 (oui Unknown)

In this example, arping -c 4 192.168.240.1 generates the ARP requests and receives the replies, while tcpdump -p 'arp' matches them. The -p option leaves the interface in normal (non-promiscuous) mode, which makes the matching results easier to read.

(3) Matching IP packets

As everyone knows, IP is one of the most important protocols in TCP/IP; it is what joins networks into the Internet. The expressions for matching IP packets analysed below are therefore essential.

Matching an IP address

tcpdump 'ip src 192.168.240.69'

ylin@ylin:~$ sudo tcpdump -c 3 'ip src 192.168.240.69'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

11:20:00.973605 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: S 2706301341:2706301341(0) win 5840 <mss 1460,sackOK,timestamp 1687608 0,nop,wscale 5>

11:20:00.974328 IP ylin.local.32849 > 192.168.200.150.domain: 5858+ PTR? 2017200.168.192.in-addr.arpa. (45)

11:20:01.243490 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: . ack 2762262674 win 183 <nop,nop,timestamp 1687676 4155416897>

Matching IP broadcast and multicast packets: just specify the broadcast or multicast address.

tcpdump 'ip dst 192.168.240.255'

ylin@ylin:~$ sudo tcpdump 'ip dst 192.168.240.255'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

11:25:29.690658 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 1, length 64

11:25:30.694989 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 2, length 64

11:25:31.697954 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 3, length 64

11:25:32.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 4, length 64

11:25:33.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 5, length 64

11:25:34.697982 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 6, length 64

This matches ICMP broadcast packets; to generate them, run ping -b 192.168.240.255 on another host in the same LAN. Multicast packets can be matched in the same way, but there was no convenient tool at hand to generate them, so no example is given here.

(4) Matching TCP packets

TCP is also one of the most important protocols in the TCP/IP stack. It provides a reliable end-to-end byte stream, and many application-layer protocols use it as their transport, so matching TCP is very important.

To match HTTP traffic you only need a condition that matches port 80.

tcpdump 'tcp dst port 80'

ylin@ylin:~$ wget http://www.baidu.com 2>&1 >/dev/null & sudo tcpdump -c 5 'tcp port 80'

[1] 10762

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

12:02:47.549056 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: S 1202130469:1202130469(0) ack 1132882351 win 2896 <mss 1460,sackOK,timestamp 3497190920 2329221,nop,wscale 2>

12:02:47.549085 IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: . ack 1 win 183 <nop,nop,timestamp 2329258>

12:02:47.549226 IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: P (101) ack 1 win 183 <nop,nop,timestamp 2329258>

12:02:47.688978 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . ack 102 win 698 <nop,nop,timestamp 3497190956>

12:02:47.693897 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . 1409(1408) ack 102 win 724 <nop,nop,timestamp 3497190957>

(5) Matching UDP packets

UDP is a connectionless, unreliable datagram service, so its main distinguishing feature is again the port. A port can be matched as follows:

tcpdump 'udp port 53' shows the DNS packets.

ylin@ylin:~$ ping -c 1 www.baidu.com >/dev/null & sudo tcpdump -p udp port 53

[1] 11424

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

12:28:09.221950 IP ylin.local.32853 > 192.168.200.150.domain: 63228+ PTR? 43.22.108.202.in-addr.arpa. (44)

12:28:09.222607 IP ylin.local.32854 > 192.168.200.150.domain: 5114+ PTR? 150.200.168.192.in-addr.arpa. (46)

12:28:09.487017 IP 192.168.200.150.domain > ylin.local.32853: 63228 1/0/0 (80)

12:28:09.487232 IP 192.168.200.150.domain > ylin.local.32854: 5114 NXDomain* 0/1/0 (140)

12:28:14.488054 IP ylin.local.32854 > 192.168.200.150.domain: 60693+ PTR? 69.240.168.192.in-addr.arpa. (45)

12:28:14.755072 IP 192.168.200.150.domain > ylin.local.32854: 60693 NXDomain 0/1/0 (122)

ping www.baidu.com generates the DNS requests and replies; 53 is the DNS port number.
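Reading tcpdump's one-line output is the other half of using it. The following Python is an added example, not code from the original article or from tcpdump: it parses the line format shown in the ARP, ICMP and DNS captures above, pairs each DNS response with its query by client address, client port and transaction id, and reports which names came back NXDOMAIN. A defender watches that count because a burst of NXDOMAIN answers usually means a misconfigured resolver or a host asking for names that do not exist. The sample lines are constructed to mirror the article's output (tcpdump itself prints the rcode as NXDomain), and the PORT_NAMES table is an assumed stand-in for the /etc/services names tcpdump substitutes for port numbers.

```python
import re
from collections import Counter

# Added example for this article (not from the original post or from tcpdump):
# parse tcpdump's default one-line output, as shown in the ARP, ICMP and DNS
# captures above, and correlate DNS answers with their queries.

# Constructed sample lines mirroring the article's output format (not real capture data).
SAMPLE_LINES = """\
11:09:25.042479 arp who-has 192.168.240.1 tell ylin.local
11:09:25.042702 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28
11:25:29.690658 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 1, length 64
12:28:09.221950 IP ylin.local.32853 > 192.168.200.150.domain: 63228+ PTR? 43.22.108.202.in-addr.arpa. (44)
12:28:09.222607 IP ylin.local.32854 > 192.168.200.150.domain: 5114+ PTR? 150.200.168.192.in-addr.arpa. (46)
12:28:09.487017 IP 192.168.200.150.domain > ylin.local.32853: 63228 1/0/0 (80)
12:28:09.487232 IP 192.168.200.150.domain > ylin.local.32854: 5114 NXDomain* 0/1/0 (140)
12:28:14.488054 IP ylin.local.32854 > 192.168.200.150.domain: 60693+ PTR? 69.240.168.192.in-addr.arpa. (45)
12:28:14.755072 IP 192.168.200.150.domain > ylin.local.32854: 60693 NXDomain 0/1/0 (122)
""".splitlines()

# Assumed stand-in for the /etc/services names tcpdump prints instead of port numbers.
PORT_NAMES = {"domain", "ssh", "www", "http", "https"}

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>\S+)\s+(?P<body>.*)$")
IP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")
DNS_QUERY_RE = re.compile(r"^(?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+)")
DNS_RESP_RE = re.compile(r"^(?P<id>\d+) (?:(?P<rcode>[A-Za-z]+)\*? )?\d+/\d+/\d+")


def split_endpoint(ep):
    """'ylin.local.32853' -> ('ylin.local', '32853'); a bare host or IPv4 address has no port."""
    host, dot, last = ep.rpartition(".")
    if not dot:
        return ep, None
    labels = ep.split(".")
    if last.isdigit() and not (len(labels) == 4 and all(l.isdigit() for l in labels)):
        return host, last                       # numeric port after a name or an address
    if last in PORT_NAMES:
        return host, last                       # service name printed by tcpdump
    return ep, None


def parse_line(line):
    """Turn one output line into a dict; returns None for lines that are not packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "proto": m["proto"].lower(), "info": m["body"]}
    ipm = IP_RE.match(m["body"]) if rec["proto"] == "ip" else None
    if ipm:
        rec["src"], rec["sport"] = split_endpoint(ipm["src"])
        rec["dst"], rec["dport"] = split_endpoint(ipm["dst"])
        rec["info"] = ipm["info"]
        if "domain" in (rec["sport"], rec["dport"]):
            rec["proto"] = "dns"                # port 53 traffic, decoded by tcpdump
    return rec


def protocol_counts(lines):
    """How many lines tcpdump printed per protocol."""
    return dict(Counter(r["proto"] for r in map(parse_line, lines) if r))


def correlate_dns(lines):
    """Pair DNS responses with queries by (client, client port, transaction id)."""
    pending, nxdomain, rcodes = {}, [], Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] != "dns":
            continue
        q = DNS_QUERY_RE.match(rec["info"])
        if q and rec["dport"] == "domain":
            pending[(rec["src"], rec["sport"], q["id"])] = q["name"]
            continue
        r = DNS_RESP_RE.match(rec["info"])
        if r and rec["sport"] == "domain":
            rcode = (r["rcode"] or "NoError").lower()
            rcodes[rcode] += 1
            name = pending.pop((rec["dst"], rec["dport"], r["id"]), "<unmatched>")
            if rcode == "nxdomain":
                nxdomain.append(name)
    return {"rcodes": dict(rcodes), "nxdomain": nxdomain,
            "unanswered": sorted(pending.values())}


if __name__ == "__main__":
    print(protocol_counts(SAMPLE_LINES))
    print(correlate_dns(SAMPLE_LINES))
```

The correlation key deliberately includes the client port as well as the 16-bit transaction id, since ids alone repeat across clients; queries that never receive an answer stay in the pending table and are returned as unanswered.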

Many more qualifiers have not been mentioned yet. Below are other valid primitives that can be used directly in tcpdump.

gateway host

Matches packets that use host as a gateway, that is, the source or destination MAC address of the packet is host's, but neither the IP source nor the IP destination address is host's.

dst net net

src net net

net net

net net mask netmask

net net/len

Match packets whose IPv4/IPv6 address lies in the network net.

net can be written as 192.168.0.0 or as 192.168, for example net 192.168 or net 192.168.0.0.

net net mask netmask is valid only for IPv4 packets, for example net 192.168.0.0 mask 255.255.0.0.

net net/len is valid only for IPv4 packets, for example net 192.168.0.0/16.

dst portrange port1-port2

src portrange port1-port2

portrange port1-port2

Match IPv4/TCP, IPv4/UDP, IPv6/TCP and IPv6/UDP packets whose port lies within the range port1-port2. dst and src select the destination or source port respectively; if neither is given, src or dst is meant.

less length matches packets whose length is less than or equal to length.

greater length matches packets whose length is greater than or equal to length.

ip protochain protocol matches IPv4 packets whose protocol field value is protocol.

ip6 protochain protocol matches IPv6 packets whose protocol field value is protocol.

For example, tcpdump 'ip protochain 6' matches the TCP packets on an IPv4 network and is equivalent to tcpdump 'ip && tcp', in which two primitives are joined together; 6 is the protocol number of TCP in the IP header.

ether broadcast

Matches Ethernet broadcast packets.

ether multicast

Matches Ethernet multicast packets.

ip broadcast

Matches IPv4 broadcast packets, that is, IPv4 packets whose host part of the address is all zeros or all ones.

ip multicast

Matches IPv4 multicast packets, that is, packets whose IP address is a multicast address.
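The net, portrange, broadcast and multicast primitives listed above all come down to a few address computations. The following Python is an added example, not code from the original article or from libpcap, that carries those computations out on constructed values: the three net forms (abbreviated, with mask, and with /len; per the tcpdump manual an abbreviated number gets 8 mask bits per octet given, so a dotted pair is a /16 and a full dotted quad is a /32), portrange, the Ethernet broadcast and multicast tests (libpcap implements ether multicast as ether[0] & 1 != 0), and the ip broadcast test, which needs the interface netmask that tcpdump reads from the capture interface. The packet records, the netmask and the classify helper are my own assumptions.

```python
import ipaddress

# Added example for this article (not from the original post or from libpcap):
# the address arithmetic behind the net, portrange, broadcast and multicast
# primitives, applied to constructed values.


def parse_net(spec):
    """Interpret the net forms from the article as an ipaddress network.

    'net 192.168'                       -> 192.168.0.0/16 (8 mask bits per octet given,
                                           so per the tcpdump manual a dotted quad is /32)
    'net 192.168.0.0 mask 255.255.0.0'  -> 192.168.0.0/16
    'net 192.168.0.0/16'                -> 192.168.0.0/16
    """
    words = spec.split()
    if words and words[0] == "net":
        words = words[1:]
    if len(words) == 3 and words[1] == "mask":
        return ipaddress.ip_network((words[0], words[2]), strict=False)
    if len(words) != 1:
        raise ValueError("unrecognised net specification: %r" % spec)
    text = words[0]
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    octets = text.split(".")
    if all(o.isdigit() for o in octets) and 1 <= len(octets) <= 4:
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)), strict=False)
    return ipaddress.ip_network(text)           # IPv6 address or other full form


def in_net(addr, spec):
    """net / src net / dst net: is addr inside the network spec?"""
    return ipaddress.ip_address(addr) in parse_net(spec)


def in_portrange(port, spec):
    """portrange port1-port2, inclusive at both ends."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)


def mac_is_broadcast(mac):
    """ether broadcast: destination MAC of all ones."""
    return mac.lower() == "ff:ff:ff:ff:ff:ff"


def mac_is_multicast(mac):
    """ether multicast: libpcap tests ether[0] & 1 != 0, the I/G bit, which is the
    first bit transmitted on the wire (the low-order bit of the first octet)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def ip_is_broadcast(addr, netmask):
    """ip broadcast: host part all zeros or all ones under the interface netmask."""
    net = ipaddress.ip_network((addr, netmask), strict=False)
    a = ipaddress.ip_address(addr)
    return a == net.network_address or a == net.broadcast_address


def ip_is_multicast(addr):
    """ip multicast: 224.0.0.0/4 for IPv4 (ff00::/8 for IPv6)."""
    return ipaddress.ip_address(addr).is_multicast


def classify(pkt, netmask="255.255.255.0"):
    """Which of the article's broadcast/multicast primitives a constructed packet
    record satisfies; the netmask is an assumed interface mask."""
    hits = set()
    if mac_is_broadcast(pkt["ether_dst"]):
        hits.add("ether broadcast")
    if mac_is_multicast(pkt["ether_dst"]):
        hits.add("ether multicast")
    if ip_is_broadcast(pkt["ip_dst"], netmask):
        hits.add("ip broadcast")
    if ip_is_multicast(pkt["ip_dst"]):
        hits.add("ip multicast")
    return hits


# Constructed packet records (not captured data).
PING_B = {"ether_dst": "ff:ff:ff:ff:ff:ff", "ip_dst": "192.168.240.255"}   # ping -b target
MDNS = {"ether_dst": "01:00:5e:00:00:fb", "ip_dst": "224.0.0.251"}
UNICAST = {"ether_dst": "00:03:d2:20:04:28", "ip_dst": "192.168.240.69"}

if __name__ == "__main__":
    for name, pkt in (("ping -b", PING_B), ("mDNS", MDNS), ("unicast", UNICAST)):
        print("%-8s %s" % (name, sorted(classify(pkt))))
    print(parse_net("net 192.168"), parse_net("net 192.168.0.0 mask 255.255.0.0"))
```

Note that the broadcast address ff:ff:ff:ff:ff:ff also satisfies ether multicast, because the all-ones address has the I/G bit set; a filter that wants only group traffic must use 'ether multicast and not ether broadcast'.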
