Analysis and comparison of packet capture with Wireshark and tcpdump

Source: Internet
Author: User

Common packet-capture and analysis tools include Microsoft's Network Monitor and Message Analyzer, Sniff, wsexplorer, SpyNet, iptools, Winnetcap, WinSock Expert, Wireshark, and tcpdump on Linux.

Today I ran a comparative test of two of them; for the others you can search Baidu or Google and try them yourself ^_^

1. Wireshark and tcpdump Introduction

Wireshark is a network protocol analysis tool that runs on both Windows and UNIX platforms. I generally use Wireshark only on Windows; on Linux I use tcpdump directly, because the Linux environments I work in usually have only a character (text) interface and tcpdump is usually preinstalled. Alternatively, I capture with tcpdump and then open the capture file in Wireshark for analysis.

On Windows, Wireshark captures packets through WinPcap. It captures well and is easy to use, and it is easy to define a capture filter or a display filter, as described below. Wireshark is free, and a quick Google search finds somewhere to download it.

tcpdump is a command-line packet sniffing tool for UNIX systems. To capture packets addressed to other hosts' MAC addresses with tcpdump, the network card must be put into promiscuous mode. In the simplest terms, promiscuous mode lets the NIC capture any packet that passes it, whether or not the packet was sent to it or sent by it; see http://en.wikipedia.org/wiki/Promiscuous_mode for more on promiscuous mode. In general, UNIX does not let ordinary users enable promiscuous mode, because it exposes other people's traffic, such as Telnet usernames and passwords, which raises security problems; only the root user can enable it. The command is ifconfig eth0 promisc, where eth0 is the NIC you want to put into promiscuous mode. Someone will surely ask how to enable promiscuous mode on Windows: a Windows NIC has no promiscuous-mode setting of its own; it lives in the application itself. If you capture with Wireshark, you can set it to capture in promiscuous mode (which is also why the damned ARP spoofing viruses can run rampant). tcpdump can of course also take a capture filter, and its filter language is very famous: the Berkeley Packet Filter language, BPF for short.

2. A simple example

We look at the packets captured while visiting the WWW.GOOGLE.COM.HK website.

2.1 tcpdump

As mentioned earlier, Linux comes with tcpdump, but in the unlikely event that it is missing, you can download the source code from http://www.tcpdump.org, then compile and install it.

Log in as root and run the tcpdump command to start capturing. If you log in to the remote Linux host over SSH and then run tcpdump directly, you will see a huge number of packets scroll past too fast to read. This is because tcpdump prints each captured packet to the remote terminal, that output travels over the SSH connection, tcpdump captures it and prints it again, and so on in a loop. Capturing like this makes no sense at all, other than proving that your network works.

Because promiscuous mode has not been enabled on the NIC, nothing is captured if no process on the machine is accessing the network. From the character interface, fetch the URL with wget http://www.google.com.hk; if you have a GUI, open Firefox and visit http://www.google.com.hk.

By default, tcpdump captures on the first NIC, which is eth0, and prints one captured packet per line, for example:

0.003183 192.168.21.137 72.14.203.147 TCP 38039 > http [SYN] seq=0 win=5840 len=0 mss=1460 SACK_PERM=1 tsv=36941509 tser=0 ws=6

0.011707 72.14.203.147 192.168.21.137 TCP http > 38039 [SYN, ACK] seq=0 ack=1 win=64240 len=0 mss=1460

0.011770 192.168.21.137 72.14.203.147 TCP 38039 > http [ACK] seq=1 ack=1 win=5840 len=0

The three packets above are the famous TCP three-way handshake. 38039 is the client's TCP port, and the default port of HTTP is 80; when tcpdump finds a service name for a port in /etc/services, it automatically substitutes the name, so port 80 is shown as http. The three lines show the TCP three-way handshake between client port 38039 and the server's HTTP port.

As mentioned earlier, tcpdump captures on the first NIC by default; we can use the -i parameter to specify which NIC to capture on, for example (# is the Linux root user's prompt, followed by the command I typed):

# tcpdump -i eth1

or

# tcpdump -i any

To find out which network interfaces we can capture on, use the -D parameter, for example:

# tcpdump -D

1.eth0

2.any

3.lo

Because my machine has only one NIC, only eth0 appears; if more NICs are active, eth1, eth2 and so on follow in turn. any means capturing on every NIC at once, and lo is the loopback interface. (For networking topics such as the TCP three-way handshake and the loopback interface, refer to TCP/IP Illustrated.)

By default, tcpdump displays its capture on the screen (strictly speaking, the professional term is standard output), which is obviously not convenient for further analysis, so we need to store the capture in a file. Use the -w parameter to save the results to a file, for example:

# tcpdump -w Google.cap

This command saves the capture in the file Google.cap, which can be opened in Wireshark for viewing after the capture ends. Similarly, tcpdump can read a capture file back with the -r parameter and, combined with a filter, analyze the captured data, for example:

# tcpdump -r Google.cap tcp port http

This command tells tcpdump to read the Google.cap file and show only the packets on the HTTP port (TCP port 80). Filters are described in detail below.
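The -w and -r workflow above, carried out offline as an added example (this is not code from the original post and not part of tcpdump): the script builds a small capture in memory in the libpcap file format that tcpdump -w writes, reads it back the way tcpdump -r does, applies the equivalent of the tcp port 80 filter, prints summary lines like the listing above and detects the three-way handshake. The frames are constructed sample data for the same addresses and ports as the listing, with checksums left at zero; the extra SSH packet exists only so that the port filter has something to drop.

```python
"""Added example: write a tiny pcap in memory, read it back, filter by port
and detect the TCP three-way handshake.  Standard library only."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic seen in the other byte order
LINKTYPE_ETHERNET = 1
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def build_frame(src_ip, dst_ip, sport, dport, flags, seq, ack):
    """Constructed Ethernet/IPv4/TCP frame, no payload, checksums left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 5840, 0, 0)  # data offset = 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(frames):
    """24-byte global header, then a 16-byte record header per frame
    (ts_sec, ts_usec, included length, original length) followed by the frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 0, i * 1000, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame); honour the byte order announced by the
    magic number and refuse truncated records instead of misparsing them."""
    (magic,) = struct.unpack("<I", data[:4])
    order = {PCAP_MAGIC: "<", PCAP_MAGIC_SWAPPED: ">"}.get(magic)
    if order is None:
        raise ValueError("not a pcap file")
    (linktype,) = struct.unpack(order + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        pos += incl_len
        yield ts_sec, ts_usec, frame


def decode_tcp(frame):
    """Return the IPv4/TCP fields of a frame as a dict, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    t = 14 + (frame[14] & 0x0F) * 4          # 14-byte Ethernet header + IHL
    if frame[23] != socket.IPPROTO_TCP or len(frame) < t + 20:
        return None
    sport, dport, seq, ack = struct.unpack("!HHII", frame[t:t + 12])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": frame[t + 13]}


def service_name(port):
    """Show a port as its /etc/services name where one exists, as tcpdump does."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return str(port)


def summarize(rec):
    """One summary line per packet, in the style of the listing above."""
    names = ", ".join(n for n, bit in TCP_FLAGS if rec["flags"] & bit)
    return (f'{rec["src"]} {rec["dst"]} TCP {service_name(rec["sport"])} > '
            f'{service_name(rec["dport"])} [{names}] seq={rec["seq"]} ack={rec["ack"]}')


def filter_port(records, port):
    """Offline equivalent of `tcpdump -r file tcp port N`."""
    return [r for r in records if port in (r["sport"], r["dport"])]


def find_handshakes(records):
    """Return (client, cport, server, sport) for every SYN, SYN/ACK, ACK
    sequence seen in order, tracking the state of each flow separately."""
    SYN, ACK = 0x02, 0x10
    state, done = {}, []
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"])
        f = r["flags"] & (SYN | ACK)
        if f == SYN:
            state[key] = 1
        elif f == SYN | ACK and state.get(rev) == 1:
            state[rev] = 2
        elif f == ACK and state.get(key) == 2:
            state.pop(key)
            done.append(key)
    return done


def sample_capture():
    """Constructed capture: the handshake from the listing plus one SSH packet."""
    c, s = "192.168.21.137", "72.14.203.147"
    return write_pcap([build_frame(c, s, 38039, 80, 0x02, 0, 0),   # SYN
                       build_frame(s, c, 80, 38039, 0x12, 0, 1),   # SYN, ACK
                       build_frame(c, s, 38039, 80, 0x10, 1, 1),   # ACK
                       build_frame(c, "192.168.21.1", 40000, 22, 0x18, 5, 9)])


if __name__ == "__main__":
    records = [decode_tcp(f) for _, _, f in read_pcap(sample_capture())]
    for rec in filter_port(records, 80):
        print(summarize(rec))
    print("handshakes:", find_handshakes(records))
```

Two details matter when reading real capture files: the magic number tells you the byte order the writing machine used, and a record whose included length runs past the end of the file is a truncated capture (for example tcpdump killed mid-write), which the reader rejects rather than silently decoding garbage.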

2.2 Wireshark

I use Wireshark on Windows. First let us get familiar with the interface; Figure 1 shows Wireshark with the Google.cap file open.

Figure 1 Wireshark interface

Figure 1 shows three areas. The R1 area displays summary information for each packet; when we capture with tcpdump, this is also what it shows by default. The R2 area displays the details of the selected packet, and if you look closely it is laid out in the TCP/IP four-layer structure: the first line is the data link layer information, the second line the network layer information (IP protocol), the third line the transport layer information (TCP protocol), and the fourth line the application layer information (HTTP protocol). You can expand each line to inspect its contents. The R3 area shows the packet as it really is. What we see in the R1 and R2 areas is Wireshark's interpretation for us; the real captured data is actually just a sequence of bytes. Open Google.cap in UltraEdit and all you see is numbers, as Figure 2 shows.

Figure 2 What a capture file looks like

Capturing with Wireshark is very easy: click the start-capture button (the third button on the toolbar) and capture begins. You will find that as soon as you click this button, captured packets appear immediately. This is because Wireshark captures in promiscuous mode by default, so every packet that passes through the NIC is captured (the machine must be connected to a network, of course; if there is no traffic there is nothing to capture). Click the stop button to stop capturing.

If more than one NIC is installed on the machine, Wireshark captures on the first one by default, and discovering after the capture has finished that the wrong NIC was chosen is very frustrating. Click the interface button to choose which NIC to use before you capture.

Figure 3 Selecting the NIC

My machine has only one physical NIC; the other two are virtual NICs created when VMware was installed. You can see that although the packet counters already show data, you still need to click Start to begin capturing.

With the NIC chosen, next consider how to define a capture rule in the interface: click "Capture" > "Options" on the menu bar, as shown in Figure 4, to filter what is captured.

Figure 4 Defining capture rules

Figure 4 shows that "Capture packets in promiscuous mode" is selected by default, which means Wireshark captures in promiscuous mode by default. You can also choose which NIC to capture on here, but these are not the focus; the most important part is the Capture Filter. Click the button and a list of predefined filters pops up. For example, select "HTTP TCP port (80)", and the filter string below becomes tcp port http, which is the filter expression. It captures TCP packets on port 80 (the default port for the HTTP protocol is 80).

3. Use of filters (BPF language)

This section mainly introduces filters as used in tcpdump, because once you understand them, Wireshark's are easy to use.

Starting from the simplest form, a BPF expression consists of an identifier (a name or number) and qualifiers. There are three kinds of qualifiers:

First kind: the type

host specifies which IP address to capture packets for (a MAC address can also be given, in the format 00:00:00:00:00:00). For example, to capture packets of the IP address 192.168.0.148, write tcpdump host 192.168.0.148; host is the qualifier and 192.168.0.148 is the identifier. This command captures packets sent from or to 192.168.0.148.

net specifies a network to capture; just give the network number, and tcpdump decides from the number of bytes given whether it is a Class A, Class B or Class C address. For example, tcpdump net 10.1.1 is treated as a Class C network.

port specifies a port, for example tcpdump host 192.168.0.148 and port 22, which captures packets on port 22 whether TCP or UDP (here I have slipped in a logical operator, and, a little early). If you only want TCP, write tcpdump host 192.168.0.148 and tcp port 22.

portrange, as the name implies, specifies a port range, written with a hyphen "-", for example tcpdump portrange 1025-8080.

Second kind: the direction

The earlier command "captures packets sent from or to 192.168.0.148". To capture only the packets sent from that address, use the qualifier src, with the command tcpdump src host 192.168.0.148. Conversely, to capture packets sent to 192.168.0.148, use the qualifier dst, with the command tcpdump dst host 192.168.0.148.

Third kind: the protocol

We know there are countless network protocols... I list a few commonly used ones; for the others, search Google.

ether and fddi, Ethernet protocol

tr, Token Ring (TR) protocol

ip, IP protocol

ip6, IPv6 protocol

arp, ARP protocol

Finally, note the logical operators and, or, not. There are examples above already, so I won't belabor them; they are no different from those in an ordinary programming language.


In addition, there are more impressive features, such as matching a particular flag in the TCP header; I rarely use these, so I won't go into them.
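The three kinds of qualifier and the logical operators above, turned into a small filter builder as an added example (not code from the original post, and not part of tcpdump or Wireshark): each primitive is checked before it is joined, so the mistakes tcpdump would refuse at start-up, such as an impossible IP address, a port above 65535, or a range written with port instead of portrange, are caught with a clear message. The qualifier lists, the validation rules and the tcpdump_command helper are this example's own assumptions, kept to the qualifiers named on this page.

```python
"""Added example: compose and sanity-check BPF capture filters from type,
direction and protocol qualifiers joined with and/or/not."""
import ipaddress
import re

TYPES = ("host", "net", "port", "portrange")
DIRECTIONS = ("src", "dst")
PROTOCOLS = ("ether", "fddi", "tr", "ip", "ip6", "arp", "tcp", "udp")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
SERVICE_RE = re.compile(r"[a-z][a-z0-9-]*")   # a name from /etc/services, e.g. http


def _check_port(text):
    """A port identifier is a number 0..65535 or a service name."""
    if text.isdigit():
        if int(text) > 65535:
            raise ValueError(f"port out of range: {text}")
    elif not SERVICE_RE.fullmatch(text):
        raise ValueError(f"bad port: {text}")


def primitive(qtype, ident, direction=None, proto=None):
    """Build one primitive such as 'src host 10.0.0.1' or 'tcp port 22'.
    Qualifiers are emitted in BPF order: protocol, direction, type, identifier."""
    if qtype not in TYPES:
        raise ValueError(f"unknown type qualifier: {qtype}")
    if direction is not None and direction not in DIRECTIONS:
        raise ValueError(f"unknown direction qualifier: {direction}")
    if proto is not None and proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol qualifier: {proto}")
    ident = str(ident).lower()
    if qtype == "host":
        if proto in ("ether", "fddi", "tr"):      # link-layer host: a MAC address
            if not MAC_RE.fullmatch(ident):
                raise ValueError(f"bad MAC address: {ident}")
        else:
            ipaddress.ip_address(ident)           # raises ValueError unless IPv4/IPv6
    elif qtype == "net":
        if "/" in ident:                          # CIDR form, e.g. 10.1.1.0/24
            ipaddress.ip_network(ident, strict=False)
        else:                                     # classful shorthand, e.g. 10.1.1
            octets = ident.split(".")
            if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
                raise ValueError(f"bad network: {ident}")
    elif qtype == "port":
        if "-" in ident:
            raise ValueError("use portrange for a range such as 1025-8080")
        _check_port(ident)
    else:                                         # portrange lo-hi, both numeric
        lo, sep, hi = ident.partition("-")
        if not sep or not (lo.isdigit() and hi.isdigit()) or not int(lo) <= int(hi) <= 65535:
            raise ValueError(f"bad port range: {ident}")
    return " ".join(p for p in (proto, direction, qtype, ident) if p)


def _wrap(term):
    """Parenthesise a compound term so that and/or nest as intended."""
    return f"({term})" if " and " in term or " or " in term else term


def combine(op, *terms):
    """Join terms with and/or, e.g. 'host 10.0.0.1 and (port 22 or port 80)'."""
    if op not in ("and", "or"):
        raise ValueError(f"unknown operator: {op}")
    return f" {op} ".join(_wrap(t) for t in terms)


def negate(term):
    return "not " + _wrap(term)


def tcpdump_command(expression, iface=None, write=None, read=None):
    """Assumed helper: the argv for a capture, with the filter as one argument
    so that no shell quoting of the expression is needed."""
    argv = ["tcpdump"]
    if iface:
        argv += ["-i", iface]
    if write:
        argv += ["-w", write]
    if read:
        argv += ["-r", read]
    return argv + [expression]


if __name__ == "__main__":
    expr = combine("and", primitive("host", "192.168.0.148"),
                   combine("or", primitive("port", 22, proto="tcp"), primitive("port", "http")))
    print(expr)
    print(tcpdump_command(expr, iface="eth1", write="Google.cap"))
```

To confirm that an expression compiles without capturing anything, tcpdump -d prints the compiled BPF program; run it against the saved file, for example tcpdump -r Google.cap -d 'host 192.168.0.148 and tcp port 22', and it needs no root privileges.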

------------------------------------------------------ Background information ------------------------------------------------------

Are you a network administrator? Have you ever had this experience: one morning you suddenly find that network performance has dropped sharply, network services are unavailable, servers are very slow to reach or even unreachable, the port indicators on the switches are flashing wildly, the router at the network exit is running at full load with its CPU at 100%... and after a restart it lasts no more than a few minutes. What is the problem? Is the equipment broken? It is unlikely that several devices fail at the same time. There must be a huge stream of data exhausting the resources of the network equipment. What is it, and how do you see it? At this point an experienced administrator will think of using a LAN packet capture tool to analyze the traffic. You must have heard of the notorious network killers Code Red, Nimda, Blaster and Sasser. It is they who create all this havoc: they come on fiercely, clog networks, infect hosts, and make network administrators miserable. When a network virus appears, how can the infected hosts be found in time? Then start learning to capture packets and analyze the various protocols on the network!
