Tcpdump is a tool for intercepting network groupings and outputting grouped content, which is simply the packet capture tool. With its powerful capabilities and flexible interception strategy, tcpdump is the preferred tool for network analysis and troubleshooting in Linux systems.
Tcpdump provides source code, exposes interfaces, and is therefore highly extensible, and is a useful tool for network maintenance and intruders. Tcpdump exists in the basic Linux system, because it needs to set the network interface to promiscuous mode, the normal user can not execute normally, but the user with the root authority may directly execute it to obtain the information on the network. Therefore, the existence of network analysis tools in the system is not a threat to native security, but a threat to the security of other computers on the network.
I. Overview
As the name implies, Tcpdump can intercept the "head" of packets transmitted in the network to provide analysis. It supports filtering on the network layer, protocol, host, network, or port, and provides logical statements such as and, or, not, to help you get rid of useless information.
# TCPDUMP-VV
tcpdump:listening on eth0, Link-type EN10MB (Ethernet), capture size bytes
11:53:21.4 44591 IP (Tos 0x10, TTL 64, id 19324, offset 0, flags [DF], Proto 6, length:92) asptest.localdomain.ssh > 192.16 8.228.244.1858:p 3962132600:3962132652 (*) Ack 2726525936 win 1266
asptest.localdomain.1077 > 192.168.228.153. Domain: [bad udp cksum 166e!] 325+ PTR? 244.228.168.192.in-addr.arpa. (46)
11:53:21.446929 IP (tos 0x0, TTL 64, id 42911, offset 0, flags [DF], Proto, length:151) 192.168.228.153.doma In > asptest.localdomain.1077: 325 NXDomain q:ptr? 244.228.168.192.in-addr.arpa. 0/1/0 Ns:168.192.in-addr.arpa. (123)
11:53:21.447408 IP (tos 0x10, TTL 64, id 19328, offset 0, flags [DF], Proto 6, length:172) Asptest.localdomain. SSH > 192.168.228.244.1858:p 168:300 () Ack 1 win 1266
347 packets captured
1474 packets received by FILTER
745 packets dropped by kernel
The tcpdump without parameters collects all the information headers in the network, the volume of data is huge and must be filtered.
Ii. Introduction of options
-A prints out all the groupings in ASCII format and minimizes the head of the link layer.
-C Tcpdump will stop after receiving the specified number of packets.
-C checks whether the current size of the file exceeds the size specified in the parameter file_size before writing an original grouping to the file. If the specified size is exceeded, the current file is closed, and then a new file is opened. The units of the parameter file_size are megabytes (1,000,000 bytes, not 1,048,576 bytes).
-D gives the code for matching packets in a compiled format that people can understand.
-DD the code for matching packets in the format of the C program segment.
The code for matching packets is given in decimal form-ddd.
-D prints out all network interfaces in the system that can be truncated with tcpdump.
-e Prints the header information of the data link layer on the output line.
-E uses the [email protected] Algo:secret to decrypt the IPSec ESP groupings with addr as the address and contains the Security parameter index value SPI.
-F Prints the external Internet address as a digital form.
-F reads an expression from the specified file, ignoring the expression given in the command line.
-i specifies the network interface to listen on.
-L causes the standard output to become a buffered line and can export data to a file.
-l lists the known data links for the network interface.
-M imports the SMI MIB module definition from the file module. This parameter can be used multiple times to import multiple MIB modules.
-M if the TCP-MD5 option exists in the TCP message, you need to use secret as the shared verification code to verify the summary of the TCP-MD5 selection option (refer to RFC 2385 for details).
-B Select Protocols on the data-link layer, including IP, ARP, RARP, and IPX.
-N does not convert the network address into a name.
-nn does not perform a conversion of port names.
-N does not output the domain name portion of the hostname. For example, ' nic.ddn.mil ' only outputs ' NIC '.
-T does not print a timestamp on each line of the output.
-O does not run the grouping grouping matching (packet-matching) code optimizer.
-P does not set the network interface to promiscuous mode.
-Q fast output. Only less protocol information is output.
-R reads the package from the specified file (these packages are typically generated through the-w option).
-S outputs the serial number of TCP as absolute value, not relative.
-S reads the first Snaplen bytes from each packet, rather than the default of 68 bytes.
-T directly interprets the heard packet as a specified type of message, the common type has RPC remote procedure call) and SNMP (Simple Network Management Protocol;).
-T does not output a timestamp in each row.
-TT output a non-formatted timestamp in each row.
-TTT outputs the time difference between the line and the previous row.
-TTTT prints the timestamp of the default format processed by date in each row.
-U outputs an NFS handle that is not decoded.
-V outputs a slightly more detailed information, such as the TTL and the type of service that can be included in the IP packet.
The-VV outputs detailed message information.
-W directly writes the groupings to the file instead of parsing and printing them out.
Introduction to the expression of tcpdump
An expression is a regular expression that Tcpdump uses as a condition for filtering messages that will be captured if a message satisfies the conditions of the expression. If no conditions are given, all packets on the network will be intercepted.
In an expression, there are several types of keywords in general:
The first is about the type of keywords, mainly including host,net,port, such as host 210.27.48.2, which indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that the 202.0.0.0 is a network address, port 23 indicates that the port number is 23. If no type is specified, the default type is host.
The second is a keyword that determines the direction of transmission, mainly including src,dst,dst or SRC,DST and SRC, which indicate the direction of the transmission. For example, SRC 210.27.48.2, which indicates that the source address in the IP packet is 210.27.48.2, DST net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is indicated, the default is the src or DST keyword.
The third is the key word of the agreement, mainly including FDDI,IP,ARP,RARP,TCP,UDP and other types. FDDI indicates that it is a specific network protocol on FDDI (Distributed Optical Data Interface Network), in fact it is "ether" Alias, FDDI and Ether have similar source address and destination address, so the FDDI protocol packet can be treated and analyzed as a ether packet. The other key words are the protocol content of the listening packet. If no protocol is specified, tcpdump will listen for all protocol packets.
In addition to these three types of keywords, other important keywords are as follows: Gateway, broadcast,less, greater, and three logical operations, take non-op is ' not '! ', and the operation is ' and ', ' && ', or the operation is ' or ', ' & #124;& #124; ' These keywords can be combined to form a powerful combination of conditions to meet people's needs.
Iv. Introduction of output results
Below we describe the output information of several typical tcpdump commands
(1) Data Link Layer header information
Use the command:
#tcpdump --e host ICE
ICE is a host with Linux installed. Its MAC address is 0:90:27:58:af:1a H219 is a Sun workstation equipped with Solaris. Its MAC address is 8:0:20:79:5b:46; the output from the previous command is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ICE. telne t 0:0(0) ack 22535 win 8760 (DF)
21:50:12 is the displayed time, 847509 is the ID number, eth0 < represents the packet received from the network interface eth0, Eth0 > represents the packet sent from the network interface device, 8:0:20:79:5B:46 is the host H219 MAC address, It indicates a grouping that is sent from the source address H219. 0:90:27:58:AF:1A is the MAC address of the host ice, which indicates that the destination address for the group is ice. IP is an indication that the grouping is IP grouping, 60 is the length of the packet, h219.33357 > ICE. Telnet indicates that the group is a Telnet (23) port destined for host ice from Port 33357 of the host H219. An ACK of 22535 indicates a response to a packet with a sequence number of 222535. Win 8760 indicates that the size of the Send window is 8760.
(2) Tcpdump output information for ARP packets
Use the command:
#tcpdump arp
The resulting output is:
22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet is emitted from the host, ARP indicates that it is the ARP request packet, and Who-has route tell ice indicates that it is the MAC address of the host ice request host route. 0:90:27:58:AF:1A is the MAC address of the host ice.
(3) Output information for TCP packets
The general output information for TCP packets captured with Tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > DST: Indicates from the source address to the destination address, flags is the flag information in the TCP message, S is the SYN flag, F (FIN), P (PUSH), R (RST) "." (not marked); Data-seqno is the sequence number of the data in the message, the ACK is the next expected order number, window is the size of the receiving cache, and urgent indicates whether there is an emergency pointer in the message. Options is the option.
(4) Output information for UDP packets
The general output information for UDP packets captured with Tcpdump is:
route.port1 > ICE.port2: udp lenth
UDP is very simple, the above output line indicates a UDP message from the PORT1 port of the host route to the PORT2 port of the host ice, the type is UDP, the packet length is lenth.
V. Examples
(1) to intercept all packets received and sent by all 210.27.48.1 hosts:
#tcpdump host 210.27.48.1
(2) to intercept host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 communication, use the command (note: The backslash before the parentheses is required):
#tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3 )
(3) If you want to get host 210.27.48.1 in addition to the IP packets that communicate with all hosts except host 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) If you want to get the SSH packets received or issued by the host 192.168.228.246, and do not convert the host name using the following command:
#tcpdump -nn -n src host 192.168.228.246 and port 22 and tcp
(5) Obtain the SSH packet received or issued by the host 192.168.228.246, and display the MAC address together:
# tcpdump -e src host 192.168.228.246 and port 22 and tcp -n -nn
(6) The filter is the header of the source host for the 192.168.0.1 with the destination network for 192.168.0.0:
tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24
(7) Filter the source host physical address is the header of XXX:
tcpdump ether src 00:50:04:BA:9B and dst……
(Why is there no host or net behind ether src?) Physical address of course there is no network.
(8) Filter the source host 192.168.0.1 and destination port is not the Telnet header, and import into the Tes.t.txt file:
Tcpdump src host 192.168.0.1 and dst port not telnet -l > test.txt
IP icmp arp rarp and TCP, UDP, ICMP and so on are all put to the position of the first parameter, to filter the type of datagram.
Example: How to use tcpdump to monitor the packet data from the ETH0 adapter with the communication protocol port 22 and the target source 192.168.1.100?
Answer: tcpdump-i eth0-nn port and SRC host 192.168.1.100
Example: How do I use the tcpdump crawl to access the ETH0 adapter card and the access port is TCP 9080?
Answer: tcpdump-i eth0 DST 172.168.70.35 and TCP port 9080
Example: How to use tcpdump crawl with host 192.168.43.23 or host 192.168.43.24 communication message, and display on the console
Tcpdump-x-S 1024-i eth0 host (192.168.43.23 or 192.168.43.24) and host 172.16.70.35
This article from reprint, the original link: http://www.cnblogs.com/wangkangluo1/archive/2012/05/08/2490560.html
Linux Grab Kit tcpdump detailed