Network Analysis tools in Linux

Source: Internet
Author: User

Data collection and analysis is essential when Linux is a network server, especially a router or gateway. So, let's take a look at TcpDump, a powerful network data collection and analysis tool in Linux.

As the name suggests, TcpDump can completely intercept the "Header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information.

Like other software in Linux, TcpDump relies on parameters.

Data Filtering

Without any parameters, TcpDump searches all network interfaces in the system and displays all the data it intercepts. This data is not necessarily all required for us, and too much data is not conducive to analysis. Therefore, we should first think about what data is needed. TcpDump provides the following parameters for us to select data:

-B selects the protocol on the data-link layer, including ip, arp, rarp, and ipx.

For example, tcpdump-B arp only displays arp in the network, that is, address translation protocol information.

-I: select the network interface to be filtered. If a router has at least two network interfaces, you can use this option to filter only the data passed through the specified interface. For example:

Tcpdump-I eth0 only displays all headers on the eth0 interface.

The options src, dst, port, host, net, ether, and gateway include additional options such as src, dst, port, host, net, and ehost. They are used to identify the source and destination of data packets. src host 192.168.0.1 specifies that the source host IP address is 192.168.0.1, and dst net 192.168.0.0/24 specifies that the destination is 192.168.0.0. Similarly, the host is related to the specified host, whether it is the source or the target, and the net is related to the specified network. The ether is followed by a physical address instead of an IP address, while the gateway is used for the gateway host. It may be a bit complicated. Let's see the following example:

Tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

Filters the headers whose source host is 192.168.0.1 and whose destination network is 192.168.0.0.

Tcpdump ether src 00: 50: 04: BA: 9B and dst ......

Filter the header with the physical address of the source host being XXX (why is there no host or net behind ether src? Of course, the physical address cannot have a network ).

Tcpdump src host 192.168.0.1 and dst port not telnet

Filter the source host 192.168.0.1 and the target port are not the telnet header.

Ip icmp arp rarp, tcp, udp, icmp, and other options must be placed at the first parameter to filter the data type. For example:

Tcpdump ip src ......

Only filter data-IP headers on the link layer.

Tcpdump udp and src host 192.168.0.1

Only filter all udp headers of the source host 192.168.0.1.

Data Display/Input/Output

TcpDump provides enough parameters for us to choose how to process the data, as shown below:

-L can redirect data.

For example, tcpdump-l> tcpcap.txt stores the obtained data in the tcpcap.txt file.

-N does not convert the IP address to the host name.

If you do not use this option, TcpDump will convert the IP address to the host name display when a host's host name exists in the system, just like this: eth0 <ntc9.1165> router.domain.net. telnet: eth0 <192.168.0.9.1165> 192.168.0.1.telnet.

-Nn does not convert the port name.

After using-nn, the above information becomes: eth0 <ntc9.1165> router.domain.net. 23.

-N does not print the default domain name.

After N, It is eth0 <ntc9.1165> router. telnet.

-O does not optimize the matching code.

-T does not print the UNIX timestamp, that is, the time is not displayed.

-Tt prints the original, unformatted time.

-V has a more detailed output than a common TTL and service type.

Well, after talking so much, do you think TcpDump is a good tool? It has many other functions, which cannot be described in length. Reading more and reading "help" can be a great achievement. This is also a shortcut to the Linux World.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.