Collecting and analysing network data is essential when a Linux machine acts as a network server, especially as a router or gateway. So let's take a look at TcpDump, a powerful network data collection and analysis tool for Linux.
As the name suggests, TcpDump captures the headers of the packets travelling on the network so that they can be analysed. It can filter by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you discard the traffic you do not need.
Like most Linux command-line tools, TcpDump is controlled through command-line options.
Data Filtering
Without any options, TcpDump looks through the system's network interfaces and displays all the data it captures. Not all of that data is what we need, and too much of it makes analysis harder, so first decide which data you actually want. TcpDump provides the following options for selecting it:
-b selects the protocol on the data-link layer; ip, arp, rarp and ipx all live at this layer.
For example, tcpdump -b arp displays only ARP (Address Resolution Protocol) traffic on the network.
-i selects the network interface to filter on. A router has at least two network interfaces, so this option lets you look only at the data passing through the specified one. For example:
tcpdump -i eth0 displays only the headers seen on the eth0 interface.
The qualifiers src, dst, port, host, net, ether and gateway (and their combinations such as src host, dst net, src port and ether host) identify the source and destination of the packets. src host 192.168.0.1 means the source host IP address is 192.168.0.1, and dst net 192.168.0.0/24 means the destination network is 192.168.0.0/24. Likewise, host matches the specified host whether it is the source or the destination, and net matches the specified network. ether is followed by a physical (MAC) address instead of an IP address, and gateway refers to the gateway host. This may seem a little complicated, so let's look at some examples:
tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24
Filters headers whose source host is 192.168.0.1 and whose destination network is 192.168.0.0/24.
tcpdump ether src 00:50:04:BA:9B and dst ......
Filters headers whose source physical address is the given value. (Why is there no host or net after ether src? Because a physical address has no network part.)
tcpdump src host 192.168.0.1 and dst port not telnet
Filters headers whose source host is 192.168.0.1 and whose destination port is not telnet.
The protocol keywords ip, arp, rarp, tcp, udp, icmp and so on select the packet type and must be placed first in the expression. For example:
tcpdump ip src ......
Filters only IP headers on the link layer.
tcpdump udp and src host 192.168.0.1
Filters only the UDP headers whose source host is 192.168.0.1.
Data Display/Input/Output
TcpDump also provides plenty of options for choosing how the captured data is processed and displayed:
-l lets the output be redirected to a file or pipe.
For example, tcpdump -l > tcpcap.txt stores the captured data in the file tcpcap.txt.
-n does not convert IP addresses to host names.
Without this option, TcpDump converts an IP address to a host name whenever the system knows one for that host, so the output looks like eth0 < ntc9.1165 > router.domain.net.telnet instead of eth0 < 192.168.0.9.1165 > 192.168.0.1.telnet.
-nn does not convert port numbers to service names either.
With -nn, the line above becomes eth0 < ntc9.1165 > router.domain.net.23.
-N does not print the default domain name.
With -N, the line becomes eth0 < ntc9.1165 > router.telnet.
-O does not run the packet-matching code optimizer.
-t does not print the UNIX timestamp, that is, no time is displayed.
-tt prints the raw, unformatted timestamp.
-v gives more detailed output than usual, including the TTL and type of service.
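As an added example (not from the original article), the following Python script parses output lines in the form tcpdump prints when run with -nn -tt (numeric addresses and ports, raw timestamps) and counts, per source host, new connections to the telnet port 23 that the filter examples above refer to. The sample lines are constructed for the example, not captured from a real network.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -nn -tt" output (numeric addresses and ports,
# raw UNIX timestamps). This is not real captured traffic.
SAMPLE_LINES = """\
1700000000.000123 IP 192.168.0.9.1165 > 192.168.0.1.23: Flags [S], seq 1, win 512, length 0
1700000000.000456 IP 192.168.0.1.23 > 192.168.0.9.1165: Flags [S.], seq 2, ack 2, win 512, length 0
1700000001.100000 IP 192.168.0.7.40001 > 192.168.0.1.22: Flags [S], seq 5, win 512, length 0
1700000002.200000 IP 192.168.0.9.1166 > 10.0.0.5.23: Flags [S], seq 9, win 512, length 0
1700000003.300000 ARP, Request who-has 192.168.0.1 tell 192.168.0.9, length 28
"""

# With -nn the address and port are joined by a dot, so the last dotted field
# is the port; the regex backtracks to split "192.168.0.9.1165" correctly.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for an IP line, or None for lines (e.g. ARP) that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def telnet_syn_sources(text):
    """Count, per source host, connection attempts (pure SYN) to TCP port 23."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        # "Flags [S]," is a bare SYN; "Flags [S.]" is the SYN-ACK reply.
        if rec and rec["dport"] == 23 and rec["rest"].startswith("Flags [S]"):
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    for host, n in telnet_syn_sources(SAMPLE_LINES).items():
        print(f"{host} opened {n} telnet connection(s)")
```

Cleartext telnet sessions on a gateway are worth noticing, and the same parser works on a file written with tcpdump -nn -tt -l > tcpcap.txt.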
After all this, do you agree that TcpDump is a good tool? It has many other functions that cannot all be covered here. Reading further, and reading its help and manual page, pays off well. That is also a shortcut into the Linux world.