Tcpdump
Contents:
1.1 tcpdump options
1.2 tcpdump expression
1.3 tcpdump example
tcpdump is a command-line tool that captures packets on a network interface and filters them; its power lies in its flexible filter expressions.
Run without any options, tcpdump captures on the first network interface by default and stops only when the tcpdump process is terminated.
For example:
shell> tcpdump -nn -i eth0 icmp
The following describes the usage of tcpdump.
1.1 tcpdump options
Its command format is:
tcpdump [-DenNqvX] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-w file] [expression]

Capture options:
-c count: stop after count packets have been captured. The count applies to matching packets: with "-c 10", tcpdump may process 100 packets but exits once 10 of them have matched the expression.
-i interface: the interface to listen on. If omitted, tcpdump searches the system interface list for the lowest-numbered configured interface, excluding loopback (use "tcpdump -i lo" to capture on loopback), and stops at the first match. The keyword "any" selects all interfaces.
-n: do not convert addresses to host names; without -n, addresses are printed as host names.
-nn: in addition to -n, print ports as numbers rather than service names.
-N: do not print the domain-name qualification of host names; for example, tcpdump prints 'nic' instead of 'nic.ddn.mil'.
-P direction: capture only inbound or outbound packets; direction is "in", "out" or "inout" (the default).
-s snaplen: capture snaplen bytes of each packet; the default is 65535 bytes. If a packet is longer than snaplen it is truncated and the output line is flagged with "[|proto]" (proto is printed as the protocol name). The larger snaplen is, the longer each packet takes to process and the fewer packets tcpdump can buffer, which can cause packet loss. Keep snaplen as small as it can be while still capturing the data you need.

Output options:
-e: print the link-layer header on each output line, such as the source and destination MAC addresses.
-q: quick output: print less protocol information so that output lines are shorter.
-X: print each packet's data in both hex and ASCII.
-XX: like -X, but also include the link-layer header in the dump.
-v: produce verbose output when parsing and printing.
-vv: more verbose than -v.
-vvv: more verbose than -vv.

Other options:
-D: list the interfaces available for capture, with their numbers and names; either form can be passed to -i.
-F file: read the filter expression from file; any expression given on the command line is ignored.
-w file: write the raw captured packets to file instead of printing them. Combined with "-G seconds", the output file is rotated every seconds seconds. These files can later be loaded with -r for analysis and printing.
-r file: read packets from file; use "-" to read from standard input.
The most common invocations are:
- tcpdump -D
- tcpdump -c num -i int -nn -XX -vvv
1.2 tcpdump expression
The expression selects which packets are printed. If no expression is given, all packets are printed; otherwise only packets for which the expression is true. Enclose the expression in single quotes so that the shell does not interpret any metacharacters in it.
A tcpdump expression is composed of one or more "units". Each unit generally consists of an ID modifier followed by an ID (a number or a name). There are three kinds of modifier:
(1). type: Specifies the ID type.
The type can be host, net, port or portrange. For example, "host foo", "net 128.3", "port 20", "portrange 6000-6008". The default type is host.
(2). dir: Specify the ID direction.
The direction can be src, dst, src or dst, or src and dst. The default is src or dst. For example, "src foo" matches packets whose source host is foo, "dst net 128.3" matches packets whose destination network is 128.3, and "src or dst port 22" matches packets whose source or destination port is 22.
(3). proto: limits the type of matched data packets through the given protocol.
Common protocols are tcp, udp, arp, ip, ether and icmp. If no protocol is given, all protocols consistent with the unit are matched. For example, "tcp port 21" and "udp portrange 7000-7009".
Therefore the basic unit has the form "proto dir type ID".
Besides units built from modifiers and IDs, there are keyword units: gateway, broadcast, less, greater, and arithmetic expressions.
Units can be combined with the operators and (&&), or (||) and not (!) into a complex condition. For example, "host foo and not port ftp and not port ftp-data" matches packets whose host is foo and whose port is neither ftp (port 21) nor ftp-data (port 20); the mapping between port numbers and service names is in /etc/services on Linux.
A repeated modifier can be omitted: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", that is, TCP packets whose destination port is ftp, ftp-data or domain (port 53).
Parentheses "()" change the precedence of an expression, but the shell interprets them too, so either escape them as "\(" and "\)" or enclose the whole expression in quotes.
1.3 tcpdump example
(1). Start with the defaults
tcpdump
Started with no arguments, tcpdump prints every packet passing through the first network interface (not lo). This captures a huge number of packets and the output scrolls very fast.
(2). Monitor packets on a specified network interface
tcpdump -i eth1
If no NIC is specified, tcpdump monitors only the first network interface, such as eth0.
(3). Monitor the data packets of the specified host, such as all data packets entering or leaving longshuai.
tcpdump host longshuai
(4). Print packets exchanged between helios and hot, or between helios and ace
tcpdump host helios and \( hot or ace \)
(5). Print IP packets exchanged between ace and any host other than helios
tcpdump ip host ace and not helios
(6). Capture all packets sent by host hostname
tcpdump src host hostname
(7). Capture all packets sent to host hostname
tcpdump dst host hostname
(8). Monitor packets for a specified host and port
tcpdump tcp port 22 and host hostname
(9). Monitor UDP port 123 on the local machine (123 is the NTP service port)
tcpdump udp port 123
(10). Monitor packets for a specified network, such as traffic between the local machine and the 192.168 network; "-c 10" means only 10 packets are captured
tcpdump -c 10 net 192.168
(11). Print all FTP packets passing through the gateway snup (the expression is enclosed in single quotes so that the shell does not interpret the parentheses)
shell> tcpdump 'gateway snup and (port ftp or ftp-data)'
(12). Capture ping packets
[root@server2 ~]# tcpdump -c 5 -nn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
12:11:23.273666 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
12:11:24.356915 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 11, length 64
12:11:24.356936 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 11, length 64
12:11:25.440887 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 12, length 64
5 packets captured
6 packets received by filter
0 packets dropped by kernel
To capture only the pings coming from the host at 192.168.100.70, add a source condition with the and operator:
[root@server2 ~]# tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.70
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:09:29.957132 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 1, length 64
12:09:31.041035 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 2, length 64
12:09:32.124562 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 3, length 64
12:09:33.208514 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 4, length 64
12:09:34.292222 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 5, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Note that you cannot write "icmp src 192.168.100.70" directly, because a host qualifier cannot be attached to the icmp protocol.
(13). Capture packets to port 22 on the local machine
[root@server2 ~]# tcpdump -c 10 -nn -i eth0 tcp dst port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:06:57.574293 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 535528834, win 2053, length 0
12:06:57.629125 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 193, win 2052, length 0
12:06:57.684688 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 385, win 2051, length 0
12:06:57.738977 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 577, win 2050, length 0
12:06:57.794305 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 769, win 2050, length 0
12:06:57.848720 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 961, win 2049, length 0
12:06:57.904057 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1153, win 2048, length 0
12:06:57.958477 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1345, win 2047, length 0
12:06:58.014338 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1537, win 2053, length 0
12:06:58.069361 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1729, win 2052, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
(14). Dump packet contents
[root@server2 ~]# tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:54.788812 IP (tos 0x0, ttl 64, id 19303, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
	0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
	0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
	0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
	0x0030:  0803 7844 0000 0000 0000 0000            ..xD........
12:15:54.842641 IP (tos 0x0, ttl 64, id 19304, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
	0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
	0x0010:  0028 4b68 4000 4006 a5d7 c0a8 6401 c0a8  .(Kh@.@.....d...
	0x0020:  643e 169c 0016 2426 5fd6 1fec 2d62 5010  d>....$&_...-bP.
	0x0030:  0801 7646 0000 0000 0000 0000            ..vF........
2 packets captured
2 packets received by filter
0 packets dropped by kernel
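The following Python script is an added example, not part of the original article: it rebuilds the first frame of the -XX dump above from its hex columns and decodes the Ethernet, IPv4 and TCP headers, so the values tcpdump printed (ttl 64, id 19303, flags [DF], length 40, 192.168.100.1.5788 > 192.168.100.62.22) can be read directly out of the bytes. The hex lines are copied from the capture above; the parser and its field names are my own.

```python
import re
import struct
from ipaddress import IPv4Address

# First frame of the -XX dump above, copied as printed (offset, hex words, ASCII column).
DUMP = """\
0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
0x0030:  0803 7844 0000 0000 0000 0000            ..xD........
"""
# Offset, then up to eight 16-bit hex words; the ASCII column is deliberately not captured.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})")
TCP_FLAGS = [(0x02, "S"), (0x10, "."), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x20, "U")]

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw Ethernet frame from tcpdump -XX lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex skips the spaces between words
    return bytes(out)

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP headers into the fields tcpdump prints."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not a TCP segment")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    return {
        "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "ip_len": total_len, "ip_id": ident, "df": bool(flags_frag & 0x4000), "ttl": ttl,
        "src": f"{IPv4Address(src)}.{sport}", "dst": f"{IPv4Address(dst)}.{dport}",
        "seq": seq, "ack": ack, "win": win,
        "tcp_flags": "".join(n for bit, n in TCP_FLAGS if off_flags & bit),
        # Payload = IP total length minus both headers. The six trailing zero bytes in the
        # dump are Ethernet padding up to the 60-byte minimum frame, not TCP data.
        "payload_len": total_len - ihl - (off_flags >> 12) * 4,
    }

if __name__ == "__main__":
    f = decode_frame(hexdump_to_bytes(DUMP))
    print(f"{f['src']} > {f['dst']}: Flags [{f['tcp_flags']}], ack {f['ack']}, "
          f"win {f['win']}, length {f['payload_len']} (ttl {f['ttl']}, id {f['ip_id']})")
```

Running it prints the same source, destination, flags, window and length that tcpdump showed for the frame, which is a quick way to confirm that a dump you are reading by hand has been decoded correctly.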
In general, basic packet capture with tcpdump is fairly simple: a handful of options (-nn, -XX, -vvv, -i, -c, -q) combined with a filter expression covers most needs.
Companion article: network scanning tool nmap
Back to series article outline: http://www.cnblogs.com/f-ck-need-u/p/7048359.html
When reposting, please credit the source: http://www.cnblogs.com/f-ck-need-u/p/7064286.html