tcpdump VS Tshark Usage (RPM)

Source: Internet
Author: User

tcpdump is the basic tool for network protocol analysis. tshark is the command-line version of the well-known open-source network protocol analyser Wireshark (formerly called Ethereal); Wireshark can decode and analyse over a thousand network protocols. Both Wireshark and tcpdump use the libpcap library (see the libpcap programming tutorial) for packet capture.

TCPDUMP

For the full man page see the tcpdump website.

Basic Usage

The tcpdump command line is basically divided into two parts: options and a filter expression (filter_expression).

# tcpdump [options] [filter_expression]

For example:

# tcpdump -c 100 -i eth0 -w log tcp dst port 50000

Here the options part is:

-c 100  capture 100 packets, then stop
-i eth0 listen on the network interface eth0
-w log  write the raw packets to a file named log (libpcap format)

The filter_expression part is tcp dst port 50000, which captures only TCP packets whose destination port is 50000.

More examples:

# tcpdump dst net not 192.168.3.0/24

# tcpdump -n -nn port not www or 22 or 110
or
# tcpdump -n -nn port ! www or 22 or 110

# tcpdump ether src 00:50:04:ba:9b

# tcpdump src host 192.168.0.1 and dst port not telnet

Protocol keywords such as ip, icmp, arp, rarp, tcp and udp are placed in the first position of the expression to filter on the type of datagram. For example:
# tcpdump ip src ...                       # only IP packets (filtered on the IP header at the link layer)
# tcpdump udp and src host 192.168.0.1     # only UDP packets whose source host is 192.168.0.1

tcpdump provides a number of options that let us choose how the captured data is processed, for example:

-l  line-buffer the output so it can be redirected or piped; e.g. tcpdump -l > tcpcap.txt writes the captured lines into the file tcpcap.txt.
-n  do not convert IP addresses to host names. Without it, when a host name is known to the system, tcpdump shows the host name instead of the IP address, like this: eth0 ntc9.1165 > router.domain.net.telnet; with -n it becomes: eth0 192.168.0.9.1165 > 192.168.0.1.telnet.
-nn do not convert port numbers to service names either. The message above with -nn becomes: eth0 ntc9.1165 > router.domain.net.23.
-N  do not print the domain name part of host names. The same message with -N becomes: eth0 ntc9.1165 > router.telnet.
-O  do not run the optimizer on the packet-matching code.
-t  do not print the timestamp on each line.
-tt print the raw, unformatted timestamp.
-v  verbose output, which adds information such as the TTL and type of service to the normal output.

Detailed Parameters

tcpdump takes its arguments from the command line; its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
        [-i interface] [-r file] [-s snaplen]
        [-T type] [-w file] [expression]

-a   convert network addresses and broadcast addresses into names;
-d   dump the compiled packet-matching code in a human-readable form;
-dd  dump the packet-matching code as a C program fragment;
-ddd dump the packet-matching code as decimal numbers;
-e   print the data-link-layer header on each output line;
-f   print foreign Internet addresses numerically;
-l   make standard output line-buffered;
-n   do not convert network addresses into names;
-t   do not print a timestamp on each output line;
-v   slightly more verbose output, e.g. the TTL and type of service carried in IP packets;
-vv  even more verbose packet information;
-c   stop after receiving the specified number of packets;
-F   read the filter expression from the specified file, ignoring expressions given on the command line;
-i   specify the network interface to listen on;
-r   read packets from the specified file (usually one produced with the -w option);
-w   write the raw packets directly to a file instead of parsing and printing them;
-T   interpret captured packets directly as the specified type of message; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

An Introduction to tcpdump expressions

An expression is the filter condition tcpdump uses to decide which packets to keep: if a packet satisfies the expression it is captured. If no expression is given, every packet on the network is captured.

Expressions are built from several kinds of keywords. The first kind is the type keyword, mainly host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says the port number is 23. If no type is given, the default type is host.

The second kind is the direction keyword, mainly src, dst, src or dst and src and dst; these indicate the direction of the transmission. For example, src 210.27.48.2 means the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind is the protocol keyword, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi selects a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias of ether, since FDDI and Ethernet have similar source and destination addresses, so FDDI packets can be treated and analysed like Ethernet packets. The other keywords select the protocol of the captured packets. If no protocol is given, tcpdump captures packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is not or !, conjunction is and or &&, and disjunction is or or ||.

These keywords can be combined into powerful filter conditions. A few examples:

(1) To capture all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1

(2) To capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command (when using parentheses on the command line, be sure to
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

(3) To capture the IP packets that host 210.27.48.1 exchanges with every host except 210.27.48.2, use the command:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To capture the telnet packets received or sent by host 210.27.48.1, use the following command:
# tcpdump tcp port telnet and host 210.27.48.1

Introduction to the output of tcpdump

Below we describe the output of several typical tcpdump commands.

(1) Data-link-layer header information

Use the command: # tcpdump -e host ice
ice is a Linux host whose MAC address is 0:90:27:58:af:1a.
h219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46.
The output of the command is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12 is the time, 847509 is the ID number, eth0 < means the packet was received on network interface eth0 (eth0 > would mean it was sent from that interface), 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet was sent from source h219, and 0:90:27:58:af:1a is the MAC address of host ice, indicating that the destination is ice. ip indicates that the packet is an IP packet, and 60 is the packet length. h219.33357 > ice.telnet indicates that the packet goes from port 33357 of host h219 to the telnet port (23) of host ice. ack 22535 indicates a response to the packet with sequence number 22535, and win 8760 indicates that the send window size is 8760.

(2) tcpdump output for ARP packets

Use the command: # tcpdump arp
The resulting output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet was sent from this host, and arp indicates an ARP request packet. who-has route tell ice means host ice is asking for the MAC address of host route; 0:90:27:58:af:1a is the MAC address of host ice.

(3) Output for TCP packets

The general output format for TCP packets captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst indicates the source and destination addresses; flags is the flag information in the TCP packet: S is the SYN flag, F is FIN, P is PUSH, R is RST and "." means no flag is set; data-seqno is the sequence number range of the data in the packet; ack is the next expected sequence number; window is the size of the receive buffer window; urgent indicates whether the packet carries an urgent pointer; options are the TCP options.

(4) Output for UDP packets

The general output format for UDP packets captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP output is very simple: the line above indicates a UDP packet from port port1 of host route to port port2 of host ice; the type is udp and the packet length is length.
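As an added example (not code from the original page), the following Python parses the TCP output format described above, src > dst: flags data-seqno ack window urgent options, from a few constructed lines in that style, and tallies which side sent which flags; the sample lines are made up, not a real capture.

```python
import re
from collections import Counter

# Field order as the page describes it: src > dst: flags data-seqno ack window urgent options
TCP_LINE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRU.]+) "
    r"(?:(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<datalen>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?"
    r"win (?P<win>\d+)"
    r"(?: urg (?P<urg>\d+))?"
    r"(?P<options>.*)$"
)

# Constructed sample lines in the classic tcpdump TCP output style (not a real capture).
SAMPLE = """\
h219.33357 > ice.telnet: S 1000:1000(0) win 8760 <mss 1460> (DF)
ice.telnet > h219.33357: S 5000:5000(0) ack 1001 win 8760 <mss 1460> (DF)
h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)
h219.33357 > ice.telnet: P 1:6(5) ack 1 win 8760 (DF)
ice.telnet > h219.33357: R 0:0(0) win 0
""".splitlines()


def parse_tcp_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None if it does not match."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq_lo", "seq_hi", "datalen", "ack", "win", "urg"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["options"] = rec["options"].strip()
    return rec


def flag_counts(lines):
    """Count flag strings per (src, dst) pair: a quick way to see which side
    sent SYNs, pushes and resets in a capture."""
    counts = Counter()
    for line in lines:
        rec = parse_tcp_line(line)
        if rec:
            counts[(rec["src"], rec["dst"], rec["flags"])] += 1
    return counts
```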



Tshark

For detailed parameters see the tshark man page.

List the network interfaces that can be captured on. tshark uses the numbers 1, 2, ... to identify eth0, eth1, ...:
# tshark -D

Listen for UDP port 1234 traffic on interface eth0:
# tshark -f "udp port 1234" -i 1

tshark's strong point is that protocols are fully decoded; even fragmented TCP streams are reassembled before decoding. For example:

Listen for HTTP traffic with destination port 80 on interface eth0, and print the Host and Location fields of the HTTP headers:
# tshark -f "dst port 80" -T fields -e http.host -e http.location -i 1
Here the -f parameter specifies the capture filter (the equivalent of tcpdump's filter_expression);
-T fields sets the output type to the specified protocol fields (each field is added with -e) and is supported only from Wireshark version 0.99.6 onwards;
-i 1 specifies network interface number 1 to listen on.

Listen for HTTP traffic, keep only GET requests, capture for 10 seconds, and print the HTTP host and URL (Windows example):
"C:\Program Files\Wireshark\tshark.exe" -i 4 -n -f "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420" -T fields -e http.host -e http.request.uri -a duration:10
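As an added example (not code from the original page), the following Python reproduces the byte-offset arithmetic of that capture filter on constructed TCP segments, showing why it matches a GET both without and with TCP options while ignoring a POST:

```python
import struct

# Constructed sample TCP segments (header + payload), not captured traffic.
# Minimal 20-byte header (data offset = 5 words) carrying an HTTP GET.
SEG_GET_NO_OPTS = (
    struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8760, 0, 0)
    + b"GET /index.html HTTP/1.1\r\n"
)
# 32-byte header (data offset = 8 words): 12 bytes of options before the payload.
SEG_GET_WITH_OPTS = (
    struct.pack("!HHIIBBHHH", 40001, 80, 1, 1, 8 << 4, 0x18, 8760, 0, 0)
    + b"\x01" * 12          # NOP options, just to pad the header
    + b"GET /admin HTTP/1.1\r\n"
)
# Same shape, but a POST: the filter must not match it.
SEG_POST = (
    struct.pack("!HHIIBBHHH", 40002, 80, 1, 1, 5 << 4, 0x18, 8760, 0, 0)
    + b"POST /login HTTP/1.1\r\n"
)


def tcp_header_len(tcp):
    """tcp[12:1] & 0xf0 is the data-offset nibble (header length in 32-bit words)
    sitting in the high bits; >> 2 turns it into a byte length (nibble * 4)."""
    return (tcp[12] & 0xF0) >> 2


def payload_starts_with_get(tcp):
    """Equivalent of tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 ("GET ")."""
    off = tcp_header_len(tcp)
    if len(tcp) < off + 4:
        return False          # BPF also fails to match when the 4 bytes are not there
    return struct.unpack("!I", tcp[off:off + 4])[0] == 0x47455420
```

Because the check looks only at the first four payload bytes of each segment, it misses a GET that does not start a segment and sees nothing inside TLS; it is a cheap capture-time pre-filter, not a substitute for tshark's HTTP decoding.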

Transferred from: http://blog.sina.com.cn/s/blog_81fe9f940100zbu7.html

Http://www.cnblogs.com/followyourheart/articles/2770453.html
