Wireshark and TcpDump packet capture Analysis and Comparison
Common packet capture analysis tools include Microsoft's Network Monitor and Message Analyzer, Sniff, WSExplorer, SpyNet, iptools, WinNetCap, WinSock Expert, Wireshark, and linux tcpdump.
Today, we conducted an experimental test to compare and analyze two of them. Other users can use Baidu Google to test yiha ^_^.
1. Wireshark and tcpdump Introduction
Wireshark is a network protocol detection tool that supports Windows and Unix platforms. I generally only use Wireshark on Windows platforms. If it is Linux, I directly use tcpdump, in my work environment, Linux generally only has a character interface. Generally, Linux uses tcpdump, or uses tcpdump to capture packets and then use Wireshark to open the analysis.
On Windows, Wireshark uses WinPcap to capture packets, which is encapsulated well and easy to use. It can easily create a packet capture filter or display filter. The details are described below. Wireshark is a free tool. You can easily find the download location by google.
Tcpdump is a command-line Packet sniffing Tool Based on Unix systems. If you want to use tcpdump to capture packets from MAC addresses of other hosts, you must enable the NIC hybrid mode. The so-called hybrid mode allows the NIC to capture any packets passing through it in the simplest language, no matter whether the packet is sent to it or not, click [http://en.wikipedia.org/wiki/promiscuous_mode.pdf to obtain more information with different types of information. In general, Unix does not allow common users to set the mixed mode, because this allows users to see other people's information, such as the telnet user name and password, which may cause some security problems, therefore, only the root user can enable the hybrid mode. The command to enable the hybrid mode is ifconfig eth0 promisc, and eth0 is the NIC to enable the hybrid mode. Someone must ask if you want to enable the hybrid mode in windows. In windows, there is no hybrid mode and no non-hybrid mode for the NIC, because the application itself, for example, when using Wireshark to capture packets, you can set it to capture packets in hybrid mode (that is why the damn ARP spoofing virus is rampant ). Tcpdump can also specify a packet capture filter, which is well-known as the Berkeley Packet filtering language (BPF.
2. Simple Example
Visit www.google.com.hk to check the packet capture results.
Previously said that the general Linux has built-in tcpdump, but if a small probability event, found that no tcpdump, you can download the source code to the http://www.tcpdump.org, compile and install.
Log on as the root user and run the tcpdump command to capture packets. If you use SSH to log on to remote Linux and run tcpdump directly, you will find that a large number of packets are captured, and the speed is not clear clearly, this is because the packet captured by tcpdump is sent to the remote terminal for display. At the same time, the packet is captured, then displayed, and then captured, resulting in loop capturing. Of course, it makes no sense to capture packets, except to prove that your network is connected.
Because the network adapter is not enabled in the hybrid mode, if the local machine does not have any process to access the network, it cannot catch the package. If you access the website using wgethttp: // www.google.com.hk on the Character interface, if there is a GUI, you can open the firefox browser to access http://www.google.com.hk.
By default, tcpdump will select the first network card, that is, eth0, to capture packets. Each line displays a captured packet, for example:
0.003183 192.168.21.20.22.214.171.124 TCP 38039> http [SYN] Seq = 0 Win = 5840 Len = 0 MSS = 1460 SACK_PERM = 1 TSV = 36941509 TSER = 0 WS = 6
0.011707 126.96.36.199 192.168.21.20.tcp http> 38039 [SYN, ACK] Seq = 0 Ack = 1 Win = 64240 Len = 0 MSS = 1460
0.011770 192.168.21.20.188.8.131.52 TCP 38039> http [ACK] Seq = 1 Ack = 1 Win = 5840 Len = 0
The preceding three data packets are the well-known TCP three-way handshake data packets. 38039 indicates the TCP port of the client, and the default http port is 80, if tcpdump finds the service name corresponding to the port in/etc/services, it is automatically converted to the name, so http is displayed here. TCP three-way handshake between the client port 38039 and the http port on the server.
As mentioned above, tcpdump uses the first network card for packet capture by default. We can use the-I parameter to specify which network card to capture packets. For example, (# indicates the command I entered, in Linux, the root user prompt is #):
# Tcpdump-I eth1
# Tcpdump-I any
If you want to know which network adapters can be used to capture packets, you can use the-D parameter, for example:
Because my machine only has one Nic, so there is only eth0. If there are multiple NICs active, there will be eth1 and eth2 in turn. Any means to capture packets through any network card, and lo is the loopback interface. (For network problems such as TCP three-way handshake and loopback interface, please refer to "TCP/IP protocol details").
By default, the tcpdump packet capture result is displayed on the screen (strict, professional, or standard output). Obviously, this is not conducive to further data analysis, therefore, we need to store the packet capture results in the file. However, use the-w command to save the result to a file, for example:
# Tcpdump-w google. cap
This command stores the packet capture results in the google. cap file. You can use Wireshark to open and view the results. Colleagues, tcpdump out of the packet capture, you can also use the-r parameter to develop the packet capture data file, combined with the filter for packet capture data analysis, such:
# Tcpdump-r google. cap http
This command allows tcpdump to read the google. cap file and filter out all http data packets. Filters are described in detail below.
I used Wireshark in windows. First, I got familiar with the interface. Figure 1 shows how to use Wireshark to open the google. cap file interface,
Figure 1 Wireshark Interface
Figure 1 shows the three fast regions. The R1 region is used to display simple packet information. When we use tcpdump to capture packets, this is also shown by default; the R2 area is used to display the detailed information of the selected data packet. You will find that it is displayed in the layer-4 Structure of TCP/IP. The first line is the information of the data link layer, the second line is the network layer information (IP protocol), the third line is the transport layer information (TCP protocol), and the fourth line is the application layer information (HTTP protocol). You can expand each line to observe the specific content; the R3 region is used to show the true face of this data packet. The information we see in R1 and R2 is what Wireshark will show us. The actual data of Packet Capturing is actually a bunch of binary sequences. Use ultraedit to Open google. the cap file shows numbers, as shown in figure 2.
Figure 2 How the captured file looks long
It is very easy to use Wireshark to capture packets. click the button (the third button in the toolbar) (the first button in the toolbar) to start packet capture. You will find that you only need to click this button, the packet is captured immediately. This is because Wireshark captures packets in hybrid mode by default, as long as all packets pass through the network card are captured (of course, this machine must be connected to the network, if there is no data flow, there is no packet to capture), click the button to stop the packet capture.
If multiple NICs are installed on the machine, Wireshark selects the first Nic to capture packets by default. If packet capture is complete, it is extremely depressing to find that the NIC is selected incorrectly. Click the button to select the network card to be captured before packet capture.
Figure 3 network card selection
I only have one network card on my machine, and the other two are the virtual network card when Vmware is installed. You can see that although data already exists in Packets, you actually need to click Start to Start packet capture.
After the problem of selecting the NIC is solved, if you want to filter the packet Capture content, click "Capture"> "Options" on the menu bar to view the page for setting packet Capture rules, as shown in figure 4.
Figure 4 configure packet capture rules
Figure 4 shows Caputre packets in promiscuous mode, which is selected by default, indicating that Wireshark captures packets in hybrid mode by default. You can also select which Nic to capture packets, but these are not important. The most important thing is Caupture Fileter. Click this button to see some predefined filters. For example, if "http tcp port (80)" is selected, the following Filter string: tcp port http indicates the Filter. Indicates the packet that captures the tcp protocol and port is 80 (the default port of the http protocol is 80 ).
3. Use of filters (bpf language)
This article mainly introduces the use of filters in tcpdump, because you can use wireshark with ease.
From the very beginning, BPF mainly consists of a flag, number, and qualified word. There are three types of qualified words:
First: specify the type
Host, which defines the IP address to capture (or the mac address of it, in the format of 00: 00: 00: 00: 00: 00: 00) data packets, for example, if I want to capture data packets related to the IP address 192.168.0.148, I will write it as tcpdump host 192.168.0.148, host is a qualified word, and 192.168.0.148 is a flag. This command captures the packets sent from or to 192.168.0.148.
Net, which defines to capture packets from A network and gives the network number. It determines the Class A address based on the number of bytes given to the network number, which is 1, 2, and 3, class B address or Class C address, such as tcpdump net 10.1.1, it is considered as a class C address.
Port: Specifies the port, such as tcpdump host and port 22. This is the packet that captures port 22, whether it is TCP or UDP. Here I provide logical operations a little earlier, and J, if you only want to capture TCP, you can write tcpdump host 192.168.0.148 and tcp port 22.
Portrange, as its name implies, specifies the port range, with a hyphen (-), for example, tcpdump port 1025-8080.
Type 2: Specify the direction
In our previous commands, "This command will capture packets sent from 192.168.0.148 or sent to 192.168.0.148". Therefore, if you point to the packets sent from the capture, you can use the qualified term src. command: tcpdump src host 192.168.0.148, in turn, to capture the packet sent to 192.168.0.148, use the qualifier dst, command: tcpdump dst host 192.168.0.148.
Third: Specify the Protocol
We know that there are N kinds of network protocols... I will list several common types of items. Others can go to google J.
Ether and fddi, Ethernet protocol
Tr, TR Protocol
Ip, ip protocol
Ip6, IPv6 protocol
Arp and ARP protocols
Well, we also need to pay attention to the logic operation, and, or, not (and, or, rather). There is already an example above, and we will not be so arrogant here, it is no different from a common programming language.
In addition, there are more cool-B functions, such as specifying a flag in TCP. I generally seldom use such applications and will not be so arrogant.
------------------------------------------------------ Background * Information ------------------------------------------------------
Are you a network administrator? Have you ever experienced a sudden decline in network performance, failure to provide network services, slow server access, or even access, the network switch port indicator lights are flashing like crazy, the router at the network exit is already working at full capacity, and the router CPU has reached of the load ...... After the restart, the problem appeared again in a few minutes. What's the problem? Is the device broken? It is impossible for several devices to have problems at the same time. What are the large-volume data files that consume resources of network devices? How can we see them? At this time, experienced network administrators will think of using the LAN packet capture tool for analysis. You must have heard of the red code, Nimda, shock wave, and shock waves, and these notorious network killers. That is, they have created the above evil actions. These attacks block networks and infect hosts, making network administrators miserable. How can we detect infected hosts in time when a network virus occurs? Now let's start learning packet capture for network analysis of various protocols!