1. Wireshark and tcpdump Introduction
? Wireshark is a network protocolDetectionToolsIt supports windows and UNIX platforms. I generally only use Wireshark on Windows platforms. If it is Linux, I directly use tcpdump, because Linux in my work environment generally only has a character interface, generally, Linux uses tcpdump, or uses tcpdump to capture packets and then use Wireshark to open the analysis.
On Windows, Wireshark uses Winpcap to capture packets, which is encapsulated well and easy to use. It can easily create a packet capture filter or display filter. The details are described below. Wireshark is a freeToolsGoogle can easily find the download location.
Tcpdump is a command-line Packet sniffing Based on UNIX systems.Tools. If you want to use tcpdump to capture packets from MAC addresses of other hosts, you must enable the NIC hybrid mode. The so-called hybrid mode allows the NIC to capture any packets passing through it in the simplest language, no matter whether the packet is sent to it or not, click [http://en.wikipedia.org/wiki/promiscuous_mode.pdf to obtain more information with different types of information. In general, Unix does not allow common users to set the mixed mode, because this allows users to see other people's information, such as the Telnet user name and password, which may cause some security problems, so only the root user can enable the hybrid mode. The command to enable the hybrid mode is ifconfig eth0 promisc, and eth0 is the NIC to enable the hybrid mode. Someone must ask if you want to enable the hybrid mode in windows. In Windows, there is no hybrid mode and no non-hybrid mode for the NIC, because the application itself, for example, when using Wireshark to capture packets, you can set it to capture packets in hybrid mode (that is why the damn ARP spoofing virus is rampant ). Tcpdump can also specify a packet capture filter, which is well-known as the Berkeley Packet filtering language (BPF.
2. Simple Example
Visit www.google.com.hk to check the packet capture results.
As mentioned earlierLinuxTcpdump, but if there is a small probability event, found that no tcpdump, you can download the source code to the http://www.tcpdump.org, compile and install.
Log on as the root user and run the tcpdump command to capture packets. If you use SSH to log on to remote Linux and run tcpdump directly, you will find that a large number of packets are captured, and the speed is not clear clearly, this is because the packet captured by tcpdump is sent to the remote terminal for display. At the same time, the packet is captured, then displayed, and then captured, resulting in loop capturing. Of course, it makes no sense to capture packets, except to prove that your network is connected.
Because no Nic mixed mode is enabled, if the machine does not have any process to access the network, it cannot catch the package, if in the character interface, access the web site with wget http://www.google.com.hk, if there is a GUI, you can open the Firefox browser to access http://www.google.com.hk.
By default, tcpdump will select the first network card, that is, eth0, to capture packets. Each line displays a captured packet, for example:
0.003183 ????????????? 192.168.21.20? 220.127.116.11 ???? TCP ??????? 38039> HTTP [SYN] seq = 0 win = 5840 Len = 0 mss = 1460 sack_perm = 1 TSV = 36941509 tser = 0 Ws = 6
0.011707 ????????????? 18.104.22.168 ???? 192.168.21.20? TCP ??????? HTTP> 38039 [SYN, ack] seq = 0 ACK = 1 win = 64240 Len = 0 mss = 1460
0.011770 ????????????? 192.168.21.20? 22.214.171.124 ???? TCP ??????? 38039> HTTP [ack] seq = 1 ACK = 1 win = 5840 Len = 0
The preceding three data packets are the well-known TCP three-way handshake data packets. 38039 indicates the TCP port of the client, and the default http port is 80, if tcpdump finds the service name corresponding to the port in/etc/services, it is automatically converted to the name, so HTTP is displayed here. TCP three-way handshake between the client port 38039 and the http port on the server.
As mentioned above, tcpdump uses the first network card for packet capture by default. We can use the-I parameter to specify which network card to capture packets. For example, (# indicates the command I entered, in Linux, the root user prompt is #):
# Tcpdump-I eth1
# Tcpdump-I any
If you want to know which network adapters can be used to capture packets, you can use the-D parameter, for example:
Because my machine only has one Nic, so there is only eth0. If there are multiple NICs active, there will be eth1 and eth2 in turn. Any means to capture packets through any network card, and lo is the loopback interface. (For network problems such as TCP three-way handshake and loopback interface, please refer to "TCP/IP protocol details").
By default, the tcpdump packet capture result is displayed on the screen (strict, professional, or standard output). Obviously, this is not conducive to further data analysis, therefore, we need to store the packet capture results in the file. However, use the-W command to save the result to a file, for example:
# Tcpdump-W Google. Cap
This command stores the packet capture results in the Google. Cap file. You can use Wireshark to open and view the results. Colleagues, tcpdump out of the packet capture, you can also use the-R parameter to develop the packet capture data file, combined with the filter for packet capture data analysis, such:
# Tcpdump-r Google. Cap HTTP
This command allows tcpdump to read the Google. Cap file and filter out all HTTP data packets. Filters are described in detail below.
I used Wireshark in windows. First, I got familiar with the interface. Figure 1 shows how to use Wireshark to open the Google. Cap file interface,
Figure 1 ?? Wireshark Interface
Figure 1 shows the three fast regions. The R1 region is used to display simple packet information. When we use tcpdump to capture packets, this is also shown by default; the R2 area is used to display the detailed information of the selected data packet. You will find that it is displayed in the layer-4 Structure of TCP/IP. The first line is the information of the data link layer, the second line is the network layer information (IP protocol), the third line is the transport layer information (TCP protocol), and the fourth line is the application layer information (HTTP protocol). You can expand each line to observe the specific content; the R3 region is used to show the true face of this data packet. The information we see in R1 and R2 is what Wireshark will show us. The actual data of Packet Capturing is actually a bunch of binary sequences. Use ultraedit to Open google. the CAP file shows numbers, as shown in figure 2.
Figure 2? The length of the captured File
It is very easy to use Wireshark to capture packets. click the button (ToolsThe third button in the column )(ToolsThe first button in the box), and you will find that if you click this button, the packet is captured immediately. This is because Wireshark captures packets in hybrid mode by default, as long as the packets pass through the network adapter are captured (of course, this machine is connected to the network, if there is no data flow, of course, no packet can be captured), click the button to stop the packet capture.
If multiple NICs are installed on the machine, Wireshark selects the first Nic to capture packets by default. If packet capture is complete, it is extremely depressing to find that the NIC is selected incorrectly. Click the button to select the network card to be captured before packet capture.
Figure 3? Select Nic
I only have one network card on my machine, and the other two are the virtual network card when VMware is installed. You can see that although data already exists in packets, you actually need to click Start to start packet capture.
After the problem of selecting the NIC is solved, if you want to filter the packet capture content, click "capture"> "options" on the menu bar to view the page for setting packet capture rules, as shown in figure 4.
Figure 4? Develop packet capture rules
Figure 4 shows caputre packets in promiscuous mode, which is selected by default, indicating that Wireshark captures packets in hybrid mode by default. You can also select which Nic to capture packets, but these are not important. The most important thing is caupture fileter. Click this button to see some predefined filters. For example, if "http tcp port (80)" is selected, the following filter string: TCP port HTTP indicates the filter. Indicates the packet that captures the TCP protocol and port is 80 (the default port of the HTTP protocol is 80 ).
3. Use of filters (bpf language)
???????? This article mainly introduces the use of filters in tcpdump, because you can use Wireshark with ease.
???????? From the very beginning, BPF mainly consists of a flag, number, and qualified word. There are three types of qualified words:
????????? First: specify the type
????????? Host, which defines the IP address to capture (or the MAC address of it, in the format of 00: 00: 00: 00: 00: 00: 00) data packets, for example, if I want to capture data packets related to the IP address 192.168.0.148, I will write it as tcpdump host 192.168.0.148, host is a qualified word, and 192.168.0.148 is a flag. This command captures the packets sent from or to 192.168.0.148.
????????? Net, which defines to capture packets from a network and gives the network number. It determines the Class A address based on the number of bytes given to the network number, which is 1, 2, and 3, class B address or Class C address, such as tcpdump net 10.1.1, it is considered as a class C address.
Port: Specifies the port, such as tcpdump host and port 22. This is the packet that captures port 22, whether it is TCP or UDP. Here I provide logical operations a little earlier, and J, if you only want to capture TCP, you can write tcpdump host 192.168.0.148 and TCP port 22.
Portrange, as its name implies, specifies the port range, with a hyphen (-), for example, tcpdump port 1025-8080.
???????? Type 2: Specify the direction
In our previous commands, "This command will capture packets sent from 192.168.0.148 or sent to 192.168.0.148". Therefore, if you point to the packets sent from the capture, you can use the qualified term SRC. command: tcpdump SRC host 192.168.0.148, in turn, to capture the packet sent to 192.168.0.148, use the qualifier DST, command: tcpdump dst host 192.168.0.148.
??????? Third: Specify the Protocol
We know that there are n kinds of network protocols... I will list several common types of items. Others can go to Google J.
Ether and FDDI, Ethernet protocol
Tr, TR Protocol
IP, IP protocol
Ip6, IPv6 protocol
Arp ,? ARP Protocol
Well, we also need to pay attention to the logic operation, and, or, not (and, Or, rather). There is already an example above, and we will not be so arrogant here, it is no different from a common programming language. In addition, there are more cool x functions, such as specifying the Identification Position in TCP. I usually seldom use such applications, so I will not be arrogant any more.
Selected from: http://www.spasvo.com/news/html/2013116111527.html
Wireshark and tcpdump packet capture analysis experiences