Traceroute and tcpdump commands

Source: Internet
Author: User
Tags: traceroute command

Detailed description of the Linux traceroute command: it displays the route that packets take to reach a host. Syntax: traceroute [-dFlnrvx] [-f] [-g...] [-I] [-m] [-p] [-s] [-t] [-w] [host name or IP address] [packet size]. Supplementary note: the traceroute command lets you trace the route taken by network packets; the default probe packet size is 40 bytes.

Linux traceroute command details

Function description: displays the route that packets take to reach a host.

Syntax:

traceroute [-dFlnrvx] [-f] [-g...] [-I] [-m] [-p] [-s] [-t] [-w] [host name or IP address] [packet size]

Note: The traceroute command lets you trace the route taken by network packets. The default probe packet size is 40 bytes and can be set separately.

Parameters:

-d enables socket-level debugging.

-f sets the TTL value of the first probe packet.

-F sets the don't-fragment (DF) bit on the probe packets.

-g specifies a loose source route gateway; up to eight gateways can be given.

-i sends the probes through the specified network interface.

-I uses ICMP ECHO probes instead of UDP datagrams.

-m sets the maximum TTL (hop count) of the probes.

-n prints IP addresses directly rather than resolving host names.

-p sets the base UDP destination port used by the probes.

-r bypasses the normal routing table and sends the probes directly to a host on an attached network.

-s sets the source IP address from which the probes are sent.

-t sets the TOS value of the probe packets.

-v displays the command's execution in detail (verbose output).

-w sets the time to wait for a response from the remote host.

-x toggles IP checksum calculation on the probe packets.

tcpdump command details

tcpdump is a command-line tool; its command format is:

tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name] [-i network interface] [-r file name] [-s snaplen] [-T type] [-w file name] [expression]

1. Introduction to tcpdump options

-a converts network and broadcast addresses into names;

-d prints the compiled packet-matching code in a human-readable, assembler-like form;

-dd prints the packet-matching code as a C program fragment;

-ddd prints the packet-matching code as decimal numbers;

-e prints the data link layer header on each output line;

-f prints "foreign" Internet addresses numerically;

-l makes standard output line-buffered;

-n does not convert addresses (host addresses, port numbers) into names;

-t does not print a timestamp on each output line;

-v outputs slightly more detail; for example, the TTL and type of service fields of IP packets;

-vv outputs still more detailed packet information;

-c stops tcpdump after receiving the specified number of packets;

-F reads the filter expression from the specified file and ignores any expression given on the command line;

-i specifies the network interface to listen on;

-r reads packets from the specified file (such files are usually produced with the -w option);

-w writes the raw packets to a file instead of parsing and printing them;

-T forces the packets selected by the expression to be interpreted as the specified type. Common types include rpc (remote procedure call) and snmp (Simple Network Management Protocol).

2. Introduction to tcpdump expressions

The expression is a filter expression that tcpdump uses as the condition for selecting packets: if a packet satisfies the expression, it is captured. If no expression is given, all packets on the network are intercepted.

An expression generally uses the following kinds of keywords. The first kind describes the type of the operand: host, net and port. For example, host 210.27.48.2 indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, and port 23 indicates port number 23. If no type is specified, the default type is host.

The second kind specifies the direction of transmission: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 indicates that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the default is src or dst.

The third kind is the protocol keyword, mainly fddi, ip, arp, rarp, tcp, udp and others. fddi denotes a protocol on an FDDI (Fiber Distributed Data Interface) network and is in fact an alias for ether: fddi and ether have similar source and destination address fields, so fddi packets can be processed and analysed as ether packets. The other keywords select the protocol of the packets to listen for. If no protocol is specified, tcpdump listens to packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operations: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions that meet most needs. Several examples follow.

(1) To intercept all packets received and sent by host 210.27.48.1:

# tcpdump host 210.27.48.1

(2) To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (when parentheses are used on the command line, be sure

# tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)

(3) To obtain IP packets for all hosts except 210.27.48.1 and 210.27.48.2, run the following command:

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To obtain the telnet packets received or sent by host 210.27.48.1, run the following command:

# tcpdump tcp port 23 host 210.27.48.1
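As an added example, not part of the original article: two small POSIX shell functions that assemble the filter expressions of examples (2) and (3) from a host list, plus a capture wrapper. The shell treats parentheses specially and interactive bash may expand a bare '!' as history, so the assembled expression must reach tcpdump as one quoted argument; the wrapper also adds -n (no name resolution), -c and -w so a capture is bounded and written to a file for later analysis with -r. The function names peer_filter, exclude_filter and bounded_capture are my own; the addresses reuse the article's examples.

```shell
#!/bin/sh
# Added example, not from the original article. Builds tcpdump filter
# expressions in the shell and passes them safely as one quoted argument.

# peer_filter HOST PEER... -> "host HOST and (host PEER1 or host PEER2 ...)"
# Traffic between HOST and any of the PEERs (the article's example 2).
peer_filter() {
    main=$1
    shift
    peers=""
    for p in "$@"; do
        if [ -z "$peers" ]; then
            peers="host $p"
        else
            peers="$peers or host $p"
        fi
    done
    printf 'host %s and (%s)\n' "$main" "$peers"
}

# exclude_filter HOST EXCLUDED... -> "ip host HOST and not host EXCLUDED ..."
# Traffic of HOST except with the excluded hosts (the article's example 3),
# spelled with 'not' so the shell's history expansion never sees a '!'.
exclude_filter() {
    main=$1
    shift
    filt="ip host $main"
    for x in "$@"; do
        filt="$filt and not host $x"
    done
    printf '%s\n' "$filt"
}

# bounded_capture IFACE COUNT OUTFILE FILTER
# Runs tcpdump with name resolution off (-n), a packet limit (-c) and raw
# output to a file (-w). The filter is passed as a single argument, so its
# parentheses are never parsed by the shell.
bounded_capture() {
    iface=$1; count=$2; outfile=$3; filter=$4
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not installed; would run: tcpdump -n -i $iface -c $count -w $outfile '$filter'" >&2
        return 1
    fi
    tcpdump -n -i "$iface" -c "$count" -w "$outfile" "$filter"
}

# Demonstration with the article's addresses (prints the expressions only).
peer_filter 210.27.48.1 210.27.48.2 210.27.48.3
exclude_filter 210.27.48.1 210.27.48.2
```

To capture, call for instance `bounded_capture eth0 1000 peers.pcap "$(peer_filter 210.27.48.1 210.27.48.2 210.27.48.3)"`; the double quotes around the command substitution keep the whole expression as one argument.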

3. Introduction to output results of tcpdump

Below we will introduce the output information of several typical tcpdump commands.

(1) data link layer header information

Run the command # tcpdump -e host ice

ice is a Linux host; its MAC address is 0:90:27:58:af:1a.

h219 is a SUN workstation running Solaris; its MAC address is 8:0:20:79:5b:46. The output of the command above is as follows:

21:50:12.847509 eth0 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12 is the time of display; the value 847509 indicates the ID number; eth0 indicates the network interface device through which the packet was sent; 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet was sent from source address h219; 0:90:27:58:af:1a is the MAC address of host ice, indicating that the destination of the packet is ice; ip indicates that the packet is an IP packet; 60 is the packet length; h219.33357 > ice.telnet indicates that the packet is sent from port 33357 of host h219 to the telnet port (23) of host ice; ack 22535 indicates an acknowledgement of the packet with sequence number 22535; win 8760 indicates that the send window size is 8760.

(2) TCPDUMP output information of ARP packets

Run the command # tcpdump arp

The output is:

22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)

22:32:42.802509 eth0 > indicates that the packet is sent from the host's eth0 interface at that time; arp indicates that the packet is an ARP request; who-has route tell ice indicates that host ice is requesting the MAC address of host route; 0:90:27:58:af:1a is the MAC address of host ice.

(3) TCP packet output information

The general output format of TCP packets captured with tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst indicates from the source address to the destination address; flags are the flag bits of the TCP packet: S is SYN, F is FIN, P is PUSH, R is RST and "." means no flag is set; data-seqno is the sequence number of the data in the packet; ack is the sequence number expected next; window is the size of the receive buffer window; urgent indicates whether the packet carries an urgent pointer; options are the TCP options.

(4) UDP packet output information

The general output format of UDP packets captured with tcpdump is:

route.port1 > ice.port2: udp length

UDP output is very simple: the line above indicates a UDP packet sent from port port1 of host route to port port2 of host ice; the type is UDP and the packet length is length.
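As an added example, not taken from the original article: a POSIX shell script that parses tcpdump text lines of the shape described in (3) and (4) above with awk and turns them into a quick triage summary, the kind of check a defender runs over a saved capture printout. The sample lines are constructed for this example to match the article's hosts (h219, ice, route); the timestamps, ports, sequence numbers and the function names bare_syn_count, bare_syn_ports, udp_bytes and report are my own. The point encoded here is that a SYN line without an ack is a connection attempt, so many bare SYNs from one host towards different ports deserve a look.

```shell
#!/bin/sh
# Added example, not from the original article: summarise tcpdump text output
# of the form "time src.port > dst.port: flags data-seqno ack window ..." and
# "time src.port > dst.port: udp length". The capture below is CONSTRUCTED;
# only the host names come from the article.
CAPTURE='21:50:12.847509 h219.33357 > ice.telnet: S 1234567:1234567(0) win 8760 <mss 1460> (DF)
21:50:12.847800 ice.telnet > h219.33357: S 98765:98765(0) ack 1234568 win 8760 <mss 1460> (DF)
21:50:12.848100 h219.33357 > ice.telnet: . ack 1 win 8760 (DF)
21:50:12.900000 h219.33357 > ice.telnet: P 1:28(27) ack 1 win 8760 (DF)
21:50:13.000000 h219.33358 > ice.ssh: S 2222:2222(0) win 8760 (DF)
21:50:13.100000 h219.33359 > ice.smtp: S 3333:3333(0) win 8760 (DF)
21:50:13.200000 ice.smtp > h219.33359: R 0:0(0) ack 3334 win 0
21:50:14.000000 route.53 > ice.1024: udp 84
21:50:15.000000 route.123 > ice.123: udp 48'

# Field layout used by all functions: $2 = src.port, $3 = ">", $4 = "dst.port:",
# $5 = TCP flag string (S, F, P, R or ".") or the word "udp", $6 = data-seqno
# or the UDP length. The host part is everything before the last dot.

# bare_syn_count HOST -> number of SYN-only segments (flag S, no ack) sent by HOST
bare_syn_count() {
    printf '%s\n' "$CAPTURE" | awk -v h="$1" '
        $3 == ">" && $5 == "S" && $0 !~ / ack / {
            src = $2; sub(/\.[^.]*$/, "", src)
            if (src == h) n++
        }
        END { print n + 0 }'
}

# bare_syn_ports HOST -> distinct destination ports of those SYNs, in first-seen order
bare_syn_ports() {
    printf '%s\n' "$CAPTURE" | awk -v h="$1" '
        $3 == ">" && $5 == "S" && $0 !~ / ack / {
            src = $2; sub(/\.[^.]*$/, "", src)
            if (src != h) next
            dst = $4; sub(/:$/, "", dst)
            port = dst; sub(/^.*\./, "", port)
            if (!(port in seen)) {
                seen[port] = 1
                out = out (out == "" ? "" : " ") port
            }
        }
        END { print out }'
}

# udp_bytes HOST -> total UDP length (the "udp length" field) sent by HOST
udp_bytes() {
    printf '%s\n' "$CAPTURE" | awk -v h="$1" '
        $3 == ">" && $5 == "udp" {
            src = $2; sub(/\.[^.]*$/, "", src)
            if (src == h) total += $6
        }
        END { print total + 0 }'
}

# report: one summary line per host seen in the constructed capture
report() {
    for h in h219 ice route; do
        printf '%s: bare SYNs=%s to ports [%s], UDP bytes sent=%s\n' \
            "$h" "$(bare_syn_count "$h")" "$(bare_syn_ports "$h")" "$(udp_bytes "$h")"
    done
}

report
```

Against a real printout, replace the CAPTURE variable with `tcpdump -n -r file.pcap` output; the -n option matters because the host-part split assumes the last dot separates the port, which holds for numeric addresses and short names but not for fully qualified host names.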

Note: tcpdump lists the headers of the packets passing through the specified network interface; on Linux you must be the system administrator (root) to run it.

Parameters:

-a tries to convert network and broadcast addresses into names.

-c stops dumping after receiving the specified number of packets.

-d converts the compiled packet-matching code into a readable format and dumps it to standard output.

-dd converts the compiled packet-matching code into C language format and dumps it to standard output.

-ddd converts the compiled packet-matching code into decimal number format and dumps it to standard output.

-e displays the link-level header on each line of dumped data.

-f displays Internet addresses in numeric form.

-F specifies the file containing the filter expression.

-i captures packets on the specified network interface.

-l uses line-buffered standard output.

-n does not convert host addresses into names.

-N does not print the domain-name part of host names.

-O does not run the packet-matching code optimizer.

-p does not put the network interface into promiscuous mode.

-q quick output: prints less protocol information.

-r reads packets from the specified file.

-s sets the number of bytes captured from each packet (the snapshot length).

-S prints absolute rather than relative TCP sequence numbers.

-t does not print a timestamp on each line of dumped data.

-tt prints an unformatted timestamp on each line of dumped data.

-T forcibly interprets the packets selected by the expression as the specified packet type.

-v displays the command's execution in detail (verbose output).

-vv displays the command's execution in even more detail.

-x lists the packets in hexadecimal.

-w writes the raw packets to the specified file.
