Go Linux operating system tcpdump grasping packet analysis detailed

Ps:tcpdump is a tool for intercepting network groupings and outputting grouped content, which is simply the packet capture tool. With its powerful capabilities and flexible interception strategy, tcpdump is the preferred tool for network analysis and troubleshooting in Linux systems.

Tcpdump provides source code, exposes interfaces, and is therefore highly extensible, and is a useful tool for network maintenance and intruders. Tcpdump exists in the basic Linux system, because it needs to set the network interface to promiscuous mode, the normal user can not execute normally, but the user with the root authority may directly execute it to obtain the information on the network. Therefore, the existence of network analysis tools in the system is not a threat to native security, but a threat to the security of other computers on the network.

I. Overview

As the name implies, Tcpdump can intercept the "head" of packets transmitted in the network to provide analysis. It supports filtering on the network layer, protocol, host, network, or port, and provides logical statements such as and, or, not, to help you get rid of useless information.

# TCPDUMP-VV

Tcpdump:listening on eth0, Link-type EN10MB (Ethernet), capture size bytes

11:53:21.444591 IP (Tos 0x10, TTL +, id 19324, offset 0, flags [DF], Proto 6, length:92) asptest.localdomain.ssh > 1 92.168.228.244.1858:p 3962132600:3962132652 () Ack 2726525936 win 1266

asptest.localdomain.1077 > 192.168.228.153.domain: [Bad UDP cksum 166e!] 325+ PTR? 244.228.168.192.in-addr.arpa. (46)

11:53:21.446929 IP (Tos 0x0, TTL, id 42911, offset 0, flags [DF], Proto, length:151) 192.168.228.153.domain > A sptest.localdomain.1077:325 NXDomain q:ptr? 244.228.168.192.in-addr.arpa. 0/1/0 Ns:168.192.in-addr.arpa. (123)

11:53:21.447408 IP (Tos 0x10, TTL, id 19328, offset 0, flags [DF], Proto 6, length:172) asptest.localdomain.ssh > 192.168.228.244.1858:p 168:300 () Ack 1 win 1266

347 Packets Captured

1474 Packets received by filter

745 packets dropped by kernel

The tcpdump without parameters collects all the information headers in the network, the volume of data is huge and must be filtered.

Ii. Introduction of options

-A prints out all the groupings in ASCII format and minimizes the head of the link layer.

-C Tcpdump will stop after receiving the specified number of packets.

-C checks whether the current size of the file exceeds the size specified in the parameter file_size before writing an original grouping to the file. If the specified size is exceeded, the current file is closed, and then a new file is opened. The units of the parameter file_size are megabytes (1,000,000 bytes, not 1,048,576 bytes).

-D gives the code for matching packets in a compiled format that people can understand.

-DD the code for matching packets in the format of the C program segment.

The code for matching packets is given in decimal form-ddd.

-D prints out all network interfaces in the system that can be truncated with tcpdump.

-e Prints the header information of the data link layer on the output line.

-E uses the [email protected] Algo:secret to decrypt the IPSec ESP groupings with addr as the address and contains the Security parameter index value SPI.

-F Prints the external Internet address as a digital form.

-F reads an expression from the specified file, ignoring the expression given in the command line.

-i specifies the network interface to listen on.

-L causes the standard output to become a buffered line and can export data to a file.

-l lists the known data links for the network interface.

-M imports the SMI MIB module definition from the file module. This parameter can be used multiple times to import multiple MIB modules.

-M if the TCP-MD5 option exists in the TCP message, you need to use secret as the shared verification code to verify the summary of the TCP-MD5 selection option (refer to RFC 2385 for details).

-B Select Protocols on the data-link layer, including IP, ARP, RARP, and IPX.

-N does not convert the network address into a name.

The-NN is displayed directly on the IP and port numbers, not the host and server names.

-N does not output the domain name portion of the hostname. For example, ' nic.ddn.mil ' only outputs ' NIC '.

-T does not print a timestamp on each line of the output. (-TT-TTT)

-O does not run the grouping grouping matching (packet-matching) code optimizer.

-P does not set the network interface to promiscuous mode.

-Q fast output. Only less protocol information is output.

-R reads the package from the specified file (these packages are typically generated through the-w option).

-S outputs the serial number of TCP as absolute value, not relative.

-S reads the first Snaplen bytes from each packet, rather than the default of 68 bytes. -S 0 means that the entire package is output without limiting the length.

-T directly interprets the heard packet as a specified type of message, the common type has RPC remote procedure call) and SNMP (Simple Network Management Protocol;).

-T does not output a timestamp in each row.

-TT output a non-formatted timestamp in each row.

-TTT outputs the time difference between the line and the previous row.

-TTTT prints the timestamp of the default format processed by date in each row.

-U outputs an NFS handle that is not decoded.

-V outputs a slightly more detailed information, such as the TTL and the type of service that can be included in the IP packet.

-VV output for more detailed information.

The-VV outputs detailed message information.

-W directly writes the groupings to the file instead of parsing and printing them out. (The output. pcap file can be opened in Windows with Wireshark for further analysis)

To allow Wireshark to analyze the tcpdump package, the key is the-s parameter, and the output file is saved for-W.

-X and-XX, with 16 binary and ASCII output, can read the display of data packets, suitable for HTTP, memcached ASCII, such as plaintext transmission protocol, you see the content;

Introduction to the expression of tcpdump

An expression is a regular expression that Tcpdump uses as a condition for filtering messages that will be captured if a message satisfies the conditions of the expression. If no conditions are given, all packets on the network will be intercepted.

In an expression, there are several types of keywords in general:

The first is about the type of keywords, primarily including host,net,port, such as host 210.27.48.2, which indicates that 210.27.48.2 is a host, and that net 202.0.0.0 indicates that 202.0.0.0 is a network address, Port 23 Indicates that the port number is 23. If no type is specified, the default type is host.

The second is a keyword that determines the direction of transmission, mainly including src,dst,dst or SRC,DST and SRC, which indicate the direction of the transmission. For example, SRC 210.27.48.2, which indicates that the source address in the IP packet is 210.27.48.2, DST net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is indicated, the default is the src or DST keyword.

The third is the key word of the agreement, mainly including FDDI,IP,ARP,RARP,TCP,UDP and other types. FDDI indicates that it is a specific network protocol on FDDI (Distributed Optical Data Interface Network), in fact it is "ether" Alias, FDDI and Ether have similar source address and destination address, so the FDDI protocol packet can be treated and analyzed as a ether packet. The other key words are the protocol content of the listening packet. If no protocol is specified, tcpdump will listen for all protocol packets.

In addition to these three types of keywords, other important keywords are as follows: Gateway, broadcast,less, greater, and three logical operations, take non-op is ' not '! ', and the operation is ' and ', ' && ', or the operation is ' or ', ' & #124;& #124; ' These keywords can be combined to form a powerful combination of conditions to meet people's needs.

Cases:

Tcpdump-i Lo-nn-a-S 0 tcp-w/home/open/1.txt Port 3306 and SRC host 112.142.34.24 and DST host 192.168.1.33

Tcpdump-x-n-s 0 TCP port 8033-i Lo

Tcpdump-a-n-x-S 0 TCP port 7430 and host 192.168.3.143

Tcpdump-x-n-s 0 TCP port 9024 or 9021 or 9023 or 9020

Iv. Introduction of output results

Below we describe the output information of several typical tcpdump commands

(1) Data Link Layer header information

Use the command:

#tcpdump--E Host ICE

ICE is a host with Linux installed. Its MAC address is 0:90:27:58:af:1a H219 is a Sun workstation equipped with Solaris. Its MAC address is 8:0:20:79:5b:46; the output from the previous command is as follows:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a IP 60:h219.33357 > ICE. Telne T 0:0 (0) Ack 22535 win 8760 (DF)

21:50:12 is the displayed time, 847509 is the ID number, eth0 < represents the packet received from the network interface eth0, Eth0 > represents the packet sent from the network interface device, 8:0:20:79:5B:46 is the host H219 MAC address, It indicates a grouping that is sent from the source address H219. 0:90:27:58:AF:1A is the MAC address of the host ice, which indicates that the destination address for the group is ice. IP is an indication that the grouping is IP grouping, 60 is the length of the packet, h219.33357 > ICE. Telnet indicates that the group is a Telnet (23) port destined for host ice from Port 33357 of the host H219. An ACK of 22535 indicates a response to a packet with a sequence number of 222535. Win 8760 indicates that the size of the Send window is 8760.

(2) Tcpdump output information for ARP packets

Use the command:

#tcpdump ARP

The resulting output is:

22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:AF:1A)

22:32:42.802902 Eth0 < ARP reply route is-at 0:90:27:12:10:66 (0:90:27:58:AF:1A)

22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet is emitted from the host, ARP indicates that it is the ARP request packet, and Who-has route tell ice indicates that it is the MAC address of the host ice request host route. 0:90:27:58:AF:1A is the MAC address of the host ice.

(3) Output information for TCP packets

The general output information for TCP packets captured with Tcpdump is:

src > Dst:flags data-seqno ack window urgent options

src > DST: Indicates from the source address to the destination address, flags is the flag information in the TCP message, S is the SYN flag, F (FIN), P (PUSH), R (RST) "." (not marked); Data-seqno is the sequence number of the data in the message, the ACK is the next expected order number, window is the size of the receiving cache, and urgent indicates whether there is an emergency pointer in the message. Options is the option.

(4) Output information for UDP packets

The general output information for UDP packets captured with Tcpdump is:

Route.port1 > ICE.port2:udp lenth

UDP is very simple, the above output line indicates a UDP message from the PORT1 port of the host route to the PORT2 port of the host ice, the type is UDP, the packet length is lenth.

V. Examples

(1) to intercept all packets received and sent by all 210.27.48.1 hosts:

#tcpdump Host 210.27.48.1

(2) to intercept host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 communication, use the command (note: The backslash before the parentheses is required):

#tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)

(3) If you want to get host 210.27.48.1 in addition to the IP packets that communicate with all hosts except host 210.27.48.2, use the command:

#tcpdump IP host 210.27.48.1 and! 210.27.48.2

(4) If you want to get the SSH packets received or issued by the host 192.168.228.246, and do not convert the host name using the following command:

#tcpdump-nn-n SRC host 192.168.228.246 and port and TCP

(5) Obtain the SSH packet received or issued by the host 192.168.228.246, and display the MAC address together:

# tcpdump-e SRC host 192.168.228.246 and port and Tcp-n-nn

(6) The filter is the header of the source host for the 192.168.0.1 with the destination network for 192.168.0.0:

tcpdump SRC host 192.168.0.1 and DST net 192.168.0.0/24

(7) Filter the source host physical address is the header of XXX:

tcpdump ether src 00:50:04:ba:9b and dst ...

(Why is there no host or net behind ether src?) The physical address of course cannot have a network).

(8) Filter the source host 192.168.0.1 and destination port is not the Telnet header, and import into the Tes.t.txt file:

Tcpdump SRC host 192.168.0.1 and DST port not telnet-l > Test.txt

IP icmp arp rarp and TCP, UDP, ICMP and so on are all put to the position of the first parameter, to filter the type of datagram.

Example: How to use tcpdump to monitor the packet data from the ETH0 adapter with the communication protocol port 22 and the target source 192.168.1.100?

Answer: tcpdump-i eth0-nn port and SRC host 192.168.1.100

Example: How do I use the tcpdump crawl to access the ETH0 adapter card and the access port is TCP 9080?

Answer: tcpdump-i eth0 DST 172.168.70.35 and TCP port 9080

Example: How to use tcpdump crawl with host 192.168.43.23 or host 192.168.43.24 communication message, and display on the console

Tcpdump-x-S 1024-i eth0 host (192.168.43.23 or 192.168.43.24) and host 172.16.70.35
---------------------------------------------------------------------------------
Add:

Synopsis

tcpdump [-ADDEFLLNNOPQRSTUUVXX] [-c Count]

[-C File_size] [-F file]

[-I. Interface] [-M module] [-M secret]

[-R File] [-S Snaplen] [-T type] [-W File

]

[-W FileCount]

[-e [email protected] Algo:secret,...]

[-y Datalinktype] [-Z User]

[Expression]

C Set the number of packets caught automatically stop

s specifies how many bytes before each packet is caught (default 56 bytes)

W Save to a file

R Read File

V Show more detail

n Do not display host name, display IP

NN also displays the port as a numeric value, otherwise the port service name is displayed

I specify which NIC

Host specifies one of the hosts

Port to specify one of the ports

NET Specifies a network

TCP Specified catch TCP packet

UDP Specifies the catch UDP packet

IP-specified catch IP packet

ICMP specified catch ICMP packet

SRC host Specifies the source master

DST host Specifies destination hosts

DST Port Specifies destination ports

Instance grab 164 access to local 22-port package, one-way

[[email protected] ~]# tcpdump-i eth0-n src host 192.168.0.164 and DST Port 22

Grab 164ping of local package

[Email protected] ~]# tcpdump-i eth0-n ICMP and src host 192.168.0.164

When the NIC is working in promiscuous mode

[[email protected] ~]# tcpdump-i eth0-n DST Port $ or DST Port 80

Could have caught someone else's bag.

There is a package to solve ... Later said

Two conditions to catch together

[[email protected] ~]# tcpdump-i eth0-n ' src host 192.168.0.164 and DST Port ' or ' src host 192.168.0.4 and DST Port 8 0 ' is equivalent

[[email protected] ~]# tcpdump-i eth0-n \ (src host 192.168.0.164 and DST Port 22\) or \ (src host 192.168.0.4 and DST por T 80\)

Teacher Notes

Tcpdump-i eth0

Tcpdump-i eth0-v-N

-V shows more detailed information including ttl,tos values, etc.

-N Do not do IP resolution to host name

-NN does not do name parsing and port parsing

More targeted Grab bags:

For IP, network segment, port, protocol

[Email protected] ftp]# tcpdump-i ETH0-VNN host 192.168.0.154

[Email protected] ftp]# tcpdump-i eth0-vnn net 192.168.0.0/24

[Email protected] ftp]# tcpdump-i ETH0-VNN Port 22

[[email protected] ftp]# tcpdump-i eth0-vnn UDP

[[email protected] ftp]# tcpdump-i eth0-vnn ICMP

[[email protected] ftp]# tcpdump-i eth0-vnn ARP

[[email protected] ftp]# tcpdump-i ETH0-VNN IP

[Email protected] ftp]# tcpdump-i eth0-vnn src host 192.168.0.154

[Email protected] ftp]# tcpdump-i ETH0-VNN DST host 192.168.0.154

[Email protected] ftp]# tcpdump-i eth0-vnn src Port 22

[[email protected] ftp]# tcpdump-i eth0-vnn src host 202.106.0.254 and DST Port 22

[[email protected] ftp]# tcpdump-i eth0-vnn src host 192.168.0.154 or Port 22

[Email protected] ftp]# tcpdump-i eth0-vnn src host 192.168.0.154 and not port 22

[[email protected] ftp]# tcpdump-i eth0-vnn \ (src host 192.168.0.2 and DST port \) or \ (src host 192.168.0.65 and DST Port 80 \)

[[email protected] ~]# tcpdump-ieth0-vnn-r/tmp/fil1 TCP

[Email protected] ~]# tcpdump-ieth0-vnn-r/TMP/FIL1 host 202.106.0.258

[[email protected] ~]# tcpdump-ieth0-vnn-r/tmp/fil1 TCP

[Email protected] ~]# tcpdump-ieth0-vnn-w/tmp/fil1-c 100