How to use tcpdump to detect network port data

Source: Internet
Author: User
Tcpdump detects network port data using the command line method. the command format is: tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name] [-I network interface] [-r file name] [-ssnaplen] [-T type] [-w file name] [expression] 1. introduction to tcpdump options-a Sets the network address and broadcast

TcpdumpNetwork port data detection

Tcpdump adopts the command line method. its command format is:
Tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name]
[-I network interface] [-r file name] [-s snaplen]
[-T type] [-w file name] [expression]

1. Introduction to tcpdump options
-A converts a network address and broadcast address into a name;
-D. give the code that matches the information package in an assembly format that people can understand;
-Dd provides the code that matches the information package in the format of the C program segment;
-Ddd provides the matching information package code in decimal format;
-E prints the header information of the data link layer in the output line;
-F print the Internet address in numbers;
-L changes the standard output to the buffer row format;
-N does not convert the network address into a name;
-T no timestamp is printed on each output line;
-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information;
-Vv: output detailed message information;
-C. after receiving the specified number of packages, tcpdump stops;
-F read the expression from the specified file and ignore other expressions;
-I indicates the network interface of the listener;
-R reads packets from a specified file (these packets are generally generated using the-w option );
-W directly writes the package into the file and does not analyze or print it out;
-T directly interpret the listening packet as a specified type of message. Common types include rpc (remote process call) and snmp (Simple Network Management Protocol ;)

For example:
Command:
For example, tcpdump port 25889 and host192.168.26.55

Tcpdump-X-s1600-I eth1 dst port 20072-wdump. dat

Tcpdump-X-s1600-I eth0 port 25889 [-X printed as hexadecimal and ASCII code,-I specified interface]

2. Introduction to tcpdump expressions
A regular expression is used by tcpdump to filter packets.
The packet will be captured. If no conditions are provided, all information packages on the network will
Intercepted.
In an expression, the following types of keywords are generally used. one is about the types of keywords, including host,
Net, port, for example, host 210.27.48.2, indicating that 210.27.48.2 is a host, and net 202.0.0.0 indicates
202.0.0.0 is a network address and port 23 indicates that the port number is 23. If no type is specified, the default type is
Host.
The second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src,
These keywords indicate the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.
48.2, dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified
The default value is the src or dst keyword.
The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates that
The specific network protocol on FDDI (distributed optical fiber data interface network) is actually the alias of "ether", fddi and e
Ther has a similar source address and destination address, so you can use the fddi protocol package as the ether package for processing and analysis.
The other keywords indicate the protocol content of the listener package. If no protocol is specified, tcpdump will
Listen to the information packages of all protocols.
In addition to the three types of keywords, other important keywords are as follows: gateway, broadcast, less,
Greater, there are three logical operations. The non-operation is 'not ''! ', And the operation is 'and',' & '; or the operation is 'o
R', '| ';
These keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples:
Description.
(1) all packets received and sent by all hosts 210.27.48.1 are to be intercepted:
# Tcpdump host 210.27.48.1
(2) to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command:
(When using parentheses in the command line, be sure
# Tcpdump host 210.27.48.1 and/(210.27.48.2 or 210.27.48.3 /)
(3) If you want to obtain an IP packet for all hosts except 210.27.48.1 and 210.27.48.2
, Run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
(4) to obtain the telnet packet received or sent by the host 210.27.48.1, run the following command:
# Tcpdump tcp port 23 host 210.27.48.1

3. Introduction to output results of tcpdump
Below we will introduce the output information of several typical tcpdump commands.
(1) data link layer header information
Run the command # tcpdump -- e host ice
Ice is a linux host. her MAC address is 0: 90: 27: 58: AF: 1A.
H219 is a SUN workstation with SOLARIC installed. its MAC address is 8: 0: 20: 79: 5B: 46; the previous one
Command output is as follows:
21:50:12. 847509 eth0 <8: 0: 20: 79: 5b: 46 0: 90: 27: 58: af: 1a ip 60: h219.33357> ice. telnet 0: 0 (0) ack 22535 win 8760 (DF)

Analysis: 21: 50: 12 indicates the display time, 847509 indicates the ID number, and eth0 indicates the display time. <表示从网络接口eth0 接受该
The packet. eth0> indicates that the packet is sent from the network interface device. 8: 0: 20: 79: 5b: 46 is the MAC address of the host H219.
Indicates that the data packet is sent from the source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE, indicating
The destination address is ICE. ip indicates that the data packet is an IP packet, 60 indicates the length of the data packet, and h219.33357> ice.
Telnet indicates that the packet is sent from Port 33357 of host H219 to port. ack 22535 of TELNET (23) of host ICE
Indicates to respond to a packet whose serial number is 222535. win 8760 indicates that the size of the sending window is 8760.

(2) TCPDUMP output information of ARP packets
Run the command # tcpdump arp
The output result is:
22:32:42. 802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)
22:32:42. 802902 eth0 <arp reply route is-at 0: 90: 27: 12: 10: 66 (0: 90: 27: 58: af: 1a)

Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0> indicates that the packet is sent from the host, arp indicates that the packet is
ARP Request packet. who-has route tell ice indicates the MAC address of the host's ROUTE request by the host ICE. 0: 90: 27: 5
8: af: 1a is the MAC address of the host ICE.

(3) TCP packet output information
The common output information of TCP packets captured with TCPDUMP is:
Src> dst: flags data-seqno ack window urgentoptions
Src> dst: Indicates from the source address to the destination address. flags indicates the flag information in the TCP packet, S indicates the SYN mark, F (FIN), P (PUSH), R (RST )". "(not marked); data-seqno is the sequence number of data in the data packet, ack is the sequence number expected next time, window is the size of the window that receives the cache, and urgent indicates whether there is an emergency pointer in the data packet. options is an option.

(4) UDP packet output information
The general output information of the UDP packet captured with TCPDUMP is:
Route. port1> ice. port2: udp lenth
UDP is very simple. the output line above indicates a UDP packet sent from the port1 port of the host ROUTE to the port2 port of the host ICE. the type is UDP and the package length is lenth.

========================================================== ======================================

In traditional network analysis and testing technologies, sniffer is the most common and important technology. Sniffer is designed for network analysis by network administrators and network programmers. Network administrators can keep abreast of the actual network conditions by using the sniffer. when network performance drops sharply, you can use the sniffer tool to analyze the causes and find out the source of network congestion. For network programmers, the sniffer tool is used to debug programs.

Anyone who has used the sniffer tool on windows (for example, netxray and snifferpro) may know that in a shared Lan, using the sniffer tool can provide a clear view of all the traffic in the network! The Sniffer tool is actually a packet capture tool on the network. It can also analyze captured packets. In a shared network, information packets are the network interfaces of all hosts in the network, but before the sniffer tool is used, the network device of the host determines whether the information packet should be received, so that it will discard the information packet that should not be received. the sniffer tool allows the network device of the host to receive all the information packets that have arrived, this achieves the effect of network listening.

Data collection and analysis is essential when Linux is a network server, especially a router or gateway. So, let's take a look at TcpDump, a powerful network data collection and analysis tool in Linux.

To define tcpdump in a simple way, dump the traffice on anetwork is a packet analysis tool that intercepts packets on the network according to the user's definition.

As an essential tool for system administrators on the Internet, tcpdump, with its powerful functions and flexible interception policies, becomes one of the essential tools for every senior system administrator to analyze the network and troubleshoot problems.

As the name suggests, TcpDump can completely intercept the "header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information.

Tcpdump provides source code and open interfaces, so it has high scalability and is a very useful tool for network maintenance and intruders. Tcpdump exists in the basic FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local machine, but a threat to the security of other computers on the network.

Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
-----------------------
Bash-2.02 # tcpdump
Tcpdump: listening on eth0
11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50
11:58:47. 974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1d ui/Clen = 43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014
000f 0000 902b 4695 0008 00
11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui/Clen = 97
Ffff 0060 0004 ffff
0452 ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
00, 0000
^ C
------------------------

First, we should pay attention to the following output: the output format of tcpdump is: System time source host. Port> target host. Port data packet parameter.

Parameter support for TcpDump
 

Tcpdump supports many different parameters. for example, you can use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces, use the-c parameter to specify the number of data packets to be monitored, and use the-w parameter to specify to write the data packets to the file for storage, and so on.

However, the more complex tcpdump parameter is used for filtering, because the traffic in the network is large. If no difference is added, all data packets are intercepted, and the data volume is too large, instead, it is difficult to find the required data packets. Filter rules defined by these parameters can be used to intercept specific data packets to narrow down the target so as to better analyze problems in the network. Tcpdump uses parameters to specify the type, address, and port of the data packet to be monitored. based on specific network problems, making full use of these filtering rules can quickly locate faults. Use mantcpdump to view the specific usage of these filter rules.

Obviously, this type of network analysis software should not be run on computers that are not used for network management. to shield them, we can shield bpfilter pseudo devices in the kernel. Generally, network hardware and TCP/IP stacks do not support receiving or sending data packets unrelated to the computer. to receive these data packets, you must use the network adapter's hybrid mode, and bypass the standard TCP/IP stack. In FreeBSD, the kernel must support bpfilter, a pseudo-device. Therefore, network analysis tools such as tcpdump can be shielded by canceling bpfilter in the kernel.

When the NIC is set to the hybrid mode, the system will leave a record in the console and log files, reminding the administrator to check whether the system is used as a springboard to attack other computers on the same network.

May 15 16:27:20 host1/kernel: fxp0: promiscuous modeenabled

Although the network analysis tool can record the data transmitted over the network, the data traffic in the network is quite large, how to analyze, classify, and collect statistics on the data, and discover and report errors is more critical. Data packets in the network belong to different protocols, and the formats of data packets in different protocols are also different. Therefore, decoding captured data and displaying packet information as much as possible is more important for protocol analysis tools. The advantage of expensive commercial analysis tools is that they support many types of application layer protocols, not only tcp, udp and other low-layer protocols.

According to the output of tcpdump, tcpdump does not thoroughly decode the intercepted data. most of the content in the data packet is printed in hexadecimal format. Obviously, this is not conducive to the analysis of network faults. The common solution is to first use tcpdump with The-w parameter to capture data and save it to the file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to prevent the captured data packets from filling the entire hard disk.

TCP function data filtering

Without any parameters, TcpDump searches all network interfaces in the system and displays all the data it intercepts. this data is not necessarily all required for us, and too much data is not conducive to analysis. Therefore, we should first think about what data is needed. TcpDump provides the following parameters for us to select data:

-B selects the protocol on the data-link layer, including ip, arp, rarp, and ipx.

For example, tcpdump-B arp only displays arp in the network, that is, address translation protocol information.

-I: Select the network interface to be filtered. if a router has at least two network interfaces, you can use this option to filter only the data passed through the specified interface. For example:

Tcpdump-I eth0 only displays all headers on the eth0 interface.

The options src, dst, port, host, net, ether, and gateway include additional options such as src, dst, port, host, net, and ehost. They are used to identify the source and destination of data packets. src host192.168.0.1 specifies that the source host IP address is 192.168.0.1, and dst net192.168.0.0/24 specifies that the destination is 192.168.0.0. Similarly, the host is related to the specified host, whether it is the source or the target, and the net is related to the specified network. The ether is followed by a physical address instead of an IP address, while the gateway is used for the gateway host. It may be a bit complicated. let's see the following example:

Tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

Filters the headers whose source host is 192.168.0.1 and whose destination network is 192.168.0.0.

Tcpdump ether src 00: 50: 04: BA: 9B and dst ......

Filter the header with the physical address of the source host being XXX (why is there no host or net behind ether src? Of course, the physical address cannot have a network ).

Tcpdump src host 192.168.0.1 and dst port not telnet

Filter the source host 192.168.0.1 and the target Port are not the telnet header.

Ip icmp arp rarp, tcp, udp, icmp, and other options must be placed at the first parameter to filter the data type.
For example:

Tcpdump ip src ......

Only filter data-IP headers on the link layer.

Tcpdump udp and src host 192.168.0.1

Only filter all udp headers of the source host 192.168.0.1.

Data Display/input/output

TcpDump provides enough parameters for us to choose how to process the data, as shown below:

-L can redirect data.

For example, tcpdump-l> tcpcap.txt stores the obtained data in the tcpcap.txt file.

-N does not convert the IP address to the host name.

If you do not use this option, TcpDump will convert the IP address to the host name display when a host's host name exists in the system, just like this: eth0 <ntc9.1165> router.domain.net. telnet: eth0 <192.168.0.9.1165> 192.168.0.1.telnet.

-Nn does not convert the port name.

After using-nn, the above information becomes: eth0 <ntc9.1165> router.domain.net. 23.

-N does not print the default domain name.

After N, it is eth0 <ntc9.1165> router. telnet.

-O does not optimize the matching code.
-T does not print the UNIX timestamp, that is, the time is not displayed.
-Tt prints the original, unformatted time.
-V has a more detailed output than a common TTL and service type.

**************************************** **************************************** *****************
TCPDUMP installation

In linux, the installation of tcpdump is very simple. Generally, there are two installation methods. An rpm Package is used for installation. In addition, it is installed in the form of a source program.
1. rpm Package installation
# Rpm-ivh tcpdump-3_4a5.rpm
In this way, tcpdump is successfully installed on your linux system. It's easy.
2. installation of the source program
# Tar xvfz tcpdump-3_4a5.tar.Z
Run the following command to install the rpm Package:
# Rpm-ivh tcpdump-3_4a5.src.rpm
In this way, extract the source code of tcpdump to the/usr/src/redhat/SOURCES Directory.

Step 2 Prepare the source program for compilation

Before compiling the source program, you are advised to confirm that the library file libpcap has been installed. this library file is the library file required by tcpdump software. Similarly, you also need a standard C language compiler. In linux, the standard c language compiler is generally gcc. In the tcpdump source program directory. One file is Makefile. in. the configure command automatically generates the Makefile file from the Makefile. in file. In the Makefile. in file, you can modify the BINDEST and MANDEST macro definitions according to the system configuration. the default value is
BINDEST = @ sbindir @
MANDEST = @ mandir @
 
The first macro value indicates the path name of the binary file where tcpdump is installed, and the second macro value indicates the path name of the tcpdump man help page. you can modify them to meet system requirements.

Step 3 compile the source program
 
Use the configure script in the source program directory to read various required attributes from the system. The Makefile file is automatically generated according to the Makefile. in file, so that the. make command can be used to compile the tcpdump source program according to the rules in the Makefile file. Run the makeinstall command to install the compiled binary file tcpdump.
 
Summary:
 
# Tar xvfz tcpdump-3_4a5.tar.Z
# Vi Makefile. in
#./Configure
# Make
# Make install

For more information about tcpdump, see Man tcpdump.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.