How to use the tcpdump command in Linux

Source: Internet
Author: User
Filter expression keywords fall into three types. The first type specifies what kind of object the value is: host, net or port. For example, host 210.27.48.2 treats 210.27.48.2 as a host address, net 202.0.0.0 treats 202.0.0.0 as a network address, and port 23 matches port number 23. If no type is given, host is assumed.

The second type specifies the transfer direction: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 matches packets whose IP source address is 210.27.48.2, and dst net 202.0.0.0 matches packets whose destination network is 202.0.0.0. If no direction is given, src or dst is assumed, that is, the value may appear on either side.

The third type is the protocol keyword: fddi, ip, arp, rarp, tcp, udp and so on. fddi selects traffic on FDDI (Fiber Distributed Data Interface) networks; it is in fact an alias of ether, because FDDI and Ethernet frames carry similar source and destination address fields, so FDDI frames are handled like Ethernet frames. The other keywords select the protocol of the packets to capture. If no protocol is given, tcpdump captures packets of all protocols.
Besides these three types of keywords, other important keywords are gateway, broadcast, less and greater, plus three logical operators: negation is not or !, conjunction is and or &&, disjunction is or or ||. Note that and binds tighter than or, so host A and B or C means (host A and B) or C; use parentheses when you mean something else. These keywords combine into powerful compound conditions. Several examples follow.
Started with no arguments, tcpdump captures every packet passing through the first network interface:
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff
0452 ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
00 0000
Use the -i parameter (lowercase i) to choose the interface tcpdump listens on, which matters when the machine has several interfaces. Be careful with the case: in current tcpdump versions uppercase -I means something else, it puts the interface into monitor mode.
Use the -c parameter to stop after a given number of packets.
Use the -w parameter to write the captured packets to a file instead of printing them.

A. Capture all packets received or sent by host 210.27.48.1:
# tcpdump host 210.27.48.1

B. Capture the traffic between host 210.27.48.1 and either 210.27.48.2 or 210.27.48.3. Parentheses are special to the shell, so escape them as shown or put the whole expression in single quotes:
# tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

C. Capture the IP packets that host 210.27.48.1 exchanges with every host other than 210.27.48.2 (not and ! are equivalent):
# tcpdump ip host 210.27.48.1 and not 210.27.48.2

D. Capture the telnet packets received or sent by host 210.27.48.1. Primitives must be joined with an explicit and; simply placing them next to each other is a syntax error:
# tcpdump tcp port 23 and host 210.27.48.1

E. Monitor UDP port 123 on the local machine; port 123 is the NTP service port:
# tcpdump udp port 123

F. Capture only the traffic of the host named hostname, which can be the local machine or any other machine on the network. The following command captures everything that hostname sends:
# tcpdump -i eth0 src host hostname

G. The following command captures everything sent to hostname:
# tcpdump -i eth0 dst host hostname

H. Packets that pass through a given gateway can also be captured. gateway matches packets whose Ethernet source or destination is the gateway while its IP address is neither the IP source nor destination, so the name must resolve to both an IP address and an Ethernet address:
# tcpdump -i eth0 gateway Gatewayname

I. To capture the TCP or UDP packets to or from port 80 on hostname:
# tcpdump -i eth0 host hostname and port 80


To see only the packets sent to port 80, use dst port; to see only the packets coming back from port 80, use src port:
# tcpdump -i eth0 host hostname and dst port 80
matches packets whose destination port is 80, or
# tcpdump -i eth0 host hostname and src port 80
matches packets whose source port is 80, which is generally the host providing the HTTP service.
When there are several conditions, join them with and, or and not:
# tcpdump -i eth0 not host 211.161.223.70 and not host 211.161.223.71 and dst port 80
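The precedence and qualifier-inheritance rules behind the examples above (and binds tighter than or, an unqualified value such as 210.27.48.2 reuses the last host/net/port and src/dst keywords, a type defaults to host, a direction defaults to "either side") are easy to get wrong and then the capture silently includes or excludes traffic. The evaluator below is an added example, not libpcap's own filter compiler: it implements that subset of the syntax over packets represented as plain dicts, so an expression can be sanity-checked against constructed traffic before it is used on a live interface. It supports host, net in CIDR form only, port, src/dst, the ip/tcp/udp qualifiers, and/or/not with their symbolic forms and parentheses; the combined src or dst / src and dst forms are not implemented, and all packet data is constructed.

```python
import ipaddress
import re

# Parentheses are separate tokens; everything else splits on whitespace.
TOKEN = re.compile(r"\(|\)|[^\s()]+")
OPERATORS = {"and", "&&", "or", "||", "not", "!", "(", ")", None}


class Filter:
    """Evaluator for a subset of the tcpdump/BPF filter language (an added
    example, not libpcap). Packets are dicts: src, dst, sport, dport, proto."""

    def __init__(self, expr):
        self.toks = TOKEN.findall(expr)
        self.pos = 0
        self.last_dir, self.last_kind = None, "host"   # defaults: host, either side
        self.pred = self.parse_or()
        if self.pos != len(self.toks):
            # e.g. 'host A port 80': primitives need an explicit 'and' between them
            raise ValueError("syntax error near: " + " ".join(self.toks[self.pos:]))

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    # Precedence: not > and > or; parentheses override.
    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):
        proto = self.take() if self.peek() in ("ip", "tcp", "udp") else None
        proto_ok = (lambda p: True) if proto in (None, "ip") else (lambda p: p["proto"] == proto)
        if proto and self.peek() in OPERATORS:
            return proto_ok                      # a bare 'tcp', 'udp' or 'ip'
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind = self.take() if self.peek() in ("host", "net", "port") else None
        value = self.take()
        if value in OPERATORS:
            raise ValueError("expected an address, network or port")
        if kind is None and direction is None:
            direction, kind = self.last_dir, self.last_kind   # bare value inherits
        elif kind is None:
            kind = "host"
        self.last_dir, self.last_kind = direction, kind
        if kind == "port":
            want, fields = int(value), ("sport", "dport")
            test = lambda v: v == want
        elif kind == "net":
            net, fields = ipaddress.ip_network(value, strict=False), ("src", "dst")
            test = lambda v: ipaddress.ip_address(v) in net
        else:
            want, fields = value, ("src", "dst")
            test = lambda v: v == want
        if direction:
            field = fields[0] if direction == "src" else fields[1]
            match = lambda p: test(p[field])
        else:
            match = lambda p: test(p[fields[0]]) or test(p[fields[1]])
        return lambda p: proto_ok(p) and match(p)

    def __call__(self, packet):
        return self.pred(packet)


def apply_filter(expr, packets):
    """Return the indices of the packets the expression selects."""
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f(p)]


# Constructed sample traffic (not a real capture), using the addresses from the examples.
SAMPLE_PACKETS = [
    {"src": "210.27.48.1", "dst": "210.27.48.2", "sport": 40000, "dport": 23, "proto": "tcp"},
    {"src": "210.27.48.3", "dst": "210.27.48.1", "sport": 5000, "dport": 80, "proto": "tcp"},
    {"src": "210.27.48.9", "dst": "210.27.48.2", "sport": 123, "dport": 123, "proto": "udp"},
    {"src": "210.27.48.3", "dst": "210.27.48.9", "sport": 6000, "dport": 80, "proto": "tcp"},
]

if __name__ == "__main__":
    for expr in ("host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)",
                 "host 210.27.48.1 and 210.27.48.2 or 210.27.48.3",
                 "ip host 210.27.48.1 and not 210.27.48.2",
                 "tcp port 23 and host 210.27.48.1"):
        print(f"{expr:55s} -> {apply_filter(expr, SAMPLE_PACKETS)}")
```

The second expression in the usage loop is the first one without parentheses; on the sample traffic it additionally selects the packet between 210.27.48.3 and 210.27.48.9, which is exactly the over-capture the precedence rule causes. For the real thing, `tcpdump -d 'expression'` prints the compiled BPF program without capturing, which is the check to run before a long capture.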

When tcpdump starts it puts the interface into promiscuous mode, and the kernel records this in the system log, together with the matching "left" message when tcpdump exits (-p tells tcpdump not to use promiscuous mode). On a host where nobody should be sniffing, these messages are worth investigating:

May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
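The log lines above are also a detection source: pairing each "entered" with its "left" gives the window during which a sniffer was attached to an interface, and an "entered" with no "left" means something is still capturing. The script below is an added example, not part of the original page; it parses syslog-style kernel lines of the two forms shown (the driver's own "Promiscuous mode enabled." line is redundant and ignored), and the log excerpt is constructed, with one interface that never leaves promiscuous mode. Syslog timestamps carry no year, so the caller supplies one.

```python
import re
from datetime import datetime

# The netdev message the kernel logs when an interface's promiscuity count
# goes 0 -> 1 ("entered") or back to 0 ("left").
PROMISC = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"device (?P<dev>\S+) (?P<what>entered|left) promiscuous mode"
)


def promisc_windows(lines, year):
    """Pair 'entered' and 'left' messages per (host, interface).

    Returns (closed, still_open): closed is a list of (host, dev, start, end);
    still_open maps (host, dev) to the time it entered promiscuous mode without
    a matching 'left' message so far."""
    open_at, closed = {}, []
    for line in lines:
        m = PROMISC.search(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["dev"])
        if m["what"] == "entered":
            open_at.setdefault(key, ts)
        elif key in open_at:
            closed.append((key[0], key[1], open_at.pop(key), ts))
    return closed, open_at


def promisc_report(lines, year=2024):
    """Summarise sniffing windows and the interfaces still promiscuous at the
    end of the log; the latter should be cross-checked live with `ip link show`,
    where such interfaces carry the PROMISC flag."""
    closed, still_open = promisc_windows(lines, year)
    return {
        "windows": [
            {"host": h, "dev": d, "start": s.isoformat(), "seconds": (e - s).total_seconds()}
            for h, d, s, e in closed
        ],
        "still_promiscuous": sorted(f"{h}:{d}" for h, d in still_open),
    }


# Constructed log excerpt: the three lines quoted above plus an interface that
# enters promiscuous mode and never leaves it.
SAMPLE_LOG = """\
May  7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May  7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May  7 20:03:57 localhost kernel: device eth0 left promiscuous mode
May  7 21:15:02 localhost kernel: device eth1 entered promiscuous mode
"""

if __name__ == "__main__":
    import json
    print(json.dumps(promisc_report(SAMPLE_LOG.splitlines()), indent=2))
```

On a real system feed it `journalctl -k` or /var/log/kern.log; an eleven-second window like the eth0 one above is typical of an interactive tcpdump run, while a long-lived or still-open window on a server is the case to chase.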

tcpdump does not fully decode the captured data; most of a packet's content is printed in hexadecimal, which is not convenient for analysing network faults. The usual approach is to capture with -w into a file first and then decode and analyse the file with another program. Filter rules should still be defined so that the captured packets do not fill the whole disk.

In fact, LZ (the original poster) only describes the usage of the filter expression and does not mention another parameter; if it is not set correctly, packet data will be lost!

It is the -s parameter, snaplen, the capture length of each packet. Read the man page carefully! The capture length is 60 bytes by default, but the Ethernet MTU is generally 1500 bytes, so when you want to capture packets larger than 60 bytes, the default setting will lose packet data!

You only need -s 0 to capture packets at their full length!

If you are interested, I will say a bit more.
The format LZ describes has an industry standard, the BPF (Berkeley Packet Filter) packet filtering language, and many packet capture tools now support it. Ethereal's capture filter is an extension of it. Note that this is not the display filter: Ethereal's display filter uses a different, C/C++-like expression syntax.
In fact, if you have used libpcap you will know that libpcap also needs the snaplen parameter to capture the whole packet. What if you are not familiar with C/C++? It does not matter; you can also use the command line tcpdump -x -l -s 0 and pipe the output into an awk program that parses the IP packets and analyses the application-layer data. With tcpdump plus Perl, simple reassembly of the packet data yields packets that the off-the-shelf NetPacket module recognizes automatically, and NetPacket parses the underlying IP and TCP/UDP layers for you. You only need to know gawk, nawk or Perl, and you can easily write your own parser for non-standard application-layer data. Note: here I did not use Perl's libpcap compatibility module but used tcpdump directly, which keeps the requirements on Perl modules fairly low; and if you run into a non-standard protocol that no Perl module handles, you can still write your own code to parse the packet data!
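The parsing this post proposes doing with awk or Perl, and the snaplen truncation the same poster warns about, as an added example in Python (not the poster's code): it reads `tcpdump -x -l -s 0` output (the `-X` form with an ASCII column is accepted too), reassembles each packet's bytes from the offset-prefixed hex lines, decodes the IPv4 header, verifies its checksum, and pulls out the TCP or UDP ports and payload. A packet whose total length field exceeds the bytes actually captured is reported as truncated, which is what a too-small -s looks like after the fact; newer tcpdump releases default to a much larger snaplen than 60 bytes, so check the man page of your version before assuming either way. The dump below is constructed by hand, not a real capture: one HTTP GET segment from 210.27.48.1 to 210.27.48.2 with a valid IP header checksum, and its summary line is made up to match.

```python
import re
import struct

# One hex line of `tcpdump -x` / `-X` output: an offset, then up to eight
# single-space-separated groups of hex digits. -X appends an ASCII column after
# two spaces, which the single-space rule keeps out of the match.
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+([0-9a-fA-F]{2,4}(?: [0-9a-fA-F]{2,4})*)")

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def split_packets(text):
    """Group tcpdump output into (summary line, raw bytes) pairs.
    A packet begins at a non-hex summary line; its hex lines follow it."""
    packets, summary, chunks = [], None, []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            chunks.append(m.group(2).replace(" ", ""))
        elif line.strip():
            if chunks:
                packets.append((summary, bytes.fromhex("".join(chunks))))
            summary, chunks = line.strip(), []
    if chunks:
        packets.append((summary, bytes.fromhex("".join(chunks))))
    return packets


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header. Computed over a
    header whose checksum field is still present, a correct header yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header[:len(header) & ~1]))
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(pkt):
    """Decode the IPv4 header and, when enough bytes were captured, the TCP or
    UDP header of a packet dumped without its link-layer header (-x, not -xx)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag, ttl, proto, cksum = struct.unpack("!HHHBBH", pkt[2:12])
    out = {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "ttl": ttl,
        "total_len": total_len,
        "captured": len(pkt),
        # a snaplen shorter than the packet (the -s problem) shows up here
        "truncated": len(pkt) < total_len,
        "checksum_ok": len(pkt) >= ihl and ip_checksum(pkt[:ihl]) == 0,
        "proto": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)),
        "payload": None,          # stays None when the transport header is missing
    }
    t = pkt[ihl:total_len]
    if proto == 6 and len(t) >= 20:
        sport, dport = struct.unpack("!HH", t[:4])
        doff = (t[12] >> 4) * 4
        flags = [name for i, name in enumerate(TCP_FLAGS) if t[13] & (1 << i)]
        out.update(sport=sport, dport=dport, flags=",".join(flags), payload=t[doff:])
    elif proto == 17 and len(t) >= 8:
        sport, dport, ulen, ucksum = struct.unpack("!HHHH", t[:8])
        out.update(sport=sport, dport=dport, payload=t[8:ulen])
    return out


def decode_dump(text):
    """Decode every packet in a tcpdump -x/-X dump."""
    return [dict(summary=s, **decode_ipv4(raw)) for s, raw in split_packets(text)]


# Constructed dump (not a real capture): one TCP segment from 210.27.48.1:40000
# to 210.27.48.2:80 carrying "GET / HTTP/1.0", with a valid IP header checksum.
SAMPLE_DUMP = """\
12:00:01.000000 IP 210.27.48.1.40000 > 210.27.48.2.80: Flags [P.], length 18
\t0x0000:  4500 003a 1c46 4000 4006 1a3e d21b 3001
\t0x0010:  d21b 3002 9c40 0050 0000 0001 0000 0000
\t0x0020:  5018 2000 0000 0000 4745 5420 2f20 4854
\t0x0030:  5450 2f31 2e30 0d0a 0d0a
"""

if __name__ == "__main__":
    for p in decode_dump(SAMPLE_DUMP):
        print(p["summary"])
        print({k: v for k, v in p.items() if k != "summary"})
```

Feeding the parser only the first two hex lines of the sample (32 of 58 bytes, what a 32-byte snaplen would leave) still yields the addresses and a valid header checksum, but the TCP header is incomplete and the payload is gone, which is the data loss the post describes.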

Currently, packet capture tools cannot display Chinese characters correctly, but in practice this can be worked around in other ways. If you really need it, you have to unpack the data yourself. To see what is inside the HTTP protocol, you can install an HTTP-viewing plug-in for IE on the client, which lets you see the protocol headers and content, or install a proxy that supports the corresponding encoding on the server side and dump the data there.

To zenith518:

Fortunately, you can use the hex values to check the Chinese characters in the packet. I first dumped the complete packet data with tcpdump on Linux, then copied the file to Windows and viewed it with Ethereal.

I don't quite understand what you said: either install a proxy that supports the corresponding encoding on the server side and then dump the data.
I think the encoding proxy is related to the charset of the whole web page, which may be a different charset: gb2312, Unicode or gbk. It is hard to understand what the encoding proxy is.

I think Ethereal does not work out which charset each packet should be displayed in, so it displays ASCII, and therefore Chinese characters cannot be shown.
If you want Ethereal to know which charset to display with, it would have to pick up the charset settings from other packets; it seems Ethereal has not done that yet, it simply displays ASCII.

Your answer is very good and has broadened my thinking. Besides, Perl is really good stuff.

For the HTTP protocol there are many ways to look at the packets:
1. You can use tcpdump -X -l -s 0 (note that X is uppercase) to view both the ASCII and the hex dump. This is similar to the Solaris snoop command line and saves the trouble of moving packet files around!
2. You can also use a self-built proxy (there are plenty of open-source ones around that can be used with slight modification; try to find a cross-platform one), put it in front of the real server, and intercept the conversation between client and server while forwarding it, logging the request and response data in the correct charset (the correct charset should be taken from the HTTP header).
Ethereal supports many application-layer protocols, it seems more than a thousand according to its website, so there is nothing to worry about: Ethereal recognizes them automatically.
You can also analyse the transport protocols of MSN Messenger and QQ.

I found that after adding the -X parameter, tcpdump output is plain ASCII text, so you can pick a suitable tool to view the file and simply search for Chinese characters in it.
Reading gb2312 in Notepad is no problem; of course, it is more convenient to read the Linux line endings in UltraEdit.
Do you agree?!
Thanks again to zenith518! In fact this job can be done perfectly with Perl! Just be lazy and keep it as simple as possible!
I need to read the tcpdump help, it is very good! Tomorrow we will also see whether characters can be intercepted from MSN; if the client encrypts, nothing will come of it.
