PS: tcpdump is a tool used to intercept network groups and output group content. it is simply a packet capture tool. Tcpdump is the preferred tool for network analysis and troubleshooting in Linux based on its powerful functions and flexible interception policies. Tcpdump provides source code and exposes interfaces, so it is highly scalable.
PS:TcpdumpIt is a tool used to intercept network groups and output group content. In short, it is a packet capture tool.TcpdumpWith powerful functions and flexible interception policies, it becomes the preferred tool for network analysis and troubleshooting in Linux. Tcpdump provides source code and open interfaces, so it has high scalability and is a very useful tool for network maintenance and intruders. Tcpdump exists in the basic Linux system. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local machine, but a threat to the security of other computers on the network.
I. Overview As the name suggests, tcpdump can completely intercept the "header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information.
# Tcpdump-vv
Tcpdump: listening on eth0, link-type EN10MB (Ethernet), capturesize 96 bytes
11:53:21. 444591 IP (tos 0x10, ttl 64, id 19324, offset 0, flags [DF], proto 6, length: 92) asptest. localdomain. ssh> 192.168.228.244.1858: P 3962132600: 3962132652 (52) ack 2726525936win 1266
Asptest. localdomain.1077> 192.168.228.153.domain: [bad udpcksum 166e!] 325 + PTR? 244.228.168.192.in-addr. arpa. (46)
11:53:21. 446929 IP (tos 0x0, ttl 64, id 42911, offset 0, flags [DF], proto 17, length: 151) 192.168.228.153.domain> asptest. localdomain.1077: 325 NXDomain q: PTR? 244.228.168.192.in-addr. arpa. 0/1/0 ns: 168.192.in-addr. arpa. (123)
11:53:21. 447408 IP (tos 0x10, ttl 64, id 19328, offset 0, flags [DF], proto 6, length: 172) asptest. localdomain. ssh> 192.168.228.244.1858: P 168: 300 (132) ack 1 win 1266
347 packets captured
1474 packets partitioned ed by filter
745 packets dropped by kernel
Tcpdump without parameters collects all information headers in the network. the data volume is huge and must be filtered out.
II. options -A prints all groups in ASCII format and minimizes the link layer header.
-C. after receiving a specified number of groups, tcpdump stops.
-C check whether the current file size exceeds the file_size parameter before writing an original group to a file
. If the size exceeds the specified size, close the current file and open a new file. Parameter file_size
The unit is mb (1,000,000 bytes, not 1,048,576 bytes ).
-D provides the code that matches the information package in an assembly format that people can understand.
-Dd provides the code that matches the information package in the format of the C program segment.
-Ddd provides the matching information package code in decimal format.
-D: print out all network interfaces in the system that can use tcpdump to capture packets.
-E prints the header information of the data link layer in the output line.
-E use spi @ ipaddr algo: secret to decrypt the IPsec that uses addr as the address and contains the security parameter index value spi
ESP Group.
-F print the Internet address in numbers.
-F reads the expression from the specified file and ignores the expression given in the command line.
-I indicates the network interface of the listener.
-L changes the standard output to the buffer row format. you can export data to a file.
-L list the known data links of network interfaces.
-M: import the smi mib module definition from the file module. This parameter can be used multiple times to import multiple MIB modules.
-M
If the TCP-MD5 option exists in the tcp message, you need to use secret as the shared verification code to verify the TCP-MD5 selection option Digest (for details, refer to RFC
2385 ).
-B selects the protocol on the data-link layer, including ip, arp, rarp, and ipx.
-N does not convert the network address into a name.
-Nn is directly displayed by IP address and port number, rather than the host and server name.
-N does not output the domain name section in the host name. For example, 'Nic .ddn.mil 'only outputs 'en '.
-T no timestamp is printed on each output line. (-Tt-ttt)
-O does not run the packet-matching code optimization program.
-P does not set network interfaces to the hybrid mode.
-Q: Quick output. Only a small amount of protocol information is output.
-R reads packages from a specified file (these packages are generally generated using the-w option ).
-S outputs the serial number of tcp in the absolute value form, rather than the relative value.
-S reads the initial snaplen bytes from each group, instead of the default 68 bytes. -S 0 indicates that the length is not limited and the entire package is output.
-T directly interpret the packets to be listened to as specified types of packets. Common types include rpc remote process calls and snmp (Simple Network Management Protocol ;).
-T does not output the timestamp in each row.
-Tt outputs a non-formatted timestamp in each row.
-The time difference between the ttt output line and the previous line.
-Tttt outputs the default timestamp format processed by date in each row.
-U outputs undecoded NFS handle.
-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information.
-Vv: output more detailed information.
-Vv: output detailed message information.
-W directly writes the group to the file, instead of printing it out without analysis.
(The output. pcap file can be opened with wireshark in windows for further analysis)
To enable wireshark to analyze tcpdump packages, the key is the-s parameter and the output file must be saved for-w.
-X and-XX are output in hexadecimal and ASCII formats, and data packets can be displayed in read mode,
Memcached Ascii and other plain text transmission protocols, you can see the content;
III. Introduction to tcpdump expressions The expression is a regular expression. tcpdump uses it as a condition for filtering packets. if a packet meets the expression conditions, the packet will be captured. If no conditions are provided, all information packets on the network will be intercepted.
The expressions generally have the following types of keywords:
FirstIs a type keyword, mainly including host, net, port, such as host210.27.48.2, specifying 210.27.48.2 is a host, net202.0.0.0 specifying 202.0.0.0 is a network address, port 23 specifying port number is 23. If no type is specified, the default type is host.
SecondIt is a key word used to determine the transmission direction, mainly including src, dst, dst or src, dst andsrc, which specifies the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the src ordst keyword is used by default.
ThirdIs the protocol keyword, mainly including fddi, ip, arp, rarp, tcp, udp and other types. Fddi indicates a specific network protocol on FDDI (distributed optical fiber data interface network). In fact, it is an alias of "ether". fddi and ether have similar source and destination addresses, therefore, the fddi protocol package can be processed and analyzed as the ether package. The other keywords indicate the protocol content of the listener package. If no protocol is specified, tcpdump listens to the information packages of all protocols.
In addition to these three types of keywords, other important keywords include gateway, broadcast, less, greater, and three logical operations. The non-operation type is 'not ''! ', And the operation is 'and',' & '; or the operation is 'or',' | '; these keywords can be combined to form a powerful combination of conditions to meet people's needs.
Example:
Tcpdump-I lo-nn-A-s 0 tcp-w/home/open/1.txt port 3306 and src host112.142.34.24 and dst host 192.168.1.33
Tcpdump-X-n-s 0 tcp port 8033-I lo
Tcpdump-A-n-x-s 0 tcp port 7430 and host 192.168.3.143
Tcpdump-x-n-s 0 tcp port 9024 or 9021 or 9023 or9020
IV. output results Below we will introduce the output information of several typical tcpdump commands.
(1) data link layer header information Run the following command:
# Tcpdump -- e host ICE
ICE is a linux host. Its MAC address is 0: 90: 27: 58: AF: 1AH219 is a SUN workstation with Solaris installed. Its MAC address is 8: 0: 20: 79: 5B: 46. the output result of the previous command is as follows:
21:50:12. 847509 eth0 <8: 0: 20: 79: 5b: 46 0: 90: 27: 58: af: 1a ip60: h219.33357> ICE. telne t 0: 0 (0) ack 22535 win 8760 (DF)
21:50:12 is the displayed time, 847509 is the ID, eth0 <表示从网络接口eth0接收该分组, eth0> Indicates the sending group from the network interface device. 8: 0: 20: 79: 5b: 46 indicates the MAC address of the host H219, which indicates the group sent from the source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE, indicating that the destination address of the group is ICE. Ip indicates that the group is an IP Group, and 60 indicates the group length. h219.33357> ICE. telnet indicates that the group is the TELNET (23) Port sent from Port 33357 of host H219 to host ICE. Ack 22535 indicates to respond to a packet whose serial number is 222535. Win 8760 indicates that the size of the sending window is 8760.
(2) tcpdump output information of ARP packets Run the following command:
# Tcpdump arp
The output result is:
22:32:42. 802509 eth0> arp who-has route tell ICE (0: 90: 27: 58: af: 1a)
22:32:42. 802902 eth0 <arp reply route is-at 0: 90: 27: 12: 10: 66 (0: 90: 27: 58: af: 1a)
22:32:42 is the timestamp, 802509 is the ID, eth0> indicates that the group is sent from the host, arp indicates that it is the ARP Request packet, who-has route tell ICE indicates that it is the MAC address of the host route requested by the host ICE. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE.
(3) TCP packet output information The common output information of TCP packets captured with tcpdump is:
Src> dst: flags data-seqno ack window urgent options
Src> dst: Indicates from the source address to the destination address. flags indicates the flag information in the TCP packet, S indicates the SYN mark, F (FIN), P (PUSH), R (RST) ". "(not marked); data-seqno is the sequence number of the data in the message, ack is the sequence number expected next time, window is the size of the window receiving the cache, and urgent indicates whether there is an emergency pointer in the message. Options is an option.
(4) UDP packet output information The general output information of the UDP packet captured with tcpdump is:
Route. port1> ICE. port2: udp lenth
UDP is very simple. the output line above indicates a UDP packet sent from the port1 port of the host route to the port2 port of the host ICE. the type is UDP and the package length is lenth.
V. example (1) all groups received and sent by all hosts 210.27.48.1 are to be intercepted:
# Tcpdump host 210.27.48.1
(2) to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (note: the backslash before parentheses is required ):
# Tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)
(3) to obtain an IP packet for all hosts except 210.27.48.1 and 210.27.48.2, run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
(4) If you want to obtain the ssh package received or sent by host 192.168.228.246 and do not convert the host name, run the following command:
# Tcpdump-nn-n src host 192.168.228.246 and port 22 and tcp
(5) obtain the ssh package received or sent by the host 192.168.228.246, and display the mac address together:
# Tcpdump-e src host 192.168.228.246 and port 22 and tcp-n-nn
(6) filter the headers whose source host is 192.168.0.1 and whose destination network is 192.168.0.0:
Tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24
(7) filter the header with the physical address of the source host being XXX:
Tcpdump ether src 00: 50: 04: BA: 9B and dst ......
(Why is there no host or net behind ether src? Of course, the physical address cannot have a network ).
(8) the filters 192.168.0.1and the destination port are not the header of telnetand are imported to the tes.t.txt file:
Tcpdump src host 192.168.0.1 and dst port not telnet-l> test.txt
Ip icmp arp rarp, tcp, udp, icmp, and other options must be placed at the first parameter to filter the data type. Example: how to use tcpdump to listen for data packets from eth0 adapter and the communication protocol is port22 and the target source is 192.168.1.100? A: tcpdump-I eth0-nn port 22 and src host 192.168.1.100
Example: how to use tcpdump to capture and access the eth0 adapter card and the access port is tcp 9080? A: tcpdump-I eth0 dst 172.1670.35 and tcp port 9080
Example: how to use tcpdump to capture packets that communicate with host 192.168.43.23 or host 192.168.43.24 and display them on the console Tcpdump-X-s 1024-I eth0 host (192.168.43.23 or 192.168.43.24) and host 172.16.70.35
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.