Introduction to tcpdump commands in Linux

The installation and use of the sniffer tool Tcpdump in Linux is one of the most common and important technologies among today's many hacker technologies. Friends who have used sniffer tools on windows (for example, netxray and snifferpro) may know that using sniffer in a shared Lan is simply enough.

Install and use the sniffer tool Tcpdump in Linux

Among today's many hacking technologies, sniffer is the most common and important technology. Windows platform used

Friends of the sniffer tool (such as netxray and sniffer pro software) on the platform may know that

Using the sniffer tool, you can see all the traffic in the network at a glance! The Sniffer tool is actually a network

The packet capture tool can also analyze the captured packets. In a shared network, information packets are broadcast to the network.

Network interfaces of all hosts in the network, except that the network device of the host determines the information before the sniffer tool is used.

Whether the packet should be received, so that it will discard the information packet that should not be received, but the sniffer tool will make the network device of the host receive

All arriving information packages achieve the effect of network listening. In fact, the sniffer tool can be used by hackers

It is also beneficial to network administrators and network programmers. Network administrators can use the sniffer tool to keep abreast of the problem.

When the network performance drops sharply, you can use the sniffer tool to analyze the cause and find out the cause.

The source of network congestion. For network programmers, the sniffer tool is used to debug programs.
Next we will introduce an excellent sniffer in linux -------Tcpdump. (The operations below are all in

Redhat 6.2 linux 2.2.14 has been tested .)

1. installation of Tcpdump
In linux, the installation of tcpdump is very simple. Generally, there are two installation methods. One is to install the rpm Package

Installation. In addition, it is installed in the form of a source program.
1. rpm Package installation
This form of installation is the simplest installation method. The rpm package is to compile the software and package it into a binary format.

Command can be directly installed without modifying anything. Use the following command to log on as a super user:
# Rpm-ivh tcpdump-3_4a5.rpm
In this way, tcpdump is successfully installed on your linux system. It's easy.
2. installation of the source program
Since the rpm Package is easy to install, why should we use a complex source program for installation? In fact, linux is the largest

The attractive thing is that there are a lot of software on her that provides source programs. people can modify the source program to meet their special needs.

Yes. Therefore, I especially recommend that you install the source program.
· The first step is to obtain the source program. in the installation method of the source program, we must first obtain the tcpdump source program distribution package,

The distribution package has two forms: tarcompressed package (tcpdump-3_4a5.tar. Z) and rpm distribution package

Tcpdump-3_4a5.src.rpm ). These two types of content are identical, and different types of content are compressed.

To uncompress a package, run the following command:
# Tar xvfz tcpdump-3_4a5.tar.Z
Run the following command to install the rpm Package:
# Rpm-ivh tcpdump-3_4a5.src.rpm
In this way, extract the source code of tcpdump to the/usr/src/redhat/SOURCES Directory.

· Step 2 Prepare the source program for compilation
Before compiling the source program, it is best to confirm that the library file libpcap has been installed. the library file is tcpdump.

Library files required by the software. Similarly, you also need a standard C language compiler. Compile standard C language in linux

Is usually gcc. In the tcpdump source program directory. One file is Makefile. in, and the configure command is from

Makefile. in files automatically generate Makefile FILES. In the Makefile. in file, you can modify it according to the system configuration.

The two macros BINDEST and MANDEST are defined. the default value is
BINDEST = @ sbindir @
MANDEST = @ mandir @
The first macro value indicates the path name of the binary file where tcpdump is installed, and the second macro indicates the man help page of tcpdump.

You can modify them to meet system requirements.

· Step 3 compile the source program
Use the configure script in the source program directory to read various required attributes from the system. And according

Makefile. in files automatically generate Makefile files for compilation and use the. make command according to the rules in the Makefile file

Compile the tcpdump source program. Run the make install command to install the compiled binary file tcpdump.
Summary:
# Tar xvfz tcpdump-3_4a5.tar.Z
# Vi Makefile. in
#./Configure
# Make
# Make install

II. Use of Tcpdump

Tcpdump adopts the command line method. its command format is:
Tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name] [-I network interface] [-r file

Name] [-s snaplen] [-T type] [-w file name] [expression]

1. Introduction to tcpdump options
-A converts a network address and broadcast address into a name;
-D. give the code that matches the information package in an assembly format that people can understand;
-Dd provides the code that matches the information package in the format of the C program segment;
-Ddd provides the matching information package code in decimal format;
-E prints the header information of the data link layer in the output line;
-F print the Internet address in numbers;
-L changes the standard output to the buffer row format;
-N does not convert the network address into a name;
-T no timestamp is printed on each output line;
-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information;
-Vv: output detailed message information;
-C. after receiving the specified number of packages, tcpdump stops;
-F read the expression from the specified file and ignore other expressions;
-I indicates the network interface of the listener;
-R reads packets from a specified file (these packets are generally generated using the-w option );
-W directly writes the package into the file and does not analyze or print it out;
-T directly interpret the packet to be listened to as a specified type of message. Common types include rpc (remote process call)

And snmp (Simple Network Management Protocol );

2. Introduction to tcpdump expressions

A regular expression is used by tcpdump to filter packets.

The packet will be captured. If no conditions are provided, all information packets on the network will be intercepted.

.
In expressions, the following types of keywords are generally used. one is about the types of keywords, including host, net

, Port, for example, host 210.27.48.2, indicating that 210.27.48.2 is a host, and net 202.0.0.0 indicates

202.0.0.0 is a network address and port 23 indicates that the port number is 23. If no type is specified, the default type is host.
The second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src.

Keyword indicates the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2,

Dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the default value is src.

Or dst keyword.
The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates that

The specific network protocol on FDDI (distributed optical fiber data interface network) is actually the alias of "ether", fddi and ether

The fddi protocol package can be treated as an ether package for processing and analysis. Other

Several keywords indicate the protocol content of the listener package. If no protocol is specified, tcpdump listens to all

Protocol information package.
In addition to the three types of keywords, other important keywords are as follows: gateway,

Broadcast, less, greater, and three other logical operations are available. The non-calculation is 'not ''! ', And the operation is 'and ','&&';

Or is 'or', '| ';

These keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples.

(1) all packets received and sent by all hosts 210.27.48.1 are to be intercepted:
# Tcpdump host 210.27.48.1

(2) to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command:

When using parentheses in the command line, be sure
# Tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

(3) If you want to obtain an IP packet for all hosts except 210.27.48.1

Run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2

(4) to obtain the telnet packet received or sent by the host 210.27.48.1, run the following command:
# Tcpdump tcp port 23 host 210.27.48.1

3. Introduction to output results of tcpdump

Below we will introduce the output information of several typical tcpdump commands.

(1) data link layer header information
Run the command # tcpdump -- e host ice
Ice is a linux host. her MAC address is 0: 90: 27: 58: AF: 1A.
H219 is a SUN workstation with SOLARIC. its MAC address is 8: 0: 20: 79: 5B: 46;

The output result is as follows:
21:50:12. 847509 eth0 <8: 0: 20: 79: 5b: 46 0: 90: 27: 58: af: 1a ip 60: h219.33357>

Ice. telnet 0: 0 (0) ack 22535 win 8760 (DF)
Analysis: 21: 50: 12 indicates the display time, 847509 indicates the ID number, and eth0 indicates the display time. <表示从网络接口eth0 接受该数据< p>

Packet, eth0> indicates the packet sent from the network interface device. 8: 0: 20: 79: 5b: 46 is the MAC address of host H219, which indicates

The data packet sent from the source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE, indicating the destination address of the data packet.

Is ICE. ip indicates that the data packet is an IP data packet, 60 indicates the length of the data packet, and h219.33357> ice. telnet indicates

The packet is sent from Port 33357 of host H219 to Port TELNET (23) of host ICE. ack 22535 indicates that the serial number is

222535 of the packets respond. win 8760 indicates that the size of the sending window is 8760.

(2) TCPDUMP output information of ARP packets
Run the command # tcpdump arp
The output result is:
22:32:42. 802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)
22:32:42. 802902 eth0 <arp reply route is-at 0: 90: 27: 12: 10: 66 (0: 90: 27: 58: af: 1a)
Analysis: 22:32:42 is the time stamp, 802509 is the ID number, eth0> indicates that the packet is sent from the host, arp indicates that the packet is ARP

Request package. who-has route tell ice indicates the MAC address of the host ROUTE requested by the host ICE. 0: 90: 27: 58: af: 1a

Is the MAC address of the host ICE.

(3) TCP packet output information
The common output information of TCP packets captured with TCPDUMP is:
Src> dst: flags data-seqno ack window urgent options
Src> dst: Indicates from the source address to the destination address. flags indicates the flag information in the TCP packet, S indicates the SYN mark, F (FIN ),

P (PUSH), R (RST) "." (not marked); data-seqno is the sequence number of data in the data packet, and ack is the expected

Window indicates the size of the window that receives the cache, and urgent indicates whether there is an emergency pointer in the data packet. Options is optional.

Item.

(4) UDP packet output information
The general output information of the UDP packet captured with TCPDUMP is:
Route. port1> ice. port2: udp lenth
UDP is very simple. the output line above indicates a UDP packet sent from the port1 port of the host ROUTE to the host ICE

The port2 port of UDP, and the package length is lenth.

As mentioned above, I have introduced in detail the installation and use of TCPDUMP, hoping to help you. If you want to use it skillfully

TCPDUMP, a SNIFFER tool in LINUX, also requires you to sum up your experience in practice and give full play to its power.