What is tcpdump
Run man tcpdump on Linux and the definition it gives is as follows:
tcpdump - dump traffic on a network
Not very helpful, is it? Let's describe tcpdump more fully in plain, figurative and academic terms:
- In layman's terms, tcpdump is a packet-capture tool that grabs the packets transmitted over the network
- Figuratively, tcpdump is like customs at a national border: every item of goods entering or leaving has to be inspected, and customs checks samples to see exactly what the goods are
- Academically, tcpdump is a sniffer that exploits the characteristics of Ethernet by putting the network device into promiscuous mode in order to obtain the packets transmitted over the network
Before using tcpdump you should have the following background:
1. Familiarity with, and experience using, a Linux system
2. Knowledge of the seven-layer OSI model and the role of each layer
3. Familiarity with network protocols, especially IP/TCP/UDP
4. Knowing which protocol layers switches and routers correspond to, and the difference between the two
Basic syntax
tcpdump [options] [network interface]
The common options are as follows:
Option | Description
-A | Print the contents of each packet in ASCII only
-c | count: exit after receiving the specified number of packets, i.e. capture only that many packets
-d | Dump the compiled packet-matching code in a human-readable form and exit
-dd | Dump the packet-matching code as a C program fragment
-ddd | Dump the packet-matching code as decimal numbers
-D | List all the capture interfaces that can be selected
-e | Print the data link layer header on each line
-F | Specify the file containing the filter expression
-i | interface: specify the network interface to listen on
-l | Switch the output to line-buffered mode
-n | Do not convert host addresses to names
-nn | Do not convert protocol and port numbers either: when tcpdump encounters a protocol number or port number it leaves it as a number, so for port 22 (the SSH port) we see 22 rather than ssh
-p | Do not put the network interface into promiscuous mode
-q | Quick (quiet) output, printing less protocol information
-r | Read the raw packets from a file, which was produced with the -w option
-t | Do not print a timestamp on each line
-tt | Print an unformatted timestamp on each line
-ttt | Print the time difference between the current line and the previous line, in ms
-tttt | Print a timestamp in the default format produced by date on each line
-ttttt | Print the time difference between the current line and the first line, in ms
-v | Show more detailed information
-w | Save the raw packets to a file
-x | Print the protocol headers and packet contents in hex
Example
To capture packets with tcpdump you must switch to the root account.
1. First capture example
[root@localhost ~]# tcpdump -i ens5f1 -nn -X 'port 22' -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
22:34:11.334916 IP 192.168.8.8.22 > 112.64.61.186.37035: Flags [P.], seq 3341229570:3341229782, ack 1999159071, win 31152, length 212
	0x0000:  4510 00fc 7e99 4000 4006 44a8 c0a8 0808  E...~.@.@.D.....
	0x0010:  7040 3dba 0016 90ab c727 1e02 7728 bf1f  p@=......'..w(..
	0x0020:  5018 79b0 7799 0000 0000 00b0 823d 4cf1  P.y.w........=L.
	0x0030:  1108 58fc 3686 2bd2 5220 fe37 85ab 74cc  ..X.6.+.R .7..t.
	0x0040:  bfb1 8831 7d1c 3b57 52ae aa91 28a2 67d8  ...1}.;WR...(.g.
	0x0050:  08fb a257 7fc8 7186 39dc d266 3d32 cce8  ...W..q.9..f=2..
	0x0060:  3eb7 130b a7d3 833b 59c9 bdf8 2141 6863  >......;Y...!Ahc
	0x0070:  7cae 25ff 459e c94a a635 7098 6925 db48  |.%.E..J.5p.i%.H
	0x0080:  a9b0 32ab 5393 737f cf8c f2ed b47a 7d8b  ..2.S.s......z}.
	0x0090:  346c 39df 3ecc d2b0 e0ad 5104 272d 6513  4l9.>.....Q.'-e.
	0x00a0:  4b8d 5ee6 6c7d 9477 e40b 8637 996a bb5a  K.^.l}.w...7.j.Z
	0x00b0:  471a 2ac4 3335 266d 0485 2e52 b2c2 f6e8  G.*.35&m...R....
	0x00c0:  0549 5ae0 9c7b ad45 da0a eef2 1ccb b2ac  .IZ..{.E........
	0x00d0:  a4a2 0a96 cc5f 238c 9570 0d15 984e 6f58  ....._#..p...NoX
	0x00e0:  d8ff 8034 1165 cf44 02e4 ed6b 631e 2548  ...4.e.D...kc.%H
	0x00f0:  56fd 4c8a 664c e5ee d845 2e50            V.L.fL...E.P
1 packet captured
1 packet received by filter
0 packets dropped by kernel
-i: specifies the network interface used for the capture, which is very useful when the server has several network cards.
-nn: do not convert protocol and port numbers to names; when tcpdump encounters a protocol number or port number it leaves it as a number, so for port 22 (the SSH port) we see 22 rather than ssh.
-X: print the protocol headers and packet contents in both hex and ASCII, which is very useful for protocol analysis.
'port 22': tells tcpdump to display the captured packets selectively; only packets whose source port or destination port is 22 are shown, all other packets are not displayed.
-c: specifies how many packets to capture; in this example it is set to 1, so tcpdump captures exactly one packet and then exits.
2. -e Add the data link layer header information
[root@localhost ~]# tcpdump -i ens5f1 -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:44:06.918259 IP localhost.localdomain.ssh > 112.64.61.186.37035: Flags [P.], seq 3341233794:3341234006, ack 1999165283, win 31152, length 212
1 packet captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens5f1 -c 1 -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:45:51.114314 dc:fe:18:65:76:f2 (oui Unknown) > 34:97:f6:5a:50:e0 (oui Unknown), ethertype IPv4 (0x0800), length 82: 112.85.42.197.20263 > localhost.localdomain.ssh: Flags [P.], seq 254675888:254675904, ack 306708143, win 155, options [nop,nop,TS val 3668622988 ecr 391712180], length 16
1 packet captured
8 packets received by filter
0 packets dropped by kernel
Comparing the output of the two commands, you can see that the MAC address information is added to the output once the -e option is used. The output also contains oui Unknown. OUI stands for Organizationally Unique Identifier: of the 6-byte MAC address burned into every network card, the first 3 bytes are the OUI, which identifies the organization that manufactured the NIC and is normally unique. In this example the NIC's manufacturer is not recognized, so it is displayed as Unknown.
3. -l Change the output to line-buffered mode
The function of -l is to make tcpdump's output line-buffered, which guarantees that whenever tcpdump emits a newline the buffered content is immediately written to standard output (stdout), so the output can be processed further through a pipe or redirection without delay.
Standard I/O on Linux provides three buffering modes: full buffering, line buffering and no buffering. Standard error is unbuffered, terminal devices are usually line-buffered, and everything else is fully buffered by default.
[root@localhost ~]# tcpdump -i ens5f1 -l -c 5 | awk '{print $5}'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
112.64.61.186.37035:
gateway.domain:
localhost.localdomain.49348:
gateway.domain:
localhost.localdomain.ssh:
5 packets captured
13 packets received by filter
0 packets dropped by kernel
In this example the tcpdump output is piped through awk to pick out the 5th column, which can be used to view the connection details. Without the -l option tcpdump only flushes its buffer when the buffer is full, which can make the output discontinuous, and if the process is forced to end the last line may be left incomplete.
4. -t Output without timestamps
[root@localhost ~]# tcpdump -i ens5f1 -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:48:03.193526 IP localhost.localdomain.ssh > 112.64.60.194.19101: Flags [P.], seq 3091447763:3091447975, ack 4113666212, win 251, length 212
1 packet captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens5f1 -c 1 -t
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP localhost.localdomain.ssh > 112.64.60.194.19101: Flags [P.], seq 3091448643:3091448855, ack 4113666488, win 251, length 212
1 packet captured
6 packets received by filter
0 packets dropped by kernel
When the -t option is added, the time 23:48:03.193526 disappears. By default tcpdump timestamps to microseconds, so the 6th decimal digit is the finest resolution shown.
5. -v Show details
[root@localhost ~]# tcpdump -i ens5f1 -c 1 -v
tcpdump: listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:53:13.252748 IP (tos 0x10, ttl 64, id 24820, offset 0, flags [DF], proto TCP (6), length 188)
    localhost.localdomain.ssh > 112.64.60.194.19101: Flags [P.], cksum 0x7661 (incorrect -> 0x2474), seq 3091449471:3091449619, ack 4113666972, win 251, length 148
1 packet captured
7 packets received by filter
0 packets dropped by kernel
With the -v option, the tos, ttl, id, offset, protocol number, total length and so on are added to the output. To make sense of these fields you need to know the exact definitions of the header fields in the TCP/IP protocols.
6. -F Specify the file containing the filter expression
In the first example the command line included 'port 22', which is called the filter condition; when a filter condition is set, tcpdump only captures the packets that match it. If you need a more complex filter, or want to reuse one, you can save the filter to a file and load that file with -F.
[root@localhost ~]# cat tcpdumpFilter.txt
port 22
[root@localhost ~]# tcpdump -i ens5f1 -c 1 -v -F ~/tcpdumpFilter.txt
tcpdump: listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:05:52.685555 IP (tos 0x10, ttl 64, id 25291, offset 0, flags [DF], proto TCP (6), length 188)
    localhost.localdomain.ssh > 112.64.60.194.19101: Flags [P.], cksum 0x7661 (incorrect -> 0x827b), seq 3091492507:3091492655, ack 4113685300, win 251, length 148
1 packet captured
3 packets received by filter
0 packets dropped by kernel
7. -w Save the raw packets to a file
[root@localhost ~]# tcpdump -i ens5f1 -c 1 -v -F ~/tcpdumpFilter.txt -w ~/tcpdumpRAW
tcpdump: listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
1 packet captured
1 packet received by filter
0 packets dropped by kernel
[root@localhost ~]# cat tcpdumpRAW
(unreadable binary output)
When we look at the saved file it is garbled and cannot be read directly; it is most likely a binary file. So how do we view the saved file? Look at the next example.
[root@localhost ~]# file tcpdumpRAW
tcpdumpRAW: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
8. -r Read the raw packets from a file
[root@localhost ~]# tcpdump -r ~/tcpdumpRAW
reading from file /root/tcpdumpRAW, link-type EN10MB (Ethernet)
00:11:27.838878 IP localhost.localdomain.ssh > 112.64.60.194.19101: Flags [P.], seq 3091494399:3091494547, ack 4113686720, win 251, length 148
The -w and -r options make it possible to record a capture and play it back later.
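As an added example (not code from the original article), the following Python reads a capture file of the kind -w writes and -r reads, checks the same facts that file reported (little-endian, version 2.4, Ethernet, capture length 262144), and decodes the first packet into the fields seen in the -nn and -v output above. The IP packet bytes are the hex from the first capture example; the Ethernet header, MAC addresses and pcap headers wrapped around it are constructed here so it runs offline.

```python
# Added example (not from the article): read a pcap file as `tcpdump -w` writes it
# and decode the first packet. IP_PACKET is the hex from the article's first capture;
# the Ethernet and pcap headers around it are constructed so this runs offline.
import socket
import struct

IP_PACKET = bytes.fromhex(
    "451000fc7e994000400644a8c0a80808 70403dba001690abc7271e027728bf1f"
    "501879b077990000000000b0823d4cf1 110858fc36862bd25220fe3785ab74cc"
    "bfb188317d1c3b5752aeaa9128a267d8 08fba2577fc8718639dcd2663d32cce8"
    "3eb7130ba7d3833b59c9bdf821416863 7cae25ff459ec94aa63570986925db48"
    "a9b032ab5393737fcf8cf2edb47a7d8b 346c39df3eccd2b0e0ad5104272d6513"
    "4b8d5ee66c7d9477e40b8637996abb5a 471a2ac43335266d04852e52b2c2f6e8"
    "05495ae09c7bad45da0aeef21ccbb2ac a4a20a96cc5f238c95700d15984e6f58"
    "d8ff80341165cf4402e4ed6b631e2548 56fd4c8a664ce5eed8452e50"
)  # 252 bytes: IPv4 header, TCP header, 212 bytes of SSH payload

def build_pcap(ip_packet: bytes) -> bytes:
    """Constructed pcap image: global header (magic 0xa1b2c3d4, version 2.4,
    Ethernet, snaplen 262144) and one record with made-up MAC addresses."""
    frame = bytes.fromhex("001122334455 66778899aabb 0800") + ip_packet
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    rhdr = struct.pack("<IIII", 1_500_000_000, 334916, len(frame), len(frame))
    return ghdr + rhdr + frame

def decode_first_packet(data: bytes) -> dict:
    """Check the global header (what `file` reported), then decode Ethernet/IPv4/TCP
    of record 1 into the fields that `tcpdump -nn -v` prints."""
    magic, vmaj, vmin, _tz, _sig, snaplen, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or link != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("not a little-endian Ethernet pcap file")
    incl_len = struct.unpack_from("<I", data, 32)[0]  # record header: sec, usec, incl, orig
    frame = data[40:40 + incl_len]
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, frag, ttl, proto = struct.unpack_from("!BBHHHBB", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", ip, ihl)
    payload = total_len - ihl - (off_flags >> 12) * 4
    # tcpdump prints TCP flags in this order; a bare ACK shows as "."
    letters = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
               (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))
    flags = "".join(ch for bit, ch in letters if off_flags & bit)
    return {"pcap_version": f"{vmaj}.{vmin}", "snaplen": snaplen, "tos": tos,
            "ttl": ttl, "id": ident, "df": bool(frag & 0x4000), "proto": proto,
            "length": total_len, "win": win, "ack": ack, "flags": f"[{flags}]",
            "src": f"{socket.inet_ntoa(ip[12:16])}.{sport}",
            "dst": f"{socket.inet_ntoa(ip[16:20])}.{dport}",
            "seq": f"{seq}:{seq + payload}", "payload_len": payload}
```

Calling decode_first_packet(build_pcap(IP_PACKET)) reproduces the first example's summary line (192.168.8.8.22 > 112.64.61.186.37035, Flags [P.], seq 3341229570:3341229782, ack 1999159071, win 31152, length 212) plus the tos/ttl/id/DF fields that -v adds.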
This article is also published on my WeChat subscription account, Woaitest; if you like my articles you are welcome to follow it.
Linux Basic Tutorial 29 - tcpdump command - 1