Document directory
- TCP Packets
- UDP Packets
- UDP name server responses
Tcpdump ("dump traffic on a network") captures packets on a network interface. It can capture different packets depending on the interface specified, and it prints a description of each packet on that interface whose contents match the filter expression. When tcpdump finishes capturing, it prints a summary like the following:

    9 packets captured
    56 packets received by filter
    17 packets dropped by kernel

Reading packets from the network naturally requires privileges, for example the super user on Linux.

Commonly used options:

tcpdump -A    Print each packet in ASCII; this makes captured text easy to read.
tcpdump -D    Print the network interfaces available on the current system. The -i option then selects a specific one of them.
tcpdump -F    Read the filter expression from a file.
tcpdump -i    Listen on the specified interface. If no interface is given, tcpdump searches the interface list and uses the lowest-numbered interface for listening.
tcpdump -l    Make standard output line-buffered. To view data while capture is still in progress, run:

    tcpdump -l > dat & tail -f dat

tcpdump -S    Print absolute TCP sequence numbers.
tcpdump -w    Write the captured packets to a file instead of printing them.

Without a filter expression, all packets on the network are captured.

TCP Packets

The general format of a TCP line is:

    src > dst: flags data-seqno ack window urgent options

where options are TCP options such as MSS, timestamp and window scale.
1. Capturing TCP packets with a specific flag set

The TCP header carries eight control bits:

    CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

TCP header layout (bit positions 0, 15 and 31 marked across the top):

     0                            15                              31
    -----------------------------------------------------------------
    |          source port          |       destination port        |
    -----------------------------------------------------------------
    |                        sequence number                        |
    -----------------------------------------------------------------
    |                     acknowledgment number                     |
    -----------------------------------------------------------------
    |  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
    -----------------------------------------------------------------
    |         TCP checksum          |       urgent pointer          |
    -----------------------------------------------------------------

The eight control bits occupy octet 13 of the TCP header (counting octets from 0), which is exactly the byte the filter expression tcp[13] reads. Numbering the bits of that octet from 0 to 7, right to left:

    |---------------|
    |C|E|U|A|P|R|S|F|
    |---------------|
    |7   5   3     0|

When only the SYN bit is set, this octet is 00000010 in binary, that is, 2. So the following command captures only TCP datagrams whose octet 13 equals 2, i.e. packets with SYN alone set:

    tcpdump -i <interface> 'tcp[13] = 2'

A SYN-ACK packet also carries SYN. If we want to treat it as a SYN packet too, how do we capture it? With both SYN and ACK set, octet 13 is:

    |C|E|U|A|P|R|S|F|
    |---------------|
    |0 0 0 1 0 0 1 0|
    |---------------|
    |7 6 5 4 3 2 1 0|

that is, 00010010 in binary, or 18. Using tcp[13] = 18 would not do: it captures only SYN-ACK packets and no longer matches plain SYN packets. Instead, keep only the SYN bit and ignore the others, using a bitwise AND:

    tcpdump -i <interface> 'tcp[13] & 2 = 2'

This matches any packet in which bit 1 (SYN) is set, whatever the other bits hold. In tcpdump output such a SYN-ACK packet shows the flags [S.] (S for SYN, the dot for ACK).

UDP Packets

The UDP format is illustrated by this line:

    actinide.who > broadcast.who: udp 84

who is the port (the who service) on both hosts, actinide and broadcast are the network addresses of the hosts, and 84 is the size of the UDP datagram.
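The following Python script is an added example, not code from the original page or from tcpdump: it builds three constructed 20-byte TCP headers (a SYN, a SYN-ACK and a plain ACK), reads octet 13 the way a tcp[13] filter does, and evaluates both filters from the TCP section above against each header, so the difference between tcp[13] = 2 and tcp[13] & 2 = 2 can be seen without capturing traffic. The port numbers and the flag-letter rendering are this example's own choices; the letter order follows what tcpdump prints.

```python
import struct

# Added example (not from the original page): constructed TCP headers, not captured traffic.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Return a 20-byte TCP header (data offset 5, no options) laid out as in the diagram above."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble of octet 12
    # checksum and urgent pointer are left as 0; they do not matter for the flag check
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def tcp13(header):
    """Octet 13 of the TCP header, the byte that tcp[13] reads in a filter expression."""
    return header[13]


def syn_only_filter(header):
    """Equivalent of 'tcp[13] = 2': matches only when SYN alone is set."""
    return tcp13(header) == 2


def syn_set_filter(header):
    """Equivalent of 'tcp[13] & 2 = 2': matches whenever SYN is set, other bits ignored."""
    return tcp13(header) & 2 == 2


# tcpdump prints flags in this order: F S R P . U E W (ACK is shown as a dot)
FLAG_LETTERS = [(FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"),
                (ACK, "."), (URG, "U"), (ECE, "E"), (CWR, "W")]


def tcpdump_flags(header):
    """Render octet 13 the way tcpdump shows it, e.g. [S] for SYN or [S.] for SYN-ACK."""
    b = tcp13(header)
    return "[" + "".join(letter for mask, letter in FLAG_LETTERS if b & mask) + "]"


# Constructed samples: a client SYN, the server's SYN-ACK, and a plain ACK.
SAMPLES = {
    "syn":     build_tcp_header(40000, 80, SYN),
    "syn-ack": build_tcp_header(80, 40000, SYN | ACK),
    "ack":     build_tcp_header(40000, 80, ACK),
}


def evaluate(samples=SAMPLES):
    """Map each sample to (tcp[13] value, 'tcp[13] = 2' result, 'tcp[13] & 2 = 2' result, flags)."""
    return {name: (tcp13(h), syn_only_filter(h), syn_set_filter(h), tcpdump_flags(h))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (value, eq2, and2, flags) in evaluate().items():
        print(f"{name:8s} tcp[13]={value:3d} ({value:08b})  "
              f"tcp[13]=2: {eq2!s:5}  tcp[13]&2=2: {and2!s:5}  {flags}")
```

Running it shows the SYN header with octet 13 = 2 matching both filters, while the SYN-ACK header (octet 13 = 18) is matched only by the bitwise-AND form; the plain ACK (16) matches neither.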
UDP name server requests

The format of a name server request is:

    src > dst: id op? flags qtype qclass name (len)

For example:

    h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h2opolo asked the domain server on helios for an address record (qtype = A) associated with the name ucbvax.berkeley.edu. The id of the query is 3, the '+' indicates that the recursion-desired flag was set, and the query length is 37 bytes.

UDP name server responses

The format of a response is:

    src > dst: id op rcode flags a/n/au type class data (len)

For example:

    helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)

helios answers query id 3 from h2opolo with three answer records, three name server records and seven additional records. The first answer record is of type A (address) and its data is the Internet address 128.32.137.3. The total size of the response is 273 bytes, not including the UDP and IP headers.
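The script below is an added example, not code from the original page or from tcpdump: it constructs the DNS query described above (id 3, recursion desired, qtype A for ucbvax.berkeley.edu), parses its header and question the way the request summary line needs, and renders the same summary format. For the response it constructs a minimal reply with a single A record for 128.32.137.3, so its counts come out as 1/0/0 and its length as 53 rather than the 3/3/7 and 273 bytes of the page's captured example; the counts and length are read from the bytes, not hard-coded. The rendering covers the common case only (standard query, no error code), which is an assumption of this example.

```python
import struct
import ipaddress

# Added example (not from the original page): constructed DNS messages, not captured traffic.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1, rd=True):
    """Standard query: 12-byte header (QR=0, opcode 0, RD set) plus one question."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(qid, name, addr, ttl=3600):
    """Response (QR=1, RD, RA, rcode 0) echoing the question plus one A record."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # the answer's owner name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def parse_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_header(msg):
    """Split the 12-byte header into id, flag bits, rcode and the four section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "qd": qd, "an": an, "ns": ns, "ar": ar}


def summarize(msg):
    """Render a query as 'id+ qtype? name. (len)' and a response as 'id a/n/au type data (len)'."""
    h = parse_header(msg)
    qname, off = parse_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    tname = QTYPE_NAMES.get(qtype, str(qtype))
    if h["qr"] == 0:
        return f"{h['id']}{'+' if h['rd'] else ''} {tname}? {qname}. ({len(msg)})"
    data = ""
    if h["an"]:  # describe the first answer record, as the response line does
        _owner, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        value = str(ipaddress.IPv4Address(rdata)) if rtype == 1 else rdata.hex()
        data = f" {QTYPE_NAMES.get(rtype, str(rtype))} {value}"
    return f"{h['id']} {h['an']}/{h['ns']}/{h['ar']}{data} ({len(msg)})"


if __name__ == "__main__":
    query = build_query(3, "ucbvax.berkeley.edu")
    reply = build_a_response(3, "ucbvax.berkeley.edu", "128.32.137.3")
    print("h2opolo.1538 > helios.domain:", summarize(query))
    print("helios.domain > h2opolo.1538:", summarize(reply))
```

The constructed query is exactly 37 bytes (12-byte header, 21-byte encoded name, 4 bytes of qtype and qclass), which matches the length shown in the page's request line; the length tcpdump prints is the DNS message length, so the UDP and IP headers are not part of it.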