Linux packet capture tool tcpdump

tcpdump is a tool that intercepts packets on the network and prints their contents; in short, it is a packet capture tool. Because of its rich features and flexible capture filters, tcpdump is the preferred tool for network analysis and troubleshooting on Linux.

tcpdump is open source and its interfaces are easy to extend, which makes it useful to network administrators and intruders alike. tcpdump is part of the basic Linux system. Because it has to put the network interface into promiscuous mode, ordinary users cannot run it normally, whereas a user with root privileges can run it directly and observe the traffic on the network. A packet analyzer on a system is therefore not a threat to the security of that machine itself, but it is a threat to the security of the other computers on the network.

I. Overview
As the name suggests, tcpdump can intercept the headers of the packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and it provides the logical operators and, or and not to help you discard irrelevant information.

# tcpdump -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:53:21.444591 IP (tos 0x10, ttl 64, id 19324, offset 0, flags [DF], proto 6, length: 92) asptest.localdomain.ssh > 192.168.228.244.1858: P 3962132600:3962132652(52) ack 2726525936 win 1266
asptest.localdomain.1077 > 192.168.228.153.domain: [bad udp cksum 166e!] 325+ PTR? 244.228.168.192.in-addr.arpa. (46)
11:53:21.446929 IP (tos 0x0, ttl 64, id 42911, offset 0, flags [DF], proto 17, length: 151) 192.168.228.153.domain > asptest.localdomain.1077: 325 NXDomain q: PTR? 244.228.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. (123)
11:53:21.447408 IP (tos 0x10, ttl 64, id 19328, offset 0, flags [DF], proto 6, length: 172) asptest.localdomain.ssh > 192.168.228.244.1858: P 168:300(132) ack 1 win 1266
347 packets captured
1474 packets received by filter
745 packets dropped by kernel

Run without arguments, tcpdump collects the headers of every packet on the network. The volume of data is huge, so it must be filtered.

II. Options


-A prints each packet in ASCII, without its link-layer header.

-c count: tcpdump exits after receiving count packets.

-C file_size: before writing a raw packet to a save file, check whether the file is larger than file_size; if it is, close the current file and open a new one. file_size is measured in millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d dumps the compiled packet-matching code in a human-readable, assembly-like form.

-dd dumps the packet-matching code as a C program fragment.

-ddd dumps the packet-matching code as decimal numbers.

-D prints the list of network interfaces on the system on which tcpdump can capture packets.

-e prints the data link layer header on each output line.

-E spi@ipaddr algo:secret: decrypt the IPsec ESP packets that are addressed to ipaddr and carry the Security Parameter Index value spi, using the algorithm algo and the key secret.

-f prints foreign Internet addresses numerically.

-F file: read the filter expression from file; any expression given on the command line is ignored.

-i interface: the network interface to listen on.

-l makes standard output line-buffered, so the output can be redirected to a file (or piped) while you watch it.

-L lists the known data link types of the network interface.

-m module: load the SMI MIB module definitions from the file module. The option may be given several times to load several MIB modules.

-M secret: if a TCP segment carries the TCP-MD5 option, use secret as the shared secret for validating the TCP-MD5 digest (see RFC 2385 for details).

-b selects the protocol on the data link layer; ip, arp, rarp and ipx all live at this layer.

-n does not convert network addresses to names.

-nn does not convert port numbers to names either.

-N does not print the domain part of host names; for example, 'nic.ddn.mil' is printed as 'nic'.

-O does not run the packet-matching code optimizer.

-p does not put the network interface into promiscuous mode.

-q quick output: only a small amount of protocol information is printed.

-r file: read packets from file (such files are usually produced with the -w option).

-S prints TCP sequence numbers as absolute values rather than relative values.

-s snaplen: capture the first snaplen bytes of each packet instead of the default 68 bytes.

-T type: interpret the captured packets directly as packets of the given type. Common types include rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

-t does not print a timestamp on each output line.

-tt prints an unformatted timestamp on each line.

-ttt prints the time difference between the current line and the previous line.

-tttt prints a timestamp in the default format, preceded by the date, on each line.

-u prints undecoded NFS handles.

-v prints slightly more detailed output; for example, the TTL and type of service of IP packets are included.

-vv prints even more detailed packet information.

-w file: write the raw packets to file instead of parsing and printing them.

III. Introduction to tcpdump expressions

The expression is the pattern that tcpdump uses as its condition for filtering packets. If a packet satisfies the expression, it is captured; if no expression is given, every packet on the network is captured.

Expressions are generally built from the following kinds of keywords:

First, the type keywords, mainly host, net and port. For example, host 210.27.48.2 states that 210.27.48.2 is a host, net 202.0.0.0 states that 202.0.0.0 is a network address, and port 23 states that the port number is 23. If no type is given, host is assumed.

Second, the direction keywords, mainly src, dst, src or dst, and src and dst, which give the direction of transmission. For example, src 210.27.48.2 means that the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is given, src or dst is assumed.

Third, the protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi selects a protocol on an FDDI (Fiber Distributed Data Interface) network; in fact it is an alias of ether, because FDDI and Ethernet frames have source and destination addresses of similar form, so FDDI frames can be processed and analyzed like Ethernet frames. The other keywords select the protocol of the captured packets. If no protocol is given, tcpdump captures packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, plus the three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions that match whatever you need.

IV. Output

Below we describe the output of several typical tcpdump commands.

(1) Data link layer header information
Run the following command:
# tcpdump -e host ice
ice is a Linux host whose MAC address is 0:90:27:58:af:1a; h219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46. The output of the command above is as follows:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

21:50:12 is the time and 847509 is the ID number. eth0 < means the packet was received on the network interface eth0 (eth0 > would mean it was sent from that interface). 8:0:20:79:5b:46 is the MAC address of host h219, so the packet was sent from the source h219; 0:90:27:58:af:1a is the MAC address of host ice, so the destination of the packet is ice. ip means the packet is an IP packet and 60 is the packet length. h219.33357 > ice.telnet means the packet was sent from port 33357 of host h219 to the telnet port (23) of host ice. ack 22535 acknowledges the packet with sequence number 22535, and win 8760 means the size of the sending window is 8760.

(2) tcpdump output for ARP packets

Run the following command:
# tcpdump arp

The output is:

22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

22:32:42 is the timestamp and 802509 is the ID. eth0 > means the packet was sent from this host, arp means it is an ARP request, and who-has route tell ice means that host ice is asking for the MAC address of host route. 0:90:27:58:af:1a is the MAC address of host ice.

(3) TCP packet output

The general form of a TCP packet line captured with tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst means from the source address to the destination address. flags are the TCP flags of the segment: S (SYN), F (FIN), P (PUSH), R (RST) and '.' (no flags set). data-seqno is the sequence number range of the data in the segment, ack is the sequence number expected next, window is the size of the receive window, urgent indicates whether the segment carries an urgent pointer, and options are the TCP options.

(4) UDP packet output

The general form of a UDP packet line captured with tcpdump is:

route.port1 > ice.port2: udp length

UDP is very simple. The line above describes a UDP packet sent from port port1 of host route to port port2 of host ice; its type is udp and its length is length.
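The output formats above are regular enough to process with awk. The following script is an added example, not code from the original article: it parses the "src > dst: flags ..." lines into a "src dst flags" table and counts the SYN-only segments sent by a given host, which is the first thing to look at when a capture is suspected of containing a port scan or a half-open connection flood. The function names parse_tcpdump and syn_only_count and the variable SAMPLE_LINES are assumptions of this example; the sample lines are constructed (the two asptest lines are copied from the article, the 10.0.0.x lines are invented). The parser accepts both the legacy single-letter flag column shown in the article and the "Flags [S]" column that current tcpdump releases print.

```shell
#!/bin/sh
# Added example (not from the original article): summarise tcpdump TCP/UDP
# lines by endpoint and count half-open (SYN-only) attempts per source host.
# Handles the legacy flag column ("S", "P", ".") and the newer "Flags [S]".

# Constructed sample capture. In practice pipe in "tcpdump -nn ..." output
# or "tcpdump -nn -r file.pcap".
SAMPLE_LINES='11:53:21.444591 IP asptest.localdomain.ssh > 192.168.228.244.1858: P 3962132600:3962132652(52) ack 2726525936 win 1266
11:53:21.447408 IP asptest.localdomain.ssh > 192.168.228.244.1858: P 168:300(132) ack 1 win 1266
12:00:01.000001 IP 10.0.0.7.40001 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.7.40002 > 10.0.0.9.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 10.0.0.7.40003 > 10.0.0.9.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 10.0.0.9.22 > 10.0.0.7.40001: Flags [S.], seq 5, ack 2, win 65160, length 0
12:00:01.000005 IP 10.0.0.9.1234 > 10.0.0.5.53: UDP, length 46'

# parse_tcpdump: read tcpdump lines on stdin, print "src dst flags" per
# line ("UDP" in the flags column for UDP datagrams); lines without a
# "src > dst" pair are skipped.
parse_tcpdump() {
  awk '{
    for (i = 1; i <= NF; i++) if ($i == ">") break
    if (i >= NF) next                      # no "src > dst" pair on this line
    src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
    nxt = $(i + 2)
    if (nxt == "Flags") { f = $(i + 3); gsub(/[][,]/, "", f) }  # "[S]," -> "S"
    else if (nxt ~ /^UDP/) f = "UDP"
    else f = nxt                           # legacy column: S, P, F, R or .
    print src, dst, f
  }'
}

# syn_only_count HOST: number of segments from HOST (any port) whose only
# flag is SYN. A SYN+ACK shows up as "S." and is deliberately not counted.
syn_only_count() {
  printf '%s\n' "$SAMPLE_LINES" | parse_tcpdump |
    awk -v h="$1" 'index($1, h ".") == 1 && $3 == "S" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LINES" | parse_tcpdump
echo "SYN-only segments from 10.0.0.7: $(syn_only_count 10.0.0.7)"
```

Three SYN-only segments from one host to three different ports in two microseconds is the pattern of a connect scan; the answering host's "S." lines are excluded so that a busy server is not reported as a scanner. For a real capture, replace the SAMPLE_LINES variable with the output of tcpdump -nn, since name resolution would otherwise change the address column.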

V. Examples

(1) Capture all packets received or sent by host 210.27.48.1:
# tcpdump host 210.27.48.1

(2) Capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (note: the backslashes before the parentheses are required, otherwise the shell interprets them):
# tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

(3) Capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) Capture the SSH packets sent by host 192.168.228.246 without resolving host names:
# tcpdump -nn -n src host 192.168.228.246 and port 22 and tcp

(5) Capture the SSH packets sent by host 192.168.228.246 and show the MAC addresses as well:
# tcpdump -e -n -nn src host 192.168.228.246 and port 22 and tcp

(6) Filter packets whose source host is 192.168.0.1 and whose destination network is 192.168.0.0/24:
tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

(7) Filter packets whose source hardware (MAC) address is XXX:
tcpdump ether src 00:50:04:BA:9B and dst ......
(Why is there no host or net after ether src? Because a hardware address cannot denote a network.)

(8) Filter packets from 192.168.0.1 whose destination port is not telnet, and write them to the file test.txt:
tcpdump -l src host 192.168.0.1 and dst port not telnet > test.txt

Protocol qualifiers such as ip, icmp, arp, rarp, tcp and udp must be placed first in the expression to select the packet type.

Example: How do you use tcpdump to listen on interface eth0 for packets on port 22 whose source host is 192.168.1.100?

A: tcpdump -i eth0 -nn port 22 and src host 192.168.1.100

Example: How do you use tcpdump to capture the packets arriving on interface eth0 for TCP port 9080?

A: tcpdump -i eth0 dst 172.16.70.35 and tcp port 9080

Example: How do you use tcpdump to capture the packets exchanged with host 192.168.43.23 or host 192.168.43.24 and show them on the console?

tcpdump -X -s 1024 -i eth0 host \(192.168.43.23 or 192.168.43.24\) and host 172.16.70.35
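The parentheses in examples (2) and the last one are the usual stumbling block: if the shell sees them unescaped, tcpdump either fails to start or silently captures the wrong traffic. The script below is an added example, not code from the original article; it builds the "host H and (P1 or P2 ...)" expression from validated dotted-quad addresses and passes it to tcpdump as a single quoted argument, which removes the need for backslashes altogether. The function names is_ipv4, filter_between and capture_between are assumptions of this example; only POSIX sh, awk and tcpdump on PATH are required, and tcpdump itself is only invoked by capture_between.

```shell
#!/bin/sh
# Added example (not from the original article): compose the host filters
# from section V from validated addresses and hand the expression to
# tcpdump as ONE argument, so the shell never parses the parentheses.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255
is_ipv4() {
  echo "$1" | awk -F. '
    NF != 4 { exit 1 }
    NF == 4 {
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      exit 0
    }'
}

# filter_between HOST PEER [PEER...]: print the expression selecting traffic
# between HOST and any of the PEERs, e.g.
#   host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)
# Fails (exit 1) on a malformed address or when no peer is given, instead of
# producing an expression that would capture nothing or too much.
filter_between() {
  host=$1; shift
  [ $# -ge 1 ] || { echo "filter_between: no peer given" >&2; return 1; }
  is_ipv4 "$host" || { echo "filter_between: bad address: $host" >&2; return 1; }
  peers=""
  for p in "$@"; do
    is_ipv4 "$p" || { echo "filter_between: bad address: $p" >&2; return 1; }
    peers="${peers:+$peers or }$p"   # join peers with " or "
  done
  printf 'host %s and (%s)\n' "$host" "$peers"
}

# capture_between IFACE HOST PEER...: run the capture with name resolution
# off (-nn). Quoting "$filt" as one word is what makes backslashes unnecessary.
capture_between() {
  iface=$1; shift
  filt=$(filter_between "$@") || return 1
  echo "running: tcpdump -i $iface -nn '$filt'"
  tcpdump -i "$iface" -nn "$filt"
}

# Show the expression example (2) of the article would use:
filter_between 210.27.48.1 210.27.48.2 210.27.48.3
# Start a capture with it (needs root and a real interface):
#   capture_between eth0 210.27.48.1 210.27.48.2 210.27.48.3
```

The same single-argument quoting applies when the expression comes from a script or a configuration file; the -F option from section II is the other way to avoid shell quoting entirely, since the expression is then read from a file and never touches the command line.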
