First, port information
Method: use netstat to find the port a process of interest is listening on, or to find which process is using a given port.
# netstat -pan | grep csm
tcp 0 0 0.0.0.0:6801 0.0.0.0:* LISTEN 7417/csm --- listening port
tcp 0 0 192.168.12.223:33004 192.168.5.186:3311 ESTABLISHED 7417/csm --- database link
tcp 0 0 192.168.12.223:33003 192.168.5.186:3311 ESTABLISHED 7417/csm
tcp 0 0 192.168.12.223:33002 192.168.5.186:3311 ESTABLISHED 7417/csm
tcp 0 0 192.168.12.223:6801 192.168.5.220:2845 ESTABLISHED 7417/csm --- link to an IM client
tcp 0 0 127.0.0.1:32994 127.0.0.1:6847 ESTABLISHED 7417/csm --- link to router
tcp 0 0 127.0.0.1:32998 127.0.0.1:6872 ESTABLISHED 7417/csm --- link to online
tcp 0 0 192.168.12.223:6801 192.168.5.220:2812 ESTABLISHED 7417/csm --- link to an IM client

# netstat -pan | grep mucsvr
tcp 0 0 127.0.0.1:32989 127.0.0.1:6847 ESTABLISHED 7416/mucsvr --- link to router
tcp 0 0 127.0.0.1:32988 127.0.0.1:6847 ESTABLISHED 7416/mucsvr --- link to router

# netstat -pan | grep online
tcp 0 0 0.0.0.0:6872 0.0.0.0:* LISTEN 7413/online --- listening port
tcp 0 0 192.168.12.223:33005 192.168.5.186:3311 ESTABLISHED 7413/online --- database link
tcp 0 0 127.0.0.1:6872 127.0.0.1:32998 ESTABLISHED 7413/online --- link to csm
Notes:
1) mucsvr has two established connections to router; the reason is not clear. Capturing on port 32989 yields traffic, but no data was seen on port 32988.
2) The information above was taken from the test IM server at 12.223 and is for reference only.
Second, packet capture
Method: use tcpdump to capture the packets on the port of interest and write them to a file.
Command: tcpdump port 6801 -i eth0 -p -vv -s 0 -w csm.cap
Comments:
- port: the port of the service process you care about.
- -i eth0: the network interface to listen on. Use ifconfig to see the network configuration; for traffic between processes on the same host (127.0.0.1, as in the csm/router/online links above) use -i lo, since that traffic never appears on eth0.
- -p: do not put the interface into promiscuous mode; only traffic to or from this host is needed.
- -vv: verbose output while capturing.
- -w csm.cap: write the raw packets to a file instead of printing them, so they can be opened later in a packet viewer.
- -s 0: capture whole packets.
By default tcpdump saves only the first part of each packet; the -s snaplen option controls how many bytes are kept. In the tcpdump release used here the default is 68 bytes, which covers the headers but truncates the payload (current tcpdump releases default to the full packet, so -s 0 is harmless there). Setting it to 0 captures every packet in full.
Reference URL: http://tcpdump.anheng.com.cn/news/22/591.html
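The two steps above (read netstat to find the port and the peers, then build the tcpdump command with -i lo for loopback links and -i eth0 for everything else) are easy to get wrong by hand, so here is an added example script that does it from netstat output. It is not part of the original post; the netstat output it parses is constructed to mirror the csm/mucsvr/online lines above, and the interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example, not the original post's code: derive tcpdump capture commands
# from "netstat -pan" output for a named process.
# Assumptions: the non-loopback interface is eth0; the sample below is a
# constructed excerpt of "netstat -pan" output, not a real capture.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6801            0.0.0.0:*               LISTEN      7417/csm
tcp        0      0 192.168.12.223:33004    192.168.5.186:3311      ESTABLISHED 7417/csm
tcp        0      0 192.168.12.223:6801     192.168.5.220:2845      ESTABLISHED 7417/csm
tcp        0      0 127.0.0.1:32994         127.0.0.1:6847          ESTABLISHED 7417/csm
tcp        0      0 127.0.0.1:32989         127.0.0.1:6847          ESTABLISHED 7416/mucsvr
tcp        0      0 0.0.0.0:6872            0.0.0.0:*               LISTEN      7413/online
tcp        0      0 127.0.0.1:6872          127.0.0.1:32998         ESTABLISHED 7413/online'

# listening_ports NAME: print the TCP ports on which process NAME is LISTENing.
# Field 7 is "PID/program"; the dynamic regex matches "/NAME" at the end of it.
listening_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v name="$1" '
        $6 == "LISTEN" && $7 ~ ("/" name "$") {
            n = split($4, a, ":"); print a[n]
        }'
}

# listen_iface NAME PORT: "lo" if every established peer of NAME on local
# port PORT is loopback, otherwise "eth0" (loopback traffic never hits eth0).
listen_iface() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v name="$1" -v port="$2" '
        BEGIN { iface = "lo" }
        $6 == "ESTABLISHED" && $7 ~ ("/" name "$") {
            n = split($4, l, ":")
            if (l[n] == port && $5 !~ /^127\./) iface = "eth0"
        }
        END { print iface }'
}

# capture_command NAME OUTFILE: tcpdump command for NAME's listening port.
# -p: no promiscuous mode; -s 0: full packets; -w: raw pcap to OUTFILE.
capture_command() {
    port=$(listening_ports "$1" | head -n 1)
    [ -n "$port" ] || return 1
    iface=$(listen_iface "$1" "$port")
    printf 'tcpdump port %s -i %s -p -vv -s 0 -w %s\n' "$port" "$iface" "$2"
}

# connection_captures NAME: one tcpdump command per established connection of
# NAME, keyed on the local port (as the post does for mucsvr's port 32989).
connection_captures() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v name="$1" '
        $6 == "ESTABLISHED" && $7 ~ ("/" name "$") {
            n = split($4, l, ":")
            iface = ($5 ~ /^127\./) ? "lo" : "eth0"
            printf "tcpdump port %s -i %s -p -vv -s 0 -w %s-%s.cap\n", l[n], iface, name, l[n]
        }'
}

# Usage: print the capture commands for the daemons in the sample.
capture_command csm csm.cap
capture_command online online.cap
connection_captures mucsvr
```

For csm the script picks eth0 because an IM client at 192.168.5.220 is connected to port 6801; for online it picks lo because its only client is csm over 127.0.0.1, which matches the commands in the appendix. Since -s 0 keeps full payloads, the resulting .cap files hold whatever the database link and IM sessions carry in cleartext; keep them mode 0600 and delete them once analysed.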
Third, viewing the capture
Method: copy the capture file to a Windows machine and open it in EtherDetect to inspect the packets.
Steps: Sniffer -> Open.
Fourth, appendix
Capture commands used on 12.223:
tcpdump port 6872 -i lo -p -vv -s 0 -w online.cap
tcpdump port 6847 -i lo -p -vv -s 0 -w router.cap
tcpdump port 6801 -i eth0 -p -vv -s 0 -w csm.cap
tcpdump port 32989 -i lo -p -vv -s 0 -w mucsvr.cap
Capture of a single remote host: tcpdump host 218.28.15.98 -i eth1 -p -vv -s 0 -w fengyang.cap
Using SecureCRT, send the capture files to the Windows machine over ZMODEM: sz csm.cap mucsvr.cap online.cap router.cap
Linux packet capture summary