tcpdump's name says what it does: dump the traffic on a network. It captures the datagrams passing through a network interface (the interface can be selected) and prints a description of every packet on that interface whose contents match a boolean filter expression. When tcpdump finishes capturing, it prints a summary similar to the following:

9 packets captured
packets received by filter
packets dropped by kernel

"received by filter" counts the packets that were handed to the filter, and "dropped by kernel" counts packets the kernel discarded because the capture buffer was full; a non-zero drop count means the capture is incomplete. Reading packets from the network requires privilege: the superuser on Linux, or at least the CAP_NET_RAW and CAP_NET_ADMIN capabilities granted to the tcpdump binary. Reading a saved capture file with -r needs no special privilege.
tcpdump usage

tcpdump -A   print each packet (minus its link-level header) in ASCII; handy for capturing web pages
tcpdump -D   print the list of network interfaces available on the system; the -i option then selects one of them
tcpdump -F file   use file as input for the filter expression (an expression given on the command line is ignored)
tcpdump -i interface   listen on interface. If none is specified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback) and listens there
tcpdump -l   make standard output line buffered. Useful if you want to see the data while capturing it, for example:
tcpdump -l > dat & tail -f dat
tcpdump -S   print absolute rather than relative TCP sequence numbers
tcpdump -w file   write the raw packets to file rather than parsing and printing them; they can be read back later with -r file
If no expression is given, all packets on the network are captured; otherwise only packets for which the expression is true are printed.
Example: TCP packets

The general format of a TCP line is

src > dst: flags data-seqno ack window urgent options

where src and dst are the source and destination addresses and ports, flags is some combination of S (SYN), F (FIN), P (PSH), R (RST), U (URG), W (ECN CWR) and E (ECN-Echo), with '.' standing for ACK, and options may include MSS, timestamp and the window scaling option.
1. Capturing TCP packets with a particular flag bit set. The TCP header carries 8 control bits:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Their place in the TCP header:

 0                   15                  31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|          window size          |
-----------------------------------------------------------------
|         TCP checksum          |        urgent pointer         |
-----------------------------------------------------------------
The 8 control bits are the octet at byte offset 13 of the TCP header (offsets count from 0, so it is the 14th byte), laid out as

|---------------|
|C|E|U|A|P|R|S|F|
|---------------|
|7 6 5 4 3 2 1 0|

When only the SYN bit is set, the binary value of this octet is 00000010 -> 2. So the expression that captures only TCP packets with syn=1 (and every other flag clear) is

tcpdump -i 2 'tcp[13] == 2'

Here -i 2 selects interface number 2 from the -D list (an interface name such as eth0 works as well), and the expression is quoted so the shell does not expand the brackets. tcp[13] denotes the octet at offset 13 of the TCP header; == 2 demands that it equal exactly 2.
2. A SYN-ACK segment also has SYN set, and we treat it as a SYN packet as well. How do we capture it too?

|---------------|
|C|E|U|A|P|R|S|F|
|---------------|
|7 6 5 4 3 2 1 0|

With SYN and ACK both set the octet reads 00010010 -> 18. Writing tcp[13] == 18 is not the answer: it captures only SYN-ACK segments and no longer captures plain SYN segments. What we want is to keep the SYN bit and ignore all the others, and that is a bitwise AND:

tcp[13] & 2 == 2

This matches every segment whose SYN bit is set, whatever the other flags are. The same test can be written with the named constants libpcap provides: 'tcp[tcpflags] & tcp-syn != 0'.

Note: tcpdump prints the flags field of such a segment as [S.], S for SYN and '.' for ACK; a plain SYN shows as [S].
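The following Python script is an added worked example, not code from the original page. It builds a handful of TCP segments (constructed, with made-up ports and sequence numbers), evaluates the three expressions above the way BPF does, by reading the octet at offset 13 and either comparing it exactly or masking it, and then writes the segments out as Ethernet/IPv4/TCP frames in a pcap file so the same expressions can be checked against real tcpdump with -r. The IPv4 checksum is computed with the RFC 1071 one's-complement sum; the TCP checksum is left zero, which tcpdump tolerates when printing. The addresses 10.0.0.1/10.0.0.2 and the MAC addresses are assumptions of the example.

```python
import struct

# The eight control bits of TCP header octet 13, as drawn on the page:
# CWR ECE URG ACK PSH RST SYN FIN  (bit 7 ... bit 0)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (1 << i for i in range(8))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def tcp_header(sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header with no options; checksum left zero (tcpdump does not need it)."""
    data_offset = 5 << 4  # header length 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def ipv4_header(src, dst, payload_len, proto=6):
    """20-byte IPv4 header carrying payload_len bytes of proto (6 = TCP), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


# Constructed segments of one connection (made-up ports and sequence numbers).
SAMPLE_SEGMENTS = {
    "SYN":     tcp_header(40000, 80, 1000, 0, TCP_SYN),
    "SYN-ACK": tcp_header(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK),
    "ACK":     tcp_header(40000, 80, 1001, 5001, TCP_ACK),
    "PSH-ACK": tcp_header(40000, 80, 1001, 5001, TCP_PSH | TCP_ACK),
    "FIN-ACK": tcp_header(40000, 80, 1200, 5001, TCP_FIN | TCP_ACK),
    "RST":     tcp_header(80, 40000, 5001, 0, TCP_RST),
}


def flag_filter_exact(tcp, value):
    """What 'tcp[13] == value' tests: the whole flag octet must equal value."""
    return tcp[13] == value


def flag_filter_and(tcp, mask):
    """What 'tcp[13] & mask == mask' tests: every bit in mask is set, the others are ignored."""
    return (tcp[13] & mask) == mask


def matching(filt, arg):
    """Names of the sample segments a filter accepts, in capture order."""
    return [name for name, seg in SAMPLE_SEGMENTS.items() if filt(seg, arg)]


def pcap_bytes(segments):
    """Wrap TCP segments in Ethernet/IPv4 frames and serialise them as a libpcap file."""
    client, server = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # assumed addresses
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, linktype 1 = Ethernet
    for i, seg in enumerate(segments):
        sport = struct.unpack("!H", seg[:2])[0]
        src, dst = (server, client) if sport == 80 else (client, server)
        frame = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"  # dst MAC, src MAC, IPv4
        frame += ipv4_header(src, dst, len(seg)) + seg
        out += struct.pack("<IIII", i, 0, len(frame), len(frame))  # ts_sec, ts_usec, caplen, len
        out += frame
    return out


if __name__ == "__main__":
    for expr, filt, arg in [("tcp[13] == 2", flag_filter_exact, 2),
                            ("tcp[13] == 18", flag_filter_exact, 18),
                            ("tcp[13] & 2 == 2", flag_filter_and, 2)]:
        print("%-18s matches %s" % (expr, matching(filt, arg)))
    with open("tcp_flags.pcap", "wb") as f:
        f.write(pcap_bytes(list(SAMPLE_SEGMENTS.values())))
    # Replay against the real tool: tcpdump -nr tcp_flags.pcap 'tcp[13] & 2 == 2'
```

Run the script, then `tcpdump -nr tcp_flags.pcap 'tcp[13] == 2'` prints just the SYN, `tcpdump -nr tcp_flags.pcap 'tcp[13] == 18'` just the SYN-ACK, and `tcpdump -nr tcp_flags.pcap 'tcp[13] & 2 == 2'` both (-n stops tcpdump from trying to resolve the made-up addresses). A tcp[...] expression implicitly restricts the match to TCP packets, so no "tcp and" prefix is needed.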
UDP packets

The format of a UDP line is

actinide.who > broadcast.who: udp 84

This says that port who on host actinide sent a UDP datagram to port who on host broadcast, the Internet broadcast address; 84 is the number of bytes of user data in the datagram (the UDP payload, excluding the UDP and IP headers).
UDP name server requests

The format of a request is

src > dst: id op? flags qtype qclass name (len)

h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu (37)

Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was 3. The '+' indicates that the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers.
UDP name server responses

src > dst: id op rcode flags a/n/au type class data (len)

helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)

helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 additional records. The first answer record is type A (address) and its data is the Internet address 128.32.137.3. The total size of the response was 273 bytes, excluding the UDP and IP headers.
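As an added example (not from the original page), the Python script below reproduces the two summary formats just described from raw DNS messages: it parses the header (id, QR, RD and rcode bits, the four section counts), the question (qtype and name, including compressed names) and the first answer record, and renders them in tcpdump's 'id+ A? name (len)' and 'id a/n/au A addr (len)' shapes. The messages it works on are constructed in the script itself: a query for ucbvax.berkeley.edu with id 3, a reply with one A record, and an NXDomain reply. The host names, id and address come from the page's example; the record counts are whatever the constructed reply contains, and the constructed query comes to 37 bytes, the length in the page's example, because that is what a 12-byte header plus the question for that name adds up to. Only the fields the page lists are rendered; real tcpdump output adds details such as a trailing dot on names and further flag characters.

```python
import struct

# Record types and response codes needed for the summaries on the page.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}
RCODES = {0: "", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}


def encode_name(name):
    """Dotted name -> DNS label sequence, e.g. b'\\x06ucbvax\\x08berkeley\\x03edu\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels, after, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            if not jumped:
                after = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (after if jumped else off)


def build_query(ident, name, qtype=1, rd=True):
    """Constructed DNS query: header plus one question, recursion desired if rd."""
    header = struct.pack("!6H", ident, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(query, addrs, rcode=0):
    """Constructed reply to query: one A record per address, owner name compressed to the question."""
    ident = struct.unpack("!H", query[:2])[0]
    msg = struct.pack("!6H", ident, 0x8180 | rcode, 1, len(addrs), 0, 0) + query[12:]
    for addr in addrs:
        rdata = bytes(int(x) for x in addr.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
    return msg


def summarize(msg):
    """Render a DNS message in the shape tcpdump prints:
       query    -> 'id+ QTYPE? name (len)'
       response -> 'id [rcode] a/n/au TYPE data (len)'   (type/data from the first answer)
    len counts DNS bytes only, not the UDP and IP headers."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if not flags & 0x8000:  # QR bit clear: this is a query
        rd = "+" if flags & 0x0100 else ""
        return "%d%s %s? %s (%d)" % (ident, rd, QTYPES.get(qtype, str(qtype)), qname, len(msg))
    rcode = RCODES.get(flags & 0x000F, "Rcode%d" % (flags & 0x000F))
    head = "%d%s %d/%d/%d" % (ident, " " + rcode if rcode else "", an, ns, ar)
    if an == 0:
        return "%s (%d)" % (head, len(msg))
    _, off = decode_name(msg, off)  # owner name of the first answer record
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    data = ".".join(str(b) for b in rdata) if rtype == 1 else rdata.hex()
    return "%s %s %s (%d)" % (head, QTYPES.get(rtype, str(rtype)), data, len(msg))


if __name__ == "__main__":
    q = build_query(3, "ucbvax.berkeley.edu")
    print("h2opolo.1538 > helios.domain:", summarize(q))
    print("helios.domain > h2opolo.1538:", summarize(build_a_response(q, ["128.32.137.3"])))
    print("helios.domain > h2opolo.1538:", summarize(build_a_response(q, [], rcode=3)))
```

The length in parentheses is len(msg), the DNS payload alone, which is why the page's note that it excludes the UDP and IP headers matters when comparing against the udp length field on a UDP line.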