Linux tcpdump packet capture analysis

Source: Internet
Author: User
PS: tcpdump is a tool that intercepts network packets and prints their contents; in short, a packet capture tool. Thanks to its powerful functions and flexible capture policies, tcpdump is the preferred tool for network analysis and troubleshooting on Linux. It comes with source code and open interfaces, so it is highly extensible and is a very useful tool both for network maintainers and for intruders. tcpdump is part of the basic Linux system. Because it has to put the network interface into promiscuous mode, ordinary users cannot run it normally, whereas users with root privileges can run it directly and obtain information from the network. The network analysis tools present on a system are therefore not a threat to the security of the local machine, but to the security of the other computers on the network.

I. Overview

As the name implies, tcpdump can intercept the headers of the packets transmitted on the network in full for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you strip out useless information.

# tcpdump -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:53:21.444591 IP (tos 0x10, ttl 64, id 19324, offset 0, flags [DF], proto 6, length: 92) asptest.localdomain.ssh > 192.168.228.244.1858: P 3962132600:3962132652(52) ack 2726525936 win 1266
asptest.localdomain.1077 > 192.168.228.153.domain: [bad udp cksum 166e!] 325+ PTR? 244.228.168.192.in-addr.arpa. (46)
11:53:21.446929 IP (tos 0x0, ttl 64, id 42911, offset 0, flags [DF], proto 17, length: 151) 192.168.228.153.domain > asptest.localdomain.1077: 325 NXDomain q: PTR? 244.228.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. (123)
11:53:21.447408 IP (tos 0x10, ttl 64, id 19328, offset 0, flags [DF], proto 6, length: 172) asptest.localdomain.ssh > 192.168.228.244.1858: P 168:300(132) ack 1 win 1266
347 packets captured
1474 packets received by filter
745 packets dropped by kernel

Run without parameters, tcpdump collects the headers of all traffic on the network; the volume of data is huge and has to be filtered.

II. Option introduction

-A  Print each packet in ASCII, minus its link-layer header.
-c count  Exit after receiving count packets.
-C file_size  Before writing a raw packet to a savefile, check whether the file is larger than file_size; if so, close the current savefile and open a new one. file_size is in millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-d  Dump the compiled packet-matching code in a human-readable assembly-like form.
-dd  Dump the packet-matching code as a C program fragment.
-ddd  Dump the packet-matching code as decimal numbers.
-D  Print the list of network interfaces on the system on which tcpdump can capture packets.
-e  Print the link-layer header on each output line.
-E spi@ipaddr algo:secret  Decrypt IPsec ESP packets addressed to ipaddr that carry the security parameter index spi, using secret.
-f  Print foreign Internet addresses numerically.
-F file  Read the filter expression from file and ignore any expression given on the command line.
-i interface  Listen on interface.
-l  Make standard output line-buffered, so the output can be sent to a file or another program while capturing.
-L  List the known data link types of the interface.
-m module  Load SMI MIB module definitions from module; may be given several times to load several MIB modules.
-M secret  If a TCP segment carries the TCP-MD5 option, use secret as the shared secret to validate the option's digest (see RFC 2385).
-b  Select the data-link-layer protocol: ip, arp, rarp, ipx.
-n  Do not convert addresses to names.
-nn  Do not convert addresses or port numbers to names; print raw IP addresses and port numbers rather than host and service names.
-N  Do not print the domain-name part of host names; for example, 'nic.ddn.mil' is printed as 'nic'.
-O  Do not run the packet-matching code optimizer.
-p  Do not put the interface into promiscuous mode.
-q  Quick output; print less protocol information.
-r file  Read packets from file (normally one created with -w).
-S  Print absolute rather than relative TCP sequence numbers.
-s snaplen  Capture snaplen bytes of each packet instead of the default 68. -s 0 removes the limit and captures the whole packet.
-T type  Force packets selected by the expression to be interpreted as type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).
-t  Do not print a timestamp on each line.
-tt  Print an unformatted timestamp on each line.
-ttt  Print the time difference between the current and the previous line.
-tttt  Print a timestamp in the default format produced by date on each line.
-u  Print undecoded NFS handles.
-v  Slightly more verbose output; for example, the TTL and type-of-service fields of IP packets are printed.
-vv  Even more verbose output.
-vvv  Most verbose output.
-w file  Write the raw packets to file instead of parsing and printing them. The resulting .pcap file can be opened in Wireshark on Windows for further analysis; the keys to a capture that Wireshark can analyse are the -s parameter and saving the output with -w.
-X, -XX  Print each packet in hex and ASCII, so the packet can be read directly; suitable for HTTP, the memcached ASCII protocol and other plaintext protocols.

III. Introduction to tcpdump expressions

The expression is a regular-expression-like filter that tcpdump uses as the condition for selecting packets. If a packet satisfies the expression, it is captured; if no expression is given, all packets on the network are intercepted. The keywords in an expression fall into several groups:

1. Type keywords: host, net and port. For example, host 210.27.48.2 specifies 210.27.48.2 as a host, net 202.0.0.0 specifies 202.0.0.0 as a network address, and port 23 specifies port number 23. If no type is given, host is the default.

2. Direction keywords: src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network is 202.0.0.0. If no direction keyword is given, src or dst is assumed.

3. Protocol keywords: fddi, ip, arp, rarp, tcp, udp and others. fddi denotes a specific protocol on FDDI (Fiber Distributed Data Interface) networks; in practice it is an alias for "ether", because fddi and ether have comparable source and destination addresses, so FDDI packets can be processed and analysed like Ethernet packets. The other keywords specify the protocol of the packets to listen for. If no protocol is specified, tcpdump listens to packets of all protocols.

Beyond these three groups, other important keywords are gateway, broadcast, less and greater, plus the three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions that meet most needs.

Examples:
tcpdump -i lo -nn -A -s 0 tcp -w /home/open/1.txt port 3306 and src host 112.142.34.24 and dst host 192.168.1.33
tcpdump -X -n -s 0 tcp port 8033 -i lo
tcpdump -A -n -x -s 0 tcp port 7430 and host 192.168.3.143
tcpdump -x -n -s 0 tcp port 9024 or 9021 or 9023 or 9020

IV. Output description

The output of several typical tcpdump commands is described below.

(1) Command: # tcpdump -e host ICE
ICE is a Linux host with MAC address 0:90:27:58:AF:1A; H219 is a SUN workstation running Solaris with MAC address 8:0:20:79:5B:46. The output of the command is:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ICE.telnet 0:0(0) ack 22535 win 8760 (DF)

21:50:12 is the time and 847509 is the ID number. eth0 < means the packet was received on network interface eth0; eth0 > would mean it was sent from network interface eth0. 8:0:20:79:5b:46 is the MAC address of host H219, so the packet was sent from source address H219; 0:90:27:58:af:1a is the MAC address of host ICE, so the packet's destination is ICE. ip means the packet is an IP packet, and 60 is the packet length. h219.33357 > ICE.telnet means the packet was sent from port 33357 of host H219 to the telnet port (23) of host ICE. ack 22535 acknowledges the packet with sequence number 22535. win 8760 means the send window size is 8760.

(2) Command: # tcpdump arp
The output is:

22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

22:32:42 is the timestamp and 802509 is the ID; eth0 > means the packet was sent from this host, arp means an ARP request packet, and who-has route tell ICE means host ICE is asking for the MAC address of host route. 0:90:27:58:af:1a is the MAC address of host ICE.

(3) The general output for TCP packets captured by tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst gives the source and destination addresses. flags are the flag bits of the TCP segment: S (SYN), F (FIN), P (PUSH), R (RST), or "." (no flag set). data-seqno is the sequence-number range of the data in the segment, ack is the next sequence number expected, window is the size of the receive window, urgent indicates whether the segment carries an urgent pointer, and options are the TCP options.

(4) The general output for UDP packets captured by tcpdump is:

route.port1 > ICE.port2: udp length

UDP output is very simple: the line above denotes a UDP packet sent from port port1 of host route to port port2 of host ICE; its type is UDP and its length is length.

V. Examples

(1) Intercept all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1

(2) Intercept the traffic between host 210.27.48.1 and either 210.27.48.2 or 210.27.48.3 (note: the parentheses must be escaped with backslashes on the command line):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

(3) Obtain the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) Obtain the ssh packets received or sent by host 192.168.228.246 without converting host names:
# tcpdump -nn -n src host 192.168.228.246 and port 22 and tcp

(5) Obtain the ssh packets received or sent by host 192.168.228.246 and show the MAC addresses as well:
# tcpdump -e src host 192.168.228.246 and port 22 and tcp -n -nn

(6) Filter packets whose source host is 192.168.0.1 and whose destination network is 192.168.0.0/24:
tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

(7) Filter packets whose source physical address is XXX:
tcpdump ether src 00:50:04:BA:9B and dst ......
(Why is there no host or net after ether src? Because a physical address cannot denote a network, of course.)

(8) Filter packets from 192.168.0.1 whose destination port is not telnet, and write them to the file test.txt:
tcpdump src host 192.168.0.1 and dst port not telnet -l > test.txt

The protocol qualifiers ip, icmp, arp, rarp, tcp, udp and so on must be placed first in the expression; they select the type of datagram to filter.

Q: How do I use tcpdump to listen on the eth0 adapter for traffic on port 22 whose source is 192.168.1.100?
A: tcpdump -i eth0 -nn port 22 and src host 192.168.1.100

Q: How do I use tcpdump to capture traffic arriving at the eth0 adapter on TCP port 9080?
A: tcpdump -i eth0 dst 172.16.70.35 and tcp port 9080

Q: How do I use tcpdump to capture the packets exchanged with host 192.168.43.23 or host 192.168.43.24 and display them on the console in hex and ASCII?
A: tcpdump -X -s 1024 -i eth0 host \( 192.168.43.23 or 192.168.43.24 \) and host 172.16.70.35
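The keyword rules of section III can be seen at work in the following added example: a toy Python evaluator for the subset of tcpdump's filter language covered above (type keywords host/net/port with host as the default, direction keywords src/dst with src or dst as the default, protocol keywords, the operators and/or/not, and bare values such as the 9021 in "port 9024 or 9021" inheriting the qualifiers of the previous term). It is not tcpdump's or libpcap's own compiler, and the packets it filters are constructed summaries, not a real capture; the Packet type, the SERVICES table and the SAMPLE traffic are assumptions made for this illustration.

```python
# Toy evaluator for the tcpdump filter expressions of section III (added example,
# not tcpdump's or libpcap's compiler). It models the article's rules: type keywords
# host/net/port (default host), direction src/dst (default "src or dst"), protocol
# keywords, and/or/not, and bare values ("port 22 or 23") inheriting the previous qualifiers.
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # constructed summary
PROTOS, DIRS, TYPES = {"ip", "tcp", "udp", "icmp", "arp", "rarp"}, {"src", "dst"}, {"host", "net", "port"}
KEYWORDS = PROTOS | DIRS | TYPES | {"and", "or", "not", "&&", "||", "!", "(", ")"}
SERVICES = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80}  # stand-in for /etc/services

def proto_matches(name, pkt):
    if name == "ip":  # "ip" covers every protocol carried over IP
        return pkt.proto in ("tcp", "udp", "icmp")
    return name is None or pkt.proto == name

def primitive(proto, direction, ptype, value):
    # Predicate for one qualified value, e.g. ("tcp", "dst", "port", "22").
    def pred(pkt):
        if not proto_matches(proto, pkt):
            return False
        if ptype == "port":
            want = SERVICES.get(value) or int(value)
            s, d = pkt.sport == want, pkt.dport == want  # ARP/ICMP carry port 0, so never match
        elif ptype == "host":
            s, d = pkt.src == value, pkt.dst == value
        else:  # net, given in CIDR form such as 192.168.0.0/24
            net = ipaddress.ip_network(value, strict=False)
            s, d = ipaddress.ip_address(pkt.src) in net, ipaddress.ip_address(pkt.dst) in net
        return {"src": s, "dst": d, "src or dst": s or d}[direction]
    return pred

def compile_filter(expr):
    """Recursive descent, precedence or < and < not < primitive; returns a predicate."""
    toks = re.findall(r"\(|\)|!|&&|\|\||[\w./:-]+", expr.replace("\\", ""))  # "\(" is shell escaping
    last = [(None, "src or dst", "host")]  # qualifiers a bare value inherits
    peek = lambda: toks[0] if toks else None

    def binary(ops, operand, combine):
        pred = operand()
        while peek() in ops:
            toks.pop(0)
            pred = combine(pred, operand())
        return pred
    parse_or = lambda: binary(("or", "||"), parse_and, lambda f, g: lambda p: f(p) or g(p))
    parse_and = lambda: binary(("and", "&&"), parse_not, lambda f, g: lambda p: f(p) and g(p))

    def parse_not():
        if peek() in ("not", "!"):
            toks.pop(0)
            inner = parse_not()
            return lambda p: not inner(p)
        return parse_primitive()

    def parse_primitive():
        if peek() == "(":
            toks.pop(0)
            pred = parse_or()
            if not toks or toks.pop(0) != ")":
                raise SyntaxError("missing ')'")
            return pred
        proto = direction = ptype = None
        if peek() in PROTOS:
            proto = toks.pop(0)
            if peek() in (None, "and", "or", "&&", "||", ")"):  # protocol keyword alone, e.g. "tcp"
                return lambda p: proto_matches(proto, p)
        if peek() in DIRS:
            direction = toks.pop(0)
        if peek() in TYPES:
            ptype = toks.pop(0)
        value = toks.pop(0) if toks else None
        if value is None or value in KEYWORDS:
            raise SyntaxError(f"expected a host, network or port, got {value!r}")
        if (proto, direction, ptype) == (None, None, None):
            proto, direction, ptype = last[0]  # bare value: reuse the previous term's qualifiers
        else:
            direction, ptype = direction or "src or dst", ptype or "host"
            last[0] = (proto, direction, ptype)
        return primitive(proto, direction, ptype, value)

    pred = parse_or()
    if toks:
        raise SyntaxError(f"unexpected token {toks[0]!r}")
    return pred

def select(expr, packets):
    """The packets a tcpdump run with this expression would print."""
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]

# Constructed traffic echoing the article's examples (not a real capture).
SAMPLE = [
    Packet("tcp", "210.27.48.1", "210.27.48.2", 33357, 23),
    Packet("tcp", "210.27.48.3", "210.27.48.1", 40000, 22),
    Packet("udp", "210.27.48.1", "210.27.48.9", 1077, 53),
    Packet("tcp", "192.168.0.1", "192.168.0.77", 5555, 80),
    Packet("arp", "192.168.0.1", "192.168.0.254"),
]
```

select("host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)", SAMPLE) returns the first two constructed packets, exactly the traffic the article's example (2) describes, and select("ip host 210.27.48.1 and ! 210.27.48.2", SAMPLE) drops the first one. Like tcpdump, which compiles the expression to a BPF program once, the evaluator builds a single predicate and then applies it per packet; the inheritance rule in parse_primitive is what lets "tcp port 9024 or 9021 or 9023 or 9020" mean four port tests rather than one.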
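As an added illustration of the output formats in section IV (not part of the article or of tcpdump itself), the following Python parses the classic one-line TCP and UDP formats the article describes (src > dst: flags first:last(len) ack N win N and src > dst: udp length), aggregates the lines per flow and reports connection attempts that never received a SYN/ACK, which is how unanswered SYNs from a port scan or a SYN flood show up in a capture. The sample lines are constructed in the style of the article's capture; the regular expressions assume that classic format and do not handle the "Flags [S.]" notation of newer tcpdump releases.

```python
# Parser for the classic one-line TCP and UDP output formats described in
# section IV, plus a per-flow summary. Added example, not part of the article
# or of tcpdump; the sample lines are constructed in the style of the article's
# capture, and the regexes assume the pre-4.0 format shown there, not the
# "Flags [S.]" notation of newer tcpdump releases.
import re
from collections import defaultdict

# src > dst: FLAGS first:last(len) [ack N] win N ...   ("." means no flag set)
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:IP )?(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRUWE.]+) (?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
# src > dst: udp len
UDP_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:IP )?(?P<src>\S+) > (?P<dst>\S+): udp (?P<len>\d+)")


def parse_line(line):
    """One tcpdump output line -> dict, or None for lines that are not TCP/UDP data lines."""
    m = TCP_LINE.match(line)
    if m:
        d = m.groupdict()
        return {"proto": "tcp", "ts": d["ts"], "src": d["src"], "dst": d["dst"],
                "flags": set(d["flags"]) - {"."}, "len": int(d["len"]),
                "seq": (int(d["first"]), int(d["last"])), "win": int(d["win"]),
                "ack": d["ack"] is not None}  # in this format ACK shows as "ack N", not as a flag letter
    m = UDP_LINE.match(line)
    if m:
        d = m.groupdict()
        return {"proto": "udp", "ts": d["ts"], "src": d["src"], "dst": d["dst"], "len": int(d["len"])}
    return None


def summarize(lines):
    """Per (proto, src, dst): packet count, payload bytes, SYNs sent and SYN/ACKs sent."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0, "synack": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ARP lines, decoded DNS replies, the "N packets captured" trailer
        f = flows[(rec["proto"], rec["src"], rec["dst"])]
        f["packets"] += 1
        f["bytes"] += rec["len"]
        if rec["proto"] == "tcp" and "S" in rec["flags"]:
            f["synack" if rec["ack"] else "syn"] += 1  # "S ... ack N" is the SYN/ACK
    return dict(flows)


def half_open(flows):
    """Flows whose SYNs outnumber the SYN/ACKs that came back: unanswered connection
    attempts, which is how a port scan or a SYN flood looks in tcpdump output."""
    unanswered = {}
    for (proto, src, dst), f in flows.items():
        answered = flows.get(("tcp", dst, src), {}).get("synack", 0)
        if proto == "tcp" and f["syn"] > answered:
            unanswered[(src, dst)] = f["syn"] - answered
    return unanswered


# Constructed sample output in the article's format (not a real capture).
SAMPLE_LINES = """\
11:53:21.444591 IP asptest.localdomain.ssh > 192.168.228.244.1858: P 3962132600:3962132652(52) ack 2726525936 win 1266
11:53:21.446929 IP 192.168.228.153.domain > asptest.localdomain.1077: 325 NXDomain q: PTR? 244.228.168.192.in-addr.arpa. (123)
11:53:21.447408 IP asptest.localdomain.ssh > 192.168.228.244.1858: P 168:300(132) ack 1 win 1266
11:53:22.100000 IP 10.0.0.9.40001 > asptest.localdomain.ssh: S 100:100(0) win 5840 <mss 1460>
11:53:22.100200 IP asptest.localdomain.ssh > 10.0.0.9.40001: S 500:500(0) ack 101 win 5792 <mss 1460>
11:53:22.200000 IP 10.0.0.9.40002 > asptest.localdomain.telnet: S 200:200(0) win 5840 <mss 1460>
11:53:22.300000 IP 10.0.0.9.40003 > asptest.localdomain.http: S 300:300(0) win 5840 <mss 1460>
11:53:22.400000 IP asptest.localdomain.1077 > 192.168.228.153.domain: udp 46
22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)
347 packets captured
""".splitlines()

if __name__ == "__main__":
    flows = summarize(SAMPLE_LINES)
    for key, f in sorted(flows.items()):
        print(f"{key[0]} {key[1]} -> {key[2]}: {f['packets']} pkt, {f['bytes']} bytes")
    print("unanswered SYNs:", half_open(flows))
```

On the constructed lines, summarize() yields six flows (the two ssh data segments total 184 payload bytes, as the (52) and (132) lengths in the article's own capture show), and half_open() reports the SYNs to the telnet and http ports as unanswered while the ssh connection, which got its "S ... ack 101" back, is not. In practice you would feed it the output of tcpdump -l -nn piped into the script, with -l making the output line-buffered so the summary keeps up with the capture.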