Linux---TCPdump tools


1. tcpdump

tcpdump ("dump the traffic on a network") is a packet-capture and analysis tool that intercepts packets on the network according to filters the user defines. It captures the "head" of packets in transit and presents them for analysis. Filters can be expressed in terms of the network layer, protocol, host, network or port, and the logical operators and, or and not help drop irrelevant traffic.

tcpdump takes parameters that specify the type, address, port and so on of the packets to monitor; using these filtering rules well lets you quickly narrow a network problem down to its cause.

2. Usage of tcpdump

Under normal circumstances, starting tcpdump with no arguments captures all packets flowing through the first network interface.

tcpdump is a command-line tool; its command format is:
 # tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]

(1). Introduction to tcpdump options

-c count: stop after receiving the specified number of packets;
-F file: read the filter expression from the specified file and ignore any expression given on the command line;
-i interface: specify the network interface to listen on;
-r file: read packets from the specified file (such files are usually produced with the -w option);
-w file: write the raw packets to the file instead of parsing and printing them;
-T type: interpret the captured packets directly as the specified message type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).


Common forms of expression are:
'host foo', 'host 127.0.0.1': capture the packets of a single host;
'net 192.168': capture the packets of a whole network;
'src host 127.0.0.1', 'dst net 192.168': add a source (src) or destination (dst) restriction;
'tcp port 21': a protocol test such as tcp, udp, arp or ether can be combined with the other conditions;
and and or can be used to combine conditions in the packet display.

(2). Introduction to tcpdump expressions

An expression is the pattern tcpdump uses as the condition for filtering packets: a packet is captured only if it satisfies the expression. If no condition is given, all packets on the network are intercepted. An expression is generally built from several kinds of keywords.

The first kind is the type keyword, mainly host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says that the port number is 23. If no type is specified, the default type is host.

The second kind determines the direction of transmission: src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind is the protocol keyword: fddi, ip, arp, rarp, tcp, udp and others. fddi selects a specific network protocol on FDDI (Fiber Distributed Data Interface); in fact it is an alias of ether, because FDDI and Ethernet frames carry similar source and destination addresses, so FDDI packets can be handled and analysed like Ethernet packets. The other keywords select the protocol of the captured packets. If no protocol is specified, tcpdump listens for packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater. There are also three logical operations: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions to meet whatever need arises.

a. To intercept all packets received and sent by host 210.27.48.1:

# tcpdump host 210.27.48.1

b. To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (when using parentheses on the command line, be sure to escape them with '\'):

# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

c. To get the IP packets that host 210.27.48.1 exchanges with all hosts except host 210.27.48.2:

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

d. To get the Telnet packets received or sent by host 210.27.48.1:

# tcpdump tcp port 23 and host 210.27.48.1

e. To monitor UDP port 123 on this machine (port 123 is the NTP service port):

# tcpdump udp port 123

f. The system will only monitor the packets of the host named hostname; hostname can be the local host or any computer on the network. The following command reads all data sent by the host hostname:

# tcpdump -i eth0 src host hostname

g. The following command monitors all packets sent to the host hostname:

# tcpdump -i eth0 dst host hostname

h. Packets can also be monitored by specifying the gateway:

# tcpdump -i eth0 gateway Gatewayname

i. If you also want to monitor the TCP or UDP packets addressed to a specified port on that host, run:

# tcpdump -i eth0 host hostname and port 80



(3). Introduction to tcpdump output

The output of several typical tcpdump commands:

a. Data link layer header information
Use the command: # tcpdump -e host ice
ice is a Linux host with MAC address 0:90:27:58:af:1a; h219 is a Sun workstation running Solaris with MAC address 8:0:20:79:5b:46. The output of the command above is:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12 is the time shown and 847509 is the ID number; eth0 < means the packet was received on network interface eth0, while eth0 > would mean the packet was sent out of that interface. 8:0:20:79:5b:46 is the MAC address of host h219, showing that the packet was sent from h219; 0:90:27:58:af:1a is the MAC address of host ice, showing that the packet's destination is ice. ip means the packet is an IP packet and 60 is the packet length; h219.33357 > ice.telnet means the packet went from port 33357 on host h219 to the Telnet port (23) on host ice. ack 22535 indicates a response to the packet with sequence number 22535, and win 8760 means the send window size is 8760.

b. tcpdump output for ARP packets

Use the command: # tcpdump arp

The resulting output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42 is the timestamp and 802509 is the ID number; eth0 > means the packet was sent from this host; arp means it is an ARP request packet; who-has route tell ice means host ice is asking for the MAC address of host route; 0:90:27:58:af:1a is the MAC address of host ice.

c. Output for TCP packets

The general output for TCP packets captured with tcpdump is:

src > dst: flags data-seqno ack window urgent options
src > dst indicates the source address and the destination address; flags is the flag information in the TCP packet, where S is the SYN flag, F is FIN, P is PUSH, R is RST and "." means no flag is set; data-seqno is the sequence number of the data in the packet; ack is the next expected sequence number; window is the size of the receive buffer; urgent indicates whether the packet carries an urgent pointer; options are the TCP options.

d. Output for UDP packets

The general output for UDP packets captured with tcpdump is:

route.port1 > ice.port2: udp length
UDP is very simple: the line above shows a UDP packet sent from port port1 on host route to port port2 on host ice; the type is udp and the packet length is length.
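As an added example that is not from the original article, the following Python parser splits the old-style output lines shown in a to d above into the fields the analysis paragraphs name. The first three sample lines are the page's own, joined onto single lines; the fourth is a constructed UDP line in the route.port1 > ice.port2: udp length layout.

```python
import re

# Constructed input: the page's sample lines (old Linux tcpdump layout) plus one
# constructed UDP line; no live capture is needed.
SAMPLE_LINES = [
    "21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
    "22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)",
    "22:40:01.000123 eth0 > route.1025 > ice.53: udp 41",
]

HEAD = re.compile(r"^(\d\d:\d\d:\d\d)\.(\d{6}) (\S+) ([<>]) (.*)$")   # time iface dir rest
LINK = re.compile(r"^([0-9a-f:]+) ([0-9a-f:]+) (\w+) (\d+): (.*)$")     # -e: src mac, dst mac, type, len
ARP = re.compile(r"^arp (who-has|reply) (\S+) (tell|is-at) (\S+)")
ENDS = re.compile(r"^(\S+)\.(\w+) > (\S+)\.(\w+):?\s*(.*)$")             # src.port > dst.port tail

def parse_line(line):
    """Split one old-style tcpdump output line into the fields the page explains."""
    m = HEAD.match(line)
    if not m:
        raise ValueError("unrecognised line: " + line)
    rec = {"time": m[1], "usec": int(m[2]), "iface": m[3],
           "direction": "in" if m[4] == "<" else "out"}        # '<' received, '>' sent
    rest = m[5]
    lm = LINK.match(rest)                                       # link-layer header, -e only
    if lm:
        rec.update(src_mac=lm[1], dst_mac=lm[2], ethertype=lm[3], length=int(lm[4]))
        rest = lm[5]
    am = ARP.match(rest)
    if am:                                                      # who-has X tell Y / reply X is-at MAC
        rec.update(proto="arp", op=am[1], subject=am[2], info=am[4])
        return rec
    em = ENDS.match(rest)
    if not em:
        raise ValueError("no src > dst pair in: " + rest)
    rec.update(src=em[1], sport=em[2], dst=em[3], dport=em[4])
    tail = em[5]
    if tail.startswith("udp"):                                  # route.port1 > ice.port2: udp length
        rec.update(proto="udp", udp_len=int(tail.split()[1]))
        return rec
    rec["proto"] = "tcp"
    fl = re.match(r"([SFPR.]+)\s", tail)                        # flags field, when printed
    rec["flags"] = fl[1] if fl else ""
    for key, pat in (("seq", r"(\d+:\d+)\(\d+\)"), ("ack", r"ack (\d+)"), ("win", r"win (\d+)")):
        hit = re.search(pat, tail)
        rec[key] = hit[1] if hit else None
    rec["df"] = "(DF)" in tail                                  # don't-fragment bit
    return rec

def parse_all(lines=SAMPLE_LINES):
    return [parse_line(line) for line in lines]
```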

3. Auxiliary tools

(1) To view TCP or UDP port usage, use netstat -anp.
If some processes are not shown (the program column only contains "-"), try
sudo netstat -anp
To see which process holds a particular port, use the lsof command, for example:
sudo lsof -i :631

-bash-3.00# netstat -tln

The netstat -tln command shows which ports are listening on Linux.

/etc/init.d/vsftp start is used to start the FTP service.

See the file /etc/services.

netstat

View connected service ports (ESTABLISHED)

netstat -a

View all service ports (LISTEN, ESTABLISHED)

sudo netstat -ap

View all service ports and show the corresponding program name

nmap <scan type> <scan parameters>

For example:

nmap localhost

nmap -p 1024-65535 localhost

nmap -PT 192.168.1.127-245

When we use netstat -apn to view network connections, we find many lines like the following:

Proto Recv-Q Send-Q Local Address           Foreign Address         State        PID/Program name
tcp        0      0 218.104.81.152:7710     211.100.39.250:29488    ESTABLISHED  6111/1

This shows that the server has port 7710 open. Which program does this port belong to? We can query it with the lsof -i :7710 command:

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd    1990 root    3u  IPv4   4836      TCP  *:7710 (LISTEN)

So we learn that port 7710 belongs to the sshd program.

(2) Troubleshooting error messages from the tcpdump command

tcpdump: no suitable device found
tcpdump: no devices found /dev/bpf4: A file or directory in the path name does not exist.
There are two possible causes:
1. Insufficient privileges; generally there is nothing to fix, since only the root user can use tcpdump.
2. By default only 4 tcpdump instances can run at the same time; if they are all in use, this error is reported and the extra tcpdump processes must be stopped.




This article is from the "Flower Open Shore" blog, please be sure to keep this source http://zxtong.blog.51cto.com/10697148/1794707
