Linux tcpdump command usage

Source: Internet
Author: User
This article describes in detail how to use the tcpdump command on Linux.

The tcpdump command dumps the traffic on a network. It is a packet analysis tool that captures the packets passing through a network interface and selects them according to a filter expression the user defines.

tcpdump captures the headers of the packets on the network (and, given a large enough snapshot length, their payloads) for analysis. Filters can select on protocol (link layer, IP, TCP, UDP, ICMP and so on), host, network or port, and the logical operators and, or and not combine them so that uninteresting traffic is dropped before it is ever printed or written out. Capturing requires root privileges or the CAP_NET_RAW capability.

Practical command examples

Start with the defaults

tcpdump

Started with no arguments, tcpdump listens on the first network interface it finds (the lowest-numbered interface that is up, excluding loopback) and prints every packet flowing through it until it is interrupted with Ctrl-C.

Monitor the packets of a specified network interface

tcpdump -i eth1

If no interface is specified, tcpdump only monitors the first network interface, which is traditionally eth0; on current distributions the name is more likely to be something like ens3 or enp0s3, and tcpdump -D lists the interfaces that can be opened. -i any captures on all interfaces at once, using the Linux cooked-capture pseudo-header instead of Ethernet headers. Most of the following examples omit the interface.

Monitor the packets of a specified host

Print all packets that enter or leave sundown (host names are resolved when the filter is compiled, so the name must resolve on the capturing machine).

tcpdump host sundown

An IP address works just as well. This captures all packets received or sent by 210.27.48.1:

tcpdump host 210.27.48.1

Print the packets exchanged between helios and either hot or ace. The parentheses group the or; they are escaped so that the shell does not interpret them (quoting the whole expression in single quotes does the same).

tcpdump host helios and \( hot or ace \)

Capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

Print the IP packets that ace exchanges with any other host, excluding those exchanged with helios.

tcpdump ip host ace and not helios

The same with addresses: IP packets between 210.27.48.1 and any host except 210.27.48.2. The operator ! is equivalent to not; quote the expression, because ! triggers history expansion in an interactive bash shell.

tcpdump 'ip host 210.27.48.1 and ! 210.27.48.2'

Capture all packets sent by host hostname

tcpdump -i eth0 src host hostname

Capture all packets sent to host hostname

tcpdump -i eth0 dst host hostname

Monitor the packets of a specified host and port

To capture the telnet packets (TCP port 23) received or sent by host 210.27.48.1:

tcpdump tcp port 23 and host 210.27.48.1

Monitor UDP port 123 on the local machine; port 123 is the NTP service port.

tcpdump udp port 123

Monitor the packets of a specified network

Print all traffic between local hosts and hosts on the Berkeley network. ucb-ether is a network name from the original tcpdump manual; in practice you would give a network name from /etc/networks or a CIDR prefix such as net 192.168.1.0/24.

tcpdump net ucb-ether

Print all FTP packets passing through the gateway snup. The expression is enclosed in single quotes so that the shell does not interpret the parentheses. gateway only works with a name that resolves both to an IP address and, through /etc/ethers, to an Ethernet address: it matches packets whose Ethernet source or destination is snup but whose IP source and destination are both other hosts.

tcpdump 'gateway snup and (port ftp or ftp-data)'

Print the IP packets that are neither sourced from nor destined to a host on the local network. If the local network reaches other networks only through a single gateway, such packets should never appear on the local segment, so this filter is a quick check for misrouted or spoofed traffic. Replace localnet with the name or CIDR prefix of the local network.

tcpdump ip and not net localnet

Monitor the packets of a specified protocol

Print the start and end packets (the SYN and FIN segments) of each TCP conversation that involves a host outside the local network. Replace localnet with the name or CIDR prefix of the local network.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Print all IPv4 packets to or from port 80 that carry data, skipping the SYN, FIN and ACK-only segments that carry none. (Writing the IPv6 version is left as an exercise.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

How the expression works: ip[2:2] is the two-byte total length field of the IPv4 header, the length of the whole IP packet. ip[0] & 0xf is the IHL field, the IP header length in 32-bit words, so shifting it left by 2 multiplies by 4 and gives the header length in bytes. tcp[12] & 0xf0 is the TCP data offset field, the TCP header length in 32-bit words stored in the upper four bits of byte 12; shifting it right by 4 gives the word count and shifting left by 2 converts words to bytes, and the two shifts combine into a single shift right by 2. Total length minus IP header length minus TCP header length is the number of TCP payload bytes, and != 0 selects the packets that actually carry data. For IPv6 the payload length field of the IPv6 header (ip6[4:2]) already excludes the fixed 40-byte header, so only the TCP header length has to be subtracted; the ip6[] offsets assume there are no extension headers, and older libpcap versions do not support tcp[] offsets on IPv6 packets at all.

Print the IP packets passing through gateway snup that are longer than 576 bytes (ip[2:2] is the IPv4 total length field)

tcpdump 'gateway snup and ip[2:2] > 576'

Print the IP-layer broadcast or multicast packets that were not sent as Ethernet-layer broadcast or multicast. ether[0] & 1 is the group bit of the destination MAC address, so = 0 means an Ethernet unicast frame; ip[16] is the first byte of the destination IP address, and values of 224 and above cover the multicast range 224.0.0.0/4 and the broadcast address 255.255.255.255.

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

Print the ICMP packets that are neither echo request nor echo reply, that is, all ICMP traffic not generated by a ping (echo request and echo reply are the packets ping sends and receives).

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump and Wireshark

Wireshark (formerly Ethereal) is an easy-to-use graphical packet analyzer. It runs on Linux as well as Windows, but the server under investigation usually has no display, so the two tools are commonly combined: capture on the Linux machine with tcpdump, then analyze the file in Wireshark on a workstation.

tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and not dst port 22 and src net 192.168.1.0/24'

(1) tcp: the protocol qualifier (ip, icmp, arp, rarp, tcp, udp and so on) is part of the filter expression, not an option; the expression comes after all options and is best enclosed in single quotes.
(2) -i eth1: capture only on interface eth1.
(3) -t: do not print timestamps. It only affects printed output; the file written by -w always records them.
(4) -s 0: snapshot length. Old tcpdump versions truncated every packet to 68 bytes by default, so -s 0 was needed to capture complete packets; tcpdump 4.0 and later default to 262144 bytes, and the option is usually redundant now.
(5) -c 100: stop after 100 packets.
(6) not dst port 22: exclude packets whose destination port is 22, so that the SSH session you are running the capture from does not end up in it.
(7) src net 192.168.1.0/24: the source address of the packet is in 192.168.1.0/24.
(8) -w ./target.cap: write the raw packets to a pcap file instead of printing them, for later analysis with Wireshark or tcpdump -r.

Capture HTTP packets using tcpdump

tcpdump -XvvennSs 0 -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'

0x4745 is the ASCII encoding of "GE", the first two letters of "GET", and 0x4854 is "HT", the first two letters of "HTTP", so the filter selects segments whose payload starts with a request line or a status line. The options print each packet in hex and ASCII (-X) with maximum verbosity (-vv) and the link-layer header (-e), without resolving host names or port numbers (-nn), with absolute rather than relative TCP sequence numbers (-S), and with the full packet length (-s 0). Note that tcp[20:2] is a fixed offset that assumes a 20-byte TCP header; segments that carry TCP options (window scale, SACK, timestamps) have a longer header, the bytes at offset 20 are then option bytes, and such requests are missed.
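As an added example that is not part of the original article, the following Python script applies the same byte-offset arithmetic as the two filters above (the payload-length test for port 80 and the tcp[20:2] HTTP match) to packets it constructs itself, and also implements the variable-offset form tcp[((tcp[12] & 0xf0) >> 2):4] = 0x47455420, a standard pcap-filter idiom that follows the TCP data offset field instead of assuming a 20-byte header. All packets, addresses and ports in it are constructed test data, and checksums are left at zero because the filters never examine them.

```python
"""Added example: evaluating the byte-offset filters on this page in Python.

Builds constructed IPv4/TCP packets (not real captures) and applies the
arithmetic that the tcpdump expressions use:

  ip[2:2]                IPv4 total length (two bytes at offset 2)
  (ip[0] & 0xf) << 2     IPv4 header length: IHL is in 32-bit words, so *4
  (tcp[12] & 0xf0) >> 2  TCP header length: data offset in words, so *4
  tcp[20:2]              payload bytes 0-1 only when the TCP header is 20 bytes

The variable-offset form tcp[((tcp[12] & 0xf0) >> 2):4] = 0x47455420 ("GET ")
is implemented too, to show that it survives TCP options and the fixed one does not.
"""
import struct


def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"", flags: int = 0x18) -> bytes:
    """IPv4 header + TCP header (+ options) + payload. Addresses, ports and
    sequence numbers are arbitrary test values; checksums are left at zero."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    tcp_hlen = 20 + len(tcp_options)
    total_len = 20 + tcp_hlen + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,                    # version 4, IHL 5 (20 bytes)
                         0, total_len, 0x1234, 0, 64,
                         6,                       # protocol 6 = TCP
                         0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_offset = (tcp_hlen // 4) << 4            # upper nibble of TCP byte 12
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options + payload


def ip_field(pkt: bytes, off: int, size: int = 1) -> int:
    """ip[off:size]: big-endian integer at an offset from the IPv4 header.
    Returns -1 when the packet is too short, mirroring BPF, where a load past
    the end of the packet simply makes the packet not match."""
    chunk = pkt[off:off + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else -1


def tcp_field(pkt: bytes, off: int, size: int = 1) -> int:
    """tcp[off:size]: the same, relative to the start of the TCP header."""
    ihl = (pkt[0] & 0x0f) << 2
    return ip_field(pkt, ihl + off, size)


def has_tcp_payload(pkt: bytes) -> bool:
    """((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0"""
    total = ip_field(pkt, 2, 2)
    ip_hlen = (ip_field(pkt, 0) & 0x0f) << 2
    tcp_hlen = (tcp_field(pkt, 12) & 0xf0) >> 2
    return (total - ip_hlen - tcp_hlen) != 0


def http_fixed_offset(pkt: bytes) -> bool:
    """tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854 (assumes a 20-byte TCP header)."""
    return tcp_field(pkt, 20, 2) in (0x4745, 0x4854)          # "GE" / "HT"


def http_variable_offset(pkt: bytes) -> bool:
    """tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420 or = 0x48545450 ("GET " / "HTTP")."""
    tcp_hlen = (tcp_field(pkt, 12) & 0xf0) >> 2
    return tcp_field(pkt, tcp_hlen, 4) in (0x47455420, 0x48545450)


# Constructed packets: a plain GET, the same GET behind a 12-byte TCP timestamp
# option (NOP, NOP, kind 8, length 10, 8 bytes of timestamps), and a bare ACK.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8
GET_PLAIN = build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
GET_WITH_OPTS = build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", tcp_options=TS_OPTION)
ACK_ONLY = build_ipv4_tcp(b"", flags=0x10)

if __name__ == "__main__":
    for name, pkt in (("GET_PLAIN", GET_PLAIN), ("GET_WITH_OPTS", GET_WITH_OPTS), ("ACK_ONLY", ACK_ONLY)):
        print(f"{name:14s} payload={has_tcp_payload(pkt)!s:5} "
              f"fixed={http_fixed_offset(pkt)!s:5} variable={http_variable_offset(pkt)}")
```

Running it prints one line per constructed packet. The GET behind a timestamp option is the case that matters: the fixed-offset filter reads the option bytes 0x0101 at tcp[20:2] and misses the request, while the variable-offset filter matches it; the bare ACK fails both, as it should.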

tcpdump does not fully decode the captured data; beyond the protocol headers it understands, packet contents are printed only in hexadecimal, which is inconvenient for troubleshooting. The usual approach is to capture with the -w option, which writes the raw packets to a file, and to decode that file afterwards with another program such as Wireshark (or with tcpdump -r). Always give a filter expression as well, and consider -C and -W, which rotate the output across a fixed number of files of a fixed size, so that a long-running capture cannot fill the disk.

Meaning of the output

The general format of a tcpdump line is: timestamp, protocol, source host.port > destination host.port: packet parameters.

The details of the output depend on the protocol. The most common formats are briefly described below, with examples.

Link layer header

On FDDI networks, -e causes tcpdump to print the frame control field, the source and destination addresses, and the packet length. (The frame control field governs how the rest of the packet is interpreted.) Normal packets, such as those carrying IP datagrams, are async packets with a priority between 0 and 7; async4, for example, is an asynchronous packet with priority 4. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet, and the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.

On Token Ring networks, -e causes tcpdump to print the access control and frame control fields, the source and destination addresses, and the packet length. As on FDDI, packets are assumed to contain an LLC packet. Whether or not -e is given, the source routing information is printed for source-routed packets.

On 802.11 networks (wireless LANs), -e causes tcpdump to print the frame control field, all the addresses in the 802.11 header, and the packet length. As on FDDI, packets are assumed to contain an LLC packet.

(Note: the following description assumes familiarity with the SLIP header compression algorithm described in RFC 1144. SLIP is the Serial Line Internet Protocol.)

On SLIP links, a direction indicator ("I" for inbound, "O" for outbound), the packet type and the compression information are printed. The packet type is printed first. The three types are ip, utcp (uncompressed TCP) and ctcp (compressed TCP). No further link information is printed for ip packets. For TCP packets, the connection identifier is printed after the type. If the packet is compressed, its encoded header is printed. The special cases are printed as *S+n and *SA+n, where n is the amount by which the sequence number (or the sequence number and the acknowledgement number) has changed. If the packet is not a special case, zero or more changes are printed. A change is indicated by one of the flags U (urgent pointer), W (window), A (acknowledgement), S (sequence number) or I (packet ID), followed by a delta (+n or -n) or a new value (=n). Finally, the amount of data in the packet and the compressed header length are printed.

For example, the following line shows an outbound compressed TCP packet with an implicit connection identifier; the acknowledgement number has changed by 6, the sequence number by 49 and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:

O ctcp * A+6 S+49 I+6 3 (6)

ARP/RARP packets

The output for ARP/RARP packets shows the type of request and its arguments; the format is intended to be self-explanatory. The following sample was taken from the start of an rlogin (remote login) from host rtsg to host csam:

arp who-has csam tell rtsg
arp reply csam is-at CSAM

The first line says that rtsg sent an ARP request (a broadcast to the whole segment) asking for the Ethernet address of the internet host csam. csam replies with its own Ethernet address (in this example, Ethernet addresses are printed in capitals and internet addresses, that is IP addresses, in lower case).

With tcpdump -n, the Ethernet and IP addresses are shown instead of names:

arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

With tcpdump -e, it becomes visible that the first packet is a broadcast and the second is point-to-point:

RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM

For the first packet this says that the Ethernet source address is RTSG, the destination is the Ethernet broadcast address, the type field contained the hexadecimal value 0806 (ETHER_ARP, the ARP packet type), and the total length was 64 bytes.

Because ARP has no authentication, any host on the segment can answer a who-has with a reply naming its own address, so this -e output is exactly what you examine when investigating ARP spoofing: a reply for an IP address arriving from an unexpected source MAC, or two different MACs answering for the same IP.
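As an added example that is not part of the original article, the following Python script parses constructed tcpdump lines in the per-line format described under "Meaning of the output" (timestamp, source host.port > destination host.port: Flags [...]) and in the ARP request/reply format shown above, accepting both the classic spelling used here and the spelling current tcpdump prints with -n (ARP, Request who-has ... / ARP, Reply ... is-at ...). It then runs two checks a responder would actually want over such output: hosts that send bare SYNs to many distinct ports, and one IP address claimed by more than one MAC in ARP replies, which is what ARP spoofing looks like on the wire. The sample lines and the threshold of three ports are constructed for the example, not taken from a real capture.

```python
"""Added example: parsing tcpdump text output for two quick checks.

Given lines as printed by `tcpdump -n`, extract the fields described on this
page and look for
  1. hosts sending SYN-only segments to many distinct ports (port-scan shape),
  2. one IP address claimed by more than one MAC in ARP replies (the shape of
     ARP spoofing; ARP has no authentication).
The log lines below are constructed for the example, not a real capture.
"""
import re
from collections import defaultdict

# 10:12:33.000001 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 100, win 64240, length 0
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")
# Classic and current spellings: "arp who-has A tell B" /
# "ARP, Request who-has A tell B, length 28", and the matching replies.
ARP_REQ = re.compile(r"(?:arp|ARP, Request) who-has (?P<target>[^\s,]+) tell (?P<sender>[^\s,]+)")
ARP_REP = re.compile(r"(?:arp reply|ARP, Reply) (?P<ip>[^\s,]+) is-at (?P<mac>[0-9a-fA-F:]+)")


def parse_line(line: str):
    """Return a dict describing one tcpdump line, or None if it is not recognised."""
    m = TCP_LINE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "tcp"
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        return rec
    m = ARP_REQ.search(line)
    if m:
        return {"kind": "arp-request", **m.groupdict()}
    m = ARP_REP.search(line)
    if m:
        return {"kind": "arp-reply", **m.groupdict()}
    return None


def syn_scan_sources(lines, min_ports: int = 3) -> set:
    """Sources that sent SYN-only segments (Flags [S]) to at least min_ports
    distinct (destination, port) pairs. A SYN/ACK prints as [S.] and does not count."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "tcp" and rec["flags"] == "S":
            targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src for src, t in targets.items() if len(t) >= min_ports}


def arp_conflicts(lines) -> dict:
    """IP addresses claimed by more than one MAC in ARP replies: {ip: {mac, ...}}."""
    macs = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "arp-reply":
            macs[rec["ip"]].add(rec["mac"].lower())
    return {ip: m for ip, m in macs.items() if len(m) > 1}


# Constructed sample output (three bare SYNs from 10.0.0.5, one SYN/ACK back,
# one SYN from another host, and two different MACs answering for 10.0.0.1).
SAMPLE = """\
10:12:33.000001 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 100, win 64240, length 0
10:12:33.000002 IP 10.0.0.5.51235 > 10.0.0.9.80: Flags [S], seq 101, win 64240, length 0
10:12:33.000003 IP 10.0.0.5.51236 > 10.0.0.9.443: Flags [S], seq 102, win 64240, length 0
10:12:33.000004 IP 10.0.0.9.22 > 10.0.0.5.51234: Flags [S.], seq 7, ack 101, win 65160, length 0
10:12:33.000005 IP 10.0.0.7.40000 > 10.0.0.9.80: Flags [S], seq 5, win 64240, length 0
10:12:34.000000 arp who-has 10.0.0.1 tell 10.0.0.9
10:12:34.000100 arp reply 10.0.0.1 is-at 02:07:01:00:01:c4
10:12:35.000000 ARP, Reply 10.0.0.1 is-at 02:07:01:00:01:c5, length 28
""".splitlines()

if __name__ == "__main__":
    print("SYN scan candidates:", syn_scan_sources(SAMPLE))
    print("ARP conflicts:", arp_conflicts(SAMPLE))
```

The checks are deliberately shape-based rather than signature-based: a handful of SYNs to distinct ports from one source and two MACs answering for one IP are things tcpdump shows you directly once the lines are split into fields, and a real deployment would only change the thresholds and read the lines from tcpdump -l -n piped in.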
