The following describes in detail how the tcpdump command is used on Linux; readers who need it can refer to it.
tcpdump ("dump traffic on a network") is used to intercept packets on the network. Depending on the network interface specified, different packets can be intercepted: it prints a description of the contents of the packets on that interface that match the given filter expression. When tcpdump finishes capturing, it prints a summary like the following:
9 packets captured
56 packets received by filter
17 packets dropped by kernel
A non-zero "dropped by kernel" count means the kernel's capture buffer overflowed and the capture is incomplete; before relying on a capture as evidence, narrow the filter, write raw packets with -w instead of decoding them live, or enlarge the buffer with -B.
Of course, reading packets off the network requires privileges, such as those of the Linux superuser (root).
tcpdump usage
tcpdump -A prints each packet in ASCII, which is convenient for intercepting web pages.
tcpdump -D prints the network interfaces available on the current system; an interface from this list can then be selected with the -i option.
tcpdump -F file uses the file as input for the filter expression.
tcpdump -i interface listens on the specified interface. If this option is not given, tcpdump searches the system interface list for the lowest-numbered configured interface (excluding loopback) and listens on that.
tcpdump -l makes standard output line-buffered. If you want to view data while packets are still being intercepted, you can use the following command:
tcpdump -l > dat & tail -f dat
tcpdump -S prints absolute rather than relative TCP sequence numbers.
tcpdump -w file writes the intercepted raw packets to a file instead of parsing and printing them.
If no expression is given, all packets on the network are intercepted.
Example: TCP packets
The general form of a TCP line in tcpdump's output is:
src > dst: flags data-seqno ack window urgent options (options include MSS, timestamp and window scale)
1. Intercepting TCP packets by specific flag bits. The TCP header has eight control bits:
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
In the structure of the TCP header (bit offsets along the top):
 0               15 16             31
-------------------------------------
|  Source port   | Destination port |
-------------------------------------
|         Sequence number           |
-------------------------------------
|      Acknowledgment number        |
-------------------------------------
| HL |rsvd|C|E|U|A|P|R|S|F| Window  |
-------------------------------------
|  TCP checksum  | Urgent pointer   |
-------------------------------------
The control bits occupy the 14th octet of the TCP header, i.e. the byte at zero-based offset 13, which the filter language addresses as tcp[13]:
  7   6   5   4   3   2   1   0
|---|---|---|---|---|---|---|---|
| C | E | U | A | P | R | S | F |
|---|---|---|---|---|---|---|---|
When only the SYN bit is 1, the binary value of this octet is 00000010, i.e. 2.
Therefore, the expression that intercepts only TCP packets whose flags are exactly SYN = 1 (all other flags 0) is:
tcpdump -i 2 'tcp[13] = 2'
tcp[13] = 2 means "the octet at offset 13 of the TCP header equals 2". Quote the expression so the shell does not try to expand the brackets as a filename pattern.
2. If a TCP packet carries both SYN and ACK (a SYN-ACK) and we still want to treat it as a SYN packet, how should it be intercepted?
  7   6   5   4   3   2   1   0
|---|---|---|---|---|---|---|---|
| C | E | U | A | P | R | S | F |
|---|---|---|---|---|---|---|---|
In this case the octet is 00010010 in binary, i.e. 18.
Writing tcp[13] = 18 would not do: it intercepts only SYN-ACK packets and misses packets with SYN alone. To match on the SYN bit regardless of the other flags, test only that bit with a bitwise AND:
'tcp[13] & 2 = 2'
Note: in tcpdump's output a SYN-ACK packet shows its flags as [S.]; the '.' stands for ACK.
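As an added illustration of the tcp[13] arithmetic above (example code written for this page, not code from tcpdump or its manual), the following Python builds three constructed TCP headers for a handshake and evaluates the two filters against them. Ports, sequence numbers and the handshake itself are invented sample data; the one-letter flag names follow the order tcpdump uses when it prints Flags [...].

```python
import struct

# One-letter flag names in the order tcpdump prints them (bit 0 of tcp[13] first);
# '.' is tcpdump's glyph for ACK, so a SYN-ACK is shown as [S.].
FLAG_BITS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08),
             (".", 0x10), ("U", 0x20), ("E", 0x40), ("W", 0x80)]
FLAG_VALUE = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
              "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (constructed sample data, not captured traffic).

    Byte 12 carries the data offset (5 words) in its high nibble; byte 13 is the
    control-bit octet that the filter expression tcp[13] refers to.
    """
    data_offset = 5 << 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def control_octet(hdr):
    """tcp[13]: the control bits, at zero-based offset 13 of the TCP header."""
    return hdr[13]


def match_syn_only(hdr):
    """Equivalent of the filter 'tcp[13] = 2': SYN set and every other bit clear."""
    return control_octet(hdr) == 2


def match_syn_any(hdr):
    """Equivalent of 'tcp[13] & 2 = 2': SYN set, other bits ignored (SYN and SYN-ACK)."""
    return control_octet(hdr) & 2 == 2


def flags_str(hdr):
    """Render tcp[13] the way tcpdump prints it: 'S' for SYN, 'S.' for SYN-ACK, '.' for ACK."""
    octet = control_octet(hdr)
    return "".join(ch for ch, bit in FLAG_BITS if octet & bit)


def filter_for(*names):
    """Build the 'tcp[13] & mask = mask' expression that requires all named flags."""
    mask = 0
    for n in names:
        mask |= FLAG_VALUE[n]
    return f"tcp[13] & {mask} = {mask}"


# Constructed three-way handshake (invented ports and sequence numbers).
SYN = tcp_header(40000, 80, 1000, 0, FLAG_VALUE["SYN"])
SYN_ACK = tcp_header(80, 40000, 5000, 1001, FLAG_VALUE["SYN"] | FLAG_VALUE["ACK"])
ACK = tcp_header(40000, 80, 1001, 5001, FLAG_VALUE["ACK"])

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("SYN-ACK", SYN_ACK), ("ACK", ACK)):
        print(f"{name:8} tcp[13]={control_octet(pkt):3d} Flags [{flags_str(pkt)}] "
              f"tcp[13]=2 -> {match_syn_only(pkt)!s:5} tcp[13]&2=2 -> {match_syn_any(pkt)}")
    print(filter_for("SYN", "ACK"))
```

Running it shows the SYN-ACK (octet 18) failing tcp[13] = 2 but passing tcp[13] & 2 = 2, and filter_for("SYN", "ACK") yields the expression that matches only the second leg of the handshake. Current tcpdump also accepts the symbolic form tcp[tcpflags] & tcp-syn != 0, which reads more clearly than the raw offsets and numbers.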
UDP packets
A UDP line has the form: actinide.who > broadcast.who: udp 84
This says that port who on host actinide sent a UDP datagram to port who on host broadcast, the Internet broadcast address; 84 is the number of bytes of UDP user data in the packet.
UDP name server requests
The request format is: src > dst: id op? flags qtype qclass name (len)
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)
Host h2opolo asked the domain server on host helios for an address record (qtype = A) associated with the name ucbvax.berkeley.edu.
The query id is 3, the '+' indicates that the recursion-desired flag was set, and the query length was 37 bytes, not including the UDP and IP headers.
UDP name server responses
src > dst: id op rcode flags a/n/au type class data (len)
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
This says that helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 additional records.
The first answer record is type A (address) and its data is the Internet address 128.32.137.3. The total size of the response was 273 bytes, excluding the UDP and IP headers.
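The two DNS line formats above are regular enough to parse mechanically, which is how tcpdump text output usually ends up being used in an investigation. The following Python is an added example written for this page (not part of tcpdump): it parses the request and response summaries into fields and pairs each query with its response by client endpoint and id, so that unanswered queries stand out. The sample lines are the two from this page plus three constructed ones (an NXDomain reply and an unanswered AAAA query); the flag glyphs decoded are only '+' (recursion desired), '*' (authoritative answer) and '|' (truncated), and the class is assumed to be IN since tcpdump prints only non-IN classes.

```python
import re

# Shapes of tcpdump's one-line DNS summaries, as documented on this page:
#   query:    src > dst: id[flags] [op] qtype? name (len)
#   response: src > dst: id [rcode][flags] a/n/au [type data, ...] (len)
# (len) is the DNS message size and excludes the UDP and IP headers.
_HEAD = r"^(?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)"

QUERY_RE = re.compile(
    _HEAD
    + r"(?P<flags>[+$|%-]*) "          # '+' = recursion desired
    + r"(?:\[\d+au\] )?"               # EDNS additional-record note printed by newer tcpdump
    + r"(?:(?P<op>[a-z_]+) )?"         # non-standard opcode such as inv_q
    + r"(?P<qtype>[A-Za-z0-9]+)\? "    # class is printed only when it is not IN
    + r"(?P<name>\S+) \((?P<len>\d+)\)$"
)

RESPONSE_RE = re.compile(
    _HEAD
    + r"(?: (?P<rcode>[A-Za-z]+))?"    # NXDomain, ServFail, ...; absent for NoError
    + r"(?P<flags>[*$|%-]*) "          # '*' = authoritative answer, '|' = truncated
    + r"(?P<ans>\d+)/(?P<ns>\d+)/(?P<add>\d+)"
    + r"(?: (?P<records>.+?))? \((?P<len>\d+)\)$"
)


def parse_line(line):
    """Parse one tcpdump DNS summary line into a dict; return None for any other line."""
    m = QUERY_RE.match(line.strip())
    if m:
        return {
            "kind": "query", "src": m["src"], "dst": m["dst"], "id": int(m["id"]),
            "rd": "+" in m["flags"], "op": m["op"], "qtype": m["qtype"],
            "name": m["name"], "len": int(m["len"]),
        }
    m = RESPONSE_RE.match(line.strip())
    if m:
        records = []
        if m["records"]:
            for rr in m["records"].split(", "):
                rtype, _, data = rr.partition(" ")
                records.append((rtype, data))
        return {
            "kind": "response", "src": m["src"], "dst": m["dst"], "id": int(m["id"]),
            "rcode": m["rcode"] or "NoError", "aa": "*" in m["flags"],
            "truncated": "|" in m["flags"],
            "counts": (int(m["ans"]), int(m["ns"]), int(m["add"])),
            "records": records, "len": int(m["len"]),
        }
    return None


def correlate(lines):
    """Pair queries with responses by (client endpoint, id); return (pairs, unanswered).

    The id is only 16 bits, so the client's host.port is part of the key.
    """
    pending, pairs = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            pending[(rec["src"], rec["id"])] = rec
        else:
            q = pending.pop((rec["dst"], rec["id"]), None)
            if q is not None:
                pairs.append((q, rec))
    return pairs, list(pending.values())


# Constructed sample: the two lines from this page plus invented follow-ups (not real traffic).
SAMPLE = [
    "h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)",
    "helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)",
    "h2opolo.1539 > helios.domain: 4+ A? no-such-host.example. (38)",
    "helios.domain > h2opolo.1539: 4 NXDomain* 0/1/0 (97)",
    "h2opolo.1540 > helios.domain: 5+ AAAA? ucbvax.berkeley.edu. (37)",
]

if __name__ == "__main__":
    pairs, unanswered = correlate(SAMPLE)
    for q, r in pairs:
        print(f"id {q['id']}: {q['qtype']}? {q['name']} -> {r['rcode']} "
              f"{r['counts']} {r['records']} ({r['len']} bytes)")
    for q in unanswered:
        print(f"id {q['id']}: {q['qtype']}? {q['name']} -> no response seen")
```

Feeding it real output from tcpdump -n -l port 53 works the same way; without -n, names such as helios above depend on tcpdump's own reverse lookups, which is something to keep in mind when the capture host cannot reach a resolver.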