Network protocol analysis tools under Linux: Getting Started with tcpdump

tcpdump Introduction

In traditional network analysis and testing techniques, sniffer (sniffer) is one of the most common and important techniques. The sniffer tool is designed primarily for network analysis by network administrators and network programmers. For network managers, the use of sniffer can grasp the actual situation of the network at any time, when the network performance drops dramatically, you can analyze the reasons through sniffer tools to find out the source of network congestion. For web programmers, the sniffer tool is used to debug programs.

Friends who have used sniffer tools on Windows platforms (for example, NetXRay and sniffer pro software) may know that in a shared LAN, using the Sniffer tool can be a glance at all traffic in the network! The sniffer tool is actually a grab tool on the web and can also be analyzed for captured packets. Because in a shared network, the packet is a network interface that broadcasts to all hosts on the network, but before the sniffer tool is used, the host's network device determines whether the packet should be received, so it discards packets that should not be received. The sniffer tool enables the host's network device to receive all incoming packets, thus achieving the network monitoring effect.

Linux as a network server, especially as routers and gateways, data acquisition and analysis is essential. So today we're going to look at Linux's powerful network data acquisition and Analysis tool--tcpdump.

The simplest way to define tcpdump is: Dump the traffice on a network, the packet analysis tool that intercepts packets on the network according to the user's definition.

As the Internet Classic system administrator necessary tools, tcpdump with its powerful function, flexible interception strategy, become each Senior system Administrator analysis Network, troubleshooting problems, such as one of the necessary dongdong.

As its name suggests, tcpdump can intercept the "head" of packets transmitted in the network to provide analysis. It supports filtering for network layers, protocols, hosts, networks, or ports, and provides logical statements such as and, or, not to help you get rid of useless information.

Tcpdump provides source code, exposes interfaces, and is highly scalable, and is a useful tool for network maintenance and intruders. Tcpdump exist in the basic FreeBSD system, because it needs to set the network interface to promiscuous mode, ordinary users can not perform normally, but the user with root permission to execute it directly to obtain information on the network. Therefore, the existence of network analysis tools in the system is not primarily a threat to native security, but to the security of other computers on the network.

Under normal circumstances, direct start tcpdump will monitor all packets flowing through the first network interface.

－－－－－－－－－－－－－－－－－－－－－－－
bash-2.02# tcpdump
tcpdump: listening on eth0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
^C
－－－－－－－－－－－－－－－－－－－－－－－－

First of all, we note that from the above output can be seen, basically tcpdump the total output format: System time source host. port > Target host. Port packet parameters