[O & M personnel? Why? 06] Using sniffer to diagnose Linux network faults? Why? 05] system security inspection tool-nmaphttp: // www.2cto.com/ OS /201304/200744.htmlfu O & M personnel are also known as sniffer in network security. [in O & M? Why? 06] Using sniffer to diagnose Linux network faults
[O & M personnel? Why? 05) system security inspection tool-nmap
Http://www.2cto.com/ OS /201304/200744.html
O & M personnel, good or false, such as sniffer)
Sniffer is a double-edged sword in the field of network security. it can be used as a network attack tool by hackers or helps O & M to diagnose network faults.
This article takes three common network sniffer Tcpdump, Ethereal and EtherApe on Linux as an example.
Describes how to use sniffer to diagnose network faults to ensure efficient and secure network operation.
However, because sniffer is too powerful, this article is just an introductory introduction. if you are interested, you can learn more.
● Tcpdump is a command line network traffic monitoring tool. It was born earlier and is the prototype of many graphical sniffing devices.
● Ethereal is a graphical network traffic monitoring tool, which is much more user-friendly than command line Tcpdump and allows you to view the capture process in real time.
● EtherApe is also a graphical network traffic monitoring tool. Unlike Ethereal, EtherApe can detect connections between hosts.
(I) Tcpdump
When the network performance drops sharply, you can use Tcpdump to analyze the cause and find out the root cause of network congestion.
Tcpdump can intercept packets received by the network card and help the network administrator analyze the contents.
It is a basic skill for O & M personnel to understand how to use Tcpdump to capture data packets of interest.
(1) Tcpdump installation
GNU/Linux distributions are installed by default, if not available to: http://www.tcpdump.org download
(2) Tcpdump command line options
Tcpdump is a command line network sniffer. if it is not filtered out, too many packages will make it difficult for O & M personnel to clarify the clues.
Tcpdump common command line options:
-A: converts network addresses and broadcast addresses into easily identifiable names.
-D: outputs the intercepted data packet code in a format that is easy to understand.
-Dd: outputs the intercepted data packet code in the C program format.
-Ddd: outputs the intercepted data packet code in decimal format.
-E: outputs the header information of the data link layer.
-F: outputs internet addresses in numbers.
-L: changes the standard output to the row buffer mode.
-N: do not convert the network address to a host name that is easy to recognize. only host addresses (such as IP addresses) are listed in numbers. This avoids DNS queries.
-T: No timestamp output
-V: outputs more detailed information, such as the TTL and service type information in the IP package.
-Vv: outputs detailed message information.
-C: exit after capturing a specified number of data packets
-F: Read the filtering rules from the specified file and ignore other filtering rules specified in the command line.
-I: network interface of the listener
-R: reads data packets from a specified file (this file is generally generated using the-w option)
-W: write the intercepted data packets directly to the specified file and do not analyze or output the data packets.
-T: The intercepted packets are directly interpreted as packets of the specified type.
(3) example
① Intercept five ARP packets from the specified network interface, and do not convert the network address to the host name [plain] [root @ Rocky ~] # Tcpdump arp-I eth0-c 5-n
Tcpdump: verbose output suppressed, use-v or-vv for full protocol decode
Listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:59:46. 728425 arp who-has 192.168.1.1 tell 192.168.1.110
11:00:17. 315719 arp who-has 192.168.1.1 tell 192.168.1.111
11:00:17. 317911 arp who-has 192.168.1.1 tell 192.168.1.111
11:00:17. 418271 arp who-has 192.168.1.1 tell 192.168.1.111
11:00:17. 418980 arp who-has 192.168.1.1 tell 192.168.1.111
5 packets captured
5 packets partitioned ed by filter
0 packets dropped by kernel
10: 59: 46: indicates the time when data packets are intercepted.
728425: the number of milliseconds
Arp: ARP request for this packet
Who-has 192.168.1.1 tell 192.168.1.110: indicates the MAC address of 110 Request 1
② Intercept all packets received and sent by the host "9.185.10.57"
Tcpdump host 9.185.10.57
③ Intercept data packets transmitted between the host "9.185.10.57" and the host "9.185.10.58" or "9.185.10.59"
Tcpdump host 9.185.10.57 and \> \ (9.185.10.58 or 9.185.10.59 \)
④ Intercept IP packets transmitted between the host "9.185.10.57" and all hosts except the host "9.186.10.58"
Tcpdump ip host 9.185.10.57 and! 9.185.10.58
⑤ Intercept FTP (Port: 21) packets received or sent by the host "9.185.10.57"
Tcpdump tcp port 21 host 9.185.10.57
⑥ If the system is suspected to be under (DoS) attacks, you can intercept all ICMP packets sent to the local machine to determine whether there are a large number of ping requests to the server.
Tcpdump icmp-n-I eth0
(Ii) Ethereal
(1) Download and Install
* ** Verify that the libpcap package has been installed ****
# Cp ethereal-0.9.9.tar.bz2/usr/local/src/
# Cd/usr/local/src/
# Bzip2-d ethereal-0.9.9.tar.bz2
# Tar xvf ethereal-0.9.9.tar
# Cd ethereal-0.9.9
#./Configure
# Make
# Make install
(2) simple capture process
It can be divided into two steps:
I. click "filter". you can select the filter directly from the preset conditions or create a filter by yourself. for example:
Filter name: Rocky
Filter string: host 124.127.185.106
II. click "capture" and fill in the filter conditions in the "capture filter" option box.
(Iii) EtherApe
(1) installation
# Gunzip etherape-0.9.11.tar.gz
# Tar vxf etherape-0.9.11.tar
# Cd etherape-0.9.11
#./Configure
# Make
# Make install
(2) simple capture process
It is roughly as follows:
I. click the "Pref." button to open "Preferences". on the "Capture" property page, click "Capture filter"
II if you are interested in IP data packets, you can switch EtherApe to IP mode. Click the "Capture" menu and select the "Mode" menu item