One Linux command per day---tcpdump

Source: Internet
Author: User
Tags: snmp, file transfer protocol

The one-line definition of tcpdump is: dump the traffic on a network. It captures packets on a network interface according to a filter the user supplies and either prints them or stores them for later analysis. By default it captures the "head" of each packet (the headers; with a large enough snapshot length, the whole payload as well). Filters can select by link-layer, network-layer or transport protocol, by host, by network or by port, and can be combined with the logical operators and, or and not, so that irrelevant traffic is discarded before it is ever printed or written to disk.

Example: an MMS service sends requests to the cloud-service address 221.226.48.130 on port 4710, and the request is to be captured to the file cal.cap. The command line on the source page is damaged; the tokens that survive (snapshot length 0, the host, the port, -w cal.cap) reconstruct to the following, with no interface given, so tcpdump picks the lowest-numbered configured non-loopback interface:

    tcpdump -s 0 host 221.226.48.130 and port 4710 -w cal.cap

Decoded, cal.cap contains the following HTTP exchange. It is re-assembled here from the page's flattened dump: the request line, the value of the response Date header and the response Content-Length were garbled beyond recovery and are left elided, and "200 OK" is inferred from the surviving reason phrase. Note that the Host header names port 5613 although the capture filter used port 4710; that discrepancy is in the source.

Request headers:

    User-Agent: Jakarta Commons-HttpClient/3.1
    Content-Type: application/json;charset=utf-8
    Accept: application/json
    Cache-Control: no-cache
    Pragma: no-cache
    Host: 221.226.48.130:5613
    Connection: keep-alive
    Content-Length: 573

Request body:

    {"publishevents":[{"JobId":"98abac78-ea96-4d74-b8ab-c801460bf751","Receivertype":"Account","Receiverid":"+8618718513091","Excludedresource":"NULL","Eventkey":"8618718513091","ChannelName":"Event","Eventdatas":["<eventid>14</eventid><data><?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<cs:notification xmlns:cs=\"http://calendarserver.org/ns/\" xmlns:d=\"DAV:\"><cs:dtstamp>20160107T140457Z</cs:dtstamp><cs:resource-change><cs:collection-changes><d:href>/dav/user/8618718513091/calendar</d:href></cs:collection-changes></cs:resource-change></cs:notification>\r\n</data>"]}]}

Response:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Date: Thu, ... Jan ... GMT
    Content-Length: ...
    Server: Jetty(7.4.5.v20110725)

    {"Publishresult":{"Result":{"Code":0,"Desc":"operation success."}}}

tcpdump does not fully decode what it captures: by default it prints a one-line summary per packet and, with -x or -X, the rest of the packet as raw hex. That is awkward for troubleshooting and for evidence handling, so the usual practice is to capture with -w to a file and decode it afterwards with another program such as Wireshark (or tcpdump -r). Always give a filter expression as well, and bound the capture with -c, or with -C together with -W for a rotating set of files, so that a long capture cannot fill the disk. Two further options matter on a shared host: -n avoids reverse-DNS lookups, which slow the capture and generate traffic of their own, and -Z drops root to an unprivileged user once the capture device has been opened.

tcpdump options (the list follows the tcpdump 3.x manual page; later releases add options and change some defaults, which is noted where it matters):

    tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
            [ -C file_size ] [ -F file ]
            [ -i interface ] [ -m module ] [ -M secret ]
            [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
            [ -W filecount ]
            [ -E spi@ipaddr algo:secret,... ]
            [ -y datalinktype ] [ -Z user ]
            [ expression ]

-A
    Print each packet (minus its link-level header) in ASCII. Handy for capturing web pages.

-c count
    Exit after receiving count packets.

-C file_size
    Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first have the name given with -w with a number appended, starting at 1 and increasing. The unit of file_size is millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d
    Dump the compiled packet-matching code (the BPF program built from the filter expression) in a human-readable form to standard output and stop. Useful for checking that a filter means what you think it means before starting a long capture.

-dd
    Dump the packet-matching code as a C program fragment.

-ddd
    Dump the packet-matching code as decimal numbers, preceded by a count.

-D
    Print the list of network interfaces on the system on which tcpdump can capture. For each interface a number, its name and possibly a description are printed; either the number or the name can be given to -i. This is useful on systems without a command to list interfaces (Windows, or UNIX systems lacking ifconfig -a); the number is useful on Windows 2000 and later, where interface names are long, complex strings. -D is not supported if tcpdump was built against a libpcap too old to have pcap_findalldevs().

-e
    Print the link-level header on each dump line.

-E spi@ipaddr algo:secret,...
    Decrypt IPsec ESP packets addressed to ipaddr that carry Security Parameter Index spi, using algorithm algo and key secret; the combination may be repeated, separated by commas or newlines. (ESP, the Encapsulating Security Payload, encrypts the whole inner IP packet in tunnel mode or only the transport-layer payload in transport mode.) algo may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none; the default is des-cbc. Decryption only works if tcpdump was compiled with cryptography enabled. secret is ASCII text; if it begins with 0x it is read as hexadecimal. The option follows the ESP of RFC 2406, not RFC 1827. It is intended for debugging only: passing a real key on the command line is unsafe, because other users on the host can read it from the process list with ps. Instead of the spi@ipaddr algo:secret syntax a file name may be given; the file is opened when the first ESP packet arrives, which is after tcpdump has given up any special privileges, so it must be readable by the unprivileged user.

-f
    Print "foreign" IPv4 addresses (addresses not on the local network) numerically rather than symbolically. This works around a bug in Sun's NIS (yp) server, which usually hangs forever translating non-local addresses. The test for "foreign" requires the capture interface's IPv4 address and netmask; if they are unavailable, or the interface has none (the Linux any pseudo-interface, for example), the option does not work correctly.

-F file
    Use file as input for the filter expression; any expression given on the command line is ignored.

-i interface
    Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest-numbered configured interface that is up (excluding loopback) and uses the first match. On Linux with 2.2 or later kernels, the pseudo-interface any captures packets from all interfaces; note that captures on any are not done in promiscuous mode. If -D is supported, the interface number it prints can be used here.

-l
    Make standard output line-buffered, so each line appears immediately instead of when the buffer fills. Useful when you want to watch the data while it is being captured, for example tcpdump -l | tee dat, or tcpdump -l > dat & tail -f dat.

-L
    List the known data link types for the interface (chosen with -i) and exit.

-m module
    Load SMI MIB module definitions from the file module, used when decoding SNMP. May be given several times to load several MIB modules.

-M secret
    Use secret as the shared secret for validating the digests of TCP segments that carry the TCP-MD5 option (RFC 2385). It is a shared secret, not a public key, so the same process-list caveat as for -E applies.

-n
    Do not convert addresses (host addresses, port numbers, etc.) to names.

-N
    Do not print the domain-name qualification of host names; for example, print nic instead of nic.ddn.mil.

-O
    Do not run the packet-matching code optimizer. Useful only if you suspect a bug in the optimizer.

-p
    Do not put the interface into promiscuous mode. The interface may be in promiscuous mode for some other reason, so -p is not a shorthand for the filter ether host {local-hw-addr} or ether broadcast.

-q
    Quick (quiet?) output: print less protocol information, so output lines are shorter.

-R
    Assume ESP/AH packets follow the old specification (RFC 1825 through RFC 1829). With this option tcpdump does not print the replay-prevention field. Since ESP/AH carry no protocol version field, tcpdump cannot deduce the version from the packet itself.

-r file
    Read packets from file (created with -w). Standard input is used if file is "-".

-S
    Print absolute rather than relative TCP sequence numbers. Relative numbering shows the offset from the first sequence number seen on the connection, so "seq 1" is the byte after the initial sequence number; absolute numbering prints the raw 32-bit value.

-s snaplen
    Capture snaplen bytes of data from each packet rather than the default of 68 (the SunOS NIT minimum is 96). 68 bytes is adequate for IP, ICMP, TCP and UDP headers but may truncate protocol information from name-server and NFS packets. Packets truncated by the snapshot limit are marked in the output with "[|proto]", where proto is the protocol level at which truncation occurred. A larger snapshot increases per-packet processing time and reduces the buffer space available, which can cause packet loss, so limit snaplen to the smallest value that captures the protocol information you need. 0 means capture whole packets. (Since tcpdump 4.0 the default snapshot length is 262144 bytes, so whole packets are normally captured unless -s is lowered.)

-T type
    Force packets selected by the expression to be interpreted as type. Known types: aodv (Ad-hoc On-demand Distance Vector protocol), cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool) and wb (distributed White Board).

-t
    Do not print a timestamp on each dump line.

-tt
    Print an unformatted timestamp (seconds since the epoch, for example 1261798315) on each dump line.

-ttt
    Print a delta, with microsecond resolution, between the current and the previous line.

-tttt
    Print a timestamp in the default format, preceded by the date, on each dump line.

-u
    Print undecoded NFS handles.

-U
    With -w, make the output packet-buffered: each packet is written to the savefile as soon as it is received rather than when the output buffer fills. Not supported if tcpdump was built against a libpcap lacking pcap_dump_flush().

-v
    Slightly more verbose output: for example the time-to-live, identification, total length and options of IP packets. Also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.

-vv
    Even more verbose output: additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv
    Even more verbose output: for example, telnet SB ... SE option negotiations are printed in full, and with -X the telnet options are also printed in hex.

-w file
    Write the raw packets to file rather than parsing and printing them. They can later be read back with -r. Standard output is used if file is "-".

-W filecount
    With -C, limit the number of files created to filecount and begin overwriting from the first file when that limit is reached, creating a rotating buffer. File names also get enough leading zeros to cover the maximum number of files, so they sort correctly.

-x
    Print each packet (minus its link-level header) in hex. The smaller of the entire packet or snaplen bytes is printed. For link layers that pad, such as Ethernet, the padding bytes are also printed when the higher-layer packet is shorter than the required padding.

-xx
    Print each packet, including its link-level header, in hex.

-X
    Print each packet (minus its link-level header) in hex and ASCII. Handy for analyzing new protocols.

-XX
    Print each packet, including its link-level header, in hex and ASCII.

-y datalinktype
    Set the data link type used while capturing to datalinktype (one of the names listed by -L).

-Z user
    If tcpdump is running as root, after opening the capture device or input savefile but before opening any output savefile, change the user ID to user and the group ID to user's primary group. user is an account name on the system, typically a dedicated unprivileged one. The privilege drop can also be enabled by default at compile time. Because the output file is opened after the drop, the directory given to -w must be writable by that user.
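As an added example, not part of the original page and not tcpdump's own code, the following Python writes a classic pcap file the way `tcpdump -s snaplen -w file` does, reads it back, and shows the "[|proto]" truncation that the -s entry above and the earlier paragraph on -w describe. The source address and port, the MAC addresses and the timestamp are constructed sample values, three of the request headers from cal.cap are re-used as payload, and the TCP checksum is deliberately left at zero.

```python
"""Added example: what `tcpdump -w` stores and what `-s snaplen` throws away."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, listed by `tcpdump -L` as EN10MB


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=1):
    """Ethernet/IPv4/TCP frame carrying payload. MACs, IPs and ports are constructed
    sample values; the TCP checksum is left at zero (tcpdump -vv would flag it)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")   # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(frames, snaplen):
    """Serialise (ts_sec, frame) pairs as `tcpdump -s snaplen -w file` would: a record
    keeps only the first snaplen bytes (caplen) but stores the original length (len)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, frame in frames:
        data = frame[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, 0, len(data), len(frame)) + data)
    return b"".join(out)


def decode_record(data, caplen, origlen, linktype):
    """Decode one record down to TCP, marking truncation like tcpdump's [|proto]."""
    rec = {"caplen": caplen, "origlen": origlen, "truncated": caplen < origlen}
    if linktype != LINKTYPE_ETHERNET or len(data) < 14:
        rec["summary"] = "[|ether]"
        return rec
    if struct.unpack_from("!H", data, 12)[0] != 0x0800:
        rec["summary"] = "non-IPv4 ethertype"
        return rec
    ip = data[14:]
    if len(ip) < 20:                       # snapshot ended inside the IP header
        rec["summary"] = "[|ip]"
        return rec
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    if proto != 6:
        rec["summary"] = "%s > %s: proto %d" % (src, dst, proto)
        return rec
    tcp = ip[ihl:]
    if len(tcp) < 20:                      # snapshot ended inside the TCP header
        rec["summary"] = "%s > %s: [|tcp]" % (src, dst)
        return rec
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    rec["payload"] = payload
    rec["summary"] = "%s.%d > %s.%d: %d bytes%s" % (
        src, sport, dst, dport, len(payload), " [|tcp]" if rec["truncated"] else "")
    return rec


def read_pcap(blob):
    """Parse a classic pcap blob (either byte order) into its header and decoded records."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:              # file written on a big-endian host
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack_from(e + "IHHiIII", blob, 0)
    off, records = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from(e + "IIII", blob, off)
        off += 16
        records.append(decode_record(blob[off:off + caplen], caplen, origlen, linktype))
        off += caplen
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "records": records}


# Constructed sample: three of the request headers from cal.cap, sent as one segment to
# the page's 221.226.48.130:4710. Source address and port are made up.
SAMPLE_HTTP = (b"User-Agent: Jakarta Commons-HttpClient/3.1\r\n"
               b"Content-Type: application/json;charset=utf-8\r\n"
               b"Content-Length: 573\r\n\r\n")
SAMPLE_FRAME = build_frame("10.0.0.5", "221.226.48.130", 51234, 4710, SAMPLE_HTTP)


def capture_and_decode(snaplen, ts_sec=1452175497):
    """Round-trip the sample frame through a pcap written with the given snaplen and
    return the decoded record (1452175497 is 2016-01-07T14:04:57Z, cal.cap's dtstamp)."""
    return read_pcap(write_pcap([(ts_sec, SAMPLE_FRAME)], snaplen))["records"][0]


if __name__ == "__main__":
    for snaplen in (262144, 68, 40, 20):
        rec = capture_and_decode(snaplen)
        print("-s %-6d caplen=%3d len=%3d  %s"
              % (snaplen, rec["caplen"], rec["origlen"], rec["summary"]))
```

Run stand-alone it prints one line per snapshot length: 68 (the old default) keeps only 14 bytes of the HTTP payload and is marked "[|tcp]", 40 cuts into the TCP header, and 20 into the IP header, so the marker moves to the layer at which the data ran out. Wireshark or tcpdump -r would show the same caplen and len pair on each packet. For evidence captures use -s 0 (or a 4.x tcpdump's default) so that the stored length always equals the length on the wire.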

