Packet capture analysis tool: tcpdump
tcpdump (dump the traffic on a network) is a practical tool for analysing packets on Unix systems. It can filter at the network layer by protocol, host, network or port, and it supports the logical operators and, or and not in boolean expressions that are matched against packet headers. On Linux you can install it with yum if it is not already present. Depending on the platform, tcpdump needs the following privileges to run:
For the nit or bpf interface of SunOS: to run tcpdump you must have access to /dev/nit or /dev/bpf;
For Solaris dlpi: a network pseudo device such as /dev/le must be accessible;
For dlpi on HP-UX, snoop on IRIX, and Linux: you must be root, or tcpdump must be installed set-uid to root;
For Ultrix and Digital UNIX: once a superuser has enabled promiscuous mode, any user can run tcpdump;
For BSD: access to /dev/bpf is required.
The common options of tcpdump are as follows:
-A            Print each packet's content in ASCII; commonly used when capturing web page traffic.
-a            Attempt to convert network and broadcast addresses to names.
-c count      Exit after receiving count packets; without this option tcpdump keeps listening.
-d            Dump the compiled packet-matching code in a human-readable form to standard output.
-dd           Dump the compiled packet-matching code as a C program fragment to standard output.
-ddd          Dump the compiled packet-matching code as decimal numbers to standard output.
-e            Print the link-level (data link layer) header on each line.
-f            Print foreign Internet addresses numerically rather than symbolically.
-F file       Read the filter expression from file.
-i interface  Listen on the given network interface.
-l            Make standard output line buffered.
-n            Do not convert host addresses to names.
-N            Do not print the domain name qualification of host names.
-O            Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
-p            Do not put the interface into promiscuous mode.
-q            Quick (quiet) output: print less protocol information.
-r file       Read packets from file.
-s snaplen    Capture snaplen bytes of data from each packet.
-T type       Force packets selected by the expression to be interpreted as type. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool) and wb (distributed White Board).
-S            Print absolute rather than relative TCP sequence numbers.
-t            Do not print a timestamp on each line.
-tt           Print an unformatted timestamp on each line.
-v            Verbose output; for example, print the time to live and type of service in IP datagrams.
-vv           Even more verbose output; for example, print additional fields from NFS reply packets.
-w file       Write the raw packets to file.
-x            Print each packet (minus its link layer header) in hexadecimal. The whole packet is printed if it is smaller than snaplen; otherwise only snaplen bytes are printed.
Expression:
The expression selects which packets are dumped. If no expression is given, all packets on the network are dumped; otherwise only packets for which the expression is true are dumped.
An expression consists of one or more primitives. A primitive is usually an identifier (id, name or number) preceded by one or more qualifiers. There are three kinds of qualifier:
type: says what kind of thing the identifier name or number refers to. Possible types are host, net and port, e.g. 'host foo', 'net 128.3', 'port 20'. If no type qualifier is given, host is assumed.
dir: specifies the transfer direction (to and/or from) relative to the identifier. Possible directions are src, dst, src or dst, and src and dst, e.g. 'src foo', 'dst net 128.3', 'src or dst port ftp-data'. If no dir qualifier is given, src or dst is assumed. For 'null' link layers (point-to-point protocols such as slip), the inbound and outbound qualifiers can be used to specify the desired direction.
proto: restricts the match to a particular protocol. Possible protocols are ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp, e.g. 'ether src foo', 'arp net 128.3', 'tcp port 21'. If no proto qualifier is given, all protocols consistent with the type are assumed. For example, 'src foo' means '(ip or arp or rarp) src foo' (except that the latter is not legal syntax), 'net bar' means '(ip or arp or rarp) net bar', and 'port 53' means '(tcp or udp) port 53'.
More complex filter expressions are built by using the words and, or and not to combine primitives, e.g. 'host foo and not port ftp and not port ftp-data'.
Allowed primitives include:
dst host host
True if the IP destination field of the packet is host, which may be either an address or a name.
src host host
True if the IP source field of the packet is host.
host host
True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp or rarp, as in: ip host host
which is equivalent to: ether proto \ip and host host
If host is a name with multiple IP addresses, each address is checked for a match.
ether dst ehost
True if the Ethernet destination address of the packet is ehost. Ehost may be either a name from /etc/ethers or a number.
ether src ehost
True if the Ethernet source address of the packet is ehost.
ether host ehost
True if either the Ethernet source or destination address of the packet is ehost.
gateway host
True if the packet used host as a gateway.
dst net net
True if the IP destination address of the packet has network number net.
src net net
True if the IP source address of the packet has network number net.
net net
True if either the IP source or destination address of the packet has network number net.
net net mask mask
True if the IP address matches net with the specified netmask. This primitive may be qualified with src or dst.
net net/len
True if the IP address matches net with a netmask len bits wide.
dst port port
True if the packet is ip/tcp or ip/udp and has destination port port.
src port port
True if the packet has source port port.
port port
True if either the source or destination port of the packet is port.
less length
True if the packet has a length less than or equal to length. Equivalent to: len <= length.
greater length
True if the packet has a length greater than or equal to length. Equivalent to: len >= length.
ip proto protocol
True if the packet is an IP datagram of protocol type protocol.
ether broadcast
True if the packet is an Ethernet broadcast packet. The keyword ether is optional.
ip broadcast
True if the packet is an IP broadcast packet. tcpdump checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.
ether multicast
True if the packet is an Ethernet multicast packet. The keyword ether is optional.
ip multicast
True if the packet is an IP multicast packet.
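To make the qualifier rules and the primitives listed above concrete, here is an added Python example (not code from the original article, and not libpcap's filter compiler) that evaluates tcpdump-style filter expressions against constructed packet records. It applies the defaults described above (type defaults to host, dir to 'src or dst', and a missing proto means every protocol consistent with the type, so 'port 53' matches only tcp or udp), and combines primitives with and, or, not and parentheses, accepting the shell-escaped \( \) form used in the examples further down. It handles host, net (short form such as 128.3 or net/len), port, less and greater; the HOSTS and SERVICES tables are constructed stand-ins for /etc/hosts and /etc/services, and a bare protocol name on its own (for example just 'tcp') is not handled.

```python
"""Added example, not code from the article or from tcpdump/libpcap: a toy evaluator for
tcpdump-style filter expressions implementing the qualifier rules (type defaults to host,
dir to 'src or dst', no proto = every protocol consistent with the type) plus and/or/not."""
import ipaddress
from dataclasses import dataclass

IP_PROTOS = {"tcp", "udp", "icmp"}
PROTOS = IP_PROTOS | {"ip", "arp", "rarp"}
HOSTS = {"foo": "192.0.2.10", "bar": "192.0.2.20"}  # constructed /etc/hosts stand-in
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53, "ntp": 123}  # constructed

@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", "arp" or "rarp"
    src: str            # source and destination IP addresses
    dst: str
    sport: int = 0      # transport ports; 0 for packets without them
    dport: int = 0
    length: int = 64    # packet length, used by less/greater

def _network(value):
    """Accept the short form 'net 128.3' (= 128.3.0.0/16) as well as 'net 128.3.0.0/16'."""
    if "/" not in value:
        octets = value.split(".")
        value = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(value, strict=False)

def _parse_primitive(tokens, i):
    """Parse one primitive starting at tokens[i]; return (predicate, next index)."""
    proto = dirs = None
    if tokens[i] in PROTOS:
        proto, i = tokens[i], i + 1
    if tokens[i] in ("src", "dst"):
        if i + 2 < len(tokens) and tokens[i + 1] in ("or", "and") and tokens[i + 2] in ("src", "dst"):
            dirs, i = (tokens[i], tokens[i + 1], tokens[i + 2]), i + 3  # 'src or dst' / 'src and dst'
        else:
            dirs, i = (tokens[i],), i + 1
    if tokens[i] in ("less", "greater"):
        word, limit = tokens[i], int(tokens[i + 1])
        return (lambda p: p.length <= limit if word == "less" else p.length >= limit), i + 2
    typ = "host"  # default type qualifier is host
    if tokens[i] in ("host", "net", "port"):
        typ, i = tokens[i], i + 1
    ident, i = tokens[i], i + 1
    if typ == "host":
        target = ipaddress.ip_address(HOSTS.get(ident, ident))
        hit = lambda v: ipaddress.ip_address(v) == target
    elif typ == "net":
        net = _network(ident)
        hit = lambda v: ipaddress.ip_address(v) in net
    else:
        number = SERVICES.get(ident) or int(ident)
        hit = lambda v: v == number

    def matches(p):
        # proto rule: 'port 53' means '(tcp or udp) port 53'; host/net without proto match any
        if proto is None:
            proto_ok = p.proto in ("tcp", "udp") if typ == "port" else True
        else:
            proto_ok = p.proto in IP_PROTOS if proto == "ip" else p.proto == proto
        s, d = (p.sport, p.dport) if typ == "port" else (p.src, p.dst)
        res = {"src": hit(s), "dst": hit(d)}
        keys = ("src", "dst") if dirs is None else (dirs[0], dirs[-1])  # default: src or dst
        both = dirs is not None and len(dirs) == 3 and dirs[1] == "and"  # 'src and dst'
        dir_ok = (all if both else any)(res[k] for k in keys)
        return proto_ok and dir_ok
    return matches, i

def _parse_not(tokens, i):
    if tokens[i] == "not":
        inner, i = _parse_not(tokens, i + 1)
        return (lambda p: not inner(p)), i
    if tokens[i] == "(":
        inner, i = _parse_or(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing ')'")
        return inner, i + 1
    return _parse_primitive(tokens, i)

def _parse_binary(tokens, i, word, operand, combine):
    """Left-associative chain joined by `word`; 'and' binds tighter than 'or', as in tcpdump."""
    left, i = operand(tokens, i)
    while i < len(tokens) and tokens[i] == word:
        right, i = operand(tokens, i + 1)
        left = (lambda l, r: lambda p: combine(l(p), r(p)))(left, right)
    return left, i

def _parse_and(tokens, i):
    return _parse_binary(tokens, i, "and", _parse_not, lambda a, b: a and b)

def _parse_or(tokens, i):
    return _parse_binary(tokens, i, "or", _parse_and, lambda a, b: a or b)

def compile_filter(expression):
    """Compile a filter string into a predicate over Packet; shell escapes such as \\( are stripped."""
    tokens = expression.replace("\\", "").replace("(", " ( ").replace(")", " ) ").split()
    pred, i = _parse_or(tokens, 0)
    if i != len(tokens):
        raise ValueError(f"unparsed tokens: {tokens[i:]}")
    return pred
```

compile_filter("port 22 and src host 192.168.2.100") returns a predicate that is true for a constructed Packet("tcp", "192.168.2.100", "10.0.0.5", 40000, 22) and false for the reply packet flowing the other way, which is the same distinction tcpdump makes for the first example command below. The parser is written as a small recursive descent over the token list, so precedence (not, then and, then or) and parentheses behave as they do in tcpdump's own expression grammar.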
In practice, tcpdump covers most day-to-day packet analysis needs. Some examples:
Listen on interface eth0 for ssh traffic (default port 22) coming from 192.168.2.100:
[root@localhost ~]# tcpdump -i eth0 -nn 'port 22 and src host 192.168.2.100'
Capture traffic between host 192.168.1.100 and either host 192.168.2.100 or host 192.168.0.100:
[root@localhost ~]# tcpdump host 192.168.1.100 and \(192.168.2.100 or 192.168.0.100\)
Capture local udp ntp traffic (default port 123):
[root@localhost ~]# tcpdump udp port 123
In short, tcpdump handles everyday analysis of many kinds of packets, and we will not go into more detail here; see the man page for further usage. Note that tcpdump does not fully decode layer-7 data, so you can also write the captured packets to a file with -w and then open that file in Wireshark for deeper analysis.
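As an added example of what the -w, -r and -s options and the closing suggestion above deal with, here is a minimal writer and reader for the classic pcap file format that tcpdump -w produces and tcpdump -r or Wireshark can read back. It is not code from the article or from tcpdump; the Ethernet frames, MAC addresses and timestamps are constructed sample data. It shows how the -s snaplen setting truncates each stored record while the original on-the-wire length is still recorded, which is why -x prints only snaplen bytes of a larger packet.

```python
"""Added example, not from the article or from tcpdump: a minimal writer and reader for
the classic (little-endian, microsecond) pcap format, with constructed sample frames."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic; written in host byte order, little-endian here
LINKTYPE_ETHERNET = 1     # link-layer header type for Ethernet frames
GLOBAL_HDR = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def write_pcap(frames, snaplen=262144, first_ts=1_700_000_000):
    """Serialize Ethernet frames as a pcap blob, truncating each record to snaplen (-s)."""
    out = struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        captured = frame[:snaplen]   # effect of -s: bytes past snaplen are not stored
        out += struct.pack(RECORD_HDR, first_ts + n, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(blob):
    """Parse a pcap blob; return (snaplen, records) where each record carries the
    link-layer fields that tcpdump -e prints plus the captured and original lengths."""
    hdr_size = struct.calcsize(GLOBAL_HDR)
    magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(GLOBAL_HDR, blob[:hdr_size])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap file")
    records, off, rec_size = [], hdr_size, struct.calcsize(RECORD_HDR)
    while off + rec_size <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(RECORD_HDR, blob[off:off + rec_size])
        frame = blob[off + rec_size:off + rec_size + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated record")   # file was cut short mid-packet
        off += rec_size + caplen
        records.append({
            "time": f"{ts_sec}.{ts_usec:06d}",
            "src_mac": frame[6:12].hex(":"),
            "dst_mac": frame[0:6].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "caplen": caplen,
            "origlen": origlen,
            "truncated": caplen < origlen,   # only snaplen bytes of this packet were kept
        })
    return snaplen, records


def sample_frame(payload_len=100):
    """Constructed Ethernet/IPv4 frame: 14-byte header followed by a zeroed dummy payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", 0x0800) + bytes(payload_len)


if __name__ == "__main__":
    blob = write_pcap([sample_frame(100), sample_frame(20)], snaplen=60)
    for rec in read_pcap(blob)[1]:
        print(rec)
```

Writing a 114-byte frame with snaplen=60 stores a 60-byte record whose orig_len field still says 114, so a reader (or tcpdump -r with -x) can tell that the packet was truncated; the 34-byte frame fits within snaplen and is stored whole. The reader also refuses a file that ends in the middle of a record rather than silently returning a partial frame.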