Packet Capture analysis tool-tcpdump

Source: Internet
Author: User


Tcpdump (dump the traffic on a network) is a practical packet-analysis tool on Unix. It can filter at the network layer by protocol, host, network or port, and it supports the logical operators and, or and not, so that boolean expressions can be matched against packet headers. On Linux it can be installed with yum if it is not already present. Running tcpdump requires the following privileges:

For SunOS with the nit or bpf interface: to run tcpdump you must have access to /dev/nit or /dev/bpf.
For Solaris with dlpi: you must have access to the network pseudo device, for example /dev/le.
For HP-UX with dlpi, IRIX with snoop, and Linux: you must be root, or tcpdump must be installed as a setuid-root program.
For Ultrix and Digital UNIX: once the superuser has enabled promiscuous-mode operation, any user can run tcpdump.
For BSD: you must have access to /dev/bpf.

The common options of tcpdump are as follows:

-A          Print each packet in ASCII; handy for looking at the content of captured web pages.
-a          Attempt to convert network and broadcast addresses to names.
-c count    Exit after receiving count packets. Without -c, tcpdump keeps listening until it is interrupted.
-d          Dump the compiled packet-matching code in a human-readable form to standard output.
-dd         Dump the compiled packet-matching code as a C program fragment.
-ddd        Dump the compiled packet-matching code as decimal numbers.
-e          Print the link-layer header on each output line.
-f          Print foreign Internet addresses numerically rather than as names.
-F file     Read the filter expression from file.
-i iface    Listen on the given network interface.
-l          Make standard output line buffered.
-n          Do not convert addresses (host addresses, port numbers) to names.
-N          Do not print the domain name part of host names.
-O          Do not run the packet-matching code optimizer. Useful only if you suspect a bug in the optimizer.
-p          Do not put the interface into promiscuous mode.
-q          Quick (quiet) output: print less protocol information.
-r file     Read packets from file (created with -w).
-s snaplen  Capture snaplen bytes of data from each packet rather than the default.
-T type     Force packets selected by the expression to be interpreted as the given type. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool) and wb (distributed White Board).
-S          Print absolute rather than relative TCP sequence numbers.
-t          Do not print a timestamp on each output line.
-tt         Print an unformatted timestamp on each output line.
-v          Verbose output; for example, the time to live and type of service of an IP datagram are printed.
-vv         Even more verbose output; for example, additional fields of NFS reply packets are printed.
-w file     Write the raw packets to file instead of printing them.
-x          Print each packet (minus its link-layer header) in hex. The smaller of the entire packet or snaplen bytes is printed.

Expression:

Selects which packets will be dumped. If no expression is given, all packets on the network are dumped; otherwise only the packets for which the expression is true are dumped.

An expression consists of one or more primitives. A primitive usually consists of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type    Says what kind of thing the id name or number refers to. Possible types are host, net and port, e.g. 'host foo', 'net 128.3', 'port 20'. If there is no type qualifier, host is assumed.

dir     Specifies a transfer direction to and/or from the id. Possible directions are src, dst, src or dst and src and dst, e.g. 'src foo', 'dst net 128.3', 'src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For 'null' link layers (point-to-point protocols such as slip), the inbound and outbound qualifiers can be used to specify the desired direction.

proto   Restricts the match to a particular protocol. Possible protocols are ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp, e.g. 'ether src foo', 'arp net 128.3', 'tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. For example, 'src foo' means '(ip or arp or rarp) src foo' (note that the latter is not legal syntax), 'net bar' means '(ip or arp or rarp) net bar', and 'port 53' means '(tcp or udp) port 53'.

More complex filter expressions are built by combining primitives with and, or and not, e.g. 'host foo and not port ftp and not port ftp-data'.

The allowed primitives are:

dst host host
    True if the IP destination field of the packet is host. The host may be either an address or a name.
src host host
    True if the IP source field of the packet is host.
host host
    True if either the IP source or the IP destination of the packet is host. Any of the above host expressions can be prefixed with the keyword ip, arp or rarp, as in: ip host host, which is equivalent to: ether proto \ip and host host. If host is a name with multiple IP addresses, each address is checked for a match.
ether dst ehost
    True if the Ethernet destination address of the packet is ehost. Ehost may be either a name from /etc/ethers or a number.
ether src ehost
    True if the Ethernet source address of the packet is ehost.
ether host ehost
    True if either the Ethernet source or destination address of the packet is ehost.
gateway host
    True if the packet used host as a gateway.
dst net net
    True if the IP destination address of the packet belongs to network net.
src net net
    True if the IP source address of the packet belongs to network net.
net net
    True if either the IP source or destination address of the packet belongs to network net.
net net mask mask
    True if the IP address matches net with the given netmask. May be qualified with src or dst.
net net/len
    True if the IP address matches net with a netmask len bits wide.
dst port port
    True if the packet is ip/tcp or ip/udp and its destination port is port.
src port port
    True if the source port of the packet is port.
port port
    True if either the source or the destination port of the packet is port.
less length
    True if the packet length is less than or equal to length. This is equivalent to: len <= length.
greater length
    True if the packet length is greater than or equal to length. This is equivalent to: len >= length.
ip proto protocol
    True if the packet is an IP datagram of protocol type protocol.
ether broadcast
    True if the packet is an Ethernet broadcast packet. The keyword ether is optional.
ip broadcast
    True if the packet is an IP broadcast packet. Tcpdump checks for both the all-zeroes and the all-ones broadcast conventions and looks up the local subnet mask.
ether multicast
    True if the packet is an Ethernet multicast packet. The keyword ether is optional.
ip multicast
    True if the packet is an IP multicast packet.

In practice tcpdump is enough for everyday packet analysis. Some examples:

Listen on the eth0 NIC for ssh traffic (default port 22) coming from 192.168.2.100:

[root@localhost ~] # tcpdump -i eth0 -nn 'port 22 and src host 192.168.2.100'

Capture the traffic between host 192.168.1.100 and host 192.168.2.100 or 192.168.0.100:

[root@localhost ~] # tcpdump host 192.168.1.100 and \(192.168.2.100 or 192.168.0.100\)

Capture the local udp ntp traffic (default port 123):

[root@localhost ~] # tcpdump udp port 123
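The expression grammar above and the three commands just shown, as an added example that is not part of the original article and not tcpdump's own code: a small Python evaluator for the filter language. It applies the defaults the grammar states (no type qualifier means host, no dir qualifier means src or dst, no proto qualifier means every protocol that fits the type), lets a bare identifier inherit the previous primitive's qualifiers, and combines primitives with and, or, not and parentheses, then runs expressions against a few constructed packet records. The names Matcher, tcpdump_filter, pkt and SAMPLE_PACKETS are hypothetical and the records are constructed, not captured. Only host, net in CIDR form, port with numeric ports, less, greater and the protocols ip, arp, rarp, tcp and udp are handled; src and dst, the mask keyword, classful net shorthands and the link-layer primitives are left out.

```python
import ipaddress
import re

TYPES = {"host", "net", "port"}
DIRS = {"src", "dst"}
PROTOS = {"ip", "arp", "rarp", "tcp", "udp"}
# Defaults the grammar states: no type -> host, no dir -> src or dst, no proto -> all for the type
DEFAULT_PROTO = {"host": {"ip", "arp", "rarp"}, "net": {"ip", "arp", "rarp"},
                 "port": {"tcp", "udp"}}

class Matcher:
    # Parses one filter expression and evaluates it against one packet record as it goes.
    # Hypothetical helper, not tcpdump's compiler: host/net/port and ip/arp/rarp/tcp/udp only.
    def __init__(self, expr, pkt):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)
        self.pkt = pkt
        self.last = (None, None, None)  # qualifiers a bare identifier inherits

    def peek(self, k=0):
        return self.toks[k] if k < len(self.toks) else None

    def take(self):
        if not self.toks:
            raise ValueError("unexpected end of expression")
        return self.toks.pop(0)

    def run(self):
        result = self.expr()
        if self.toks:
            raise ValueError(f"unexpected token {self.toks[0]!r}")
        return result

    def expr(self):
        # and/or have equal precedence and group left to right (pcap-filter rule); both sides are always parsed
        result = self.factor()
        while self.peek() in ("and", "or"):
            op, rhs = self.take(), self.factor()
            result = (result and rhs) if op == "and" else (result or rhs)
        return result

    def factor(self):
        if self.peek() == "not":  # negation binds tightest
            self.take()
            return not self.factor()
        if self.peek() == "(":
            self.take()
            result = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return result
        return self.primitive()

    def primitive(self):
        pkt = self.pkt
        if self.peek() in ("less", "greater"):
            op, n = self.take(), int(self.take())
            return pkt["len"] <= n if op == "less" else pkt["len"] >= n
        proto = dirs = typ = None
        if self.peek() in PROTOS:
            proto = {self.take()}
        if self.peek() in DIRS:
            dirs = {self.take()}
            if self.peek() == "or" and self.peek(1) in DIRS:  # "src or dst"
                self.take()
                dirs.add(self.take())
        if self.peek() in TYPES:
            typ = self.take()
        if proto is None and dirs is None and typ is None:
            proto, dirs, typ = self.last  # bare identifier keeps the previous qualifiers
        typ = typ or "host"
        dirs = dirs or {"src", "dst"}
        proto = proto or DEFAULT_PROTO[typ]
        self.last = (proto, dirs, typ)
        ident = self.take()
        # tcp and udp ride inside ip, so an ip-qualified primitive matches them too
        carried = {pkt["proto"], "ip"} if pkt["proto"] in ("tcp", "udp") else {pkt["proto"]}
        if not proto & carried:
            return False
        values = [pkt[d + "_" + ("port" if typ == "port" else "addr")] for d in dirs]
        if typ == "port":
            return int(ident) in values
        if typ == "net":  # CIDR form a.b.c.d/len
            net = ipaddress.ip_network(ident, strict=False)
            return any(ipaddress.ip_address(v) in net for v in values)
        return ident in values  # host

def tcpdump_filter(expr, packets):
    """Return the ids of the packets the expression selects, in capture order."""
    return [p["id"] for p in packets if Matcher(expr, p).run()]

def pkt(pid, proto, src, dst, sport=None, dport=None, length=64):
    return {"id": pid, "proto": proto, "src_addr": src, "dst_addr": dst,
            "src_port": sport, "dst_port": dport, "len": length}

SAMPLE_PACKETS = [  # constructed records standing in for a capture, not real traffic
    pkt(1, "tcp", "192.168.2.100", "192.168.2.1", 51000, 22, 120),
    pkt(2, "tcp", "192.168.2.1", "192.168.2.100", 22, 51000, 96),
    pkt(3, "udp", "192.168.1.100", "192.168.0.100", 123, 123, 76),
    pkt(4, "tcp", "192.168.1.100", "192.168.2.100", 40000, 80, 1500),
    pkt(5, "arp", "192.168.1.1", "192.168.1.100"),
]
```

Calling tcpdump_filter('port 22 and src host 192.168.2.100', SAMPLE_PACKETS) returns [1], the second command's expression (with plain parentheses, since there is no shell to escape them from) returns [3, 4], and 'udp port 123' returns [3]. Two behaviours are worth noticing: 'ip host 192.168.1.100' excludes the ARP record that the unqualified 'host 192.168.1.100' includes, and 'port 22 or port 80 and src host 192.168.1.100' is read as '(port 22 or port 80) and src host ...', because in the pcap-filter grammar and and or have equal precedence and group left to right; parenthesise when you mean the other grouping.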

In short, tcpdump covers everyday packet analysis; for further usage see the man page. Note that tcpdump does not fully decode layer-7 protocols, so you can also write the captured packets to a file with -w and open that file in Wireshark for further analysis.
