Simple packet capture Analysis in linux and packet capture in linux

Source: Internet
Author: User

Simple packet capture Analysis in linux and packet capture in linux

Sometimes we may encounter some problems that require packet capture analysis. When there is no professional packet capture tool at hand, we can use tcpdump instead (this tool is provided in general releases)

For example, we need to analyze the packet sending status of port 22 of the destination IP address 192.168.7.188 under the eth0 interface.

Tcpdump-I eth0 dst 192.168.7.188 and port 22



Tcpdump-I eth0 dst 192.168.7.188 and port 22
Tcpdump: verbose output suppressed, use-v or-vv for full protocol decode
Listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:51:55. 861670 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 2209699250: 2209699442, ack 582840950, win 249, options [nop, nop, TS val 428468844 ecr 517889], length 192
16:51:55. 868590 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 192: 416, ack 1, win 249, options [nop, nop, TS val 428468851 ecr 517897], length 224
16:51:55. 870577 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 416: 624, ack 1, win 249, options [nop, nop, TS val 428468853 ecr 517899], length 208
16:51:55. 872602 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 624: 832, ack 1, win 249, options [nop, nop, TS val 428468855 ecr 517899], length 208
16:51:55. 874576 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 832: 1040, ack 1, win 249, options [nop, nop, TS val 428468857 ecr 517900], length 208
16:51:55. 876573 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 1040: 1248, ack 1, win 249, options [nop, nop, TS val 428468859 ecr 517900], length 208
16:51:55. 878574 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 1248: 1456, ack 1, win 249, options [nop, nop, TS val 428468861 ecr 517901], length 208
16:51:55. 880574 IP 192.168.7.26.ssh> 192.168.7.188.37540: Flags [P.], seq 1456: 1664, ack 1, win 249, options [nop, nop, TS val 428468863 ecr 517901], length 208



How to Write a packet capture program in linux

You create the original socket in SOCK_RAW mode and then receive the packet.
The rest is about content analysis .... You can use multiple threads at most.

Use the most basic knowledge of socket programming in linux and understand the details of network protocols. The former is very detailed when you look for a socket programming book, and you should understand the latter.

------
For example, you need to include the following headers:
Stdio. h, stdlib. h, unistd. h, sys/socket. h, sys/types. h, netinet/if_ether.h, netinet/in. h,

Use
Socket (PF_PACKET, SOCK_RAW, htons (ETH_P_IP), you can use this socket to listen to Ethernet packets.
Then, call the recvfrom function cyclically to listen to the data received by the socket, and then analyze the data.

If you want to sniff packets from other machines, ARP spoofing is required .. Haha

Packet capture software for Linux

TcpDump, a powerful network data collection and analysis tool in Linux
 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.