This is the case with the introduction of software with many parameters and few instances.
Most of the time, we have the software parameter usage method, but we still don't quite understand it. Today, when I was using the Internet job Monitoring Service, I saw that only some common network server forms, such as 80, mail, FTP, and feature downloading were monitored. This monitoring of Internet content is fine. It is powerless to analyze some network events.
As a result, I think that Trojans, viruses, spam packets, and network congestion are common concerns in the LAN. So I thought of using tcpdump to try it. After all, many software is monitored by him. I have tried the ox knife.
Tcpdump first. There is too much information. After thinking about what I want to do, I mainly want to see what I want to do. What I want to do is access the internet in the LAN and connect to those machines, and I want to detect unknown links. In this way, you can find out if there are Trojans, and viruses are being blamed!
Tcpdump DST net not 192.168.123.0/24 does not monitor links with machines in the network, filtering out a lot of information. Quickly enter the topic and do not want to check the email. Generally, 80 web pages are accessed, domain access is required, and some ports of existing servers in the network must be excluded.
Tcpdump DST net not 192.168.123.0/24 and DST port not/(WWW or 25 or 110 or 5000 or domain/) and SRC port! /(4011, 4010, or 4009 /)
In this way, we can see a lot of less information. At this time, we can see some uncommon links, which will be helpful for discovering Trojans and viruses.
I believe you have read the usage of tcpdump, and it is difficult to understand the filter expression.
Let me explain it. You don't have to read it.
DST net not 192.168.123.0/24 does not monitor connections with machines in the Network
DST port not/(WWW or 25 or 110 or 5000 or domain/) filters connections to the target port running on the Internet. Access webpages, emails, and DNS connections are not displayed.
SRC port! /(4011 or 4010 or 4009/) This is mainly because the virtual LAN software is installed, and the connection between the Intranet server and the external branch does not need to be displayed. Of course, the port here can be changed according to the actual situation.
Next, I (written one day later) found a frequent external 5050 connection from the information I saw, and Google searched for port 5050, it was found that it was related to a software in dudu.com. Then I opened another term, tcpdump DST port 5050, so that we can see the specific machines connecting to port 5050 outside. During the process, I found that only one machine was connected to me. At last, we found that a previously installed Dudu record software service was running in the background.
Through this experience, we found that tcpdump is really powerful. It can be used flexibly. Although the post I wrote is not profound, it is also very simple. The reason for writing this is not to explain anything, but to inspire some brothers who want to know but do not understand it. Let's look at the opposite.
Network analysis example in Linux
Data collection and analysis is essential when Linux is a network server, especially a router or gateway. So, let's take a look at tcpdump, a powerful network data collection and analysis tool in Linux.
As the name suggests, tcpdump can completely intercept the "Header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information. Like other software in Linux, tcpdump relies on parameters. Tcpdump with no parameters for data filtering searches all network interfaces in the system and displays all the data it intercepts. This data is not necessarily all required for us, and too much data is not conducive to analysis. Therefore, we should first think about what data is needed. tcpdump provides the following parameters for us to select data:
-B selects the protocol on the data-link layer, including IP, ARP, RARP, and IPX.
For example, tcpdump-B ARP only displays ARP in the network, that is, address translation protocol information.
-I: select the network interface to be filtered. If a router has at least two network interfaces, you can use this option to filter only the data passed through the specified interface. For example, tcpdump-I eth0 only displays all headers on the eth0 interface.
The options SRC, DST, port, host, net, ether, and gateway include additional options such as SRC, DST, port, host, net, and ehost. They are used to identify the source and destination of data packets. SRC host 192.168.0.1 specifies that the source host IP address is 192.168.0.1, and DST net 192.168.0.0/24 specifies that the destination is 192.168.0.0. Similarly, the host is related to the specified host, whether it is the source or the target, and the net is related to the specified network. The ether is followed by a physical address instead of an IP address, while the gateway is used for the gateway host. It may be a bit complicated. Let's see the following example: tcpdump src host 192.168.0.1 and DST net 192.168.0.0/24 filters the headers whose source host is 192.168.0.1 and whose destination network is 192.168.0.0. Tcpdump ether SRC 00: 50: 04: BA: 9B and DST ...... Filter the header with the physical address of the source host being XXX (why is there no host or net behind ether SRC? Of course, the physical address cannot have a network ). Tcpdump SRC host 192.168.0.1 and DST port not Telnet filter source host 192.168.0.1 and destination port is not the Telnet header. Ip icmp arp rarp, TCP, UDP, ICMP, and other options must be placed at the first parameter to filter the data type. For example, tcpdump ip src ...... Only filter data-IP headers on the link layer. Tcpdump UDP and SRC host 192.168.0.1 only filters all UDP headers of the source host 192.168.0.1. The data display/input/output tcpdump provides enough parameters for us to choose how to process the obtained data, as shown below:
-L can redirect data. For example, tcpdump-L> tcpcap.txt stores the obtained data in the tcpcap.txt file.
-N does not convert the IP address to the host name. If you do not use this option, tcpdump will convert the IP address to the host name display when a host's host name exists in the system, just like this: eth0 <ntc9.1165> router.domain.net. TELNET: eth0 <192.168.0.9.1165> 192.168.0.1.telnet.
-Nn does not convert the port name. After using-nn, the above information becomes: eth0 <ntc9.1165> router.domain.net. 23.
-N does not print the default domain name. After N, It is eth0 <ntc9.1165> router. Telnet. -O does not optimize the matching code.
-T does not print the Unix timestamp, that is, the time is not displayed.
-TT prints the original, unformatted time.
-V has a more detailed output than a common TTL and service type. Well, after talking so much, do you think tcpdump is a good tool? It has many other functions, which cannot be described in length. Reading more and reading "help" can be a great achievement. This is also a shortcut to the Linux World.