Type man tcpdump on Linux and the manual opens with the following synopsis:

    tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
            [ -C file_size ] [ -F file ]
            [ -i interface ] [ -m module ] [ -M secret ]
            [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
            [ -W filecount ]
            [ -E spi@ipaddr algo:secret,... ]
            [ -y datalinktype ] [ -Z user ]
            [ expression ]
This is the general form of a tcpdump command line. This article looks only at how to write the [expression] part, and in particular how to write strict matching conditions: on a large network the number of packets is enormous, and without strict matching the protocol analysis suffers badly. The options before the expression are not discussed here, since the manual already covers them thoroughly. The expression is described below.
Usage of [expression]:
The expression is tcpdump's most useful advanced feature: with it you can pick out particular packets. This section describes how expressions are used, and mainly how to write the strictest expression that still meets the requirement. Without an expression, tcpdump outputs every packet seen on the NIC; with one, it outputs only the packets the expression matches.
An expression is made up of one or more primitives, and a primitive is made up of one or more qualifiers followed by one id (a name) or number. The structure can be written as:
    expression = ([qualifier]+ (id | number))+
In other words, an expression is a compound condition, and [qualifier] + (id | number) is a basic condition: the qualifier names the thing being tested (an item or variable), and the id or number gives its value (a constant).
There are three kinds of qualifier:
type says what kind of thing the id name or number refers to; the type words include host, net, port, portrange and so on.
Examples:
    host foo    a simple primitive: host is the qualifier, foo is the id name
    net 128.3   net is the qualifier, 128.3 is the number
    port 20
and so on.
Every primitive has a type qualifier; if none is written, host is assumed.
dir specifies the direction of transfer; the dir words are src, dst, src or dst, and src and dst.
Examples:
    dst net 128.3    a slightly more complex primitive with the structure dir type number, meaning the destination network is 128.3.
    src or dst port ftp-data    simpler in structure than the previous one: src or dst means source or destination, and ftp-data is the id, the name of the data-transfer port of the FTP protocol, so this matches packets whose source or destination port is ftp-data.
If a primitive has no dir word, src or dst is assumed; for example, host foo matches every packet whose source or destination host is foo.
proto restricts the match to a particular protocol; the proto words include ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. In practice these are the most frequently used group of words, since matching by protocol is so common.
A qualifier of each of the three kinds, together with an id name or number, forms a primitive, which usually takes the form:
    proto dir type id|number,   that is,   primitive = proto dir type (id | number)
For example:
    tcp src port 80
    ip dst host 192.168.1.1
If a type appears, an id or number must follow it.
If a dir appears, a type normally appears too; if it is omitted, host is assumed.
proto can appear on its own, as in tcpdump 'tcp'.
With the three kinds of qualifier above, a primitive can be written quickly. Next I use a single primitive as the whole expression to match packets.
(1) Matching Ethernet frames
Matching a specific MAC address:
    tcpdump 'ether src 00:19:21:1d:75:e6'
matches frames whose source MAC is 00:19:21:1d:75:e6; change src to dst or to src or dst to change the condition.
Matching Ethernet broadcast frames: the feature of a broadcast frame is that its destination MAC is all ones, so it can be matched with:
    tcpdump 'ether dst ff:ff:ff:ff:ff:ff'
    ylin@ylin:~$ sudo tcpdump -c 1 'ether dst ff:ff:ff:ff:ff:ff'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    10:47:57.784099 arp who-has 192.168.240.77 tell 192.168.240.189
In this example -c 1 makes tcpdump exit after matching a single packet. The packet it caught is an ARP request; ARP requests are sent as broadcasts, so it matches.
Matching Ethernet multicast frames: the feature of a multicast frame is that the first bit of the destination MAC (the low-order bit of its first byte) is 1, and the remaining bits identify the multicast group. To match one group you only need that group's MAC address, for example
    tcpdump 'ether dst MAC_ADDRESS'
with the group's address in place of MAC_ADDRESS. Matching all Ethernet multicast frames is set aside for now; the more advanced syntax later in the article handles it.
(2) Matching ARP packets
ARP is the protocol that maps IP addresses to MAC addresses; it consists of ARP requests and ARP replies. ARP requests are sent as Ethernet broadcasts, so the destination MAC of an ARP request is all ones and ether dst ff:ff:ff:ff:ff:ff matches the requests, but it cannot match the replies. To match the whole ARP exchange, specify the protocol with arp alone:
    tcpdump 'arp'
matches the ARP packets on the network.
    ylin@ylin:~$ arping -c 4 192.168.240.1 >/dev/null & sudo tcpdump -p 'arp'
    [1] 9293
    WARNING: interface is ignored: Operation not permitted
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:09:25.042479 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
    11:09:25.042702 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
    11:09:26.050452 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
    11:09:26.050765 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
    11:09:27.058459 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
    11:09:27.058701 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
    11:09:33.646514 arp who-has ylin.local tell 192.168.240.1
    11:09:33.646532 arp reply ylin.local is-at 00:19:21:1d:75:e6 (oui Unknown)
In this example arping -c 4 192.168.240.1 generates ARP requests and receives the replies, while tcpdump -p 'arp' matches them. The -p option keeps the interface in normal (non-promiscuous) mode, which makes the matching results easier to read.
(3) Matching IP packets
As everyone knows, IP is one of the most important protocols in the TCP/IP suite; it is precisely what makes internetworking possible, so the expressions that match IP packets deserve analysis.
Matching an IP address:
    tcpdump 'ip src 192.168.240.69'
    ylin@ylin:~$ sudo tcpdump -c 3 'ip src 192.168.240.69'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:20:00.973605 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: S 2706301341:2706301341(0) win 5840
    11:20:00.974328 IP ylin.local.32849 > 192.168.200.150.domain: 5858+ PTR? 2017200.168.192.in-addr.arpa. (45)
    11:20:01.243490 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: . ack 2762262674 win 183
Matching IP broadcast and multicast packets: you only need to give the broadcast or multicast address as the destination.
    tcpdump 'ip dst 192.168.240.255'
    ylin@ylin:~$ sudo tcpdump 'ip dst 192.168.240.255'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:25:29.690658 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 1, length 64
    11:25:30.694989 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 2, length 64
    11:25:31.697954 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 3, length 64
    11:25:32.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 4, length 64
    11:25:33.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 5, length 64
    11:25:34.697982 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 6, length 64
This matches ICMP broadcast packets; to generate them, run ping -b 192.168.240.255 on another host in the same LAN. Multicast packets can be matched the same way, but with no convenient tool to generate them there is no example here.
(4) Matching TCP packets
TCP is also one of the most important protocols in the TCP/IP stack. It provides a reliable end-to-end byte stream, and many application-layer protocols use it as their transport, which is why matching TCP matters so much.
To match HTTP traffic, it is enough to match port 80:
    tcpdump 'tcp dst port 80'
    ylin@ylin:~$ wget http://www.baidu.com 2>&1 >/dev/null & sudo tcpdump -c 5 'tcp port 80'
    [1] 10762
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    12:02:47.549056 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: S 1202130469:1202130469(0) ack 1132882351 win 2896
    12:02:47.549085 IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: . ack 1 win 183
    12:02:47.549226 IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: P 1:102(101) ack 1 win 183
    12:02:47.688978 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . ack 102 win 698
    12:02:47.693897 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . 1:1409(1408) ack 102 win 724
(5) Matching UDP packets
UDP is a connectionless, unreliable datagram service, so the main handle on UDP traffic is again the port. A port can be matched like this:
    tcpdump 'udp port 53'
to see DNS packets.
    ylin@ylin:~$ ping -c 1 www.baidu.com >/dev/null & sudo tcpdump -p udp port 53
    [1] 11424
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    12:28:09.221950 IP ylin.local.32853 > 192.168.200.150.domain: 63228+ PTR? 43.22.108.202.in-addr.arpa. (44)
    12:28:09.222607 IP ylin.local.32854 > 192.168.200.150.domain: 5114+ PTR? 150.200.168.192.in-addr.arpa. (46)
    12:28:09.487017 IP 192.168.200.150.domain > ylin.local.32853: 63228 1/0/0 (80)
    12:28:09.487232 IP 192.168.200.150.domain > ylin.local.32854: 5114 NXDomain* 0/1/0 (140)
    12:28:14.488054 IP ylin.local.32854 > 192.168.200.150.domain: 60693+ PTR? 69.240.168.192.in-addr.arpa. (45)
    12:28:14.755072 IP 192.168.200.150.domain > ylin.local.32854: 60693 NXDomain 0/1/0 (122)
Pinging www.baidu.com generates the DNS requests and replies; 53 is the DNS port number.
There are many more qualifiers not yet mentioned. Below are other valid primitives that can be used directly in tcpdump.

gateway host
    Matches packets that used host as a gateway: the Ethernet source or destination address is host, but neither the IP source nor the IP destination address is host.

dst net net
src net net
net net
net net mask netmask
net net/len
    Match packets whose IPv4/IPv6 address lies in the network net.
    net can be written as 192.168.0.0 or as 192.168, for example net 192.168 or net 192.168.0.0.
    net net mask netmask is valid only for IPv4 packets, for example net 192.168.0.0 mask 255.255.0.0.
    net net/len is valid only for IPv4 packets, for example net 192.168.0.0/16.

dst portrange port1-port2
src portrange port1-port2
portrange port1-port2
    Match ip/tcp, ip/udp, ip6/tcp and ip6/udp packets whose port lies in the range port1-port2. dst and src select the destination or source port respectively; without either, src or dst is assumed.

less length
    Matches packets whose length is less than or equal to length.
greater length
    Matches packets whose length is greater than or equal to length.

ip protochain protocol
    Matches IPv4 packets whose protocol field has the value protocol.
ip6 protochain protocol
    Matches IPv6 packets whose protocol field has the value protocol.
    For example, tcpdump 'ip protochain 6' matches TCP packets on an IPv4 network; the usage is the same as before, with ip and protochain 6 written side by side, and 6 is the protocol number of TCP in the IP header.

ether broadcast
    Matches Ethernet broadcast frames.
ether multicast
    Matches Ethernet multicast frames.
ip broadcast
    Matches IPv4 broadcast packets, that is, packets whose IP address has a host part of all zeros or all ones.
ip multicast
    Matches IPv4 multicast packets, that is, packets whose IP address is a multicast address.
ip6 multicast
    Matches IPv6 multicast packets, that is, packets whose IP address is a multicast address.
vlan vlan_id
    Matches VLAN-tagged frames whose VLAN id is vlan_id.
So far the discussion has covered how a single primitive is used, that is, an expression with only one primitive. Once each primitive can be written, several primitives are easily combined into one expression: they are simply joined with logical operators, of which there are three:
    "&&" or "and"
    "||" or "or"
    "!" or "not"
Complex conditions are built with these, using parentheses for grouping. For example:
    tcpdump 'ip and tcp'
    tcpdump 'host 192.168.240.3 and (tcp port 80 or tcp port 443)'
With the primitives above, many conditions can be written: ip, tcp, udp, vlan and so on; IP can be matched by address and tcp/udp by port. But what about finer conditions, for example TCP packets carrying only SYN or FIN? The primitives above are powerless there. Don't worry: tcpdump's last and most powerful primitive handles exactly this. Remember that it is a primitive, not an expression, so several of them can be combined into a more complex expression.
The last form of primitive is: expr relop expr
Call this form A; you can then write tcpdump 'A1 and A2 and ip src 192.168.200.1' and so on.
Next, let's analyse form A to see how powerful it is. If it looks confusing, practise the material above a few times first, otherwise it will stay confusing, because the form really is complex.
Form: expr relop expr
relop is a relational operator, one of >, <, >=, <=, =, !=.
expr is an arithmetic expression built from integer constants, the binary operators +, -, *, /, &, |, << and >>, a length operator, and the packet-data accessor. All integers are unsigned, so 0x80000000 and 0xffffffff are both > 0. Packet data is accessed with:
    proto [ expr : size ]
proto names the header to look at. The result of expr is the byte offset into that header. size is optional and gives how many bytes, starting at offset expr, are read; the whole accessor evaluates to those size bytes of the proto header, taken as an unsigned integer.
Here are some primitives of the form expr relop expr:
    'ether[0] & 1 != 0'    the first bit of the Ethernet frame (the low-order bit of the first byte of the destination MAC) is 1; this is the primitive for Ethernet broadcast or multicast.
In this way any byte of the packet can be matched, which is what makes this form so powerful.
    'ip[0] & 0xf0 = 0x40'    the first byte of the IP header carries the version in its high nibble (the low nibble is the header length), so masking out the low nibble and comparing with 0x40 matches IPv4 packets.
    'tcp[13] = 2'    the TCP flags live in the byte at offset 13 of the TCP header, and SYN is the second-lowest bit of that byte (value 2), so this matches packets with only the SYN flag set. That condition is both sufficient and strict.
    'icmp[0] = 8'    byte 0 of an ICMP message is the type, and type 8 is an echo request, so this matches the request messages of the ping command.
The offsets of common bytes, such as the flags in TCP or the type in ICMP, are easily forgotten. tcpdump therefore offers something more convenient: you do not need to remember the numbers, because they can be replaced by names.
For ICMP, the offset of the type byte can be written as icmptype, so the primitive above becomes 'icmp[icmptype] = 8'. And if the value 8 is hard to remember as well, tcpdump also provides names for the values of that byte, for example 'icmp[icmptype] = icmp-echo'.
The named offsets tcpdump provides are:
    icmptype    the offset of the type byte in an ICMP message
    icmpcode    the offset of the code byte in an ICMP message
    tcpflags    the offset of the flags byte in a TCP segment
In addition, many named values are provided for those bytes:
The ICMP type byte can take the values:
    icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit,
    icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.
The TCP flags byte can take the values:
    tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
With these names we can write primitives such as:
    'tcp[tcpflags] = tcp-syn'    matches TCP packets whose flags byte is exactly SYN, i.e. only the SYN flag is set
    'tcp[tcpflags] & (tcp-syn | tcp-ack | tcp-fin) != 0'    matches TCP packets with any of the SYN, ACK or FIN flags set
For IP, no names are provided; to match finer IP conditions you use the numeric offsets directly, which requires a deeper understanding of the IP header.
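As an added illustration that is not part of the original article, the following Python models the proto[offset:size] accessor over constructed Ethernet/IPv4 frames and rewrites the byte-offset primitives above (plus ip[9], the protocol field that has no symbolic name) as predicates. The helper names are my own; the model assumes an IPv4 header without options (libpcap itself reads the IHL field to locate the TCP or ICMP header), and the sample frames are constructed from the addresses in the article's captures.

```python
import struct
ETH_HDR_LEN, IP_HDR_LEN = 14, 20     # assumption: IPv4 header without options (IHL = 5)
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8     # tcpdump's icmp-echoreply / icmp-echo
# Where each header starts, counted from the first byte of the frame.
PROTO_BASE = {"ether": 0, "ip": ETH_HDR_LEN,
              "tcp": ETH_HDR_LEN + IP_HDR_LEN, "icmp": ETH_HDR_LEN + IP_HDR_LEN}
def field(frame, proto, offset, size=1):
    """Model of proto[offset:size]: size bytes (1, 2 or 4, as in libpcap) at
    offset from the start of that header, read as an unsigned big-endian int."""
    assert size in (1, 2, 4)
    start = PROTO_BASE[proto] + offset
    return int.from_bytes(frame[start:start + size], "big")
def l4_is(frame, proto_num):
    """tcpdump implicitly restricts tcp[...] and icmp[...] to that protocol;
    ip[9] is the IPv4 protocol field, which has no symbolic name."""
    return field(frame, "ip", 9) == proto_num
# The article's byte-offset primitives, written as predicates over a frame.
def ether_bcast_or_mcast(f):   # 'ether[0] & 1 != 0'
    return field(f, "ether", 0) & 1 != 0
def is_ipv4(f):                # 'ip[0] & 0xf0 = 0x40': the version is the high nibble
    return field(f, "ip", 0) & 0xF0 == 0x40
def tcp_syn_only(f):           # 'tcp[13] = 2', i.e. 'tcp[tcpflags] = tcp-syn'
    return l4_is(f, IPPROTO_TCP) and field(f, "tcp", 13) == TCP_SYN
def tcp_syn_ack_or_fin(f):     # 'tcp[tcpflags] & (tcp-syn | tcp-ack | tcp-fin) != 0'
    return l4_is(f, IPPROTO_TCP) and field(f, "tcp", 13) & (TCP_SYN | TCP_ACK | TCP_FIN) != 0
def icmp_echo_request(f):      # 'icmp[0] = 8', i.e. 'icmp[icmptype] = icmp-echo'
    return l4_is(f, IPPROTO_ICMP) and field(f, "icmp", 0) == ICMP_ECHO

# Constructed sample frames; MAC and IP addresses are borrowed from the captures above.
def build_frame(dst_mac, ip_proto, l4_header):
    eth = dst_mac + bytes.fromhex("0019211d75e6") + b"\x08\x00"   # ethertype 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(l4_header), 0x1234, 0,
                     64, ip_proto, 0, bytes([192, 168, 240, 69]), bytes([192, 168, 240, 1]))
    return eth + ip + l4_header
def tcp_hdr(flags):       # 20-byte TCP header: ports 47945 -> 80, data offset 5, flags byte
    return struct.pack("!HHIIBBHHH", 47945, 80, 1, 0, 5 << 4, flags, 5840, 0, 0)
def icmp_hdr(icmp_type):  # 8-byte ICMP echo header: type, code, checksum, id, seq
    return struct.pack("!BBHHH", icmp_type, 0, 0, 10022, 1)

UNICAST, BCAST = bytes.fromhex("0003d2200428"), b"\xff" * 6
FRAMES = {
    "syn":        build_frame(UNICAST, IPPROTO_TCP, tcp_hdr(TCP_SYN)),
    "synack":     build_frame(UNICAST, IPPROTO_TCP, tcp_hdr(TCP_SYN | TCP_ACK)),
    "rst":        build_frame(UNICAST, IPPROTO_TCP, tcp_hdr(TCP_RST)),
    "ping_bcast": build_frame(BCAST, IPPROTO_ICMP, icmp_hdr(ICMP_ECHO)),
    "pong":       build_frame(UNICAST, IPPROTO_ICMP, icmp_hdr(ICMP_ECHOREPLY)),
}

if __name__ == "__main__":
    for name, f in FRAMES.items():   # one line per frame, one column per primitive
        print(f"{name:10} bcast/mcast={ether_bcast_or_mcast(f)!s:5} syn_only={tcp_syn_only(f)!s:5} "
              f"syn|ack|fin={tcp_syn_ack_or_fin(f)!s:5} echo_req={icmp_echo_request(f)}")
```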
Once primitives can be written, expressions are a piece of cake: one or more primitives joined by logical connectors:
    tcpdump 'host 192.168.240.91 and icmp[icmptype] = icmp-echo'
    tcpdump 'host 192.168.1.100 and vrrp'
    tcpdump 'ether src 00:00:00:00:00:02 and ether[0] & 1 != 0'
Now tcpdump can be driven exactly as you wish, with no more picking packets out of cluttered output.
In the same way, more complex expressions can match other header fields at fixed offsets, such as the identification and fragment fields in the IP header, fields in the TCP header, and the type and code in ICMP.