Tcpdump Advanced Usage


Author: Linhai Maple

http://blog.csdn.net/linyt

[*] Please credit the author when reprinting; please contact the author before any commercial use.


Run man tcpdump on Linux and the manual opens with the following synopsis:

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ]
        [ expression ]

This is the synopsis of tcpdump. This article only analyses how to write [expression], that is, how to write strict matching conditions. On a large network the number of packets is huge, and without a strict match the noise can seriously hinder analysis of the protocol you care about. The options that precede expression are not discussed here; the manual already describes them comprehensively. Expression is described below.

Usage of [expression]:

Expression is the most useful advanced feature of tcpdump: it is used to match particular packets. The following describes how expressions are used, and in particular how to write an expression with the strictest possible requirements. If tcpdump is run without an expression it outputs every packet seen on the network card; otherwise only packets matching the expression are output.

An expression consists of one or more primitives, and a primitive consists of one or more qualifiers plus one id (name) or number. Their structure, written in the style of a regular expression, is:

expression = ([qualifier]+ (id|number))+

In other words, an expression is a compound condition in which each [qualifier]+ (id|number) is one basic condition: the qualifiers name what is being tested (the item, or variable) and the id or number gives the value (or constant) it is compared against.

There are three kinds of qualifier:

type: indicates what kind of thing the id name or number refers to, such as host, net, port, portrange and so on.

Example:

host foo      a simple primitive: host is the qualifier, foo is the id name
net 128.3     net is the qualifier, 128.3 is the number
port 20
and so on.

Every primitive has a type word; if none is given in the expression, the default is host.

dir: specifies the direction of the data transfer. The possible values are src, dst, src or dst, and src and dst.

Example:

dst net 128.3: a relatively complex primitive with the structure dir type number, expressing the condition that the destination network is 128.3.

src or dst port ftp-data: a relatively simple structure. src or dst stands for source or destination, and ftp-data is the id, naming the data transfer port of the FTP protocol, so the whole primitive matches packets whose source or destination port is ftp-data.

If a primitive has no dir word, the default is src or dst. So host foo matches packets whose source or destination host is foo.

proto: these words match a particular protocol: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. In practice a capture is usually aimed at one protocol, so this is the most frequently used group of words.

The three kinds of qualifier combine with an id name or number to form a primitive, usually in this order:

proto dir type id (number), that is, primitive = proto dir type (id | number)

Such as:

tcp src port 80

ip dst host 192.168.1.1

If type is present, an id or number must follow it.

If dir appears, type normally appears as well; if type is omitted, the default is host.

proto can appear alone, for example tcpdump 'tcp'.

With the three kinds of qualifier described above we can quickly write a primitive. Below, a single primitive is used as the expression to match packets.
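The grammar above (proto dir type (id|number), with host as the default type and src or dst as the default direction) is small enough to model directly. The following is an added example, not code from the original article or from tcpdump itself: it parses a single primitive into its four parts, fills in the defaults the text describes, and evaluates it against a constructed packet summary. The SERVICES table is a tiny stand-in for /etc/services and the PKT dictionary is constructed sample input; tcpdump itself compiles expressions to BPF, which this model does not attempt.

```python
"""Model of the tcpdump primitive grammar described in the text:
    primitive = [proto] [dir] [type] (id | number)
with the text's defaults: no type -> host, no dir -> src or dst.
Added example, not the article's or tcpdump's own code."""

PROTOS = {"ether", "fddi", "tr", "wlan", "ip", "ip6", "arp", "rarp",
          "decnet", "tcp", "udp"}
TYPES = {"host", "net", "port", "portrange"}
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80}  # constructed stand-in for /etc/services


def parse_primitive(text):
    """Return (proto, dir, type, value); a bare protocol word returns (proto, None, None, None)."""
    toks = text.split()
    i, proto, dir_ = 0, None, None
    if toks and toks[0] in PROTOS:
        proto, i = toks[0], 1
        if len(toks) == 1:                      # proto may appear alone, e.g. 'tcp'
            return (proto, None, None, None)
    if toks[i:i + 3] in (["src", "or", "dst"], ["src", "and", "dst"]):
        dir_, i = " ".join(toks[i:i + 3]), i + 3
    elif toks[i:i + 1] in (["src"], ["dst"]):
        dir_, i = toks[i], i + 1
    if toks[i:i + 1] and toks[i] in TYPES:
        type_, i = toks[i], i + 1
    else:
        type_ = "host"                          # missing type word defaults to host
    if len(toks) != i + 1:                      # a type (explicit or implied) needs exactly one id/number
        raise ValueError("expected exactly one id or number in %r" % text)
    return (proto, dir_ or "src or dst", type_, toks[i])


def _field_matches(type_, value, field):
    """Compare one end's address or port against the primitive's value."""
    if field is None:
        return False
    if type_ == "host":
        return field == value
    if type_ == "net":                          # '128.3' matches 128.3.x.x, as in the text
        return field == value or field.startswith(value.rstrip(".") + ".")
    if type_ == "port":
        wanted = int(value) if value.isdigit() else SERVICES.get(value)
        return field == wanted
    lo, hi = (int(x) for x in value.split("-"))  # portrange, e.g. 20-21
    return lo <= field <= hi


def matches(primitive, pkt):
    """Evaluate a parsed primitive against a packet summary dict."""
    proto, dir_, type_, value = primitive
    if proto is not None and proto not in pkt["protos"]:
        return False
    if type_ is None:                           # bare proto: nothing more to check
        return True
    key = "port" if type_ in ("port", "portrange") else "host"
    ends = ("src", "dst") if dir_ in ("src or dst", "src and dst") else (dir_,)
    hits = [_field_matches(type_, value, pkt.get("%s_%s" % (end, key))) for end in ends]
    return all(hits) if dir_ == "src and dst" else any(hits)


# Constructed packet summary: a TCP segment from the FTP data port on 128.3.4.5 to 192.168.1.1.
PKT = {"protos": {"ether", "ip", "tcp"},
       "src_host": "128.3.4.5", "dst_host": "192.168.1.1",
       "src_port": 20, "dst_port": 51000}

if __name__ == "__main__":
    for expr in ("host 192.168.1.1", "dst net 128.3", "src or dst port ftp-data",
                 "tcp src port 80", "ip dst host 192.168.1.1", "tcp", "udp"):
        print("%-28s -> %s" % (expr, matches(parse_primitive(expr), PKT)))
```

The useful check is the error path: "port" on its own raises, because a type word requires a value, while "foo" on its own is accepted as host foo, which is exactly the default the text describes.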

(1) Matching ether packets

Matching packets with a particular MAC address:

tcpdump 'ether src 00:19:21:1d:75:e6'

This matches packets whose source MAC is 00:19:21:1d:75:e6; src can be changed to dst or src or dst to change the condition.

Matching ether broadcast packets. An ether broadcast packet is characterised by a destination MAC of all ones, so it can be matched with:

tcpdump 'ether dst ff:ff:ff:ff:ff:ff'


ylin@ylin:~$ sudo tcpdump -c 1 'ether dst ff:ff:ff:ff:ff:ff'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
10:47:57.784099 arp who-has 192.168.240.77 tell 192.168.240.189

In this case only one packet is matched before tcpdump exits. It is an ARP request; ARP requests are sent by broadcast, so it is expected to match.

Matching ether multicast packets: a multicast ether packet is characterised by the highest bit of the MAC being 1, with the remaining bits indicating the multicast group number. To match a particular multicast group you need to know its group MAC address, for example:

tcpdump 'ether dst <mac_address>', filling in the appropriate MAC address. Matching all ether multicast packets is set aside for now; it belongs with the more advanced usage explained later.

(2) Matching ARP packets

ARP is the protocol that converts IP addresses to MAC addresses. It has two kinds of messages, ARP request and ARP reply. An ARP request is sent as an ether broadcast, that is, its destination MAC is all ones, so ether dst ff:ff:ff:ff:ff:ff matches ARP requests but cannot match ARP replies. To match the whole ARP exchange, specify the protocol with arp alone.

tcpdump 'arp' matches the ARP messages on the network:

ylin@ylin:~$ arping -c 4 192.168.240.1 >/dev/null & sudo tcpdump -p 'arp'
[1] 9293
WARNING: interface is ignored: Operation not permitted
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
11:09:25.042479 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:25.042702 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:26.050452 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:26.050765 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:27.058459 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:27.058701 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:33.646514 arp who-has ylin.local tell 192.168.240.1
11:09:33.646532 arp reply ylin.local is-at 00:19:21:1d:75:e6 (oui Unknown)
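The ether and ARP sections above make one point between them: ether dst ff:ff:ff:ff:ff:ff catches the broadcast ARP request but not the unicast ARP reply, while arp catches both. The following added example (not code from the original article or from tcpdump) builds the two frames from the capture above as raw bytes and evaluates those filters, plus ether src and tcpdump's ether multicast keyword, directly on the frame. The multicast test checks the group (I/G) bit, which on the wire is the lowest-order bit of the first destination octet; Ethernet transmits each octet least-significant bit first, so it is also the first bit sent, which is the sense in which the text calls it the highest bit. The frames, the gateway's addresses from the capture and the placeholder 192.168.240.189 for ylin's own IP (the capture does not show it) are all constructed here.

```python
"""Evaluate ether/arp filter primitives on raw Ethernet frames.
Added example, not the article's or tcpdump's own code; the frames are
constructed to mirror the ARP exchange in the capture above."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """'00:19:21:1d:75:e6' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    """'192.168.240.1' -> 4 raw bytes."""
    return bytes(int(o) for o in text.split("."))


def build_arp(op, src_mac, dst_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + IPv4-over-Ethernet ARP body (28 bytes)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    body = mac(src_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp_hdr + body


# The filter primitives, evaluated on frame bytes instead of by BPF.
def ether_dst(frame, addr):            # tcpdump 'ether dst <addr>'
    return frame[0:6] == mac(addr)


def ether_src(frame, addr):            # tcpdump 'ether src <addr>'
    return frame[6:12] == mac(addr)


def ether_multicast(frame):            # tcpdump 'ether multicast': I/G bit of first dst octet
    return bool(frame[0] & 0x01)       # broadcast (all ones) sets this bit too


def arp(frame):                        # tcpdump 'arp': EtherType 0x0806, requests and replies alike
    return struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_ARP


def arp_op(frame):
    """ARP opcode: 1 = request (who-has), 2 = reply (is-at)."""
    return struct.unpack("!H", frame[20:22])[0]


# Constructed frames: ylin asks who has 192.168.240.1, the gateway answers unicast.
# 192.168.240.189 is a placeholder for ylin's IP, which the capture does not show.
YLIN, GW = "00:19:21:1d:75:e6", "00:03:d2:20:04:28"
REQUEST = build_arp(ARP_REQUEST, YLIN, BROADCAST, "192.168.240.189",
                    "00:00:00:00:00:00", "192.168.240.1")
REPLY = build_arp(ARP_REPLY, GW, YLIN, "192.168.240.1", YLIN, "192.168.240.189")

FILTERS = {
    "ether src 00:19:21:1d:75:e6": lambda f: ether_src(f, YLIN),
    "ether dst ff:ff:ff:ff:ff:ff": lambda f: ether_dst(f, BROADCAST),
    "ether multicast": ether_multicast,
    "arp": arp,
}


def matched_by(frame):
    """Names of the filters a frame satisfies, in FILTERS order."""
    return [name for name, fn in FILTERS.items() if fn(frame)]


if __name__ == "__main__":
    for label, frame in (("request", REQUEST), ("reply", REPLY)):
        print("%-7s op=%d -> %s" % (label, arp_op(frame), matched_by(frame)))
```

Running it shows the request satisfying all four filters and the reply satisfying only arp, which is why a capture of an ARP exchange should be written as 'arp' rather than as a broadcast-address match.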
