Tcpdump command usage and example-linux network analysis

Source: Internet
Author: User
Article title: Tcpdump command usage and example-linux network analysis. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
As the name suggests, TcpDump can completely intercept the "header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information. Tcpdump is a free network analysis tool. It provides the source code and open interfaces. Therefore, tcpdump is highly scalable and useful for network maintenance and intruders. Tcpdump exists in the basic FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local machine, but a threat to the security of other computers on the network.
  
Tcpdump is defined as simple as possible: dump the traffice on a network. it is a packet analysis tool that intercepts packets on the network according to the user's definition. As an essential tool for system administrators on the Internet, tcpdump, with its powerful functions, uses live interception policies to become an analysis network for every senior system administrator, troubleshooting is one of the essential things. Tcpdump provides source code and open interfaces, so it has high scalability and is a very useful tool for network maintenance and intruders. Tcpdump exists in the basic FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local computer, but a threat to the security of other computers on the network.
  
   Installation of network data collection and analysis tool TcpDump
  
In linux, the installation of tcpdump is very simple. Generally, there are two installation methods. An rpm Package is used for installation. In addition, it is installed in the form of a source program.
  
Rpm Package installation: the simplest installation method is to compile the software and package it into a binary format. you can directly install the rpm package through the rpm command, you do not need to modify anything. Use the following command to log on as a super user:
# Rpm-ivh tcpdump-3_4a5.rpm
  
In this way, tcpdump is successfully installed on your linux system. It's easy.
  
SOURCE program installation: Since the rpm Package installation is very simple, why should we use a more complex source program installation? In fact, the biggest attraction of linux is that there are a lot of software on it that provides the source program. people can modify the source program to meet their special needs. Therefore, I especially recommend that you install the source program.
  
The first step is to obtain the source program. in the installation method of the source program, we first need to obtain the tcpdump source program distribution package. this distribution package has two forms: one is the tar compressed package (tcpdump-3_4a5.tar.Z ), the other is the rpm distribution package (tcpdump-3_4a5.src.rpm ). The two forms of content are the same, but the difference is that the compressed file is compressed. Tar. you can use the following command to unbind it:
# Tar xvfz tcpdump-3_4a5.tar.Z
  
Run the following command to install the rpm Package:
# Rpm-ivh tcpdump-3_4a5.src.rpm
  
In this way, extract the source code of tcpdump to the/usr/src/redhat/SOURCES Directory.
  
Step 2 Prepare the source program for compilation
  
Before compiling the source program, you are advised to confirm that the library file libpcap has been installed. this library file is the library file required by tcpdump software. Similarly, you also need a standard C language compiler. In linux, the standard c language compiler is generally gcc. In the tcpdump source program directory. One file is Makefile. in. the configure command automatically generates the Makefile file from the Makefile. in file. In the Makefile. in file, you can modify the BINDEST and MANDEST macro definitions according to the system configuration. the default value is
BINDEST = @ sbindir @
MANDEST = @ mandir @
  
The first macro value indicates the path name of the binary file where tcpdump is installed, and the second macro value indicates the path name of the tcpdump man help page. you can modify them to meet system requirements.
  
Step 3 compile the source program
  
Use the configure script in the source program directory to read various required attributes from the system. According to the Makefile. in file, the Makefile file is generated automatically, so that the. make command can be used to compile the tcpdump source program according to the rules in the Makefile file. Run the make install command to install the compiled binary file tcpdump.
  
Summary:
# Tar xvfz tcpdump-3_4a5.tar.Z
# Vi Makefile. in
#./Configure
# Make
# Make install
3 Use of network data collection and analysis tool TcpDump
  
Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
  
# Tcpdump
Tcpdump: listening on fxp0
11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50
11:58:47. 974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1d ui/C len = 43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014
000f 0000 902b 4695 0008 00
11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui/C len = 97
Ffff 0060 0004 ffff
0452 ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
00, 0000
^ C
  
Tcpdump supports many different parameters. for example, you can use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces, use the-c parameter to specify the number of data packets to be monitored, and use the-w parameter to specify to write the data packets to the file for storage, and so on.
  
However, the more complex tcpdump parameter is used for filtering, because the traffic in the network is large. If no difference is added, all data packets are intercepted, and the data volume is too large, instead, it is difficult to find the required data packages. Filter rules defined by these parameters can be used to intercept specific data packets to narrow down the target so as to better analyze problems in the network. Tcpdump uses parameters to specify the types, addresses, ports, and other data packets to be monitored. based on specific network problems, making full use of these filtering rules can quickly locate faults. Use man tcpdump to view the specific usage of these filter rules.
  
Obviously, this type of network analysis software should not be run on computers that are not used for network management. to shield them, we can shield bpfilter pseudo devices in the kernel. Generally, the network hardware and TCP/IP stack do not support receiving or sending data packets irrelevant to the computer. to receive these data packets, you must use the network adapter's hybrid mode, and bypass the standard TCP/IP stack. In FreeBSD, the kernel must support bpfilter, a pseudo-device. Therefore, network analysis tools such as tcpdump can be shielded by canceling bpfilter in the kernel.
  
When the NIC is set to the hybrid mode, the system will leave a record in the console and log files, reminding the administrator to check whether the system is used as a springboard to attack other computers on the same network.
  
May 15 16:27:20 host1/kernel: fxp0: promiscuous mode enabled
  
Although the network analysis tool can record the data transmitted over the network, the data traffic in the network is quite large, how to analyze, classify, and collect statistics on the data, and discover and report errors is more critical. Data packets in the network belong to different protocols, and the formats of data packets in different protocols are also different. Therefore, decoding captured data and displaying packet information as much as possible is more important for protocol analysis tools. The advantage of anggui's commercial analysis tools is that they support many types of application layer protocols, not only tcp, udp and other low-layer protocols.
  
According to the output of tcpdump, tcpdump does not thoroughly decode the intercepted data. most of the content in the data packet is printed in hexadecimal format. Obviously, this is not conducive to the analysis of network faults. The common solution is to first use tcpdump with The-w parameter to capture data and save it to the file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to prevent the captured data packets from filling the entire hard disk. A valid decoding program provided by FreeBSD is tcpshow, which can be installed through Packages Collection.
# Pkg_add/cdrom/packages/security/tcpshow *
# Tcpdump-c 3-w tcpdump. out
Tcpdump: listening on fxp0
# Tcpshow <tcpdump. out
---------------------------------------------------------------------------
Packet 1
TIME: 12: 00: 59.984829
LINK: 00: 10: 7B: 08: 3A: 56-> 01: 80: C2: 00: 00: 00 type = 0026
<*** No decode support for encapsulated protocol ***>
---------------------------------------------------------------------------
Packet 2
TIME: 12: 01: 01.074513 (1.089684)
LINK: 00: A0: C9: AB: 3C: DF-> FF: FF type = ARP
ARP: htype = Ethernet ptype = IP hlen = 6 plen = 4 op = request
Sender-MAC-addr = 00: A0: C9: AB: 3C: DF sender-IP-address = 202.102.245.3
Target-MAC-addr = 00: 00: 00: 00: 00 target-IP-address = 202.102.245.3
---------------------------------------------------------------------------
Packet 3
TIME: 12: 01: 01.985023 (0.910510)
LINK: 00: 10: 7B: 08: 3A: 56-> 01: 80: C2: 00: 00: 00 type = 0026
<*** No decode support for encapsulated protocol ***>
  
Tcpshow can decode data packets in different ways and display the decoded data in different ways. you can select the most suitable parameter based on the manual to analyze the intercepted data packets. As shown in the preceding example, tcpshow does not support many protocols and cannot decode protocols that it does not support.
  
In addition to tcpdump, FreeBSD Packages Collecion provides two network analysis tools, Ethereal and Sniffit, and other security tools based on network analysis. Ethereal runs in X Window and has a good graphic interface. Sniffit uses character Window format and is also easy to operate. However, since tcpdump has more powerful support for filtering rules, system administrators still prefer to use it. For experienced network administrators, use

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.