I use tcpdump all the time at work, and it is very convenient. Today, on a whim, I looked tcpdump up on Baidu and only then discovered how many powerful features I never knew about. Embarrassing!
This document is a record of the usage I have just learned. If you know of other usage, tell me and I will add it in time to enrich the list. Haha!
ylin@linuxso.com:~$ sudo tcpdump -c 1 'ether dst ff:ff:ff:ff:ff:ff'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:47:57.784099 arp who-has 192.168.240.77 tell 192.168.240.189
In this example, -c 1 makes tcpdump exit after the first matching packet. The packet it caught is an ARP request: ARP requests are sent as Ethernet broadcasts, so the destination MAC is ff:ff:ff:ff:ff:ff and the filter matches.
Ethernet multicast frames are recognised by the lowest bit of the first byte of the destination MAC being 1; the remaining bits identify the multicast group. To match one particular group you only need to know the group's MAC address, for example:
tcpdump 'ether dst MAC_ADDRESS', where MAC_ADDRESS is the group address. Matching all Ethernet multicast frames at once is covered in the list of primitives further down.
(2) Matching ARP packets
ARP is the protocol that resolves IP addresses to MAC addresses; it consists of ARP requests and ARP replies. ARP requests are sent as Ethernet broadcasts, i.e. with destination MAC ff:ff:ff:ff:ff:ff, so 'ether dst ff:ff:ff:ff:ff:ff' matches the requests but not the unicast replies. To capture the whole ARP exchange, specify the protocol itself with arp.
tcpdump 'arp' matches the ARP packets on the network.
ylin@linuxso.com:~$ arping -c 4 192.168.240.1 >/dev/null & sudo tcpdump -p 'arp'
[1] 9293
WARNING: interface is ignored: Operation not permitted
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:09:25.042479 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:25.042702 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:26.050452 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:26.050765 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:27.058459 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:27.058701 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:33.646514 arp who-has ylin.local tell 192.168.240.1
11:09:33.646532 arp reply ylin.local is-at 00:19:21:1d:75:e6 (oui Unknown)
Here arping -c 4 192.168.240.1 generates the ARP requests and receives the replies, while tcpdump -p 'arp' captures them. The -p option keeps the interface out of promiscuous mode, so only traffic addressed to this host (plus broadcast and multicast) is seen, which keeps the output short and easy to read.
(3) Matching IP packets
IP is one of the most important protocols in the TCP/IP suite; it is what connects the Internet together, so knowing how to match IP packets is essential. The expressions are analysed below.
Matching by IP address:
tcpdump 'ip src 192.168.240.69'
ylin@linuxso.com:~$ sudo tcpdump -c 3 'ip src 192.168.240.69'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:00.973605 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: S 2706301341:2706301341(0) win 5840
11:20:00.974328 IP ylin.local.32849 > 192.168.200.150.domain: 5858+ PTR? 2017200.168.192.in-addr.arpa. (45)
11:20:01.243490 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: . ack 2762262674 win 183
Matching IP broadcast or multicast packets: simply specify the broadcast or multicast address as the destination.
tcpdump 'ip dst 192.168.240.255'
ylin@linuxso.com:~$ sudo tcpdump 'ip dst 192.168.240.255'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:25:29.690658 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 1, length 64
11:25:30.694989 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 2, length 64
11:25:31.697954 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 3, length 64
11:25:32.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 4, length 64
11:25:33.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 5, length 64
11:25:34.697982 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 6, length 64
These are ICMP echo requests sent to the broadcast address. To generate them, run ping -b 192.168.240.255 on another host on the same LAN. Multicast packets can be matched the same way, but there was no convenient tool at hand to generate them, so no example is given here.
(4) Matching TCP packets
TCP is another of the most important protocols in the TCP/IP stack. It provides a reliable end-to-end byte stream, and many application-layer protocols run on top of it, which is why matching TCP traffic matters so much.
To match HTTP traffic, for example, it is enough to match on port 80:
tcpdump 'tcp dst port 80'
ylin@linuxso.com:~$ wget http://www.baidu.com >/dev/null 2>&1 & sudo tcpdump -c 5 'tcp port 80'
[1] 10762
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:02:47.549056 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: S 1202130469:1202130469(0) ack 1132882351 win 2896
12:02:47.549085 IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: . ack 1 win 183
12:02:47.549226 IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: P 1:102(101) ack 1 win 183
12:02:47.688978 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . ack 102 win 698
12:02:47.693897 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . 1:1409(1408) ack 102 win 724
(5) Matching UDP packets
UDP is a connectionless, unreliable datagram protocol, so the main thing to match on is again the port. For example, to view DNS traffic:
tcpdump 'udp port 53'
ylin@linuxso.com:~$ ping -c 1 www.baidu.com >/dev/null & sudo tcpdump -p 'udp port 53'
[1] 11424
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:28:09.221950 IP ylin.local.32853 > 192.168.200.150.domain: 63228+ PTR? 43.22.108.202.in-addr.arpa. (44)
12:28:09.222607 IP ylin.local.32854 > 192.168.200.150.domain: 5114+ PTR? 150.200.168.192.in-addr.arpa. (46)
12:28:09.487017 IP 192.168.200.150.domain > ylin.local.32853: 63228 1/0/0 (80)
12:28:09.487232 IP 192.168.200.150.domain > ylin.local.32854: 5114 NXDomain* 0/1/0 (140)
12:28:14.488054 IP ylin.local.32854 > 192.168.200.150.domain: 60693+ PTR? 69.240.168.192.in-addr.arpa. (45)
12:28:14.755072 IP 192.168.200.150.domain > ylin.local.32854: 60693 NXDomain 0/1/0 (122)
ping www.baidu.com generates the DNS queries and replies; 53 is the DNS port number.
There are many more qualifiers not mentioned so far. Below are other valid primitives that can be used directly in tcpdump.
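To try the filters from sections (1) to (5) without a live network, here is an added example (not code from the original post): a Python script that builds one frame of each kind shown above with struct, namely an ARP request, a broadcast ICMP echo request, a TCP SYN to port 80 and a UDP DNS query, and writes them to a classic pcap file that tcpdump -r can read. The MAC and IP addresses are sample values chosen to resemble the captures above; the DNS transaction ID, sequence numbers and source ports are arbitrary.

```python
import socket
import struct

# Sample addresses, chosen to resemble the captures above (made up for the demo).
HOST_MAC, HOST_IP = "00:19:21:1d:75:e6", "192.168.240.69"
GW_MAC, GW_IP = "00:03:d2:20:04:28", "192.168.240.1"
BCAST_MAC, BCAST_IP = "ff:ff:ff:ff:ff:ff", "192.168.240.255"
DNS_IP = "192.168.200.150"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return socket.inet_aton(text)


def checksum(data):
    """RFC 1071 one's-complement checksum, used for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ether(dst, src, ethertype, payload):
    # Ethernet II: destination MAC first, then source MAC, then EtherType.
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload, ident=1):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      64, proto, 0, ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def arp_request(sender_mac, sender_ip, target_ip):
    # Ethernet/IPv4 ARP request (opcode 1) to the broadcast MAC, as arping sends.
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac(sender_mac)
            + ip4(sender_ip) + bytes(6) + ip4(target_ip))
    return ether(BCAST_MAC, sender_mac, 0x0806, body)


def icmp_echo(src_mac, dst_mac, src_ip, dst_ip, ident=10022, seq=1):
    # Type 8 echo request with 56 data bytes, the same 64-byte length ping shows.
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + bytes(56)
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ether(dst_mac, src_mac, 0x0800, ipv4(src_ip, dst_ip, 1, body))


def tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq=2706301341):
    # Data offset 5 (20-byte header), flags 0x02 = SYN only.  The TCP checksum
    # is left at zero: filters never look at it, only tcpdump -vv flags it.
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 5840, 0, 0)
    return ether(dst_mac, src_mac, 0x0800, ipv4(src_ip, dst_ip, 6, seg))


def dns_query(src_mac, dst_mac, src_ip, dst_ip, name, sport=32853, txid=0x1234):
    # Standard recursive A query; UDP checksum 0 means "no checksum" over IPv4.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    seg = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    return ether(dst_mac, src_mac, 0x0800, ipv4(src_ip, dst_ip, 17, seg))


def pcap_bytes(frames):
    """Classic little-endian pcap, link type 1 (DLT_EN10MB), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_FRAMES = [
    arp_request(HOST_MAC, HOST_IP, GW_IP),
    icmp_echo(HOST_MAC, BCAST_MAC, HOST_IP, BCAST_IP),
    tcp_syn(HOST_MAC, GW_MAC, HOST_IP, "202.108.22.43", 47945, 80),
    dns_query(HOST_MAC, GW_MAC, HOST_IP, DNS_IP, "www.baidu.com"),
]

if __name__ == "__main__":
    with open("filters-demo.pcap", "wb") as f:
        f.write(pcap_bytes(SAMPLE_FRAMES))
    print("wrote filters-demo.pcap with", len(SAMPLE_FRAMES), "frames")
```

Run the script, then replay the filters against the file: tcpdump -nr filters-demo.pcap 'arp', 'ip dst 192.168.240.255', 'tcp port 80' and 'udp port 53' each print exactly one packet, while 'ether dst ff:ff:ff:ff:ff:ff' prints two, the ARP request and the broadcast ping, which is precisely the distinction between the broadcast filter and the arp primitive made in section (2).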
gateway host
Matches packets that used host as a gateway, i.e. the Ethernet source or destination address is host's MAC, but neither the IP source nor the IP destination address is host.
dst net net
src net net
net net
net net mask netmask
net net/len
Match packets whose IPv4/IPv6 address lies in the network net.
net may be written in full as 192.168.0.0 or abbreviated as 192.168, for example net 192.168 or net 192.168.0.0.
net net mask netmask is only valid for IPv4, for example net 192.168.0.0 mask 255.255.0.0.
net net/len works for both IPv4 and IPv6, for example net 192.168.0.0/16.
dst portrange port1-port2
src portrange port1-port2
portrange port1-port2
Match ip/tcp, ip/udp, ip6/tcp or ip6/udp packets whose port lies in the range port1-port2. dst and src select the destination or source port; with neither, either the source or the destination port may match.
less length matches packets whose length is less than or equal to length.
greater length matches packets whose length is greater than or equal to length.
ip protochain protocol matches IPv4 packets whose protocol header chain contains the protocol number protocol.
ip6 protochain protocol does the same for IPv6 packets, skipping any extension headers.
For example, tcpdump 'ip protochain 6' matches TCP packets on an IPv4 network and is equivalent to tcpdump 'ip and tcp' (two primitives joined with and); 6 is the protocol number of TCP in the IP header.
ether broadcast
Matches Ethernet broadcast packets.
ether multicast
Matches Ethernet multicast packets (which includes broadcast).
ip broadcast
Matches IPv4 broadcast packets, i.e. packets whose destination host part is all zeros or all ones; the subnet mask is looked up on the capture interface.
ip multicast
Matches IPv4 multicast packets, i.e. packets whose destination address is a multicast address.
ip6 multicast
Matches IPv6 multicast packets, i.e. packets whose destination address is a multicast address.
vlan vlan_id
Matches 802.1Q VLAN-tagged packets whose VLAN ID is vlan_id.
So far every expression has consisted of a single primitive. Once you can write individual primitives, combining several of them into one expression is easy: join them with logical operators. There are three:
"&&" or "and"
"||" or "or"
"!" or "not"
Parentheses group sub-expressions, so arbitrarily complex combinations can be built. For example:
tcpdump 'ip and tcp'
tcpdump 'host 192.168.240.3 and (tcp port 80 or tcp port 443)'
Note that a single & or | is not a logical connector; it is the bitwise arithmetic operator used inside the byte-offset primitive described next.
With the primitives above we can already express many conditions: ip, tcp, udp, vlan and so on, with IP matched by address and TCP/UDP by port. But what if you need a finer condition, say TCP packets that carry only the SYN flag, or only the FIN flag? Those primitives cannot express that. tcpdump's last, and most powerful, primitive can. Remember that it is a primitive, not a whole expression, so several of them can be combined into a more complex expression.
The last primitive has the form expr relop expr.
If you label this form A, you can write tcpdump 'A1 and A2 and ip src 192.168.200.1' and so on.
Let us analyse form A to see how powerful it is. If it looks confusing, practise the material above a few times first, because this form is by far the most complex.
Form: expr relop expr
relop is a relational operator, one of >, <, >=, <=, =, !=.
expr is an arithmetic expression built from integer constants, binary operators (+, -, *, /, &, |, <<, >>), the length operator (len, the length of the packet) and packet data accessors. All integers are unsigned, so 0x80000000 and 0xffffffff are both > 0. Packet data is accessed with:
proto[expr:size]
proto names the protocol layer to index into (ether, ip, arp, icmp, tcp, udp and so on), expr gives the byte offset from the start of that protocol's header, and size (optional; 1, 2 or 4, default 1) is the number of bytes to read. The accessor evaluates to the size bytes at offset expr in the proto header, interpreted as an unsigned integer in network byte order. A packet that does not contain the protocol at all does not match.
Some examples of primitives of the form expr relop expr:
'ether[0] & 1 != 0': the lowest bit of the first byte of the Ethernet header (the first byte of the destination MAC) is 1, i.e. the frame is an Ethernet broadcast or multicast.
In this way we can match any byte of the packet, which is what makes this primitive so powerful.
'ip[0] & 0xf0 = 0x40': the high four bits of the first byte of the IP header are the version field, so this matches IPv4 packets. (Note that 'ip[0] = 4' would not work: ip[0] holds both the version and the header length, and is normally 0x45.)
To match a SYN packet, use 'tcp[13] = 2': the TCP flags are byte 13 of the TCP header and SYN is bit 1 (value 2) of that byte, so this matches packets in which only the SYN flag is set. To match SYN regardless of the other flags, use 'tcp[13] & 2 != 0'.
To match the request packets of the ping command, use 'icmp[0] = 8': byte 0 of the ICMP header is the type, and type 8 is an echo request.
For commonly used bytes such as the TCP flags and the ICMP type, the numeric offsets are easy to forget. tcpdump therefore provides symbolic names, so you do not have to remember the numbers.
For ICMP, the type byte can be referred to as icmptype, so the primitive above can be written 'icmp[icmptype] = 8'. And if you cannot remember the 8 either, tcpdump also provides names for the values, for example 'icmp[icmptype] = icmp-echo'.
The named offsets tcpdump provides are:
icmptype: the offset of the type byte in the ICMP header.
icmpcode: the offset of the code byte in the ICMP header.
tcpflags: the offset of the flags byte in the TCP header.
There are also named values for those bytes:
ICMP type values:
icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq and icmp-maskreply.
TCP flag values:
tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
With these names we can write primitives such as:
'tcp[tcpflags] = tcp-syn' matches TCP packets in which only the SYN flag is set (use 'tcp[tcpflags] & tcp-syn != 0' if other flags may be set as well).
'tcp[tcpflags] & (tcp-syn | tcp-ack | tcp-fin) != 0' matches TCP packets with any of SYN, ACK or FIN set.
For the IP header no symbolic names are provided; to match finer conditions you use numeric offsets directly, which requires a deeper understanding of the IP header layout.
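To make the byte-offset primitive concrete, the following is an added example, not code from the original post: a Python re-implementation of the proto[offset:size] accessor that locates the Ethernet, ARP, IPv4, ICMP, TCP and UDP headers the way tcpdump's indexing does (honouring the IPv4 header length), together with the named offsets and values listed above, applied to three constructed sample frames (a TCP SYN, a broadcast ICMP echo request and an ARP request). It evaluates the numeric and symbolic filters from the examples above, including the non-working 'ip[0] = 4' next to the correct form and a 2-byte access of the IP total length. The frames' addresses are made up and their checksums are left at zero, since offset matching never reads them.

```python
# Constructed sample frames (Ethernet II), hex-encoded.  Checksums are zero
# because offset matching never looks at them; addresses are made up.
TCP_SYN_FRAME = bytes.fromhex(
    "0003d2200428" "0019211d75e6" "0800"        # dst MAC, src MAC, EtherType IPv4
    "450000280001000040060000c0a8f045c0a8f001"  # IPv4: IHL 5, proto 6, .69 -> .1
    "c90200500000000100000000500216d000000000"  # TCP: 51458 -> 80, flags 0x02 (SYN)
)
ICMP_ECHO_FRAME = bytes.fromhex(
    "ffffffffffff" "0019211d75e6" "0800"        # broadcast destination MAC
    "4500001c0002000040010000c0a8f045c0a8f0ff"  # IPv4: proto 1, .69 -> .255
    "0800000027260001"                          # ICMP: type 8 (echo), code 0, id, seq
)
ARP_REQUEST_FRAME = bytes.fromhex(
    "ffffffffffff" "0019211d75e6" "0806"        # EtherType ARP
    "0001080006040001" "0019211d75e6" "c0a8f045" "000000000000" "c0a8f001"
)

# Symbolic offsets and values from the lists above (numeric equivalents).
NAMED_OFFSET = {"icmptype": 0, "icmpcode": 1, "tcpflags": 13}
TCP_FLAG = {"tcp-fin": 1, "tcp-syn": 2, "tcp-rst": 4, "tcp-push": 8, "tcp-ack": 16, "tcp-urg": 32}
ICMP_TYPE = {"icmp-echoreply": 0, "icmp-unreach": 3, "icmp-echo": 8, "icmp-timxceed": 11}
L4_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def header_offset(frame, proto):
    """Byte offset of proto's header inside the frame, or None if the layer is absent."""
    if proto == "ether":
        return 0
    ethertype = int.from_bytes(frame[12:14], "big")
    if proto == "arp":
        return 14 if ethertype == 0x0806 else None
    if ethertype != 0x0800:
        return None
    if proto == "ip":
        return 14
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes (tcpdump honours it)
    return 14 + ihl if frame[14 + 9] == L4_PROTO.get(proto) else None


def field(frame, proto, offset, size=1):
    """proto[offset:size]: size bytes at offset in proto's header as an unsigned
    big-endian integer, or None when the protocol is not present (no match)."""
    if isinstance(offset, str):
        offset = NAMED_OFFSET[offset]
    base = header_offset(frame, proto)
    if base is None or base + offset + size > len(frame):
        return None
    return int.from_bytes(frame[base + offset:base + offset + size], "big")


# Each filter: (proto, offset, size, relational test on the accessed value).
FILTERS = {
    "ether[0] & 1 != 0": ("ether", 0, 1, lambda v: v & 1 != 0),
    "ip[0] = 4": ("ip", 0, 1, lambda v: v == 4),              # never matches: ip[0] is 0x45
    "ip[0] & 0xf0 = 0x40": ("ip", 0, 1, lambda v: v & 0xF0 == 0x40),
    "tcp[13] = 2": ("tcp", 13, 1, lambda v: v == 2),
    "tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-fin) != 0": (
        "tcp", "tcpflags", 1,
        lambda v: v & (TCP_FLAG["tcp-syn"] | TCP_FLAG["tcp-ack"] | TCP_FLAG["tcp-fin"]) != 0),
    "icmp[icmptype] = icmp-echo": ("icmp", "icmptype", 1, lambda v: v == ICMP_TYPE["icmp-echo"]),
    "ip[2:2] > 30": ("ip", 2, 2, lambda v: v > 30),            # IPv4 total length, 2-byte access
}


def matching_filters(frame):
    """Names of the FILTERS that the frame satisfies, in definition order."""
    hits = []
    for name, (proto, offset, size, test) in FILTERS.items():
        value = field(frame, proto, offset, size)
        if value is not None and test(value):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, frame in (("tcp syn", TCP_SYN_FRAME), ("icmp echo", ICMP_ECHO_FRAME),
                         ("arp request", ARP_REQUEST_FRAME)):
        print(label, "->", matching_filters(frame))
```

The absent-layer case matters: tcpdump treats tcp[13] on a non-TCP packet as "does not match", which is why field() returns None rather than reading whatever byte happens to sit at that offset.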
Once you can write primitives, an expression is a piece of cake: one or more primitives joined by logical operators:
tcpdump 'host 192.168.240.91 and icmp[icmptype] = icmp-echo'
tcpdump 'host 192.168.1.100 and vrrp'
tcpdump 'ether src 00:00:00:00:00:02 and ether[0] & 1 != 0'
This lets you use tcpdump exactly as you like, with no more digging through cluttered output for the packets you want.
In the same way we can write more complex expressions that match, for example, the identification field of the IP header, the sequence number of a TCP segment, or the identifier and type fields of an ICMP message.