Actually, you could even say that tcpdump is a hacker's tool, because not only can it analyze the direction in which packets flow, it can also "listen in" on the contents of the packets. If the data you transmit is in plaintext, it may well have been read by someone else on a router along the way! Scary! So let's get to know this tool. (Note: tcpdump must be run as root.)
[root@linux ~]# tcpdump [-nn] [-i interface] [-w file] [-c count] [-Ae] [-qX] [-r file] [filter expression]
Options:
-nn : show IP addresses and port numbers directly, instead of host names and service names
-i  : the network interface to listen on, e.g. eth0, lo or ppp0
-w  : write the captured packets to a file; takes the file name
-c  : number of packets to capture; without it, tcpdump keeps capturing until you press [Ctrl]-C
-A  : display the packet contents in ASCII; often used to capture WWW packets
-e  : display the MAC (OSI layer 2) header information
-q  : brief output, with less detail per line
-X  : display the packet contents in both hex and ASCII; very useful for inspecting payloads
-r  : read packets from a file instead of the network; the file is one previously saved with -w
Filter expression: capture only packets matching a protocol or an IP address/port, so the output contains just what you need. Commonly used forms:
'host foo', 'host 127.0.0.1'        : packets to or from a single host
'net 192.168'                       : packets to or from a network
'src host 127.0.0.1', 'dst net 100' : add a source (src) or destination (dst) qualifier
'tcp port 21'                       : protocol and port; tcp, udp, arp, ether and others also work
Expressions can be combined with 'and' and 'or' to capture exactly the packets you want!

Example 1: capture packets on eth0, showing IP addresses and port numbers, for about 3 seconds
[root@linux ~]# tcpdump -i eth0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648
<== press [Ctrl]-C to stop
6680 packets captured              <== number of packets captured
14250 packets received by filter   <== total number of packets handed over by the kernel
7512 packets dropped by kernel     <== number of packets dropped by the kernel
If this is the first time you have read the tcpdump man page, it will make your head spin, because what tcpdump analyzes is basically the packet headers, which is not friendly to anyone without a networking background! So, at the very least, you need to go back to the networking fundamentals and understand the TCP header! ^_^ As for the output produced by that example, it can be split into several fields. Let's explain it using the first highlighted line of output from example 1:
- 01:33:40.41: the time the packet was captured, in hours:minutes:seconds;
- IP: the protocol carried by the packet is IP;
- 192.168.1.100.22 >: the sender is IP address 192.168.1.100, and the sender's port number is 22. Note that the greater-than sign (>) indicates the direction of the packet!
- 192.168.1.11.1190: the receiver's IP address is 192.168.1.11, and that host is receiving on port 1190;
- P 116:232(116): this packet has the PUSH flag set, and the data it carries is bytes 116 through 232 of the stream, so the packet carries 116 bytes of data;
- ack 1 win 9648: the acknowledgement (ACK) and window size information.
Put simply, this packet travels from 192.168.1.100 to 192.168.1.11, from port 22 to port 1190, carrying 116 bytes of data with the PUSH flag set, rather than a SYN used to actively open a connection. Heh, not easy to understand, is it? That is why the TCP header knowledge covered earlier is required!
Also, on a very busy host, when you only want to capture the packets that a particular host sends to you, you could combine tcpdump with grep and regular expressions, but that is a clumsy way to catch the culprit! tcpdump's filter expressions let us extract the information we need easily. In the example above we listened on eth0, so all the traffic on the eth0 interface appeared on the screen, which is hard to analyze! Can we narrow it down? For example, to capture only the packets on port 21, you can do this:
[root@linux ~]# tcpdump -i eth0 -nn port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 1 win 65535
01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240: P 1:21(20) ack 1 win 5840
01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 21 win 65515
01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840
Look! This time only the port 21 traffic is shown, and as you read it you will notice that packets always come in pairs: the client sends a "request" and the server returns a "response". We can also understand how a connection is established by following the packet flow. For example:
- first run "tcpdump -i lo -nn" in one terminal window,
- then open another terminal window and log in to the local machine (127.0.0.1) with "ssh localhost".
What is the result?
[root@linux ~]# tcpdump -i lo -nn
1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
2 listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
3 11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
4 11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
5 11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
6 11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
7 11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
The first two lines of the output above are tcpdump's own description; after that:
- line 3 shows the client actively sending a packet with the SYN flag set;
- line 4 shows the server replying: besides acknowledging the client (ACK), it also carries the SYN flag to open its side of the connection;
- line 5 shows the client acknowledging the server, confirming that the connection is established (ACK);
- from line 6 onward the data transfer begins.
Do lines 3 to 5 look familiar? Yes! That is the three-way handshake! Fun, isn't it? But tcpdump is regarded as more than just a hacker's tool: the feature shown above can be used to analyze the packets entering and leaving our host. This helps us understand how the packets behave, and at the same time tells us whether the host's firewall rules need fixing.
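To make the field breakdown and the three-way handshake above concrete, here is an added Python example (not code from the original page) that parses tcpdump's one-line summary format into its fields and labels the SYN, SYN-ACK and ACK steps; the sample lines are lines 3 to 7 of the capture above, and the labels and dictionary keys are this example's own.

```python
import re

# tcpdump summary line as the text breaks it down: time, IP, src.port > dst.port, TCP flags,
# optional seq:end(len), optional ack, window; the <options> after `win` are ignored.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

# Lines 3-7 of the page's `tcpdump -i lo -nn` capture of `ssh localhost`.
SAMPLE = """\
11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
""".splitlines()

def parse_line(line: str):
    """Return the fields of one packet line as a dict, or None for tcpdump's banner lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "end", "len", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def handshake_summary(lines):
    """Label packets as SYN, SYN-ACK, ACK (handshake complete), DATA or plain ACK."""
    pending: dict = {}   # (client, server) -> client ISN, until the handshake completes
    out = []
    for p in filter(None, map(parse_line, lines)):
        a, b = f"{p['src']}:{p['sport']}", f"{p['dst']}:{p['dport']}"
        if "S" in p["flags"] and p["ack"] is None:          # step 1: client SYN
            pending[(a, b)] = p["seq"]
            out.append(f"SYN {a} -> {b} ISN {p['seq']}")
        elif "S" in p["flags"]:                              # step 2: server SYN-ACK
            ok = (b, a) in pending and p["ack"] == pending[(b, a)] + 1  # absolute numbers here
            out.append(f"SYN-ACK {a} -> {b} acks ISN+1: {ok}")
        elif (a, b) in pending and not p["len"]:             # step 3: client ACK
            pending.pop((a, b))
            out.append(f"ACK {a} -> {b} handshake complete")
        elif p["len"]:                                       # relative seq numbers from here on
            out.append(f"DATA {a} -> {b} {p['len']} bytes" + (" PUSH" if "P" in p["flags"] else ""))
        else:
            out.append(f"ACK {a} -> {b} ack {p['ack']}")
    return out
```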
An even more amazing use is coming! Suppose we use tcpdump to listen to "plaintext" data on the wire. For example, what do you think the problem with FTP is? First run "tcpdump -i lo port 21 -nn -X" in one terminal, then log in to the host with FTP and enter the account name and password. You will find output like the following:
[root@linux ~]# tcpdump -i lo -nn -X 'port 21'
0x0000:  4500 0048 2a28 4000 4006 1286 7f00 0001  E..H*(@.@.......
0x0010:  7f00 0001 0015 80ab 8355 2149 835c d825  .........U!I./.%
0x0020:  8018 2000 fe3c 0000 0101 080a 0e2e 0b67  .....<.........g
0x0030:  0e2e 0b61 3232 3020 2876 7346 5450 6420  ...a220.(vsFTPd.
0x0040:  322e 302e 3129 0d0a                      2.0.1)..
0x0000:  4510 0041 d34b 4000 4006 6959 7f00 0001  E..A.K@.@.iY....
0x0010:  7f00 0001 80ab 0015 835c d825 8355 215d  ........./.%.U!]
0x0020:  8018 2000 fe35 0000 0101 080a 0e2e 1b37  .....5.........7
0x0030:  0e2e 0b67 5553 4552 2064 6d74 7361 690d  ...gUSER.dmtsai.
0x0040:  0a                                       .
0x0000:  4510 004a d34f 4000 4006 694c 7f00 0001  E..J.O@.@.iL....
0x0010:  7f00 0001 80ab 0015 835c d832 8355 217f  ........./.2.U!.
0x0020:  8018 2000 fe3e 0000 0101 080a 0e2e 3227  .....>........2'
0x0030:  0e2e 1b38 5041 5353 206d 7970 6173 7377  ...8PASS.mypassw
0x0040:  6f72 6469 7379 6f75 0d0a                 ordisyou..
The output above has been simplified; you will need to look for the relevant strings in your own output. From the highlighted parts we can see that the FTP server is vsftpd, the account logging in is dmtsai, and the password is mypasswordisyou! Isn't that terrible? What if you are using a plaintext protocol to transmit your data across the network? This is why we so often say the network is insecure!
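As an added example (not part of the original page), the following Python code turns `tcpdump -X` rows back into bytes, walks the IP and TCP headers by their own length fields to reach the payload, and flags the cleartext USER and PASS commands; the two sample packets are the USER and PASS segments copied from the capture above. A check like this is one way to audit a capture for plaintext logins.

```python
import re

# Two packets copied from the page's `tcpdump -i lo -nn -X 'port 21'` capture (USER and PASS).
SAMPLE_X = """\
0x0000:  4510 0041 d34b 4000 4006 6959 7f00 0001  E..A.K@.@.iY....
0x0010:  7f00 0001 80ab 0015 835c d825 8355 215d  ........./.%.U!]
0x0020:  8018 2000 fe35 0000 0101 080a 0e2e 1b37  .....5.........7
0x0030:  0e2e 0b67 5553 4552 2064 6d74 7361 690d  ...gUSER.dmtsai.
0x0040:  0a                                       .
0x0000:  4510 004a d34f 4000 4006 694c 7f00 0001  E..J.O@.@.iL....
0x0010:  7f00 0001 80ab 0015 835c d832 8355 217f  ........./.2.U!.
0x0020:  8018 2000 fe3e 0000 0101 080a 0e2e 3227  .....>........2'
0x0030:  0e2e 1b38 5041 5353 206d 7970 6173 7377  ...8PASS.mypassw
0x0040:  6f72 6469 7379 6f75 0d0a                 ordisyou..
"""

# One -X row: offset, then up to eight hex groups separated by single spaces;
# the ASCII column is set off by two spaces, so the hex run stops before it.
ROW = re.compile(r"^\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{2,4}\s)+)", re.M)
CRED_CMDS = ("USER", "PASS")   # FTP commands that carry credentials in the clear

def split_packets(dump: str) -> list[bytes]:
    """Rebuild raw packets from -X rows; every 0x0000 offset starts a new packet."""
    packets: list[bytearray] = []
    for offset, hexes in ROW.findall(dump):
        if offset == "0000" or not packets:
            packets.append(bytearray())
        packets[-1] += bytes.fromhex(hexes)   # fromhex skips the whitespace
    return [bytes(p) for p in packets]

def tcp_payload(pkt: bytes) -> tuple[int, int, bytes]:
    """Walk the IPv4 and TCP headers by their length fields; return (sport, dport, payload)."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total = int.from_bytes(pkt[2:4], "big")   # IPv4 total length
    if pkt[9] != 6:                           # IP protocol 6 = TCP
        raise ValueError("not a TCP segment")
    tcp = pkt[ihl:total]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4                 # TCP data offset, options included
    return sport, dport, tcp[doff:]

def find_plaintext_credentials(dump: str) -> list[dict]:
    """Flag control-channel segments whose payload is a USER or PASS command."""
    hits = []
    for pkt in split_packets(dump):
        sport, dport, payload = tcp_payload(pkt)
        cmd, _, arg = payload.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        if cmd in CRED_CMDS:
            hits.append({"sport": sport, "dport": dport, "command": cmd, "value": arg})
    return hits
```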
In addition, you should understand that for tcpdump to listen on a network interface, the interface is switched to "promiscuous mode" while tcpdump runs. Therefore you will see quite a few warning messages in /var/log/messages telling you that your network card has been set to promiscuous mode! Don't worry, that is normal. For many other uses, see man tcpdump!
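An added Python example (not from the original page) that audits syslog for those promiscuous-mode messages and pairs each "entered" with the following "left" per interface, so an administrator can see when, and for how long, a sniffer was running on the host; the sample log lines are constructed, and the year is an assumed parameter because classic syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/messages lines in the classic syslog layout; the
# "device ... entered/left promiscuous mode" text is the kernel's own wording.
SAMPLE_MESSAGES = """\
Jan 12 01:33:35 linux kernel: device eth0 entered promiscuous mode
Jan 12 01:33:40 linux sshd[2104]: Accepted publickey for dmtsai from 192.168.1.11 port 1190 ssh2
Jan 12 01:34:12 linux kernel: device eth0 left promiscuous mode
Jan 12 02:10:05 linux kernel: device eth1 entered promiscuous mode
"""

PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: device (?P<dev>\S+) "
    r"(?P<what>entered|left) promiscuous mode$"
)

def promiscuous_windows(log: str, year: int = 2005) -> list:
    """Return one record per promiscuous-mode window; end=None means the interface
    was still promiscuous at the end of the log, i.e. a sniffer may still be running."""
    open_since: dict = {}
    windows = []
    for line in log.splitlines():
        m = PROMISC_RE.match(line)
        if not m:
            continue                                  # unrelated syslog lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed
        dev = m["dev"]
        if m["what"] == "entered":
            open_since[dev] = ts
        elif dev in open_since:
            start = open_since.pop(dev)
            windows.append({"dev": dev, "start": start, "end": ts,
                            "seconds": int((ts - start).total_seconds())})
    for dev, start in open_since.items():             # never left promiscuous mode
        windows.append({"dev": dev, "start": start, "end": None, "seconds": None})
    return windows
```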
Exercise: how do you use tcpdump to listen (1) on the eth0 interface, (2) only for port 22, and (3) only for packets whose source is 192.168.1.100?
A:
tcpdump -i eth0 -nn 'port 22 and src host 192.168.1.100'
Ethereal
Besides tcpdump, you can also use ethereal, a handy graphical network traffic analysis tool! Ethereal comes in a text-mode version and a graphical version. The text-mode version is used much like tcpdump, but its command name is tethereal. Since the usage is almost the same, we recommend that you check man tethereal directly! Ethereal is on the CentOS CD, so take out the disc and install it! You need to install both ethereal and ethereal-gnome!
Using the graphical version is very simple. Open a terminal under X Window and run ethereal directly; the following window appears:
Figure 5. ethereal usage example
In the window above, click the button shown to bring up the interface selection dialog, as shown in the following figure:
Figure 6. ethereal usage example
Choose the interface you want to listen on. Because this is only for testing, the loopback interface lo is used here; you should select your own network interface. Then press Start and the capture statistics are displayed:
Figure 7. ethereal usage example
In this window you can see the many kinds of packets being captured. Once you have captured enough, press Stop to end the capture and enter the packet analysis window shown below.
Figure 8. ethereal usage example
The packet analysis window is divided into three panes. As shown in the figure above, the first pane lists the packets, with content similar to tcpdump's output. The second pane shows the packet headers, including the Ethernet frame, the IP header and the socket pair. The third pane is the hex and ASCII representation of the packet. With ethereal you can get all the packet content you need, and in a graphical interface, which is very convenient! By selecting different packets in the first pane, you can inspect the details of each packet!
nc, netcat
nc can be used to test certain services, because it connects to a port and lets you talk to it. It can also open a port of its own to listen for other users' connections! Very useful! If the GAPING_SECURITY_HOLE option is enabled when it is compiled, this software can even be used to obtain a bash shell on the remote host! Scary! Our CentOS build is friendlier and was not compiled with that option, so we cannot use it as a hacker tool~ but it is a great replacement for telnet! (On some systems the executable is named netcat!)
[root@linux ~]# nc [ip|host] [port]
[root@linux ~]# nc -l -p [port]
Options:
-l : listen, i.e. open a port and wait for connections
-p : the port number to listen on
Example 1: connect to port 25 on the local host and look at the related information
[root@linux ~]# nc localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 pc.dm.tsai ESMTP Postfix
EHLO localhost
250-pc.dm.tsai
250-PIPELINING
250-SIZE 40000000
250-ETRN
QUIT
221 Bye
Its simplest function is like telnet: we can query a certain service! But even more amazingly, we can build a channel between two hosts! For example, first open a port on the server side to listen:
Example 2: open a port to listen for connections from users
[root@linux ~]# nc -l -p 20000
# This opens port 20000 on the host. If you now run netstat -tlnp,
# you will see an extra port 20000 on the system listening for connections!
Then, on the client side, use nc as well to connect to the server, and type some text on the client:
[root@linux ~]# nc localhost 20000
<== you can type strings here!
Now, whatever words we type on the client appear at the same time on the server side! If you also add redirection (stdin and stdout), we can do a lot of things through this channel! Of course, nc's functions are not limited to this; you can find many other uses. Take a look at the scripts in /usr/share/doc/nc-1.10/scripts on your host, which are very helpful! Note, however, that enabling the two-way function between both ends requires an executable built with the GAPING_SECURITY_HOLE feature.