tcpdump tutorial: capture and analyze packets from the command line

Source: Internet
Author: User

Preface

Before introducing and using tcpdump, make sure you have mastered, or at least understand, the following. Otherwise the rest of this tutorial will be hard going.

  1. Working at the Linux command line.

  2. The seven-layer OSI network model.

  3. The protocol headers at each layer, IP, TCP and UDP in particular.

  4. Which OSI layers switches and routers operate at.


Note:

tcpdump is a command-line packet sniffer for UNIX-like systems. To capture frames addressed to other hosts' MAC addresses you need the network interface in promiscuous mode. Put simply, promiscuous mode makes the adapter hand every frame that reaches it to the host, whether or not the frame is addressed to it; see http://en.wikipedia.org/wiki/Promiscuous_mode for details. Unix systems normally do not let ordinary users enable promiscuous mode, because it lets a user read other people's traffic (Telnet user names and passwords, for example), so only root can turn it on. The traditional command is ifconfig eth0 promisc, where eth0 is the interface to switch. tcpdump itself puts the capture interface into promiscuous mode when it starts, unless you pass -p, so you rarely need to do this by hand. Bear in mind that on a switched network promiscuous mode only shows you what the switch forwards to your port (your own unicast traffic plus broadcast and multicast), which is exactly why attackers resort to ARP spoofing to redirect other hosts' traffic through themselves. People also ask whether promiscuous mode exists on Windows: there is no system-wide switch like ifconfig there; the capture driver enables it on behalf of the application that asks for it, for example when Wireshark is configured to capture in promiscuous mode (which is also why ARP-spoofing malware has been so rampant). tcpdump also accepts a capture filter, written in the well-known Berkeley Packet Filter (BPF) syntax.


Tcpdump Introduction

tcpdump is the premier network analysis tool for information security professionals. It is a command-line network analyzer, or, more technically, a packet sniffer. A solid grasp of this powerful tool is mandatory for anyone who wants a thorough understanding of TCP/IP. It can be thought of as the command-line version of Wireshark (only to a certain extent, since Wireshark is far more powerful and capable). Many people prefer to go straight to a higher-level analysis tool such as Wireshark, but I believe this is usually a mistake: you should first understand what Wireshark is doing underneath.

As a command-line tool tcpdump is quite powerful for network analysis: filter expressions can be passed in, and tcpdump will pick up only the matching packets and dump them.


Install tcpdump

### CentOS
# yum search tcpdump
======================== Matched: tcpdump ===============================
arpwatch.i386 : Network monitoring tools for tracking IP addresses on a network.
libpcap.i386 : A system-independent interface for user-level packet capture.
libpcap-devel.i386 : A pcap library.
tcpdump.i386 : A network traffic monitoring tool.
# yum -y install tcpdump

### Ubuntu
$ sudo apt-get install tcpdump

On Linux tcpdump depends on the libpcap library, which provides the packet capture interface and the filter compiler; the library and its documentation are maintained alongside tcpdump at tcpdump.org.


Tcpdump command line options

The options below help you get more out of tcpdump. They are easy to forget and easy to mix up, so practise them.

[Image in the original: a table of tcpdump command-line options, not reproduced here; the ones this tutorial relies on are explained in the following sections.]

First, a few options I add to almost every tcpdump command line. The first is -n: no name resolution is performed, so hosts are shown as IP addresses (use -nn to leave protocol and port numbers unresolved as well). Besides making the output unambiguous, this keeps tcpdump from stalling on reverse DNS lookups and from generating DNS traffic of its own while you are capturing. The second is -X, which prints the contents of each packet in hexadecimal and ASCII. The third is -S, which prints absolute TCP sequence numbers instead of relative ones, so that the numbers in the output match what is on the wire and what other tools show.

By default this version of tcpdump captures only the first 96 bytes of each packet (the snapshot length; the "capture size" line printed at start-up tells you what is in effect). If you want more, add -s number, where number is the number of bytes to capture. I suggest -s 0, which captures the whole of every packet. Note that tcpdump 4.0 and later default to a snapshot length of 262144 bytes, so on a current system whole packets are captured without -s.

The following are frequently used options:

[Image in the original: a table of frequently used tcpdump options, not reproduced here.]


Basic tcpdump usage

1. -n: don't convert host addresses to names. This avoids DNS lookups.

# tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:25:33.472001 IP 192.168.27.129.46255 > 192.168.27.2.53:  36340+ A? www.baidu.com. (31)

By default, tcpdump monitors all packets flowing through the first network interface (use -i to choose another). Let's look at the information tcpdump prints for each packet.

The first field, "17:25:33.472001", is the timestamp; the six digits after the seconds are microseconds.

The second field, "IP", is the packet's network-layer protocol.

The third field, "192.168.27.129.46255", is the source IP address joined to the source port with a dot.

The fourth field, "192.168.27.2.53", is the destination IP address joined to the destination port, followed by a colon and protocol-specific information about the packet (here a DNS A query for www.baidu.com with id 36340 and 31 bytes of payload).
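To make the field layout concrete, here is a small parser for these summary lines. It is an added example, not code from the original article: the sample lines are constructed (the first is the DNS query above; the rest are made-up TCP, ICMP, IPv6 and ARP lines), it assumes -n output so that a port is the digits after the last dot, and the syn_targets helper is just one thing you can do once the fields are split out.

```python
"""Parse the per-packet summary lines that `tcpdump -n` prints."""
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output: the DNS query from the text, then made-up lines.
SAMPLE = """\
17:25:33.472001 IP 192.168.27.129.46255 > 192.168.27.2.53:  36340+ A? www.baidu.com. (31)
17:25:33.480120 IP 192.168.27.2.53 > 192.168.27.129.46255:  36340 1/0/0 A 61.135.169.105 (47)
17:25:34.001000 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
17:25:34.002000 IP 10.0.0.5.51235 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
17:25:34.003000 IP 10.0.0.5.51236 > 10.0.0.9.3306: Flags [S], seq 1, win 64240, length 0
17:25:34.100000 IP 10.0.0.9 > 10.0.0.5: ICMP echo request, id 7, seq 1, length 64
17:25:34.500000 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
17:25:35.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) "  # timestamp, microseconds after the seconds
    r"(?P<proto>IP6?) "                     # only IP/IP6 lines use the "src > dst:" layout
    r"(?P<src>\S+) > (?P<dst>\S+):\s*"      # endpoints; the colon ends the destination
    r"(?P<info>.*)$"                        # protocol-specific rest of the line
)


def split_endpoint(endpoint):
    """Split tcpdump's 'address.port' into (address, port or None).

    Assumes -n output: an IPv4 address has three dots (four with a port
    appended) and an IPv6 address none (one with a port), so the dot count
    says whether a port is present. Resolved host names would break this rule.
    """
    if endpoint.count(".") in (1, 4):
        host, _, port = endpoint.rpartition(".")
        return host, int(port) if port.isdigit() else port
    return endpoint, None


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None                       # ARP, STP and other non-IP summaries
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": m["ts"], "proto": m["proto"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "info": m["info"]}


def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]


def syn_targets(packets):
    """Count (dst, dport) pairs receiving bare SYNs: many ports on one host is a scan."""
    return Counter((p["dst"], p["dport"]) for p in packets
                   if p["dport"] is not None and p["info"].startswith("Flags [S]"))


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for p in pkts:
        print(p["ts"], p["proto"], p["src"], p["sport"], "->", p["dst"], p["dport"])
    print(syn_targets(pkts).most_common())
```

Pipe live output through it with tcpdump -n -l ... (the -l makes tcpdump line-buffer its output) and replace SAMPLE with sys.stdin; the point of the regex is that everything up to the colon has a fixed shape, while everything after it depends on the protocol.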

2. -v, -vv, -vvv: verbose, more verbose, most verbose.

-S: print absolute rather than relative TCP sequence numbers.

# tcpdump -nnvvS

3. -X: print each packet (minus its link-level header) in hex and ASCII.

# tcpdump -nnvvXS

4. -s: set the snapshot length (how many bytes of each packet to capture) so that you grab the whole packet. 1514 is a full Ethernet frame; 0 means the whole packet whatever its size. Note the case: -S is sequence numbers, -s is the snapshot length.

# tcpdump -nnvvXS -s 1514
# tcpdump -nnvvXS -s0

5. -c: capture exactly the given number of packets (-c2) and then exit. Here the first two packets to arrive are a DNS query and its response.

# tcpdump -nnvvXS -s0 -c2
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:20:16.361251 IP (tos 0x0, ttl  64, id 28517, offset 0, flags [DF], proto: UDP (17), length: 59) 192.168.27.129.56183 > 192.168.27.2.53: [udp sum ok]  8002+ A? www.baidu.com. (31)
        0x0000:  4500 003b 6f65 4000 4011 1379 c0a8 1b81  E..;oe@.@..y....
        0x0010:  c0a8 1b02 db77 0035 0027 90dc 1f42 0100  .....w.5.'...B..
        0x0020:  0001 0000 0000 0000 0377 7777 0562 6169  .........www.bai
        0x0030:  6475 0363 6f6d 0000 0100 01              du.com.....
19:20:16.468176 IP (tos 0x0, ttl 128, id 182, offset 0, flags [none], proto: UDP (17), length: 118) 192.168.27.2.53 > 192.168.27.129.56183: [udp sum ok]  8002 q: A? www.baidu.com. 3/0/0 www.baidu.com. CNAME www.a.shifen.com., www.a.shifen.com. A 61.135.169.105, www.a.shifen.com. A 61.135.169.125 (90)
        0x0000:  4500 0076 00b6 0000 8011 81ed c0a8 1b02  E..v............
        0x0010:  c0a8 1b81 0035 db77 0062 48e9 1f42 8180  .....5.w.bH..B..
        0x0020:  0001 0003 0000 0000 0377 7777 0562 6169  .........www.bai
        0x0030:  6475 0363 6f6d 0000 0100 01c0 0c00 0500  du.com..........
        0x0040:  0100 0000 0500 0f03 7777 7701 6106 7368  ........www.a.sh
        0x0050:  6966 656e c016 c02b 0001 0001 0000 0005  ifen...+........
        0x0060:  0004 3d87 a969 c02b 0001 0001 0000 0005  ..=..i.+........
        0x0070:  0004 3d87 a97d                           ..=..}
2 packets captured
3 packets received by filter
0 packets dropped by kernel
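Reading the hex dump by hand is the best way to learn where tcpdump's decoded fields come from. The following is an added example, not code from the original article: it takes the two hex dumps above, re-parses the IPv4 header, the UDP header and the DNS message, recomputes the IPv4 header checksum, and follows the DNS name-compression pointers (the c00c and c02b bytes in the response). The only data it uses are the bytes printed above; the dictionary keys and function names are my own.

```python
"""Decode the bytes that `tcpdump -X` printed for the DNS query and response above."""
import ipaddress
import struct

# Hex columns copied from the tcpdump -X output in the text (offsets and ASCII column removed).
# tcpdump -X omits the link-layer header, so byte 0 is the start of the IPv4 header.
QUERY_HEX = (
    "4500 003b 6f65 4000 4011 1379 c0a8 1b81 "
    "c0a8 1b02 db77 0035 0027 90dc 1f42 0100 "
    "0001 0000 0000 0000 0377 7777 0562 6169 "
    "6475 0363 6f6d 0000 0100 01"
)
RESPONSE_HEX = (
    "4500 0076 00b6 0000 8011 81ed c0a8 1b02 "
    "c0a8 1b81 0035 db77 0062 48e9 1f42 8180 "
    "0001 0003 0000 0000 0377 7777 0562 6169 "
    "6475 0363 6f6d 0000 0100 01c0 0c00 0500 "
    "0100 0000 0500 0f03 7777 7701 6106 7368 "
    "6966 656e c016 c02b 0001 0001 0000 0005 "
    "0004 3d87 a969 c02b 0001 0001 0000 0005 "
    "0004 3d87 a97d"
)


def ip_checksum(header):
    """RFC 1071 ones'-complement sum over the header; 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt):
    """Return the IPv4 header fields that tcpdump -v prints (tos, ttl, id, flags, proto, length)."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "tos": tos, "length": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}


def parse_udp(seg):
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "length": length, "payload": seg[8:length]}


def read_name(msg, off):
    """Read a DNS name at off, following RFC 1035 compression pointers (0xC0xx)."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                # pointer: jump, but the caller resumes after it
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_dns(msg):
    """Parse header, questions and answers (A and CNAME decoded, other types left as hex)."""
    xid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                        # A record
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 5:                      # CNAME; its name may point back into the question
            value = read_name(msg, off)[0]
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": xid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "questions": questions, "answers": answers}


def decode(hex_text):
    """IPv4 -> UDP -> DNS, in the same order tcpdump dissects the packet."""
    ip = parse_ipv4(bytes.fromhex(hex_text))
    udp = parse_udp(ip["payload"])
    return ip, udp, parse_dns(udp["payload"])


if __name__ == "__main__":
    for label, hx in (("query", QUERY_HEX), ("response", RESPONSE_HEX)):
        ip, udp, dns = decode(hx)
        print(label, ip["src"], ">", ip["dst"], "ttl", ip["ttl"], "id", ip["id"],
              "DF" if ip["df"] else "none", "len", ip["length"], "csum_ok", ip["checksum_ok"])
        print("   udp", udp["sport"], ">", udp["dport"], "dns id", dns["id"],
              dns["questions"], dns["answers"])
```

Compare the printed values with tcpdump's own line: ttl 64, id 28517, flags [DF], length 59, ports 56183 > 53 and DNS id 8002 all fall straight out of the bytes, and the 3/0/0 in the response is the answer count at DNS offset 6.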


Common syntax

Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.


Expression

Select which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is 'true' will be dumped.

There are three kinds of qualifier.

Type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. If there is no type qualifier, host is assumed.

Dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. If there is no dir qualifier, src or dst is assumed.

Proto qualifiers restrict the match to a particular protocol. Possible protos are ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp, e.g. 'ip src 192.168.1.2'. Note that tcp and udp can qualify ports but not hosts, so write 'tcp src port 22' rather than 'tcp src 192.168.1.2', which is rejected. If there is no proto qualifier, all protocols consistent with the type are assumed. You can check any expression without capturing by passing it to tcpdump -d, which prints the compiled filter program, or a syntax error.

Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to combine them, and if you've studied computers at all they'll be pretty familiar to you: and (also written &&), or (||) and not (!). Parentheses group sub-expressions; because the shell treats parentheses and ! specially, quote the whole expression in single quotes. A qualifier carries over to a following bare number or name, so 'dst port 3306 or 22' means 'dst port 3306 or dst port 22'.

Examples:

### type
## host
# tcpdump host 1.2.3.4
## net
# tcpdump net 1.2.3.0/24
# tcpdump net 1.2
## port
# tcpdump port 80
## src, dst
# tcpdump src 1.2.3.4
# tcpdump dst 1.2.3.4
## proto
# tcpdump icmp
### type, dir, proto
# tcpdump 'src port 3306 and tcp'
# tcpdump 'udp and src port 53'


Writing to a file

tcpdump allows you to save what you're capturing to a file for later use with the -w option, and to read it back with the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.

Traffic captured this way is stored in pcap (tcpdump) format, which is pretty much universal in the network analysis space, so it can be read by all sorts of tools, including Wireshark, Snort and most others. Two things to remember: -w stores raw packets, not the decoded text you see on screen, so use -s 0 (or 1514 on Ethernet) when writing, or the file will hold truncated packets; and when reading back, the decoding options (-n, -v, -X) and a filter expression apply to -r exactly as they do to a live capture, so you can pre-filter a large file on a quiet machine.

## capture all port 80 traffic to a file
# tcpdump -s 1514 port 80 -w capture_file
## read captured traffic back into tcpdump
# tcpdump -r capture_file
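The file format is simple enough to write by hand, which is a good way to see what -w actually stores. The following is an added example, not code from the original article: it writes a pcap file containing the DNS query packet from the capture above, wrapped in a constructed Ethernet header with made-up MAC addresses and a made-up timestamp, then reads it back, handling both byte orders and the nanosecond variant of the magic number. The resulting file opens with tcpdump -r or Wireshark.

```python
"""Write a pcap file the way `tcpdump -w` does, and read it back."""
import os
import struct
import tempfile

PCAP_MAGIC_US = 0xA1B2C3D4     # microsecond timestamps (what tcpdump -w writes by default)
PCAP_MAGIC_NS = 0xA1B23C4D     # nanosecond variant (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1          # EN10MB, the link-type tcpdump reported for eth0 above

# Constructed Ethernet header (MAC addresses made up): dst, src, EtherType 0x0800 = IPv4.
ETH_HDR = bytes.fromhex("005056000001" "000c29aabbcc" "0800")
# The DNS query packet from the tcpdump -X capture above (IPv4 header onwards, 59 bytes).
IPV4_DNS_QUERY = bytes.fromhex(
    "4500 003b 6f65 4000 4011 1379 c0a8 1b81 c0a8 1b02 db77 0035 0027 90dc 1f42 0100 "
    "0001 0000 0000 0000 0377 7777 0562 6169 6475 0363 6f6d 0000 0100 01"
)


def write_pcap(path, packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """packets: iterable of (ts_sec, ts_usec, frame). Frames longer than snaplen are cut
    on disk exactly as `tcpdump -s` cuts them. Returns the number of records written."""
    with open(path, "wb") as f:
        # Global header: magic, version 2.4, GMT offset, timestamp accuracy, snaplen, link type.
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype))
        n = 0
        for sec, usec, frame in packets:
            saved = frame[:snaplen]
            # Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire).
            f.write(struct.pack("=IIII", sec, usec, len(saved), len(frame)) + saved)
            n += 1
    return n


def read_pcap(path):
    """Parse a pcap file of either byte order; returns the header fields and the records
    as (sec, fraction, frame, orig_len) tuples."""
    with open(path, "rb") as f:
        gh = f.read(24)
        if len(gh) < 24:
            raise ValueError("not a pcap file: too short")
        for endian in ("<", ">"):
            magic = struct.unpack(endian + "I", gh[:4])[0]
            if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
                break
        else:
            raise ValueError("not a pcap file: bad magic %s" % gh[:4].hex())
        _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", gh)
        records = []
        while True:
            rh = f.read(16)
            if not rh:
                break
            if len(rh) < 16:
                raise ValueError("truncated record header")
            sec, frac, incl, orig = struct.unpack(endian + "IIII", rh)
            frame = f.read(incl)
            if len(frame) < incl:             # capture cut off mid-packet (tcpdump killed)
                raise ValueError("truncated packet data")
            records.append((sec, frac, frame, orig))
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "nanosecond": magic == PCAP_MAGIC_NS, "records": records}


def roundtrip(path=None, snaplen=65535):
    """Write one constructed frame (with a made-up timestamp) and read the file back."""
    if path is None:
        path = os.path.join(tempfile.gettempdir(), "tcpdump_example.pcap")
    frame = ETH_HDR + IPV4_DNS_QUERY
    write_pcap(path, [(1400000000, 361251, frame)], snaplen=snaplen)
    return read_pcap(path)


if __name__ == "__main__":
    cap = roundtrip("dns_query.pcap")       # then: tcpdump -nn -r dns_query.pcap
    sec, usec, frame, orig = cap["records"][0]
    print(cap["linktype"], cap["snaplen"], sec, usec, len(frame), orig)
```

The incl_len/orig_len pair in every record is how a reader knows a packet was truncated by the snapshot length; calling roundtrip(snaplen=40) stores 40 of the 73 bytes and records both numbers, which is what tcpdump -r reports as a truncated packet.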


More examples

# tcpdump -nnvvS 'src 10.5.2.3 and dst port 100'
# tcpdump 'src 10.0.2.4 and (dst port 3306 or 22)'
## you know what this one is for
# tcpdump -i eth0 -nnvvXS -s1514 'port 22 or port 23 or port 25 or port 100' | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|pass:|user:|username:|password:|login:|pass |user ' -B20

The last command is a crude cleartext-credential sniffer: -X prints each packet's payload, egrep -i picks out lines containing the usual login keywords, and -B20 shows the 20 lines before each hit so that the packet header is (hopefully) visible. Keep in mind that only cleartext protocols (Telnet on 23, plain SMTP on 25, FTP, POP3, HTTP) can yield anything; SSH on port 22 is encrypted and will never match. Because -X prints 16 bytes per line, a string such as password=hunter2 is often split across two lines and missed, so -A (ASCII only, no hex) is usually the better choice for this kind of grep. Only do this on networks you are authorized to monitor.
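The egrep pipeline loses the link between a matching line and the packet it came from; -B20 is only a guess at how far back the header is. As an added example (not from the original article), here is the same search done in Python over tcpdump -A output, grouping lines into packets so that each hit is reported with the packet's source and destination, and also decoding HTTP Basic Authorization headers, which are merely base64. The sample input is constructed to look like tcpdump -nn -A output (an FTP login and an HTTP form POST); the flow_of helper assumes IPv4 addresses.

```python
"""Report cleartext credentials in `tcpdump -A` output together with the packet that carried them."""
import base64
import binascii
import re
import sys

HEADER_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{6} ")   # packet summary lines start with a timestamp
# The keys the egrep pipeline above looks for, as key=value or key: value (longest alternatives first).
KV_RE = re.compile(r"\b(password|passwd|passw|pass|pwd|pw|username|user|login|log)\s*[=:]\s*([^\s&]+)",
                   re.I)
CMD_RE = re.compile(r"^(USER|PASS)\s+(\S+)[ \t]*$", re.I | re.M)            # FTP/POP3-style commands
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)  # HTTP Basic is only base64

# Constructed sample of `tcpdump -nn -A` output: an FTP login, an HTTP form POST carrying a Basic
# header, and an empty ACK. Real output has the same shape: one summary line, then payload lines.
SAMPLE = """\
17:25:40.000001 IP 10.0.0.5.51000 > 10.0.0.9.21: Flags [P.], seq 1:12, ack 1, win 502, length 11
E..3..@.@.....
USER alice
17:25:40.000002 IP 10.0.0.5.51000 > 10.0.0.9.21: Flags [P.], seq 12:26, ack 20, win 502, length 14
E..6..@.@.....
PASS s3cret!
17:25:41.000003 IP 10.0.0.5.51001 > 10.0.0.9.80: Flags [P.], seq 1:183, ack 1, win 502, length 182
E.....@.@.....
POST /login HTTP/1.1
Host: intranet.example
Authorization: Basic Ym9iOmh1bnRlcjI=
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

username=bob&password=hunter2&submit=Login
17:25:42.000004 IP 10.0.0.9.80 > 10.0.0.5.51001: Flags [.], ack 183, win 509, length 0
E..(..@.@.....
"""


def packets(lines):
    """Group tcpdump output into (summary line, payload text) pairs."""
    header, body = None, []
    for line in lines:
        line = line.rstrip("\r\n")
        if HEADER_RE.match(line):
            if header is not None:
                yield header, "\n".join(body)
            header, body = line, []
        elif header is not None:
            body.append(line)
    if header is not None:
        yield header, "\n".join(body)


def flow_of(summary):
    """'17:25:40.000001 IP 10.0.0.5.51000 > 10.0.0.9.21: Flags ...' -> 'IP 10.0.0.5.51000 > 10.0.0.9.21'
    (assumes IPv4 with -nn; IPv6 summaries contain extra colons)."""
    return summary.split(" ", 1)[1].split(":", 1)[0]


def find_credentials(text):
    """Return (flow, kind, value) for every credential-looking token, in packet order."""
    hits = []
    for summary, payload in packets(text.splitlines()):
        flow = flow_of(summary)
        hits += [(flow, m.group(1).lower(), m.group(2)) for m in KV_RE.finditer(payload)]
        hits += [(flow, m.group(1).upper(), m.group(2)) for m in CMD_RE.finditer(payload)]
        for m in BASIC_RE.finditer(payload):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue                      # not valid base64; skip rather than abort the capture
            hits.append((flow, "basic", decoded))
    return hits


if __name__ == "__main__":
    # Use: tcpdump -nn -A -s0 -l 'port 21 or port 23 or port 80' | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for flow, kind, value in find_credentials(text):
        print(f"{flow}: {kind} {value}")
```

The -l on the tcpdump side matters when piping: without it tcpdump block-buffers its output and the script sees nothing until the buffer fills.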



References

http://danielmiessler.com/study/tcpdump/

http://openmaniak.com/tcpdump.php

http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/

http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html

http://blog.csdn.net/langeldep/article/details/6156818

http://roclinux.cn/?p=2474

http://www.chinaunix.net/old_jh/29/674578.html

http://blog.chinaunix.net/uid-10328574-id-2951040.html


This article is from the "share your knowledge" blog on 51CTO; please keep this source: http://skypegnu1.blog.51cto.com/8991766/1539930
