Capturing packets with tcpdump on Linux is very convenient, but once the packets have been captured it is easier to extract and analyze them by pulling the capture into Wireshark and filtering there.
First, an introduction to using tcpdump.
Example: tcpdump host 172.16.29.40 and port 4600 -X -s 500
tcpdump is a command-line tool. Its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
        [-i interface] [-r file] [-s snaplen]
        [-T type] [-w file] [expression]
1. Introduction to tcpdump options
-a    convert network and broadcast addresses into names;
-d    dump the code of the matching packets in a human-readable compiled form;
-dd   dump the code of the matching packets as a C program fragment;
-ddd  dump the code of the matching packets in decimal form;
-e    print the data-link-layer header on each output line;
-f    print foreign (non-local) Internet addresses numerically;
-l    make standard output line-buffered;
-n    do not convert network addresses into names;
-t    do not print a timestamp on each output line;
-v    output slightly more detailed information, such as the TTL and type-of-service fields carried in an IP packet;
-vv   output even more detailed packet information;
-c    stop after receiving the specified number of packets;
-F    read the filter expression from the specified file, ignoring any other expression;
-i    specify the network interface to listen on;
-r    read packets from the specified file (usually one produced with the -w option);
-w    write the packets directly to a file without parsing or printing them;
-T    interpret the captured packets directly as the specified type of message; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).
2. Introduction to tcpdump expressions
An expression is a regular expression that tcpdump uses as the condition for filtering packets: a packet is captured only if it satisfies the condition in the expression. If no condition is given, all packets on the network are intercepted.

There are generally several kinds of keywords in an expression. The first kind describes the type, mainly host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says that the port number is 23. If no type is specified, the default type is host.

The second kind determines the direction of transmission, mainly src, dst, dst or src, and dst and src. For example, src 210.27.48.2 says that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 says that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind is the protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi selects a particular network protocol on FDDI (Fiber Distributed Data Interface); it is in fact an alias of ether, because FDDI and Ethernet frames carry similar source and destination addresses, so FDDI packets can be treated and analyzed like Ethernet packets. The other keywords name the protocol that a captured packet must carry. If no protocol is specified, tcpdump listens for packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.

These keywords can be combined into powerful compound conditions that meet most needs. A few examples illustrate this:
(1) To intercept all packets received and sent by host 210.27.48.1:
#tcpdump host 210.27.48.1
(2) To intercept the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command (when using parentheses on the command line, be sure to
#tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)
(3) To get the IP packets that host 210.27.48.1 exchanges with every host except 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To get the telnet packets received or sent by host 210.27.48.1, use the following command:
#tcpdump tcp port 23 and host 210.27.48.1
3. Introduction to tcpdump output
Below we describe the output of several typical tcpdump commands.
(1) Data-link-layer header information
Use the command #tcpdump -e host ice
ice is a Linux host whose MAC address is 0:90:27:58:af:1a; h219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46.
The output of the command is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the displayed time and 847509 is the ID number. eth0 < means the packet was received on network interface eth0, while eth0 > would mean it was sent out of that interface. 8:0:20:79:5b:46 is the MAC address of host h219, so the packet was sent from source h219; 0:90:27:58:af:1a is the MAC address of host ice, so the destination of the packet is ice. ip indicates that this is an IP packet and 60 is the packet length. h219.33357 > ice.telnet means the packet goes from port 33357 of host h219 to the telnet port (23) of host ice. ack 22535 is a response to the packet with sequence number 22535, and win 8760 means the send window size is 8760.
(2) tcpdump output for ARP packets
Use the command #tcpdump arp
The resulting output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42 is the timestamp and 802509 is the ID number. eth0 > indicates that the packet was sent out from this host, and arp indicates an ARP request packet. who-has route tell ice means that host ice is asking for the MAC address of host route, and 0:90:27:58:af:1a is the MAC address of host ice.
(3) Output for TCP packets
The general form of the output for a TCP packet captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst: means from the source address to the destination address. flags are the flag bits of the TCP packet: S is SYN, F is FIN, P is PUSH, R is RST, and "." means no flag is set. data-seqno is the sequence number of the data in the packet; ack is the next sequence number expected; window is the size of the receive buffer window; urgent indicates whether the packet carries an urgent pointer; options are the TCP options.
(4) Output for UDP packets
The general form of the output for a UDP packet captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple: the line above says that a UDP packet was sent from port port1 of host route to port port2 of host ice, the type is udp, and the packet length is length.
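The line formats in section 3 are easier to work with once they are split into fields. The following is an added example, not code from the original article or from tcpdump itself: a small Python parser for these old-style output lines. The regexes, the Record class and the syn_without_ack helper are this example's own names, and the sample lines are constructed to follow the article's formats (the article's hosts and MAC addresses, with the flag field written explicitly, plus two made-up TCP and UDP lines). It goes a little beyond the article by handling the -e link-layer prefix, ARP, TCP and UDP lines in one pass.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Timestamp, interface and direction, then the optional "-e" link-layer prefix
# (src MAC, dst MAC, ether type, frame length) and the protocol-specific rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) (?P<dir>[<>]) "
    r"(?:(?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) (?P<etype>[a-z]+) (?P<elen>\d+): )?"
    r"(?P<rest>.*)$"
)
# src > dst: flags data-seqno ack window urgent options   (the colon is optional)
TCP_RE = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+):?"
    r"(?: (?P<flags>[SFPR.]+))?"
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<dlen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: urg (?P<urg>\d+))?"
    r"(?: (?P<opts>.+))?$"
)
# route.port1 > ice.port2: udp length
UDP_RE = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): udp (?P<len>\d+)$"
)
# arp who-has X tell Y (mac)   /   arp reply X is-at MAC (mac)
ARP_RE = re.compile(
    r"^arp (?P<op>who-has|reply) (?P<host>\S+) (?:tell|is-at) (?P<arg>\S+)"
    r"(?: \((?P<mac>[0-9a-f:]+)\))?$"
)


@dataclass
class Record:
    ts: str
    iface: str
    direction: str               # "<" received on iface, ">" sent out of it
    proto: str                   # "tcp", "udp", "arp" or "other"
    src: Optional[str] = None    # host part of the endpoint, without the port
    dst: Optional[str] = None
    fields: Dict[str, object] = field(default_factory=dict)


def _int_or_none(v: Optional[str]) -> Optional[int]:
    return int(v) if v is not None else None


def parse_line(line: str) -> Optional[Record]:
    """Parse one tcpdump text line; None if it is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = Record(ts=m["ts"], iface=m["iface"], direction=m["dir"], proto="other")
    if m["smac"]:  # link-layer prefix printed by -e
        rec.fields.update(smac=m["smac"], dmac=m["dmac"], etype=m["etype"], elen=int(m["elen"]))
    rest = m["rest"]
    a, u, t = ARP_RE.match(rest), UDP_RE.match(rest), TCP_RE.match(rest)
    if a:
        rec.proto = "arp"
        rec.fields.update(op=a["op"], host=a["host"], arg=a["arg"], sender_mac=a["mac"])
    elif u:  # test udp before tcp: TCP_RE would accept "udp 37" as the options field
        rec.proto, rec.src, rec.dst = "udp", u["src"], u["dst"]
        rec.fields.update(sport=u["sport"], dport=u["dport"], len=int(u["len"]))
    elif t:
        rec.proto, rec.src, rec.dst = "tcp", t["src"], t["dst"]
        rec.fields.update(
            sport=t["sport"], dport=t["dport"], flags=t["flags"] or ".",  # "." = no flags
            seq=_int_or_none(t["seq_lo"]), dlen=_int_or_none(t["dlen"]),
            ack=_int_or_none(t["ack"]), win=_int_or_none(t["win"]),
            urg=_int_or_none(t["urg"]), opts=t["opts"],
        )
    return rec


def syn_without_ack(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Initial SYNs (flag S, no ack): each one is a new connection attempt, the
    first thing a defender tallies per source host when looking for scanning."""
    return [(r.src, r.dst, r.fields["dport"]) for r in records
            if r.proto == "tcp" and "S" in r.fields["flags"] and r.fields["ack"] is None]


# Constructed sample input in the article's formats (last two lines are made up here).
SAMPLE_LINES = [
    "21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: "
    "h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
    "22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)",
    "22:40:01.123456 eth0 < 10.0.0.5.40212 > 10.0.0.9.22: S 1000:1000(0) win 65535",
    "22:40:02.000001 eth0 > route.1024 > ice.53: udp 37",
]


def parse_all(lines: List[str] = SAMPLE_LINES) -> List[Record]:
    return [r for r in map(parse_line, lines) if r is not None]


if __name__ == "__main__":
    for r in parse_all():
        print(r.ts, r.proto, r.src, "->", r.dst, r.fields)
    print("new connection attempts:", syn_without_ack(parse_all()))
```

The parser is deliberately strict about the line shape: anything it does not recognise comes back as None rather than a half-filled record, so a log that contains newer-format lines fails loudly instead of silently skewing the counts.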
To let Wireshark analyze packets captured by tcpdump, the key is the -s parameter together with saving the capture to a file with -w, as in the following examples:
./tcpdump -i eth0 -s 0 -w successc2server.pcap host 192.168.1.20    capture every packet of the host and let Wireshark do the filtering
./tcpdump -i eth0 'dst host 239.33.24.212' -w raw.pcap    filter while capturing
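The -s parameter matters because tcpdump keeps only the first snaplen bytes of each frame; whatever is cut off never reaches the file, and Wireshark cannot reconstruct it later. As an added example that is not part of the original article and uses only the standard pcap file layout, the Python below builds a capture at two snapshot lengths and walks its records to report every frame whose saved length is shorter than its length on the wire. The function names, the constructed frames and the 68-byte figure (the default of old tcpdump versions) are this example's assumptions.

```python
import struct
from typing import List, Tuple

# Classic pcap file layout (little-endian, microsecond timestamps) as written by tcpdump -w.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, saved length, length on the wire
LINKTYPE_ETHERNET = 1


def build_pcap(snaplen: int, frames: List[bytes]) -> bytes:
    """Constructed capture: what a -w file looks like when every frame is cut to
    `snaplen` bytes. tcpdump -s 0 means 'no limit'; model it by passing a snaplen
    at least as large as the longest frame."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        out += REC_HDR.pack(1_700_000_000 + i, 0, len(saved), len(frame))
        out += saved
    return bytes(out)


def capture_snaplen(capture: bytes) -> int:
    """The snapshot length recorded in the global header."""
    return GLOBAL_HDR.unpack_from(capture, 0)[5]


def truncated_records(capture: bytes) -> List[Tuple[int, int, int]]:
    """Walk the records and return (index, saved_len, wire_len) for every frame
    whose saved length is shorter than its length on the wire. Raises ValueError
    on a file that is not pcap or that ends in the middle of a record."""
    if len(capture) < GLOBAL_HDR.size:
        raise ValueError("file shorter than the pcap global header")
    magic = GLOBAL_HDR.unpack_from(capture, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file (magic %#x)" % magic)
    off, idx, short = GLOBAL_HDR.size, 0, []
    while off + REC_HDR.size <= len(capture):
        _, _, saved_len, wire_len = REC_HDR.unpack_from(capture, off)
        off += REC_HDR.size
        if off + saved_len > len(capture):
            raise ValueError(f"record {idx} claims {saved_len} bytes but the file ends early")
        if saved_len < wire_len:
            short.append((idx, saved_len, wire_len))
        off += saved_len
        idx += 1
    return short


# Constructed frames: one full-size Ethernet frame and one minimum-size frame.
FRAMES = [b"\xaa" * 1514, b"\xbb" * 60]


def demo() -> Tuple[List[Tuple[int, int, int]], List[Tuple[int, int, int]]]:
    old_default = build_pcap(68, FRAMES)   # 68-byte default of old tcpdump versions
    full = build_pcap(65535, FRAMES)       # the effect of -s 0: whole frames
    return truncated_records(old_default), truncated_records(full)


if __name__ == "__main__":
    cut, whole = demo()
    print("snaplen 68, truncated frames:", cut)
    print("snaplen 0, truncated frames:", whole)
```

Run against a real -w file, truncated_records tells you before any analysis whether the payloads you want to follow in Wireshark are actually in the file; a capture taken without -s 0 will typically report most full-size frames as cut short.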
Wireshark display filters need little explanation; they are very simple, for example:
tcp.port eq 5541
ip.addr eq 192.168.2.1
After filtering, use Follow TCP Stream to view the contents of the packets.
Capture with tcpdump, analyze with Wireshark