Tcpdump packet capture tool

Source: Internet
Author: User
Tags: ack

One: tcpdump introduction

tcpdump captures the packets passing through a network interface and decodes them for analysis. By default it keeps only the first part of each packet (the "capture size" printed at start-up, 65535 bytes in the runs shown below), which is enough for the headers and normally for the payload as well. It can filter by protocol, host, network or port, and the filter primitives combine with and, or and not, so uninteresting traffic never reaches the output. tcpdump is free software: its source is available and it is built on the libpcap capture interface, which makes it easy to extend and to integrate into other tools, and equally useful to network administrators and to intruders. It is part of the FreeBSD base system and is packaged for every Linux distribution. Because it has to put the interface into promiscuous mode, an ordinary user cannot run it; root (or, on Linux, a user granted CAP_NET_RAW and CAP_NET_ADMIN) can run it directly and see whatever the interface receives. The presence of such a tool on a host is therefore not a threat to that host itself, but to the other machines whose traffic can be observed from it: on a shared medium or a mirrored switch port that is every packet on the segment, and even on an ordinary switched network it is still the host's own conversations plus broadcast and multicast, which is enough to pick cleartext credentials out of protocols such as HTTP, FTP or Telnet.

Two: daily use

1. Parameter introduction

    • -i specifies the network interface to listen on
    • -c stops after the given number of packets has been captured
    • -w writes the raw captured packets to a file instead of printing them (pcap format, readable later with -r or with Wireshark)
    • -a (obsolete; not present in current tcpdump) converted network and broadcast addresses to names. In current versions the upper-case -A prints each packet in ASCII, which is what you want when looking for cleartext payloads
    • -d dumps the compiled packet-matching (BPF) code in human-readable form and exits; useful for checking that a filter expression means what you think it means
    • -dd dumps the matching code as a C program fragment
    • -ddd dumps the matching code as decimal numbers
    • -e prints the link-layer header (MAC addresses) on each output line
    • -f prints "foreign" (non-local) IPv4 addresses numerically rather than as names
    • -l makes standard output line-buffered, so the output can be piped to another program or to tee while you watch it
    • -n does not convert addresses (hosts, ports) to names; this avoids reverse DNS lookups, which are slow and themselves generate traffic on the network you are observing
    • -t does not print a timestamp on each output line
    • -v slightly more verbose output, for example the TTL, identification, total length and options of IP packets; also enables extra integrity checks such as verifying IP and ICMP header checksums
    • -vv even more verbose output
    • -F reads the filter expression from the given file, ignoring any expression given on the command line
    • -r reads packets from the given file (normally one produced with -w) instead of from an interface
    • -T forces the packets selected by the expression to be interpreted as the given type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol)
2. Introduction to Expressions

The expression is the filter tcpdump applies to each packet, written in pcap-filter (BPF) syntax; it is not a regular expression. A packet is captured only if it satisfies the expression. An empty expression captures every packet the interface sees.

Expression types:

    1. Type qualifiers (what the value refers to)
      • host 192.168.30.10   a single host. host is the default type: a bare "192.168.30.10" means "host 192.168.30.10"
      • net 192.168.30.0/24  a network segment (the same thing can be written net 192.168.30.0 mask 255.255.255.0)
      • port 80              a port number (a service name such as http also works)
    2. Direction qualifiers (which side of the packet the value applies to)
      • src 192.168.30.10    the source address of the packet
      • dst 192.168.30.20    the destination address of the packet
      • dst 192.168.30.20 or src 192.168.30.20   matches when either holds. This is also what a primitive with no direction means, since "src or dst" is the default direction; it is the same as host 192.168.30.20
      • dst 192.168.30.20 and src 192.168.30.20  both must hold
    3. Protocol qualifiers
      • fddi   FDDI (Fiber Distributed Data Interface) network traffic
      • ip
      • arp
      • rarp
      • tcp
      • udp
    4. Other, less commonly used keywords: gateway, broadcast, less, greater. Three logic operators combine the primitives: negation is not (or !), conjunction is and (or &&), disjunction is or (or ||). These can be nested with parentheses to build whatever condition is needed. Because !, &&, || and parentheses are also shell metacharacters, quote the whole expression when typing it at a shell prompt, for example 'tcp port 443 and not host 192.168.30.10'.
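To make the qualifier rules concrete, here is an added example that is not part of the original article and does not use libpcap: a small Python stand-in for pcap-filter matching. The host, net, port and proto functions are my own combinators that apply the same rules tcpdump does (no direction means "src or dst", net uses CIDR matching, a protocol qualifier restricts port to that protocol), and the Packet records are constructed sample traffic, not a real capture.

```python
# Added example, not from the original article: a tiny stand-in for tcpdump's
# pcap-filter matching, used to show how the type (host/net/port), direction
# (src/dst) and protocol qualifiers combine. It does not use libpcap; the
# Packet records below are constructed and are not a real capture.
import ipaddress
from collections import namedtuple

# One record per packet: the fields tcpdump prints on each output line.
Packet = namedtuple("Packet", "proto src sport dst dport")


def host(addr, direction=None):
    """'host A'. With no direction qualifier tcpdump assumes 'src or dst'."""
    def match(p):
        if direction == "src":
            return p.src == addr
        if direction == "dst":
            return p.dst == addr
        return addr in (p.src, p.dst)
    return match


def net(cidr, direction=None):
    """'net 192.168.30.0/24' (same as 'net 192.168.30.0 mask 255.255.255.0')."""
    network = ipaddress.ip_network(cidr, strict=False)

    def in_net(a):
        return ipaddress.ip_address(a) in network

    def match(p):
        if direction == "src":
            return in_net(p.src)
        if direction == "dst":
            return in_net(p.dst)
        return in_net(p.src) or in_net(p.dst)
    return match


def port(number, direction=None, proto=None):
    """'port 443', 'tcp port 443', 'src port 50838', 'dst port 6379'."""
    def match(p):
        if proto is not None and p.proto != proto:
            return False
        if direction == "src":
            return p.sport == number
        if direction == "dst":
            return p.dport == number
        return number in (p.sport, p.dport)
    return match


def proto(name):
    """Bare protocol qualifier such as 'tcp', 'udp', 'arp'."""
    return lambda p: p.proto == name


# The three logic operators: and (&&), or (||), not (!).
def and_(*preds):
    return lambda p: all(f(p) for f in preds)


def or_(*preds):
    return lambda p: any(f(p) for f in preds)


def not_(pred):
    return lambda p: not pred(p)


def select(filt, packets):
    """Return the packets that satisfy the filter, i.e. what tcpdump would print."""
    return [p for p in packets if filt(p)]


# Constructed sample traffic (addresses borrowed from the article's examples).
SAMPLE = [
    Packet("tcp", "180.168.69.242", 50838, "172.20.10.17", 443),
    Packet("tcp", "172.20.10.17", 443, "180.168.69.242", 50838),
    Packet("tcp", "172.20.10.17", 46871, "172.20.10.18", 6379),
    Packet("udp", "192.168.30.10", 53412, "8.8.8.8", 53),
    Packet("tcp", "192.168.30.10", 40000, "192.168.30.20", 22),
]

# The article's filter expressions, written with the combinators above.
FILTERS = {
    "host 172.20.10.17": host("172.20.10.17"),
    "src host 172.20.10.17": host("172.20.10.17", "src"),
    "net 192.168.30.0/24": net("192.168.30.0/24"),
    "src 180.168.69.242 and tcp port 443": and_(host("180.168.69.242", "src"),
                                                 port(443, proto="tcp")),
    "port 6379": port(6379),
    "not tcp": not_(proto("tcp")),
    "port 22 or port 53": or_(port(22), port(53)),
}


def count_matches(expression):
    """How many SAMPLE packets the named filter selects."""
    return len(select(FILTERS[expression], SAMPLE))


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:40s} -> {count_matches(expr)} packet(s)")
```

The point to take from it: "host 172.20.10.17" selects three packets because both directions count, while "src host 172.20.10.17" selects only the two the host sent. When a real filter surprises you, tcpdump -d prints the compiled BPF program so you can check which primitives it actually contains.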
Three: daily use examples
  1. Capture all packets on the current host: run tcpdump with no arguments. It picks a default interface, prints every packet to the terminal and keeps going until you stop it with Ctrl-C.

  2. Capture 100 packets and store them in a file. The file written by -w is raw pcap, not text: viewing it with cat or less shows binary noise, so read it back with tcpdump -r (item 3) or open it in Wireshark.

    # tcpdump -c 100 -w tcpdump.out
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    100 packets captured          # after 100 packets it stops by itself
    100 packets received by filter
    0 packets dropped by kernel
  3. Read back a file written with -w using -r. The names in the output below (mweb07, https) come from reverse DNS and /etc/services lookups; add -n to see raw addresses and port numbers and to avoid the lookups altogether.

    # tcpdump -r 443_tcpdump.out
    reading from file 443_tcpdump.out, link-type EN10MB (Ethernet)
    10:22:49.771433 IP 180.168.69.242.50838 > mweb07.https: Flags [.], seq 1094068907:1094068908, ack 4179967795, win 16537, length 1
    10:22:49.771447 IP mweb07.https > 180.168.69.242.50838: Flags [R], seq 4179967795, win 0, length 0
    10:22:51.525702 IP 180.168.69.242.50836 > mweb07.https: Flags [F.], seq 932060733, ack 2342938202, win 16344, length 0
  4. Capture 100 packets to or from TCP port 443 and write them to a file. The "received by filter" counter can be slightly higher than "captured" because packets kept arriving while tcpdump was shutting down after the 100th; the number to watch is "dropped by kernel", which, if non-zero, means the capture is incomplete.

    # tcpdump -i bond0 -c 100 -w 443_tcpdump.out tcp port 443
    tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
    100 packets captured
    102 packets received by filter
    0 packets dropped by kernel
  5. Capture three packets whose source address is 180.168.69.242 and whose TCP port (either side) is 443. "src 180.168.69.242" is short for "src host 180.168.69.242", host being the default type.

    # tcpdump -i bond0 -c 3 -w 443_tcpdump.out src 180.168.69.242 and tcp port 443
    tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
  6. Capture the packets exchanged with a specified host. Note that host matches both directions, so the output shows traffic sent to and received from 172.20.10.17.

    # capture packets to or from the specified host
    # tcpdump -i bond0 -c 10 host 172.20.10.17
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10:28:40.375233 IP mweb07.34822 > mweb08.vrace: Flags [P.], seq 2258399624:2258400017, ack 3133621198, win 18960, options [nop,nop,TS val 941802562 ecr 941809211], length 393
    10:28:40.375935 IP mweb08.vrace > mweb07.34822: Flags [.], seq 1:4345, ack 393, win 2841, options [nop,nop,TS val 941811328 ecr 941802562], length 4344
    10:28:40.375945 IP mweb07.34822 > mweb08.vrace: Flags [.], ack 4345, win 18960, options [nop,nop,TS val 941802563 ecr 941811328], length 0
    10:28:40.375957 IP mweb08.vrace > mweb07.34822: Flags [.], seq 4345:7241, ack 393, win 2841, options [nop,nop,TS val 941811328 ecr 941802562], length 2896
    10:28:40.375960 IP mweb07.34822 > mweb08.vrace: Flags [.], ack 7241, win 18960, options [nop,nop,TS val 941802563 ecr 941811328], length 0
    10:28:40.376008 IP mweb08.vrace > mweb07.34822: Flags [.], seq 7241:10137, ack 393, win 2841, options [nop,nop,TS val 941811328 ecr 941802562], length 2896
    10:28:40.376012 IP mweb07.34822 > mweb08.vrace: Flags [.], ack 10137, win 18960, options [nop,nop,TS val 941802563 ecr 941811328], length 0
    10:28:40.376015 IP mweb08.vrace > mweb07.34822: Flags [P.], seq 10137:10298, ack 393, win 2841, options [nop,nop,TS val 941811328 ecr 941802562], length 161
    10:28:40.376017 IP mweb07.34822 > mweb08.vrace: Flags [.], ack 10298, win 18960, options [nop,nop,TS val 941802563 ecr 941811328], length 0
    10:28:40.397701 IP mweb07.46871 > mweb08.6379: Flags [P.], seq 2597564002:2597564092, ack 617045751, win 1260, options [nop,nop,TS val 941802584 ecr 941811100], length 90
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
    # As you can see, if the two hosts are not talking to each other there is nothing to capture:
    # tcpdump -i bond0 -c 10 host 172.20.10.10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes

Four: everyday scenarios
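As an everyday post-processing scenario, here is an added example that is not part of the original article: a small Python parser for the per-packet lines tcpdump prints (the format seen in items 3 and 6 above), which turns them into records, totals payload bytes per flow and lists the segments carrying RST. The regular expression, the helper names and the flow-summary logic are my own; the sample input is made of lines copied from the article's items 3 and 6 plus the surrounding header and trailer lines, so it runs offline with no capture file.

```python
# Added example, not from the original article: parse the per-packet lines
# that tcpdump prints (format seen in the -r and host examples above) into
# records, then summarise flows and pick out TCP resets.
import re
from collections import defaultdict

# One tcpdump text line:
#   <ts> IP <src>.<sport> > <dst>.<dport>: Flags [..], seq, ack, win, options, length
# Hosts may be names or dotted IPs, so the port is the last dot-separated field.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[^\s.]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^\s.]+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)$"
)

# tcpdump's one-character flag codes; '.' stands for ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}


def decode_flags(flags):
    """tcpdump's compact flag string ('P.', 'F.', 'R') -> list of TCP flag names."""
    return [FLAG_NAMES.get(c, c) for c in flags]


def parse_line(line):
    """Return a dict for a TCP packet line, or None for header/trailer lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    rec["flags"] = decode_flags(rec["flags"])
    return rec


def parse(text):
    """All packet records in a block of tcpdump output; non-packet lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def bytes_by_flow(records):
    """Payload bytes per unidirectional 4-tuple (src, sport, dst, dport)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["sport"], r["dst"], r["dport"])] += r["length"]
    return dict(totals)


def resets(records):
    """(timestamp, sender, receiver) of every segment carrying RST."""
    return [(r["ts"], r["src"], r["dst"]) for r in records if "RST" in r["flags"]]


# Sample input: lines copied from the article's items 3 and 6, with a header
# and trailer line to show that the parser ignores them.
SAMPLE = """\
reading from file 443_tcpdump.out, link-type EN10MB (Ethernet)
10:22:49.771433 IP 180.168.69.242.50838 > mweb07.https: Flags [.], seq 1094068907:1094068908, ack 4179967795, win 16537, length 1
10:22:49.771447 IP mweb07.https > 180.168.69.242.50838: Flags [R], seq 4179967795, win 0, length 0
10:22:51.525702 IP 180.168.69.242.50836 > mweb07.https: Flags [F.], seq 932060733, ack 2342938202, win 16344, length 0
10:28:40.375233 IP mweb07.34822 > mweb08.vrace: Flags [P.], seq 2258399624:2258400017, ack 3133621198, win 18960, options [nop,nop,TS val 941802562 ecr 941809211], length 393
10:28:40.375935 IP mweb08.vrace > mweb07.34822: Flags [.], seq 1:4345, ack 393, win 2841, options [nop,nop,TS val 941811328 ecr 941802562], length 4344
10:28:40.397701 IP mweb07.46871 > mweb08.6379: Flags [P.], seq 2597564002:2597564092, ack 617045751, win 1260, options [nop,nop,TS val 941802584 ecr 941811100], length 90
6 packets captured
"""

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for flow, n in sorted(bytes_by_flow(recs).items(), key=lambda kv: -kv[1]):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {n} bytes")
    for ts, a, b in resets(recs):
        print(f"{ts} RST from {a} to {b}")
```

Run tcpdump with -n before feeding output to something like this; with names resolved, as in the article's captures, the same host can appear under different labels depending on whether the lookup succeeded, and the port field may be a service name rather than a number.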

