Actually, for the tcpdump program, you can even say that this program is actually a customer experience, because not only can he analyze the packet flow direction, but the internal content of the packet can also be "audible". If the information you use is clear, on the router, it may have been heard by others! Awesome! So, let's get to know this experience! (Authorization: This tcpdump must use the root identity to upload rows)
[[email protected] ~]# tcpdump [-nn] [-i 介面] [-w 儲存檔名] [-c 次數] [-Ae] [-qX] [-r 檔案] [所欲擷取的資料內容]参數:-nn:直接以 IP 及 port number 顯示,而非主機名與服務名稱-i :後面接要『監聽』的網路介面,比如 eth0, lo, ppp0 等等的介面;-w :假设你要將監聽所得的封包資料儲存下來,用這個参數就對了!後面接檔名-c :監聽的封包數,假设沒有這個参數, tcpdump 會持續不斷的監聽, 直到使用者輸入 [ctrl]-c 為止。-A :封包的內容以 ASCII 顯示,通经常使用來捉取 WWW 的網頁封包資料。-e :使用資料連接層 (OSI 第二層) 的 MAC 封包資料來顯示;-q :僅列出較為簡短的封包資訊,每一行的內容比较精簡-X :能够列出十六進位 (hex) 以及 ASCII 的封包內容,對於監聽封包內容非常实用-r :從後面接的檔案將封包資料讀出來。那個『檔案』是已經存在的檔案, 並且這個『檔案』是由 -w 所製作出來的。所欲擷取的資料內容:我們能够專門針對某些通訊協定或者是 IP 來源進行封包擷取, 那就能够簡化輸出的結果,並取得最实用的資訊。常見的表示方法有: ‘host foo‘, ‘host 127.0.0.1‘ :針對單部主機來進行封包擷取 ‘net 192.168‘ :針對某個網域來進行封包的擷取; ‘src host 127.0.0.1‘ ‘dst net 192.168‘:同時加上來源(src)或目標(dst)限制 ‘tcp port 21‘:還能够針對通訊協定偵测,如 tcp, udp, arp, ether 等 還能够利用 and 與 or 來進行封包資料的整合顯示呢!範例一:以 IP 與 port number 捉下 eth0 這個網路卡上的封包,持續 3 秒[[email protected] ~]# tcpdump -i eth0 -nntcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 964801:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648<==按下 [ctrl]-c 之後結束6680 packets captured <==捉下來的封包數量14250 packets received by filter <==由過濾所得的總封包數量7512 packets dropped by kernel <==被核心所丟棄的封包 |
Assume that you are reading the man page of tcpdump for the first time. It must be one head and two heads, because tcpdump is basically the table header of the analysis package, the user assumes that there is no easy-to-use web packet baseline! Therefore, at least you have to go back to the network base to understand the table information of the TCP packet! ^_^! As for the outgoing example produced by that example, we can divide the region into several digits, let's explain the following using the special characters in Example 1:
- 01:33:40. 41: this is the time when the packet is taken, the unit of "time: minute: Second;
- IP Address: The passthrough traffic must be IP address;
- 192.168.1.100.22>: the sender is the IP address 192.168.1.100, and the sender's port number is 22. You must understand that, greater than (>) the delimiter refers to the direction of the packet!
- 192.168.1.11.1190: the IP address of the acceptor is 192.168.1.11, and the master machine opens port 1190 to receive the IP address;
- P :232 (116): this package carries the push information standards, and the overall data is 116 ~ 232 bytes, so this package carries 116 bytes of data;
- Ack 1 win 9648: the relationship between ack and window size.
The simplest way to say is that the packets are sent from 192.168.1.100 bytes to 192.168.1.11, And the passthrough ports are 22 to 1190, with 116 bytes of data, the push flag is used, rather than the SYN-based primary dynamic token. Haha! It's not easy to understand! Therefore, the top part of the TCP table header is required!
Again, on a very busy master machine, when you want to obtain the packet information that a master machine blocks to you, tcpdump can also be used in combination with the render command and regular expression. However, it is hard to catch the hacker! We can easily retrieve the required information through the tcpdump notation. In the preceding example, we listened to eth0, so the information on the entire eth0 interface will be displayed on the screen, poor analysis! So can we implement regionalization? For example, if you just retrieve the zookeeper packet of port 21, you can do this:
[[Email protected] ~] #Tcpdump-I eth0-nn port 21Tcpdump: verbose output suppressed, use-V or-VV for full protocol decodelistening on eth0, link-type en10mb (Ethernet), capture size 96 bytes01: 54: 37.96 IP 192.168.1.11.1240> 192.168.1.100.21 :. ack 1 win 6553501: 54: 37.96 IP 192.168.1.100.21> 192.168.1.11.1240: p 21 (20) ack 1 win 584001: 54: 38.12 IP 192.168.1.11.1240> 192.168.1.100.21 :. ack 21 win 6551501: 54: 42.79 IP 192.168.1.11.1240> 192.168.1.100.21: P (16) ack 21 win 6551501: 54: 42.79 IP 192.168.1.100.21> 192.168.1.11.1240 :. ack 17 Win 584001: 54: 42.79 IP 192.168.1.100.21> 192.168.1.11.1240: P (34) ack 17 Win 5840 |
Look! In this case, I just proposed port 21 information, and when I read it, you will find that the packets are always directed, the client sends a "request" and the server returns the response! We can also understand the packet operation process through the flow of this package. For example:
- We first listened to "tcpdump-I lo-nn" in a terminal window,
- Another terminal window is opened to log on to the Local Machine (127.0.0.1) to "ssh localhost 』
So what is the final result?
[[email protected] ~] # tcpdump-I lo-nn 1 tcpdump: verbose output suppressed, use-V or-VV for full protocol decode 2 listening on lo, link-type en10mb (Ethernet), capture size 96 bytes 3 11:02:54. 253777 IP 127.0.0.1.32936> 127.0.0.1.22: s 933696132: 933696132 (0) Win 32767
4 11:02:54. 253831 IP 127.0.0.1.22> 127.0.0.1.32936: s 920046702: 920046702 (0) ack 933696133 win 32767
5 11:02:54. 253871 IP 127.0.0.1.32936> 127.0.0.1.22 :. ack 1 win 8192
6 11:02:54. 272124 IP 127.0.0.1.22> 127.0.0.1.32936: P 11:02:54 (22) ack 1 win 8192
7. 272375 IP 127.0.0.1.32936> 127.0.0.1.22 :. ack 23 win 8192
|
The first two rows shown in the table above are the basic descriptions of tcpdump, and then:
- The second line shows the "packets with SYN active zookeeper on the client side 』,
- The second line shows the "back-to-server side, in addition to the response client side (ACK), but also the mark of the SYN master dynamic listener;
- Line 3 shows that the client responds to the server and determines whether the primary node is established (ACK)
- The next step of Row 3 begins to import data.
From the 3rd-5 steps, are you familiar with it? No! That's the three-way handshake process! Fun! However, the reason why tcpdump is regarded as a feature that can not only be introduced in the guest community! The features described above can be used to analyze the packet forwarding and packet forwarding processes of our host. This will help us understand the operation of packets, at the same time, I learned whether there is a need for repair in the fire control setting rules of the host.
More amazing use is coming! Let's assume that we use tcpdump to listen to the "plaintext" Information on the router. For example, what problems do you think will happen to the FTP? We will first download "tcpdump-I lo port 21-nn-X" on the master terminal, then log on to the host using FTP, and then upload the hosts and passwords, as a result, you can find the following example:
[[email protected] ~]# tcpdump -i lo -nn -X ‘port 21‘ 0x0000: 4500 0048 2a28 4000 4006 1286 7f00 0001 E..H*(@[email protected] 0x0010: 7f00 0001 0015 80ab 8355 2149 835c d825 .........U!I./.% 0x0020: 8018 2000 fe3c 0000 0101 080a 0e2e 0b67 .....<.........g 0x0030: 0e2e 0b61 3232 3020 2876 7346 5450 6420 ...a220.(vsFTPd. 0x0040: 322e 302e 3129 0d0a 2.0.1).. 0x0000: 4510 0041 d34b 4000 4006 6959 7f00 0001 [email protected]@.iY.... 0x0010: 7f00 0001 80ab 0015 835c d825 8355 215d ........./.%.U!] 0x0020: 8018 2000 fe35 0000 0101 080a 0e2e 1b37 .....5.........7 0x0030: 0e2e 0b67 5553 4552 2064 6d74 7361 690d ...gUSER.dmtsai. 0x0040: 0a . 0x0000: 4510 004a d34f 4000 4006 694c 7f00 0001 [email protected]@.iL.... 0x0010: 7f00 0001 80ab 0015 835c d832 8355 217f ........./.2.U!. 0x0020: 8018 2000 fe3e 0000 0101 080a 0e2e 3227 .....>........2‘ 0x0030: 0e2e 1b38 5041 5353 206d 7970 6173 7377 ...8PASS.mypassw 0x0040: 6f72 6469 7379 6f75 0d0a ordisyou.. |
The above output result has been simplified. You must search for the correlated strings in your output result. From the special words above, we can find that "the FTP user uses vsftpd and the user adds the domain name" dmtsai, and the password is mypasswordisyou! You said it was not terrible! Suppose you are using a clear method to collect your network resources? This is why we often find our website insecure and low!
In addition, you have to understand that in order to make the network interface listen to tcpdump, the network interface will be dynamic in the "promiscuous" mode when tcpdump is executed )』, therefore, you will see a lot of warning messages in/var/log/messages to inform you that your network card has been set to the bandwidth mode! Don't worry. That's normal. For many other applications, see man tcpdump success!
Example: How to Use tcpdump listeners to listen (1) from the eth0 adapter and (2) Determine port 22 through failover, (3) why is the source packet information 192.168.1.100?
A:
Tcpdump-I eth0-nn 'port 22 and SRC host 192.168.1.100'
|
Ethereal
In addition to tcpdump, you can also use ethereal, a handy online traffic analysis tool! Ethereal is divided into a text interface and a text interface. The use of the text interface is similar to that of tcpdump, but its command name should be tethereal. Because the usage method is almost the same, we recommend that you use man tethereal to check the token directly! Ethereal already exists on centos, so please take out the CD and install it! You need to install Ethereal and ethereal-gnome!
The animation method is very simple. You must open a terminal under X Window, and then directly access ethereal, the following response is displayed:
Step 5. Use ethereal as an Example
In simple mode, you can click the button shown in the preceding example to display the interface dialog box, as shown in the following figure:
Lifecycle 6. ethereal use lifecycle example
You should choose the interface to listen to. Here, because it is used for testing, this internal interface is called Lo, you should select your own network interface. Then press start to display the testing details:
Lifecycle 7. ethereal use lifecycle example
In this example, you can see many types of packets. After you finish processing the packets, you can press "stop" to end your hearing, and begin to enter the following packet analysis plane.
4.1.8. Use ethereal as an Example
The packet analysis area is divided into three regions. As shown in the preceding figure, the first region mainly shows the packet standards, the content shows the result of some operations similar to tcpdump. In the second region, the content is the table head of the transaction, including the content in the response box, the content specified by the response box, and socket pair. The Third Region is the result of the 16-step and ASCII representation. Through this ethereal, you can get all the packet content you need! It is also a simplified interface, which is very convenient! By selecting different packets in the first region, you can check the information content of each packet!
NC, Netcat
This NC can be used for testing certain services, because it can be connected to a port for communication. In addition, you can also activate a port on your own to listen to other users! Very useless! Let's assume that the parameter "gaping_security_hole" is provided during the upload period! This software can also be used to obtain bash on the terminal! Terrible! Our centos is more user-friendly and has not been given to the above parameters. Therefore, we cannot use it as our customer reference ~ However, it is a great function to replace Telnet! (Some systems rename the dynamic route entry as Netcat !)
[[Email protected] ~] #NC [IP | host] [port][[Email protected] ~] #NC-l-P [port]Parameter:-L: Used as a listener, that is, a port is opened to indicate the listener;-P: example 1: Connect Port 25 to the local terminal to check the related information [[email protected] ~] #NC localhost 25Localhost. localdomain [127.0.0.1] 25 (SMTP) open220 PC. dm. Tsai ESMTP PostfixEHLO localhost250-pc.dm.tsai250-pipelining250-size 40000000250-etrnQuit221 bye |
The simplest function is similar to telnet! I am able to query a certain service! However, even more amazing in the backend, we can build two channels to improve our performance! For example, we will first invoke a port on the client side to listen:
Example 2: When a port is triggered to listen to the user's authentication requirements [[email protected] ~] #NC-l-P 20000# Activate a port 20000 on the master machine, if netstat-tlnp # is used at this time, we can see an additional port 20000 on the system to listen to the user's response! |
Then, at the host end, NC is also used to connect to the slave end, and some commands are added to the slave end!
[[Email protected] ~] #NC localhost 20000<= The string can be added here! |
At this time, we can enter some words on the host, and you will find the words you entered at the same time on the client side! Suppose that you give out-of-the-box parameters at the same time, for example, using stdout (stdin, so we can do a lot of things through this notebook! Of course, not only does the NC function work like this, but you can also find a lot of uses! Please go to your host's/usr/share/doc/nc-1.10/scripts directory to see these scripts, helpful thanks! However, assume that you need the response handler that contains the gap _ security_hole function to enable the two ends.
Tcpdump packet capture Analysis