In fact, you could even call tcpdump a hacker's tool, because it can not only analyze the direction of packet flow, but also "listen" to the contents of packets. If the information you send is in plaintext, then somewhere on the network it may already have been overheard by somebody else! Frightening, isn't it? So let's get to know this tool. (Note: tcpdump must be run as root.)
[root@linux ~]# tcpdump [-nn] [-i interface] [-w file] [-c count] [-Ae] [-qX] [-r file] [filter expression]
Options:
-nn: show IP addresses and port numbers directly as numbers, instead of host names and service names
-i: the network interface to "listen" on, e.g. eth0, lo, ppp0 and so on
-w: write the captured packets to a file instead of the screen; the file name follows this option
-c: the number of packets to capture. If it is not given, tcpdump keeps listening until the user presses [Ctrl]-C
-A: display the packet contents as ASCII; usually used to capture WWW packet data
-e: display the MAC information of the OSI layer 2 frame
-q: list the packets in a shorter form, with less content per line
-X: list the packet contents in both hex and ASCII; useful when listening to packet contents
-r: read the packets from a file rather than from the network. The file must already exist and is created with -w
Filter expression: we can restrict the capture to packets from a specified IP address, port number and so on, so that the output is smaller and contains only what we need. Commonly used expressions:
'host foo', 'host 127.0.0.1': packets of a single host
'net 192.168': packets of a whole network
'src host 127.0.0.1', 'dst net 100': additionally restrict the source (src) or destination (dst)
'tcp port 21': restrict the protocol as well, e.g. tcp, udp, arp, ether and so on
The expressions can be combined with and / or to select exactly the packets you want!
Example 1: capture packets on the eth0 interface for 3 seconds, showing IP addresses and port numbers
[root@linux ~]# tcpdump -i eth0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648
<== press [Ctrl]-C to end
6680 packets captured              <== number of packets captured
14250 packets received by filter   <== total number of packets the kernel received from the interface
7512 packets dropped by kernel     <== number of packets dropped by the kernel
If this is the first time you read the tcpdump man page, you will probably be confused, because tcpdump basically analyzes packet headers; if you don't have a basic understanding of network packets, you will not understand the output! So at the very least you should go back to the networking basics and understand the header fields of a TCP packet. ^_^ In the output of the example above, each line can be split into several fields; let's explain them using the first packet line of Example 1:
- 01:33:40.41: the time at which the packet was captured, in hour:minute:second;
- IP: the protocol carried is IP;
- 192.168.1.100.22 >: the sender is IP address 192.168.1.100 and the sender's port number is 22. Note that the greater-than sign (>) indicates the direction of the packet!
- 192.168.1.11.1190: the receiver's IP address is 192.168.1.11, and that host has opened port 1190 to receive the packet;
- P 116:232(116): this packet carries the PUSH flag, and the data it carries is bytes 116 to 232 of the stream, so this packet carries 116 bytes of data;
- ack 1 win 9648: the acknowledgement number and the window size.
Put simply, the packet is sent from 192.168.1.100 to 192.168.1.11, from port 22 to port 1190, it carries 116 bytes of data, and the PUSH flag is set rather than the SYN flag that starts a connection. Not that easy to understand, is it? That's why the TCP header material from earlier is required!
Furthermore, on a very busy host, if you only want to see the packets that a certain host sends to you, you could combine tcpdump with grep and regular expressions, but that is hard to get right. Instead, we can easily get the information we need through tcpdump's filter expressions. In the example above we listened on eth0, so everything on the whole eth0 interface was printed on the screen, which is hard to analyze! So can we narrow it down? For example, to capture only the packets on port 21, do this:
[root@linux ~]# tcpdump -i eth0 -nn port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 1 win 65535
01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240: P 1:21(20) ack 1 win 5840
01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 21 win 65515
01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840
Look! This time only the port 21 traffic was captured, and if you read it carefully you will notice that the packets always go in both directions: the client sends a "request" and the server returns a response! We can also watch how a connection is set up by following the flow of packets. For example:
- first run "tcpdump -i lo -nn" in one terminal window,
- then open another terminal window and log in to the local host (127.0.0.1) with "ssh localhost".
So what does the result look like?
[root@linux ~]# tcpdump -i lo -nn
1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
2 listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
3 11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
4 11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
5 11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
6 11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
7 11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
The first two lines of the output above are tcpdump's own description; after that:
- line 3 shows the client actively opening the connection with a SYN packet,
- line 4 shows the server side replying to the client (ACK) and at the same time setting its own SYN flag,
- line 5 shows the client responding to the server and confirming that the connection is established (ACK),
- line 6 is where the data transfer begins.
Do lines 3 to 5 look familiar? Yes! That's the three-way handshake! Interesting! However, the reason tcpdump is regarded as a hacker's tool is not only the features introduced so far! What we have seen above can be used to analyze the packets entering and leaving our host, which helps us understand how packets behave, and at the same time shows whether the firewall rules on the host need adjusting.
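To make the header fields, the filter expressions and the handshake concrete, here is an added example in Python (my own code, not part of the original page and not part of tcpdump). It parses the one-line summary format printed by the tcpdump version shown above, applies the equivalent of the host / port / src / dst filters to the parsed lines, adds up how many payload bytes flowed in each direction (the number in parentheses), and finds the SYN, SYN/ACK, ACK sequence in the "ssh localhost" capture. The sample lines are copied from that capture; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the "ssh localhost" capture shown above, including the two
# descriptive lines that the parser has to skip.
SAMPLE_LINES = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
""".splitlines()

# One summary line of the old tcpdump format: time, "IP", src.port > dst.port:,
# flag letters (S, P, F, R; "." means none), optional "first:last(len)",
# optional "ack N", optional "win N". Anything after that is ignored.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)


@dataclass
class Packet:
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # "S", "P", ".", ...
    seq: Optional[int]   # first byte of the range carried, if any data
    length: int          # payload bytes, the number in parentheses (0 if none)
    ack: Optional[int]
    win: Optional[int]


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a summary line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(
        time=g["time"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), flags=g["flags"],
        seq=int(g["seq"]) if g["seq"] is not None else None,
        length=int(g["len"]) if g["len"] is not None else 0,
        ack=int(g["ack"]) if g["ack"] is not None else None,
        win=int(g["win"]) if g["win"] is not None else None,
    )


def parse_capture(lines: List[str]) -> List[Packet]:
    return [p for p in (parse_line(l) for l in lines) if p is not None]


def matches(p: Packet, host=None, port=None, src_host=None, dst_host=None,
            src_port=None, dst_port=None) -> bool:
    """The common tcpdump filter primitives, applied to an already parsed line."""
    if host is not None and host not in (p.src, p.dst):
        return False
    if port is not None and port not in (p.sport, p.dport):
        return False
    if src_host is not None and p.src != src_host:
        return False
    if dst_host is not None and p.dst != dst_host:
        return False
    if src_port is not None and p.sport != src_port:
        return False
    if dst_port is not None and p.dport != dst_port:
        return False
    return True


def endpoint(ip: str, port: int) -> str:
    return f"{ip}:{port}"


def find_handshakes(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (client, server) for every complete SYN, SYN/ACK, ACK sequence."""
    found = []
    for i, syn in enumerate(packets):
        if syn.flags != "S" or syn.ack is not None or syn.seq is None:
            continue                                  # only a bare SYN opens a connection
        client, server = endpoint(syn.src, syn.sport), endpoint(syn.dst, syn.dport)
        j = next((k for k in range(i + 1, len(packets))
                  if packets[k].flags == "S"
                  and endpoint(packets[k].src, packets[k].sport) == server
                  and endpoint(packets[k].dst, packets[k].dport) == client
                  and packets[k].ack == syn.seq + 1), None)
        if j is None:
            continue
        # tcpdump prints absolute sequence numbers on SYN and SYN/ACK and switches to
        # relative numbers afterwards, so the client's final ACK shows up as "ack 1".
        if any(packets[k].flags == "." and packets[k].ack == 1
               and endpoint(packets[k].src, packets[k].sport) == client
               and endpoint(packets[k].dst, packets[k].dport) == server
               for k in range(j + 1, len(packets))):
            found.append((client, server))
    return found


def payload_bytes(packets: List[Packet]) -> Dict[str, int]:
    """Total payload bytes per direction, e.g. '127.0.0.1:22 > 127.0.0.1:32936'."""
    totals: Dict[str, int] = {}
    for p in packets:
        key = f"{endpoint(p.src, p.sport)} > {endpoint(p.dst, p.dport)}"
        totals[key] = totals.get(key, 0) + p.length
    return totals


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_LINES)
    for c, s in find_handshakes(pkts):
        print(f"three-way handshake: {c} -> {s}")
    print(payload_bytes(pkts))
```

The parser only understands the summary format of the tcpdump version shown on this page (newer versions print flags as "Flags [S]" and sequence numbers differently), which is exactly why reading the header fields yourself, as explained above, is worth the effort.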
Now for a more amazing use! What do you think happens if we use tcpdump to listen to a "plaintext" protocol on the network, such as FTP? First run "tcpdump -i lo -nn -X 'port 21'" in a terminal on the host, then log in to the host with FTP and enter the username and password. You will get output like the following:
[root@linux ~]# tcpdump -i lo -nn -X 'port 21'
0x0000:  4500 0048 2a28 4000 4006 1286 7f00 0001  E..H*(@.@.......
0x0010:  7f00 0001 0015 80ab 8355 2149 835c d825  .........U!I./.%
0x0020:  8018 2000 fe3c 0000 0101 080a 0e2e 0b67  .....<.........g
0x0030:  0e2e 0b61 3232 3020 2876 7346 5450 6420  ...a220.(vsFTPd.
0x0040:  322e 302e 3129 0d0a                      2.0.1)..
0x0000:  4510 0041 d34b 4000 4006 6959 7f00 0001  E..A.K@.@.iY....
0x0010:  7f00 0001 80ab 0015 835c d825 8355 215d  ........./.%.U!]
0x0020:  8018 2000 fe35 0000 0101 080a 0e2e 1b37  .....5.........7
0x0030:  0e2e 0b67 5553 4552 2064 6d74 7361 690d  ...gUSER.dmtsai.
0x0040:  0a                                       .
0x0000:  4510 004a d34f 4000 4006 694c 7f00 0001  E..J.O@.@.iL....
0x0010:  7f00 0001 80ab 0015 835c d832 8355 217f  ........./.2.U!.
0x0020:  8018 2000 fe3e 0000 0101 080a 0e2e 3227  .....>........2'
0x0030:  0e2e 1b38 5041 5353 206d 7970 6173 7377  ...8PASS.mypassw
0x0040:  6f72 6469 7379 6f75 0d0a                 ordisyou..
The output above has been simplified; in your own output you will have to search for the relevant strings. From the ASCII column on the right we can see that the FTP server software is vsftpd, the user who logged in is dmtsai, and the password is mypasswordisyou! Scary, isn't it? And what if you yourself are using a plaintext protocol to access your network resources? This is why we keep saying that the network is a very insecure place!
In addition, you should know that in order for tcpdump to listen on the network interface, the interface is put into "promiscuous" mode while tcpdump runs, so you will see many warning messages in /var/log/messages telling you that your network card has been set to promiscuous mode! Don't worry, that is normal. For more uses, please see man tcpdump!
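To show how little work it takes to turn the hex dump above into the credentials, here is an added example in Python (my own code, not from the original page and not part of tcpdump or vsftpd). It splits tcpdump -X output into packets, strips the IPv4 and TCP headers using their own length fields (the IHL and the TCP data offset, so TCP options are skipped correctly), and pulls the banner, USER and PASS out of the plaintext FTP control connection. The three dumps are copied verbatim from the output above; the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the three dumps shown above for "tcpdump -i lo -nn -X 'port 21'",
# as printed there (summary lines omitted, hex column plus ASCII column).
FTP_DUMP = """\
0x0000:  4500 0048 2a28 4000 4006 1286 7f00 0001  E..H*(@.@.......
0x0010:  7f00 0001 0015 80ab 8355 2149 835c d825  .........U!I./.%
0x0020:  8018 2000 fe3c 0000 0101 080a 0e2e 0b67  .....<.........g
0x0030:  0e2e 0b61 3232 3020 2876 7346 5450 6420  ...a220.(vsFTPd.
0x0040:  322e 302e 3129 0d0a                      2.0.1)..
0x0000:  4510 0041 d34b 4000 4006 6959 7f00 0001  E..A.K@.@.iY....
0x0010:  7f00 0001 80ab 0015 835c d825 8355 215d  ........./.%.U!]
0x0020:  8018 2000 fe35 0000 0101 080a 0e2e 1b37  .....5.........7
0x0030:  0e2e 0b67 5553 4552 2064 6d74 7361 690d  ...gUSER.dmtsai.
0x0040:  0a                                       .
0x0000:  4510 004a d34f 4000 4006 694c 7f00 0001  E..J.O@.@.iL....
0x0010:  7f00 0001 80ab 0015 835c d832 8355 217f  ........./.2.U!.
0x0020:  8018 2000 fe3e 0000 0101 080a 0e2e 3227  .....>........2'
0x0030:  0e2e 1b38 5041 5353 206d 7970 6173 7377  ...8PASS.mypassw
0x0040:  6f72 6469 7379 6f75 0d0a                 ordisyou..
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s*(.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")   # "0a" or "4500"


def parse_hexdump(text: str) -> List[bytes]:
    """Split tcpdump -X output into raw packets; a new packet starts at offset 0x0000."""
    packets: List[bytes] = []
    cur = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                       # summary lines, blank lines
        if int(m.group(1), 16) == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        for n, tok in enumerate(m.group(2).split()):
            if n == 8 or not HEX_TOKEN.match(tok):
                break                      # at most 8 groups per line; the rest is the ASCII column
            cur += bytes.fromhex(tok)
    if cur:
        packets.append(bytes(cur))
    return packets


def tcp_payload(pkt: bytes) -> Tuple[int, int, bytes]:
    """Strip IPv4 and TCP headers using their own length fields; return (sport, dport, payload)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4              # IP header length, options included
    total_len = int.from_bytes(pkt[2:4], "big")
    if total_len > len(pkt):
        raise ValueError("truncated packet (capture size too small?)")
    pkt = pkt[:total_len]                  # ignore anything past the IP length
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4              # TCP data offset, options included
    return sport, dport, tcp[doff:]


def extract_ftp_credentials(dump: str) -> Dict[str, Optional[str]]:
    """Pull the server banner, USER and PASS out of a plaintext FTP control session."""
    found: Dict[str, Optional[str]] = {"server": None, "user": None, "password": None}
    for pkt in parse_hexdump(dump):
        sport, dport, payload = tcp_payload(pkt)
        text = payload.decode("ascii", errors="replace").rstrip("\r\n")
        if sport == 21 and text.startswith("220"):
            found["server"] = text
        elif dport == 21 and text.upper().startswith("USER "):
            found["user"] = text[5:]
        elif dport == 21 and text.upper().startswith("PASS "):
            found["password"] = text[5:]
    return found


if __name__ == "__main__":
    print(extract_ftp_credentials(FTP_DUMP))
```

Two caveats when you run this against your own capture: the page's tcpdump used a capture size of 96 bytes, so longer packets are cut off and tcp_payload reports them as truncated (capture with -s 0 to keep whole packets), and the hex dump here starts at the IP header because the interface is lo; on an Ethernet capture with -e the 14-byte frame header comes first and has to be skipped.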
Exercise: how do you use tcpdump to listen (1) on the eth0 interface, (2) on port 22, (3) only for packets whose source is 192.168.1.100? Answer:
tcpdump -i eth0 -nn 'port 22 and src host 192.168.1.100'
Ethereal
Besides tcpdump, you can also use ethereal, a handy network traffic analysis tool! Ethereal comes in a text-mode version and a graphical version. The text-mode version is used much like tcpdump, but its command name is tethereal. Since the usage is similar, we recommend you read man tethereal directly. Ethereal is already on the CentOS CD, so get the CD out and install it! You need to install both ethereal and ethereal-gnome!
The graphical version is very simple to use: open a terminal under X Window and run ethereal, and the following window appears:
Figure 4.1.5. ethereal usage example
Click the button shown in the figure above to open the interface selection dialog, shown in the next figure:
Figure 4.1.6. ethereal usage example
Choose the interface to listen on. Here, because this is a local test, the loopback interface lo is chosen; you should select your own network interface. Then press Start and the capture window appears:
Figure 4.1.7. ethereal usage example
In this window you can see the counts of many kinds of packets. When you have captured enough, press Stop to end the listening, and the packet analysis window opens:
Figure 4.1.8. ethereal usage example
The packet analysis window is divided into three regions. As shown in the figure above, the first region mainly lists the packet headers, with content similar to what tcpdump shows. The second region is the breakdown of the selected packet's headers, including the interface it was captured on, the protocol, and the socket pair. The third region is the packet content in hexadecimal and ASCII. With ethereal you can get all the packet content you need! And since it is a graphical interface, it is very convenient! By selecting different packets in the first region, you can inspect each packet's information!
nc, netcat
nc can be used to check whether some service is working, because it can connect to a port and communicate with it. In addition, you can manually open a port to listen for connections from other users! Very handy! If it was compiled with the GAPING_SECURITY_HOLE option, hey, this program can even be used to obtain a bash shell on a remote host! Scary! Our CentOS is friendlier and does not compile that option in, so we cannot use it as a hacker's tool ~ but it is still an excellent replacement for telnet! (Some systems name the executable netcat!)
[root@linux ~]# nc [ip|host] [port]
[root@linux ~]# nc -l -p [port]
Options:
-l: listen mode, i.e. open a port and wait for connections
-p: the port number to use; the port follows this option
Example 1: connect to port 25 on the local host to look at the related information
[root@linux ~]# nc localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 pc.dm.tsai ESMTP Postfix
EHLO localhost
250-pc.dm.tsai
250-PIPELINING
250-SIZE 40000000
250-ETRN
QUIT
221 Bye
Its simplest use is similar to telnet: you can check a service on the network! But even more amazing, we can build a channel between two hosts and pass data through it! In the next example we first open a port on the server side to listen:
Example 2: open a port to listen for the client's connection requests
[root@linux ~]# nc -l -p 20000
# This opens port 20000 on the host; if you run netstat -tlnp at this point,
# you will see an extra port 20000 listening on the system!
Then, on the client side, use nc to connect to the server side and type in some text:
[root@linux ~]# nc localhost 20000   <== you can start typing strings here!
At this point, whatever text we type on the client side appears at the same moment on the server side! If we also redirect stdin and stdout, we can do a great many things with this tool! Of course, nc's functionality does not stop here; you can find many more uses! Have a look at the scripts in the /usr/share/doc/nc-1.10/scripts directory on your host; they are very helpful! However, if you need a version of nc that includes the GAPING_SECURITY_HOLE function
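As an added illustration of what the two nc examples above do at the socket level (my own Python, not the nc program and not from the original page): one thread binds a port and waits for a single client the way nc -l -p does, answering with an SMTP-style banner and replies modelled on Example 1 (a constructed stand-in responder, not Postfix); the client side connects, sends the commands a user would type, and collects the replies the way nc host port does. The function names, the chosen port (0, so the OS picks a free one) and the reply texts are my assumptions.

```python
import socket
import threading
from typing import List, Tuple

# Constructed stand-in for the mail server of Example 1: it only knows EHLO and QUIT.
def serve_once(listener: socket.socket) -> None:
    """Accept one client (like 'nc -l -p PORT'), greet it and answer its commands."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        conn.sendall(b"220 pc.dm.tsai ESMTP Postfix\r\n")
        f = conn.makefile("rb")
        for raw in f:
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "EHLO":
                conn.sendall(b"250-pc.dm.tsai\r\n250-PIPELINING\r\n"
                             b"250-SIZE 40000000\r\n250 ETRN\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 Error: command not implemented\r\n")


def start_listener(host: str = "127.0.0.1", port: int = 0) -> Tuple[int, threading.Thread]:
    """Bind a port and serve one client in a background thread; returns (port, thread)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((host, port))
    ls.listen(1)
    t = threading.Thread(target=serve_once, args=(ls,), daemon=True)
    t.start()
    return ls.getsockname()[1], t


def read_reply(f) -> List[str]:
    """Read one SMTP reply: '250-' lines continue it, '250 ' (space) ends it."""
    lines: List[str] = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def talk(host: str, port: int, commands: List[str], timeout: float = 5.0) -> List[List[str]]:
    """Connect like 'nc host port', send each command, return the banner and every reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        replies = [read_reply(f)]                  # the banner arrives before we send anything
        for c in commands:
            s.sendall(c.encode("ascii") + b"\r\n")
            replies.append(read_reply(f))
    return replies


if __name__ == "__main__":
    port, t = start_listener()
    for reply in talk("127.0.0.1", port, ["EHLO localhost", "QUIT"]):
        print("\n".join(reply))
    t.join(5)
```

Everything in this exchange crosses the wire as plaintext, exactly like the FTP session captured earlier, so the same tcpdump -X on lo would show the banner and commands byte for byte; that is the whole reason nc is useful for poking at services and the whole reason such services need TLS.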