tcpdump usage notes on Ubuntu: commands and the TCP, IP and ICMP packet formats

Frequently used commands

Basic commands
$ tcpdump                        // by default, capture all packets on the first network interface
$ tcpdump -i ens33               // capture packets on interface ens33
$ tcpdump host 47.95.224.4       // capture all packets sent or received by host 47.95.224.4
$ tcpdump host 47.95.224.4 and 10.13.32.60
// capture all packets between host 47.95.224.4 and host 10.13.32.60

$ tcpdump host 47.95.224.4 and \(10.13.32.60 or 10.13.32.169\)
// capture all packets between host 47.95.224.4 and either 10.13.32.60 or 10.13.32.169 (the parentheses must be escaped or quoted so the shell does not interpret them)
$ tcpdump 'host 47.95.224.4 and ! 10.13.32.169'
// capture all packets between host 47.95.224.4 and any host other than 10.13.32.169
$ tcpdump -i ens33 src host 47.95.224.4    // capture all packets sent by host 47.95.224.4
$ tcpdump -i ens33 dst host 47.95.224.4    // capture all packets received by host 47.95.224.4
$ tcpdump tcp port 443 and host www.baidu.com
// capture packets between local TCP port 443 (HTTPS) and www.baidu.com

Monitoring packets for a specified network address

$ tcpdump net 47.95.224.0/24                // capture all packets sent or received by the network 47.95.224.0/24
$ tcpdump ip and not net 10.13.32.169       // capture all IP packets on the local network except those to or from 10.13.32.169

Listening for ICMP packets
$ tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
// print all ICMP packets except those of type 'echo request' or 'echo reply' (useful, for example, when you want to see every packet that was not generated by the ping program; both 'echo request' and 'echo reply' packets are normally generated by ping)
// note that the single quotes (or backslashes) cannot be omitted: they keep the shell from interpreting or expanding characters such as & and !

* ICMP protocol: ICMP is a connectionless protocol used to carry error reports and control information. It is a very important protocol, and it matters a great deal for network security. The full name of ICMP is Internet Control Message Protocol. Technically, ICMP is an "error detection and reporting mechanism" whose purpose is to let us check the state of network connectivity.
ICMP is a very useful protocol, especially when we need to judge the state of a network connection.
ICMP is also of great significance for network security. The characteristics of the protocol make it very easy to use for attacks on routers and hosts. For example, in August 1999 Hisense Group offered a 500,000 yuan "reward" for testing its firewall; the firewall suffered more than 334,050 ICMP attacks, more than 90% of the total number of attacks. The importance of ICMP clearly must not be overlooked.
For example, a "Ping of Death" attack can be launched against a host by exploiting the operating system's maximum ICMP packet size of no more than 64KB. The principle of the Ping of Death attack is that if an ICMP packet exceeds the 64KB limit, a memory allocation error occurs on the host, the TCP/IP stack crashes and the host panics. (Operating systems have since removed the size limit on sending ICMP packets to resolve this vulnerability.)
In addition, sending a large, continuous stream of ICMP packets to a target host for a long time can eventually paralyze the system. The flood of ICMP packets forms an "ICMP storm", and the target host exhausts its CPU resources processing them.

* HTTP packet capture

$ tcpdump -xvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
// match TCP segments whose payload begins with "GE" (0x47 'G', 0x45 'E', the start of a GET request) or "HT" (0x48 'H', 0x54 'T', the start of an HTTP response line)
// options: -x hex dump, -vv verbose, -e link-layer headers, -nn no name or port resolution, -S absolute sequence numbers, -s 0 full packets
// tcp[20:2] is the two bytes immediately after a 20-byte TCP header, so the expression assumes a TCP header without options
// ASCII codes 65~90 are the 26 uppercase English letters



Listening for packets by the contents of IP/TCP header fields
$ tcpdump 'ip[2:2] > 3'
// capture IP packets whose total length is greater than 3 bytes
// ip[2] is the third byte of the IP packet; ip[2:2] is the two-byte field starting at that byte (the third and fourth bytes),
// that is, the value of the Total Length field of the IP header

$ tcpdump 'tcp port 80 and ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0'
// capture packets on port 80 whose IP data payload is not empty
// whether the payload is empty is decided by: IP packet total length - IP header length - TCP header length = IP data payload length
// ip[0] holds the Version field and the Header Length (IHL) field
// ip[0]&0xf is the Header Length field
// (ip[0]&0xf)<<2: the header length is counted in 32-bit (4-byte) words, so it is shifted left by 2 bits, i.e. multiplied by 4, to get bytes
// (tcp[12]&0xf0)>>2 follows the same principle as ip[0] and gives the TCP header length in bytes (the data offset sits in the high nibble of tcp[12], so shifting right by 4 for words and left by 2 for bytes combine into a single shift right by 2)
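The byte-offset arithmetic above, and the tcp[20:2] assumption in the HTTP capture command earlier, worked through on a constructed packet as an added example (not code from the original page). It assumes a made-up IPv4/TCP packet built inline with struct, whose TCP header carries 12 bytes of options, to show why the payload start must be read from tcp[12] rather than taken as offset 20.

```python
import struct

# Constructed sample (not a real capture): 20-byte IPv4 header, 32-byte TCP
# header (20 fixed bytes + 12 bytes of options) and an 18-byte HTTP payload.
PAYLOAD = b"GET / HTTP/1.1\r\n\r\n"
TCP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8            # NOP, NOP, timestamp
TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,    # ports, seq, ack
                         8 << 4,                            # data offset: 8 words = 32 bytes
                         0x18, 65535, 0, 0) + TCP_OPTIONS   # flags PSH|ACK, window, csum, urg
IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0,           # version 4, IHL 5 words
                        20 + len(TCP_HEADER) + len(PAYLOAD),  # Total Length field
                        1, 0, 64, 6, 0,                       # id, frag, TTL, proto 6 (TCP), csum
                        bytes([10, 13, 32, 60]), bytes([47, 95, 224, 4]))
PACKET = IP_HEADER + TCP_HEADER + PAYLOAD

def ip_total_length(pkt):
    """ip[2:2]: the 16-bit Total Length field at IP offset 2."""
    return struct.unpack_from("!H", pkt, 2)[0]

def ip_header_length(pkt):
    """(ip[0] & 0xf) << 2: IHL is counted in 32-bit words, so times 4 for bytes."""
    return (pkt[0] & 0x0F) << 2

def tcp_header_length(pkt):
    """(tcp[12] & 0xf0) >> 2: the data offset (in words) sits in the high nibble."""
    tcp = pkt[ip_header_length(pkt):]
    return (tcp[12] & 0xF0) >> 2

def tcp_payload_length(pkt):
    """The page's expression: ip[2:2] minus IP header length minus TCP header length."""
    return ip_total_length(pkt) - ip_header_length(pkt) - tcp_header_length(pkt)

def tcp_word_at(pkt, offset):
    """tcp[offset:2] as a 16-bit value; 0x4745 is the ASCII bytes 'GE'."""
    tcp = pkt[ip_header_length(pkt):]
    return struct.unpack_from("!H", tcp, offset)[0]

def first_payload_word(pkt):
    """tcp[((tcp[12]&0xf0)>>2):2]: the first two payload bytes, options or not."""
    return tcp_word_at(pkt, tcp_header_length(pkt))

if __name__ == "__main__":
    print("total", ip_total_length(PACKET), "ip hdr", ip_header_length(PACKET),
          "tcp hdr", tcp_header_length(PACKET), "payload", tcp_payload_length(PACKET))
    # With options present tcp[20:2] hits the options (0x0101), not "GE" (0x4745)
    print(hex(tcp_word_at(PACKET, 20)), hex(first_payload_word(PACKET)))
```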

$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and host 47.95.224.4'
// capture the packets that establish or tear down TCP connections with host 47.95.224.4
Summary of the basic tcpdump command format
$ tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and not dst port 22 and src net 192.168.1.0/24
(the options come first; the filter expression is the trailing argument)
(1) tcp: protocol keywords such as ip, icmp, arp, rarp, tcp and udp are placed at the start of the filter expression and select the type of datagram
(2) -i eth1: capture only packets on eth1
(3) -t: do not print timestamps
(4) -s 0: the default capture length (snaplen) of older tcpdump versions is 68 bytes; with -s 0 the full packet is captured
(5) -c 100: capture only 100 packets, then stop automatically
(6) not dst port 22: do not capture packets whose destination port is 22
(7) src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24
(8) -w ./target.cap: save to a cap file for analysis in Ethereal (i.e. Wireshark)
Summary of options
-c count: tcpdump exits after receiving count packets.
-e: each output line includes the data link layer header of the packet.
-s len: set the capture length (snaplen) to len bytes; if not set, the default is 262144 bytes.
-w file: write the raw packet data to file without parsing and printing it (for example, for analysis in Wireshark); the saved packets can be read back, parsed and printed later with the -r option.
-x: when parsing and printing, tcpdump prints the header data of each packet and also prints the packet data in hexadecimal (excluding the link-layer header). The total amount of data printed does not exceed the smaller of the packet size and the snaplen. Note that if the higher-layer data is shorter than the snaplen and the data link layer (for example Ethernet) pads the frame, the padding is printed as well.
-xx: like -x, but the hexadecimal output also includes the data link layer header.
-X: when parsing and printing, tcpdump prints the header data of each packet and also prints the packet data in hexadecimal and ASCII (excluding the link-layer header). This is convenient for analyzing packets of new protocols.
-XX: like -X, but the output also includes the data link layer header.
Operator summary
Valid operators are:
 negation ('!' or 'not')
 and ('&&' or 'and')
 or ('||' or 'or')
Port numbers

Well-known ports: 0~1023
Dynamic ports: 1024~65535
Ports are divided by protocol type into TCP/UDP/IP/ICMP ports.
TCP ports: reliable, connection-oriented transport. Common ones are port 21 for the FTP service, port 23 for Telnet, port 25 for SMTP, port 80 for HTTP and port 443 for HTTPS.
UDP ports: no connection needs to be established, unreliable. Common ones are port 53 for the DNS service, port 161 for SNMP and port 123 for NTP. Ports 8000 and 4000 are also frequently used. Port 1024 is the first port assigned when a program requests a port from the system.

Default ports of common services:
HTTP server: 80/tcp (the Trojan Executor opens this port)
HTTPS (secure transfer of web pages): 443/tcp, 443/udp
Telnet (insecure text transfer): 23/tcp (the port opened by the Trojan Tiny Telnet Server)
FTP: 21/tcp (the port opened by the Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash and Blade Runner)
TFTP (Trivial File Transfer Protocol): 69/udp
SSH (secure login), SCP (file transfer), port forwarding: 22/tcp
SMTP, Simple Mail Transfer Protocol (e-mail): 25/tcp (the Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy all open this port)
POP3, Post Office Protocol (e-mail): 110/tcp
WebLogic: 7001
WebSphere application: 9080
WebSphere administration tool: 9090
JBoss: 8080
Tomcat: 8080
Windows 2003 remote login: 3389
Symantec AV/Filter for MSE: 8081
Oracle database: 1521
Oracle emctl: 1158
Oracle XDB (XML database): 8080
Oracle XDB FTP service: 2100
MS SQL Server database server: 1433/tcp, 1433/udp
MS SQL Server database monitor: 1434/tcp, 1434/udp
QQ: 1080/ud
- TCP packet format

Sequence number: the SEQ number, 32 bits, identifies the byte stream sent from the TCP source to the destination; the sender marks the data it sends with it.
Acknowledgment number: the ACK number, 32 bits; the field is valid only when the ACK flag bit is 1, and then ack = seq + 1.
Flag bits: 6 in total, namely URG, ACK, PSH, RST, SYN and FIN, with the following meanings:
URG: the urgent pointer field is valid.
ACK: the acknowledgment number is valid.
PSH: the receiver should hand this segment to the application layer as soon as possible.
RST: reset the connection.
SYN: initiate a new connection.
FIN: release a connection.

Flag byte: tcp[13]; a flag is set when its bit is 1 (here A and S are set, i.e. a SYN+ACK segment, value 0x12)

| C| E| U| A| P| R| S| F|
| ----------------------|
| 0| 0| 0| 1| 0| 0| 1| 0|
TCP connection establishment
C->S: SYN=1, a randomly generated seq=j, length=0
S->C: SYN=1, ACK=1, seq=i, ack=j+1, length=0
C->S: ACK=1, ack=1, length=0
TCP data transfer
Example: C->S sends "cyn", S->C echoes back "copy   cyn"
C->S: PSH=1, ACK=1, seq=1:4, ack=1, length=3
S->C: PSH=1, ACK=1, seq=27:38, ack=4, length=11
C->S: ACK=1, ack=38, length=0
TCP disconnection
Example: C->S sends "exit"; S tears down the TCP connection after receiving this message
C->S: PSH=1, ACK=1, seq=4:8, ack=38, length=4
C->S: FIN=1, ACK=1, seq=8, ack=38, length=0
S->C: ACK=1, ack=9, length=0
C->S: RST=1, ACK=1, seq=9, ack=38, length=0
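An added example (not from the original page) that models the tcp[13] flag byte shown above and checks the seq/ack bookkeeping of the data-transfer and teardown exchange, using tcpdump's relative sequence numbers. The seq of the server's bare ACK (38) is an assumption, since the page does not list it.

```python
# tcp[13] bit layout, highest bit first: C E U A P R S F
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def decode_flags(byte):
    """Names of the flags set in a tcp[13] byte: 0x12 (00010010) -> ['ACK', 'SYN']."""
    return [name for name, bit in FLAG_BITS.items() if byte & bit]

def encode_flags(names):
    """Inverse of decode_flags: the tcp[13] value for a set of flag names."""
    return sum(FLAG_BITS[n] for n in names)

def is_connection_event(byte):
    """The page's filter tcp[tcpflags] & (tcp-syn|tcp-fin) != 0: setup or teardown."""
    return byte & (FLAG_BITS["SYN"] | FLAG_BITS["FIN"]) != 0

def next_ack(seq_start, length, byte):
    """Ack number the peer owes for a segment: the data bytes, plus one for SYN
    or FIN, which consume a sequence number although they carry no data."""
    return seq_start + length + (1 if is_connection_event(byte) else 0)

# The page's exchange in tcpdump's relative numbering, constructed here as
# (direction, tcp[13], seq start, payload length, ack). The server's bare
# ACK carries seq 38 by assumption; the page does not list it.
SEGMENTS = [
    ("C->S", encode_flags(["PSH", "ACK"]), 1, 3, 1),    # client sends "cyn"
    ("S->C", encode_flags(["PSH", "ACK"]), 27, 11, 4),  # server echoes "copy   cyn"
    ("C->S", encode_flags(["ACK"]), 4, 0, 38),
    ("C->S", encode_flags(["PSH", "ACK"]), 4, 4, 38),   # client sends "exit"
    ("C->S", encode_flags(["FIN", "ACK"]), 8, 0, 38),   # FIN consumes seq 8 ...
    ("S->C", encode_flags(["ACK"]), 38, 0, 9),          # ... hence ack 9
    ("C->S", encode_flags(["RST", "ACK"]), 9, 0, 38),
]

def check_acks(segments):
    """True when every ack equals next_ack() of the peer's most recent segment."""
    owed = {}  # direction -> ack number the reply in the other direction must carry
    for direction, byte, seq, length, ack in segments:
        peer = "S->C" if direction == "C->S" else "C->S"
        if peer in owed and ack != owed[peer]:
            return False
        owed[direction] = next_ack(seq, length, byte)
    return True
```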
