Tcpdump Use Example

Objective

This period of time has been studying the network in Kubernetes, including through the keepalived to achieve the high availability of VIP often have to troubleshoot some of the network problems, here to comb the use of tcpdump posture, if there is a bad place to write, welcome to the road friends throw bricks.

Note:

The sample environment is a set of kubernetes clusters, including k8s master node and k8s work node, all VMS

• View the network interface where tcpdump can be used to grab packets

[[email protected] ~]# tcpdump -D1.eth02.docker03.cni04.vethd0fd7a3f5.nflog (Linux netfilter log (NFLOG) interface)6.nfqueue (Linux netfilter queue (NFQUEUE) interface)7.eth18.flannel.19.usbmon1 (USB bus number 1)10.vetha5e14de711.veth5b9890d012.vethf6e5a39c13.veth59af7cc714.vethf98a282315.veth628e223416.veth861a08f617.veth0912b7b618.vethf2889e2b19.vethd7109cca20.veth421502a421.vethf561756e22.any (Pseudo-device that captures on all interfaces)23.lo [Loopback][[email protected] ~]#

• Grasping packets on the Eth0 network interface

[[email protected] ~]# tcpdump -i eth0tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

• Grab packets for all interfaces (need to enter promiscuous mode, Linux kernel >= 2.2)

[[email protected] ~]# tcpdump -i anytcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

• Grasping packets in a detailed output manner

  Note: The default is to listen to the first network interface without the interface parameter, the environment is eth0

[[email protected] ~]# tcpdump -vtcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

• Grab packets in a more verbose output way

[[email protected] ~]# tcpdump -vvtcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

• Capture in the most verbose way

[[email protected] ~]# tcpdump -vvvtcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes17:03:19.298070 IP (tos 0x12,ECT(0), ttl 64, id 7354, offset 0, flags [DF], proto TCP (6), length 176)

• The packet is captured in verbose output and the packet is printed out in 16 and ASCII, in addition to the link level header

[[email protected] ~]# tcpdump -v -Xtcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes17:04:46.063040 IP (tos 0x12,ECT(0), ttl 64, id 19261, offset 0, flags [DF], proto TCP (6), length 176)

• Capture packets in verbose output and print the packets in 16 and ASCII, including the link level header

[[email protected] ~]# tcpdump -v -XXtcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes21:40:45.439798 IP (tos 0x12,ECT(0), ttl 64, id 34723, offset 0, flags [DF], proto TCP (6), length 176)

• Quiet mode to grab packets (less output than the default mode)

[[email protected] ~]# tcpdump -qtcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

• Limit the number of packets fetched

[[email protected] ~]# tcpdump-c 10tcpdump:verbose output suppressed, use-v OR-VV for full protocol Decodelisteni ng on Eth0, Link-type EN10MB (Ethernet), capture size 262144 bytes21:49:00.612030 IP 10-10-40-110.ssh > 121.121.0.65.54 289:flags [P.], seq 2802886126:2802886314, Ack 3182814556, win 1432, options [Nop,nop,ts Val 454928787 ecr 807548508], le Ngth 18821:49:00.612519 IP 10-10-40-110.44078 > public1.114dns.com.domain:11925+ PTR? 65.0.121.121.in-addr.arpa. (+) 21:49:00.623275 IP public1.114dns.com.domain > 10-10-40-110.44078:11925 NXDomain 0/1/0 (106) 21:49:00.624629 IP 10-10-40-110.51033 > public1.114dns.com.domain:25277+ PTR? 110.40.10.10.in-addr.arpa. 21:49:00.635649 IP public1.114dns.com.domain > 10-10-40-110.51033:25277 nxdomain* 0/1/0 (+) 21:49:00.635906 IP 10-10-40-110.39356 > public1.114dns.com.domain:9087+ PTR? 114.114.114.114.in-addr.arpa. (21:49:00.635952) IP 10-10-40-110.ssh > 121.121.0.65.54289:flags [P.], seq 188:408, ack 1,Win 1432, options [Nop,nop,ts Val 454928811 ECR 807548508], length 22021:49:00.644312 IP 121.121.0.65.54289 > 10-10-40- 110.ssh:flags [.], ACK 188, Win 32762, options [Nop,nop,ts Val 807549151 ECR 454928787], length 021:49:00.646272 IP publi C1.114dns.com.domain > 10-10-40-110.39356:9087 1/0/0 PTR public1.114dns.com. 21:49:00.646443 IP 10-10-40-110.ssh > 121.121.0.65.54289:flags [P.], seq 408:1396, ack 1, Win 1432, options [Nop,n Op,ts Val 454928821 ECR 807549151], length 98810 packets CAPTURED10 Packets received by FILTER0 packets dropped by kernel[ [Email protected] ~]#

• Save the crawled data to a file with a file suffix of.cap

  Note: If you want to save the data to a file while you want to view the terminal output, you can combine tee commands and pipelines to usetcpdump | tee > capture.cap

[[email protected] ~]# tcpdump -c 10 -w capture.captcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes10 packets captured10 packets received by filter0 packets dropped by kernel[[email protected] ~]#

View File types

[[email protected] ~]# file capture.capcapture.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)[[email protected] ~]#

Directly through the cat view is not able to see, all is a bunch of garbled, if you want to view the contents of the saved .cap file, you can tcpdump -r read the

• Read the saved Cap file

[[email protected] ~]# tcpdump-r capture.capreading from File Capture.cap, Link-type en10mb (Ethernet) 21:51:09.223140 IP 10-10-40-110.ssh > 121.121.0.65.54289:flags [P.], seq 2802890002:2802890126, Ack 3182816820, win 14 The options [Nop,nop,ts Val 455057398 ECR 807672709], length 12421:51:09.596238 IP 121.121.0.65.54289 > 10-10-40-110.SS H:flags [.], ACK 124, Win 32764, options [Nop,nop,ts Val 807673597 ECR 455057398], length 021:51:09.732159 IP 10.10.40.10 3 > Vrrp.mcast.net:VRRPv2, advertisement, Vrid Wuyi, Prio, authtype simple, intvl 1s, length 2021:51:10.732853 IP 10 .10.40.103 > Vrrp.mcast.net:VRRPv2, advertisement, Vrid Wuyi, Prio, authtype simple, intvl 1s, length 2021:51:10.841 674 stp 802.1s, Rapid STP, CIST Flags [Learn, Forward, agreement], length 10221:51:11.055641 ARP, Request who-has 10-10-40 -110 tell 10.10.40.2, length 2821:51:11.055657 ARP, Reply 10-10-40-110 is-at fa:8a:41:0f:73:00 (oui Unknown), length 2821: 51:11.733994 IP 10.10.40.103 > VRRP. Mcast.net:VRRPv2, advertisement, Vrid Wuyi, Prio, authtype simple, intvl 1s, length 2021:51:12.735129 IP 10.10.40.103 > Vrrp.mcast.net:VRRPv2, advertisement, Vrid Wuyi, Prio, authtype simple, intvl 1s, length 2021:51:12.841619 STP 802 .1s, Rapid STP, CIST Flags [Learn, Forward, agreement], length 102[[email protected] ~]#

• Read the saved capture data in the most detailed way

[[email protected] ~]# tcpdump -vvv -r capture.cap

• Display as IP plus port instead of as domain name and service name (some systems need to specify the-NN parameter to display the port number)

[[email protected] ~]# tcpdump -nn

• Fetching all packets for the target host 10.10.40.200

[[email protected] ~]# tcpdump -nn dst host 10.10.40.200

• Fetch all packets from the source-side host to 10.10.40.200

[[email protected] ~]# tcpdump -nn src host 10.10.40.200

• Fetch all packets from source or target host to 10.10.40.200

[[email protected] ~]# tcpdump -nn host 10.10.40.200

• Crawl all packets for 10.10.40.0/24 on all target networks

[[email protected] ~]# tcpdump -nn dst net 10.10.40.0/24

• Captures all packets for 10.10.40.0/24 from all source-side networks

[[email protected] ~]# tcpdump -nn src net 10.10.40.0/24

• Capture all packets from the source-side network as 10.10.40.0/24 or the target network as 10.10.40.0/24

[[email protected] ~]# tcpdump -nn net 10.10.40.0/24

• Crawl all packets with a target port of 22

[[email protected] ~]# tcpdump -nn dst port 22

• Captures all packets in the 1-1023 range of all target ports

[[email protected] ~]# tcpdump -nn dst portrange 1-1023

• Crawl all TCP packets with a target port range of 1-1023

[[email protected] ~]# tcpdump -nn tcp dst portrange 1-1023

• Captures all UDP packets with a target port range of 1-1023

[[email protected] ~]# tcpdump -nn udp dst portrange 1-1023

• Captures all messages with target host 10.10.40.200 and Target Port 22

[[email protected] ~]# tcpdump -nn "dst host 10.10.40.200 and dst port 22"

• Captures all messages with a target host of 10.10.40.200 and a target port of 22 or 443

[[email protected] ~]# tcpdump -nn dst "host 10.10.40.200 and (dst port 22 or dst port 443)"

• Crawl all ICMP messages

  ICMP can be replaced by other protocols, such as ARP/TCP/UDP/VRRP, etc.

[[email protected] ~]# tcpdump -nn -v icmp

• Crawl all ARP or ICMP messages

[[email protected] ~]# tcpdump -nn -v "icmp or arp"

• Grab all the broadcasts or multi-broadcast text

[[email protected] ~]# tcpdump -nn "multicast or broadcast"

• Specifies the size of the fetch packet (Byte)

  0 means no Limit

[[email protected] ~]# tcpdump -nn icmp -s 100

• End Grab Bag

  Usually it takes a Ctl+C long time to exit the tcpdump, which can be done Ctl+\ in a way that forces the program to quit.

Reference

• man tcpdump
• Https://www.rationallyparanoid.com/articles/tcpdump.html

Tcpdump Use Example