Debugging tool: tcpdump in detail

Source: Internet
Author: User

Introduction
If you run man tcpdump, the one-line description reads "dump traffic on a network". tcpdump is a packet capture and analysis tool: it intercepts packets on the network according to the filter the user defines. It captures the "head" of each packet travelling on the wire (by default only the first snaplen bytes) for analysis, supports filtering by network interface, protocol, host, network or port, and provides the logical operators and, or and not so that traffic you do not care about can be discarded. Its power and flexible capture filters make tcpdump one of the essential tools for any experienced system administrator when analysing a network or troubleshooting a problem.
tcpdump ships with its source code and exposes its capture interface (libpcap), so it is highly extensible, which makes it a useful tool for network maintainers and intruders alike. tcpdump is part of the FreeBSD base system. Because it has to put the network interface into promiscuous mode, an ordinary user cannot run it; a user with root privileges (on Linux, a process holding the CAP_NET_RAW and CAP_NET_ADMIN capabilities) can run it directly and read whatever passes on the network. A packet analyser present on a host is therefore not so much a threat to that host's own security as to the security of the other computers on the network, whose traffic it can read.

Installation
On many Linux distributions tcpdump is installed as a standard package by default; running the tcpdump command tells you whether it is present. If it is not, there are three ways to install it: with the yum command, from an RPM package, or from source. tcpdump relies on libpcap to capture packets, so libpcap must be installed as well.
The three methods are shown in turn.
Installing with the yum command:

$ sudo yum install tcpdump

This is the least effort: if all goes well a single command does the job, and if the package depends on other packages, yum prompts to install those as well.

Installing from an RPM package:
Installing an RPM package is slightly more work than using yum.
First, download the tcpdump RPM package:

$ wget http://dag.wieers.com/redhat/el5/en/x86_64/testing/RPMS/tcpdump-4.4.0-1.el5.rft.x86_64.rpm

Then install the downloaded package with the rpm command (the file name must match the package you downloaded):

$ sudo rpm -ivh ./tcpdump-4.4.0-1.el5.rft.x86_64.rpm

An RPM package is software already compiled into binary form, so the rpm command installs it directly with nothing to configure. Unlike yum, rpm does not resolve dependencies: if libpcap is missing it reports the failed dependency and you must install that package first.

Installing from source:
Installing from source is the most laborious method. But when a new version has just been released there may be no RPM package on the network yet and the yum repositories may not carry it; then building from source is the only option.
First, get the tcpdump source. It is available for download from the official site, http://www.tcpdump.org/.

$ wget http://www.tcpdump.org/release/tcpdump-4.6.2.tar.gz
$ wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz

Then unpack the downloaded archives.
They are tar.gz archives, so the tar command extracts the source code:

$ tar -xvf ./tcpdump-4.6.2.tar.gz
$ tar -xvf ./libpcap-1.6.2.tar.gz

Finally, build and install from the source.
libpcap must be built and installed first. libpcap itself depends on a few other packages; if the build reports errors, the corresponding dependencies must be installed.
If configuring libpcap fails with "configure: error: Your operating system's lex is insufficient to compile libpcap", the flex package is not installed. Download flex-2.5.35.tar.gz from flex.sourceforge.net and unpack it with tar -xvf ./flex-2.5.35.tar.gz.

If bison is missing, configuring libpcap prints "configure: WARNING: don't have both flex and bison; reverting to lex/yacc" followed by "checking for capable lex... insufficient". Download bison-2.4.1.tar.gz from ftp.gnu.org/gnu/bison/ and unpack it with tar zxvf bison-2.4.1.tar.gz.

If configuring bison-2.4.1 fails with "configure: error: GNU M4 1.4 is required", m4 is not installed. Download m4-1.4.13.tar.gz from ftp.gnu.org/gnu/m4/ and unpack it with tar zxvf m4-1.4.13.tar.gz.

Then, in dependency order, enter the directories m4-1.4.13, bison-2.4.1, flex-2.5.35, libpcap-1.6.2 and tcpdump-4.6.2 and run the following in each:

$ ./configure
$ make
$ sudo make install

Once these commands have completed, the libpcap capture library and tcpdump are ready to use. Because the archives above are fetched over plain HTTP, verify them against the signatures published on tcpdump.org before building.
Note: capturing requires running as root, because the system does not allow non-root users to perform the required network operations.

Basic use
The tcpdump command synopsis (for the 3.9/4.x releases this article is based on) is:
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ]
        [ expression ]

The command-line options are:
-A  Print each packet (minus its link-layer header) in ASCII.
-c count  Exit after receiving count packets.
-C file_size  Before writing a raw packet to a savefile, check whether the file is currently larger than file_size; if so, close it and open a new one (named like the -w file with a number appended, starting at 1). file_size is in millions of bytes (1,000,000 bytes, not 1,048,576).
-d  Dump the compiled packet-matching code in a human-readable form and stop. This is the way to check that a filter expression compiles to what you meant before starting a capture.
-dd  Dump the packet-matching code as a C program fragment.
-ddd  Dump the packet-matching code as decimal numbers (preceded by a count).
-D  Print the list of network interfaces on which tcpdump can capture.
-e  Print the link-layer header on each dump line.
-E spi@ipaddr algo:secret  Decrypt IPsec ESP packets addressed to ipaddr and carrying Security Parameter Index spi, using algorithm algo and the given secret.
-f  Print "foreign" IPv4 addresses numerically rather than symbolically.
-F file  Read the filter expression from file; any expression given on the command line is ignored.
-i interface  Listen on interface.
-l  Make standard output line buffered (needed when piping the output to another program and watching it live).
-L  List the known data link types for the interface.
-m module  Load SMI MIB module definitions from file module; may be given several times to load several MIB modules.
-M secret  Use secret as the shared secret for validating the digests in TCP segments carrying the TCP-MD5 option (see RFC 2385).
-n  Don't convert addresses (host addresses, port numbers, and so on) to names. This also avoids the DNS lookups that slow a capture down and generate traffic of their own.
-N  Don't print the domain part of host names; for example, print "nic" instead of "nic.ddn.mil".
-O  Don't run the packet-matching code optimizer.
-p  Don't put the interface into promiscuous mode.
-q  Quick (quiet) output: print less protocol information, so lines are shorter.
-r file  Read packets from file (normally created with -w) instead of from an interface.
-S  Print absolute rather than relative TCP sequence numbers.
-s snaplen  Capture snaplen bytes of each packet rather than the default. The default was 68 bytes in tcpdump 3.x (enough for the IP, ICMP, TCP and UDP headers, but it cuts off payload and can truncate NFS and DNS); tcpdump 4.0 and later default to capturing the whole packet.
-T type  Force packets selected by the expression to be interpreted as the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).
-t  Don't print a timestamp on each line.
-tt  Print an unformatted timestamp (seconds since the epoch) on each line.
-ttt  Print the time elapsed since the previous line.
-tttt  Print the timestamp in the default format preceded by the date.
-u  Print undecoded NFS handles.
-v  Slightly more verbose output, for example the TTL, identification, total length and options of an IP packet.
-vv  Even more verbose output.
-w file  Write the raw packets to file rather than parsing and printing them.
-W filecount  Together with -C, limit the number of savefiles created to filecount, overwriting from the first one again once the limit is reached.
-x  Print each packet (minus its link-layer header) in hex. The whole packet is printed if it is smaller than snaplen; otherwise only snaplen bytes are.
-xx  Print each packet, including its link-layer header, in hex.
-X  Print each packet (minus its link-layer header) in hex and ASCII.
-XX  Print each packet, including its link-layer header, in hex and ASCII.
-y datalinktype  Set the data link type to use while capturing.
-Z user  If tcpdump is running as root, drop root after opening the capture device or savefile: the user ID is changed to user and the group ID to user's primary group. Use this whenever you capture as root, so that a bug in one of the protocol decoders is not reachable with root privileges; some distributions build tcpdump to drop to a dedicated user by default.

Commonly used options and the situations they fit:

Default start

$ sudo tcpdump

With no arguments tcpdump captures every packet passing through the first network interface it finds (the lowest-numbered interface that is up, excluding the loopback interface).

Watching the packets on a specific interface

$ sudo tcpdump -i eth0

To find out which interfaces the machine has, run tcpdump -D. To listen on all interfaces at once, set the -i value to any (that is, -i any; this pseudo-interface is Linux-specific).

Viewing packets as ASCII

$ sudo tcpdump -A

Many server protocols carry their data as plain text. The SQL statements sent to a MySQL server, for example, travel in the clear, so -A lets you read the exact statements on the wire. The same property means that anyone able to capture the traffic can read them too, which is the case for encrypting such connections.

Writing packets to a file

$ sudo tcpdump -w /tmp/tp.log

Once the packets are written to a file (in pcap format, whatever extension you choose) they can be analysed with other packet analysis software such as Wireshark.

Setting the capture length

$ sudo tcpdump -s 200

If the default capture length is too short, the information you want to see is cut off (tcpdump marks a truncated header with a bracketed protocol name such as [|tcp]). Pass -s with a larger value, or -s 0 to capture whole packets.
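The practical risk with -s is silent truncation: a savefile whose packets were cut at snaplen still opens and parses, but any analysis that needs the missing bytes (payload for -A, options past the first 68 bytes) is wrong without warning. The following added example, not from the original article, builds a pcap file in memory the way tcpdump -s N -w file would, then reads it back and reports how many records have a captured length shorter than their original length. The pcap record header stores both lengths, which is what makes the check possible. The frames, timestamps and filler bytes are constructed for the example (the MAC addresses are the ones from the -e output later in the article); to check a real file, pass the bytes of the file written by -w to truncation_report.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # read little-endian, this magic means microsecond timestamps
LINKTYPE_ETHERNET = 1
OLD_DEFAULT_SNAPLEN = 68  # the historic default the article refers to


def build_pcap(snaplen, frames):
    """Build an in-memory pcap file the way 'tcpdump -s snaplen -w file' would:
    every frame is cut at snaplen, and the record header keeps both the captured
    length and the original length, so the truncation is visible afterwards."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def iter_records(data):
    """Yield (ts_sec, ts_usec, caplen, origlen, payload) for each record of a pcap image."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x (big-endian or pcapng file?)" % magic)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        yield ts_sec, ts_usec, caplen, origlen, data[off:off + caplen]
        off += caplen


def truncation_report(data, need=None):
    """Return (records, truncated, bytes_lost). With need=N, a record only counts as
    truncated when it lost bytes you actually need, i.e. caplen < min(origlen, N)."""
    records = truncated = lost = 0
    for _, _, caplen, origlen, _ in iter_records(data):
        records += 1
        wanted = origlen if need is None else min(origlen, need)
        if caplen < wanted:
            truncated += 1
            lost += origlen - caplen
    return records, truncated, lost


# Constructed sample frames (not from a real capture): an Ethernet header carrying the
# MAC addresses from the article's -e output and the IPv4 ethertype, then zero filler.
def _frame(total_len):
    eth = bytes.fromhex("00163e006cfc") + bytes.fromhex("00163e00002f") + b"\x08\x00"
    return eth + bytes(total_len - len(eth))


SAMPLE_FRAMES = [(1000, 0, _frame(110)), (1000, 500, _frame(60)), (1001, 0, _frame(1514))]


def demo(snaplen=OLD_DEFAULT_SNAPLEN):
    """Write the sample frames with the given snaplen, read the image back and report."""
    return truncation_report(build_pcap(snaplen, SAMPLE_FRAMES))


if __name__ == "__main__":
    for s in (OLD_DEFAULT_SNAPLEN, 200, 65535):
        print("snaplen %5d -> records=%d truncated=%d bytes_lost=%d" % ((s,) + demo(s)))
```

Against a real capture, call truncation_report(open('/tmp/tp.log', 'rb').read()). The need argument asks a narrower question: need=54 checks only that every record holds the full 14-byte Ethernet, 20-byte IPv4 and 20-byte TCP headers, which the old 68-byte default always satisfies, while a payload analysis needs the whole packet.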

tcpdump can capture on one specified interface or on all of them. By default it prints every packet it captures, but that is usually far too much to analyse, so tcpdump accepts a filter expression and shows only the packets that match it. The expression syntax is introduced below.
The expression is a filter condition in the pcap-filter syntax (it is not a regular expression): a packet is captured if it satisfies the expression, and if no expression is given every packet on the interface is captured. An expression is built from a few kinds of keywords.
The first kind is the type qualifier: host, net and port. For example:

# tcpdump host 102.168.1.100

Capture all packets sent from or to the host 102.168.1.100.

# tcpdump net 192.168.1.0/24

Capture all packets sent from or to any host in the network 192.168.1.0/24.

# tcpdump port 23

Capture all packets whose source or destination port is 23. If no type qualifier is given, host is assumed.

The second kind is the direction qualifier: src, dst, src or dst, and src and dst, which state the direction of transfer. For example:

# tcpdump src host 102.168.1.100

Capture all packets sent by the host 102.168.1.100.

# tcpdump dst net 192.168.1.0/24

Capture all packets sent to any host in the network 192.168.1.0/24. The network may be given as a name (from /etc/networks) or as a number.
If no direction qualifier is given, src or dst is assumed.

The third kind is the protocol qualifier: ip, ip6, arp, rarp, tcp, udp, icmp and so on, which restricts the match to packets of that protocol. If no protocol qualifier is given, all protocols consistent with the type are assumed, so "port 23" matches both TCP and UDP.

# tcpdump udp

Capture all UDP packets.

The fourth kind is the logical operators: negation is "not" or "!", conjunction is "and" or "&&", and alternation is "or" or "||". Parentheses group sub-expressions, and because parentheses and "!" are special to the shell the whole expression should be quoted. Precedence is not, then and, then or. These can be combined into as specific a condition as you need.

# tcpdump "dst host 192.168.1.100 and (port 80 or port 8080)"

Capture all packets destined for host 192.168.1.100 on port 80 or port 8080.

Besides the keywords above, other useful primitives are portrange, gateway, broadcast, less and greater.

# tcpdump -n dst portrange 1-1023

Capture all packets whose destination port is between 1 and 1023 (-n keeps tcpdump from resolving addresses and ports to names).

# tcpdump greater 20

Capture all packets whose length is at least 20 bytes: greater N means len >= N, and less N means len <= N.
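To make the defaulting rules above concrete, here is an added example that is not part of the original article and is not tcpdump's own BPF compiler: a small Python model of the expression grammar that applies host, net, port and portrange, the direction and protocol qualifiers, greater/less and the logical operators (with their precedence and parentheses) to constructed packet summaries. It reproduces the rules stated above: a missing type means host, a missing direction means src or dst, "port N" matches either end, and greater N means len >= N. The packet records, addresses and ports in SAMPLE are invented for the example; the model resolves no host or service names and accepts numeric values and CIDR networks only.

```python
import ipaddress


class Packet:
    """Constructed packet summary used to evaluate filter primitives (not a real capture)."""
    def __init__(self, proto, src, sport, dst, dport, length):
        self.proto, self.src, self.sport = proto, src, sport
        self.dst, self.dport, self.length = dst, dport, length


PROTOS = {"ip", "arp", "rarp", "tcp", "udp", "icmp"}
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}


def tokenize(expr):
    for sym, word in (("(", " ( "), (")", " ) "), ("&&", " and "), ("||", " or "), ("!", " not ")):
        expr = expr.replace(sym, word)
    return expr.split()


def make_matcher(direction, type_, value):
    """Predicate for one primitive such as 'dst port 80' or 'src or dst net 10.0.0.0/8'."""
    def side(p, which):
        addr = p.src if which == "src" else p.dst
        port = p.sport if which == "src" else p.dport
        if type_ == "host":
            return ipaddress.ip_address(addr) == ipaddress.ip_address(value)
        if type_ == "net":
            return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
        if port is None:          # ARP and the like carry no ports: port primitives never match
            return False
        if type_ == "port":
            return port == int(value)
        lo, hi = (int(x) for x in value.split("-"))   # portrange lo-hi
        return lo <= port <= hi
    if "and" in direction.split():
        return lambda p: side(p, "src") and side(p, "dst")
    if "or" in direction.split():
        return lambda p: side(p, "src") or side(p, "dst")
    return lambda p: side(p, direction)


class Parser:
    """Recursive descent over: expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | '(' expr ')' | primitive. 'not' binds tightest, 'or' loosest."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self, k=0):
        j = self.i + k
        return self.toks[j] if j < len(self.toks) else None

    def take(self):
        t = self.peek()
        if t is None:
            raise SyntaxError("unexpected end of expression")
        self.i += 1
        return t

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError("trailing token %r" % self.peek())
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = (lambda l, r: lambda p: l(p) or r(p))(node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = (lambda l, r: lambda p: l(p) and r(p))(node, self.factor())
        return node

    def factor(self):
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return node
        return self.primitive()

    def primitive(self):
        t = self.take()
        if t in PROTOS:                       # protocol qualifier: 'udp', 'arp', 'tcp port 80'
            proto_pred = lambda p, proto=t: p.proto == proto or (
                proto == "ip" and p.proto in ("tcp", "udp", "icmp"))
            if self.peek() in DIRS or self.peek() in TYPES:
                rest = self.primitive()
                return lambda p: proto_pred(p) and rest(p)
            return proto_pred
        if t in ("greater", "less"):         # len >= n / len <= n, as in pcap-filter(7)
            n = int(self.take())
            return (lambda p: p.length >= n) if t == "greater" else (lambda p: p.length <= n)
        direction = "src or dst"              # default direction qualifier
        if t in DIRS:
            direction = t
            if self.peek() in ("or", "and") and self.peek(1) in DIRS:   # 'src or dst', 'src and dst'
                direction = "%s %s %s" % (t, self.take(), self.take())
            t = self.take()
        type_ = "host"                        # default type qualifier
        if t in TYPES:
            type_ = t
            t = self.take()
        return make_matcher(direction, type_, t)


def compile_filter(expr):
    """Return a predicate over Packet objects; an empty expression matches everything."""
    return Parser(tokenize(expr)).parse() if expr.strip() else (lambda p: True)


SAMPLE = [  # invented traffic: proto, src, sport, dst, dport, length
    Packet("tcp", "192.168.1.50", 41684, "192.168.1.100", 80, 110),
    Packet("tcp", "192.168.1.100", 8080, "10.0.0.7", 52000, 60),
    Packet("udp", "192.168.1.7", 65535, "224.7.3.1", 12345, 92),
    Packet("tcp", "10.0.0.7", 52001, "192.168.1.100", 8080, 74),
    Packet("arp", "192.168.1.1", None, "192.168.1.100", None, 42),
]


def match_indices(expr, packets=SAMPLE):
    """Indices of the packets a filter would let through."""
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]
```

match_indices("dst host 192.168.1.100 and (port 80 or port 8080)") picks packets 0 and 3, and the ARP packet to the same host is excluded because a port primitive can never match a packet without ports. For the real thing, tcpdump -d prints the compiled BPF program for an expression, which is the authoritative way to confirm what a filter does.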

Basic format of the output:
Although the details vary with the options given, the basic layout of every line is the same: timestamp, source host.port > destination host.port, then the packet's protocol details. The typical cases are walked through below.
Data link layer header (with -e):

# tcpdump -e host host2 and port 11211
...
16:49:57.940257 00:16:3e:00:00:2f (oui Unknown) > 00:16:3e:00:6c:fc (oui Unknown), ethertype IPv4 (0x0800), length 110: host1.41684 > host2.11211: P 1036863:1036907(44) ack 839113 win 115 <nop,nop,timestamp 1914224417 1914343362>
...

16:49:57.940257 is the capture time, hours:minutes:seconds followed by microseconds (.940257 is the fractional second, not an ID).
00:16:3e:00:00:2f is the MAC address of the host that sent the frame.
(oui Unknown) means the OUI (the vendor prefix of the MAC address) was not found in tcpdump's vendor table.
00:16:3e:00:6c:fc is the MAC address of the destination host.
ethertype IPv4 (0x0800) is the EtherType: the frame carries an IPv4 packet.
length 110 is the length of the whole frame in bytes.
host1.41684: the sending host is host1 and the source port is 41684.
host2.11211: the destination host is host2 and the destination port is 11211 (memcached's default port). With -n tcpdump prints the numeric address instead of the name.
P is the TCP PUSH flag: the segment carries data to be handed to the application without delay.
1036863:1036907(44): the segment's data occupies sequence numbers 1036863 up to 1036907, 44 bytes. Sequence numbers are printed relative to the start of the connection unless -S is given.
ack 839113: the sender has received everything up to sequence number 839113 from the other side and expects 839113 next (it is the acknowledgement number, not a reference to one particular packet).
win 115: the sender's advertised receive window, in units of the window scale factor negotiated at connection setup, if any.
<nop,nop,timestamp 1914224417 1914343362>: the TCP options in the segment, here two padding NOPs and the timestamp option.

Output for TCP packets:

# tcpdump tcp port 11211
...
17:31:47.143178 IP host1.48232 > host2.11211: S 307816357:307816357(0) win 14600 <mss 1460,sackOK,timestamp 1916733618 0,nop,wscale 7>
...

17:31:47.143178 is the time.
IP is the network-layer protocol.
host1.48232 > is the sending host and port; the > shows the direction of transfer.
host2.11211 is the receiving host and port.
S is the TCP flags field: S (SYN), F (FIN), P (PUSH), R (RST), and "." when none of these is set, i.e. a plain ACK segment. Newer tcpdump versions print this as Flags [S].
The fifth column, data-seqno, is 307816357:307816357(0): the sequence numbers covered by the segment's data, first:last(bytes). A SYN carries no data, so the length is 0.
The sixth column, ack, is the next sequence number the sender expects from the other side; it is absent here because the first SYN of a handshake acknowledges nothing.
The seventh column, win 14600, is the receive window the sender is advertising.
The angle brackets hold the TCP options: a maximum segment size of 1460, selective acknowledgement permitted, timestamps, and a window scale factor of 7 (window values in later segments from this host are multiplied by 2^7).

Output for UDP packets:
The general form of a UDP line captured with tcpdump is:
src.port1 > dst.port2: UDP, length N

# tcpdump udp
...
06:03:21.199876 IP v101081217.sqa.zmf.bo56.com.65535 > 224.7.3.1.entextxid: UDP, length 64
...

UDP lines are simple: the one above is a UDP datagram from port 65535 of host v101081217.sqa.zmf.bo56.com to the entextxid port of the multicast address 224.7.3.1, with a UDP payload length of 64. "entextxid" is a service name looked up in /etc/services; run tcpdump with -n to see the port number instead, and to avoid name lookups that slow the capture and generate traffic of their own.
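The fields described above for the -e, TCP and UDP lines can be pulled out mechanically. The following added example, not from the original article, parses those three output lines plus a few constructed ones in the same older single-letter flag format into dicts, then applies a simple detection rule over them: a source that sends SYNs without ACK to several distinct host:port pairs is reported as a possible port scanner. The lines from 10.0.0.9 are invented for the example. Note that tcpdump 4.x prints the flags as Flags [S] and separates the TCP fields with commas; the regular expressions here target the format shown on this page and would need adjusting for that newer output.

```python
import re
from collections import defaultdict

# Output lines copied from the article (old single-letter TCP flag style) plus constructed
# SYN lines in the same format so the scan counter has something to find. Not a real capture.
SAMPLE_LINES = [
    "16:49:57.940257 00:16:3e:00:00:2f (oui Unknown) > 00:16:3e:00:6c:fc (oui Unknown), "
    "ethertype IPv4 (0x0800), length 110: host1.41684 > host2.11211: P 1036863:1036907(44) "
    "ack 839113 win 115 <nop,nop,timestamp 1914224417 1914343362>",
    "17:31:47.143178 IP host1.48232 > host2.11211: S 307816357:307816357(0) win 14600 "
    "<mss 1460,sackOK,timestamp 1916733618 0,nop,wscale 7>",
    "06:03:21.199876 IP v101081217.sqa.zmf.bo56.com.65535 > 224.7.3.1.entextxid: UDP, length 64",
    "17:31:48.000001 IP 10.0.0.9.40001 > 192.168.1.100.22: S 1:1(0) win 1024 <mss 1460>",
    "17:31:48.000002 IP 10.0.0.9.40002 > 192.168.1.100.23: S 2:2(0) win 1024 <mss 1460>",
    "17:31:48.000003 IP 10.0.0.9.40003 > 192.168.1.100.80: S 3:3(0) win 1024 <mss 1460>",
    "17:31:48.000004 IP 192.168.1.100.22 > 10.0.0.9.40001: S 9:9(0) ack 2 win 5840 <mss 1460>",
]

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{6}) "
    # with -e: "srcmac (oui X) > dstmac (oui X), ethertype T (0xNNNN), length N: "
    r"(?:(?P<smac>[0-9a-f:]{17}) \(oui [^)]*\) > (?P<dmac>[0-9a-f:]{17}) \(oui [^)]*\), "
    r"ethertype (?P<ethertype>\w+) \((?P<ethertype_hex>0x[0-9a-f]{4})\), length (?P<framelen>\d+): "
    # without -e: the network-layer protocol name
    r"|(?P<proto>IP6?) )?"
    # "src.port > dst.port: rest"; hosts may be dotted names, ports may be service names
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): (?P<rest>.*)$"
)
TCP_RE = re.compile(
    r"^(?P<flags>[SFPRWE.]+)"
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<datalen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?(?: <(?P<options>[^>]*)>)?"
)
UDP_RE = re.compile(r"^UDP, length (?P<datalen>\d+)")


def parse_line(line):
    """Turn one tcpdump output line into a dict, or None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    rest = rec.pop("rest")
    if "framelen" in rec:
        rec["framelen"] = int(rec["framelen"])
    u, t = UDP_RE.match(rest), TCP_RE.match(rest)
    if u:
        rec["l4"], rec["datalen"] = "udp", int(u.group("datalen"))
    elif t:
        rec["l4"], rec["flags"] = "tcp", t.group("flags")
        for k in ("seq_start", "seq_end", "datalen", "ack", "win"):
            if t.group(k) is not None:
                rec[k] = int(t.group(k))
        if t.group("options"):
            rec["options"] = t.group("options").split(",")
    else:
        rec["l4"] = "other"
    return rec


def syn_targets(records):
    """Map each source host to the set of (dst, port) pairs it sent a SYN without ACK to."""
    targets = defaultdict(set)
    for r in records:
        if r.get("l4") == "tcp" and "S" in r["flags"] and "ack" not in r:
            targets[r["src"]].add((r["dst"], r["dport"]))
    return targets


def scan_suspects(lines, threshold=3):
    """Sources that opened connections to at least `threshold` distinct (host, port) pairs."""
    records = [r for r in map(parse_line, lines) if r]
    return sorted(src for src, tg in syn_targets(records).items() if len(tg) >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("scan suspects:", scan_suspects(SAMPLE_LINES))
```

A SYN/ACK from 192.168.1.100 is not counted because the line carries an ack field, so only the client side of each handshake contributes; with the threshold at 3 the single SYN from host1 is ignored and 10.0.0.9 is reported. In practice, feed it the output of tcpdump -n -l (numeric addresses, line-buffered) so the host and port fields are stable and the pipe delivers lines as they are printed.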

Exercise:
Observe the traffic between a MySQL client and server.

PS:
Bear in mind that for tcpdump to capture, the network interface is switched into promiscuous mode when tcpdump starts, so you will see messages in /var/log/messages reporting that the NIC entered promiscuous mode. This is normal (use -p if you only need the traffic addressed to the host itself). For more uses, see man tcpdump.


Source Address: http://www.bo56.com/%E8%B0%83%E8%AF%95%E5%88%A9%E5%99%A8%E4%B9%8Btcpdump/
