Usage parameters of the tcpdump command

Tcpdump is defined as simple as possible, namely: dumpthetrafficeonanetwork. a packet analysis tool that intercepts packets on the network according to the user's definition. As a necessary tool for the classic system administrator on the Internet, tcpdump, with its powerful functions and flexible interception policies, becomes an analysis network for every senior system administrator,

We should define it as simple as possibleTcpdumpDump the traffice on anetwork. it is a packet analysis tool that intercepts packets on the network according to the user's definition. As an essential tool for system administrators on the Internet,TcpdumpWith its powerful functions and flexible interception policies, each advanced system administrator can analyze the network and troubleshoot problems. TcpDump can completely intercept the "header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information. Tcpdump is a free network analysis tool. It provides source code and open interfaces. Therefore, tcpdump is highly scalable and useful for network maintenance and intruders. Tcpdump exists in the basic FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local machine, but a threat to the security of other computers on the network.

   Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
# Tcpdump
Tcpdump: listening on fxp0
11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50
11:58:47. 974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1d ui/Clen = 43
                        00000000 0080 0000 1007 cf08 0900 0000
                        0e800000 902b 4695 0980 8701 0014
                        000f0000 902b 4695 0008 00
11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui/Clen = 97
                        Ffff0060 0004 ffff
                        0452 ffff 0000 e85b 6d85 4008 0002
                        06404d41 5354 4552 5f57 4542 0000 0000
                        000000
^ C

   Tcpdump supports many different parameters. for example, you can use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces, use the-c parameter to specify the number of data packets to be monitored, and use the-w parameter to specify to write the data packets to the file for storage, and so on.

   However, the more complex tcpdump parameter is used for filtering, because the traffic in the network is large. If no difference is added, all data packets are intercepted, and the data volume is too large, instead, it is difficult to find the required data packets. Filter rules defined by these parameters can be used to intercept specific data packets to narrow down the target so as to better analyze problems in the network. Tcpdump uses parameters to specify the type, address, and port of the data packet to be monitored. based on specific network problems, making full use of these filtering rules can quickly locate faults. Use mantcpdump to view the specific usage of these filter rules.

   Obviously, this type of network analysis software should not be run on computers that are not used for network management. to shield them, we can shield bpfilter pseudo devices in the kernel. Generally, network hardware and TCP/IP stacks do not support receiving or sending data packets unrelated to the computer. to receive these data packets, you must use the network adapter's hybrid mode, and bypass the standard TCP/IP stack. In FreeBSD, the kernel must support bpfilter, a pseudo-device. Therefore, network analysis tools such as tcpdump can be shielded by canceling bpfilter in the kernel.

   When the NIC is set to the hybrid mode, the system will leave a record in the console and log files, reminding the administrator to check whether the system is used as a springboard to attack other computers on the same network.

   May 15 16:27:20 host1/kernel: fxp0: promiscuous mode enabled

   Although the network analysis tool can record the data transmitted over the network, the data traffic in the network is quite large, how to analyze, classify, and collect statistics on the data, and discover and report errors is more critical. Data packets in the network belong to different protocols, and the formats of data packets in different protocols are also different. Therefore, decoding captured data and displaying packet information as much as possible is more important for protocol analysis tools. The advantage of expensive commercial analysis tools is that they support many types of application layer protocols, not only tcp, udp and other low-layer protocols.

   According to the output of tcpdump, tcpdump does not thoroughly decode the intercepted data. most of the content in the data packet is printed in hexadecimal format. Obviously, this is not conducive to the analysis of network faults. The common solution is to first use tcpdump with The-w parameter to capture data and save it to the file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to prevent the captured data packets from filling the entire hard disk. A valid decoding program provided by FreeBSD is tcpshow, which can be installed through PackagesCollection.

# Pkg_add/cdrom/packages/security/tcpshow *
# Tcpdump-c 3-w tcpdump. out
Tcpdump: listening on fxp0
# Tcpshow <tcpdump. out
---------------------------------------------------------------------------
Packet 1
TIME: 12: 00: 59.984829
LINK: 00: 10: 7B: 08: 3A: 56-> 01: 80: C2: 00: 00: 00 type = 0026
<*** No decode support for encapsulated protocol ***>
---------------------------------------------------------------------------
Packet 2
TIME: 12: 01: 01.074513 (1.089684)
LINK: 00: A0: C9: AB: 3C: DF-> FF: FF type = ARP
ARP: htype = Ethernet ptype = IP hlen = 6 plen = 4 op = request
Sender-MAC-addr = 00: A0: C9: AB: 3C: DFsender-IP-address = 202.102.245.3
Target-MAC-addr = 00: 00: 00: 00: 00target-IP-address = 202.102.245.3
---------------------------------------------------------------------------
Packet 3
TIME: 12: 01:01.985023 (0.910510)
LINK: 00: 10: 7B: 08: 3A: 56-> 01: 80: C2: 00: 00: 00 type = 0026
<*** No decode support for encapsulated protocol ***>

   Tcpshow can decode data packets in different ways and display the decoded data in different ways. you can select the most suitable parameter based on the manual to analyze the intercepted data packets. As shown in the preceding example, tcpshow does not support many protocols and cannot decode protocols that it does not support.

   In addition to tcpdump, FreeBSD PackagesCollecion provides two network analysis tools, Ethereal and Sniffit, and other security tools based on network analysis. Ethereal runs in XWindow and has a good graphic interface. Sniffit uses the character window format and is also easy to operate. However, because tcpdump has more powerful support for filtering rules, system administrators still prefer to use it. For experienced network administrators, using these network analysis tools can not only be used to understand how the network runs, where the fault occurs, but also conduct effective statistics, for example, the protocol generates a major proportion of the traffic, the busiest host, and the network bottleneck. Therefore, the network analysis tool is a valuable system tool for network management. To prevent the interception of network analysis tools with data abuse, the key is to solve the problem in the physical structure of the network. A common method is to use a switch or bridge to separate a trusted network from an untrusted network, which can prevent external network segments from eavesdropping on internal data transmission, but it still cannot solve the data security problem when the internal network and the external network communicate with each other. If you do not have sufficient funds to upgrade the shared hub on the network to an Ethernet switch, you can use the FreeBSD system to execute the bridge task. This requires you to use the optionBRIDGE compilation option to re-customize the kernel, and then use the bridge command to start the bridge function.

Tcpdump adopts the command line method. its command format is:
   Tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name]
[-I network interface] [-r file name] [-s snaplen]
[-T type] [-w file name] [expression]

 

(1) Introduction to tcpdump options

-A converts a network address and broadcast address into a name;
-D. give the code that matches the information package in an assembly format that people can understand;
-Dd provides the code that matches the information package in the format of the C program segment;
-Ddd provides the matching information package code in decimal format;
-E prints the header information of the data link layer in the output line;
-F print the Internet address in numbers;
-L changes the standard output to the buffer row format;
-N does not convert the network address into a name;
-T no timestamp is printed on each output line;
-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information;
-Vv: output detailed message information;
-C. after receiving the specified number of packages, tcpdump stops;
-F read the expression from the specified file and ignore other expressions;
-I indicates the network interface of the listener;
-R reads packets from a specified file (these packets are generally generated using the-w option );
-W directly writes the package into the file and does not analyze or print it out;
-T directly interpret the listening packet as a specified type of message. Common types include rpc (remote process call) and snmp (Simple Network Management Protocol ;)

(2) Introduction to tcpdump expressions
 

   The expression is a regular expression. tcpdump uses it as a condition for filtering packets. if a packet meets the expression conditions, the packet will be captured. If no conditions are provided, all information packets on the network will be intercepted. The following types of keywords are generally used in expressions.
 

   The first type keyword mainly includes host, net, port, for example host 210.27.48.2. it indicates that 210.27.48.2 is a host, and net 202.0.0.0 indicates that 202.0.0.0 is a network address, port 23 indicates that the port number is 23. If no type is specified, the default type is host.
 

   The second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src, which indicate the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the src or dst keyword is used by default.

      The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates a specific network protocol on FDDI (distributed optical fiber data interface network). In fact, it is an alias of "ether". fddi and ether have similar source and destination addresses, therefore, the fddi protocol package can be processed and analyzed as the ether package. The other keywords indicate the protocol content of the listener package. If no protocol is specified, tcpdump listens to the information packages of all protocols.

   In addition to these three types of keywords, other important keywords include gateway, broadcast, less, greater, and three logical operations. The non-operation type is 'not ''! ', And the operation is 'and',' & '; or the operation is 'or',' │ '; these keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples.

      A wants to intercept all packets received and sent by all 210.27.48.1 hosts:
# Tcpdump host 210.27.48.1
B. to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command: (when parentheses are applied in the command line, be sure
# Tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)
C if you want to obtain the IP package for all hosts except 210.27.48.1 and 210.27.48.2, run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
D. to obtain the telnet packet received or sent by the host 210.27.48.1, run the following command:
# Tcpdump tcp port 23 host 210.27.48.1

(3) Introduction to output results of tcpdump

      Below we will introduce the output information of several typical tcpdump commands.

A. data link layer header information

Use commands
# Tcpdump -- e host ice
Ice is a linux host. her MAC address is 0: 90: 27: 58: AF: 1A.
H219 is a SUN workstation with SOLARIC. its MAC address is 8: 0: 20: 79: 5B: 46. the output result of the previous command is as follows:
21:50:12. 847509 eth0 <8: 0: 20: 79: 5b: 46 0: 90: 27: 58: af: 1a ip 60: h219.33357> ice. telne
T 0: 0 (0) ack 22535 win 8760 (DF)

   Analysis: 21: 50: 12 indicates the display time, 847509 indicates the ID number, and eth0 indicates the display time. <表示从网络接口eth0 接受该数据包，eth0> The packet sent from the network interface device. 8: 0: 20: 79: 5b: 46 is the MAC address of the host H219. it indicates the packet sent from the source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE, indicating that the destination address of the data packet is ICE. ip indicates that the data packet is an IP data packet, and 60 indicates the length of the data packet, h219.33357> ice. telnet indicates that the packet is the TELNET (23) Port sent from Port 33357 of host H219 to host ICE. ack 22535 indicates to respond to a packet whose serial number is 222535. win 8760 indicates that the size of the sending window is 8760.

B. TCPDUMP output information of ARP packets
 

Use commands
# Tcpdump arp
The output result is:
22:32:42. 802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)
22:32:42. 802902 eth0 <arp reply route is-at 0: 90: 27: 12: 10: 66 (0: 90: 27: 58: af: 1a)
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0> indicates that the packet is sent from the host, arp indicates that the packet is an ARP Request packet, who-has route tell ice indicates that it is the MAC address of the host ROUTE requested by the host ICE. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE.

C. TCP packet output information

      The common output information of TCP packets captured with TCPDUMP is:
Src> dst: flags data-seqno ack window urgent options
Src> dst: Indicates from the source address to the destination address. flags indicates the flag information in the TCP packet, S indicates the SYN mark, F (FIN), P (PUSH), R (RST )". "(not marked); data-seqno is the sequence number of data in the data packet, ack is the sequence number expected next time, window is the size of the window that receives the cache, and urgent indicates whether there is an emergency pointer in the data packet. options is an option.

D. UDP packet output information

      The general output information of the UDP packet captured with TCPDUMP is:
Route. port1> ice. port2: udp lenth
UDP is very simple. the output line above indicates a UDP packet sent from the port1 port of the host ROUTE to the port2 port of the host ICE. the type is UDP and the package length is lenth.