A sniffer is a double-edged sword in network security: it can be used by attackers as a network attack tool, or it can help O&M personnel diagnose network faults. This article takes three common network sniffers on Linux, Tcpdump, Ethereal and EtherApe, as examples and describes how to use a sniffer to diagnose network faults so that the network keeps running efficiently and securely. Because sniffers are very powerful tools, this article is only an introduction; interested readers can explore further on their own.
● Tcpdump is a command line network traffic monitoring tool. It appeared early and is the prototype of many graphical sniffers.
● Ethereal is a graphical network traffic monitoring tool. It is much more user-friendly than the command line Tcpdump and lets you watch the capture as it happens.
● EtherApe is also a graphical network traffic monitoring tool. Unlike Ethereal, EtherApe shows the connections between hosts.
(I) Tcpdump
When network performance drops sharply, you can use Tcpdump to analyze the traffic and find the root cause of the congestion.
Tcpdump can capture the packets received by the network card and help the network administrator analyze their contents.
Knowing how to use Tcpdump to capture the packets of interest is a basic skill for O&M personnel.
(1) Tcpdump Installation
Most GNU/Linux distributions install it by default; if it is not available, download it from http://www.tcpdump.org.
(2) Tcpdump command line options
Tcpdump is a command line network sniffer. Without filtering, the flood of captured packets makes it hard for O&M personnel to find the clues they need.
Common Tcpdump command line options:
-a: converts network addresses and broadcast addresses into easily recognizable names.
-d: outputs the compiled packet-matching code in a human-readable format.
-dd: outputs the packet-matching code as a C program fragment.
-ddd: outputs the packet-matching code as decimal numbers.
-e: outputs the data link layer header on each line.
-f: outputs foreign internet addresses numerically rather than symbolically.
-l: switches standard output to line-buffered mode.
-n: does not convert network addresses to easily recognizable host names; only numeric host addresses (such as IP addresses) are listed. This avoids DNS queries.
-t: does not output timestamps.
-v: outputs more detailed information, such as the TTL and type of service fields in the IP packet.
-vv: outputs even more detailed packet information.
-c: exits after capturing the specified number of packets.
-F: reads the filter expression from the specified file and ignores any filter expression given on the command line.
-i: the network interface to listen on.
-r: reads packets from the specified file (a file usually created with the -w option).
-w: writes the captured packets directly to the specified file without analyzing or printing them.
-T: interprets the captured packets directly as packets of the specified type.
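As an added example that is not part of the original article, the script below shows how a capture taken with the options above (-n so that address fields are stable, -c so the capture ends) can be summarized to find the hosts sending the most bytes, a first step when looking for the source of congestion. The SAMPLE_CAPTURE text is constructed to look like `tcpdump -n` output; the function name top_talkers is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a text capture taken
# with `tcpdump -n` to find which source hosts send the most bytes.
# A real capture would be produced with, for example:
#   tcpdump -n -i eth0 -c 1000 > capture.txt ; top_talkers < capture.txt
# SAMPLE_CAPTURE below is constructed to look like that output.

SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.5.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000300 IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [P.], seq 2:101, ack 3, win 64240, length 99
12:00:01.000350 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.000400 IP 192.168.1.20.40000 > 10.0.0.5.443: Flags [P.], seq 1:1461, ack 1, win 64240, length 1460
12:00:01.000500 IP 192.168.1.20.40000 > 10.0.0.5.443: Flags [P.], seq 1461:2921, ack 1, win 64240, length 1460'

# Read tcpdump text lines on stdin; print "source_host bytes", largest first.
# Non-IP lines (e.g. ARP) are skipped; the ".port" suffix is stripped so that
# all connections from one host are added together.
top_talkers() {
    awk '
        $2 == "IP" && match($0, /length [0-9]+/) {
            src = $3
            sub(/\.[0-9]+$/, "", src)
            bytes[src] += substr($0, RSTART + 7, RLENGTH - 7)
        }
        END { for (h in bytes) printf "%s %d\n", h, bytes[h] }
    ' | sort -k2,2nr
}

printf '%s\n' "$SAMPLE_CAPTURE" | top_talkers
```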