Use Tcpdump in linux to analyze network details

Source: Internet
Author: User

Introduction to network data collection and analysis tool TcpDump

As the name suggests, TcpDump can completely intercept the "Header" of the packets transmitted in the network for analysis. It supports filtering network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information. Tcpdump is a free network analysis tool. It provides source code and open interfaces. Therefore, tcpdump is highly scalable and useful for network maintenance and intruders. Tcpdump exists in the basic FreeBSD system. Because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local machine, but a threat to the security of other computers on the network.

Tcpdump is defined as simple as possible: dump the traffice on a network. It is a packet analysis tool that intercepts packets on the network according to the user's definition. As a necessary tool for the classic system administrator on the internet, tcpdump, with its powerful functions and flexible interception policies, becomes one of the essential tasks for every senior system administrator to analyze the network and troubleshoot problems. Tcpdump provides source code and open interfaces, so it has high scalability and is a very useful tool for network maintenance and intruders. Tcpdump exists in the basic FreeBSD system. Because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute the command to obtain information on the network. Therefore, the network analysis tools in the system are not a threat to the security of the local machine, but a threat to the security of other computers on the network.

Installation of network data collection and analysis tool TcpDump

In linux, the installation of tcpdump is very simple. Generally, there are two installation methods. An rpm package is used for installation. In addition, it is installed in the form of a source program. Rpm package installation: the simplest installation method is to compile the software and package it into a binary format. You can directly install the rpm package through the rpm command, you do not need to modify anything. Use the following command to log on as a Super User:
# Rpm-ivh tcpdump-3_4a5.rpm so tcpdump can be successfully installed on your linux system. It's easy.
Source program installation: Since the rpm package installation is very simple, why should we use a more complex source program installation? In fact, the biggest attraction of linux is that there are a lot of software on it that provides the source program. People can modify the source program to meet their special needs. Therefore, I especially recommend that you install the source program.

The first step is to get the source program. Z), the other is the rpm distribution package (tcpdump-3_4a5.src.rpm ). The two types of content are similar. Different types of content are compressed. You can use the following command to uncompress The. Tar compressed package:
# Tar xvfz tcpdump-3_4a5.tar.Z
Run the following command to install the rpm package:
# Rpm-ivh tcpdump-3_4a5.src.rpm
In this way, extract the source code of tcpdump to the/usr/src/redhat/SOURCES directory.

Step 2 prepare the source program for compilation
Before compiling the source program, you are advised to confirm that the library file libpcap has been installed. This library file is the library file required by tcpdump software. Similarly, you also need a standard C language compiler. In linux, the standard c language compiler is generally gcc. In the tcpdump source program directory. One file is Makefile. in. The configure command automatically generates the Makefile file from the Makefile. in file. In the Makefile. in file, you can modify the BINDEST and MANDEST macro definitions according to the system configuration. The default value is
BINDEST = @ sbindir @
MANDEST = @ mandir @
The first macro value indicates the path name of the binary file where tcpdump is installed, and the second macro value indicates the path name of the tcpdump man help page. You can modify them to meet system requirements.

Step 3 compile the source program
Use the configure script in the source program directory to read various required attributes from the system. The Makefile file is automatically generated according to the Makefile. in file, so that the. make command can be used to compile the tcpdump source program according to the rules in the Makefile file. Run the make install command to install the compiled binary file tcpdump.
Summary:
# Tar xvfz tcpdump-3_4a5.tar.Z
# Vi Makefile. in
#./Configure
# Make
# Make install
3 Use of network data collection and analysis tool TcpDump

Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
# Tcpdump
Tcpdump: listening on fxp0
11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50
11:58:47. 974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1d ui/C len = 43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014
000f 0000 902b 4695 0008 00
11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui/C len = 97
Ffff 0060 0004 ffff
0452 ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
00, 0000
^ C
Tcpdump supports many different parameters. For example, you can use the-I parameter to specify the network interface of the tcpdump listener, which is useful when the computer has multiple network interfaces, use the-c parameter to specify the number of data packets to be monitored, and use the-w parameter to specify to write the data packets to the file for storage, and so on.

However, the more complex tcpdump parameter is used for filtering, because the traffic in the network is large. If no difference is added, all data packets are intercepted, and the data volume is too large, instead, it is difficult to find the required data packets. Filter rules defined by these parameters can be used to intercept specific data packets to narrow down the target so as to better analyze problems in the network. Tcpdump uses parameters to specify the type, address, and port of the data packet to be monitored. Based on specific network problems, making full use of these filtering rules can quickly locate faults. Use man tcpdump to view the specific usage of these filter rules.

Obviously, this type of network analysis software should not be run on computers that are not used for network management. To shield them, we can shield bpfilter pseudo devices in the kernel. Generally, network hardware and TCP/IP stacks do not support receiving or sending data packets unrelated to the computer. To receive these data packets, you must use the network adapter's hybrid mode, and bypass the standard TCP/IP stack. In FreeBSD, the kernel must support bpfilter, a pseudo-device. Therefore, network analysis tools such as tcpdump can be shielded by canceling bpfilter in the kernel.

When the NIC is set to the hybrid mode, the system will leave a record in the console and log files, reminding the Administrator to check whether the system is used as a springboard to attack other computers on the same network.

May 15 16:27:20 host1/kernel: fxp0: promiscuous mode enabled

Although the network analysis tool can record the data transmitted over the network, the data traffic in the network is quite large, how to analyze, classify, and collect statistics on the data, and discover and report errors is more critical. Data packets in the network belong to different protocols, and the formats of data packets in different protocols are also different. Therefore, decoding captured data and displaying packet information as much as possible is more important for protocol analysis tools. The advantage of expensive commercial analysis tools is that they support many types of application layer protocols, not only tcp, udp and other low-layer protocols.

According to the output of tcpdump, tcpdump does not thoroughly decode the intercepted data. Most of the content in the data packet is printed in hexadecimal format. Obviously, this is not conducive to the analysis of network faults. The common solution is to first use tcpdump with the-w parameter to capture data and save it to the file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to prevent the captured data packets from filling the entire hard disk. A valid decoding program provided by FreeBSD is tcpshow, which can be installed through Packages Collection.

# Pkg_add/cdrom/packages/security/tcpshow *
# Tcpdump-c 3-w tcpdump. out
Tcpdump: listening on fxp0
# Tcpshow <tcpdump. out
---------------------------------------------------------------------------
Packet 1
TIME: 12: 00: 59.984829
LINK: 00: 10: 7B: 08: 3A: 56-> 01: 80: C2: 00: 00: 00 type = 0026
<*** No decode support for encapsulated protocol ***>
---------------------------------------------------------------------------
Packet 2
TIME: 12: 01: 01.074513 (1.089684)
LINK: 00: A0: C9: AB: 3C: DF-> FF: FF type = ARP
ARP: htype = Ethernet ptype = IP hlen = 6 plen = 4 op = request
Sender-MAC-addr = 00: A0: C9: AB: 3C: DF sender-IP-address = 202.102.245.3
Target-MAC-addr = 00: 00: 00: 00: 00 target-IP-address = 202.102.245.3
---------------------------------------------------------------------------
Packet 3
TIME: 12: 01: 01.985023 (0.910510)
LINK: 00: 10: 7B: 08: 3A: 56-> 01: 80: C2: 00: 00: 00 type = 0026
<*** No decode support for encapsulated protocol ***>

Tcpshow can decode data packets in different ways and display the decoded data in different ways. You can select the most suitable parameter based on the manual to analyze the intercepted data packets. As shown in the preceding example, tcpshow does not support many protocols and cannot decode protocols that it does not support.

In addition to tcpdump, FreeBSD Packages Collecion provides two network analysis tools, Ethereal and Sniffit, and other security tools based on network analysis. Ethereal runs in X Window and has a good graphic interface. Sniffit uses character Window format and is also easy to operate. However, because tcpdump has more powerful support for filtering rules, system administrators still prefer to use it. For experienced network administrators, using these network analysis tools can not only be used to understand how the network runs, where the fault occurs, but also conduct effective statistics, for example, the Protocol generates a major proportion of the traffic, the busiest host, and the network bottleneck. Therefore, the network analysis tool is a valuable system tool for network management. To prevent the interception of network analysis tools with data abuse, the key is to solve the problem in the physical structure of the network. A common method is to use a switch or bridge to separate a trusted network from an untrusted network, which can prevent external network segments from eavesdropping on internal data transmission, but it still cannot solve the data security problem when the internal network and the external network communicate with each other. If you do not have sufficient funds to upgrade the shared hub on the network to an Ethernet switch, you can use the FreeBSD system to execute the bridge task. This requires you to use the option BRIDGE compilation option to re-customize the kernel, and then use the bridge command to start the BRIDGE function.

Tcpdump adopts the command line method. Its command format is:
Tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name]
[-I network interface] [-r file name] [-s snaplen]
[-T type] [-w file name] [expression]

(1). Introduction to tcpdump options-a converts network addresses and broadcast addresses into names;
-D. Give the code that matches the information package in an Assembly format that people can understand;
-Dd provides the code that matches the information package in the format of the C program segment;
-Ddd provides the matching information package code in decimal format;
-E prints the header information of the data link layer in the output line;
-F print the Internet address in numbers;
-L changes the standard output to the buffer row format;
-N does not convert the network address into a name;
-T no timestamp is printed on each output line;
-V outputs a slightly detailed information. For example, the IP package can contain ttl and service type information;
-Vv: Output detailed message information;
-C. After receiving the specified number of packages, tcpdump stops;
-F Read the expression from the specified file and ignore other expressions;
-I indicates the network interface of the listener;
-R reads packets from a specified file (these packets are generally generated using the-w option );
-W directly writes the package into the file and does not analyze or print it out;
-T directly interpret the listening packet as a specified type of message. Common types include rpc (Remote process call) and snmp (Simple Network Management Protocol ;)
(2) Introduction to tcpdump expressions

The expression is a regular expression. tcpdump uses it as a condition for filtering packets. If a packet meets the expression conditions, the packet will be captured. If no conditions are provided, all information packets on the network will be intercepted. The following types of keywords are generally used in expressions. The first type keyword mainly includes host, net, port, for example host 210.27.48.2. It indicates that 210.27.48.2 is a host, and net 202.0.0.0 indicates that 202.0.0.0 is a network address, port 23 indicates that the port number is 23. If no type is specified, the default type is host. the second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src, which indicate the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the src or dst keyword is used by default. The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates a specific network protocol on FDDI (Distributed Optical Fiber Data Interface Network). In fact, it is an alias of "ether". fddi and ether have similar source and destination addresses, therefore, the fddi protocol package can be processed and analyzed as the ether package. The other keywords indicate the Protocol content of the listener package. If no protocol is specified, tcpdump listens to the information packages of all protocols.
In addition to these three types of keywords, other important keywords include gateway, broadcast, less, greater, and three logical operations. The non-operation type is 'not ''! ', And the operation is 'and',' & '; or the operation is 'or',' │ '; these keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples.

A wants to intercept all packets received and sent by all 210.27.48.1 hosts:
# Tcpdump host 210.27.48.1
B. to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command: (when parentheses are applied in the command line, be sure
# Tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)
C If You Want To obtain the IP package for all hosts except 210.27.48.1 and 210.27.48.2, run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
D. To obtain the telnet packet received or sent by the host 210.27.48.1, run the following command:
# Tcpdump tcp port 23 host 210.27.48.1
(3) Introduction to output results of tcpdump

The following describes the output information A of several typical tcpdump commands and the command for using the data link layer header.
# Tcpdump -- e host ice
Ice is a linux host. Her MAC address is 0: 90: 27: 58: AF: 1A.
H219 is a SUN Workstation With SOLARIC. Its MAC address is 8: 0: 20: 79: 5B: 46. The output result of the previous command is as follows:
21:50:12. 847509 eth0 <8: 0: 20: 79: 5b: 46 0: 90: 27: 58: af: 1a ip 60: h219.33357> ice. telne
T 0: 0 (0) ack 22535 win 8760 (DF)
Analysis: 21: 50: 12 indicates the display time, 847509 indicates the ID number, and eth0 indicates that eth0 accepts the data packet from the network interface, eth0> indicates that the data packet is sent from the network interface device, 8: 0: 20: 79: 5b: 46 is the MAC address of the host H219. It indicates that it is a packet sent from the source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE, indicating that the destination address of the data packet is ICE. ip indicates that the data packet is an IP data packet, and 60 indicates the length of the data packet, h219.33357> ice. telnet indicates that the packet is the TELNET (23) port sent from Port 33357 of host H219 to host ICE. ack 22535 indicates to respond to a packet whose serial number is 222535. win 8760 indicates that the size of the sending window is 8760.

B. TCPDUMP output information of ARP packets

Use commands
# Tcpdump arp
The output result is:
22:32:42. 802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)
22:32:42. 802902 eth0 <arp reply route is-at 0: 90: 27: 12: 10: 66 (0: 90: 27: 58: af: 1a)
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0> indicates that the packet is sent from the host, arp indicates that the packet is an ARP request packet, who-has route tell ice indicates that it is the MAC address of the host ROUTE requested by the host ICE. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE.
C. TCP packet output information

The common output information of TCP packets captured with TCPDUMP is:
Src> dst: flags data-seqno ack window urgent options
Src> dst: indicates from the source address to the destination address. flags indicates the Flag Information in the TCP packet, S indicates the SYN mark, F (FIN), P (PUSH), R (RST )". "(not marked); data-seqno is the sequence number of data in the data packet, ack is the sequence number expected next time, window is the size of the window that receives the cache, and urgent indicates whether there is an emergency pointer in the data packet. options is an option.
D. UDP packet output information

The general output information of the UDP packet captured with TCPDUMP is:
Route. port1> ice. port2: udp lenth
UDP is very simple. The output line above indicates a UDP packet sent from the port1 port of the host ROUTE to the port2 port of the host ICE. The type is UDP and the package length is lenth.

Original article address

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.