Using tcpdump for Network Packet Analysis

Source: Internet
Author: User

Tcpdump Introduction

Tcpdump is a command-line packet capture tool. It lets the user intercept and display the TCP/IP and other packets sent or received over the network interfaces of the computer it runs on. Tcpdump runs on most Unix-like operating systems (such as Linux and BSD); on these systems it uses libpcap to capture packets, just as WinPcap is used on Windows.

Before learning tcpdump, you should have a grasp of basic networking (the TCP/IP protocol stack).

Tcpdump Command Format and Common Parameters

The general form of a tcpdump invocation looks like this:

Example: tcpdump -i eth0 'port 1111' -X -c 3

Tcpdump is driven from the command line. Its command format is:

tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
        [-i interface] [-r file] [-s snaplen]
        [-T type] [-w file] [expression]

Introduction to tcpdump options

-a: convert network addresses and broadcast addresses into names;

-d: dump the compiled packet-matching code in a human-readable assembler-like form;

-dd: dump the packet-matching code as a C program fragment;

-ddd: dump the packet-matching code as decimal numbers;

-e: print the link-layer (Ethernet) header on each output line;

-f: print foreign Internet addresses numerically rather than as names;

-l: switch the standard output to line-buffered mode;

-n: do not convert addresses (hosts, ports) into names;

-t: do not print a timestamp on each output line;

-v: slightly more verbose output, for example the TTL and type-of-service fields of an IP packet;

-vv: even more verbose output;

-c count: stop after receiving the specified number of packets;

-F file: read the filter expression from the specified file and ignore any expression given on the command line;

-i interface: the network interface to listen on;

-r file: read packets from the specified file (normally one produced with the -w option);

-w file: write the raw packets to the file without analysing or printing them;

-T type: interpret the captured packets as the specified type; common types include rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

For example, enter the command tcpdump -i eth0 'port 1111' -X -c 3.

-i stands for interface: we have to tell tcpdump which NIC to listen on.

-X tells tcpdump to print both the protocol headers and the packet contents in raw form (tcpdump shows them in hexadecimal and ASCII); this is indispensable for protocol analysis.

port 1111: we only care about packets whose source port or destination port is 1111.

-c stands for count: how many packets we want tcpdump to capture before it stops.

There is another important parameter, -l, which changes the output to line buffering.

The -l option switches tcpdump's output to "line-buffered" mode. This ensures that as soon as tcpdump emits a line break, the buffered content is flushed to standard output, which is what makes tcpdump usable in a pipeline or with redirection for further processing.

Standard Linux/Unix I/O provides three buffering modes: full buffering, line buffering, and no buffering. Standard error is unbuffered, and a terminal device is always line-buffered; in other cases (such as a pipe or a file) full buffering is the default.

For example, if we only want to extract the first field (the timestamp) of each packet line through a pipe, we need -l to change the default full buffering into line buffering; otherwise the lines only reach the pipe after the buffer fills or tcpdump exits.

 

Parameters -w and -r

-w writes the raw packets directly to a file (the original packets themselves; if you merely redirect standard output with >, only the displayed text is saved, not the raw packets). This is so-called "traffic storage": the captured network packets are stored on disk and kept for later use. The -r parameter achieves "traffic playback": the traffic of some period in the past is read back and replayed for analysis.

The -w option stores all captured traffic in the file cp.pcap (binary pcap format). You can then use -r to read the raw packets back from cp.pcap.

For example, sudo tcpdump -i eth0 'port 1111' -c 3 -r cp.pcap replays the stored traffic; with -r the packets come from the file, so the interface named by -i is not opened.

Introduction to tcpdump output

Enter the command sudo tcpdump -i eth0 -e -nn -X -c 2 'port 1111'. The captured packets are printed as follows (the first packet's summary is split into rows 3 to 5 below for explanation; tcpdump prints it as a single line):

Line 1: "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode"

This is a hint that the -v and -vv options give more complete output.

Line 2: "listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes"

We are listening on the NIC eth0, whose link layer is Ethernet. The captured size of each packet is limited to 65535 bytes; the -s option changes this limit.

Row 3: "12:40:33.569037 00:19:e0:b5:10:94 > 00:1a:a0:31:39:d4, ethertype IPv4 (0x0800),"

12:40:33.569037 is the capture time as hours, minutes, seconds and microseconds.

00:19:e0:b5:10:94 > 00:1a:a0:31:39:d4 means the host with MAC address 00:19:e0:b5:10:94 sent the frame to MAC address 00:1a:a0:31:39:d4. ethertype IPv4 (0x0800) means the protocol type of the Ethernet frame is IPv4 (type code 0x0800).

Row 4: "length 66: 210.45.123.249.27236 > 172.16.0.11.1111: Flags [S], seq 1624463808,"

length 66 is the Ethernet frame length of 66 bytes. 210.45.123.249.27236 means the packet's source IP address is 210.45.123.249 and the source port is 27236; '>' shows the direction of transmission; 172.16.0.11.1111 means the destination IP address is 172.16.0.11 and the destination port is 1111, which is one of the ports my web server listens on. Flags [S] means only SYN is set, so this is the first packet of the TCP three-way handshake: the client (210.45.123.249) sends a SYN requesting a connection. seq 1624463808 is the client's initial sequence number.

Row 5: "win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0"

win 8192 means the window size is 8192 bytes. options [mss 1460,nop,wscale 2,nop,nop,sackOK] are the optional fields of the TCP header: mss 1460 is the maximum segment size advertised by the sender (the client), meaning the sender will not accept any TCP segment longer than this (the value is related to the MTU); nop is a no-operation padding option; wscale 2 means the window scale factor used by the sender is 2; sackOK means the sender supports and agrees to use SACK. The final length 0 is the TCP payload length: a SYN carries no data.

The lines that follow are the hex and ASCII dump produced by -X, beginning with the IP and TCP headers.
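To work with this summary format programmatically, here is an added Python example that is not part of the original tutorial: a parser for `tcpdump -e -nn` TCP lines, written to sit behind a pipeline such as `sudo tcpdump -l -i eth0 -e -nn 'port 1111' | python3 parse_tcpdump.py` (the -l discussed earlier is what keeps the lines flowing). The script name, the function names and the handshake classification are my assumptions, not tcpdump's own.

```python
import re
import sys

# Field layout of one `tcpdump -e -nn` TCP line (the sample above, as tcpdump prints it on one line).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype (?P<ethertype>\w+) \((?P<ethcode>0x[0-9a-f]+)\), length (?P<frame_len>\d+): "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?, length (?P<payload_len>\d+)$"
)
# tcpdump's one-letter flag codes; a bare ACK is printed as '.'.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "ACK",
              "U": "URG", "W": "CWR", "E": "ECE"}


def parse_line(line):
    """Return the packet's fields as a dict, or None if the line is not a TCP summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("frame_len", "src_port", "dst_port", "ack", "win", "payload_len"):
        if pkt[key] is not None:
            pkt[key] = int(pkt[key])
    pkt["flag_names"] = [FLAG_NAMES.get(c, c) for c in pkt["flags"]]
    pkt["options"] = pkt["options"].split(",") if pkt["options"] else []
    return pkt


def handshake_step(pkt):
    """1, 2 or 3 for the three-way handshake packets, 0 otherwise. Step 3 is recognised
    by 'ack 1', which relies on tcpdump's default relative sequence numbers (no -S)."""
    names = set(pkt["flag_names"])
    if names == {"SYN"} and pkt["payload_len"] == 0:
        return 1
    if names == {"SYN", "ACK"}:
        return 2
    if names == {"ACK"} and pkt["ack"] == 1 and pkt["payload_len"] == 0:
        return 3
    return 0


if __name__ == "__main__":   # sudo tcpdump -l -i eth0 -e -nn 'port 1111' | python3 parse_tcpdump.py
    for raw in sys.stdin:    # with -l on the tcpdump side, each line arrives as soon as it is printed
        p = parse_line(raw)
        if p:
            print(p["ts"], p["src_ip"], p["src_port"], ">", p["dst_ip"], p["dst_port"], p["flag_names"], handshake_step(p))
```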

Introduction to tcpdump filter expressions

You can pass a "filter expression" to tcpdump to select which network packets are captured, and several filter conditions can be combined in one expression.

The man pcap-filter command shows the reference documentation for filter expressions.

A filter expression is built from three kinds of qualifiers: "type", "direction", and "protocol". The combination of these qualifiers forms the filter expression.

Type keywords include host, net and port. For example, host 210.45.114.211 selects the host 210.45.114.211, net 210.11.0.0 selects the network 210.11.0.0, and port 21 selects port number 21. If no type is specified, the default type is host.

Direction keywords include src, dst, src or dst, and src and dst. They indicate the direction of transmission. For example, src 210.45.114.211 means the source address of the IP packet is 210.45.114.211, and dst net 210.11.0.0 means the destination network address is 210.11.0.0. If no direction keyword is specified, the default is src or dst.

Protocol keywords include ether, ip, ip6, arp, rarp, tcp, udp and so on. They select the protocol of the packets to listen for. If no protocol is specified, tcpdump listens for packets of all protocols.

For example, to capture only a single TCP packet: sudo tcpdump -i eth0 -nn -c 1 'tcp'

 

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.

These keywords can be combined into powerful filter conditions. Some examples follow.

(1) I only want to see packets whose destination port is 21 or 80 and do not care about other ports:

sudo tcpdump -i eth0 -c 10 'dst port 21 or dst port 80'

(2) To capture the communication between host 172.16.0.11 and host 210.45.123.249 or 210.45.123.248, run the following command (note the parentheses):

sudo tcpdump -i eth0 -c 3 'host 172.16.0.11 and (210.45.123.249 or 210.45.123.248)'

(3) To capture the packets of the ftp control port and the ftp-data port:

sudo tcpdump 'port ftp or ftp-data'

Which port numbers do ftp and ftp-data correspond to? On Linux, the file /etc/services records the mapping between well-known service names and transport-layer ports. If you edit the port value for ftp in that file from 21 to 3333, tcpdump will capture packets on port 3333 instead.

(4) To capture the IP packets exchanged between host 172.16.0.11 and every host except 210.45.123.249, run:

sudo tcpdump 'ip host 172.16.0.11 and ! 210.45.123.249'

(5) To capture the packets of host 172.16.0.11 on ports other than 80, 25 and 110:

sudo tcpdump -i eth0 'host 172.16.0.11 and ! port 80 and ! port 25 and ! port 110'

Some more advanced filter expressions follow.

To capture the packets with the SYN flag set in the TCP three-way handshake between 172.16.10.11 and google.com:

Command: sudo tcpdump -i eth0 'host 172.16.0.11 and host google.com and tcp[tcpflags] & tcp-syn != 0' -c 3 -nn

The command above looks a little dizzying, so the relevant knowledge is introduced in detail below.

Once we understand the syntax proto[expr:size], the statement above is not hard to read.

The syntax proto[expr:size] in detail

proto is short for protocol and names a specific protocol, such as ip, tcp or udp. More than ten protocols can be named here: the link-layer protocols ether, fddi, tr, wlan, ppp, slip and link; the network-layer protocols ip, ip6, arp, rarp and icmp; and the transport-layer protocols tcp, udp and so on.

expr gives a byte offset into the datagram, counted from the start of the specified protocol's header (offset 0 is that header's first byte), and size says how many bytes to extract starting at that offset; size may be 1, 2 or 4 and defaults to 1. If only expr is given and size is omitted, one byte is extracted. For example, ip[2:2] extracts the 3rd and 4th bytes of the IP header (the total length field), while ip[0] extracts its first byte. Once we have extracted the value, we set our filter condition on it; the available comparison operators are >, <, >=, <=, = and !=, six in all.

Example: you want to capture the start and end packets (SYN and FIN packets) of every TCP session in which one of the endpoints is a remote host:

sudo tcpdump 'tcp[13] & 3 != 0 and not (src and dst net 172.16.0.0)' -nn

If you are familiar with the TCP header format, this expression is easy to understand: byte 13 of the TCP header (offset 13) holds two reserved bits in its high bits and the six flag bits (URG, ACK, PSH, RST, SYN, FIN) in its low bits, with SYN and FIN occupying the two lowest bits, so tcp[13] & 3 tests whether SYN or FIN is set to 1.

From the above we can see that writing a filter expression correctly requires a good understanding of the protocol formats, which is rather demanding. To make tcpdump friendlier, some common offsets can be referred to by name instead. For example, icmptype stands for the type field of ICMP, icmpcode for the code field of ICMP, and tcpflags for the flags field of TCP.

Further, the values of the ICMP type field can be referred to by these names: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, and icmp-maskreply.

The TCP flag field bits can be referred to as tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack and tcp-urg.
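To check the offset arithmetic behind these expressions, here is an added Python example that is not part of the original tutorial: it evaluates proto[expr:size] by hand on a constructed IPv4+TCP packet and applies the two expressions from this section (tcp[tcpflags] & tcp-syn != 0 and tcp[13] & 3 != 0 and not (src and dst net 172.16.0.0)). The packet builder, the function names and the reading of net 172.16.0.0 as 172.16.0.0/16 are my assumptions.

```python
import ipaddress
import struct

# Names tcpdump accepts instead of numbers (see the text above): tcpflags is byte 13 of the
# TCP header, and each tcp-* name is the bit that flag occupies in that byte.
TCPFLAGS = 13
TCP_FLAG = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
            "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header, no options.
    Checksums are left at zero; they play no part in the offset arithmetic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    # TCP byte 12 = data offset 5 words (0x50), byte 13 = the flag bits
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def field(packet, proto, offset, size=1):
    """proto[offset:size]: the offset counts from the first byte of that protocol's header."""
    if proto == "ip":
        start = 0
    elif proto == "tcp":
        start = (packet[0] & 0x0F) * 4      # skip the IP header: IHL is in 32-bit words
    else:
        raise ValueError("only ip and tcp are handled in this example")
    return int.from_bytes(packet[start + offset:start + offset + size], "big")


def syn_set(packet):
    """tcp[tcpflags] & tcp-syn != 0, from the google.com example."""
    return field(packet, "tcp", TCPFLAGS) & TCP_FLAG["tcp-syn"] != 0


def session_edge_with_remote(packet, local_net="172.16.0.0/16"):
    """tcp[13] & 3 != 0 and not (src and dst net 172.16.0.0): a SYN or FIN packet where at
    least one endpoint lies outside the local network (assumed here to be a /16)."""
    net = ipaddress.ip_network(local_net)
    src = ipaddress.IPv4Address(field(packet, "ip", 12, 4))   # ip[12:4] = source address
    dst = ipaddress.IPv4Address(field(packet, "ip", 16, 4))   # ip[16:4] = destination address
    return field(packet, "tcp", 13) & 3 != 0 and not (src in net and dst in net)
```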

Only regular practice makes you proficient with these expressions. You can also use tcpdump to capture packets and save them to a file, then analyse that file with Wireshark or another graphical tool.
