
How to use tcpdump to grab packets in Linux

2025-04-02 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use tcpdump to capture packets on Linux. The editor finds it very practical and shares it here for your reference; I hope you take something away from it.

Most of the time our systems are deployed on Linux. In some cases, to locate a problem, you need to check whether data packets are being sent normally between the various systems. Here is a brief explanation of how to use tcpdump to capture packets.

tcpdump is a network packet capture and analysis tool. It supports filtering by network layer, protocol, host, network or port, and provides and, or, not and other logical operators to help discard useless information.

tcpdump - dump traffic on a network

Command format of tcpdump

tcpdump has many parameters; see man tcpdump for the full description. Only some commonly used parameters are listed here:

tcpdump [-i NIC] -nnAX 'expression'

The parameters are described as follows:

-i interface: the network card to listen on.

-nn: show source and destination hosts as IP addresses and port numbers instead of hostnames and service names.

-A: display packets as ASCII, which is useful when capturing web data.

-X: display packets in both hexadecimal and ASCII.

Expressions: there are many kinds of expressions; the common ones are host host, port port, src host sending-host and dst host receiving-host. Multiple conditions can be combined with and and or, and negated with not (or !). For more, see man 7 pcap-filter.

Examples

Do not specify any parameters

Listen for packets passing through the first network card. A host often has more than one network card, so you usually need to specify one.

tcpdump

Monitor a specific network card

tcpdump -i en0

Monitor a specific host

Example: monitor communication packets between this computer and host 182.254.38.55.

Note: both outgoing and incoming packets will be monitored.

tcpdump host 182.254.38.55

Communication with a specific source and destination address

Specific source

tcpdump src host hostname

Specific destination address

tcpdump dst host hostname

If neither src nor dst is specified, traffic both from and to the hostname is monitored.

tcpdump host hostname

Specific port

tcpdump port 3000

Monitor TCP/UDP

Different services on the server use TCP or UDP as their transport layer. If you only want to listen to TCP packets:

tcpdump tcp

Source host + port + TCP

Listen for TCP packets from host 123.207.116.169 on port 22:

tcpdump tcp port 22 and src host 123.207.116.169

Monitor communication between specific hosts

tcpdump ip host 210.27.48.1 and 210.27.48.2

Communication between 210.27.48.1 and hosts other than 210.27.48.2:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2
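To make the filter primitives above concrete, here is an added example (not part of the original article, and not libpcap's own code) that decodes a few constructed Ethernet/IPv4/TCP/UDP frames and evaluates a simplified model of the host, src host, dst host, port, tcp, udp, and, or and not keywords over them. The sample frames are constructed, not captured; the addresses reuse the ones from the article's examples, and the filter semantics are a deliberately small subset of what pcap-filter supports.

```python
import struct
import socket

ETH_HDR = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType 0x0800 = IPv4

def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (20 bytes, no options, checksum left as 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_tcp(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header; flags defaults to SYN."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def build_udp(sport, dport, data=b""):
    """Minimal 8-byte UDP header."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def decode(frame):
    """Pull out the fields the filter primitives need; None for non-IPv4 frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    proto = ip[9]                     # 6 = TCP, 17 = UDP
    l4 = ip[ihl:]
    sport = dport = None
    if proto in (6, 17):              # both TCP and UDP start with src port, dst port
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": proto, "sport": sport, "dport": dport}

# Filter primitives mirroring the pcap-filter keywords; each returns a predicate.
def host(h):      return lambda p: h in (p["src"], p["dst"])
def src_host(h):  return lambda p: p["src"] == h
def dst_host(h):  return lambda p: p["dst"] == h
def port(n):      return lambda p: n in (p["sport"], p["dport"])
def dst_port(n):  return lambda p: p["dport"] == n
def tcp():        return lambda p: p["proto"] == 6
def udp():        return lambda p: p["proto"] == 17
def and_(*fs):    return lambda p: all(f(p) for f in fs)
def or_(*fs):     return lambda p: any(f(p) for f in fs)
def not_(f):      return lambda p: not f(p)

def apply_filter(pred, frames):
    """Return the decoded packets that satisfy the predicate, like tcpdump's output."""
    return [d for d in (decode(f) for f in frames) if d is not None and pred(d)]

# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    ETH_HDR + build_ipv4("123.207.116.169", "10.0.0.5", 6, build_tcp(51000, 22)),
    ETH_HDR + build_ipv4("10.0.0.5", "123.207.116.169", 6, build_tcp(22, 51000, 0x12)),
    ETH_HDR + build_ipv4("210.27.48.1", "210.27.48.2", 6, build_tcp(40000, 3000)),
    ETH_HDR + build_ipv4("210.27.48.1", "210.27.48.9", 17, build_udp(5353, 53)),
]

# 'tcp port 22 and src host 123.207.116.169'
SSH_FROM_HOST = and_(tcp(), port(22), src_host("123.207.116.169"))
# 'ip host 210.27.48.1 and ! 210.27.48.2' (the host qualifier carries over to the negated term)
NOT_PEER = and_(host("210.27.48.1"), not_(host("210.27.48.2")))

if __name__ == "__main__":
    for name, pred in (("SSH_FROM_HOST", SSH_FROM_HOST), ("NOT_PEER", NOT_PEER)):
        for p in apply_filter(pred, SAMPLE_FRAMES):
            print(name, p)
```

The predicates compose the same way the expression language does, which is the point: `and_(tcp(), port(22), src_host(...))` is the same shape as `tcp port 22 and src host ...`, and `not_` is the `!` in the last example above.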

A slightly more detailed example

tcpdump tcp -i eth2 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

(1) tcp: protocol keywords such as ip, icmp, arp, rarp, tcp and udp are placed first to filter by datagram type.

(2) -i eth2: only capture packets that pass through interface eth2.

(3) -t: do not display timestamps.

(4) -s 0: the default capture length is 68 bytes per packet; with -s 0 the complete packet is captured.

(5) -c 100: only capture 100 packets.

(6) dst port ! 22: do not capture packets whose destination port is 22.

(7) src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24.

(8) -w ./target.cap: save to a cap file for later analysis with Ethereal (i.e. Wireshark).
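The interaction between -s and -w above is easy to see in the file itself: a pcap file written by -w records both how many bytes were saved for each packet and how long the packet really was on the wire. Here is an added example (not from the article or from tcpdump's own sources) that builds a constructed pcap in memory with a given snaplen, parses it back, and reports how many packets were truncated. It assumes the classic little-endian pcap format (24-byte global header, 16-byte record headers, link type 1 = Ethernet); the sample packets are constructed, not captured.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic number of the classic pcap format, little-endian

def make_pcap(snaplen, packets):
    """Constructed pcap blob mimicking `tcpdump -w` with the given snaplen.
    packets is a list of (ts_sec, ts_usec, frame_bytes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    for ts_sec, ts_usec, data in packets:
        saved = data[:snaplen]      # only snaplen bytes of each packet are stored
        out += struct.pack("<IIII", ts_sec, ts_usec, len(saved), len(data)) + saved
    return out

def read_pcap(blob):
    """Parse the global header and every record; flag records cut short by snaplen."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    records = []
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        records.append({"ts": ts_sec + ts_usec / 1e6,
                        "incl_len": incl_len,          # bytes actually saved
                        "orig_len": orig_len,          # bytes on the wire
                        "truncated": incl_len < orig_len,
                        "data": blob[off:off + incl_len]})
        off += incl_len
    return {"snaplen": snaplen, "linktype": linktype, "records": records}

def summarize(blob):
    cap = read_pcap(blob)
    truncated = sum(1 for r in cap["records"] if r["truncated"])
    return {"snaplen": cap["snaplen"], "packets": len(cap["records"]), "truncated": truncated}

# Constructed sample frames: a SYN-sized frame and a full-size 1514-byte frame.
SAMPLE_PACKETS = [
    (1700000000, 10, b"\x00" * 54),
    (1700000000, 20, b"\x01" * 1514),
]
DEFAULT_CAP = make_pcap(68, SAMPLE_PACKETS)       # the old 68-byte default snaplen
FULL_CAP = make_pcap(262144, SAMPLE_PACKETS)      # a large snaplen, as -s 0 gives you

if __name__ == "__main__":
    print("snaplen 68 :", summarize(DEFAULT_CAP))
    print("snaplen big:", summarize(FULL_CAP))
```

With the 68-byte snaplen the large frame keeps only its headers and is reported as truncated, which is exactly the situation the article warns about when it recommends -s 0 for payload analysis.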

Capture HTTP packets

TODO

Limit the number of packets captured

As follows: exit automatically after capturing 1000 packets.

tcpdump -c 1000

Save to local

Note: tcpdump buffers its output by default. Only when the buffer fills to a certain size, or when tcpdump exits, is the output written to the local disk.

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

You can also add -U to force each packet to be written to the local disk immediately (generally not recommended; performance is relatively poor).

Actual combat example

Consider the following common deployment: a nodejs server runs on the server and listens on port 3000, and an nginx reverse proxy listens on port 80 and forwards requests to the nodejs server (127.0.0.1).

Browser -> nginx reverse proxy -> nodejs server

Question: suppose a user (183.14.132.117) visits the site in a browser and finds that the request never returns. How do you troubleshoot it?

Step 1: check whether the request reaches the nodejs server -> this can be seen from its log.

Step 2: check whether nginx forwards the request to the nodejs server.

tcpdump port 8383

At this point you will find there is no output, even though the nodejs server has received the request. Because nginx forwards to 127.0.0.1, the traffic goes over the loopback interface rather than the default one, so the interface must be specified explicitly.

tcpdump -i lo port 8383

Note: configure nginx to pass the requesting client's host along to the nodejs server; otherwise the nodejs server cannot obtain the real src host, and the following filter is ineffective, because from the nodejs server's point of view the src host is 127.0.0.1.

tcpdump -i lo port 8383 and src host 183.14.132.117

Step 3: check whether the request reaches the server

tcpdump -n -i lo tcp port 8383 and src host 183.14.132.117

This is the end of the article on "how to capture packets with tcpdump in Linux". I hope the above content is of some help to you and that you have learned something; if you think the article is good, please share it so more people can see it.
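As an added example for the troubleshooting procedure above (not from the original article), the following Python parses text in the `tcpdump -nn` line format and answers the two questions the steps ask: did the client's request reach the front end on port 80, and were request bytes forwarded to the backend port on lo? The two capture excerpts are constructed to look like tcpdump output, not real captures; the port numbers, the client address 183.14.132.117 and the server address 10.0.0.5 are sample values. The loopback helper deliberately does not filter on the client IP, because on lo the IP-layer source is nginx's 127.0.0.1, which is why the article says a src host filter on lo matches nothing.

```python
import re

# Constructed sample output in `tcpdump -nn` line format (not a real capture).
FRONTEND = """\
12:00:01.000123 IP 183.14.132.117.50212 > 10.0.0.5.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.000456 IP 10.0.0.5.80 > 183.14.132.117.50212: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.000800 IP 183.14.132.117.50212 > 10.0.0.5.80: Flags [P.], seq 1001:1101, ack 2001, win 502, length 100
"""
LOOPBACK = """\
12:00:01.001000 IP 127.0.0.1.44122 > 127.0.0.1.8383: Flags [S], seq 3000, win 65495, length 0
12:00:01.001100 IP 127.0.0.1.8383 > 127.0.0.1.44122: Flags [S.], seq 4000, ack 3001, win 65483, length 0
12:00:01.001300 IP 127.0.0.1.44122 > 127.0.0.1.8383: Flags [P.], seq 3001:3101, ack 4001, win 512, length 100
"""

# One `tcpdump -nn` TCP line: timestamp, "IP", src.port > dst.port: Flags [..], ..., length N
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$")

def parse(text):
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "len"):
                d[key] = int(d[key])
            pkts.append(d)
    return pkts

def request_seen(pkts, client, server_port):
    """Did `client` get a SYN and SYN-ACK with server_port, and send request bytes?"""
    syn = any(p["src"] == client and p["dport"] == server_port and p["flags"] == "S"
              for p in pkts)
    synack = any(p["dst"] == client and p["sport"] == server_port and p["flags"] == "S."
                 for p in pkts)
    data = sum(p["len"] for p in pkts if p["src"] == client and p["dport"] == server_port)
    return {"syn": syn, "synack": synack, "request_bytes": data}

def forwarded_on_loopback(pkts, backend_port):
    """Bytes sent to the backend port on lo. The source here is always 127.0.0.1
    (nginx), never the browser's address, so the client IP is not part of the check."""
    return sum(p["len"] for p in pkts if p["dst"] == "127.0.0.1" and p["dport"] == backend_port)

if __name__ == "__main__":
    print("front end:", request_seen(parse(FRONTEND), "183.14.132.117", 80))
    print("forwarded bytes on lo:", forwarded_on_loopback(parse(LOOPBACK), 8383))
```

Run it against the output of `tcpdump -nn -i eth0 port 80` and `tcpdump -nn -i lo port 8383` (interface names assumed) saved to files, and the two summaries tell you at which hop the request stopped.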
