2025-03-26 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
Recently I started sorting out the tools and methods I used most often. Today's notes cover tcpdump, Wireshark and nmap, which come up constantly in system operations and network analysis and are very practical.
The notes are in two parts:
The first part is a set of self-test training questions, each of which I ran on a real machine.
The second part is the core knowledge points, which are enough for most day-to-day network analysis.
1-Training:
1. On interface eth0, capture all packets to or from 192.168.100.178 and save them as a pcap file for later analysis in Wireshark.
tcpdump -i eth0 -w 178.pcap host 192.168.100.178
2. On interface eth0, capture all packets destined for port 80 on 192.168.100.178.
tcpdump -i eth0 -nn dst host 192.168.100.178 and dst port 80
3. On interface eth0, capture all SSH packets whose source address is 192.168.100.178.
tcpdump -i eth0 -nn src host 192.168.100.178 and tcp dst port 22
4. On interface eth0, capture all UDP packets to or from 192.168.100.178.
tcpdump -i eth0 -nn host 192.168.100.178 and udp
5. Capture the traffic between host 210.27.48.1 and either host 210.27.48.2 or host 210.27.48.3.
tcpdump -i eth0 -nn host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)
Put -nn (do not resolve host or port names), -w and the other options before the filter expression: tcpdump on Linux tolerates options after the expression, but not every platform does. With -w nothing is printed to the terminal; add -v to get a periodic count of captured packets.
Wireshark display filters:
1. Show all packets to or from 192.168.0.128.
ip.addr==192.168.0.128
2. Show all SSH traffic to or from 192.168.0.128.
ip.addr==192.168.0.128 and tcp.port==22
3. Show only HTTP traffic (to restrict it to one site, also match the Host header with http.host, as in the rules below).
http
4. Show traffic from a given source address to a given destination port.
ip.src==192.168.100.178 and tcp.dstport==80
5. Show HTTP requests whose method is GET.
http.request.method=="GET"
Field names are case-sensitive and all lower case; Ip.src is rejected by the filter bar.
nmap rules:
1. Scan host 192.168.100.178 for open ports (add -sV to identify the service versions on the open ports).
nmap 192.168.100.178 / nmap -sV 192.168.100.178
2. Find which addresses in 192.168.100.0/24 are in use (host discovery only, no port scan).
nmap -sn 192.168.100.0/24
3. Find the machines in 192.168.0.0/24 that have ports 80 and 3306 open (TCP SYN scan).
nmap -sS 192.168.0.0/24 -p 80,3306
4. Check whether UDP ports are open on the hosts of a network segment.
nmap -sU 192.168.0.0/24 -p 80,3306
5. Combined scan (skip host discovery, service versions, OS detection, verbose output).
nmap -Pn -sV -O -v 192.168.30.251
-sP and -P0 are the older spellings of -sn and -Pn; current nmap still accepts them. -sS, -sU and -O send raw packets and therefore need root (or CAP_NET_RAW); an unprivileged user gets a TCP connect scan (-sT) by default and an error if -sS is requested explicitly.
2-Key points:
tcpdump points:
A capture filter is built from primitives, each made of up to three kinds of qualifier.
The first kind is type qualifiers, mainly host, net and port (host is assumed when none is given).
The second kind is direction qualifiers, mainly src, dst, src or dst, and src and dst (src or dst is assumed when none is given).
The third kind is protocol qualifiers, mainly fddi, ip, arp, rarp, tcp, udp and others such as ether, ip6 and icmp.
Primitives are combined with the logical operators and, or and not (also written &&, || and !) and grouped with parentheses, which must be escaped or quoted so the shell does not interpret them.
If we only want packets going to port 80 we use dst port 80; if we only want the replies coming back from port 80 we use src port 80.
# tcpdump -i eth0 host hostname and dst port 80    (packets to hostname whose destination port is 80)
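The script below is an added example, not code from the original article or from tcpdump: it writes a small capture in memory in the same classic pcap format that tcpdump -w 178.pcap produces, reads it back, and applies the five training filters above as predicates built from the primitives just described (host, src/dst host, port, dst port, tcp, udp, combined with and/or/not). The six packets, the 10.0.0.x peers and the port numbers are constructed for the demonstration; the filtered addresses are the ones from the training questions.

```python
"""Added example (not from the original article or tcpdump): in-memory pcap
writer/reader plus tcpdump-style filter primitives, used to check the
training answers against constructed packets without a live interface."""
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC_LE = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic as seen from a big-endian writer
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Ethernet/IPv4/TCP-or-UDP frame; checksums stay 0 since we only parse it."""
    if proto == IPPROTO_TCP:      # minimal 20-byte TCP header with the SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)
    else:                         # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4     # zero MACs, EtherType IPv4

def write_pcap(frames):
    """Serialise frames in the classic pcap format that tcpdump -w produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames, picking the record byte order from the magic number."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == PCAP_MAGIC_BE:
        order = ">"
    else:
        raise ValueError("not a classic pcap (pcapng or nanosecond-pcap magic)")
    offset = 24                                     # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def decode(frame):
    """Extract the fields the filter primitives use; None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

# tcpdump primitives as predicates: "host"/"port" match either direction,
# "src"/"dst" restrict to one side, "tcp"/"udp" test the IP protocol number.
def host(ip):     return lambda p: ip in (p["src"], p["dst"])
def src_host(ip): return lambda p: p["src"] == ip
def dst_host(ip): return lambda p: p["dst"] == ip
def port(n):      return lambda p: n in (p["sport"], p["dport"])
def src_port(n):  return lambda p: p["sport"] == n
def dst_port(n):  return lambda p: p["dport"] == n
def tcp(p):       return p["proto"] == IPPROTO_TCP
def udp(p):       return p["proto"] == IPPROTO_UDP
def AND(*preds):  return lambda p: all(f(p) for f in preds)
def OR(*preds):   return lambda p: any(f(p) for f in preds)
def NOT(pred):    return lambda p: not pred(p)

def select(pcap_bytes, predicate):
    """Decoded packets from the capture that satisfy the predicate."""
    return [p for p in map(decode, read_pcap(pcap_bytes)) if p and predicate(p)]

# Constructed capture standing in for 178.pcap (the 10.0.0.x peers are made up).
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.5", "192.168.100.178", IPPROTO_TCP, 40000, 80),   # web request in
    build_frame("192.168.100.178", "10.0.0.5", IPPROTO_TCP, 80, 40000),   # web reply out
    build_frame("192.168.100.178", "10.0.0.9", IPPROTO_TCP, 51000, 22),   # ssh from the host
    build_frame("192.168.100.178", "10.0.0.9", IPPROTO_UDP, 5353, 53),    # a udp query
    build_frame("210.27.48.1", "210.27.48.3", IPPROTO_TCP, 1234, 443),    # 48.1 <-> 48.3
    build_frame("210.27.48.2", "210.27.48.9", IPPROTO_TCP, 1234, 443),    # 48.2 without 48.1
])

# The five training filters, written with the primitives above.
TRAINING = {
    "q1: host 192.168.100.178": host("192.168.100.178"),
    "q2: dst host 192.168.100.178 and dst port 80":
        AND(dst_host("192.168.100.178"), dst_port(80)),
    "q3: src host 192.168.100.178 and tcp dst port 22":
        AND(src_host("192.168.100.178"), tcp, dst_port(22)),
    "q4: host 192.168.100.178 and udp": AND(host("192.168.100.178"), udp),
    "q5: host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)":
        AND(host("210.27.48.1"), OR(host("210.27.48.2"), host("210.27.48.3"))),
}

def training_counts(pcap_bytes=SAMPLE_PCAP):
    """How many packets of the capture each training filter keeps."""
    return {name: len(select(pcap_bytes, pred)) for name, pred in TRAINING.items()}
```

Calling training_counts() on the constructed capture keeps 4 packets for q1 and exactly 1 for each of q2 to q5; point read_pcap at the bytes of a real 178.pcap to check a filter against a saved capture. The same decode function shows where Wireshark's ip.addr versus ip.src/ip.dst distinction comes from: host tests both addresses, src host only one.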
Wireshark display filter rules:
Filter by IP
ip.dst==10.10.10.10
ip.src==10.10.10.10
ip.addr==10.10.10.10
The equals sign can be written as eq, e.g. ip.dst eq 10.10.10.10
dst filters on the destination IP, src on the source IP, and addr matches either one;
The or operator combines several rules, e.g. ip.dst==10.10.10.10 or ip.dst==10.10.10.11. Note that ip.addr!=10.10.10.10 does not exclude that host (it matches any packet in which at least one of the two addresses differs); write !(ip.addr==10.10.10.10) instead.
Filter by port
tcp.port==80
tcp.dstport==80
tcp.srcport==80
dstport filters on the destination port, and the rest work like the IP rules (udp.port, udp.dstport and udp.srcport for UDP);
Protocol filtering
Type the protocol name straight into the filter box, e.g. http, tcp, udp, ftp, dns.
HTTP field filtering
http.host=="www.baidu.com"
http.request.uri=="/img/logo-edu.gif"
http.request.method=="GET"
http.request.method=="POST"
http contains "baidu"
contains searches the bytes of the HTTP layer, so the last rule finds "baidu" anywhere in a request or response, not only in the Host header.
nmap rules:
-sS (TCP SYN scan): sends a TCP SYN to each port. A SYN/ACK reply means open, a RST means closed, and no reply or an ICMP unreachable means filtered. The handshake is never completed, so the probe normally does not appear in the target application's logs.
-sU (UDP scan): sends a UDP datagram to each port (empty for most ports, a protocol-specific payload for well-known ones such as 53 and 161). An ICMP port unreachable reply means closed and a UDP reply means open; no reply at all is reported as open|filtered, because an open service that stays silent and a firewall that drops the probe look the same. UDP scans are slow because most hosts rate-limit ICMP error messages.
-p (port range)
-sV (service version detection; it also probes open|filtered UDP ports and can turn them into a definite open)
Finally, the commonly used nmap invocations:
1. nmap -sn 59.69.139.0/24 (find the hosts that are up)
2. nmap -sS 59.69.139.1-10 -p 80,22,23,52-300 (SYN scan; host ranges and port lists can be added)
3. nmap -sV 59.69.139.1 -p 1-65535 (service and version on every port)
4. nmap -O 192.168.1.1 (OS type and version) or nmap -A 192.168.1.1 (-O plus -sV, the default scripts and traceroute)
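The parser below is an added example, not code from the original article or from the nmap project: it reads the XML that nmap writes with -oX scan.xml (the format a scan like item 2 above produces when you add that option) and lists which hosts have a given port open, keeping the UDP open|filtered verdict apart from a confirmed open as described under -sU. The XML document embedded in it is constructed for the demonstration (two hosts up, one down, from a combined SYN and UDP scan of 192.168.0.0/24); real output carries many more attributes, which the parser ignores.

```python
"""Added example (not from the original article or the nmap project): parse the
XML that "nmap -oX scan.xml ..." writes and report which hosts have a given
port open, treating UDP's open|filtered verdict as unconfirmed."""
import xml.etree.ElementTree as ET

# Constructed output of a combined "-sS -sU -p T:80,3306,U:53,161" scan of
# 192.168.0.0/24 (two hosts up, one down); real files carry more attributes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:80,3306,U:53,161 -oX scan.xml 192.168.0.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.22" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="udp" portid="53"><state state="closed" reason="port-unreach"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.23" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """{ip: [(proto, port, state, reason, service), ...]} for every host that is up."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # -sn style: only hosts that answered count
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        entries = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            service = port.find("service")
            entries.append((port.get("protocol"), int(port.get("portid")),
                            state.get("state"), state.get("reason"),
                            service.get("name") if service is not None else None))
        results[addrs[0]] = entries
    return results

def hosts_with_open(results, proto, portno, include_open_filtered=False):
    """IPs where proto/portno is open. open|filtered (UDP probe unanswered) is
    left out unless asked for: it may be a silent service or a dropped probe,
    and needs -sV or a protocol-specific probe before it counts as open."""
    wanted = {"open", "open|filtered"} if include_open_filtered else {"open"}
    return sorted(ip for ip, entries in results.items()
                  for p, n, state, _reason, _svc in entries
                  if p == proto and n == portno and state in wanted)

def report(results):
    """One line per port, in the style of nmap's own text output."""
    lines = []
    for ip in sorted(results):
        for proto, n, state, reason, svc in results[ip]:
            lines.append(f"{ip:<15} {n}/{proto:<4} {state:<14} {reason:<13} {svc or ''}")
    return lines
```

On the sample, hosts_with_open(results, "tcp", 80) returns only 192.168.0.10 and hosts_with_open(results, "udp", 161) returns nothing, because both hosts answered the UDP 161 probe with silence; passing include_open_filtered=True lists both, which is the list to feed to a follow-up -sV or snmpwalk run rather than to a report of open ports. Replace SAMPLE_XML with open("scan.xml").read() to use it on a real scan.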