2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today I will introduce how to use tcpdump, the packet capture tool for Linux systems. The content is useful and I would like to share it with you; anyone who needs it can learn from it, and I hope it helps. Let's read along with the editor.
tcpdump is a packet capture and parsing tool for Linux systems. Its main purpose is to listen on a server's network interface and record the traffic passing through it.
Parameter introduction
The tcpdump command has many parameters; only the commonly used ones are introduced here.
-c count
count is a number of packets. When the number of captured packets reaches count, the command exits. Without -c, tcpdump keeps capturing until it is stopped manually.
-C file_size
When capturing packets and saving them to a file, use this option to limit the size of each file. When the file reaches the specified size, a new file is created whose name is the original file name followed by a sequence number, for example dump.txt, dump.txt1. The unit of file_size is b.
-D
List all network interfaces on the server. By default tcpdump listens on the lowest-numbered interface, usually eth0; when capturing, you can choose the interface with the -i option.
-i interface
Specify the name of the interface to listen on. any means all interfaces.
-n
Do not convert IP addresses to hostnames in the output (hostnames are shown by default).
-q
Quick output: print only brief packet information.
-r file
Read packets from a file instead of from the network.
-t
Do not print a timestamp on each line.
-w file
Save the captured packets to a file; -r can read the packets back from that file.
-W filecount
Used together with -C: limits the number of files created when rotating. Once the number of files reaches filecount, tcpdump starts overwriting from the first file again.
In addition to the above options, there are keywords that can be used for conditional filtering. The common ones are as follows
host
Filter by host. For example, tcpdump host 192.168.1.110 captures only packets to or from this IP.
src
Filter by the source of the traffic. For example, tcpdump src host 192.168.1.110 captures only packets sent from this IP.
dst
Filter by the destination of the traffic. For example, tcpdump dst host 192.168.1.110 captures only packets sent to this IP.
port
Filter by port. For example, tcpdump port 8080 captures only packets using port 8080.
net
Filter by network. For example, tcpdump net 192.168 captures only packets in this network segment.
and, not, or
Combine conditions, as the words imply. For example, tcpdump net 192.168 and port 8080 captures packets that are in the 192.168 network segment and use port 8080.
Packet analysis
A captured packet is printed in the following format
20:17:43.496528
Timestamp, hours:minutes:seconds.microseconds
IP
The name of the network protocol
180.101.49.12.http > iZbp14w0b2rs7i1400bjjmZ.42468
The IP and port of the sender > the IP and port of the receiver. The port is sometimes shown as a protocol name, such as http, ssh or mysql.
Flags [R]
TCP flags, showing the state of the packet. Possible values include [S.], [.], [P.] and [F.] (S = SYN, . = ACK, P = PSH, F = FIN, R = RST).
seq, ack, fin
Represent the steps of TCP's three-way handshake and four-way close. seq is the sequence number of the request, ack is the acknowledgement number, and fin indicates completion. The sequence numbers shown here are relative values; the -S option prints absolute values.
win
The size of the current receive window
length
The length of the packet payload, from which you can do a simple check of whether the request was received correctly
The output above only allows a simple analysis. You can use the -w option to write the packets to a file; the packets recorded in the file are far more detailed than the command-line output, and an analysis tool can then examine the file further. Wireshark is recommended: it is open source and easy to use out of the box, so it is not described in detail here.
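As an added example that is not part of the original article, the following shell script uses awk to parse lines in the output format described above (as printed with -n, so addresses are not resolved) and summarises flags, payload bytes and connection resets. The capture lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the one-line-per-packet
# output described above, as printed by "tcpdump -i any -n port 8080".
# The capture text below is constructed sample data, not a real capture.
CAPTURE='20:17:43.496528 IP 192.168.1.110.42468 > 192.168.1.111.8080: Flags [S], seq 1000, win 64240, length 0
20:17:43.496701 IP 192.168.1.111.8080 > 192.168.1.110.42468: Flags [S.], seq 2000, ack 1001, win 65160, length 0
20:17:43.496820 IP 192.168.1.110.42468 > 192.168.1.111.8080: Flags [.], ack 1, win 502, length 0
20:17:43.497100 IP 192.168.1.110.42468 > 192.168.1.111.8080: Flags [P.], seq 1:78, ack 1, win 502, length 77
20:17:43.498300 IP 192.168.1.111.8080 > 192.168.1.110.42468: Flags [P.], seq 1:312, ack 78, win 509, length 311
20:17:43.499000 IP 192.168.1.110.42468 > 192.168.1.111.8080: Flags [F.], seq 78, ack 312, win 502, length 0
20:17:44.100000 IP 192.168.1.120.51000 > 192.168.1.111.8080: Flags [S], seq 5000, win 64240, length 0
20:17:44.100200 IP 192.168.1.111.8080 > 192.168.1.120.51000: Flags [R.], seq 0, ack 5001, win 0, length 0'

# Fields per line: $1 timestamp, $2 protocol, $3 source ip.port, $4 ">",
# $5 destination ip.port followed by ":", $6 "Flags", $7 the flag set like "[S.],".

# Number of packets whose flag set contains the given letter:
# S (SYN), . (ACK), P (PSH), F (FIN) or R (RST).
count_flag() {
    printf '%s\n' "$CAPTURE" | awk -v f="$1" '
        $6 == "Flags" && index($7, f) { n++ }
        END { print n + 0 }'
}

# Total payload bytes: the sum of every "length" field.
payload_bytes() {
    printf '%s\n' "$CAPTURE" | awk '
        { for (i = 1; i < NF; i++) if ($i == "length") sum += $(i + 1) }
        END { print sum + 0 }'
}

# Packets sent by the given source IP (the trailing ".port" is stripped).
packets_from() {
    printf '%s\n' "$CAPTURE" | awk -v h="$1" '
        $2 == "IP" { src = $3; sub(/\.[^.]*$/, "", src); if (src == h) n++ }
        END { print n + 0 }'
}

# Hosts that received a reset (RST): a quick way to spot connection
# attempts the service refused.
reset_receivers() {
    printf '%s\n' "$CAPTURE" | awk '
        $6 == "Flags" && $7 ~ /R/ { dst = $5; sub(/\.[^.]*:$/, "", dst); print dst }' | sort -u
}

echo "SYN=$(count_flag S) PSH=$(count_flag P) FIN=$(count_flag F) RST=$(count_flag R)"
echo "payload bytes: $(payload_bytes)"
echo "reset received by: $(reset_receivers)"
```

To run it on a real capture, replace the CAPTURE text with the saved output of tcpdump -n (for example redirected to a file with -l).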
Common command combinations
Capture packets on port 8080
tcpdump -i any port 8080
Capture packets sent from 192.168.1.110 to 192.168.1.111
tcpdump -i any src host 192.168.1.110 and dst host 192.168.1.111
Capture packets from the 192.168 network segment except those sent by 192.168.1.110
tcpdump -i any src net 192.168 and 'src host not 192.168.1.110'
Capture packets on port 8080 and write them to the file dump.log
tcpdump -i any port 8080 -w dump.log
Notes
1. tcpdump needs to be run with administrator privileges: use sudo or the root user.
2. Captured packets can only be judged roughly from the length field. For detailed analysis, use a packet analysis tool such as Wireshark.
What is a Linux system? Linux is a free, freely distributed UNIX-like operating system. It is a POSIX-based multi-user, multi-tasking, multi-threaded operating system with multi-CPU support, and it can run the major Unix tools, applications and network protocols.
That is all about how to use tcpdump, the packet capture tool for Linux systems. For more on this topic, you can search the previous articles or browse the following ones. I believe the editor will bring you more knowledge; I hope you will keep supporting us!