How to use Tcpdump Command under linux

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the use of the tcpdump command under Linux: what the tool does, how to install it, how to write capture filter expressions, and how to read its output. The material was collected from several sources and organised into simple, usable steps.

Brief introduction to the network capture and analysis tool tcpdump

As the name implies (dump the traffic on a network), tcpdump captures the packets travelling on a network interface and prints their headers for analysis. Capture filters select packets by link-layer or network-layer protocol, host, network or port, and the operators and, or and not combine those conditions so that uninteresting traffic is discarded before it reaches you. tcpdump is a free tool that ships with its source code and is built on the libpcap interface, so it is easy to extend, and with its flexible capture filters it has become a standard part of every experienced system administrator's toolkit for understanding a network and troubleshooting faults. tcpdump is part of the FreeBSD base system. Because it must put the network interface into promiscuous mode, ordinary users cannot run it; a user with root privileges can run it directly and read whatever traffic is visible on the segment. The presence of a network analyser on a host is therefore not a threat to that host itself, but to the confidentiality of the traffic of the other hosts sharing the network.

Installation of the network capture and analysis tool tcpdump

Installing tcpdump under Linux is simple; there are generally two ways to do it. One is to install a prebuilt rpm package, the other is to build from source. (On current distributions tcpdump is in the standard repositories, so apt-get install tcpdump or dnf install tcpdump is usually all that is needed; the steps below describe the manual methods with the package names used in the original article.)

Installation from an rpm package: this is the easiest method. An rpm package contains the software already compiled and packaged in binary form, so it can be installed directly with the rpm command without changing anything. Log in as the superuser and run:

# rpm -ivh tcpdump-3_4a5.rpm

That is all it takes to install tcpdump into your Linux system.

Installation from source: since installing the rpm package is so simple, why bother with the more involved source installation? One of the great attractions of Linux is that most of its software comes with source code, and people can modify it to meet their own needs. For that reason I particularly recommend installing from source. Whichever form you download, verify the distribution's signature or checksum against the project's published values before building, since the tool will run as root.

The first step is to obtain the source. The tcpdump source distribution comes in two forms, a tar archive (tcpdump-3_4a5.tar.Z) and a source rpm (tcpdump-3_4a5.src.rpm). The content of both is the same; they differ only in how they are packed. The tar archive can be unpacked with:

# tar xvfz tcpdump-3_4a5.tar.Z

The source rpm can be installed with:

# rpm -ivh tcpdump-3_4a5.src.rpm

This unpacks the tcpdump source into the /usr/src/redhat/SOURCES directory.

The second step is to prepare to compile the source.

Before compiling, make sure that the libpcap library, which tcpdump requires, is installed. You also need a standard C compiler; under Linux this is generally gcc. In the tcpdump source directory there is a file Makefile.in; the configure command generates the Makefile from it. In Makefile.in you can adjust the BINDEST and MANDEST macro definitions to suit the system. The defaults are

BINDEST = @sbindir@

MANDEST = @mandir@

The first macro gives the path where the tcpdump binary is installed and the second the path of tcpdump's man page; change them if the system needs it.

Step 3: compile the source

Run the configure script in the source directory: it probes the system for the required attributes and generates the Makefile from Makefile.in. The tcpdump source is then compiled according to the rules in the Makefile with the make command, and make install installs the compiled tcpdump binary.

In summary:

# tar xvfz tcpdump-3_4a5.tar.Z

# vi Makefile.in

# ./configure

# make

# make install

(3) Using the network capture and analysis tool tcpdump

Normally, starting tcpdump with no arguments captures every packet that passes through the first network interface.

# tcpdump

tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > [...]: udp
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
                         0000 0000 0080 0000 1007 cf08 0900 0000
                         0e80 0000 902b 4695 0980 8701 0014 0002
                         000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
                         ffff 0060 0004 ffff ffff ffff ffff ffff
                         0452 ffff ffff 0000 e85b 6d85 4008 0002
                         0640 4d41 5354 4552 5f57 4542 0000 0000
                         0000 00
^C

tcpdump supports a large number of options. For example, -i selects the interface to listen on, which matters when the machine has several; -c limits the number of packets captured; -w writes the captured packets to a file for later analysis; and so on.

The more complex part of tcpdump's command line, however, is the filter expression. Network traffic volume is large, and capturing everything indiscriminately produces far more data than can be examined and buries the packets you actually need. The filter rules select specific packets so that the target is narrowed and the problem can be analysed. tcpdump lets you specify the protocol, addresses, ports and other properties of the packets to capture; applying these filter rules well, guided by the specific network problem, is what lets you localise a fault quickly. See man tcpdump (and the pcap-filter man page on newer systems) for the full filter syntax.

For security reasons, this kind of network analysis software should not be left on machines that are not used for network management, and on FreeBSD it can be disabled by removing the bpf pseudo device (Berkeley Packet Filter; bpfilter in older kernels) from the kernel. Normally the network hardware and the TCP/IP stack neither receive nor deliver packets that are not addressed to this machine; to see them, the network card has to be put into promiscuous mode and the standard TCP/IP stack bypassed. Under FreeBSD this requires kernel support for the bpf pseudo device, so removing bpf support from the kernel blocks tcpdump and similar tools (note that other software, such as the DHCP client dhclient, also depends on bpf). Under Linux the equivalent control is the CAP_NET_RAW capability (plus CAP_NET_ADMIN to enable promiscuous mode), which is why tcpdump is normally run as root.

When the network card is switched into promiscuous mode, the system leaves a record on the console and in the log files, which reminds the administrator to check whether the host is being used as a listening post against other computers on the same network (Linux logs the equivalent message, device eth0 entered promiscuous mode, in the kernel log):

May 15 16:27:20 host1 /kernel: fxp0: promiscuous mode enabled

Although a network analyser can record the data transmitted on the network, the volume is large, so the critical problem is how to analyse, classify and summarise the data and find and report errors. Packets belong to different protocols with different formats, so a protocol analysis tool should decode the captured data and show as much of the packet's content as possible. The advantage of expensive commercial analysers is that they decode many application-layer protocols, not just low-level ones such as TCP and UDP.

As the tcpdump output above shows, tcpdump did not decode the captured data fully; most of the packet content was printed as raw hexadecimal. This is not very helpful for diagnosing network faults. The usual approach is to capture with tcpdump -w into a file and then decode and analyse it with another program (on modern systems Wireshark or tshark read tcpdump's capture files directly). Filter rules should still be defined, and -c used where possible, so that the captured packets do not fill the whole disk. A decoder provided in the FreeBSD Packages Collection is tcpshow:

# pkg_add /cdrom/packages/security/tcpshow*

# tcpdump -c 3 -w tcpdump.out

tcpdump: listening on fxp0

# tcpshow < tcpdump.out

---------------------------------------------------------------------------
Packet 1
TIME:   12:00:59.984829
LINK:   00:10:7B:08:3A:56 -> 01:80:C2:00:00:00 type=0026
---------------------------------------------------------------------------
Packet 2
TIME:   12:01:01.074513 (1.089684)
LINK:   00:A0:C9:AB:3C:DF -> FF:FF:FF:FF:FF:FF type=ARP
ARP:    htype=Ethernet ptype=IP hlen=6 plen=4 op=request
        sender-MAC-addr=00:A0:C9:AB:3C:DF sender-IP-address=202.102.245.3
        target-MAC-addr=00:00:00:00:00:00 target-IP-address=202.102.245.3
---------------------------------------------------------------------------
Packet 3
TIME:   12:01:01.985023 (0.910510)
LINK:   00:10:7B:08:3A:56 -> 01:80:C2:00:00:00 type=0026

tcpshow can decode packets in several ways and display the decoded data in different formats; the appropriate parameters can be chosen from its manual. As the example shows, the set of protocols tcpshow supports is limited, and it cannot decode protocols it does not support.

Besides tcpdump, FreeBSD's Packages Collection also provides the analysers Ethereal (now Wireshark) and Sniffit, as well as other security tools built on packet capture. Ethereal runs under X Window with a good graphical interface; Sniffit uses a character-mode window and is also easy to operate. Because tcpdump has the most capable filter rules, system administrators still tend to prefer it. For an experienced administrator these tools show not only how the network works and where faults occur but also support useful statistics: which protocol dominates the traffic, which host is busiest, where the network bottleneck is, and so on. A network analyser is therefore a valuable system management tool. Preventing data from being captured by a misused analyser is ultimately a matter of the network's physical structure. The usual method is to separate trusted from untrusted networks with a switch or bridge, which stops the external network from eavesdropping on internal traffic, though it cannot protect data exchanged between the internal and external networks. A switch also only raises the bar: on a switched segment an attacker can still redirect traffic to itself by ARP spoofing or MAC flooding, so cleartext protocols such as the telnet sessions in the examples below should be replaced by encrypted ones rather than relying on switching alone. If there is no budget to replace a shared hub with an Ethernet switch, a FreeBSD system can perform the bridging task; this requires rebuilding the kernel with the BRIDGE option and then using the bridge command to start bridging.

tcpdump is a command-line tool; its command format is:

tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
        [-i interface] [-r file] [-s snaplen]
        [-T type] [-w file] [expression]

(2). Introduction to tcpdump filter expressions

The expression is the condition tcpdump uses to decide which packets to keep (it is a BPF filter expression, not a regular expression). A packet that satisfies the expression is captured; if no expression is given, every packet on the network is captured. The keywords in an expression fall into several groups.

The first group are the type keywords, mainly host, net and port: host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address (a CIDR suffix such as net 202.0.0.0/8 makes the mask explicit), and port 23 says the port number is 23. If no type is given, host is assumed.

The second group are the direction keywords: src, dst, src or dst and src and dst. For example, src 210.27.48.2 matches IP packets whose source address is 210.27.48.2, and dst net 202.0.0.0 matches packets whose destination network is 202.0.0.0. If no direction is given, src or dst is assumed.

The third group are the protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp (ether, ip6 and icmp are also available). fddi refers to the link-layer protocol of FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias for ether, since FDDI and Ethernet frames have similar source and destination addresses, so FDDI packets can be processed and analysed like Ethernet packets. The other keywords select the protocol of the captured packets. If no protocol is given, tcpdump captures packets of all protocols.

Besides these three groups, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is not or !, conjunction is and or &&, disjunction is or or ||. These keywords can be combined into powerful conditions. A few examples:

A. To capture all packets received or sent by host 210.27.48.1:

# tcpdump host 210.27.48.1

B. To capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (the parentheses must be escaped, or the whole expression single-quoted, so that the shell passes them through unchanged):

# tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

C. To capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

D. To capture the telnet packets received or sent by host 210.27.48.1 (the two conditions must be joined with and; juxtaposing them is a syntax error):

# tcpdump tcp port 23 and host 210.27.48.1

A filter can be checked before any capture is started: tcpdump -d 'expression' compiles it and prints the resulting BPF program (or a syntax error) and then exits.

(3). Introduction to tcpdump's output

Here is the output of several typical tcpdump commands.

A. Data link layer header information

Use the command

# tcpdump -e host ice

ice is a Linux host whose MAC address is 0:90:27:58:af:1a. h219 is a SUN workstation running Solaris whose MAC address is 8:0:20:79:5b:46. The output of the command is:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12.847509 is the timestamp, to microsecond precision (the fractional part is not an ID number). eth0 < indicates that the packet was received on interface eth0 (eth0 > would mean it was sent from this host). 8:0:20:79:5b:46 is the MAC address of h219, the source of the frame, and 0:90:27:58:af:1a is the MAC address of ice, its destination. ip says the packet is IP and 60 is the frame length in bytes. h219.33357 > ice.telnet means the packet goes from port 33357 of h219 to the telnet port (23) of ice. The . means that none of the SYN, FIN, PUSH or RST flags is set (a plain ACK); 0:0(0) is the sequence number range with 0 bytes of data; ack 22535 means h219 has received everything before sequence number 22535 and expects that byte next; win 8760 is h219's advertised receive window; (DF) means the IP don't-fragment bit is set.

B. ARP packet output

Use the command

# tcpdump arp

The output is:

22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

Analysis: 22:32:42.802509 is the timestamp (the fractional part is microseconds, not an ID number). eth0 > indicates that the packet was sent from this host; arp indicates an ARP packet, and who-has route tell ice means that host ice is asking for the MAC address of host route. 0:90:27:58:af:1a is the MAC address of ice. The second line is the reply, received on eth0: route announces that its MAC address is 0:90:27:12:10:66. An is-at reply for an address you care about (the gateway, for instance) that arrives unsolicited, or that disagrees with the MAC address you expect, is exactly the ARP spoofing pattern mentioned above, and a capture like this is the simplest way to spot it.

C. TCP packet output

The general form of a TCP packet captured with tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst gives the source and destination (host.port). flags are the TCP flags set in the segment: S (SYN), F (FIN), P (PUSH), R (RST), and . when none of these is set (a plain ACK or data segment). Current versions print the same information as Flags [S], Flags [S.], Flags [P.] and so on. data-seqno is the range of sequence numbers covered by the segment's data, ack is the next sequence number expected from the peer, window is the advertised size of the receive buffer, urgent indicates that the urgent pointer is set, and options are the TCP options (such as mss).

D. UDP packet output

The general form of a UDP packet captured with tcpdump is:

route.port1 > ice.port2: udp length

UDP is simple. The line above shows a UDP packet sent from port port1 of host route to port port2 of host ice; the type is UDP and length is the length of the UDP payload.
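The line formats described in C and D above are easy to parse, which is how a tcpdump text capture can be turned into a simple detector. The following is an added example, not code from the original article: it parses lines in the old src.port > dst.port: flags ... format (assumed captured with -n for numeric addresses and -t for no timestamps) and flags a source that sends bare SYNs (SYN set, no ack) to many ports of one target, the classic port-scan signature. The sample lines are constructed for the example, not real captured output, and the port threshold is an arbitrary choice.

```python
"""Added example (not from the original article): parse old-style tcpdump
TCP/UDP output lines and flag hosts that look like they are SYN-scanning.

Assumed line format (tcpdump run with -n and -t):
    src.sport > dst.dport: flags seq:seqend(len) [ack n] win w ...
    src.sport > dst.dport: udp length
"""
import re
from collections import defaultdict

# Constructed sample lines, written in the format shown in the article.
SAMPLE_LINES = """\
210.27.48.2.40001 > 210.27.48.1.21: S 1000:1000(0) win 8760 (DF)
210.27.48.2.40002 > 210.27.48.1.22: S 1001:1001(0) win 8760 (DF)
210.27.48.2.40003 > 210.27.48.1.23: S 1002:1002(0) win 8760 (DF)
210.27.48.1.23 > 210.27.48.2.40003: S 5000:5000(0) ack 1003 win 8760 (DF)
210.27.48.2.40004 > 210.27.48.1.25: S 1003:1003(0) win 8760 (DF)
210.27.48.2.40005 > 210.27.48.1.80: S 1004:1004(0) win 8760 (DF)
210.27.48.3.33357 > 210.27.48.1.23: . 0:0(0) ack 22535 win 8760 (DF)
210.27.48.3.1024 > 210.27.48.1.53: udp 43
"""

# flags is one or more of S F P R, or '.' when none is set; 'ack n' is optional.
TCP_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+) (?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
UDP_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"udp (?P<len>\d+)"
)


def parse_line(line):
    """Return a dict describing one tcpdump line, or None if it is not TCP/UDP."""
    m = TCP_RE.match(line)
    if m:
        d = m.groupdict()
        d["proto"] = "tcp"
        for k in ("sport", "dport", "seq", "seqend", "len", "win"):
            d[k] = int(d[k])
        d["ack"] = int(d["ack"]) if d["ack"] is not None else None
        return d
    m = UDP_RE.match(line)
    if m:
        d = m.groupdict()
        d["proto"] = "udp"
        for k in ("sport", "dport", "len"):
            d[k] = int(d[k])
        return d
    return None


def find_syn_scanners(text, min_ports=5):
    """Collect, per (src, dst) pair, the distinct destination ports hit by bare
    SYNs (SYN set and no ack, i.e. not a SYN/ACK reply) and return the pairs
    that touched at least min_ports ports."""
    ports = defaultdict(set)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["proto"] == "tcp" and "S" in pkt["flags"] and pkt["ack"] is None:
            ports[(pkt["src"], pkt["dst"])].add(pkt["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for (src, dst), hit in find_syn_scanners(SAMPLE_LINES).items():
        print(f"possible SYN scan: {src} -> {dst}, ports {hit}")
```

On the sample above the SYN/ACK from 210.27.48.1 is excluded by the ack check, so only 210.27.48.2 -> 210.27.48.1 (ports 21, 22, 23, 25, 80) is reported. In practice the same logic is run over tcpdump -n -t tcp output piped through a script, with the threshold tuned to the network.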

(1). Introduction to tcpdump's options

-a convert network and broadcast addresses into names

-ddd dump the compiled packet-matching code as decimal numbers (-d prints it in readable form, -dd as a C program fragment)

-f print foreign (non-local) Internet addresses numerically rather than as names

-l make standard output line-buffered, so the output can be piped to another program or saved while it is being watched

-n do not convert addresses into names (faster, and avoids the DNS lookups that would otherwise generate traffic from the capturing host)

-t do not print a timestamp on each line of output

-v slightly more detailed output, for example the TTL and type-of-service fields of the IP header

-vv even more detailed output

-c stop after receiving the specified number of packets

-F read the filter expression from the specified file, ignoring any expression given on the command line

-i specify the network interface to listen on

-r read packets from the specified file (usually one produced with -w)

-w write the raw packets to a file instead of analysing and printing them

-T interpret captured packets directly as the specified type of message; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol)

Transferred from: http://tcpdump.anheng.com.cn/news/24/586.html

Additional options:

-R parse ESP/AH packets according to the older specification (RFC 1825 to RFC 1829) rather than the current one (AH is the Authentication Header and ESP the Encapsulating Security Payload, both part of IPsec). With this option set, tcpdump does not print the replay-prevention field. Note also that the ESP/AH specification does not require a protocol version field in ESP/AH packets.

-r file

Read packet data from file. If file is -, tcpdump reads the packet data from standard input.

-S print TCP sequence numbers as absolute values rather than relative ones. (The relative sequence number is the difference from the sequence number of the first segment seen on the connection. For example, if the first packet received has absolute sequence number 232323, tcpdump prints the sequence numbers of the second and third packets as 1 and 2; with -S it prints their absolute sequence numbers, 232324 and 232325.)

-s snaplen

Set the number of bytes of each packet that tcpdump captures to snaplen. In older versions the default was 68 bytes (on SunOS, with the NIT network interface tap, the default and minimum is 96); current versions default to 262144 bytes, so truncation is rarely seen unless -s is given. 68 bytes is enough for the IP, ICMP (Internet Control Message Protocol), TCP and UDP headers, but packets of name services (DNS, NIS and the like) and NFS are cut off. When a packet is truncated, the marker [|proto] appears in the corresponding output line, where proto is the protocol at which the truncation happened. Note that a large snaplen increases the per-packet processing time and reduces the number of packets tcpdump can buffer, which can cause packet loss; so, provided the packets you need are captured completely, the smaller the snaplen the better. Setting snaplen to 0 tells tcpdump to choose a length large enough to capture whole packets.

-w write the raw packet data to a file instead of analysing and printing it. The data can later be read back, analysed and printed with the -r option.

-W filecount

Used together with the -C option, this limits the number of files created; when that number is reached tcpdump cycles back and overwrites the earlier files in turn, giving a rotating buffer. It also prefixes the file names with enough zeros that they sort correctly.
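The -w/-r file format and the -s snaplen described above are easiest to understand by looking at what ends up on disk. The following is an added example, not code from the original article or from the tcpdump project: it writes a capture file in the documented libpcap format the way tcpdump -w does, truncating each record to a snaplen, and reads it back the way -r does. Each record header stores both the captured length (at most snaplen) and the original length, and the [|proto] marker in tcpdump's output is exactly the case where the captured length is smaller than the original. The frame written is constructed for the example (a minimal Ethernet/IPv4/UDP frame with padded payload and unfilled checksums), and the file goes to a temporary path.

```python
"""Added example (not from the original article or the tcpdump project):
write a pcap file as tcpdump -w does, with snaplen truncation, and read it
back as -r does. The header layouts and constants are the documented libpcap
file format; the packet content is constructed for the example.
"""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # native-order magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
# magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
RECORD_HDR = struct.Struct("<IIII")


def build_udp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (checksums left at 0; enough for the
    file-format point being made). 14 + 20 + 8 header bytes plus payload."""
    eth = b"\x00\x90\x27\x58\xaf\x1a" + b"\x08\x00\x20\x79\x5b\x46" + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip_len = 20 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0,
                     bytes([210, 27, 48, 1]), bytes([210, 27, 48, 2]))
    udp = struct.pack("!HHHH", 1024, 53, udp_len, 0)
    return eth + ip + udp + payload


def write_pcap(path, frames, snaplen):
    """Write frames to path, keeping at most snaplen bytes of each, as -s does."""
    with open(path, "wb") as f:
        f.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            captured = frame[:snaplen]
            f.write(RECORD_HDR.pack(1_000_000 + i, 0, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Return (snaplen, linktype, records); each record is
    (captured_bytes, original_length, truncated)."""
    with open(path, "rb") as f:
        magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack(
            f.read(GLOBAL_HDR.size))
        if magic != PCAP_MAGIC:
            raise ValueError("not a native-order pcap file (magic 0x%08x)" % magic)
        records = []
        while True:
            hdr = f.read(RECORD_HDR.size)
            if len(hdr) < RECORD_HDR.size:
                break                              # clean end of file
            _sec, _usec, incl_len, orig_len = RECORD_HDR.unpack(hdr)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated pcap file")
            records.append((data, orig_len, incl_len < orig_len))
        return snaplen, linktype, records


def capture_demo(snaplen):
    """Write one 300-byte UDP frame with the given snaplen, read it back and
    return (captured_len, original_len, truncated)."""
    frame = build_udp_frame(b"A" * (300 - 42))
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, [frame], snaplen)
        _snap, _lt, recs = read_pcap(path)
        data, orig_len, truncated = recs[0]
        return len(data), orig_len, truncated
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("snaplen 68    :", capture_demo(68))       # old default: UDP payload cut off
    print("snaplen 262144:", capture_demo(262144))   # current default: whole frame kept
```

With snaplen 68 the record keeps the Ethernet, IP and UDP headers and the first 26 bytes of payload, which is why the old default was enough for header analysis but produced [|domain] or [|nfs] markers for DNS and NFS traffic. The file written here is in the same format tcpdump -r reads, so a practitioner can feed it to tcpdump -r or Wireshark to confirm the truncation marker.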

This concludes the study of how to use the tcpdump command under Linux. Combining theory with practice is the best way to learn, so go and try it.
