What are the syntax and parameters of tcpdump

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about the syntax and parameters of tcpdump. This article explains them in detail, with worked commands and a guide to reading the output.

I. A brief introduction to tcpdump

tcpdump is a powerful packet capture and analysis tool on Linux. Its filter expressions are built from three kinds of keywords.

1.1 The first kind of keyword gives the object type: host, net, port

host 210.27.48.3 means the single host 210.27.48.3; net 202.0.0.0 means the network 202.0.0.0 (write net 202.0.0.0/8 or net 202.0.0.0 mask 255.0.0.0 to make the prefix length explicit); port 23 means TCP or UDP port 23. If no type keyword is given, host is assumed.

1.2 The second kind of keyword gives the direction of transmission: src, dst, src or dst, and src and dst.

src means the source, dst the destination. If no direction keyword is given, src or dst is assumed, so host 210.27.48.3 matches packets sent to or from that host.

1.3 The third kind of keyword names the protocol: ip, arp, rarp, tcp, udp, icmp, fddi and so on. If no protocol is given, every protocol consistent with the type matches, so port 23 means tcp port 23 or udp port 23.

II. Syntax

tcpdump [-adeflnNOpqStvx] [-c count] [-dd] [-ddd] [-F file] [-i interface] [-r file] [-s snaplen] [-tt] [-T type] [-vv] [-w file] [expression]

The expression at the end is the filter built from the keywords above; everything before it is options.

Use -i to name the network interface tcpdump listens on, which matters when the machine has more than one interface. Note that this is a lowercase i: in current releases the uppercase -I switches a wireless interface into monitor mode.

Use -c to stop after the given number of packets.

Use -w to write the raw captured packets to a file instead of printing them.

The general shape of a tcpdump output line is: timestamp source-host.port > destination-host.port packet-details

Note that tcpdump lists the headers of packets passing through the given interface, which on Linux requires root (or a tcpdump binary granted the CAP_NET_RAW and CAP_NET_ADMIN capabilities).

Run without an expression, tcpdump captures every packet header seen on the interface; the volume is enormous, so always filter.

III. Details of specific parameters

-A prints each packet (minus its link-layer header) in ASCII, which is handy for reading HTTP and other text protocols.

-c count stops after count packets have been received.

-C file_size checks, before writing each raw packet to the -w file, whether the file is larger than file_size; if so it closes the file and opens a new one with a running number appended to the name. The unit of file_size is millions of bytes (1,000,000 bytes, not 1,048,576).

-d dumps the compiled packet-matching code in a human-readable assembly-like form and exits.

-dd dumps the packet-matching code as a C program fragment.

-ddd dumps the packet-matching code as decimal numbers, preceded by a count.

-D lists the interfaces on the system that tcpdump can capture from.

-e prints the link-layer header (for Ethernet, the source and destination MAC addresses) on each output line.

-E spi@ipaddr algo:secret decrypts IPsec ESP packets addressed to ipaddr that carry the security parameter index spi, using the given algorithm and secret. A secret on the command line is visible in the process list; tcpdump can also read it from a file.

-f prints "foreign" IPv4 addresses numerically rather than symbolically.

-F file reads the filter expression from file; any expression on the command line is then ignored.

-i interface selects the interface to listen on (lowercase i).

-l line-buffers standard output, which is needed when piping the output into another program, or into a file you want to watch while it is written (for example tcpdump -l | tee dat).

-L lists the known data-link types for the interface.

-m module loads the SMI MIB module definitions from the given file, for decoding SNMP. It may be repeated to load several modules.

-M secret uses secret as the shared secret for validating the digests of the TCP-MD5 option in TCP segments (see RFC 2385).

-n does not convert addresses (host addresses, port numbers and so on) to names.

-nn does not convert either host addresses or port and protocol numbers to names.

-N does not print the domain part of host names, so 'nic.ddn.mil' is printed as 'nic'.

-O does not run the packet-matching code optimizer; useful only when you suspect a bug in the optimizer.

-p does not put the interface into promiscuous mode.

-q quick (quiet) output: prints less protocol information, so lines are shorter. (The original listed this as -Q; in current tcpdump, -Q selects the capture direction: in, out or inout.)

-r file reads packets from file (normally one produced with -w) instead of from an interface.

-S prints TCP sequence numbers as absolute values rather than relative to the first segment of the connection.

-s snaplen captures only the first snaplen bytes of each packet. Old releases defaulted to 68 bytes, enough for the IP, ICMP, TCP and UDP headers but not for DNS or NFS data; current releases default to 262144 bytes, and -s 0 is treated the same. A snaplen that is too small truncates the stored packets, which is why -s 0 appears in the capture examples below.

-T type forces packets selected by the expression to be interpreted as the given type, for example rpc (remote procedure call) or snmp (Simple Network Management Protocol), which matters when a service runs on a non-standard port.

-t does not print a timestamp on each line.

-tt prints an unformatted timestamp (seconds since the epoch) on each line.

-ttt prints the time difference between the current line and the previous one.

-tttt prints a timestamp with the date, in the default format.

-u prints undecoded NFS handles.

-v produces slightly more verbose output, for example the TTL and type-of-service fields of IP packets.

-vv produces even more detailed output (for example NFS replies are fully decoded).

-w file writes the raw packets to file rather than parsing and printing them; they can be read back with -r or opened in Wireshark.

-x prints each packet (minus the link-layer header) in hex; -X prints hex and ASCII side by side, as used in the examples below.

Data filtering

The original article describes a -b option for selecting link-layer protocols (ip, arp, rarp, ipx), as in tcpdump -b arp. That option does not exist with this meaning in current tcpdump (there -b only changes how BGP AS numbers are printed); filter by protocol in the expression instead: tcpdump arp shows only ARP (address resolution) traffic.

-i selects the interface to filter on. If a router has at least two network interfaces, this option restricts the capture to packets passing through the named one. For example, tcpdump -i eth0 shows only the headers seen on eth0.

IV. Examples

4.1 Use tcpdump to sniff access to port 80 and see which source addresses hit it most (a command commonly used when analysing faults on a Linux web server):

# tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

-t drops the timestamp and -nn keeps addresses and ports numeric, so each line begins with the source address. The awk split on "." relies on that: with current tcpdump the line starts with "IP ", so the printed key is "IP 1.2.3.4", which still groups correctly, but check one raw line of output before trusting the counts.

4.2 A: capture all packets received and sent by host 210.27.48.1:

# tcpdump host 210.27.48.1

4.3 B: capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (the parentheses must be escaped from the shell):

# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

4.4 C: IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2 (not can be used in place of ! where the shell treats ! specially):

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

4.5 D: telnet packets received or sent by host 210.27.48.1:

# tcpdump tcp port 23 and host 210.27.48.1

4.6 E: monitor local UDP port 123, the NTP service port:

# tcpdump udp port 123

4.7 F: only packets sent by the host named hostname, which may be the local host or another one:

# tcpdump -i eth0 src host hostname

4.8 G: all packets sent to host hostname:

# tcpdump -i eth0 dst host hostname

4.9 H: packets passing through the specified gateway:

# tcpdump -i eth0 gateway gatewayname

4.10 I: ssh packets sent by host 192.168.228.246, without resolving names (-nn already covers what -n does). Use host instead of src host to see both directions:

# tcpdump -nn src host 192.168.228.246 and port 22 and tcp

4.11 J: the same, with the MAC addresses shown as well:

# tcpdump -e -nn src host 192.168.228.246 and port 22 and tcp

4.12 K: headers with source host 192.168.0.1 and destination network 192.168.0.0/24:

# tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

4.13 L: headers whose source Ethernet address is XXX (the address in the original is truncated):

# tcpdump ether src 00:50:04:BA:9B and dst ...

4.14 M: source host 192.168.0.1 and a destination port other than telnet, written line by line into test.txt:

# tcpdump -l src host 192.168.0.1 and not dst port telnet > test.txt

Protocol names such as ip, icmp, arp, rarp, tcp and udp can be placed first in the expression to restrict the type of datagram.

Example: how do I listen on eth0 for packets on port 22 whose source is 192.168.1.100?

Answer: tcpdump -i eth0 -nn port 22 and src host 192.168.1.100

Example: how do I capture traffic arriving on eth0 for 172.168.70.35 on TCP port 9080?

Answer: tcpdump -i eth0 dst 172.168.70.35 and tcp port 9080

Example: how do I capture the traffic between 172.16.70.35 and host 192.168.43.23 or host 192.168.43.24 and show it on the console, with 1024 bytes of each packet in hex and ASCII?

# tcpdump -X -s 1024 -i eth0 host \( 192.168.43.23 or 192.168.43.24 \) and host 172.16.70.35

Example: to save the HTTP packets received or sent by 119.75.219.38 to a file for a detailed report:

# tcpdump -w /tmp/111.pcap tcp port 80 and host 119.75.219.38

To save all traffic on port 80 with full-length packets:

# tcpdump -s 0 -w /tmp/222.pcap tcp port 80

The .pcap files can then be analysed with Wireshark, or read back with tcpdump -r.
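The following Python script is an added example, not code from the original article or from the tcpdump project. It writes a capture file in the classic pcap format that tcpdump -w produces and that Wireshark and tcpdump -r read, then reads it back. The snaplen argument stands in for -s: frames longer than snaplen are stored truncated, so a reader sees a caplen smaller than len. The two Ethernet/IPv4/TCP frames are constructed sample data (addresses taken from this article, checksums left at zero), and the file goes to a temporary path chosen by the script.

```python
"""Minimal pcap writer/reader mimicking tcpdump -w / -r (added example)."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # microsecond timestamps, written in the writer's byte order
LINKTYPE_ETHERNET = 1     # DLT_EN10MB, what tcpdump writes for an Ethernet interface
GLOBAL_HDR = "<IHHiIII"   # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, caplen (bytes stored), len (bytes on the wire)

MAC_ICE = bytes.fromhex("00902758af1a")    # 0:90:27:58:af:1a from section V
MAC_H219 = bytes.fromhex("080020795b46")   # 8:0:20:79:5b:46 from section V


def build_tcp_frame(payload_len, sport=33357, dport=23):
    """Constructed Ethernet/IPv4/TCP frame H219 -> ICE (sample data, zero checksums)."""
    eth = MAC_ICE + MAC_H219 + b"\x08\x00"           # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0x1234, 0x4000,
                     64, 6, 0, bytes([210, 27, 48, 2]), bytes([210, 27, 48, 1]))
    # data offset 5 words, flags PSH|ACK, window 8760 as in the article's sample line
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 22535, 5 << 4, 0x18, 8760, 0, 0)
    return eth + ip + tcp + bytes(payload_len)


def tcp_ports(frame):
    """Source and destination port of an Ethernet/IPv4/TCP frame without IP options."""
    return struct.unpack_from("!HH", frame, 14 + 20)


def write_pcap(path, frames, snaplen):
    """frames: iterable of (ts_sec, ts_usec, bytes). Truncates each frame to snaplen like -s."""
    with open(path, "wb") as f:
        f.write(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in frames:
            data = frame[:snaplen]
            f.write(struct.pack(RECORD_HDR, ts_sec, ts_usec, len(data), len(frame)))
            f.write(data)


def read_pcap(path):
    """Parse a little-endian classic pcap file into its header fields and records."""
    with open(path, "rb") as f:
        blob = f.read()
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from(GLOBAL_HDR, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unexpected pcap magic %#x (big-endian or pcapng file?)" % magic)
    off, records = struct.calcsize(GLOBAL_HDR), []
    while off + struct.calcsize(RECORD_HDR) <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from(RECORD_HDR, blob, off)
        off += struct.calcsize(RECORD_HDR)
        records.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "len": origlen,
                        "truncated": caplen < origlen, "data": blob[off:off + caplen]})
        off += caplen
    return {"snaplen": snaplen, "linktype": linktype, "records": records}


def roundtrip(snaplen):
    """Write two constructed frames with the given snaplen to a temp file and read them back."""
    frames = [(1109120412, 847509, build_tcp_frame(200)),   # 254-byte frame
              (1109120412, 850001, build_tcp_frame(6))]     # 60-byte frame
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames, snaplen)
        return read_pcap(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for rec in roundtrip(96)["records"]:
        print(rec["caplen"], rec["len"], rec["truncated"], tcp_ports(rec["data"]))
```

Run directly, the script prints caplen, original length and the truncation flag of each record: with snaplen 96 the 254-byte frame is cut to 96 bytes while its len field still says 254. That is exactly the condition Wireshark reports as "packet size limited during capture" for files written with a small -s, and the reason -s 0 is used when the payload matters.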

V. Reading the output

(1) Data-link-layer header information

# tcpdump -e host ICE

ICE is a Linux host whose MAC address is 0:90:27:58:AF:1A. H219 is a SUN workstation running Solaris whose MAC address is 8:0:20:79:5b:46. The command above produces output such as:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ICE.telnet 0:0(0) ack 22535 win 8760 (DF)

21:50:12.847509 is the timestamp (hours:minutes:seconds.microseconds), and eth0 < means the packet was received on interface eth0 (eth0 > would mean it was sent from it).

8:0:20:79:5b:46 is the MAC address of host H219, so the frame was sent by H219. 0:90:27:58:af:1a is the MAC address of host ICE, the destination of the frame.

ip says the frame carries an IP packet and 60 is the frame length in bytes. h219.33357 > ICE.telnet says the packet goes from port 33357 on H219 to the telnet port (23) on ICE.

ack 22535 acknowledges data up to sequence number 22535, and win 8760 is the receive window H219 is advertising, 8760 bytes. (DF) means the IP don't-fragment bit is set.

(2) Output of ARP packets

Use the command:

# tcpdump arp

The output looks like this:

22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)

22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

22:32:42.802509 is the timestamp (hours:minutes:seconds.microseconds), and eth0 > means the packet was sent from this host. arp marks it as an ARP packet; who-has route tell ICE means host ICE is asking for the MAC address of host route, and 0:90:27:58:af:1a is the MAC address of ICE. The second line, received on eth0, is the reply: route answers that its MAC address is 0:90:27:12:10:66.

(3) Output of TCP packets

The general form of a TCP line captured with tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst gives the source and destination address and port. flags are the TCP flags in the segment: S (SYN), F (FIN), P (PUSH), R (RST) and "." (none of these set); current releases print them as Flags [S.], where S. is SYN+ACK. data-seqno is the sequence-number range of the data carried, ack the next sequence number expected from the other side, window the size of the receive window, urgent whether an urgent pointer is present, and options the TCP options.

(4) Output of UDP packets

The general form of a UDP line captured with tcpdump is:

route.port1 > ICE.port2: udp length

UDP output is simple: the line says a UDP datagram was sent from port port1 on host route to port port2 on host ICE, and length is the length of the UDP payload.
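The following Python module is an added example (not code from the original article or from tcpdump). It parses the text output lines described in this section, as produced by tcpdump -nn with or without a timestamp, into their fields, and then uses the parsed records for the "who hits port 80 hardest" count of example 4.1 without the fragile awk split on dots. It also counts sources that send SYN without ACK, the shape a port scan or SYN flood leaves in a capture. Only IPv4 TCP, UDP and ARP lines are handled; the sample lines at the bottom are constructed, not a real capture.

```python
"""Parser for tcpdump -nn text output lines (added example, not from the article)."""
import re
from collections import Counter

# Optional leading timestamp, absent when tcpdump runs with -t.
_TS = r"(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
_IP_RE = re.compile(
    _TS + r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
_ARP_RE = re.compile(_TS + r"ARP, (?P<op>Request|Reply) (?P<info>.*), length (?P<length>\d+)$")
# Fields that may follow the address pair on a TCP/UDP line (section V's flags, seqno, ack, window).
_FIELD_RE = {
    "flags": re.compile(r"Flags \[(?P<v>[^\]]*)\]"),
    "seq": re.compile(r"\bseq (?P<v>\d+(?::\d+)?)"),
    "ack": re.compile(r"\back (?P<v>\d+)"),
    "win": re.compile(r"\bwin (?P<v>\d+)"),
    "length": re.compile(r"\blength (?P<v>\d+)"),
}


def parse_line(line):
    """Return a dict describing one tcpdump output line, or None if the line is not recognised."""
    line = line.strip()
    m = _IP_RE.match(line)
    if m:
        rec = {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
               "dst": m.group("dst"), "dport": int(m.group("dport"))}
        rest = m.group("rest")
        for name, rx in _FIELD_RE.items():
            f = rx.search(rest)
            if f:
                v = f.group("v")
                rec[name] = v if name in ("flags", "seq") else int(v)   # seq may be a range a:b
        if "flags" in rec:
            rec["proto"] = "tcp"
        elif rest.startswith("UDP,"):
            rec["proto"] = "udp"
        else:
            rec["proto"] = "ip"        # some other decoded protocol (NTP, DNS, ...)
        return rec
    m = _ARP_RE.match(line)
    if m:
        return {"ts": m.group("ts"), "proto": "arp", "op": m.group("op"),
                "info": m.group("info"), "length": int(m.group("length"))}
    return None


def top_sources(lines, dport=None, n=20):
    """Packets per source address, optionally only those aimed at dport (example 4.1)."""
    counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or "src" not in rec:
            continue
        if dport is not None and rec["dport"] != dport:
            continue
        counter[rec["src"]] += 1
    return counter.most_common(n)


def syn_only_sources(lines):
    """Sources sending SYN without ACK, i.e. connection attempts rather than replies."""
    counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("proto") == "tcp" and "S" in rec["flags"] and "." not in rec["flags"]:
            counter[rec["src"]] += 1
    return counter.most_common()


# Constructed sample of tcpdump -nn output (not a real capture).
SAMPLE = """\
21:50:12.847509 IP 192.168.228.246.40000 > 10.0.0.5.80: Flags [S], seq 1000, win 8760, length 0
21:50:12.848102 IP 10.0.0.5.80 > 192.168.228.246.40000: Flags [S.], seq 5000, ack 1001, win 29200, length 0
21:50:12.848377 IP 192.168.228.246.40000 > 10.0.0.5.80: Flags [P.], seq 1001:1081, ack 5001, win 8760, length 80
21:50:13.001200 IP 172.16.70.35.54321 > 10.0.0.5.123: UDP, length 48
21:50:13.002000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
21:50:13.100000 IP 203.0.113.9.51000 > 10.0.0.5.80: Flags [S], seq 7, win 1024, length 0
21:50:13.100500 IP 203.0.113.9.51001 > 10.0.0.5.80: Flags [S], seq 8, win 1024, length 0
21:50:13.101000 IP 203.0.113.9.51002 > 10.0.0.5.80: Flags [S], seq 9, win 1024, length 0
""".splitlines()

if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE, dport=80):
        print("%6d %s" % (count, ip))
    print("SYN-only sources:", syn_only_sources(SAMPLE))
```

To use it on live traffic, pipe tcpdump -i eth0 -nn -l dst port 80 into the script reading sys.stdin instead of SAMPLE; -l matters there, otherwise tcpdump's output stays block-buffered in the pipe.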

VI. Other aids

(1) To see which TCP and UDP ports are in use, run netstat -anp. If the program column shows only "-" for some sockets, those belong to processes owned by other users; run it as root:

# sudo netstat -anp

To see which process holds a given port, use lsof, for example for port 631 (CUPS):

# sudo lsof -i :631

netstat -tln lists the listening TCP ports:

# netstat -tln

/etc/init.d/vsftp start starts the FTP service, and with it its port.

netstat on its own lists established connections (ESTABLISHED); netstat -a lists all sockets (LISTEN and ESTABLISHED); sudo netstat -ap also shows the name of the owning program. On current distributions ss -tulpn gives the same information and is installed where netstat is not.

When looking at connections with netstat -apn you will see lines like:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 52 218.104.81.152:7710 211.100.39.250:29488 ESTABLISHED 6111/1

So this server has port 7710 open; which program does it belong to? lsof -i :7710 answers:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1990 root 3u IPv4 4836 TCP *:7710 (LISTEN)

Port 7710 belongs to sshd.

(2) Troubleshooting error messages from tcpdump

tcpdump: no suitable device found

tcpdump: no devices found /dev/bpf4: A file or directory in the path name does not exist.

Two causes:

1. Insufficient privileges: in general only root can run tcpdump.

2. On systems that capture through BPF devices (/dev/bpfN, as in the second message) only a fixed number of devices exist, here four, so at most four tcpdump instances can run at once. When they are all in use you get this error and must stop the surplus instances.
