Tcpdump: a network data acquisition and analysis tool

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1. Tcpdump

1. Overview of tcpdump

tcpdump ("dump the traffic on a network") is a packet analysis tool that captures packets on the network according to filters defined by the user.

Packets travelling on the network can be captured in full for analysis. Filtering is supported on the network layer, protocol, host, network or port, and the logical operators and, or and not can be combined to narrow down what is captured.

2. Working principle

Normally the network hardware and the TCP/IP stack do not receive or send packets that are not addressed to this machine. To receive such packets you must put the network card into promiscuous mode (promisc) and bypass the standard TCP/IP stack. Under FreeBSD this requires kernel support for the pseudo device bpfilter. When a network card is switched to promiscuous mode the system leaves a record on the console and in the log files, which reminds the administrator to check whether the system is being used as a springboard against other computers on the same network.

3. Overall output format of tcpdump

system time  source host.port > destination host.port  packet parameters
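The one-line layout just described, turned into structured records and per-flow counts, as an added example that is not code from the original article. It assumes output produced with -nn (numeric hosts and ports), uses constructed sample lines rather than a real capture, and also accepts the epoch timestamps printed by -tt and flags the "[|proto]" marker tcpdump prints when snaplen cut a packet short.

```python
"""Parse tcpdump's one-line "time src.port > dst.port: details" output (-nn) into
records, accepting -tt epoch timestamps and flagging "[|proto]" snaplen truncation."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the shape "tcpdump -nn" prints; not a real capture.
SAMPLE_OUTPUT = """\
15:04:05.123456 IP 172.16.100.6.51234 > 172.16.100.7.80: Flags [S], seq 232323, win 64240, length 0
15:04:05.123900 IP 172.16.100.7.80 > 172.16.100.6.51234: Flags [S.], seq 88001, ack 232324, win 65160, length 0
15:04:05.124100 IP 172.16.100.6.51234 > 172.16.100.7.80: Flags [.], ack 1, win 502, length 0
1261798315.000100 IP 172.16.100.8.40000 > 172.16.100.6.53: 12345+ A? example.test. (30)
1261798315.000300 IP 172.16.100.6.53 > 172.16.100.8.40000: [|domain]
15:04:06.000000 ARP, Request who-has 172.16.100.1 tell 172.16.100.6, length 28
"""

# Timestamp in either form, protocol tag, then an optional IPv4 "host.port > host.port:".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+"
    r"(?P<proto>IP6?|ARP,)\s+"
    r"(?:(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):\s*)?"
    r"(?P<rest>.*)$"
)

@dataclass
class Packet:
    timestamp: str
    epoch_style: bool          # True for -tt output (seconds since the epoch)
    proto: str
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    truncated: bool            # "[|proto]" seen: the packet was cut short by snaplen
    detail: str

def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for one output line, or None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    return Packet(
        timestamp=ts, epoch_style=":" not in ts, proto=m.group("proto").rstrip(","),
        src=m.group("src"), sport=int(m.group("sport")) if m.group("sport") else None,
        dst=m.group("dst"), dport=int(m.group("dport")) if m.group("dport") else None,
        truncated="[|" in m.group("rest"), detail=m.group("rest"),
    )

def parse_output(text: str) -> list:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]

def summarise(packets):
    """Packets per (src, dst, dport) flow and per destination port, plus how many
    lines were truncated: the groupings a 'host A and B' or 'port 80' filter picks."""
    flows = Counter((p.src, p.dst, p.dport) for p in packets if p.src is not None)
    ports = Counter(p.dport for p in packets if p.dport is not None)
    return flows, ports, sum(1 for p in packets if p.truncated)
```

Feed it the saved text of a real run (tcpdump -nn -l ... | tee dat) to get the same counts over a live capture; a non-zero truncated count is the signal that snaplen (-s) is too small for the protocol you are decoding.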

2. Simple usage

1. Basic format

tcpdump [-AdDefIJKlLnNOpqRStuUvxX] [-B buffer_size] [-c count]
        [-C file_size] [-G rotate_seconds] [-F file]
        [-i interface] [-j tstamp_type] [-m module] [-M secret]
        [-P in|out|inout]
        [-r file] [-s snaplen] [-T type] [-w file]
        [-W filecount]
        [-E spi@ipaddr algo:secret,...]
        [-y datalinktype] [-z postrotate-command] [-Z user]
        [expression]

Description: run without any arguments, tcpdump picks the first network interface on the system and prints everything it captures on it.

2. Common options:

-i interface

The network interface on which to capture packets

-w FILE

Write the package directly to the file without parsing and printing it.

-n

IP address to hostname translation is not performed.

-nn

No IP address to hostname translation, no port name translation.

-A

Print each packet in ASCII (without the link-layer header)

-X

Print each packet in hexadecimal and ASCII

-XX

Same as -X, but the link-layer header is included

-v

Print slightly more detail, such as the TTL and type-of-service fields of the IP header

-vv

Print even more detailed packet information

3. Expressions

An expression is built from keywords, which fall into three classes and can be combined; several keyword groups can be joined with logical operators.

Type keywords

host, net, port

Direction keywords

src, dst, dst or src, dst and src

Protocol keywords

ether, ip, arp, rarp, tcp, udp, ...

Logical operators: negation (`!' or `not'), conjunction (`&&' or `and'), disjunction (`||' or `or')

Example:

tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

tcpdump -nn -i eth0 tcp port 80

tcpdump -nn -i eth0 host 172.16.100.6

tcpdump -nn -i eth0 src host 172.16.100.6

tcpdump -nn -i eth0 host 172.16.100.6 and 172.16.100.7 # traffic between the two hosts

tcpdump -nn -i eth0 host 172.16.100.6 and \(172.16.100.7 or 172.16.100.8\) # traffic between the first host and either of the other two

tcpdump ip host 210.27.48.1 and ! 210.27.48.2 # IP packets exchanged between 210.27.48.1 and every host except 210.27.48.2

Appendix: tcpdump options in brief

-A prints each packet in ASCII (without the link-layer header). Handy when capturing packets that carry web data, since the content can be read directly (nt: in other words, handy for capturing web pages).

-c count

tcpdump exits after receiving count packets.

-C file_size (nt: used together with the -w file option)

Before writing each raw packet to the save file, tcpdump checks whether the file is already larger than file_size. If it is, the current file is closed and a new one is opened to continue recording. The new file has the name given by -w with a number appended; the number starts at 1 and increases with each new file. file_size is in millions of bytes (nt: here this means 1000000 bytes, not 1048576 bytes; the latter is the result of counting 1024 bytes as 1K and 1024K as 1M, i.e. 1M = 1024 * 1024 = 1048576).

-d dumps the compiled packet-matching code in a human-readable form to standard output and then stops. (nt|rt: "human readable" normally means printed as ASCII text; "compiled" refers to the filter expression having been compiled; "packet-matching code" is the code that matches packets against that filter, and a fuller explanation still needs to be added.)

-dd dumps the packet-matching code as a C program fragment.

-ddd dumps the packet-matching code as decimal numbers (preceded by a count).

-D prints the list of network interfaces on which tcpdump can capture packets. For each interface a number, the interface name and, where available, a short description are printed. The name or the number can be passed to the -i option (nt: replace "flag" with the name or number) to select the interface to capture on.

This is useful on systems that have no command to list interfaces (nt: for example Windows, or UNIX systems without ifconfig -a); the interface number is especially handy on Windows 2000 and later, where interface names are long and awkward to type.

If the libpcap library that tcpdump was built against is too old to provide the pcap_findalldevs() function, -D is not supported.

-e prints the link-layer header of the packet on each output line

-E spi@ipaddr algo:secret,...

Use spi@ipaddr algo:secret to decrypt IPsec ESP packets (nt|rt: ESP, IPsec Encapsulating Security Payload. IPsec can be understood as a set of encryption protocols for IP packets; ESP encrypts either the whole IP packet, which is called tunnel mode, or only the upper-layer payload, which is called transport mode. The details of how it works still need to be added.)

Note that setting the secret is supported for IPv4 ESP packets.

The algorithms available are des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none. The default is des-cbc (nt: DES, Data Encryption Standard; a description of the algorithm still needs to be added). secret is the ESP key, given as an ASCII string; if it begins with 0x it is read as hexadecimal.

ESP here follows RFC 2406, not RFC 1827. This option is meant for debugging only and should not be used with a real secret, because it is not safe: a secret given on the command line is visible to other users through commands such as ps.

Instead of the syntax above (nt: spi@ipaddr algo:secret), you can also give tcpdump the name of a file containing that syntax (nt: i.e. replace the spi@ipaddr algo:secret,... part with a file name). The file is opened when the first ESP packet is received, so any special privileges given to tcpdump should have been dropped by then (nt: a precaution, so that if the file is tampered with the damage is limited).

-f prints "foreign" IPv4 addresses (nt: addresses that are not on the local network) numerically rather than as names. (This works around a shortcoming of Sun's NIS server (nt: NIS, Network Information Service, which tcpdump consults when resolving the names of foreign addresses): that server often hangs in an endless lookup loop when asked to resolve a non-local address.)

Because the test for a foreign IPv4 address relies on the IPv4 address and netmask of the local capture interface (nt: the interface tcpdump captures on), this option does not work properly if that address or mask cannot be obtained, or if the interface has no address and mask configured at all (nt: under Linux the 'any' interface has no address or mask, yet it receives packets from every interface on the system).

-F file

Read the filter expression from file; any expression given on the command line is ignored.

-i interface

Listen on interface. If no interface is given, tcpdump searches the system's interface list for the lowest-numbered configured interface (excluding loopback) and stops at the first one that qualifies.

On Linux with kernel 2.2 or later, the virtual interface 'any' can be used to receive packets from all interfaces (nt: including packets addressed to an interface and packets not addressed to it). Note that if a real interface is not in promiscuous mode, the packets it would only see in promiscuous mode cannot be captured on 'any' either.

If -D was used, the interface number it printed can also be given as the interface argument here.

-l makes standard output line-buffered (nt: each line is flushed as soon as the newline is written). This is useful when you want to watch the packets and save them to a file at the same time, for example by combining commands like:

tcpdump -l | tee dat        or        tcpdump -l > dat & tail -f dat

(nt: the former uses tee to send tcpdump's output to both the file dat and standard output; the latter redirects tcpdump's output into dat with '>' and then prints the contents of dat to standard output with tail.)

-L lists the data link types supported by the selected interface and exits (nt: the interface is selected with -i).

-m module

Load the SMI MIB module from the file module (nt: SMI, Structure of Management Information; MIB, Management Information Base). Both are used when decoding SNMP (Simple Network Management Protocol) packets; how SNMP works in detail still needs to be added.

This option can be given several times to load different MIB modules.

-M secret If TCP segments carry the TCP-MD5 option (described in RFC 2385), use secret for validating their digests.

-n does not convert addresses (host addresses, port numbers and so on) from numeric form to names.

-N does not print the domain part of host names. For example, with this option tcpdump prints 'nic' instead of 'nic.ddn.mil'.

-O does not run the optimizer on the packet-matching code. Useful when you suspect that a bug is caused by the optimizer.

-p does not put the interface into promiscuous mode. Note, however, that the interface may still be in promiscuous mode for some other reason, so '-p' cannot be used as a shorthand for the filter 'ether host {local-hw-addr} or ether broadcast' (the former matches packets whose Ethernet address is the local host's, the latter packets sent to the Ethernet broadcast address).

-q quick (nt: perhaps 'quiet' fits better) output: less protocol information is printed, so the output lines are shorter.

-R makes tcpdump parse ESP/AH packets according to the old specifications (RFC 1825 through RFC 1829) (nt: AH, Authentication Header; ESP, Encapsulating Security Payload; both belong to the IP packet security mechanism). With this option tcpdump does not print the replay prevention field. Also, because the ESP/AH specification has no protocol version field, tcpdump cannot deduce the ESP/AH version from the packets it receives.

-r file

Read packets from file. If file is '-', tcpdump reads the packet data from standard input.

-S prints TCP sequence numbers as absolute rather than relative values. (nt: a relative sequence number is the difference between a packet's sequence number and the initial sequence number of the connection. For example, if the first packet of a connection carries absolute sequence number 232323, tcpdump prints the sequence numbers of the second and third packets as 1 and 2, their offsets from the first; with -S it prints their absolute sequence numbers, 232324 and 232325.)

-s snaplen

Set the number of bytes tcpdump captures from each packet to snaplen. The default is 68 bytes (the minimum is 96 on SunOS systems with NIT, the network interface tap; nt: search for the keyword 'network interface tap' for details). 68 bytes is enough for IP, ICMP (nt: Internet Control Message Protocol), TCP and UDP headers, but packets of name services (nt: DNS, NIS and the like) and of NFS will be truncated. When a packet is truncated, the marker '[|proto]' appears on the corresponding output line (proto is the protocol layer at which truncation occurred). Note that a large snaplen increases the time needed to process each packet and reduces the number of packets tcpdump can buffer, which can lead to packet loss; so, as long as the data you need is captured, the smaller the snaplen the better. Setting snaplen to 0 lets tcpdump choose the length needed to capture whole packets.

-T type

Force tcpdump to interpret the packets selected by the expression as the protocol type. Known values for type are:

aodv (Ad-hoc On-demand Distance Vector protocol, a routing protocol used in ad hoc, i.e. peer-to-peer, networks)

cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol)

rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol)

tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool, an application-layer protocol for audio and video conferencing over the Internet), and wb (distributed White Board, an application-layer protocol that can be used for online conferencing).

-t does not print a timestamp on each output line

-tt prints an unformatted timestamp on each line (nt: this format is not obvious at a glance, e.g. a timestamp printed as 1261798315)

-ttt prints the delay (in milliseconds) between each output line and the previous one

-tttt prints the date in front of the timestamp on each line

-u prints undecoded NFS handles (nt: a handle can be understood as an NFS file handle, which may refer to a directory or to a file within it)

-U makes the file output packet-buffered when tcpdump is used with -w (nt: each packet is written to the file as soon as it is saved, rather than waiting until the output buffer is full).

The -U flag does not work with older versions of the libpcap library (nt: the packet capture library tcpdump depends on), because they lack the pcap_dump_flush() function.

-v produces more verbose output when analysing and printing. For example, the TTL, identification, total length and options of IP packets are printed. It also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.

-vv produces more verbose output than -v. For example, additional fields of NFS reply packets are printed and SMB packets are fully decoded.

-vvv produces more verbose output than -vv. For example, the SB and SE options of telnet are printed, and if telnet uses graphics options they are printed in hexadecimal as well (nt: the telnet SB and SE options are not explained here and need to be added).

-w writes the raw packets to the file instead of analysing and printing them. The file can later be read back, analysed and printed with the -r option.

-W filecount

This option is used together with -C and limits the number of files created. Once filecount files exist, the earliest file is overwritten in turn, which amounts to a ring buffer of filecount files. It also pads each file name with enough leading zeros for the files to sort correctly.

-x when analysing and printing, prints the headers of each packet and the packet data in hexadecimal (but not the link-layer header). The amount printed is at most the smaller of the whole packet and snaplen. Note that if the higher-layer data is shorter than snaplen and the link layer (for example Ethernet) pads the frame, the padding is printed too (nt: this is the meaning of "for link layers that pad" in the original, which the translator could not render).

-xx prints the headers of each packet and the packet data in hexadecimal, including the link-layer header.

-X when analysing and printing, prints the headers of each packet and the packet data in hexadecimal and ASCII (but not the link-layer header). This is very handy when analysing packets of a new protocol.

-XX when analysing and printing, prints the headers of each packet and the packet data in hexadecimal and ASCII, including the link-layer header. This is very handy when analysing packets of a new protocol.

-y datalinktype

Set tcpdump to capture only packets whose data link layer type is datalinktype

-Z user

Make tcpdump drop its superuser privileges (which it has when started as root) by changing the user ID of the tcpdump process to user and its group ID to the primary group of that user (nt: "tcpdump" here means the process that runs after tcpdump is started)
