How to use the tcpdump tool in Linux

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to use the tcpdump tool in Linux. The method introduced here is simple, fast and practical; follow along to learn how to use tcpdump in Linux.

Let's start with the most basic usage:

The code is as follows:

tcpdump -i eth0

eth0 is the value of the -i parameter: the network interface on which packets are captured. It is a required parameter.

The tcpdump options and their meanings:

-i: specify the network interface that tcpdump listens on

-s: specify how many bytes of each packet to capture (the snapshot length)

-c: specify the number of packets to capture; tcpdump stops automatically when that number is reached

-w: write the captured packets to a file instead of printing them

-A: print each captured packet as ASCII visible characters

-n: do not resolve addresses to domain names; display IP addresses

-nn: additionally do not resolve port numbers to application (service) names; display the port number

-e: print link-layer information for each captured packet, including the source and destination MAC addresses and the network-layer protocol

-p: do not put the NIC into promiscuous mode; cannot be used together with host or broadcast

-r: read packets from a file instead of a live interface

-S: print absolute TCP sequence numbers instead of relative sequence numbers

tcpdump supports many filter keywords. Here are a few examples:

(example 1) tcpdump -i eth0 host 192.168.0.250 : captures all packets to or from host 192.168.0.250 on interface eth0.

(example 2) tcpdump -i eth0 net 192.168.0.0/24 : captures all packets to or from the network 192.168.0.0/24 on interface eth0.

(example 3) tcpdump -i eth0 port 80 : captures all packets with port 80 on interface eth0 (note that no distinction is made between source port and destination port).

Of course, we can also specify the source port or destination port explicitly:

(example 4) tcpdump -i eth0 src port 80 and dst port 6100 : captures packets with source port 80 and destination port 6100 on interface eth0; here the logical operator and is used.

(example 5) tcpdump -i eth0 icmp : captures all ICMP packets on interface eth0.

The above examples can roughly reflect the basic usage of tcpdump.

tcpdump filter keywords fall into three main groups. The first are type keywords, mainly host, net and port, as in examples (1), (2) and (3) above. The second are direction keywords, mainly src, dst, src or dst, and src and dst, which indicate the direction of transmission, as in example (4). The third are protocol keywords, including fddi, ip, arp, rarp, tcp, udp, icmp and others, as in example (5).

Besides these three groups there are other important keywords, such as gateway, broadcast, less and greater, and three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions to meet our needs.

Counting HTTP requests with tcpdump

The HTTP request statistics meant here are QPS (requests per second) and the ten most requested URLs. Normally such statistics are computed from the website's access log. But when we arrive at an unfamiliar server and need to see the ten most requested URLs immediately, to make a first judgement about whether there is an attack, tcpdump is much easier: we do not need to know where the site log is, or whether site logging is even enabled. We simply capture the current HTTP packets with tcpdump and then filter them further to obtain the statistics we want. This feature has been integrated into EZHTTP; the following is a screenshot of the result:

The statistical method is described below.

1. Capture packets for 10 seconds.

The code is as follows:

tcpdump -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x504f' -w /tmp/tcp.cap -s 512 2>&1 &

sleep 10

kill $(ps aux | grep tcpdump | grep -v grep | awk '{print $2}')

This command listens on interface eth0 and captures the TCP packets whose 21st and 22nd bytes (counting from the start of the TCP header, so the first two payload bytes when the header carries no options) are "GE" or "PO", i.e. packets that start a GET or POST request, and writes them to the file /tmp/tcp.cap.

2. We now have a binary capture file covering the last 10 seconds; the next step is to extract the URL and Host of each GET/POST request with the strings command.

The code is as follows:

strings /tmp/tcp.cap | grep -E "GET /|POST /|Host:" | grep --no-group-separator -B1 "Host:" | grep --no-group-separator -A1 -E "GET /|POST /" | awk '{url=$2;getline;host=$2;printf ("%s\n", host "" url)}' > /tmp/url.txt

This command is the key to this article: strings prints all printable character sequences of the binary file tcp.cap, grep and awk then filter out the HTTP requests, and the spliced URL (domain name + URI) is written to the file /tmp/url.txt.

3. We now have all URLs requested in roughly the last 10 seconds, and the following statistics are easy to obtain, for example:

QPS:

The code is as follows:

((qps=$(wc -l /tmp/url.txt | cut -d' ' -f 1) / 10))

Top 10 most requested URLs, excluding static files:

The code is as follows:

grep -v -i -E "\.(gif|png|jpg|jpeg|ico|js|swf|css)" /tmp/url.txt | sort | uniq -c | sort -nr | head -n 10
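The three steps above as reusable shell functions, an added example that is not part of the original article. It also addresses a caveat of step 1: the tcp[20:2] filter matches only when the TCP header has no options, so the capture function reads the header length from the data offset field instead. capture_http() assumes coreutils timeout and is not run here; the parsing and statistics functions run on a constructed sample of strings output with invented hostnames.

```shell
#!/bin/sh
# Added example, not from the original article: the GET/POST statistics from
# steps 1-3 as shell functions, exercised below on a constructed sample of
# `strings` output so that no capture file is needed.

# Step 1. The article's tcp[20:2] test assumes a 20-byte TCP header, i.e. no
# TCP options. Reading the data offset from tcp[12] (high nibble, in 32-bit
# words) makes the match hold when options such as timestamps are present.
# Uses coreutils `timeout` instead of sleep + kill-by-grep.
capture_http() {   # capture_http IFACE SECONDS OUTFILE
    timeout "$2" tcpdump -i "$1" -s 512 -w "$3" \
      'tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4745 or tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x504f'
}

# Step 2. Turn `strings CAPFILE` output (stdin) into one "host/path" line per
# request: remember each GET/POST line and emit it when the next Host: header
# arrives, so headers sitting between the two lines do not break the pairing.
request_lines() {
    awk '/^(GET|POST) \// { path = $2; next }
         /^Host: / && path != "" { print $2 path; path = "" }'
}

# Step 3a. Requests per second over a window of $1 seconds (integer division,
# as in the article).
qps() {   # qps SECONDS < url.txt
    echo $(( $(wc -l | tr -d ' ') / $1 ))
}

# Step 3b. The N most requested URLs, static assets excluded.
top_urls() {   # top_urls N < url.txt
    grep -v -i -E '\.(gif|png|jpg|jpeg|ico|js|swf|css)' | sort | uniq -c | sort -nr | head -n "$1"
}

# Constructed sample standing in for `strings /tmp/tcp.cap` (hostnames invented).
SAMPLE='GET /index.php HTTP/1.1
Host: www.example.test
GET /logo.png HTTP/1.1
Host: www.example.test
POST /login HTTP/1.1
User-Agent: curl/8.0
Host: api.example.test
GET /index.php HTTP/1.1
Host: www.example.test'

printf '%s\n' "$SAMPLE" | request_lines > /tmp/url.txt
printf 'QPS: %s\n' "$(qps 10 < /tmp/url.txt)"
top_urls 10 < /tmp/url.txt
```

On a live host, replace the sample with `capture_http eth0 10 /tmp/tcp.cap` followed by `strings /tmp/tcp.cap | request_lines > /tmp/url.txt`.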

By now you should have a deeper understanding of how to use the tcpdump tool in Linux; you might as well try it out in practice. More related content is available in the relevant channels of this website; follow us and keep learning!
