2025-01-16 Update From: SLTechnology News&Howtos > Servers
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to use the tcpdump command in Linux, as a reference for readers who want to understand the relevant knowledge.
The tcpdump command ("dump the traffic on a network") is a packet analysis tool that captures packets on the network according to filter expressions defined by the user.
Tcpdump captures the headers of packets transmitted over the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you strip out useless information.
Practical command examples
Start with defaults
tcpdump
Normally, starting tcpdump with no arguments monitors all packets flowing through the first network interface.
Monitor packets for a specified network interface
The code is as follows:
tcpdump -i eth2
If you do not specify a network interface, tcpdump by default monitors only the first network interface, usually eth0. Most of the following examples do not specify a network interface.
Monitor packets for specified hosts
Print all packets entering or leaving sundown.
The code is as follows:
tcpdump host sundown
You can also specify an IP address. For example, to capture all packets received and sent by host 210.27.48.1:
The code is as follows:
tcpdump host 210.27.48.1
Print packets exchanged between helios and either hot or ace
The code is as follows:
tcpdump host helios and \( hot or ace \)
Capture traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3
The code is as follows:
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
Print IP packets exchanged between ace and any other host, excluding packets involving helios.
The code is as follows:
tcpdump ip host ace and not helios
To capture the IP packets that host 210.27.48.1 exchanges with all hosts except 210.27.48.2, use the command:
The code is as follows:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Capture all packets sent by host hostname
The code is as follows:
tcpdump -i eth0 src host hostname
Monitor all packets sent to host hostname
The code is as follows:
tcpdump -i eth0 dst host hostname
Monitor packets for specified hosts and ports
If you want to capture the telnet packets received or sent by host 210.27.48.1, use the following command:
The code is as follows:
tcpdump tcp port 23 and host 210.27.48.1
Monitor UDP port 123 on this machine; 123 is the service port of NTP.
The code is as follows:
tcpdump udp port 123
Monitor packets for a specified network
Print all packets between the local host and hosts on the Berkeley network (nt: ucb-ether can be understood here as the network address of the 'Berkeley network'; literally, the expression prints all packets whose network address is ucb-ether)
The code is as follows:
tcpdump net ucb-ether
Print all FTP packets that pass through the gateway snup (note that the expression is enclosed in single quotation marks, which prevents the shell from misinterpreting the parentheses)
The code is as follows:
tcpdump 'gateway snup and (port ftp or ftp-data)'
Print all IP packets between local hosts and hosts not on the local network
If the local network is connected to another network through a gateway, the other network does not count as the local network. (nt: this sentence was awkward to translate and may need revision. localnet should be replaced with the name of the actual local network.)
The code is as follows:
tcpdump ip and not net localnet
Monitor packets for specified protocols
Print the start and end packets (the SYN and FIN packets) of each TCP session where the source or destination is not a host on the local network. (nt: localnet should be replaced with the name of the actual local network)
The code is as follows:
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
Print all packets whose source or destination port is 80, whose network-layer protocol is IPv4, and which carry data, excluding data-free packets such as SYN, FIN and ACK-only packets. (The IPv6 version of the expression is left as an exercise.)
The code is as follows:
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
(nt: ip[2:2] is the total length of the IP packet; (ip[0]&0xf)<<2 is the length of the IP header in bytes (the header length field counts 32-bit words, so it is converted to bytes by shifting left by 2). Similarly, (tcp[12]&0xf0)>>4 is the TCP header length in 32-bit words, converted to bytes as ((tcp[12]&0xf0)>>4)<<2, i.e. (tcp[12]&0xf0)>>2. So ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0 means: the total length of the IP packet minus the IP header length minus the TCP header length is not 0, i.e. the IP packet carries TCP data. For the IPv6 version, consider the difference between the 'Payload Length' field and the header length instead, and replace 'ip[]' with 'ip6[]'.)
Print IP packets longer than 576 bytes that pass through the gateway snup
The code is as follows:
tcpdump 'gateway snup and ip[2:2] > 576'
Print all IP-layer broadcast or multicast packets that were not sent as Ethernet-layer broadcast or multicast frames
The code is as follows:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
Print ICMP packets other than 'echo request' or 'echo reply' (for example, this expression is used when you need to print the packets generated by every program other than ping).
(nt: the two ICMP packet types 'echo request' and 'echo reply' are usually generated by ping programs)
The code is as follows:
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
Tcpdump and Wireshark
Wireshark (formerly Ethereal) is a very easy-to-use packet capture tool on Windows, but it is hard to find a good graphical capture tool on Linux.
Fortunately there is tcpdump. The two make a perfect combination: capture the packets on Linux with tcpdump, then analyze the capture file in Wireshark on Windows.
tcpdump -i eth2 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port ! 22 and src net 192.168.1.0/24'
(1) tcp: the protocol keyword (ip, icmp, arp, rarp, tcp, udp, etc.) is placed first in the filter expression to select the type of datagram.
(2) -i eth2: capture only packets that pass through interface eth2
(3) -t: do not print timestamps
(4) -s 0: by default tcpdump captures only the first 68 bytes of each packet; with -s 0 the complete packet is captured.
(5) -c 100: capture only 100 packets
(6) dst port ! 22: do not capture packets whose destination port is 22
(7) src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24
(8) -w ./target.cap: save the capture as a cap file for analysis with Ethereal (i.e. Wireshark)
Capturing HTTP packets using tcpdump
The code is as follows:
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
0x4745 is the first two letters "GE" of "GET", and 0x4854 is the first two letters "HT" of "HTTP".
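As an added example (not code from the original article), the following Python reproduces the byte arithmetic of the data-carrying filter ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0 and of the tcp[20:2] HTTP filter above, checked against constructed IPv4/TCP packets; build_packet, ip_field, tcp_field and the other function names are chosen here. It also shows why tcp[20:2] assumes a 20-byte TCP header: when the header carries options, offset 20 lands in the options rather than in the payload.

```python
import struct

def build_packet(payload, ip_opts=b"", tcp_opts=b"", flags=0x18):
    """Constructed IPv4+TCP packet for testing (documentation addresses, zero checksums;
    ip_opts/tcp_opts must be multiples of 4 bytes). Not a real capture."""
    ihl = 5 + len(ip_opts) // 4           # IP header length in 32-bit words
    doff = 5 + len(tcp_opts) // 4         # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80])) + ip_opts
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, flags, 65535, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload

def ip_field(pkt, off, size=1):
    """ip[off:size] in tcpdump syntax: big-endian integer read from the IP header."""
    return int.from_bytes(pkt[off:off + size], "big")

def tcp_field(pkt, off, size=1):
    """tcp[off:size]: the offset is relative to the TCP header, which BPF locates via the IHL."""
    ip_hdr_len = (pkt[0] & 0xF) << 2
    return int.from_bytes(pkt[ip_hdr_len + off:ip_hdr_len + off + size], "big")

def tcp_payload_len(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): total length minus both headers."""
    return ip_field(pkt, 2, 2) - ((ip_field(pkt, 0) & 0xF) << 2) - ((tcp_field(pkt, 12) & 0xF0) >> 2)

def has_tcp_data(pkt):
    """The 'tcp port 80 and ... != 0' filter: True only for segments that carry data."""
    return tcp_payload_len(pkt) != 0

def matches_http_filter(pkt):
    """tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854: bytes 20-21 of the TCP header are 'GE' or 'HT'.
    Offset 20 is the payload only when the TCP header has no options (data offset 5)."""
    return tcp_field(pkt, 20, 2) in (0x4745, 0x4854)

if __name__ == "__main__":
    syn = build_packet(b"", flags=0x02)                   # SYN, no data
    get = build_packet(b"GET / HTTP/1.1\r\n")             # request, 20-byte TCP header
    resp = build_packet(b"HTTP/1.1 200 OK\r\n")           # response
    get_opts = build_packet(b"GET / HTTP/1.1\r\n", tcp_opts=b"\x01" * 12)  # 12 bytes of TCP options
    print(has_tcp_data(syn), has_tcp_data(get))           # False True
    print(matches_http_filter(get), matches_http_filter(resp))  # True True
    print(matches_http_filter(get_opts))                  # False: offset 20 lands in the options
```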
Tcpdump does not fully decode the captured data; most of the packet contents are printed directly in hexadecimal. This is obviously not convenient for analyzing network faults, so the usual approach is to capture with the -w option, save the data to a file, and then use another program (such as Wireshark) to decode and analyze it. Of course, filter rules should still be defined so that the captured packets do not fill the entire hard disk.
Meaning of output information
First, note that the general output format of tcpdump is: system time, source host.port > destination host.port, packet parameters
The output format of tcpdump depends on the protocol. The following briefly describes the most commonly used formats, with examples.
Link layer header
For FDDI networks, '-e' causes tcpdump to print the 'frame control' field, the source and destination addresses, and the length of each packet. (The frame control field controls how the other fields in the packet are interpreted. Ordinary packets (such as IP datagrams) are 'async' (asynchronous) packets with a priority of 0 to 7; for example, 'async4' means the packet is asynchronous with priority 4.) Such packets are assumed to contain an LLC (logical link control) packet; in this case, if it is not an ISO datagram or a so-called SNAP packet, its LLC header is printed (nt: this should refer to the header of the LLC packet contained in this packet).
For Token Ring networks, '-e' causes tcpdump to print the 'frame control' and 'access control' fields of each packet, the source and destination addresses, and the packet length. As with FDDI networks, such packets are assumed to contain an LLC packet. Whether or not '-e' is given, the source routing information is always printed for 'source-routed' packets on this network (nt: presumably packets whose source route is recorded; the exact meaning is unclear).
For 802.11 networks (WLAN, i.e. wireless local area networks), '-e' causes tcpdump to print the 'frame control' field of each packet, all addresses contained in the packet header, and the packet length. As with FDDI networks, such packets are assumed to contain an LLC packet.
(Note: the following description assumes that you are familiar with the SLIP compression algorithm (nt: SLIP is the Serial Line Internet Protocol), which is described in RFC-1144.)
For a SLIP link (nt: a SLIP link, i.e. a connection established over a serial line, can be regarded as a network here), the packet's direction indicator ("I" for inbound, "O" for outbound), type and compression information are printed. The packet type is printed first.
The types are ip, utcp and ctcp (nt: the exact meaning of the latter two is unclear and needs to be added). For ip packets, no connection information is printed (nt: on SLIP links, connection information for ip packets may be useless or undefined; to be reconfirmed). For TCP packets, the connection ID is printed immediately after the type. If the packet is compressed, its encoded header is printed.
For a special-case compressed packet, this is shown as:
*S+n or *SA+n, where n is the amount by which the sequence number (or the sequence number and acknowledgement number) has increased or decreased (nt: the meaning of S and SA here needs to be retranslated).
For a compressed packet that is not a special case, zero or more 'changes' are printed. A change is printed in the following format:
'flag' followed by +n, -n or =n, then the packet data length and the compressed header length.
The 'flag' can take the following values:
U (urgent pointer), W (window), A (acknowledgement), S (sequence number), I (packet ID); '=n' indicates that a new value is given, and +/- indicates an increase or decrease.
For example, an outgoing compressed TCP packet with an implicit connection ID, whose acknowledgement number increased by 6, sequence number by 49 and packet ID by 6, with 3 bytes (octets) of data and a 6-byte compressed header, would be printed as a sequence of such changes followed by the data length and the header length. (nt: so this would not be a special-case compressed packet.)
ARP/RARP packets
The output of tcpdump for ARP/RARP packets contains the request type and the corresponding parameters of the request; the format is simple and clear. Here are sample packets from the beginning of an 'rlogin' session (Telnet) from host rtsg to host csam:
The code is as follows:
arp who-has csam tell rtsg
arp reply csam is-at CSAM
The first line says: rtsg sent an ARP packet (nt: broadcast to the entire network segment) to ask for the Ethernet address of csam.
csam responded with its own Ethernet address (nt: see below). In this output, Ethernet addresses are identified by names in uppercase, while Internet addresses (i.e. IP addresses) are identified by names in all lowercase.
If you use tcpdump -n, you see the Ethernet and IP addresses instead of name identifiers:
The code is as follows:
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
If you use tcpdump -e, you can see that the first packet is a network-wide broadcast while the second is point-to-point:
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
The first packet shows that the source Ethernet address of the ARP packet is RTSG, the destination address is the Ethernet broadcast address, and the value of the type field is hexadecimal 0806 (ETHER_ARP, the type identifier of ARP packets (nt)).
The total length of the packet is 64 bytes.
That is all on how to use the tcpdump command in Linux. I hope the above content is of some help and that you can learn more from it. If you think the article is good, please share it with more people.