2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The editor shares how to use tcpdump. Most people do not know much about it, so this article is offered for your reference; I hope you learn a lot from reading it. Let's get to know it!
1. TCPDump introduction
Tcpdump can capture the headers of packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides and, or, not and other logical operators to help you get rid of useless information. Tcpdump is a free network analysis tool; in particular, it provides its source code and exposes its interface, so it is highly extensible and a very useful tool for network maintenance and for users. Tcpdump ships with the basic FreeBSD system. Because it needs to put the network interface into promiscuous mode, ordinary users cannot run it normally, but users with root privileges can run it directly to obtain the information on the network. Therefore, the existence of a network analysis tool on a system is not a threat to the security of that computer, but a threat to the security of the other computers on the network.
We define tcpdump as simply as possible: dump the traffic on a network. It is a packet analysis tool that intercepts packets on the network according to the user's definition. As a classic, essential tool of system administrators on the Internet, tcpdump, with its powerful functions and flexible capture strategy, has become one of the necessities for every senior system administrator to analyze the network and troubleshoot problems.
2. The use of TcpDump
Normally, starting tcpdump directly will monitor all packets that flow through the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > [destination garbled in source]: udp
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
                0000 0000 0080 0000 1007 cf08 0900 0000
                0e80 0000 902b 4695 0980 8701 0014 0002
                000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
                ffff 0060 0004 ffff ffff ffff ffff ffff
                0452 ffff ffff 0000 e85b 6d85 4008 0002
                0640 4d41 5354 4552 5f57 4542 0000 0000
                0000 00
Tcpdump supports quite a number of parameters, such as using the -i parameter to specify the network interface tcpdump listens on, which is useful when the computer has multiple network interfaces; using the -c parameter to specify the number of packets to capture; using the -w parameter to write the captured packets to a file for later analysis; and so on.
However, the more complex tcpdump parameters are used for filtering, because the traffic on a network is very large: if all packets are captured indiscriminately, the amount of data is too large and the required packets are hard to find. The filter rules defined by these parameters capture only specific packets, narrowing the target and making it easier to analyze the problems in the network. Tcpdump uses parameters to specify the type, address, port and so on of the packets to be monitored. Making full use of these filter rules according to the specific network problem allows faults to be located quickly. Use man tcpdump to see how these filter rules are used.
Obviously, for security reasons, this kind of network analysis software should not be run on computers that are not used for network management, and to block it the bpfilter pseudo-device can be removed from the kernel. In general, network hardware and the TCP/IP stack do not support receiving or sending packets that have nothing to do with the local computer; to receive such packets, the network card must be put into promiscuous mode and the standard TCP/IP stack bypassed. Under FreeBSD this requires kernel support for the pseudo-device bpfilter. Therefore, network analysis tools such as tcpdump can be blocked by removing bpfilter support from the kernel.
When the network card is set to promiscuous mode, the system leaves a record in the console and log files, reminding the administrator to check whether the system is being used as a springboard against other computers on the same network.
May 15 16:27:20 host1 /kernel: fxp0: promiscuous mode enabled
Although network analysis tools can record the data transmitted on the network, the data flow on the network is quite large, so how to analyze, classify and compute statistics on these data, and find and report errors, is the more critical problem. Packets on the network belong to different protocols, and the packet formats of different protocols differ. Therefore it is more important for a protocol analysis tool to decode the captured data and display as much of the information in the packet as possible. The advantage of expensive commercial analysis tools is that they support many application layer protocols, not just low-level protocols such as tcp and udp.
As can be seen from the tcpdump output above, tcpdump did not decode the captured data thoroughly; most of the packet contents were printed directly in hexadecimal. Obviously this is not convenient for analyzing network faults. The usual solution is to use tcpdump with the -w parameter to capture the data and save it to a file, and then use another program to decode and analyze it. Of course, filter rules should also be defined to prevent the captured packets from filling the entire hard disk. A useful decoding program provided by FreeBSD is tcpshow, which can be installed from the Packages Collection.
# pkg_add /cdrom/packages/security/tcpshow*
# tcpdump -c 3 -w tcpdump.out
tcpdump: listening on fxp0
# tcpshow < tcpdump.out
---------------------------------------------------------------------------
Packet 1
TIME:   12:00:59.984829
LINK:   00:10:7B:08:3A:56 -> 01:80:C2:00:00:00 type=0026
Packet 2
TIME:   12:01:01.074513 (1.089684)
LINK:   00:A0:C9:AB:3C:DF -> FF:FF:FF:FF:FF:FF type=ARP
ARP:    htype=Ethernet ptype=IP hlen=6 plen=4 op=request
        sender-MAC-addr=00:A0:C9:AB:3C:DF sender-IP-address=202.102.245.3
        target-MAC-addr=00:00:00:00:00:00 target-IP-address=202.102.245.3
Packet 3
TIME:   12:01:01.985023 (0.910510)
LINK:   00:10:7B:08:3A:56 -> 01:80:C2:00:00:00 type=0026
Tcpshow can decode packets and display the decoded data in several ways; users can choose the most appropriate parameters for analyzing the captured packets according to its manual. As can be seen from the above example, the protocols supported by tcpshow are not rich, and it cannot decode protocols it does not support.
In addition to tcpdump, two network analysis tools, Ethereal and Sniffit, are also provided in FreeBSD's Packages Collection, as well as other security tools based on network analysis. Ethereal runs under X Window and has a good graphical interface; Sniffit uses a character-mode window and is also easy to operate. However, because tcpdump has better support for filter rules, system administrators still prefer it.
For experienced network administrators, these network analysis tools can be used not only to understand how the network works and where faults occur, but also to carry out useful statistical work, such as which protocol generates the dominant traffic, which host is the busiest, where the network bottleneck is, and so on. Therefore the network analysis tool is a valuable system tool for network management.
To prevent data from being intercepted by a misused network analysis tool, the key is to solve the problem in the physical structure of the network. The common method is to use a switch or bridge to separate the trusted network from the untrusted network; this prevents the external network from eavesdropping on internal data transmission, but it still cannot solve the data security problem when the internal network communicates with the external network. If there is not enough money to upgrade a shared hub to an Ethernet switch, a FreeBSD system can be used to perform the bridging task. This requires recompiling the kernel with the BRIDGE kernel option, and then using the bridge command to start the bridge function.
Tcpdump uses the command line, and its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
        [-i interface] [-r file] [-s snaplen]
        [-T type] [-w file] [expression]
(1) Introduction to the options of tcpdump
-a convert network and broadcast addresses into names
-d print the packet-matching code in a human-readable assembly format
-dd print the packet-matching code as a C language program fragment
-ddd print the packet-matching code in decimal form
-e print the data link layer header information on each output line
-f print foreign Internet addresses numerically
-l make standard output line-buffered
-n do not convert network addresses into names
-t do not print a timestamp on each output line
-v output slightly more detailed information, such as the ttl and type-of-service fields that an ip packet may contain
-vv output detailed packet information
-c stop after receiving the specified number of packets
-F read the expression from the specified file, ignoring other expressions
-i specify the network interface to listen on
-r read packets from the specified file (usually generated with the -w option)
-w write packets directly to the file without analyzing and printing them
-T interpret captured packets directly as the specified type of message; common types are rpc (remote procedure call) and snmp (simple network management protocol)
(2) Introduction to tcpdump expressions
An expression is the filter condition tcpdump uses to select packets. If a packet satisfies the expression, it is captured. If no condition is given, all packets on the network are captured. The keywords in expressions are generally of several types.
The first are type keywords, mainly host, net and port. For example, host 210.27.48.2 indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, and port 23 indicates port number 23. If no type is specified, the default type is host.
The second are the direction keywords src, dst, dst or src and dst and src, which indicate the direction of transmission. For example, src 210.27.48.2 indicates that the source address of the ip packet is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the default is src or dst.
The third are protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface); in fact it is an alias for ether. fddi and ether have similar source and destination addresses, so fddi packets can be processed and analyzed as ether packets. The other keywords indicate the protocol of the packets to listen for. If no protocol is specified, tcpdump listens for packets of all protocols.
In addition to these three types of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', and is 'and' or '&&', or is 'or' or '||'. These keywords can be combined into powerful compound conditions to meet people's needs; here are a few examples.
A. To capture all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
B. To capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command (be sure to escape the parentheses with '\' on the command line):
# tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)
C. To capture the ip packets of host 210.27.48.1 communicating with all hosts except host 210.27.48.2, use the command:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D. To capture the telnet packets received or sent by host 210.27.48.1, use the following command:
# tcpdump tcp port 23 and host 210.27.48.1
E. To monitor the local udp port 123 (the ntp service port):
# tcpdump udp port 123
F. The system will only monitor the communication packets of the host named hostname. The hostname can be the local host or any computer on the network. The following command reads all data sent by the host hostname:
# tcpdump -i eth0 src host hostname
G. The following command monitors all packets sent to the host hostname:
# tcpdump -i eth0 dst host hostname
H. We can also monitor packets passing through a specified gateway:
# tcpdump -i eth0 gateway gatewayname
I. If you also want to monitor TCP or UDP packets addressed to a specified port, execute the following command:
# tcpdump -i eth0 host hostname and port 80
(3) Introduction to the output of tcpdump
Let's look at the output of several typical tcpdump commands.
A. Data link layer header information
Use the command: # tcpdump -e host ice
ice is a Linux host, and its MAC address is 0:90:27:58:AF:1A.
H219 is a SUN workstation with SOLARIS installed, and its MAC address is 8:0:20:79:5b:46. The output of the previous command is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet . 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the time displayed and 847509 is the ID number; eth0 means the packet passed through network interface device eth0; 8:0:20:79:5b:46 is the MAC address of host H219, indicating that the packet was sent from the source address H219; 0:90:27:58:af:1a is the MAC address of host ICE, indicating that the destination of the packet is ICE. ip indicates that the packet is an IP packet, 60 is the length of the packet, and h219.33357 > ice.telnet indicates that the packet is sent from port 33357 of host H219 to the telnet port (23) of host ICE. ack 22535 indicates an acknowledgement of the packet with sequence number 22535. win 8760 indicates that the size of the send window is 8760.
B. Tcpdump output for ARP packets
Use the command: # tcpdump arp
The output is as follows:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet is sent from this host, arp indicates that it is an ARP request packet, who-has route tell ice indicates that host ICE requests the MAC address of host ROUTE, and 0:90:27:58:af:1a is the MAC address of host ICE.
C. Output of TCP packets
The general output of a TCP packet captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst indicates from source address to destination address; flags are the flag bits in the TCP packet: S is the SYN flag, F (FIN), P (PUSH), R (RST), and "." means no flags are set. data-seqno is the sequence number range of the data in the packet, ack is the next expected sequence number, window is the size of the receive window, urgent indicates whether there is an urgent pointer in the packet, and options are the TCP options.
D. Output of UDP packets
The general output of a UDP packet captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple. The output line above indicates that a UDP packet is sent from port port1 of host ROUTE to port port2 of host ICE; the type is UDP and the length of the packet is length.
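An added example (not part of the original article): a Python parser for the TCP, UDP and ARP line formats just described, which also recognises the -e link-layer prefix shown in section A. The sample lines are constructed from the page's own examples; the interface-name pattern and the output field names are my own assumptions.

```python
import re

# Added example (not from the original article): a parser for the classic
# tcpdump line formats described above, TCP ("src.port > dst.port: flags
# seq:end(len) ack N win N"), UDP ("src.port > dst.port: udp len") and ARP
# ("arp who-has X tell Y" / "arp reply X is-at MAC"). The "-e" prefix from
# section A (interface, direction, MACs, "ip <len>:") is recognised when present.
# The interface-name pattern and output field names are my own assumptions.
PREFIX = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:(?P<iface>[a-z]+\d*)\s+(?P<dir>[<>])\s+)?"
    r"(?:(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+ip\s+\d+:\s+)?(?P<rest>.+)$")
ENDPOINTS = r"^(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+"
TCP = re.compile(ENDPOINTS + r"(?P<flags>[SFPR.]+)(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
                 r"(?:\s+ack\s+(?P<ack>\d+))?(?:\s+win\s+(?P<win>\d+))?(?:\s+urg\s+(?P<urg>\d+))?")
UDP = re.compile(ENDPOINTS + r"udp\s+(?P<len>\d+)")
ARP = re.compile(r"^arp\s+(?:who-has\s+(?P<target>\S+)\s+tell\s+(?P<sender>\S+)"
                 r"|reply\s+(?P<host>\S+)\s+is-at\s+(?P<mac>[0-9a-f:]+))")
FLAGS = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST"}   # "." alone means no flags

def parse_line(line):
    """Return a dict describing one tcpdump output line, or None if unrecognised."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None and k != "rest"}
    rest = m.group("rest")
    if (t := TCP.match(rest)):
        rec.update(proto="tcp", **{k: v for k, v in t.groupdict().items() if v is not None})
        rec["flags"] = [FLAGS[c] for c in t.group("flags") if c != "."]
        for k in ("seq", "end", "len", "ack", "win", "urg"):
            if k in rec:
                rec[k] = int(rec[k])
    elif (u := UDP.match(rest)):
        rec.update(proto="udp", **u.groupdict())
        rec["len"] = int(rec["len"])
    elif (a := ARP.match(rest)):
        rec.update(proto="arp", **{k: v for k, v in a.groupdict().items() if v is not None})
        rec["op"] = "request" if "target" in rec else "reply"
    else:
        return None
    return rec

# Constructed sample lines modelled on the page's examples (not a real capture).
SAMPLE = """\
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
12:05:01.100000 route.53 > ice.1025: udp 64
"""

def parse_capture(text=SAMPLE):
    """Parse every recognised line of a tcpdump text dump."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```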
3. Auxiliary tools
(1) To view the usage of TCP or UDP ports, use netstat -anp.
If some processes are not visible, for example only "-" is displayed, you can try
sudo netstat -anp
To see information about a port, use the lsof command, such as:
sudo lsof -i :631
-bash-3.00# netstat -tln
The netstat -tln command is used to view the port usage of Linux.
/etc/init.d/vsftp start is used to start the ftp port.
Look at the file /etc/services.
netstat
View connected service ports (ESTABLISHED)
netstat -a
View all service ports (LISTEN, ESTABLISHED)
sudo netstat -ap
View all service ports and display the corresponding service program names
nmap <scan type> <scan parameters>
For example:
nmap localhost
nmap -p 1024-65535 localhost
nmap -PT 192.168.1.127-245
When we use netstat -apn to look at network connections, we will find many lines like the following:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 52 218.104.81.152:7710 211.100.39.250:29488 ESTABLISHED 6111/1
It shows that this server has opened port 7710, so which program does this port belong to? We can use the lsof -i :7710 command to query:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1990 root 3u IPv4 4836 TCP *:7710 (LISTEN)
In this way, we know that port 7710 belongs to the sshd program.
(2) Troubleshooting error messages when running the tcpdump command
tcpdump: no suitable device found
tcpdump: no devices found /dev/bpf4: A file or directory in the path name does not exist.
There are two possible causes:
1. Insufficient permissions: generally, without special handling, only the root user can use tcpdump.
2. By default only 4 tcpdump instances can run at the same time; once they are used up this error is reported, and the extra tcpdump processes need to be stopped.
The above is the whole content of this article, "How to use Tcpdump". Thank you for reading! I believe everyone now has some understanding of it; I hope the shared content helps you, and if you want to learn more, welcome to follow the industry information channel!