2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces "the use of tcpdump on a Linux system". Many people run into these situations in real cases, so let the editor walk you through how to handle them. I hope you will read it carefully and get something out of it!
A powerful network data acquisition and analysis tool in Linux
tcpdump is run from the command line, and its syntax is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]
1. Introduction to tcpdump's options
-a   convert network and broadcast addresses into names
-d   dump the compiled packet-matching code in a human-readable, assembler-like form
-dd  dump the packet-matching code as a C program fragment
-ddd dump the packet-matching code as decimal numbers
-e   print the data-link-layer header on each output line
-f   print foreign Internet addresses numerically rather than as names
-l   make standard output line-buffered
-n   do not convert network addresses into names
-v   produce slightly more verbose output, such as the TTL and type-of-service fields carried in the IP packet
-vv  produce even more verbose output
-c   stop after receiving the specified number of packets
-F   read the filter expression from the specified file, ignoring any expression given on the command line
-i   specify the network interface to listen on
-T   interpret captured packets directly as the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol)
2. Introduction to tcpdump's expressions
An expression is a filter condition: tcpdump captures only the packets that satisfy it.
In general, there are several kinds of keywords in an expression. The first is type keywords, mainly host, net and port. For example, host 210.27.48.2 specifies that 210.27.48.2 is a host, and net 202.0.0.0 specifies that 202.0.0.0 is a network address.
The second is the keywords that determine the direction of transmission: src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction is given, src or dst is assumed.
The third is protocol keywords, including fddi, ip, arp, rarp, tcp, udp and others. fddi selects a specific protocol on an FDDI (Fiber Distributed Data Interface) network; it is actually an alias for ether, since fddi and ether have similar source and destination addresses, so fddi packets can be processed and analysed as ether packets. The other keywords select the protocol of the packets to listen for. If no protocol is specified, tcpdump listens to packets of all protocols.
Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation ('not', '!'), conjunction ('and', '&&') and disjunction ('or', '||').
These keywords can be combined into powerful compound conditions to suit the user's needs. Here are a few examples.
(1) To capture all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
(2) To capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the following command (when using parentheses on the command line, be sure to escape them so the shell does not interpret them):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
(3) To capture the IP packets that host 210.27.48.1 exchanges with every host except 210.27.48.2, use the command:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To capture the telnet packets received or sent by host 210.27.48.1, use the following command:
# tcpdump tcp port 23 and host 210.27.48.1
3. Introduction to tcpdump's output
Here is the output of a few typical tcpdump commands.
(1) Data link layer header information
Use the command # tcpdump -e host ice
ice is a Linux host, and its MAC address is 0:90:27:58:AF:1A.
h219 is a SUN workstation running Solaris, and its MAC address is 8:0:20:79:5B:46.
The output of the command is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the time displayed, 847509 is the ID number, eth0 shows the packet was sent through network interface device eth0, 8:0:20:79:5b:46 is the MAC address of host h219 and shows that the packet comes from source h219, 0:90:27:58:af:1a is the MAC address of host ice and shows that the destination is ice, ip shows that the packet is an IP packet, 60 is the length of the packet, h219.33357 > ice.telnet shows that the packet goes from port 33357 of host h219 to the telnet port (23) of host ice, ack 22535 shows an acknowledgement of the packet with sequence number 22535, and win 8760 shows that the size of the send window is 8760.
(2) tcpdump output for ARP packets
Use the command # tcpdump arp
The output is as follows:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0 > shows that the packet was sent from this host, arp shows that it is an ARP request packet, who-has route tell ice shows that host ice is asking for the MAC address of host route, and 0:90:27:58:af:1a is the MAC address of host ice.
(3) Output for TCP packets
The general form of a TCP packet captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst shows the source and destination addresses; flags are the flag bits in the TCP packet, S being the SYN flag and F the FIN flag; data-seqno is the sequence-number range of the data carried in the packet; ack is the next expected sequence number; window is the size of the receive buffer window; urgent shows whether the packet carries an urgent pointer; options are the TCP options.
(4) Output for UDP packets
The general form of a UDP packet captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP output is very simple: the line above shows a UDP packet sent from port port1 of host route to port port2 of host ice, with a UDP length of length.
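To make the output layout of section 3 concrete, here is an added example (my own code, not from the article) that parses lines in the older tcpdump layout shown above into structured records. The sample lines are constructed around the article's hosts (ice, h219, route); the timestamps, MAC addresses and ports are illustrative, not real captures. Current tcpdump versions print a different layout (for example "IP a.b.c.d.33357 > e.f.g.h.23: Flags [S], ..."), so the regular expressions would need adjusting for them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample lines in the older tcpdump layout the article shows
# (hostnames, MACs and ports are illustrative; these are not real captures).
SAMPLE_LINES = [
    "21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: "
    "h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
    "22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)",
    "22:33:01.118200 eth0 > route.53 > ice.1024: udp 64",
]

MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
PREFIX = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+(?P<rest>.*)$")
# Link-layer fields are present only when tcpdump was run with -e.
LINK = re.compile(rf"^(?P<src_mac>{MAC})\s+(?P<dst_mac>{MAC})\s+(?P<etype>\S+)\s+(?P<flen>\d+):\s+(?P<rest>.*)$")
ARP_REQ = re.compile(rf"^arp who-has (?P<target>\S+) tell (?P<sender>\S+)(?: \((?P<mac>{MAC})\))?$")
ARP_REP = re.compile(rf"^arp reply (?P<target>\S+) is-at (?P<mac>{MAC})(?: \({MAC}\))?$")
UDP = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): udp (?P<len>\d+)$")
# src > dst: flags data-seqno ack window urgent options; every field after dst is optional.
TCP = re.compile(
    r"^(?P<src>\S+) > (?P<dst>[^\s:]+):?\s*"
    r"(?P<flags>[SFPR.]+)?\s*"
    r"(?:(?P<seq0>\d+):(?P<seq1>\d+)\((?P<datalen>\d+)\))?\s*"
    r"(?:ack (?P<ack>\d+))?\s*"
    r"(?:win (?P<win>\d+))?\s*"
    r"(?:urg (?P<urg>\d+))?\s*"
    r"(?P<opts><[^>]*>)?\s*"
    r"(?P<df>\(DF\))?$"
)


@dataclass
class Record:
    ts: str
    iface: str
    direction: str                      # ">" sent by this host, "<" received by it
    proto: str                          # tcp, udp, arp-request, arp-reply or unknown
    link: Dict[str, object] = field(default_factory=dict)
    fields: Dict[str, object] = field(default_factory=dict)


def parse_line(line: str) -> Record:
    m = PREFIX.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    rest, link = m["rest"], {}
    lm = LINK.match(rest)
    if lm:
        link = {"src_mac": lm["src_mac"], "dst_mac": lm["dst_mac"],
                "ethertype": lm["etype"], "frame_len": int(lm["flen"])}
        rest = lm["rest"]
    rec = Record(m["ts"], m["iface"], m["dir"], "unknown", link)
    if (a := ARP_REQ.match(rest)):
        rec.proto = "arp-request"
        rec.fields = {"target": a["target"], "sender": a["sender"], "sender_mac": a["mac"]}
    elif (a := ARP_REP.match(rest)):
        rec.proto = "arp-reply"
        rec.fields = {"target": a["target"], "mac": a["mac"]}
    elif (u := UDP.match(rest)):
        rec.proto = "udp"
        rec.fields = {"src": u["src"], "dst": u["dst"], "length": int(u["len"])}
    elif (t := TCP.match(rest)):
        rec.proto = "tcp"
        rec.fields = {
            "src": t["src"], "dst": t["dst"],
            "flags": t["flags"] or ".",  # old tcpdump prints "." when no flag is set
            "seq": (int(t["seq0"]), int(t["seq1"])) if t["seq0"] else None,
            "datalen": int(t["datalen"]) if t["datalen"] else 0,
            "ack": int(t["ack"]) if t["ack"] else None,
            "win": int(t["win"]) if t["win"] else None,
            "urgent": int(t["urg"]) if t["urg"] else None,
            "options": t["opts"],
            "dont_fragment": t["df"] is not None,
        }
    return rec


def parse_lines(lines: List[str]) -> List[Record]:
    return [parse_line(l) for l in lines if l.strip()]


def count_by_proto(records: List[Record]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.proto] = counts.get(r.proto, 0) + 1
    return counts


def cleartext_telnet_peers(records: List[Record]) -> Set[str]:
    """Endpoints seen on the telnet port, which the article's own example captures;
    telnet carries credentials unencrypted, so these are worth reviewing."""
    peers = set()
    for r in records:
        if r.proto == "tcp":
            for ep in (r.fields["src"], r.fields["dst"]):
                if ep.endswith(".telnet") or ep.endswith(".23"):
                    peers.add(ep)
    return peers


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for r in recs:
        print(r.ts, r.direction, r.proto, r.fields)
    print(count_by_proto(recs), cleartext_telnet_peers(recs))
```

The parser strips the optional -e link-layer prefix first, then tries the ARP, UDP and TCP layouts in turn, so the same function handles every line form the article shows.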
4. Examples
[root@www ~]# tcpdump -i eth2    # monitor packets on the specified network interface
[root@www ~]# tcpdump host webserver    # print all packets entering or leaving webserver
[root@www ~]# tcpdump host 210.27.48.1    # an IP address can also be given, e.g. to capture all packets received and sent by host 210.27.48.1
[root@www ~]# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)    # capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3
[root@www ~]# tcpdump ip host 210.27.48.1 and ! 210.27.48.2    # capture the IP packets host 210.27.48.1 exchanges with all hosts except 210.27.48.2
[root@www ~]# tcpdump -i eth0 src host webserver    # capture all data sent by host webserver
[root@www ~]# tcpdump -i eth0 dst host webserver    # monitor all packets sent to host webserver
[root@www ~]# tcpdump tcp port 23 and host 210.27.48.1    # capture the telnet packets received or sent by host 210.27.48.1
[root@www ~]# tcpdump udp port 123    # monitor UDP port 123 of this machine; 123 is the service port of ntp
[root@www ~]# tcpdump net ucb-ether    # print all packets between the local host and hosts on the Berkeley network (note: ucb-ether can be read here as the network address of the "Berkeley network"; literally, the expression prints all packets whose network address is ucb-ether)
[root@www ~]# tcpdump 'gateway snup and (port ftp or ftp-data)'    # print all ftp packets passing through gateway snup (note that the expression is enclosed in single quotes, which stops the shell from misinterpreting the parentheses)
[root@www ~]# tcpdump ip and not net localnet    # print IP packets that are neither from nor to the local network localnet
[root@www ~]# tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'    # print the start and end packets of TCP sessions where the source or destination is not a host on the local network (note: replace localnet with the name of the local network)
[root@www ~]# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'    # print all IPv4 packets with source or destination port 80 that actually carry data, rather than data-free packets such as SYN, FIN and ACK-only segments
[root@www ~]# tcpdump 'gateway snup and ip[2:2] > 576'    # print IP packets longer than 576 bytes passing through gateway snup
[root@www ~]# tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'    # print all IP-layer broadcast or multicast packets that are not Ethernet-layer broadcast or multicast frames
[root@www ~]# tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'    # print ICMP packets other than "echo request" and "echo reply" types
[root@www ~]# tcpdump tcp -i eth2 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap
# (1) tcp: protocol keywords such as ip, icmp, arp, rarp, tcp and udp are placed first to filter on the packet type
# (2) -i eth2: capture on interface eth2
# (3) -t: do not print timestamps
# (4) -s 0: by default only the first 68 bytes of each packet are captured; with -s 0 the complete packet is captured
# (5) -c 100: capture only 100 packets
# (6) dst port ! 22: do not capture packets whose destination port is 22
# (7) src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24
# (8) -w ./target.cap: save the capture to a cap file for later analysis with Ethereal (i.e. Wireshark)
[root@www ~]# tcpdump -XvvennSs 0 -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'    # capture HTTP packets with tcpdump (0x4745 is "GE" of GET and 0x4854 is "HT" of HTTP, read at offset 20 of the TCP segment, i.e. the first payload bytes when the TCP header has no options)
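The byte-offset filters in the last few commands are easier to follow when the arithmetic is spelled out: the ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) expression computes the TCP payload length, and tcp[20:2] = 0x4745 compares the two bytes at offset 20 of the TCP segment with "GE". The following is an added example, not code from the article: it builds a few constructed IPv4/TCP packets (addresses, ports, function names and checksums are my own, and the checksums are left zeroed) and evaluates the same offsets in Python the way BPF does. It also shows the edge case the fixed-offset HTTP filter gets wrong: when the TCP header carries options, tcp[20:2] reads option bytes instead of payload, whereas the variable-offset form tcp[((tcp[12]&0xf0)>>2):2], a standard tcpdump idiom, still reads the first payload bytes.

```python
import struct

# Constructed test packets only: IPv4 + TCP with zeroed checksums, never sent anywhere.
def ipv4_tcp_packet(payload: bytes, flags: int, tcp_options: bytes = b"", dport: int = 80) -> bytes:
    """Build a minimal IPv4 header (no options), a TCP header, optional TCP options and payload."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,            # version 4, IHL 5 (20 bytes)      -> ip[0]
                         0, total_len,    # TOS, total length                -> ip[2:2]
                         0, 0x4000,       # identification, flags (DF) / fragment offset
                         64, 6, 0,        # TTL, protocol TCP, checksum (zeroed)
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, dport,             # source / destination port
                          1, 0,                     # sequence and acknowledgement numbers
                          (tcp_hdr_len // 4) << 4,  # data offset in 32-bit words -> tcp[12]
                          flags, 8760, 0, 0)        # flags, window, checksum (zeroed), urgent
    return ip_hdr + tcp_hdr + tcp_options + payload


def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) << 2                    # (ip[0]&0xf)<<2

def tcp_header_len(pkt: bytes) -> int:
    ihl = ip_header_len(pkt)
    return (pkt[ihl + 12] & 0xF0) >> 2             # (tcp[12]&0xf0)>>2

def tcp_payload_len(pkt: bytes) -> int:
    total = struct.unpack("!H", pkt[2:4])[0]       # ip[2:2]
    return total - ip_header_len(pkt) - tcp_header_len(pkt)

def tcp_ports(pkt: bytes):
    ihl = ip_header_len(pkt)
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

def matches_http_with_data(pkt: bytes) -> bool:
    """Emulates: tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2)) != 0)"""
    return 80 in tcp_ports(pkt) and tcp_payload_len(pkt) != 0

def matches_http_fixed_offset(pkt: bytes) -> bool:
    """Emulates: tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854 ("GE" of GET, "HT" of HTTP).
    Correct only when the TCP header is exactly 20 bytes."""
    ihl = ip_header_len(pkt)
    return pkt[ihl + 20:ihl + 22] in (b"GE", b"HT")

def matches_http_variable_offset(pkt: bytes) -> bool:
    """Emulates: tcp[((tcp[12]&0xf0)>>2):2] = 0x4745 or tcp[((tcp[12]&0xf0)>>2):2] = 0x4854,
    which reads the first two payload bytes however long the TCP header is."""
    start = ip_header_len(pkt) + tcp_header_len(pkt)
    return pkt[start:start + 2] in (b"GE", b"HT")


# Constructed samples: a SYN, an ACK-only segment, a GET, the same GET with 12 bytes of
# TCP options (NOP, NOP, timestamp), and a GET to a non-80 port.
SYN = ipv4_tcp_packet(b"", 0x02)
ACK_ONLY = ipv4_tcp_packet(b"", 0x10)
GET = ipv4_tcp_packet(b"GET / HTTP/1.1\r\n", 0x18)
GET_WITH_OPTS = ipv4_tcp_packet(b"GET / HTTP/1.1\r\n", 0x18,
                                tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
OTHER_PORT = ipv4_tcp_packet(b"GET / HTTP/1.1\r\n", 0x18, dport=8080)

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("ACK_ONLY", ACK_ONLY), ("GET", GET),
                      ("GET_WITH_OPTS", GET_WITH_OPTS), ("OTHER_PORT", OTHER_PORT)]:
        print(f"{name:14} payload={tcp_payload_len(pkt):2} data-filter={matches_http_with_data(pkt)!s:5} "
              f"tcp[20:2]={matches_http_fixed_offset(pkt)!s:5} variable={matches_http_variable_offset(pkt)}")
```

The offsets here are relative to the start of the IP header, exactly as ip[] and tcp[] are in a tcpdump expression, so each Python function mirrors one filter from the command list.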
This is the end of the "tutorial on using tcpdump on a Linux system". Thank you for reading. If you want to learn more about the industry, you can follow the website, where the editor will publish more high-quality practical articles for you!