How to understand the Network packet Analysis tool tcpdump

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

To answer the question of how to understand the network packet analysis tool tcpdump, this article gives the corresponding analysis and explanation in detail, in the hope of helping readers who want to solve this problem find a simpler and more practical method.

Preface

tcpdump is a tool for capturing network packets and printing their contents. Its powerful features and flexible capture filters make it the preferred tool for network analysis and troubleshooting on UNIX-like systems. tcpdump can filter on network layer, protocol, host, network or port, and provides and, or, not and other logical operators to help you discard irrelevant traffic.

Tcpdump syntax

Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [-B size] [-c count] [-C file_size]
               [-E algo:secret] [-F file] [-G seconds] [-i interface] [-j tstamptype]
               [-M secret] [-Q|-P in|out|inout] [-r file] [-s snaplen] [-T type]
               [-w file] [-W filecount] [-y datalinktype] [-z command] [-Z user]
               [expression]

Tcpdump semantics

Capture options

-c count: stop after capturing count packets.
-i interface: the interface tcpdump listens on. By default the first network interface is used.
-n: show addresses numerically instead of as hostnames, that is, -n disables hostname resolution.
-nn: in addition to -n, show ports as numbers instead of service names.
-P direction: capture only incoming or outgoing packets. The values that can be given are "in", "out" and "inout"; the default is "inout".
-s len: capture len bytes of each packet. If it is not set, the default is 65535 bytes. If the capture length is too small for a large packet, the packet is truncated and the output line is marked "[|proto]" (proto is printed as the actual protocol name). However, the larger len is, the longer each packet takes to process and the fewer packets tcpdump can buffer, which leads to packet loss; so, provided the packets you need are still captured whole, the smaller the capture length the better.

Output options

-e: print the data-link layer header, such as source MAC and destination MAC, on each output line.
-q: quick (quiet) output. Very little protocol information is printed, so the output lines are shorter.
-X: print each packet's data in both hexadecimal and ASCII.
-XX: like -X, but in more detail: the link-layer header is printed as well.
-v: produce verbose output when parsing and printing.
-vv: produce more verbose output than -v.
-vvv: produce more verbose output than -vv.

Other functional options

-D: list the interfaces available for capture. Both the interface number and the interface name are listed, and either can be given to -i.
-F file: read the capture filter expression from file. When this option is used, any expression given on the command line is ignored.
-w file: write raw packets to file instead of printing them to standard output. Combined with "-G seconds", the output is rotated to a new file every seconds seconds. Such files can later be loaded with "-r" for analysis and printing.
-r file: read packets from the given capture file. Use "-" to read from standard input.

Expressions

A basic expression unit has the form "proto dir type ID". For the full filter syntax, refer to pcap-filter (the packet filter syntax manual page).

type: host, net, port, portrange. For example: host 192.168.201.128, net 128.3, port 20, portrange 6000-6008.
dir: src, dst, src or dst, src and dst.
proto: tcp, udp, icmp. If no protocol is given, all protocols consistent with the type are matched.

Expression units are joined with the operators "and" (&&), "or" (||) and "not" (!) to form a complex condition. For example, "host foo and not port ftp and not port ftp-data" matches packets whose host is foo and whose port is neither ftp (port 21) nor ftp-data (port 20). The mapping between common ports and service names can be found in /etc/services on Linux.

Repeated modifiers can be omitted: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", that is, TCP packets whose destination port is ftp, ftp-data or domain (port 53).

Parentheses "()" change the precedence of an expression, but note that the shell interprets them, so escape them with a backslash or, more simply, enclose the whole expression in quotes.

Tcpdump examples

Monitor packets on a specified network interface

tcpdump -i eth0

Monitor packets for a specified host

tcpdump -i eth0 host 10.0.0.13

Monitor packets for two hosts

tcpdump -i eth0 host 10.0.0.11 and host 10.0.0.13

Monitor packets between one host and any host other than a second one

tcpdump -i eth0 host 10.0.0.11 and not host 10.0.0.13

Monitor packets sent by a host

tcpdump -i eth0 src host 10.0.0.11

Monitor packets sent to a host

tcpdump -i eth0 dst host 10.0.0.11

Monitor packets for a specified host and port

tcpdump -i eth0 host 10.0.0.11 and port 3306

Monitor packets of a specified network segment and capture only 10 packets

tcpdump -i eth0 -c 10 net 10.0

Monitor ftp packets passing through the gateway snup

tcpdump 'gateway snup and (port ftp or ftp-data)'

Monitor ping (ICMP) packets

tcpdump -c 5 -nn -i eth0 icmp

Monitor ICMP packets from a specified host

tcpdump -c 5 -nn -i eth0 icmp and src 10.0.0.11

Monitor packets to port 3306 of this machine

tcpdump -c 10 -nn -i eth0 tcp dst port 3306

Monitor complete, detailed packets

tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 3306

tcpdump and mysql

tcpdump command: tcpdump host 10.92.143.15 -tttt -S -nn
Log in to mysql: mysql -u root -h 10.92.143.15 -p
Run exit to quit the mysql client

# Three-way handshake: S stands for SYN, . stands for ACK, S. stands for SYN+ACK

2018-08-19 22:52:42.768100 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [S], seq 864854527, win 14600, options [mss 1460,sackOK,TS val 2246810963 ecr 0,nop,wscale 8], length 0
2018-08-19 22:52:42.810055 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [S.], seq 4288771247, ack 864854528, win 14480, options [mss 1460,sackOK,TS val 2062159250 ecr 2246810963,nop,wscale], length 0
2018-08-19 22:52:42.810065 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [.], ack 4288771248, win 58, options [nop,nop,TS val 2246811005 ecr 2062159250], length 0

# Login verification: the user name and password are exchanged. P stands for PUSH, meaning the segment carries data. This phase includes login authentication and the exchange of metadata such as version information.

2018-08-19 22:52:42.852102 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [P.], seq 4288771248:4288771308, ack 864854528, win 57, options [nop,nop,TS val 2062159292 ecr 2246811005], length 60
2018-08-19 22:52:42.852118 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [.], ack 4288771308, win 58, options [nop,nop,TS val 2246811047 ecr 2062159292], length 0
2018-08-19 22:52:42.853251 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [P.], seq 864854528:864854590, ack 4288771308, win 58, options [nop,nop,TS val 2246811048 ecr 2062159292], length 62
2018-08-19 22:52:42.?????? IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [.], ack 864854590, win 57, options [nop,nop,TS val 2062159335 ecr 2246811048], length 0
2018-08-19 22:52:42.?????? IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [P.], seq 4288771308:4288771319, ack 864854590, win 57, options [nop,nop,TS val 2062159335 ecr 2246811048], length 11
2018-08-19 22:52:42.895264 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [.], ack 4288771319, win 58, options [nop,nop,TS val 2246811090 ecr 2062159335], length 0
2018-08-19 22:52:42.?????? IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [P.], seq 864854590:864854627, ack 4288771319, win 58, options [nop,nop,TS val 2246811090 ecr 2062159335], length 37
2018-08-19 22:52:42.?????? IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [.], ack 864854627, win 57, options [nop,nop,TS val 2062159377 ecr 2246811090], length 0
2018-08-19 22:52:42.937405 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [P.], seq 4288771319:4288771409, ack 864854627, win 57, options [nop,nop,TS val 2062159377 ecr 2246811090], length 90
2018-08-19 22:52:42.937414 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [.], ack 4288771409, win 58, options [nop,nop,TS val 2246811132 ecr 2062159377], length 0

# Send exit; exactly 5 characters

2018-08-19 22:52:44.366633 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [P.], seq 864854627:864854632, ack 4288771409, win 58, options [nop,nop,TS val 2246812561 ecr 2062159377], length 5

# Four-way close: F stands for FIN, data transmission is complete

2018-08-19 22:52:44.366649 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [F.], seq 864854632, ack 4288771409, win 58, options [nop,nop,TS val 2246812561 ecr 2062159377], length 0

# This is the reply to exit

2018-08-19 22:52:44.408575 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [.], ack 864854632, win 57, options [nop,nop,TS val 2062160848 ecr 2246812561], length 0
2018-08-19 22:52:44.408618 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [.], ack 864854633, win 57, options [nop,nop,TS val 2062160848 ecr 2246812561], length 0
2018-08-19 22:52:44.408652 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [F.], seq 4288771409, ack 864854633, win 57, options [nop,nop,TS val 2062160848 ecr 2246812561], length 0
2018-08-19 22:52:44.408657 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [.], ack 4288771410, win 58, options [nop,nop,TS val 2246812603 ecr 2062160848], length 0

Illustration of the above packet interaction

With tcpdump we can analyze in detail the communication between the mysql client and the mysql server.

TCP uses a 3-way handshake to establish a connection.

TCP uses a 4-way handshake to close a connection.

Here a handshake means a single one-way request or reply between the mysql client and the mysql server.

A mysql client's login to the MySQL server therefore has three stages: the TCP 3-way handshake that establishes the connection, data transfer over that connection, and the 4-way handshake that tears it down.

Combining tcpdump with the connection state shown by netstat lets us dig into the harder cases where a mysql client cannot connect to the mysql server.
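To make the three stages above checkable rather than read by eye, here is a small parser for the text output of "tcpdump -tttt -S -nn" (absolute sequence numbers, numeric hosts). It is an added example, not code from the article: it verifies the 3-way handshake from the seq/ack arithmetic, counts payload bytes per direction and counts FIN and RST flags. The sample lines are constructed, modelled on the mysql capture shown above.

```python
import re

# One line of "tcpdump -tttt -S -nn" output: absolute seq/ack numbers, numeric hosts and ports.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],(?: seq (?P<seq>\d+)(?::\d+)?,)?(?: ack (?P<ack>\d+),)?"
    r" win \d+,.* length (?P<len>\d+)$")

def parse_line(line):
    """Return the fields of one tcpdump line as a dict, or None for a non-packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "ack", "len"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def summarize(lines):
    """Check the 3-way handshake, count payload bytes per direction and count FIN/RST flags."""
    pkts = [p for p in map(parse_line, lines) if p]
    res = {"handshake_ok": False, "bytes_to_server": 0, "bytes_to_client": 0, "fins": 0, "rsts": 0}
    if len(pkts) < 3:
        return res
    syn, synack, ack = pkts[:3]
    client = (syn["src"], syn["sport"])  # the side that sent the first SYN
    # The SYN-ACK must acknowledge the client's ISN+1 and the third packet the server's ISN+1.
    res["handshake_ok"] = (syn["flags"] == "S" and synack["flags"] == "S."
                           and synack["ack"] == syn["seq"] + 1
                           and ack["flags"] == "." and ack["ack"] == synack["seq"] + 1)
    for p in pkts:
        key = "bytes_to_server" if (p["src"], p["sport"]) == client else "bytes_to_client"
        res[key] += p["len"]
        res["fins"] += int("F" in p["flags"])
        res["rsts"] += int("R" in p["flags"])
    return res

SAMPLE = [  # constructed sample, modelled on the article's mysql capture
    "2018-08-19 22:52:42.768100 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [S], seq 864854527, win 14600, options [mss 1460,sackOK,TS val 2246810963 ecr 0,nop,wscale 8], length 0",
    "2018-08-19 22:52:42.810055 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [S.], seq 4288771247, ack 864854528, win 14480, options [mss 1460,sackOK,TS val 2062159250 ecr 2246810963,nop,wscale 7], length 0",
    "2018-08-19 22:52:42.810065 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [.], ack 4288771248, win 58, options [nop,nop,TS val 2246811005 ecr 2062159250], length 0",
    "2018-08-19 22:52:42.852102 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [P.], seq 4288771248:4288771308, ack 864854528, win 57, options [nop,nop,TS val 2062159292 ecr 2246811005], length 60",
    "2018-08-19 22:52:42.853251 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [P.], seq 864854528:864854590, ack 4288771308, win 58, options [nop,nop,TS val 2246811048 ecr 2062159292], length 62",
    "2018-08-19 22:52:44.366633 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [P.], seq 864854627:864854632, ack 4288771409, win 58, options [nop,nop,TS val 2246812561 ecr 2062159377], length 5",
    "2018-08-19 22:52:44.366649 IP 10.119.124.24.45298 > 10.92.143.15.3306: Flags [F.], seq 864854632, ack 4288771409, win 58, options [nop,nop,TS val 2246812561 ecr 2062159377], length 0",
    "2018-08-19 22:52:44.408652 IP 10.92.143.15.3306 > 10.119.124.24.45298: Flags [F.], seq 4288771409, ack 864854633, win 57, options [nop,nop,TS val 2062160848 ecr 2246812561], length 0",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A capture of a client that cannot connect will typically show handshake_ok False (no SYN-ACK, or a RST counted in rsts), which is the quickest way to tell a network-level failure from an application-level login failure.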

This is the answer to the question about how to understand the network packet analysis tool tcpdump. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.


© 2024 shulou.com SLNews company. All rights reserved.
