
There are several uses of Tcpdump

2025-02-27 Update From: SLTechnology News&Howtos (Network Security)

Shulou(Shulou.com)05/31 Report--

The editor shares with you the several uses of tcpdump. Most people do not know much about it, so this article is offered for your reference; I hope you learn a lot from it. Let's get started!

The first group is the type keywords, mainly host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says that the port number is 23. If no type is given, the default type is host.

The second group is the keywords that determine the direction of transmission: src, dst, dst or src, and dst and src. For example, src 210.27.48.2 selects IP packets whose source address is 210.27.48.2, and dst net 202.0.0.0 selects packets whose destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third group is the protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp. fddi selects a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias for ether. FDDI and Ethernet frames have similar source and destination addresses, so fddi protocol packets can be processed and analyzed as ether packets. The other keywords select the protocol of the captured packets. If no protocol is specified, tcpdump captures packets of all protocols.

Besides these three groups there are other important keywords: gateway, broadcast, less and greater. There are also three logical operators: negation is written not or !, conjunction is and or &&, and disjunction is or or ||. These keywords can be combined into powerful compound conditions to meet all sorts of needs. Here are a few examples to illustrate.
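As an added example (not part of the original article), the following Python script is a small evaluator for the keyword grammar just described: type keywords (host/net/port), direction keywords (src, dst and their combinations), protocol keywords, not/and/or with parentheses, and the rule that a bare value inherits the qualifiers of the previous primitive, which is what makes "host A and (B or C)" work. It runs the article's own filters over a constructed packet list; the packets, the helper names and the matching rules are assumptions, and the evaluator only approximates what libpcap compiles (like pcap-filter, not binds tightest and and/or share one precedence level, grouping left to right).

```python
import re

# Constructed sample packets (not from the article): (proto, src_ip, src_port, dst_ip, dst_port)
PACKETS = [("tcp", "210.27.48.1", 40001, "210.27.48.2", 23), ("tcp", "210.27.48.3", 40002, "210.27.48.1", 23),
           ("udp", "210.27.48.1", 123, "202.0.0.5", 123), ("tcp", "10.0.0.9", 40003, "210.27.48.1", 80)]
DEFAULTS = (None, "src or dst", "host")   # proto, direction and type assumed when none is given
QUALS = ("src", "dst", "host", "net", "port", "ip", "tcp", "udp")

def matches(p, proto, direction, kind, value):   # test one primitive, e.g. (None, 'dst', 'port', '80'), against p
    pproto, sip, sport, dip, dport = p
    if proto not in (None, "ip") and proto != pproto:    # "ip" covers both tcp and udp here
        return False
    s, d = (str(sport), str(dport)) if kind == "port" else (sip, dip)
    prefix = re.sub(r"(\.0)+$", "", value)               # "202.0.0.0" -> "202" for the net form
    hit = lambda x: x.startswith(prefix + ".") if kind == "net" else x == value
    both = {"src": hit(s), "dst": hit(d), "src and dst": hit(s) and hit(d), "dst and src": hit(s) and hit(d)}
    return both.get(direction, hit(s) or hit(d))         # plain "src or dst" / "dst or src" is the default

class Filter:
    def __init__(self, expr):
        self.toks = re.findall(r"[()!]|[^\s()!]+", expr)
        self.last = DEFAULTS                 # qualifiers that a bare value will inherit
        self.fn = self.expr()
    peek = lambda self, k=0: self.toks[k] if len(self.toks) > k else None
    def expr(self):                          # expr := term (('and'|'&&'|'or'|'||') term)*
        node = self.term()
        while self.peek() in ("and", "&&", "or", "||"):
            op, l, r = self.toks.pop(0), node, self.term()
            node = (lambda p, l=l, r=r: l(p) and r(p)) if op in ("and", "&&") else (lambda p, l=l, r=r: l(p) or r(p))
        return node
    def term(self):                          # term := ('not'|'!') term | '(' expr ')' | primitive
        if self.peek() in ("not", "!"):
            self.toks.pop(0); inner = self.term(); return lambda p: not inner(p)
        if self.peek() == "(":
            self.toks.pop(0); inner = self.expr(); assert self.toks.pop(0) == ")"; return inner
        return self.primitive()
    def primitive(self):                     # zero or more qualifiers followed by one value
        proto, direction, kind = DEFAULTS if self.peek() in QUALS else self.last
        while self.peek() in QUALS:
            q = self.toks.pop(0)
            if q in ("src", "dst") and self.peek() in ("or", "and") and self.peek(1) in ("src", "dst"):
                q = f"{q} {self.toks.pop(0)} {self.toks.pop(0)}"   # the "dst or src" / "src and dst" forms
            if q.startswith(("src", "dst")): direction = q
            elif q in ("host", "net", "port"): kind = q
            else: proto = q
        self.last = (proto, direction, kind)  # remembered so that "host A and (B or C)" works
        value = self.toks.pop(0)
        return lambda p: matches(p, proto, direction, kind, value)

def capture(expr, packets=PACKETS):          # indexes of the packets the filter would select
    fn = Filter(expr).fn
    return [i for i, p in enumerate(packets) if fn(p)]
```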

Normally, starting tcpdump without arguments captures all packets that pass through the first network interface.

# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > [destination lost in extraction]: udp
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00

Use the -i parameter to specify the network interface tcpdump listens on, which is useful when the computer has several interfaces.

Use the -c parameter to specify the number of packets to capture.

Use the -w parameter to write the captured packets to a file for later analysis.

A. To capture all packets received or sent by host 210.27.48.1:

# tcpdump host 210.27.48.1

B. To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the following command (on the command line the parentheses must be escaped or quoted, otherwise the shell interprets them):

# tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

C. To get the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

D. To get the telnet packets received or sent by host 210.27.48.1:

# tcpdump tcp port 23 and host 210.27.48.1

E. To monitor the local UDP port 123 (the ntp service port):

# tcpdump udp port 123

F. The system only captures the packets of the host named hostname; hostname can be the local host or any computer on the network. The following command reads all data sent by host hostname:

# tcpdump -i eth0 src host hostname

G. The following command captures all packets sent to host hostname:

# tcpdump -i eth0 dst host hostname

H. We can also capture packets passing through a specified gateway:

# tcpdump -i eth0 gateway Gatewayname

I. To capture the TCP or UDP packets addressed to a specified port as well, run:

# tcpdump -i eth0 host hostname and port 80


If we only want to list the packets sent to port 80, use dst port; if we only want to see the packets returned from port 80, use src port.

# tcpdump -i eth0 host hostname and dst port 80

Here the destination port is 80.

Or

# tcpdump -i eth0 host hostname and src port 80

Here the source port is 80, which is usually the host providing the http service.

When there are several conditions, put and, or or not in front of each one.

# tcpdump -i eth0 not host 211.161.223.70 and not host 211.161.223.71 and dst port 80

If the interface is put into promiscuous mode on Ethernet, the system log records it:

May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.

May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode

May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
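A defender usually wants these log lines to raise an alert, because an interface entering promiscuous mode on a host where no capture is expected can mean someone is sniffing. As an added example (not from the article), the following Python script parses kernel messages of the form shown above and pairs each "entered" with the matching "left" per interface; the log lines are constructed, and the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed syslog lines, modelled on the sample above (not copied from a real host)
LOG_LINES = [
    "May  7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.",
    "May  7 20:03:46 localhost kernel: device eth0 entered promiscuous mode",
    "May  7 20:03:57 localhost kernel: device eth0 left promiscuous mode",
    "May  7 20:04:10 localhost kernel: device eth1 entered promiscuous mode",
]
# Key on the generic "device X entered/left" message; the driver's own "Promiscuous mode enabled." line is skipped
PATTERN = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: device (\S+) (entered|left) promiscuous mode$")

def promisc_events(lines, year=2024):
    """Yield (timestamp, interface, 'entered'|'left') for each transition; the year is assumed."""
    for line in lines:
        m = PATTERN.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), m.group(3)

def promisc_sessions(lines, year=2024):
    """Pair each 'entered' with the matching 'left' per interface.
    Returns [(interface, start, seconds)]; seconds is None while the interface is still promiscuous."""
    open_since, sessions = {}, []
    for ts, dev, state in promisc_events(lines, year):
        if state == "entered":
            open_since.setdefault(dev, ts)           # a repeated "entered" keeps the earliest start
        elif dev in open_since:
            start = open_since.pop(dev)
            sessions.append((dev, start, int((ts - start).total_seconds())))
    return sessions + [(dev, start, None) for dev, start in open_since.items()]
```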

tcpdump does not decode captured data in depth; most of the packet contents are printed directly in hexadecimal, which is obviously not convenient for troubleshooting network faults. The usual approach is to capture with the -w parameter and save the data to a file, then decode and analyze it with other programs. Filtering rules should of course be defined as well, so that the captured packets do not fill the whole hard disk.

# tcpdump -i eth2 src host 211.167.237.199
00:02:03.096713 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010208:2010352(144) ack 33377 win 8576
00:02:03.096951 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010352:2010496(144) ack 33377 win 8576
IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010496:2010640(144) ack 33377 win 8576
00:02:03.101165 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010640:2010784(144) ack 33377 win 8576
00:02:03.102554 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010784:2010928(144) ack 33425 win 8576

This shows that at 00:02:03, 211.167.237.199 was sending from its ssh port to port 1467 of 221.216.165.189 (P marks a PSH segment, 2010208:2010352(144) is the sequence-number range and payload length, ack is the acknowledgement number and win the window size).

# tcpdump -i eth2 src host 211.167.237.199 and dst port 1467
00:09:27.603075 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180400:180544(144) ack 2833 win 8576
00:09:27.605631 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180544:180688(144) ack 2881 win 8576

Capture all packets entering through eth0 whose source address (src host) is 192.168.0.5 and (and) whose destination (dst) port (port) is 80.

Watch the counters of packets transmitted and received by the network card:

$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0   14639      0      0      0    5705    119      0      0 BMRU

Iface: the network interface

RX-OK RX-ERR RX-DRP RX-OVR: the number of packets correctly received by the NIC, followed by the totals of errors, losses and collisions

TX-OK TX-ERR TX-DRP TX-OVR: the number of packets correctly sent by the NIC, followed by the totals of errors, losses and collisions

That is the whole of the article "There are several uses of Tcpdump". Thank you for reading! I believe everyone now has a certain understanding of the topic, and I hope the content shared here helps you. If you want to learn more, you are welcome to follow the industry information channel!
