2025-01-19 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report
When you run into a network fault such as packet loss or hosts that cannot reach each other, you will inevitably hear the keyword "packet capture". So what is packet capture?
Most operators are familiar with the packet capture tool Wireshark under Windows. Although Wireshark can also be installed on Linux, Linux has an even more powerful capture tool: tcpdump. In a word, it "dumps the traffic on a network". It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and/&&, or/||, not/! to filter out useless information.
I. Introduction to parameters
tcpdump is a command-line tool, and its command format is:
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ]
        [ expression ]
tcpdump parameters
-A prints each packet in ASCII (without its link-layer header). Handy when capturing web traffic, because the page content can be read directly.
-c count
tcpdump exits after receiving count packets.
-C file_size (used together with the -w file option)
Before writing a raw packet to the savefile, tcpdump checks whether the file is already larger than file_size. If so, the current file is closed and a new one is opened to continue recording raw packets. Each new file gets the name given with the -w option followed by a number, starting at 1 and increasing with every file created. file_size is measured in millions of bytes (1,000,000 bytes, not the 1,048,576 bytes you get by counting 1024 bytes as 1K and 1024K as 1M, that is 1M = 1024 * 1024 = 1048576).
-d dumps the compiled packet-matching code (the BPF filter program generated from the expression, which is applied to every packet) to standard output in human-readable form, then stops.
-dd dumps the packet-matching code as a C program fragment.
-ddd dumps the packet-matching code as decimal numbers (preceded by a count).
-D prints the list of network interfaces on the system on which tcpdump can capture packets. For each interface a number, the interface name and possibly a description are printed. The number or the name can be given to the -i option to select the interface to capture on.
-e prints the link-layer header of the packet on each output line.
-E spi@ipaddr algo:secret,...
Use spi@ipaddr algo:secret to decrypt IPsec ESP packets that are addressed to ipaddr and carry the Security Parameter Index spi (ESP, Encapsulating Security Payload, belongs to IPsec, which can be understood as a set of encryption protocols for IP packets. ESP encrypts either the whole IP packet, which is called tunnel mode, or only its upper-layer payload, which is called transport mode).
Note that at present the secret can only be set for IPv4 ESP packets.
The available algorithms are des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc (DES, Data Encryption Standard). secret is the ESP key as an ASCII string; if it starts with 0x, it is read as a hexadecimal value.
This option assumes ESP as defined in RFC 2406, not RFC 1827. It is intended for debugging only, and using it with a real secret is discouraged, because it is not safe: a secret typed on the command line can be seen by other users through ps and similar commands.
Besides the spi@ipaddr algo:secret syntax, a file name can be given in its place, and tcpdump reads the entries from that file. The file is opened only when the first ESP packet is received, so any special privileges tcpdump was started with should already have been dropped by then (a precaution: a maliciously crafted file then cannot do much damage).
-f prints "foreign" IPv4 addresses (addresses that are not on the local network) numerically rather than by name. This option works around a defect in Sun's NIS server (NIS, Network Information Service, which tcpdump uses to look up names for foreign addresses): that server often hangs forever when resolving non-local addresses.
The test for a "foreign" IPv4 address uses the IPv4 address and netmask of the interface on which the capture is done. If that address or netmask is not available, either because the interface has no address and netmask configured or because capture is done on the Linux "any" interface (which has no address of its own but receives packets from every interface in the system), this option will not work correctly.
-F file
Read the filter expression from file; any expression given on the command line is ignored.
-i interface
Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest-numbered configured interface (excluding loopback) and uses the first one that qualifies.
On Linux systems with kernel 2.2 or later, the pseudo-interface "any" can be used to capture packets from all interfaces (both those addressed to an interface and those that are not). Note that if a real interface is not in promiscuous mode, its packets cannot be captured in promiscuous mode through the "any" interface either.
If -D is given, tcpdump prints interface numbers, which can also be used as the interface argument here.
-l makes standard output line-buffered (each line is flushed as soon as the newline is written). Useful when you want to watch the packets while also saving them to a file, for example with one of the following:
``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''. (The former uses tee to send tcpdump's output both to the file dat and to standard output; the latter redirects the output into dat with ">" and prints the growing contents of dat to standard output with tail.)
-L lists the data link types supported by the interface (given with -i) and exits.
-m module
Load the SMI MIB module definitions from the file module (SMI, Structure of Management Information; MIB, Management Information Base). Both are used when decoding SNMP (Simple Network Management Protocol) packets.
This option can be given several times to load several MIB modules.
-M secret: if a TCP segment carries the TCP-MD5 option (described in RFC 2385), use secret as the shared secret for validating its digest.
-n does not convert addresses (host addresses, port numbers, etc.) from numbers to names.
-N does not print the domain-name part of host names. For example, with this option tcpdump prints "nic" instead of "nic.ddn.mil".
-O does not run the packet-matching code optimizer. Useful when you suspect a bug in the optimizer.
-p does not put the interface into promiscuous mode. Note that an interface may be in promiscuous mode for some other reason, so "-p" cannot be used as an abbreviation for "ether host {local-hw-addr} or ether broadcast" (the former matches only packets whose Ethernet address is the local host's, the latter matches packets sent to the Ethernet broadcast address).
-q quick (perhaps "quiet" would be better?) output. Less protocol information is printed, so the output lines are shorter.
-R assumes ESP/AH packets follow the old specification (RFC 1825 through RFC 1829) (AH, Authentication Header; ESP, Encapsulating Security Payload; both are used in the secure transmission of IP packets). With this option tcpdump does not print the replay-prevention field. Because the ESP/AH specification has no protocol version field, tcpdump cannot deduce the ESP/AH version from the received packets.
-r file
Read packet data from file. If file is "-", tcpdump reads from standard input.
-S prints absolute rather than relative TCP sequence numbers. A relative sequence number is the difference between a packet's sequence number and that of the first packet seen on the connection. For example, if the absolute sequence number of the first packet received is 232323, tcpdump prints 1 and 2 for the second and third packets, meaning they are 1 and 2 beyond the first. With -S, the second and third packets are printed with their absolute sequence numbers, 232324 and 232325.
-s snaplen
Capture snaplen bytes of data from each packet rather than the default of 68 bytes (on SunOS systems with NIT, the network interface tap, the default minimum is 96). 68 bytes is enough for IP, ICMP (Internet Control Message Protocol), TCP and UDP headers, but may truncate protocol information from name-service (DNS, NIS and the like) and NFS packets. Truncated packets are flagged in the output with "[|proto]", where proto is the protocol level at which the truncation occurred. Note that a larger snaplen increases the time needed to process each packet and reduces the number of packets tcpdump can buffer, which can cause packets to be lost. So keep snaplen as small as possible while still capturing the protocol information you want. Setting snaplen to 0 makes tcpdump choose a length sufficient to capture whole packets.
-T type
Force packets selected by the expression to be interpreted as the protocol type. Known types are:
aodv (Ad-hoc On-demand Distance Vector protocol, a routing protocol used in ad hoc networks),
cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol),
rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol),
tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool, an application-layer protocol used for teleconferencing over the Internet), and wb (distributed White Board, an application-layer protocol used for web conferencing).
-t does not print a timestamp on each output line.
-tt prints an unformatted timestamp on each output line (this raw format is hard to read at a glance and is not recommended).
-ttt prints the delta (in milliseconds) between the current and the previous output line.
-tttt prints the date before the timestamp on each output line.
-u prints undecoded NFS handles (a handle can be understood as a file handle used by NFS, covering directories and the files within them).
-U makes the output written with -w packet-buffered: each packet is written to the file as soon as it is saved, instead of waiting for the output buffer to fill.
-v produces more verbose output when parsing and printing. For example, the time to live, identification, total length and options of an IP packet are printed. It also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.
-vv produces even more verbose output than -v. For example, additional fields of NFS reply packets are printed, and SMB packets are fully decoded.
-vvv produces still more verbose output than -vv. For example, telnet SB ... SE options are printed in full, and with -X the telnet options are also printed in hexadecimal.
-w file writes the raw packets to file rather than parsing and printing them. They can later be read, parsed and printed with the -r option.
-W filecount
Used together with -C, this limits the number of files created; once the limit is reached, tcpdump starts overwriting the files from the first one, so the files form a rotating buffer of filecount files. In addition, file names are padded with enough leading zeros that they sort correctly.
-x when parsing and printing, prints the headers of each packet and also the packet data in hex (but not its link-layer header). The smaller of the entire packet or snaplen bytes is printed. Note that if the higher-layer protocol data is shorter than snaplen and the link layer (for example Ethernet) has padding, the padding bytes are printed too.
-xx like -x, but the link-layer header is printed in hex as well.
-X when parsing and printing, prints the headers of each packet and the packet data in hex and ASCII (but not the link-layer header).
-XX like -X, but the link-layer header is included as well.
-y datalinktype
Set the data link type used for capturing to datalinktype (one of the types listed by -L).
-Z user
Drop privileges: if tcpdump is started as root it has superuser rights; this option changes the user ID of the tcpdump process to user and its group ID to the primary group of user.
II. Introduction to tcpdump expressions
The expression is a filter pattern used to weed out packets that are of no interest: only packets that satisfy the expression are captured.
Keyword types in an expression:
The first group is type keywords, mainly host, net and port. For example, host 192.168.1.1 means 192.168.1.1 is a host address, net 192.168.1.0 means a network segment, and port 443 means port number 443 (HTTPS). If no type is given, host is assumed.
The second group is direction keywords: src, dst, src or dst, and src and dst. For example, src 192.168.1.1 means the source address of the packet is 192.168.1.1, and dst net 192.168.1.0 means the destination address is in the 192.168.1.0 network segment. If no direction is given, src or dst is assumed.
The third group is protocol keywords: ip, tcp, udp, arp and so on.
Other keywords include gateway, broadcast, greater, and less.
The logical operators are not/!, and/&&, and or/||.
III. Examples
1. Capture all packets received or sent by host 192.168.1.1:
tcpdump host 192.168.1.1
2. Capture telnet packets received or sent by host 192.168.1.1:
tcpdump tcp port 23 and host 192.168.1.1
3. Capture packets passing through a gateway:
tcpdump -i eth0 gateway xxxxx
4. Capture all packets passing through eth2 with source or destination port 443:
tcpdump -i eth2 port 443
tcpdump -i eth2 src port 443
tcpdump -i eth2 dst port 443
5. Save the captured packets to a file:
tcpdump -i eth2 dst 10.13.204.73 and port 56716 -w 20160831.pcap    // for later analysis in Wireshark
tcpdump -r 20160831.pcap
6. Capture packets for a specific destination IP and port:
tcpdump -i eth0 dst 10.13.204.73 and port 56716
7. Add timestamps to the captured packets:
tcpdump -n -ttt -i eth2 -c 5    // capture only 5 packets
IV. Packet analysis
For packet analysis, it is recommended to save the captured packets as a .pcap file and then analyze them in Wireshark. The analysis of individual packets is not covered here.
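As an added example (not part of the original article), the following Python reads a .pcap file of the kind example 5 writes with -w, applies the same selection as the filter `dst 10.13.204.73 and port 56716`, and flags records that were cut short by the snaplen, the condition tcpdump marks in its own output with [|proto]. The sample capture is constructed in code; the file layout (little-endian pcap, Ethernet link type) is assumed to match what tcpdump writes on a typical x86 Linux host.

```python
import struct
from ipaddress import IPv4Address
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, the format `tcpdump -w` writes on x86 hosts

def build_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; this parser ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # MACs, ethertype IPv4, then IP/TCP

def build_pcap(frames, snaplen):
    """Store frames the way `tcpdump -s snaplen -w file` does: each record keeps at most snaplen bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for f in frames:  # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 0, 0, len(f[:snaplen]), len(f)) + f[:snaplen]
    return out

def parse_pcap(data):
    """Yield (incl_len, orig_len, captured_bytes) for every record of a little-endian pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        yield incl_len, orig_len, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode(pkt):
    """Addresses and ports of an Ethernet/IPv4/TCP-or-UDP packet, or None for anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] not in (6, 17):
        return None
    ports_at = 14 + (pkt[14] & 0x0F) * 4  # ports sit right after the IP header (IHL words * 4)
    if len(pkt) < ports_at + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ports_at)
    return {"src": str(IPv4Address(pkt[26:30])), "dst": str(IPv4Address(pkt[30:34])), "sport": sport, "dport": dport}

def filter_capture(data, dst_host, port):
    """Same selection as `tcpdump -r file dst DST_HOST and port PORT` (a bare port matches either direction)."""
    hits = []
    for incl_len, orig_len, pkt in parse_pcap(data):
        info = decode(pkt)
        if info is None or info["dst"] != dst_host or port not in (info["sport"], info["dport"]):
            continue
        info["truncated"] = incl_len < orig_len  # the condition tcpdump flags with [|proto]
        hits.append(info)
    return hits

SAMPLE_PCAP = build_pcap([  # constructed sample for the article's filter, saved with the default snaplen of 68
    build_frame("10.13.204.10", "10.13.204.73", 40000, 56716, b"A" * 100),  # matches; 154 bytes, cut to 68
    build_frame("10.13.204.73", "10.13.204.10", 56716, 40000),              # reply: dst is not .73
    build_frame("10.13.204.10", "10.13.204.73", 40001, 443),                # wrong port
    build_frame("10.13.204.20", "10.13.204.73", 5000, 56716),               # matches; fits in snaplen
], snaplen=68)
```

Running `filter_capture(SAMPLE_PCAP, "10.13.204.73", 56716)` returns the two matching records, the first of them marked truncated, which is why a larger -s is needed before payload from such a capture can be inspected in Wireshark.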