2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Introduction
Wireshark is an excellent packet capture tool and holds an absolutely dominant position among graphical ones. It does offer a few options for use from a character terminal, but that is never really convenient. This article introduces tcpdump, a superb packet capture tool for the terminal.
1. Promiscuous mode
A Linux network card has a promiscuous mode. When it is turned on, the card captures every frame it sees, whether or not the frame is addressed to the card itself. Because intercepting other people's packets at will is a security problem, Linux leaves promiscuous mode off by default, and only root (more precisely, a process holding CAP_NET_ADMIN) can enable it:
ifconfig ethX promisc
(or, with iproute2: ip link set ethX promisc on)
Note that tcpdump puts the capture interface into promiscuous mode by itself when it starts, unless it is run with -p, so the command above is normally unnecessary; it only matters if you want the interface to stay in promiscuous mode after tcpdump exits. Captures on the pseudo-interface "any" are never done in promiscuous mode.
2. Common options
Parameter description sample-D to see which network cards can be used to capture packets.
-I name specifies to grab packets through the name network card.
Tcpdump-I eth0
Tcpdump-I any
-w file
Save the crawled packet into the file file (which can be used by wireshark). By default, print it to the terminal tcpdump-I eth0-w packet.pcap-r file to read the previously crawled packet and use it as the input tcpdump-r file-s length to grab the packet length. The default is 68 bytes. Set to 0, it means to grab all the data.
-c count
Number of packets crawled
-t
Do not display timestamp
-S
Print absolute sequence number
-x/-xx
Press HEX to print header information / include link information for each packet
-n
Do not convert ip to hostname
-nn
Do not convert ip and port to the corresponding name tcpdump-nnSs 0 tcp port! 22mure
Displays link layer information, which is not displayed by default
-F file
The filter condition is obtained from the file file content, and the command line content is ignored.
-X/-XX
Press HEX and ASCII to print header information / include link information for each packet
-C file_size
Specify a maximum length of 30m per file and use tcpdump-I eth0-C 30-W 50-w / tmp/net.pcap-W filecount with-W
Specify a maximum of 50 files to be generated, using tcpdump-I eth0-C 30-W 50-w / tmp/net.pcap with-C
3. Filters
3.1 host
Capture traffic to or from a given host or network; the argument can be an IP address, a hostname or a network prefix:
tcpdump host 192.168.12.1
tcpdump net 192.168.12.0/24
A direction can also be given:
tcpdump [src | dst] host 192.168.12.1
Several addresses can be combined with and/or and parentheses (escape the parentheses from the shell, or quote the whole expression). An address written without a keyword reuses the most recent keyword, here "host", so in this form no direction is attached to the addresses in the parentheses; to restrict a direction, write src/dst explicitly on each term:
tcpdump host 10.27.82.223 and \(10.27.82.222 or 10.27.82.221\)
Exclude a target with the negation operator "!" (or "not"):
tcpdump ip net 192.168.12.0/24 and ! 192.168.12.3
3.2 port / portrange
Capture by port or by port range (for example portrange 0-1024), optionally combined with a host, and with a direction on either term:
tcpdump tcp [src | dst] port 23 and [src | dst] host 192.168.12.1
Exclude traffic on a port:
tcpdump tcp port ! 22
3.3 Ring-buffer capture
Capture continuously into a ring of at most 50 files of 30 million bytes each; when the 50th file is full, tcpdump starts overwriting from the first. With -W the files are numbered with enough leading zeros to sort correctly (/tmp/net.pcap00 ... /tmp/net.pcap49):
tcpdump -i eth0 -C 30 -W 50 -w /tmp/net.pcap
4. Advanced features
4.1 Filtering on TCP flags and packet bytes
A filter can index into a protocol header: proto[offset:size] reads size bytes at offset from the start of that header, and tcp[tcpflags] is the flags byte (offset 13), with tcp-syn, tcp-fin and friends as named bit masks:
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'    # packets with SYN or FIN set: the start or end of a connection
tcpdump 'tcp[tcpflags] & (tcp-fin) != 0'            # FIN packets (connection teardown)
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'            # SYN packets (connection setup)
tcpdump -AXtnni eth0 'src host 192.168.12.1 and dst port 9876 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'    # HTTP GET requests
In the last expression, tcp[12:1] is the byte whose upper four bits hold the TCP data offset in 32-bit words; "& 0xf0" isolates those bits and ">> 2" converts them to a byte count, which is where the payload begins. Reading four bytes there and comparing with 0x47455420 (the ASCII of "GET ") matches GET requests even when TCP options lengthen the header, which a fixed tcp[20:4] would not.
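To see exactly what these index expressions compute, here is an added example (not code from the article) that re-implements tcp[tcpflags], tcp[12:1] and tcp[offset:size] in plain Python and runs them against constructed IPv4/TCP packets; the addresses, ports and the packet builder are all made up for the demonstration. It also shows the failure mode of the shortcut tcp[20:4] when the TCP header carries options.

```python
import struct

# Added example, not from the article: a pure-Python re-implementation of the
# BPF index expressions above (tcp[tcpflags], tcp[12:1], tcp[offset:size]) run
# against constructed IPv4/TCP packets, so the arithmetic can be checked offline.

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", options=b""):
    """Build a minimal IPv4 packet carrying a TCP segment (constructed test data).
    Checksums are left zero; none of the filters below inspect them."""
    options += b"\x01" * (-len(options) % 4)      # pad with NOPs to a 4-byte boundary
    data_offset_words = (20 + len(options)) // 4   # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      data_offset_words << 4, flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp

def tcp_index(pkt, offset, size=1):
    """Equivalent of BPF 'tcp[offset:size]': read size bytes at offset, counted
    from the start of the TCP header (IPv4 IHL * 4), as a big-endian integer."""
    start = (pkt[0] & 0x0F) * 4 + offset
    return int.from_bytes(pkt[start:start + size], "big")

def has_syn_or_fin(pkt):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0   (tcpflags is byte 13 of the TCP header)"""
    return tcp_index(pkt, 13) & (TCP_SYN | TCP_FIN) != 0

def is_http_get(pkt):
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
    Byte 12's upper nibble is the data offset in 32-bit words; '& 0xf0' then
    '>> 2' turns it into a byte count, i.e. where the payload starts."""
    payload_offset = (tcp_index(pkt, 12) & 0xF0) >> 2
    return tcp_index(pkt, payload_offset, 4) == 0x47455420   # b"GET "

def naive_get_at_20(pkt):
    """The shortcut tcp[20:4] = 0x47455420: only right when there are no TCP options."""
    return tcp_index(pkt, 20, 4) == 0x47455420

# Constructed samples (hypothetical addresses; no real capture involved).
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8      # NOP, NOP, Timestamps (kind 8, len 10)
SAMPLE_PACKETS = {
    "syn":           build_ipv4_tcp("192.168.12.1", "10.0.0.5", 40000, 9876, TCP_SYN),
    "fin":           build_ipv4_tcp("192.168.12.1", "10.0.0.5", 40000, 9876, TCP_FIN | TCP_ACK),
    "get_no_opts":   build_ipv4_tcp("192.168.12.1", "10.0.0.5", 40000, 9876, TCP_PSH | TCP_ACK,
                                    b"GET / HTTP/1.1\r\n"),
    "get_with_opts": build_ipv4_tcp("192.168.12.1", "10.0.0.5", 40000, 9876, TCP_PSH | TCP_ACK,
                                    b"GET / HTTP/1.1\r\n", options=TS_OPTION),
    "post":          build_ipv4_tcp("192.168.12.1", "10.0.0.5", 40000, 9876, TCP_PSH | TCP_ACK,
                                    b"POST / HTTP/1.1\r\n"),
}

def run_filters():
    """Apply each filter to every sample; returns {name: {filter: bool}}."""
    return {name: {"syn_or_fin": has_syn_or_fin(p),
                   "http_get": is_http_get(p),
                   "naive_get": naive_get_at_20(p)}
            for name, p in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, result in run_filters().items():
        print(f"{name:14s} {result}")
```

The "get_with_opts" sample is the case that matters in practice: almost every modern TCP stack sends timestamps or SACK options, so a filter hard-coded to offset 20 reads the option bytes instead of the payload and silently misses the request.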
5. Output format
Each printed line has the form:
timestamp protocol source_host.port > destination_host.port: packet parameters
Example:
20:09:53.584715 IP 100.109.225.128.30207 > 10.27.82.228.443: Flags [R.], seq 241841040, ack 631822021, win 58, options [nop,nop,TS val 144058912 ecr 3829113521], length 0
Here Flags [R.] means RST and ACK are set (tcpdump writes S for SYN, F for FIN, P for PSH, R for RST, U for URG and "." for ACK); seq and ack are the sequence and acknowledgement numbers (absolute with -S, otherwise relative after the first segment of a connection); win is the advertised window; options lists the TCP options; and length is the payload length in bytes.
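When tcpdump output is fed to scripts rather than read by eye, the line format above has to be parsed. The following is an added example (not code from the article): a parser for IPv4/TCP lines as printed with -nn (numeric hosts and ports), plus a small summary pass that counts bare SYNs and the distinct destination ports each source touched, the classic shape of a port scan. The sample line from the article is reused; the other lines and their addresses are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the article: a parser for tcpdump's one-line text
# output (IPv4/TCP lines as printed with -nn, so hosts and ports are numeric)
# plus a small summary pass over constructed lines.

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"   # 'seq 10' or 'seq 10:110'
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)

# tcpdump's single-letter flag notation, '.' standing for ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG",
              "E": "ECE", "W": "CWR", ".": "ACK"}

def split_endpoint(text):
    """'10.27.82.228.443' -> ('10.27.82.228', 443): the last dotted field is the port."""
    host, port = text.rsplit(".", 1)
    return host, int(port)

def parse_tcpdump_line(line):
    """Parse one tcpdump text line into a dict, or return None if it is not an IPv4/TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])

    def to_int(value):
        return int(value) if value is not None else None

    return {
        "time": m["time"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "flags": [FLAG_NAMES.get(c, c) for c in m["flags"]],
        "seq": to_int(m["seq"]), "seq_end": to_int(m["seq_end"]),
        "ack": to_int(m["ack"]), "win": to_int(m["win"]),
        "options": m["options"].split(",") if m["options"] else [],
        "length": int(m["length"]),
    }

def summarize(lines):
    """Count bare SYNs (flags exactly [SYN]) per source and the distinct destination
    ports each one touched; many ports from one source is what a port scan looks like.
    RSTs are counted per destination as a side signal of refused connections."""
    syn_by_src = Counter()
    ports_by_src = defaultdict(set)
    rst_by_dst = Counter()
    for line in lines:
        p = parse_tcpdump_line(line)
        if p is None:          # non-TCP or otherwise unparsed line: skip, do not crash
            continue
        if p["flags"] == ["SYN"]:
            syn_by_src[p["src_ip"]] += 1
            ports_by_src[p["src_ip"]].add(p["dst_port"])
        if "RST" in p["flags"]:
            rst_by_dst[p["dst_ip"]] += 1
    return {
        "syn_only_by_src": dict(syn_by_src),
        "ports_by_src": {k: sorted(v) for k, v in ports_by_src.items()},
        "rst_by_dst": dict(rst_by_dst),
    }

# The article's sample line, plus constructed lines with hypothetical addresses.
SAMPLE_LINE = ("20:09:53.584715 IP 100.109.225.128.30207 > 10.27.82.228.443: Flags [R.], "
               "seq 241841040, ack 631822021, win 58, "
               "options [nop,nop,TS val 144058912 ecr 3829113521], length 0")
SAMPLE_LINES = [
    SAMPLE_LINE,
    "20:09:54.000100 IP 10.27.82.222.51000 > 10.27.82.228.22: Flags [S], seq 1000, win 29200, options [mss 1460], length 0",
    "20:09:54.000200 IP 10.27.82.222.51001 > 10.27.82.228.23: Flags [S], seq 1001, win 29200, options [mss 1460], length 0",
    "20:09:54.000300 IP 10.27.82.222.51002 > 10.27.82.228.80: Flags [S], seq 1002, win 29200, options [mss 1460], length 0",
    "20:09:54.000400 IP 10.27.82.228.22 > 10.27.82.222.51000: Flags [S.], seq 5000, ack 1001, win 28960, options [mss 1460], length 0",
    "20:09:54.000500 IP 10.27.82.228.80 > 10.27.82.222.51002: Flags [R.], seq 0, ack 1003, win 0, length 0",
]

if __name__ == "__main__":
    print(parse_tcpdump_line(SAMPLE_LINE))
    print(summarize(SAMPLE_LINES))
```

For anything beyond a quick triage, save the capture with -w and parse the pcap instead: the text format changes between tcpdump versions and with -v levels, while the pcap data does not.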
6. Problems
Using the -C option fails with "Permission denied".
Cause: when -C is given, tcpdump (built with privilege dropping, as it is on most distributions) switches from root to an unprivileged user, typically "tcpdump", before it opens the first output file, so that user needs write permission on the output directory. Either make the directory writable by that user, or add "-Z root" to keep root privileges. Since "-Z root" leaves a process that parses untrusted network data running as root, fixing the directory permissions is the better choice.