How to use tcpdump

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces how to use tcpdump. Many people run into the situations covered here in real work, so read the options and the worked commands carefully and try them yourself.

Taken together, the items below describe one capture command: the options -i eth2 -t -s 0 -c 100 -w ./target.cap, followed by the filter expression tcp and dst port ! 22 and src net 192.168.1.0/24. tcpdump treats everything after the last option as the filter expression, so keep the options in front and the filter at the end.

(1) tcp: protocol qualifiers such as ip, icmp, arp, rarp, tcp and udp are part of the filter expression; they select the type of datagram to capture.

(2) -i eth2: capture only packets that pass through interface eth2 (lowercase -i; the capital -I is a different option that enables monitor mode).

(3) -t: do not print a timestamp on each output line.

(4) -s 0: older versions of tcpdump default the snapshot length (snaplen) to 68 bytes, which truncates most packets; -s 0 captures every packet in full. Current versions default to 262144 bytes, so -s 0 is rarely needed there, but it does no harm.

(5) -c 100: stop after capturing 100 packets.

(6) dst port ! 22: exclude packets whose destination port is 22 (tcpdump accepts this spelling; the clearer form is not dst port 22).

(7) src net 192.168.1.0/24: only packets whose source address lies in the 192.168.1.0/24 network.

(8) -w ./target.cap: write the raw packets to a file instead of printing them, for later analysis with Wireshark (formerly Ethereal) or with tcpdump -r.

Capturing HTTP packets with tcpdump

tcpdump -XvvennSs 0 -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'

0x4745 is the ASCII encoding of "GE", the first two letters of "GET", and 0x4854 is "HT", the first two letters of "HTTP". tcp[20:2] reads the two bytes at offset 20 from the start of the TCP header, which is where the payload begins only when the TCP header carries no options. Segments that do carry options (TCP timestamps, for example, which Linux sends by default) have a longer header, so their payload starts later and this filter misses them. Of the other options, -X prints each packet in hex and ASCII, -vv adds verbose decoding, -e prints the link-layer header, -nn disables host and port name resolution, -S prints absolute TCP sequence numbers and -s 0 captures whole packets.
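The following is an added example written for this article, not code from the page's author or from the tcpdump project. It constructs a few Ethernet/IPv4/TCP frames by hand (addresses, ports and payloads are made up), writes them in the pcap format that tcpdump -w produces, reads them back the way tcpdump -r would, and evaluates the HTTP filter above with the offset rules pcap-filter uses. It ties the capture-file side of the numbered list (the -w file and the -s snaplen) to the HTTP filter: it shows why tcp[20:2] misses a request whose TCP header carries options, what the old 68-byte default snaplen leaves of a request, and the data-offset-aware form of the filter, tcp[((tcp[12]&0xf0)>>2):2] = 0x4745, which is what you would use on a real capture.

```python
# Added example, not code from the original article. Builds hand-constructed
# Ethernet/IPv4/TCP frames, writes them as the pcap format `tcpdump -w`
# produces, reads them back like `tcpdump -r`, and evaluates the article's
# HTTP filter (tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854) with the offset
# semantics pcap-filter uses. Every packet below is made up for the demo.
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FULL_SNAPLEN = 262144   # what current tcpdump uses for -s 0
OLD_SNAPLEN = 68        # default snaplen of old tcpdump versions

def ipv4_header(src, dst, payload_len):
    # Version 4, IHL 5 (20 bytes, no options). Checksum left at 0: only the
    # offsets matter for a filter demonstration, not kernel acceptance.
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                       addr(src), addr(dst))

def tcp_header(sport, dport, options=b""):
    # The data offset (header length in 32-bit words) is the high nibble of
    # byte 12 of the TCP header; options must pad to a multiple of 4 bytes.
    assert len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset << 4,
                       0x18, 65535, 0, 0) + options

def frame(payload, sport=40000, dport=80, options=b""):
    tcp = tcp_header(sport, dport, options) + payload
    ip = ipv4_header("192.168.1.10", "192.168.1.20", len(tcp))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp  # dst MAC, src MAC, IPv4

# Constructed sample traffic. Real Linux stacks send TCP timestamps, so the
# second request carries 12 bytes of options (NOP, NOP, timestamp), which
# moves its payload to offset 32 inside the TCP header instead of 20.
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8
PACKETS = [
    frame(b"GET / HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"),
    frame(b"GET /a HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n", options=TIMESTAMP_OPTS),
    frame(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", sport=80, dport=40000),
    frame(b"SSH-2.0-OpenSSH_9.6\r\n", dport=22),
]

def write_pcap(frames, snaplen):
    # Global header in native byte order, as tcpdump -w writes it, then one
    # record header per packet; caplen is what the snaplen left of the frame.
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        captured = f[:snaplen]
        out += struct.pack("=IIII", 1700000000 + i, 0, len(captured), len(f)) + captured
    return out

def read_pcap(data):
    """Return (caplen, origlen, captured_bytes) per record, like tcpdump -r sees it."""
    assert struct.unpack_from("=I", data, 0)[0] == PCAP_MAGIC
    off, records = 24, []
    while off < len(data):
        _, _, caplen, origlen = struct.unpack_from("=IIII", data, off)
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return records

def tcp_bytes(captured, offset, size):
    """tcp[offset:size] as pcap-filter evaluates it: offset is relative to the
    start of the TCP header (located through the IPv4 IHL). A load that runs
    past the captured bytes makes BPF reject the packet; None stands for that."""
    if len(captured) < 34 or captured[12:14] != b"\x08\x00" or captured[23] != 6:
        return None                                   # not IPv4/TCP
    tcp_start = 14 + (captured[14] & 0x0F) * 4
    chunk = captured[tcp_start + offset:tcp_start + offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None

def article_filter(captured):
    # tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854 -- silently assumes no TCP options
    return tcp_bytes(captured, 20, 2) in (0x4745, 0x4854)

def robust_filter(captured):
    # Same test with the payload offset taken from the data-offset nibble:
    # tcp[((tcp[12]&0xf0)>>2):2] = 0x4745 or tcp[((tcp[12]&0xf0)>>2):2] = 0x4854
    byte12 = tcp_bytes(captured, 12, 1)
    if byte12 is None:
        return False
    return tcp_bytes(captured, (byte12 & 0xF0) >> 2, 2) in (0x4745, 0x4854)

def count_matches(pcap_data, predicate):
    return sum(1 for _, _, captured in read_pcap(pcap_data) if predicate(captured))

def visible_payload(captured):
    """The TCP payload bytes that survived the snaplen (what -A would print)."""
    byte12 = tcp_bytes(captured, 12, 1)
    if byte12 is None:
        return b""
    tcp_start = 14 + (captured[14] & 0x0F) * 4
    return captured[tcp_start + ((byte12 & 0xF0) >> 2):]

if __name__ == "__main__":
    full = write_pcap(PACKETS, FULL_SNAPLEN)
    short = write_pcap(PACKETS, OLD_SNAPLEN)
    print("article filter, full capture:", count_matches(full, article_filter))
    print("robust filter, full capture: ", count_matches(full, robust_filter))
    print("first request at snaplen 68: ", visible_payload(read_pcap(short)[0][2]))
```

The article's filter matches two of the three HTTP packets; the request carrying TCP timestamps slips through because its payload starts at offset 32, not 20. At the old 68-byte snaplen the first request is cut to exactly "GET / HTTP/1.1", so the Host header is gone from the capture even though the filter still fires, which is the reason the numbered list adds -s 0.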

-A prints each packet (minus its link-layer header) in ASCII. When capturing web traffic this makes the data easy to read, which is why it is handy for capturing web pages.

-t does not print a timestamp on each output line.

-tt prints the timestamp unformatted, as raw seconds since the epoch (for example 1261798315), which is hard to read at a glance but easy to process.

-ttt prints, on each line, the time elapsed since the previous line, with microsecond resolution.

-tttt prints the date in front of the timestamp on each line.

-u prints undecoded NFS file handles (an NFS handle identifies a file or directory on the server).

-U, when used with -w, writes each packet to the save file as soon as it is captured instead of waiting for the output buffer to fill (packet-buffered output), so a capture file is usable while tcpdump is still running and is complete if tcpdump is killed.

-U has no effect when tcpdump is built against an older libpcap (the packet capture library tcpdump depends on) that lacks the pcap_dump_flush() function.

-v produces more verbose output when decoding and printing. For example, the time to live, identification, total length and options of an IP packet are printed. It also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.

-vv produces more detailed output than -v. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv produces more detailed output than -vv. For example, the contents of telnet SB ... SE option subnegotiations are printed in full, and if -X is also given, telnet options are printed in hex as well.

-w writes the raw packets to a file rather than decoding and printing them. The file can later be read back, decoded and printed with the -r option.

-W filecount: used together with -C, limits the number of files created to filecount and then overwrites them from the first one, so the capture behaves as a ring buffer; used together with -G, limits the number of rotated files that are kept.

-x, when decoding and printing, prints the header and data of each packet in hex, minus its link-layer header. At most the smaller of the whole packet and snaplen bytes is printed. Note that what is dumped is the entire link-layer packet, so for link layers that pad (Ethernet, for example), the padding bytes are printed too when the higher-layer packet is shorter than the minimum frame size.

-xx is the same as -x, but the link-layer header is included.

-X, when decoding and printing, prints the header and data of each packet in both hex and ASCII, minus its link-layer header. This is very convenient for analysing packets of new or unfamiliar protocols.

-XX is the same as -X, but the link-layer header is included.

-y datalinktype

Sets the data link type used for the capture to datalinktype (run tcpdump -L on an interface to list the types it supports). It does not filter packets; it changes how the interface is opened.

-Z user

If tcpdump is started as root, it drops its superuser privileges after the capture interface (or input save file) has been opened: the tcpdump process changes its user ID to user and its group ID to the primary group of user. This happens before any -w output file is opened, so the output file and its directory must be writable by user.

A default user can also be built in at compile time (Debian and Ubuntu builds, for example, drop to the user tcpdump unless -Z says otherwise), which is why writing a capture file into a root-only directory fails with a permission error on those systems even when tcpdump is run as root.
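The privilege drop that -Z performs, written out as an added Python example (this is not tcpdump's own code and not from the original article). It shows the ordering that matters: supplementary groups and the group ID are changed while the process is still root, the user ID goes last because setuid() removes the ability to change groups, and the result is verified by checking that root cannot be regained. The user name is a parameter; "nobody" in the usage line is only an illustration and the drop itself must be started as root.

```python
# Added example, not tcpdump's code: the -Z user privilege drop in Python.
import os
import pwd

def target_ids(user):
    """Resolve a user name the way -Z does: its uid and its primary gid.
    Raises KeyError for a user that does not exist in the password database."""
    entry = pwd.getpwnam(user)
    return entry.pw_uid, entry.pw_gid

def drop_privileges(user):
    """Permanently switch the current process to `user`. Must start as root,
    and anything that needs root (the capture socket) must be open already;
    a -w file opened after this point must be writable by `user`."""
    uid, gid = target_ids(user)
    os.initgroups(user, gid)   # supplementary groups of `user`, not root's
    os.setgid(gid)             # group first: needs root, which setuid removes
    os.setuid(uid)             # real, effective and saved uid: no way back
    if os.getuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop incomplete")
    try:
        os.setuid(0)
    except PermissionError:
        return uid, gid        # the expected outcome: root is gone for good
    raise RuntimeError("process could re-acquire root; the drop did not stick")

if __name__ == "__main__":
    # Illustration only: "nobody" stands in for whatever user -Z names.
    print("now running as uid/gid", drop_privileges("nobody"))
```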

Some examples:

A. To capture all packets received or sent by host 210.27.48.1:

# tcpdump host 210.27.48.1

B. To capture the traffic between host 210.27.48.1 and either host 210.27.48.2 or host 210.27.48.3, use the following command (the parentheses must be escaped, or the whole expression quoted, so the shell does not interpret them):

# tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

C. To capture the IP packets that host 210.27.48.1 exchanges with every host except 210.27.48.2, use the following command:

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

D. To capture the telnet packets received or sent by host 210.27.48.1, use the following command:

# tcpdump tcp port 23 and host 210.27.48.1

Capture packets on all network interfaces

$ tcpdump -i any

Capture packets on a specific network interface

$ tcpdump -i eth0

That's all for "how to use tcpdump". Thank you for reading.
