How to use the packet capture tool tcpdump

2025-01-17 Update From: SLTechnology News&Howtos


tcpdump is a command-line tool that captures packets from a network interface and filters them; its power lies in a flexible filter expression language.

Run without any options, tcpdump captures on the first network interface and keeps capturing until the tcpdump process is terminated.

For example:

tcpdump -nn -i eth0 icmp

Here is the detailed usage of tcpdump.

1.1 tcpdump options

Its command format is:

tcpdump [-DenNqvX] [-c count] [-F file] [-i interface] [-r file] [-s snaplen] [-w file] [expression]

Capture options:

-c count: stop after count packets have been captured. The count applies to packets that matched the filter, not to packets examined: "-c 10" returns 10 matching packets even if a hundred were inspected to find them.

-i interface: the interface to listen on. If omitted, tcpdump searches the system interface list for the lowest-numbered configured interface, excluding loopback (use "tcpdump -i lo" to capture on loopback); the search stops at the first qualifying interface. The keyword "any" captures on all interfaces.

-n: print addresses numerically instead of resolving them to hostnames, i.e. no reverse DNS lookups.

-nn: in addition to -n, print port numbers instead of service names.

-N: do not print the domain part of hostnames, e.g. "nic" instead of "nic.ddn.mil".

-P direction: capture only packets in the given direction: "in", "out" or "inout" (the default). Current tcpdump releases spell this option -Q (--direction).

-s snaplen: capture snaplen bytes of each packet. If not set, the default is 65535 bytes in the release used here (262144 in current releases). If snaplen is smaller than the packets being captured they are truncated, which tcpdump marks with "[|proto]" in the output line (proto is the protocol name). A larger snaplen means more work per packet and fewer packets fit in the capture buffer, which can cause the kernel to drop packets, so use the smallest snaplen that still captures what you need.

Output options:

-e: print the link-layer header on each line, i.e. source and destination MAC addresses.

-q: quick output: print less protocol information, so lines are shorter.

-X: print the headers and data of each packet in hex and ASCII.

-XX: like -X, but also include the link-layer header.

-v, -vv, -vvv: increasingly verbose decoding; -v already adds the IP TTL, id, total length and checksum verification to each line.

Other options:

-D: list the interfaces available for capture, with an index number for each; either the number or the name can be given to -i.

-F file: read the filter expression from file; any expression given on the command line is then ignored.

-w file: write raw packets to file instead of printing them. Combined with "-G seconds" the output file is rotated every seconds seconds (the file name must then contain a strftime(3) format such as %H%M%S, otherwise each new file overwrites the previous one). Files written this way are read back and decoded with -r.

-r file: read packets from file instead of an interface; "-" means standard input.


In practice only a few options are used regularly:

tcpdump -D

tcpdump -c num -i int -nn -XX -vvv

1.2 tcpdump expression

An expression selects which packets are printed. Without an expression every captured packet is printed; with one, only packets for which the expression is true. Enclose the expression in single quotes when it contains shell metacharacters such as parentheses, "!", "&&" or "||".

A tcpdump expression consists of one or more primitives ("units"). Each primitive is normally an ID (a name or number) preceded by one or more qualifiers. There are three kinds of qualifier:

(1) type: what kind of thing the ID names.

Possible values are host, net, port and portrange, e.g. "host foo", "net 128.3", "port 20", "portrange 6000-6008". If no type is given, host is assumed.

(2) dir: the direction of the ID.

Possible values are src, dst, "src or dst" and "src and dst"; the default is "src or dst". For example, "src foo" matches packets whose source host is foo, "dst net 128.3" matches packets destined for network 128.3, and "src or dst port 22" matches packets whose source or destination port is 22.

(3) proto: restricts the match to a particular protocol.

Common values are tcp, udp, arp, ip, ether and icmp. If no proto is given, every protocol that makes sense for the type is matched, so "port 53" matches both TCP and UDP. Examples: "tcp port 21", "udp portrange 7000-7009".

So the general form of a primitive is "proto dir type ID".

Besides qualified primitives there are keyword primitives: gateway, broadcast, less, greater, and arithmetic expressions on packet bytes such as "tcp[tcpflags] & tcp-syn != 0" (equivalently "tcp[13] & 2 != 0"), which matches TCP segments with the SYN flag set.

Primitives are combined with the operators and/&&, or/|| and not/! into compound expressions. For example, "host foo and not port ftp and not port ftp-data" selects packets involving host foo whose port is neither ftp (21) nor ftp-data (20). The mapping between service names and port numbers is in /etc/services on Linux.

Qualifiers may be omitted when they are the same as those of the preceding primitive: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", i.e. TCP packets whose destination port is ftp, ftp-data or domain (53).

Parentheses "()" change the precedence of an expression, but they are special to the shell, so either escape them as "\(" and "\)" or put the whole expression in quotes.
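The qualifier-inheritance and service-name rules above, worked through in code. This is an added example written for this page, not libpcap's own compiler: it expands shorthand into fully qualified "proto dir type ID" primitives, substitutes port numbers from a constructed subset of /etc/services (a real tool would call socket.getservbyname), and rejects the proto/type combinations libpcap rejects, such as icmp in front of a host primitive. Arithmetic expressions like "tcp[13] & 2 != 0" are out of its scope.

```python
"""Expand pcap-filter shorthand into fully qualified primitives.
Added example for this page, not libpcap code.  SERVICES is a constructed
subset of /etc/services so the example runs offline."""
import re

SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53, "ntp": 123}

PROTO = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp", "icmp6", "sctp"}
TYPE = {"host", "net", "port", "portrange"}
KEYWORD = {"gateway", "less", "greater"}            # take an ID but no type qualifier
OPERATORS = {"and": "and", "&&": "and", "or": "or", "||": "or",
             "not": "not", "!": "not", "(": "(", ")": ")"}
HOST_PROTOS = {"ether", "ip", "ip6", "arp", "rarp"}  # protos libpcap accepts before host/net
PORT_PROTOS = {"tcp", "udp", "sctp"}                 # protos libpcap accepts before port/portrange


def tokenize(expr):
    raw = re.findall(r"\(|\)|&&|\|\||!|[^\s()]+", expr)
    toks, i = [], 0
    while i < len(raw):
        # "src or dst" / "src and dst" are single direction qualifiers, not operators
        if (raw[i] in ("src", "dst") and i + 2 < len(raw)
                and raw[i + 1] in ("or", "and") and raw[i + 2] in ("src", "dst")):
            toks.append(" ".join(raw[i:i + 3]))
            i += 3
        else:
            toks.append(raw[i])
            i += 1
    return toks


def is_qualifier(tok):
    return tok in PROTO or tok in TYPE or tok in KEYWORD or tok.split()[0] in ("src", "dst")


def primitive(quals, ident):
    """Build one 'proto dir type ID' unit, checking the proto/type combination."""
    proto = next((q for q in quals if q in PROTO), None)
    typ = next((q for q in quals if q in TYPE), "host")   # the default type is host
    if not any(q in KEYWORD for q in quals):
        if typ in ("host", "net") and proto is not None and proto not in HOST_PROTOS:
            raise ValueError(f"'{proto}' cannot qualify {typ}; write '{proto} and {typ} {ident}'")
        if typ in ("port", "portrange") and proto is not None and proto not in PORT_PROTOS:
            raise ValueError(f"'{proto}' cannot qualify {typ}")
        if typ == "port" and ident in SERVICES:
            ident = str(SERVICES[ident])              # service name -> port number
    return " ".join(quals + [ident])


def flush(pending, out):
    """A lone protocol ('icmp', 'arp') is a complete primitive; anything else dangling is an error."""
    if pending:
        if len(pending) == 1 and pending[0] in PROTO:
            out.append(pending[0])
        else:
            raise ValueError(f"qualifiers without an identifier: {pending}")


def expand(expr):
    out, pending, last = [], [], []
    for tok in tokenize(expr):
        if tok in OPERATORS:
            flush(pending, out)
            out.append(OPERATORS[tok])
            pending = []
        elif is_qualifier(tok):
            pending.append(tok)
        else:
            quals = pending or last      # no qualifiers of its own: inherit the previous ones
            if not quals:
                raise ValueError(f"no qualifier applies to {tok!r}")
            out.append(primitive(quals, tok))
            last, pending = quals, []
    flush(pending, out)
    return " ".join(out)


def is_valid(expr):
    try:
        expand(expr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(expand("tcp dst port ftp or ftp-data or domain"))
```

expand("tcp dst port ftp or ftp-data or domain") returns "tcp dst port 21 or tcp dst port 20 or tcp dst port 53", and expand("ip host ace and not helios") shows that the inherited qualifiers include the protocol. expand("icmp src 192.168.100.70") raises ValueError, which is the mistake the ping example later in this article warns about.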

1.3 tcpdump example

Note that tcpdump can only capture traffic that reaches the interface it is listening on: packets to or from this host, plus whatever else the interface receives (for example on a mirror port). On a switched network it does not see traffic between two other hosts.

(1) Start with the defaults

tcpdump

Started without options, tcpdump captures every packet on the first (non-loopback) network interface. This produces a lot of output that scrolls by very fast.

(2) Capture on a specified interface

tcpdump -i eth2

If no interface is given, tcpdump listens only on the first network interface, e.g. eth0.

(3) Capture packets for a specified host, e.g. everything entering or leaving longshuai

tcpdump host longshuai

(4) Print packets exchanged between helios and either hot or ace

tcpdump host helios and \( hot or ace \)

(5) Print IP packets exchanged between ace and any host other than helios

tcpdump ip host ace and not helios

(6) Capture everything sent by host hostname

tcpdump src host hostname

(7) Capture everything sent to host hostname

tcpdump dst host hostname

(8) Capture packets for a specified host and port

tcpdump tcp port 22 and host hostname

(9) Capture local UDP port 123 (123 is the NTP service port)

tcpdump udp port 123

(10) Capture packets on a specified network, e.g. anything to or from the 192.168 range. "-c 10" stops after 10 packets.

tcpdump -c 10 net 192.168

(11) Print all FTP packets passing through gateway snup (the expression is in single quotes so the shell does not interpret the parentheses)

tcpdump 'gateway snup and (port ftp or ftp-data)'

(12) Capture ping packets (per-line timestamps omitted from the listing)

[root@server2 ~]# tcpdump -c 5 -nn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 11, length 64
IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 11, length 64
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 12, length 64
5 packets captured

To see only the echo requests that 192.168.100.70 sends (and not the replies from 192.168.100.62), add a source qualifier with the and operator:

[root@server2 ~]# tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.70
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 1, length 64
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 2, length 64
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 3, length 64
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 4, length 64
IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 5, length 64
5 packets captured

Note that "icmp src 192.168.100.70" is a syntax error: a host primitive only accepts link and network protocols (ether, ip, arp and so on) as its proto qualifier, not icmp, tcp or udp. Combine them with and instead, as above.

(13) Capture packets to local port 22

[root@server2 ~]# tcpdump -c 10 -nn -i eth0 tcp dst port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:06:57.574293 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 535528834, win 2053, length 0
12:06:57.629125 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 193, win 2052, length 0
12:06:57.684688 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 385, win 2051, length 0
12:06:57.738977 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 577, win 2050, length 0
12:06:57.794305 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 769, win 2050, length 0
12:06:57.848720 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 961, win 2049, length 0
12:06:57.904057 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1153, win 2048, length 0
12:06:57.958477 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1345, win 2047, length 0
12:06:58.014338 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1537, win 2053, length 0
12:06:58.069361 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1729, win 2052, length 0
10 packets captured

"Flags [.]" means a pure ACK. The first line shows the absolute acknowledgement number; for later packets of the same connection tcpdump prints sequence and acknowledgement numbers relative to the first one it saw (193, 385, ...). Use -S to print absolute numbers throughout.
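Text output like that of examples (12) and (13) is often all an incident responder has. The following is an added example for this page, not part of tcpdump: it parses "tcpdump -nn" lines (without -e or -v) into records and flags two things a practitioner looks for, a burst of SYNs to port 22 from one client and ICMP echo requests that never receive a reply. SAMPLE is constructed to resemble the listings above and adds one host, 192.168.100.99, that behaves like a scanner; the thresholds are arbitrary.

```python
"""Parse tcpdump -nn text output and flag noisy sources.
Added example for this page; SAMPLE is constructed, not a real capture."""
import re
from collections import Counter

SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
12:11:23.273666 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
12:11:30.000001 IP 192.168.100.99 > 192.168.100.10: ICMP echo request, id 7, seq 1, length 64
12:11:30.000002 IP 192.168.100.99 > 192.168.100.11: ICMP echo request, id 7, seq 2, length 64
12:11:30.000003 IP 192.168.100.99 > 192.168.100.12: ICMP echo request, id 7, seq 3, length 64
12:12:01.100000 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [S], seq 1000, win 64240, length 0
12:12:01.100100 IP 192.168.100.62.22 > 192.168.100.1.5788: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:12:01.100200 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1, win 2053, length 0
12:12:05.000001 IP 192.168.100.99.40001 > 192.168.100.62.22: Flags [S], seq 1, win 1024, length 0
12:12:05.000002 IP 192.168.100.99.40002 > 192.168.100.62.22: Flags [S], seq 1, win 1024, length 0
12:12:05.000003 IP 192.168.100.99.40003 > 192.168.100.62.22: Flags [S], seq 1, win 1024, length 0
12:12:05.000004 IP 192.168.100.99.40004 > 192.168.100.62.22: Flags [S], seq 1, win 1024, length 0
"""

# Line shapes produced by "tcpdump -nn" (no -e, no -v): timestamp, "IP", addresses, protocol detail.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)")
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Return a dict for an ICMP echo or TCP line, or None for header/trailer lines."""
    m = ICMP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec.update(proto="icmp", id=int(rec["id"]), seq=int(rec["seq"]), len=int(rec["len"]))
        return rec
    m = TCP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec.update(proto="tcp", sport=int(rec["sport"]), dport=int(rec["dport"]))
        return rec
    return None


def analyze(lines, port=22, threshold=3):
    """Count SYNs to `port` per client and echo requests per source that got no reply."""
    open_requests = {}      # (src, dst, id, seq) -> timestamp, removed when the reply arrives
    syns, synacks = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "icmp":
            if rec["kind"] == "request":
                open_requests[(rec["src"], rec["dst"], rec["id"], rec["seq"])] = rec["ts"]
            else:   # a reply mirrors the request's addresses and carries the same id/seq
                open_requests.pop((rec["dst"], rec["src"], rec["id"], rec["seq"]), None)
        elif rec["dport"] == port and rec["flags"] == "S":
            syns[rec["src"]] += 1
        elif rec["sport"] == port and rec["flags"] == "S.":
            synacks[rec["dst"]] += 1
    unanswered = Counter(src for src, _, _, _ in open_requests)
    alerts = []
    for src, n in syns.items():
        if n >= threshold:
            alerts.append(f"{src}: {n} SYNs to port {port}, {synacks[src]} answered with SYN-ACK")
    for src, n in unanswered.items():
        if n >= threshold:
            alerts.append(f"{src}: {n} unanswered ICMP echo requests (possible ping sweep)")
    return {"syns": dict(syns), "synacks": dict(synacks),
            "unanswered_pings": dict(unanswered), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE.splitlines())["alerts"]:
        print(alert)
```

Feed it a saved listing with analyze(open("capture.txt").readlines()). Matching echo replies to requests by the reversed address pair plus id and seq is what distinguishes a sweep of silent hosts from ordinary monitoring pings, and counting SYN-ACKs alongside SYNs separates a scan of a closed or filtered port from a busy but legitimate client.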

(14) Dumping packet contents

[root@server2 ~]# tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:54.788812 IP (tos 0x0, ttl 64, id 19303, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
        0x0030:  0803 7844 0000 0000 0000                 ..xD......
12:15:54.842641 IP (tos 0x0, ttl 64, id 19304, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b68 4000 4006 a5d7 c0a8 6401 c0a8  .(Kh@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2d62 5010  d>....$&_...-bP.
        0x0030:  0801 7646 0000 0000 0000                 ..vF......
2 packets captured

With -XX the dump starts at the link layer: the first 14 bytes are the destination MAC (00:0c:29:08:92:34), the source MAC (00:50:56:c0:00:08) and the EtherType 0x0800 (IPv4). The IPv4 header follows (0x4500 ... ending in the addresses c0a8 6401 = 192.168.100.1 and c0a8 643e = 192.168.100.62), then the 20-byte TCP header with ports 0x169c = 5788 and 0x0016 = 22. The four zero bytes at the end lie beyond the IP total length of 40 and are link-layer padding. Because -q was given, the TCP line is reduced to "tcp 0" (no payload); drop -q to see the flags, sequence and acknowledgement numbers.
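To check that reading of the hex dump, here is an added example for this page (not tcpdump's decoder) that parses the first frame above into the fields tcpdump printed, verifies the IPv4 header checksum, and marks a frame cut short by a small snaplen with the same "[|tcp]" notation tcpdump uses. The frame bytes are re-typed from the dump; nothing else is assumed.

```python
"""Decode an Ethernet/IPv4/TCP frame and verify the IPv4 header checksum.
Added example for this page; FRAME_HEX is the first packet of the -XX dump above."""
import struct

FRAME_HEX = (
    "000c 2908 9234 0050 56c0 0008 0800 4500"
    "0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8"
    "643e 169c 0016 2426 5fd6 1fec 2b62 5010"
    "0803 7844 0000 0000 0000"
)
FRAME = bytes.fromhex(FRAME_HEX.replace(" ", ""))

# tcpdump's flag letters, in the order it prints them: "[S.]" is SYN+ACK, "[.]" a pure ACK.
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame):
    """Return link, IPv4 and TCP header fields; TCP fields are absent if the capture was truncated."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
        "tos": tos, "ttl": ttl, "id": ident, "length": total_len,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000), "offset": (frag & 0x1FFF) * 8,
        "proto": proto, "checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "truncated": len(ip) < total_len,            # snaplen smaller than the packet
        "padding": max(len(ip) - total_len, 0),      # bytes past the IP length: link-layer padding
    }
    if proto == 6:
        if len(ip) < ihl + 20:
            info["note"] = "[|tcp]"                  # what tcpdump prints for a cut-off header
            return info
        sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack(
            "!HHIIHHHH", ip[ihl:ihl + 20])
        doff = (off_flags >> 12) * 4
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                    flags="".join(ch for bit, ch in TCP_FLAGS if off_flags & bit),
                    payload_len=total_len - ihl - doff)
    return info


def summary(info):
    """Two lines in the style of 'tcpdump -nn -v' for a decoded TCP packet."""
    ip_line = (f"IP (tos 0x{info['tos']:x}, ttl {info['ttl']}, id {info['id']}, "
               f"offset {info['offset']}, flags [{'DF' if info['df'] else 'none'}], "
               f"proto TCP ({info['proto']}), length {info['length']})")
    tcp_line = (f"{info['src']}.{info['sport']} > {info['dst']}.{info['dport']}: "
                f"Flags [{info['flags']}], ack {info['ack']}, win {info['win']}, "
                f"length {info['payload_len']}")
    return ip_line + "\n    " + tcp_line


if __name__ == "__main__":
    print(summary(decode_frame(FRAME)))
```

The recomputed checksum over the header with its checksum field zeroed is 0xa5d8, the value in the dump, and flipping one bit of the TTL makes checksum_ok false, which is the check "-v" performs when it reports "bad cksum". Feeding the function only the first 40 bytes of the frame (as a capture with "-s 40" would have saved) yields truncated=True and the "[|tcp]" note in place of the TCP fields.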