Shulou(Shulou.com)06/01 Report--

This article is about how to use tcpdump to view raw packets in linux. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

While tools such as Snort do a great job of filtering all the content coming through our network, it is sometimes necessary to look at the raw data. Our best tool for this is "tcpdump".

The most basic way to use tcpdump is to simply issue the following command:

Tcpdump

You can use the-v option to get more details, while-vv can get more information.

Useful options

Suppose you are logged in to the remote computer you want to manage. If you run "tcpdump" without any options, the output will be flooded with packets from your SSH connection. To avoid this, simply remove port 22 from the output:

Tcpdump not port 22

You can use many different ports to do this:

Tcpdump not port 143 and not port 25 and not port 22

If you want to do the opposite, monitoring only a port (which is useful for debugging network applications), you can do the following:

Tcpdump port 143

You can also get data from specific hosts on the network:

Tcpdump host hal9000

If your computer has more than one network interface, you can also specify the network interface to listen to:

Tcpdump-I eth2

You can also specify the protocol:

Tcpdump udp

You can find a list of protocols in / etc / protocols.

Save the output for later use

In some cases, you may want to redirect the output to a file so that you can later study it in detail or use another program to parse the output. In the following example, you can still view the output when you save the output to a file:

Tcpdump-l | tee tcpdump_ `date +% Y% m% e muri% k.% M`

In the above example, we can use the date and time to identify each dump. This may come in handy when dealing with problems that arise at a specific time of day.

Tcpdump can also choose to dump its output in binary format for later reading. To create a binary file:

Tcpdump-w tcpdump_raw_ `date +% Y% m% eMury% k.% M`

Later, you can have tcpdump read the file using the following command

Tcpdump-r tcpdump_raw_YYYMMDD-H.M

You can also use the ethereal program to open the original dump and interpret it.

Tcpdump provides us with information about all packets going back and forth to the network.

Using Ethereal with Ethereal and tcpdump

Ethereal is a tool that can also be used to capture network packets. After installation, you can open the original dump file you made.

It becomes quite easy to see what is happening. You can see the source IP and destination IP and what type of packet it is. This is easy, and then you can troubleshoot any network problems you may encounter and analyze suspicious behavior. Just to add an anecdote, when I wrote this lesson and explained my dump, I saw some strange activity on my personal workstation. I check port 32772 on different IP machines in the world almost at regular intervals. I ran a specific dump for port 32772, as follows:

Tcpdump port 32772-w dump_32772

Read the original output

As you can see, even reading so-called "human readable" output from tcpdump can be a bit mysterious. Looking at the following example, I just picked a random packet from the dump:

17 ack 26 ack 22.924493 IP www.linux.org.www > test.linux.org.34365: P 2845 ack 1624 win 9648

All we have is a Web server request to https://www.linux.org/. After the timestamp, you will notice .www at the end of the hostname (that is, port 80). This will be sent to port 34365 of the host test.linux.org that made the request. "P" represents the TCP "oush" function. This means that data should be sent immediately. 2845 marks the number of the octet of the first packet in the digits after 2845 The number 3739 is the number of the last byte sent by the packet plus 1. The number 894 is the length of the packet sent. The part that stands for "ack 1624" is the TCP term for "acknowledge"-meaning that the packet has been accepted, and the next expected packet number is 1624. After that, we see that the "win 9648" sending host is waiting for a packet with a window size of 9648 octets. After that, there's a timestamp.

Now, if you find it difficult to explain, use the-x option, which will include the packet contents in the hexadecimal output.

18 IP www.linux.org.www 12 IP www.linux.org.www > 45.149977: 1Ru 1449 (1448) ack 487 win 6432 0x0000: 4500 05dc 6a81 4000 4006 493b c0a8 0006 E.. j.birthday. 0x0010: c0a8 0009 0050 86e8 8fa4 1d47 1c33 e3af .P.G.3.. 0x0020: 8010 1920 b4d9 0000 0101 080a 13a0 7a77 .zw 0x0030: 019e 5f14 4854 5450 2f31 2e31 2032 3030.. _ .HTTP / 1.1.200 0x0040: 204f 4b0d 0a44 6174 653a 2054 6875 2c20 .OK..Date: .Thu,. 0x0050: 3135

We can tell from the output that this is a HTTP request. As for the rest, it is not human-readable, but it is easy to know that this is a legitimate packet. Another benefit of using this format is that even if we cannot fully explain the state of the packet, we can send it to possible people. In the end, this is the raw data transmitted over the network without any filtering.

Thank you for reading! This is the end of this article on "how to use tcpdump to view raw packets in linux". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.