
Analysis of the first time for beginners to grab the bag

2025-02-25 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)06/01 Report--

After drifting for a long time I suddenly felt like sorting out some of my own notes. I believe many people are like me: they have learned the theory but never used it, and technology is not something you can master just by looking things up on Baidu. Some time ago a company interface and a branch interface could not talk to each other, and I stood there like a fool not knowing what to do; only after chatting with a senior colleague for a while did I learn what should be done. Below is my first experience of packet capture, together with some of the things I use.

First of all, you have to decide where to capture. For example, my server is Linux, so you need to download an analysis tool; I prefer Wireshark, though this depends on personal habit. Then you use the common command tcpdump to capture the packets. Here are some of the tcpdump parameters:

Example: tcpdump -X -s 500 host 172.16.29.40 and port 4600 (the options go before the filter expression)

tcpdump is driven from the command line, and its command format is:

tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F filename ] [ -i interface ] [ -r filename ] [ -s snaplen ] [ -T type ] [ -w filename ] [ expression ]

1. tcpdump options introduction

-a Convert network addresses and broadcast addresses into names;

-d Print the compiled packet-matching code in a human-readable assembly-like format;

-dd Print the packet-matching code as a C program fragment;

-ddd Print the packet-matching code in decimal form;

-e Print the data link layer header on each output line;

-f Print foreign Internet addresses numerically;

-l Make standard output line-buffered;

-n Do not convert network addresses to names;

-t Do not print a timestamp on each output line;

-v Produce slightly more verbose output, for example the TTL and type of service fields of an IP packet;

-vv Produce even more verbose output;

-c Stop after receiving the specified number of packets;

-F Read the filter expression from the specified file, ignoring any expression given on the command line;

-i Specify the network interface to listen on;

-r Read packets from the specified file (such files are usually produced with the -w option);

-w Write the raw packets to a file instead of parsing and printing them;

-T Interpret the captured packets directly as messages of the specified type; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol).

2. tcpdump expression introduction

The expression is the condition tcpdump uses to filter packets: if a packet satisfies the expression, it is captured; if no expression is given, every packet on the network is intercepted.

The expression uses several kinds of keywords. The first kind specifies a type, mainly host, net and port. For example, host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means port number 23. If no type is specified, the default type is host.

The second kind specifies the direction of transmission, mainly src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind is protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi denotes a specific network protocol over FDDI (Fiber Distributed Data Interface) and is actually an alias for ether: fddi and ether carry similar source and destination addresses, so fddi packets can be processed and analyzed as ether packets. The other keywords select the protocol of the packets being monitored. If no protocol is specified, tcpdump listens for packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', AND is 'and' or '&&', and OR is 'or' or '||'.

These keywords can be combined into powerful compound conditions to meet almost any need. Here are a few examples.

(1) To intercept all packets received and sent by host 210.27.48.1:

#tcpdump host 210.27.48.1

(2) To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command (when using parentheses on the command line, be sure to escape them with a backslash, or quote the whole expression):

#tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

(3) To get the IP packets of all hosts communicating with host 210.27.48.1 except host 210.27.48.2, use the command:

#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To get the telnet packets received or sent by host 210.27.48.1, use the following command:

#tcpdump tcp port 23 and host 210.27.48.1

3. tcpdump output introduction

Here are a few typical tcpdump outputs.

(1) Data link layer header information

Use the command #tcpdump -e host ice

ice is a Linux host with MAC address 0:90:27:58:af:1a; h219 is a SUN workstation running Solaris with MAC address 8:0:20:79:5b:46.

The output of the command looks like this:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12 is the displayed time, 847509 is the ID number, eth0 is the network interface the packet passed through, 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet comes from source h219, and 0:90:27:58:af:1a is the MAC address of host ice, indicating that the packet's destination is ice. ip means the packet is an IP packet, 60 is the packet length, h219.33357 > ice.telnet means the packet was sent from port 33357 on host h219 to the telnet port (23) on host ice, ack 22535 is the acknowledgement of packet sequence number 22535, and win 8760 is the size of the send window.

(2) tcpdump output for ARP packets

Use the command #tcpdump arp

The resulting output is:

22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0 > means the packet was sent from this host, arp means it is an ARP request packet, who-has route tell ice means that host ice is asking for the MAC address of host route, and 0:90:27:58:af:1a is the MAC address of host ice.

(3) TCP packet output

The general output for TCP packets captured with tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst shows the path from source to destination; flags are the flag bits in the TCP packet: S is SYN, F is FIN, P is PUSH, R is RST and "." means no flag is set; data-seqno is the sequence number of the data in the packet; ack is the next expected sequence number; window is the size of the receive buffer window; urgent indicates whether the packet carries an urgent pointer; options are the TCP options.

(4) UDP packet output

The general output for UDP packets captured with tcpdump is:

route.port1 > ice.port2: udp length

UDP is very simple: the line above shows a UDP packet sent from port1 on host route to port2 on host ice, udp is the protocol type, and length is the packet length.
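As an added example (not part of the original post), the small parser below turns the old-style TCP, UDP and ARP output lines described in section 3 into fields, and then lists the SYNs aimed at the telnet service, since cleartext telnet logins are exactly what a defender reading such a capture wants to spot. The sample lines are constructed in the same layout as the page's examples (the hosts h219, ice and route are the page's own); newer tcpdump versions print a slightly different layout, so the patterns assume this older format.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in the old-style layout used on this page (not a real capture).
SAMPLE_LINES = [
    "21:50:12.847509 eth0 < h219.33357 > ice.telnet: S 1000:1000(0) win 8760 (DF)",
    "21:50:12.848002 eth0 > ice.telnet > h219.33357: S 2000:2000(0) ack 1001 win 8760 (DF)",
    "21:50:12.849100 eth0 < h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > route.port1 > ice.port2: udp 62",
    "22:32:42.802902 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
]

# Common prefix: timestamp, interface, and the direction marker ("<" received, ">" sent).
HDR = r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) "
# "src > dst: flags data-seqno ack window" as described in section 3(3); ack/win are optional.
TCP_RE = re.compile(
    HDR + r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+) "
    r"(?P<seqlo>\d+):(?P<seqhi>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)
# "route.port1 > ice.port2: udp length" as in section 3(4).
UDP_RE = re.compile(HDR + r"(?P<src>\S+) > (?P<dst>\S+): udp (?P<len>\d+)")
# "arp who-has ... tell ..." / "arp reply ... is-at ..." as in section 3(2).
ARP_RE = re.compile(HDR + r"arp (?P<op>who-has|reply) (?P<rest>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump output line, or None if the layout is not recognised."""
    for proto, rx in (("tcp", TCP_RE), ("udp", UDP_RE), ("arp", ARP_RE)):
        m = rx.match(line)
        if m:
            return {"proto": proto, **m.groupdict()}
    return None


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """tcpdump joins host and port (or service name) with a dot: 'ice.telnet' -> ('ice', 'telnet')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def telnet_syns(lines: List[str]) -> List[Tuple[str, str]]:
    """(client host, time) for every initial SYN (no ack yet) sent to the telnet service."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and "S" in rec["flags"] and rec["ack"] is None:
            if split_endpoint(rec["dst"])[1] == "telnet":
                hits.append((split_endpoint(rec["src"])[0], rec["time"]))
    return hits
```

Feed it the text saved by Xshell's log feature (section below) when a binary -w capture is not available.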

(http://www.fanqiang.com)

Under normal circumstances you will use the -i parameter, which specifies the network card to listen on (the default is eth0). To be able to load the captured contents into Wireshark for analysis, you also have to specify a file with -w to save them into. I think Xshell is quite good here: it has an FTP function, so you can download the file directly from the server to your own computer for analysis. Below is a screenshot of my own.

If you want to capture on a firewall, take Tianrongxin as an example: you log in to its box, which also has the tcpdump command; if that does not work, prefix it as system + tcpdump + parameters. It is worth mentioning that Tianrongxin seems to offer no way to save the capture in a format Wireshark supports (ps: at least none that I know of), so I could only run tcpdump with the -vv parameter to see the details, which is of course quite laborious. Xshell has a logging feature (File - Log - Start); just turn it on before you start capturing and stop it after you finish.

How to analyze the capture? Well, next time! This is my first attempt at writing a blog. Take a look, and take it slow; I'm a rookie.
