
Detailed explanation of tcpdump Command example in Linux

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Preface

tcpdump is a packet capture tool for Unix/Linux-like environments that lets the user intercept and display the network packets a host sends or receives. It can capture the complete header of every packet passing over the network for analysis. Capture filters can be written in terms of network layer, protocol, host, network or port, and the logical operators and, or and not can be combined to strip away uninteresting traffic. tcpdump is free software released under the BSD license.

This article introduces the tcpdump command in Linux in detail, for your reference and study. Let's take a look.

I. Command format

tcpdump [-AbdDefhlLnNOpqRStuUvxX] [-B buffer_size] [-c count] [-C file_size] [-F file] [-G rotate_seconds] [-i interface] [-m module] [-M secret] [-r file] [-s snaplen] [-T type] [-w file] [-W filecount] [-E spi@ipaddr algo:secret] [-y datalinktype] [-z postrotate-command] [-Z user] [expression]

II. Description of options

-A: print each packet in ASCII (without its link-layer header). Convenient for reading web page data when capturing HTTP traffic.
-b: print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.
-B buffer_size, --buffer-size=buffer_size: set the operating system capture buffer size, in KB.
-c count: stop capturing after receiving count packets.
-C file_size: used together with -w file. Before writing each raw packet to the file, tcpdump checks whether the file would exceed file_size; if so, it closes the file and opens a new one. The new file has the name given by -w with a number appended, starting at 1 and increasing with every new file. file_size is in millions of bytes (1000000 bytes, not the 1048576 bytes obtained when 1k is taken as 1024 bytes and 1M as 1024*1024 = 1048576).
-d: dump the compiled packet-matching code in a human-readable form to standard output.
-dd: dump the compiled packet-matching code as a C program fragment to standard output.
-ddd: dump the compiled packet-matching code as decimal numbers to standard output.
-D, --list-interfaces: print the list of network interfaces on which tcpdump can capture. For each interface a number, the interface name and possibly a description are printed. The name or the number can be passed to -i to select the interface. This option is useful on systems that have no command for listing interfaces (for example Windows, or UNIX systems without ifconfig -a); the numbers are useful on Windows 2000 and later, where interface names are long and awkward. If the libpcap that tcpdump was built against is too old to provide pcap_findalldevs(), -D is not supported.
-e: print the link-layer header on each output line.
-f: print "foreign" IPv4 addresses (addresses that are not local to this host) numerically rather than symbolically. This was added to work around a defect in Sun's NIS server (NIS, the Network Information Service, provides the name lookups tcpdump uses when printing foreign addresses), which tends to loop endlessly when translating non-local addresses. Because the test for "foreign" uses the IPv4 address and netmask of the capture interface, the option cannot work when that address or mask is unavailable or when the interface has no address configured at all (the Linux 'any' interface, which receives packets from every interface on the system, has no address or mask).
-F file: take the filter expression from file; any expression given on the command line is ignored.
-G rotate_seconds: like -C, but rotates the output file on a time basis rather than a size basis: every rotate_seconds seconds the packets go to a new file named after the -w argument, with a time string appended whose format is given in the file name using strftime(3) conversions. If no time format is given, each new file overwrites the previous one. When combined with -C, the count from -C is appended to the file name as well.
-h, --help: print tcpdump's usage text and the libpcap version (libpcap is the packet capture library used on unix/linux platforms).
--version: print the version numbers of tcpdump and libpcap.
-i interface, --interface=interface: listen on interface. If none is given, tcpdump searches the system interface list for the lowest numbered, configured interface (excluding loopback) and stops at the first one that qualifies. On Linux systems with 2.2 or later kernels, the pseudo-interface 'any' captures packets from all interfaces (including packets not addressed to this host). Note that capturing on 'any' does not put the real interfaces into promiscuous mode, so packets a real interface would only see in promiscuous mode cannot be captured through 'any'. If -D was used, the interface number it printed can be given here instead of a name.
-l: line-buffer standard output (each line is flushed as soon as its newline is written), which is useful when piping tcpdump's output to another program.
-L: list the data link types supported by the interface chosen with -i and exit.
-m module: load SMI and MIB definitions from module (SMI: Structure of Management Information; MIB: Management Information Base; both describe the data carried by SNMP, the Simple Network Management Protocol). How SNMP itself works is not covered here. The option may be repeated to load several MIB modules.
-M secret: use secret as the secret for validating the digests of TCP segments that carry the TCP-MD5 option (RFC 2385).
-n: do not convert addresses (host addresses, port numbers, etc.) to names.
-N: do not print the domain qualification of host names; for example print 'nic' instead of 'nic.ddn.mil'.
-O, --no-optimize: do not run the packet-matching code optimizer. Useful when a bug in the optimizer is suspected.
-p, --no-promiscuous-mode: do not put the interface into promiscuous mode. Note that the interface may already be in promiscuous mode for some other reason, so -p cannot be used as an abbreviation for 'ether host {local-hw-addr}' or 'ether broadcast' (the former matches only frames addressed to the local Ethernet address, the latter only frames sent to the broadcast address).
-q: quick (quiet) output: print less protocol information, so output lines are shorter.
-r file: read packets from file; if file is '-', read from standard input.
-R: parse ESP/AH packets according to the older specification (RFC 1825 rather than RFC 1829). AH is the Authentication Header and ESP the Encapsulating Security Payload; both are used for secure transmission of IP packets. When this option is set, tcpdump does not print the anti-replay field. Because the ESP/AH specifications do not require a protocol version field, tcpdump cannot deduce the version from the packets themselves.
-s snaplen, --snapshot-length=snaplen: capture snaplen bytes of each packet instead of the default 262144. Packets truncated by the snapshot length are marked in the output with '[|proto]', where proto is the protocol level at which the truncation occurred. A large snaplen increases per-packet processing time and reduces the number of packets tcpdump can buffer, which can cause packet loss; so, as long as the packets you want are captured whole, the smaller the snaplen the better. A snaplen of 0 tells tcpdump to choose the length automatically.
-S, --absolute-tcp-sequence-numbers: print absolute rather than relative TCP sequence numbers. (A relative number is the difference between a packet's sequence number and that of the first packet of the connection. For example, if the first packet received has absolute sequence number 232323, the second and third packets are printed with sequence numbers 1 and 2; with -S they are printed as 232324 and 232325.)
-t: do not print a timestamp on each line.
-tt: print the timestamp unformatted (as raw seconds such as 1261798315, whose meaning is not obvious at a glance).
-ttt: print the delay between the current line and the previous one, in milliseconds.
-tttt: print the date in front of the timestamp on each line.
-ttttt: print the time elapsed since the first line, in milliseconds.
-T type: force the received packets to be interpreted according to the protocol type. Known types are: (1) aodv (Ad-hoc On-demand Distance Vector protocol, a routing protocol for ad hoc networks); (2) cnfp (Cisco NetFlow protocol); (3) rpc (Remote Procedure Call); (4) rtp (Real-Time Applications protocol); (5) rtcp (Real-Time Applications control protocol); (6) snmp (Simple Network Management Protocol); (7) tftp (Trivial File Transfer Protocol); (8) vat (Visual Audio Tool, an application-layer protocol for teleconferencing over the internet); and (9) wb (distributed White Board, an application-layer protocol for web conferencing).
-u: print undecoded NFS handles (an NFS handle identifies a file or directory on the server).
-U: when writing with -w, write each packet to the output file as soon as it is captured instead of waiting for the output buffer to fill. Does not work with older versions of libpcap (the capture library tcpdump depends on) that lack pcap_dump_flush().
-v: verbose output. For example, the time to live, identification, total length and options of IP packets are printed. This also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.
-vv: even more verbose than -v. For example, additional fields of NFS (Network File System) reply packets are printed, and SMB (Server Message Block) packets are fully decoded.
-vvv: the most verbose output. For example, telnet SB ... SE options are printed in full, and with -X the telnet options are also printed in hex.
-w file: write the raw packets to file instead of parsing and printing them. The data can later be read back, analysed and printed with -r.
-W filecount: used with -C; limits the number of files created to filecount. Once the limit is reached, tcpdump overwrites the earlier files in turn, giving a rotating pool of filecount files. It also pads file names with enough leading zeros so that they sort correctly.
-x: print the header of each packet and then the packet's data in hex (without the link-layer header), up to the smaller of the whole packet and snaplen. Note that if the higher-layer data is shorter than the link layer's minimum and the link layer (for example Ethernet) adds padding, the padding is printed too.
-xx: like -x, but the link-layer header is included.
-X: print the header of each packet and then its data in both hex and ASCII (without the link-layer header). Very convenient for analysing packets of new protocols.
-XX: like -X, but the link-layer header is included.
-y datalinktype, --linktype=datalinktype: capture only packets whose data link type is datalinktype.
-z postrotate-command: used with -C or -G; run postrotate-command on each file as it is closed. For example, -z gzip or -z bzip2 compresses each saved file.
-Z user, --relinquish-privileges=user: after tcpdump gives up its superuser privileges (it has them when started by root), change its user ID to user and its group ID to the primary group of user.
expression: the filter expression that selects which packets to capture. Without an expression, all packets on the network are captured.
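To make concrete what -w, -r and -s do to a saved capture, here is an added example (not code from the original article or from tcpdump itself) that writes and reads the classic pcap file layout tcpdump -w produces, using constructed sample frames. A frame longer than the snapshot length is stored truncated, with the stored length smaller than the on-wire length, which is the situation tcpdump marks with '[|proto]' when printing.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap; written little-endian here
LINKTYPE_ETHERNET = 1

def build_pcap(packets, snaplen):
    """Produce the bytes tcpdump -w writes: a 24-byte global header, then a 16-byte
    record header per packet. Like -s, packets longer than snaplen are cut; incl_len
    (caplen) records the stored bytes and orig_len the length seen on the wire."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, pkt in packets:
        data = pkt[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(pkt)) + data
    return out

def parse_pcap(blob):
    """Read a capture the way tcpdump -r does. Returns (snaplen, records), where each
    record is (timestamp, caplen, origlen, truncated, data)."""
    magic, _major, _minor, _tz, _sig, snaplen, _link = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, pos = [], 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        data = blob[pos:pos + caplen]
        if len(data) != caplen:
            raise ValueError("record cut short: file is damaged or incomplete")
        pos += caplen
        # caplen < origlen is exactly the case tcpdump prints as [|proto]
        records.append((ts_sec + ts_usec / 1e6, caplen, origlen, caplen < origlen, data))
    return snaplen, records

# Constructed sample frames (74-byte and 1500-byte Ethernet frames, not real captures).
SAMPLE = [(1261798315, 0, b"\x00" * 14 + bytes(range(60))),
          (1261798315, 500, b"\xff" * 1500)]

def demo(snaplen=96):
    """Round-trip SAMPLE through build/parse and report (caplen, origlen, truncated)."""
    _snap, recs = parse_pcap(build_pcap(SAMPLE, snaplen))
    return [(caplen, origlen, truncated) for _, caplen, origlen, truncated, _ in recs]

if __name__ == "__main__":
    print(demo(96))
```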

III. Common examples

3.1 Monitoring packets for specified hosts

(1) print all packets arriving at or from the host sunrise. The host can be an IP address or hostname.

tcpdump host sunrise

(2) print all packets between host A and either host B or host C

tcpdump host A and \( B or C \)

(3) print IP packets communicating between ace and any other host, excluding packets with helios.

tcpdump ip host ace and not helios

3.2 Monitoring packets for a specified network

(1) print all communication packets between the local host and the host on the Berkeley network

tcpdump net ucb-ether

(2) print all ftp packets that pass through the gateway snup. Note that the expression is enclosed in single quotation marks so that the shell does not interpret the parentheses.

tcpdump 'gateway snup and (port ftp or ftp-data)'

(3) print IP packets that are not from or to the local network

tcpdump ip and not net localnet

3.3 Monitoring packets for specified protocols

(1) print the start and end packets (the SYN and FIN packets) of TCP sessions whose source or destination is not a host on the local network. (Note: localnet stands for the name of the local network; substitute the real name.)

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

(2) print IP packets longer than 576 bytes that pass through the gateway snup

tcpdump 'gateway snup and ip[2:2] > 576'

ip[2:2] reads the two bytes at offset 2 of the IP header, which hold the total length of the IP packet.

(3) print ICMP packets other than the 'echo request' and 'echo reply' types. This expression is useful, for example, when you need to print all ICMP packets that were not generated by ping, since the 'echo request' and 'echo reply' ICMP types are normally produced by ping programs.

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
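The three filters in this section all index raw header bytes (ip[2:2], tcp[tcpflags], icmp[icmptype]). The following added example (not part of the original article, and not tcpdump's own filter engine) re-implements that indexing in Python over constructed Ethernet/IPv4 frames, so you can see exactly which bytes each expression tests and which sample packets would match.

```python
import struct

# Constructed Ethernet II frames (not real captures): 14-byte Ethernet header, then IPv4.
ETH_HDR_LEN = 14
TCP_SYN, TCP_FIN = 0x02, 0x01          # tcpdump's tcp-syn and tcp-fin flag bits
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8       # tcpdump's icmp-echoreply and icmp-echo types

def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (IHL 5, no options; checksum left 0, only offsets matter)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def tcp(flags):
    """Minimal 20-byte TCP header (data offset 5) carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)

def icmp(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def frame(ip_packet):
    return b"\x00" * 12 + b"\x08\x00" + ip_packet   # dst MAC, src MAC, EtherType IPv4

def ip_field(pkt, offset, size=1):
    """ip[offset:size]: 'size' bytes at 'offset' from the start of the IP header, big-endian."""
    start = ETH_HDR_LEN + offset
    return int.from_bytes(pkt[start:start + size], "big")

def transport_byte(pkt, proto, offset):
    """tcp[offset] / icmp[offset]: the byte at 'offset' from the start of the transport
    header, or None when the packet is not that protocol (ip[9] is the protocol field)."""
    if ip_field(pkt, 9) != proto:
        return None
    ihl = (ip_field(pkt, 0) & 0x0F) * 4            # IP header length in bytes
    return pkt[ETH_HDR_LEN + ihl + offset]

def is_session_edge(pkt):   # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0   (tcpflags is tcp[13])
    flags = transport_byte(pkt, 6, 13)
    return flags is not None and flags & (TCP_SYN | TCP_FIN) != 0

def is_big_ip(pkt):         # ip[2:2] > 576   (bytes 2-3 of the IP header: total length)
    return ip_field(pkt, 2, 2) > 576

def is_non_ping_icmp(pkt):  # icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
    t = transport_byte(pkt, 1, 0)
    return t is not None and t not in (ICMP_ECHO, ICMP_ECHOREPLY)

SAMPLES = {
    "syn":     frame(ipv4(6, tcp(TCP_SYN))),               # TCP connection start
    "big":     frame(ipv4(6, tcp(0x10) + b"A" * 600)),     # 640-byte IP packet, ACK only
    "ping":    frame(ipv4(1, icmp(ICMP_ECHO))),
    "unreach": frame(ipv4(1, icmp(3))),                    # ICMP destination unreachable
}

def matches(name):
    """Which of the three filters from this section the named sample packet would match."""
    p = SAMPLES[name]
    return {"edge": is_session_edge(p), "big": is_big_ip(p), "nonping": is_non_ping_icmp(p)}
```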

3.4 Monitoring packets for specified hosts and ports

(1) capture the packets that host 100.94.138.110 receives on interface eth2 with destination port 20700.

tcpdump -i eth2 -lnXps0 dst 100.94.138.110 and dst port 20700 -c 10

Option notes: -lnXps0 combines the -l, -n, -X, -p and -s 0 options described above; -c 10 stops the capture after 10 packets.

Summary

That is all for this article. I hope it is of some help to your study or work; if you have any questions, please leave a message so we can discuss them. Thank you for your support.

