2025-04-10 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Tcpdump (dump the traffic on a network) is a packet-analysis tool for Unix-like systems. It can filter by network layer, protocol, host, network or port, and these conditions can be combined with the logical operators and, or and not into Boolean expressions that are matched against packet headers. If it is not installed on a Linux system it can be installed with yum, but running it requires appropriate privileges:
On SunOS with the nit or bpf interface, running tcpdump requires read access to /dev/nit or /dev/bpf*; on Solaris with dlpi, read access to the network pseudo device, such as /dev/le; on HP-UX with dlpi, IRIX with snoop, and Linux, you must be root or tcpdump must be installed setuid root; on Ultrix and Digital UNIX, once the superuser has enabled promiscuous-mode operation, any user can run tcpdump; on BSD, read access to /dev/bpf* is required.
The common option parameters of tcpdump are as follows:
-A  Print each packet's contents in ASCII; usually used to capture the data of a web page.
-a  Attempt to convert network and broadcast addresses to names.
-c count  Exit after receiving count packets; without this option tcpdump keeps listening.
-d  Dump the compiled packet-matching code in a human-readable form to standard output.
-dd  Dump the compiled packet-matching code as a C program fragment.
-ddd  Dump the compiled packet-matching code as decimal numbers.
-e  Print the link-level header on each dump line.
-f  Print foreign Internet addresses numerically rather than symbolically.
-F file  Read the filter expression from file.
-i interface  Listen on interface.
-l  Make standard output line-buffered.
-n  Do not convert host addresses to names.
-N  Do not print domain name qualification of host names.
-O  Do not run the packet-matching code optimizer; useful only if you suspect a bug in the optimizer.
-p  Do not put the interface into promiscuous mode.
-q  Quick (quiet) output: print less protocol information, so output lines are shorter.
-r file  Read packets from file.
-s snaplen  Capture snaplen bytes of data from each packet.
-T type  Force packets selected by the expression to be interpreted as the specified type. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool) and wb (distributed White Board).
-S  Print absolute rather than relative TCP sequence numbers.
-t  Do not print a timestamp on each dump line.
-tt  Print an unformatted timestamp on each dump line.
-v  Verbose output; for example, print the time to live and type of service in an IP datagram.
-vv  Even more verbose output; for example, print additional fields of NFS reply packets.
-w file  Write the raw packets to file.
-x  Print each packet in hex (minus its link-level header). The whole packet is printed if it is small enough; otherwise only snaplen bytes are printed.
expression  Selects which packets to dump. If no expression is given, all packets on the network are dumped; otherwise only packets for which the expression is true are dumped. An expression consists of one or more primitives. A primitive usually consists of an identifier (name or number) preceded by one or more qualifiers. There are three kinds of qualifier:
type qualifiers say what kind of thing the identifier refers to. Possible types are host, net and port, e.g. `host foo', `net 128.3', `port 20'. If no type qualifier is given, host is assumed.
dir qualifiers specify the transfer direction relative to the identifier (to or from it). Possible directions are src, dst, src or dst, and src and dst, e.g. `src foo', `dst net 128.3', `src or dst port ftp-data'. If no dir qualifier is given, src or dst is assumed. For `null' link layers (point-to-point protocols such as slip), the inbound and outbound qualifiers select the desired direction.
proto qualifiers restrict the match to a particular protocol. Possible protocols are ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp, e.g. `ether src foo', `arp net 128.3', `tcp port 21'. If no proto qualifier is given, all protocols consistent with the type are assumed. For example, `src foo' means `(ip or arp or rarp) src foo' (except that the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar', and `port 53' means `(tcp or udp) port 53'.
More complex filter expressions are built by combining primitives with and, or and not, e.g. `host foo and not port ftp and not port ftp-data'.
The allowed primitives are:
dst host host  True if the IP destination field of the packet is host. host may be either an address or a name.
src host host  True if the IP source field of the packet is host.
host host  True if either the IP source or the IP destination of the packet is host. Any of these host expressions can be prefixed with the keyword ip, arp or rarp; for example, `ip host host' is equivalent to `ether proto \ip and host host'. If host is a name with multiple IP addresses, each address is checked for a match.
ether dst ehost  True if the Ethernet destination address is ehost. ehost may be either a name from /etc/ethers or a number.
ether src ehost  True if the Ethernet source address is ehost.
ether host ehost  True if either the Ethernet source or destination address is ehost.
gateway host  True if the packet used host as a gateway.
dst net net  True if the IP destination address of the packet has a network number of net.
src net net  True if the IP source address of the packet has a network number of net.
net net  True if either the IP source or destination address of the packet has a network number of net.
net net mask mask  True if the IP address matches net with the given netmask. May be qualified with src or dst.
net net/len  True if the IP address matches net with a netmask len bits wide.
dst port port  True if the packet is ip/tcp or ip/udp and has a destination port value of port.
src port port  True if the packet has a source port value of port.
port port  True if either the source or the destination port of the packet is port.
less length  True if the packet has a length less than or equal to length; equivalent to `len <= length'.
ip proto protocol  True if the packet is an IP datagram whose protocol type is protocol.
ether broadcast  True if the packet is an Ethernet broadcast packet. The ether keyword is optional.
ip broadcast  True if the packet is an IP broadcast packet. Tcpdump checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.
ether multicast  True if the packet is an Ethernet multicast packet. The ether keyword is optional.
ip multicast  True if the packet is an IP multicast packet.
In short, the use of tcpdump can meet the needs of daily packet analysis. Here are some examples:
Listen on eth0 for SSH traffic (default port 22) originating from 192.168.2.100:
[root@localhost ~]# tcpdump -i eth0 -nn 'port 22 and src host 192.168.2.100'
Capture traffic between host 192.168.1.100 and either host 192.168.2.100 or host 192.168.0.100:
[root@localhost ~]# tcpdump host 192.168.1.100 and \( 192.168.2.100 or 192.168.0.100 \)
Capture NTP traffic on the local machine (UDP, default port 123):
[root@localhost ~]# tcpdump udp port 123
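As an added illustration (not code from the original article), the following Python models the qualifier and default rules described above and evaluates the three example filters against a few constructed packet records; it handles the host, net and port types, the src and dst directions, the ip, arp, tcp and udp protocol qualifiers, and, or, not and parentheses, but not named hosts or ports, `src or dst', or a bare protocol primitive such as `tcp'.

```python
import ipaddress
PACKETS = [  # constructed sample "packets" (not real captures): just the fields a primitive can test
    {"proto": "tcp", "src": "192.168.2.100", "dst": "10.0.0.5", "sport": 51234, "dport": 22},
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.0.100", "sport": 123, "dport": 123},
    {"proto": "arp", "src": "192.168.1.100", "dst": "192.168.1.1"},
    {"proto": "tcp", "src": "192.168.0.100", "dst": "192.168.1.100", "sport": 40000, "dport": 21},
]
QUAL = {**dict.fromkeys(("ip", "arp", "tcp", "udp"), "proto"),       # qualifier keyword -> slot it fills
        **dict.fromkeys(("src", "dst"), "dir"), **dict.fromkeys(("host", "net", "port"), "type")}

def match_primitive(pkt, proto, direction, ptype, ident):
    """One primitive. No proto qualifier: any protocol carrying the field; no dir: src or dst."""
    if proto and (pkt["proto"] == "arp" if proto == "ip" else pkt["proto"] != proto):
        return False                                       # 'ip host x' == 'ether proto \ip and host x'
    if ptype == "port":                                    # 'port 53' means '(tcp or udp) port 53'
        fields, want = {"src": pkt.get("sport"), "dst": pkt.get("dport")}, int(ident)   # arp: no ports
    else:
        fields = {s: ipaddress.ip_address(pkt[s]) for s in ("src", "dst")}
        want = ipaddress.ip_network(ident, strict=False) if ptype == "net" else ipaddress.ip_address(ident)
    sides = [direction] if direction else ["src", "dst"]
    return any(fields[s] in want if ptype == "net" else fields[s] == want for s in sides)

def compile_filter(expression):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*; factor := 'not' factor | '(' expr ')' | primitive."""
    toks = expression.replace("(", " ( ").replace(")", " ) ").split()
    def expr():
        node = term()
        while toks and toks[0] == "or":
            toks.pop(0); node = lambda p, l=node, r=term(): l(p) or r(p)
        return node
    def term():
        node = factor()
        while toks and toks[0] == "and":
            toks.pop(0); node = lambda p, l=node, r=factor(): l(p) and r(p)
        return node
    def factor():
        tok = toks.pop(0)
        if tok == "not":
            return lambda p, inner=factor(): not inner(p)
        if tok == "(":
            node = expr(); toks.pop(0); return node          # pop the closing ')'
        q = {"proto": None, "dir": None, "type": "host"}     # tcpdump defaults when a qualifier is absent
        while tok in QUAL:                                   # qualifiers precede the identifier
            q[QUAL[tok]] = tok; tok = toks.pop(0)
        return lambda p, q=q, ident=tok: match_primitive(p, q["proto"], q["dir"], q["type"], ident)
    return expr()

def tcpdump_filter(expression, packets=PACKETS):
    pred = compile_filter(expression)                        # packets the expression would select
    return [p for p in packets if pred(p)]
```

Comparing `host 192.168.1.100' with `ip host 192.168.1.100' on the sample packets shows the default-protocol rule in action: the former also selects the ARP packet.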
In short, tcpdump covers most day-to-day packet analysis, so there is no need to go into more detail here; for more on tcpdump, see the man page. Since tcpdump does not fully decode layer-7 data, you can also write the captured packets to a file and analyse them further in Wireshark.