2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to use the tcpdump packet capture tool on a Linux system. The editor thinks it is very practical, so it is shared here for everyone to learn from. I hope you get something out of it after reading.
1.1 tcpdump options
Its command format is:
tcpdump [-DenNqvX] [-c count] [-F file] [-i interface] [-r file]
        [-s snaplen] [-w file] [expression]
Capture options:
-c count: stop after capturing count packets. Note that this counts packets that are actually captured, i.e. that match the filter: with "-c 10" you get 10 packets, even though tcpdump may have processed 100 packets of which only 10 met the expression.
-i interface: specify the interface tcpdump listens on. If it is not given, tcpdump searches the system interface list for the lowest-numbered configured interface (excluding loopback; use tcpdump -i lo to capture on loopback) and stops at the first match. The keyword 'any' stands for all network interfaces.
-n: print addresses numerically rather than as host names; in other words, -n disables host name resolution.
-nn: in addition to -n, print ports numerically instead of as service names.
-N: do not print the domain part of host names. For example, tcpdump prints 'nic' instead of 'nic.ddn.mil'.
-P direction: specify whether to capture incoming packets, outgoing packets or both. Accepted values are "in", "out" and "inout"; the default is "inout".
-s len: set the capture length (snaplen) to len bytes. If it is not set, the default is 65535 bytes. When a packet is larger than the snaplen it is truncated, and the output line carries the "[|proto]" marker (proto is displayed as the actual protocol name). On the other hand, a larger len means more processing time per packet and fewer packets that tcpdump can buffer, which can lead to dropped packets; so, as long as the packets you need are captured intact, the smaller the capture length the better.
Output options:
-e: include the data link layer header, such as source MAC and destination MAC, in each output line.
-q: quick (quiet) output: print less protocol information, so the output lines are shorter.
-X: print the packet data in both hexadecimal and ASCII.
-XX: like -X, but more detailed (the dump also includes the link-layer header).
-v: produce verbose output when parsing and printing.
-vv: more verbose output than -v.
-vvv: more verbose output than -vv.
Other options:
-D: list the interfaces available for capture, showing each interface's index number and name; either can be given to -i.
-F file: read the filter expression from file. When this option is used, any expression given on the command line is ignored.
-w file: write the raw packets to file instead of printing them to standard output. Combined with "-G seconds", the output is rotated to a new file every seconds seconds. These files can be read back with "-r" for analysis and printing.
-r file: read packets from file. "-" means read from standard input.
So the commonly used options boil down to a few:
tcpdump -D
tcpdump -c num -i int -nn -XX -vvv
1.2 tcpdump expression
The expression selects which packets are printed. If no expression is given, every packet is printed; otherwise only packets for which the expression is true are printed. If the expression contains shell metacharacters, it is best enclosed in single quotes.
A tcpdump expression consists of one or more "units"; each unit usually consists of one or more modifiers (qualifiers) followed by an ID (a number or a name). There are three kinds of modifier:
(1) type: specifies what kind of thing the ID is.
Possible values are host, net, port and portrange, as in "host foo", "net 128.3", "port 20" and "portrange 6000-6008". The default type is host.
(2) dir: specifies the direction relative to the ID.
Possible values are src, dst, src or dst, and src and dst; the default is src or dst. For example, "src foo" matches packets whose source host is foo, "dst net 128.3" matches packets whose destination network is 128.3, and "src or dst port 22" matches packets whose source or destination port is 22.
(3) proto: restricts the match to packets of the given protocol.
Commonly used protocols are tcp, udp, arp, ip, ether, icmp and so on. If no protocol is given, all protocols consistent with the type are matched. Examples: "tcp port 21", "udp portrange 7000-7009".
So the basic format of an expression unit is "proto dir type ID".
Besides units built from modifiers and an ID, there are keyword units: gateway, broadcast, less, greater, and arithmetic expressions.
Units are combined with the operators "and" (or "&&"), "or" (or "||") and "not" (or "!") to form complex conditions. For example, "host foo and not port ftp and not port ftp-data" matches packets whose host is foo and whose port is neither ftp (port 21) nor ftp-data (port 20). The mapping between common ports and service names can be found in /etc/services on a Linux system.
In addition, repeated modifiers can be omitted: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain", i.e. TCP packets whose destination port is ftp, ftp-data or domain (port 53).
Parentheses "()" change the precedence of an expression, but note that parentheses are interpreted by the shell, so either escape them with a backslash as "\(" and "\)" or enclose the whole expression in quotes.
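As an added example (not code from the original post) that makes the qualifier-inheritance rule and the quoting advice concrete: expand() rewrites the shorthand into fully qualified units, and command_line() passes the expression to tcpdump as a single argument so the shell never sees its parentheses. The qualifier vocabulary and the eth0 default are assumptions of this example.

```python
import re
import shlex

# Qualifier vocabulary from section 1.2: proto, dir and type modifiers plus the
# keyword units that also take an ID. Two-word directions are protected below.
PROTOS = {"tcp", "udp", "arp", "ip", "ip6", "ether", "icmp"}
DIRS = {"src", "dst", "src_or_dst", "src_and_dst"}
TYPES = {"host", "net", "port", "portrange", "gateway", "less", "greater"}
QUALS = PROTOS | DIRS | TYPES
OPS = {"and", "&&", "or", "||", "not", "!", "(", ")"}

def expand(expr: str) -> str:
    """Rewrite the implicit-qualifier shorthand into fully qualified units:
    'tcp dst port ftp or ftp-data' -> 'tcp dst port ftp or tcp dst port ftp-data'.
    A bare ID (no proto/dir/type before it) inherits the qualifiers of the
    preceding unit, which is how the filter grammar resolves it."""
    text = expr.replace("src or dst", "src_or_dst").replace("src and dst", "src_and_dst")
    out, inherited, unit = [], [], []

    def flush():
        nonlocal inherited, unit
        if unit:
            quals = [t for t in unit if t in QUALS]
            ids = [t for t in unit if t not in QUALS]
            if quals:                 # explicit qualifiers start a new context
                inherited = quals
            out.extend(inherited + ids)
            unit = []

    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok in OPS:
            flush()
            out.append(tok)
        else:
            unit.append(tok)
    flush()
    return (" ".join(out).replace("src_or_dst", "src or dst")
                         .replace("src_and_dst", "src and dst"))

def command_line(expr: str, iface: str = "eth0", count: int = 0) -> str:
    """Build the command as an argv list and render it shell-quoted: passing the
    whole expression as one argument keeps the shell from parsing its parentheses."""
    argv = ["tcpdump", "-nn", "-i", iface]
    if count:
        argv += ["-c", str(count)]
    argv.append(expand(expr))
    return shlex.join(argv)
```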
1.3 tcpdump example
Note that tcpdump can only capture packets that pass through the local machine.
(1) Start with the defaults
tcpdump
Started with no arguments, tcpdump captures every packet on the first (non-loopback) network interface. This produces a huge amount of output that scrolls by very fast.
(2) Capture on a specified network interface
tcpdump -i eth2
If no interface is given, tcpdump only listens on the first network interface, such as eth0.
(3) Capture packets for a specified host, for example all packets entering or leaving the host longshuai
tcpdump host longshuai
(4) Print packets exchanged between helios and either hot or ace
tcpdump host helios and \( hot or ace \)
(5) Print IP packets exchanged between ace and any other host except helios
tcpdump ip host ace and not helios
(6) Capture all packets sent by the host hostname
tcpdump src host hostname
(7) Capture all packets sent to the host hostname
tcpdump dst host hostname
(8) Capture packets for a specified host and port
tcpdump tcp port 22 and host hostname
(9) Capture the local UDP port 123 (123 is the NTP service port)
tcpdump udp port 123
(10) Capture packets for a specified network, for example traffic with the 192.168 network segment; "-c 10" means only 10 packets are captured.
tcpdump -c 10 net 192.168
(11) Print all FTP packets passing through the gateway snup (the expression is enclosed in single quotes to keep the shell from interpreting the parentheses)
shell> tcpdump 'gateway snup and (port ftp or ftp-data)'
(12) Capture ping packets
[root@server2]# tcpdump -c 5 -nn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:23.273638 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 10, length 64
12:11:23.273666 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 10, length 64
12:11:24.356915 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 11, length 64
12:11:24.356936 IP 192.168.100.62 > 192.168.100.70: ICMP echo reply, id 16422, seq 11, length 64
12:11:25.440887 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16422, seq 12, length 64
5 packets captured
6 packets received by filter
0 packets dropped by kernel
If you only want the pings sent by the host 192.168.100.70, combine the conditions with the and operator.
[root@server2]# tcpdump -c 5 -nn -i eth0 icmp and src 192.168.100.70
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:09:29.957132 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 1, length 64
12:09:31.041035 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 2, length 64
12:09:32.124562 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 3, length 64
12:09:33.208514 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 4, length 64
12:09:34.292222 IP 192.168.100.70 > 192.168.100.62: ICMP echo request, id 16166, seq 5, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Note that you cannot write icmp src 192.168.100.70 directly: the icmp protocol qualifier cannot be followed directly by a host-type unit, so the two conditions have to be joined with and.
(13) Capture packets destined for local port 22
[root@server2]# tcpdump -c 10 -nn -i eth0 tcp dst port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:06:57.574293 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 535528834, win 2053, length 0
12:06:57.629125 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 193, win 2052, length 0
12:06:57.684688 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 385, win 2051, length 0
12:06:57.738977 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 577, win 2050, length 0
12:06:57.794305 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 769, win 2050, length 0
12:06:57.848720 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 961, win 2049, length 0
12:06:57.904057 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1153, win 2048, length 0
12:06:57.958477 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1345, win 2047, length 0
12:06:58.014338 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1537, win 2053, length 0
12:06:58.069361 IP 192.168.100.1.5788 > 192.168.100.62.22: Flags [.], ack 1729, win 2052, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
(14) Dumping packet contents
[root@server2]# tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:54.788812 IP (tos 0x0, ttl 64, id 19303, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
        0x0030:  0803 7844 0000 0000 0000                 ..xD......
12:15:54.842641 IP (tos 0x0, ttl 64, id 19304, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.100.1.5788 > 192.168.100.62.22: tcp 0
        0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
        0x0010:  0028 4b68 4000 4006 a5d7 c0a8 6401 c0a8  .(Kh@.@.....d...
        0x0020:  643e 169c 0016 2426 5fd6 1fec 2d62 5010  d>....$&_...-bP.
        0x0030:  0801 7646 0000 0000 0000                 ..vF......
2 packets captured
2 packets received by filter
0 packets dropped by kernel
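As an added example (not code from the original post) of reading the -XX dump above by hand: it rebuilds the frame bytes from the first packet's dump lines and decodes the Ethernet, IPv4 and TCP headers, so each field can be checked against the summary line tcpdump printed (id 19303, ttl 64, [DF], 5788 > 22, Flags [.], tcp 0). The sample dump is constructed from the hex bytes shown above; its ASCII column was reconstructed from those bytes.

```python
import re
import struct

# Constructed input: the first packet's -XX dump from example (14) above.
HEXDUMP = """\
0x0000:  000c 2908 9234 0050 56c0 0008 0800 4500  ..)..4.PV.....E.
0x0010:  0028 4b67 4000 4006 a5d8 c0a8 6401 c0a8  .(Kg@.@.....d...
0x0020:  643e 169c 0016 2426 5fd6 1fec 2b62 5010  d>....$&_...+bP.
0x0030:  0803 7844 0000 0000 0000                 ..xD......
"""

# tcpdump prints ACK as "." and orders the flag letters F S R P . U E W.
TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from -X/-XX lines. Hex groups are separated by
    single spaces; the ASCII column is separated by two or more, so it is dropped."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexpart = re.split(r"\s{2,}", line.split(":", 1)[1].strip())[0]
        raw += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(raw)

def decode(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP headers into the fields tcpdump prints."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip4 = lambda b: ".".join(str(x) for x in b)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length in bytes
    _tos, total_len, ident, frag, ttl, proto = struct.unpack("!BHHHBB", ip[1:10])
    if proto != 6:
        raise ValueError(f"not TCP: proto {proto}")
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4                   # TCP header length in bytes
    return {
        "dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
        "src": ip4(ip[12:16]), "sport": sport, "dst": ip4(ip[16:20]), "dport": dport,
        "ttl": ttl, "id": ident, "df": bool(frag & 0x4000),
        "flags": "".join(n for bit, n in TCP_FLAGS if off_flags & bit),
        "win": win, "length": total_len - ihl - doff,   # TCP payload bytes ("tcp 0")
    }

def summary(frame: bytes) -> str:
    """Render the one-line form tcpdump prints for a TCP segment."""
    p = decode(frame)
    return (f"{p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: "
            f"Flags [{p['flags']}], win {p['win']}, length {p['length']}")
```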
In general, basic packet capture with tcpdump is fairly simple: a handful of options (-nn -XX -vvv -i -c -q) combined with a filter expression covers most needs.
The above is how to use the tcpdump packet capture tool on a Linux system. The editor believes it contains points you may meet or use in daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.