Tcpdump tutorial-crawling and analyzing packets from the Command Line

2025-03-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Preface

Before introducing and using tcpdump, make sure you have mastered or at least understood the following key concepts; otherwise the rest of this article will be painful to follow:

- You can work on the Linux command line.
- You understand the seven-layer OSI network model.
- You are familiar with the protocol headers of each layer, especially IP/TCP/UDP.
- You know which OSI layer switches and routers operate at.

It is also important to note that:

Tcpdump is a command-line packet sniffing tool for Unix systems. If you want tcpdump to capture packets addressed to the MAC addresses of other hosts, you must put the network card into promiscuous mode. Promiscuous mode simply means that the card captures every packet that passes through it, regardless of whether the packet is addressed to it or not. See [http://en.wikipedia.org/wiki/Promiscuous_mode] for more on promiscuous mode. Generally speaking, Unix does not allow ordinary users to enable promiscuous mode, because it lets you see other people's traffic, such as telnet user names and passwords, which causes security problems; only root can enable it. The command to enable promiscuous mode is ifconfig eth0 promisc, where eth0 is the network card you want to switch into promiscuous mode. Some will ask how to enable promiscuous mode under Windows: there the network card has no promiscuous-mode setting of its own, it is handled by the application, for example when you capture with Wireshark you can tell it to capture in promiscuous mode (which is why the damn ARP spoofing virus can run rampant). Of course, tcpdump can also be given a capture filter, and its filter language is famous: it is called Berkeley Packet Filter, or BPF for short.

Tcpdump introduction

Tcpdump is the premier network analysis tool for information security professionals. Tcpdump is a command-line network analyzer tool or, more technically, a packet sniffer. Having a solid grasp of this uber-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. It can be thought of as the command-line version of Wireshark (only to a certain extent, since Wireshark is much more powerful and capable). Many prefer the higher-level analysis tool Wireshark, but I believe this is usually a mistake: you must know how Wireshark works underneath.

As a command-line tool tcpdump is quite powerful for network analysis, since filter expressions can be passed in and tcpdump will pick up only the matching packets and dump them.

Install tcpdump

# CentOS
[root@localhost ~]# yum search tcpdump
==== Matched: tcpdump ====
arpwatch.i386 : Network monitoring tools for tracking IP addresses on a network.
libpcap.i386 : A system-independent interface for user-level packet capture.
libpcap-devel.i386 : a pcap library.
tcpdump.i386 : A network traffic monitoring tool.
[root@localhost ~]# yum -y install tcpdump

# Ubuntu
$ sudo apt-get install tcpdump

On Linux, tcpdump depends on the libpcap library; see the libpcap project for more on libpcap.

Tcpdump command line options

Here are some options that help us make better use of tcpdump. They are easy to forget and confuse, so consult the man page often.

First, based on practical experience, I would add a few options to every tcpdump command. The first is -n, which does not resolve names, so results are shown as IP addresses. The second is -X, which displays the packet contents in hex and ASCII. The last is -S, which shows absolute rather than relative sequence numbers.

Note that by default tcpdump only grabs the first 96 bytes of each packet. If you want more, add the -s number option, where number is the number of bytes to capture. I recommend using 0 (zero) as the byte count, which captures the full contents of every packet.

Here are the options I often use:

Basic usage of tcpdump

1. -n Don't convert host addresses to names. This can be used to avoid DNS lookups.

[root@localhost ~]# tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:25:33.472001 IP 192.168.27.129.46255 > 192.168.27.2.53: 36340+ A? www.baidu.com. (31)

By default, tcpdump listens for all packets flowing through the first network card. Let's take a look at the line of information tcpdump output.

The first field is a timestamp with millisecond precision, "17:25:33.472001".

The second field, IP, is the protocol of the packet.

The third field, "192.168.27.129.46255", is the source IP address joined with the source port.

The fourth field, "192.168.27.2.53", is the destination IP address joined with the destination port, followed by some information about the packet.

2. -v, -vv, -vvv: verbose, very verbose, very very verbose

-S Print absolute, rather than relative, TCP sequence numbers.

[root@localhost ~]# tcpdump -nnvvS

3. -X Print each packet (minus its link level header) in hex and ASCII.

[root@localhost ~]# tcpdump -nnvvXS

4. -s increases the default snaplength, grabbing the whole packet.

[root@localhost ~]# tcpdump -nnvvXS -s 1514
[root@localhost ~]# tcpdump -nnvvXS -s0

5. Capture of exactly two (-c2) ICMP packets (a ping)

[root@localhost ~]# tcpdump -nnvvXS -s0 -c2
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:20:16.361251 IP (tos 0x0, ttl 64, id 28517, offset 0, flags [DF], proto: UDP (17), length: 59) 192.168.27.129.56183 > 192.168.27.2.53: [udp sum ok] 8002+ A? www.baidu.com. (31)
        0x0000:  4500 003b 6f65 4000 4011 1379 c0a8 1b81  E..;oe@.@..y....
        0x0010:  c0a8 1b02 db77 0035 0027 90dc 1f42 0100  .....w.5.'...B..
        0x0020:  0001 0000 0000 0000 0377 7777 0562 6169  .........www.bai
        0x0030:  6475 0363 6f6d 0000 0100 01              du.com.....
19:20:16.468176 IP (tos 0x0, ttl 128, id 182, offset 0, flags [none], proto: UDP (17), length: 118) 192.168.27.2.53 > 192.168.27.129.56183: [udp sum ok] 8002 q: A? www.baidu.com. 3/0/0 www.baidu.com. CNAME www.a.shifen.com., www.a.shifen.com. A 61.135.169.105, www.a.shifen.com. A 61.135.169.125 (90)
        0x0000:  4500 0076 00b6 0000 8011 81ed c0a8 1b02  E..v............
        0x0010:  c0a8 1b81 0035 db77 0062 48e9 1f42 8180  .....5.w.bH..B..
        0x0020:  0001 0003 0000 0000 0377 7777 0562 6169  .........www.bai
        0x0030:  6475 0363 6f6d 0000 0100 01c0 0c00 0500  du.com..........
        0x0040:  0100 0000 0500 0f03 7777 7701 6106 7368  ........www.a.sh
        0x0050:  6966 656e c016 c02b 0001 0001 0000 0005  ifen...+........
        0x0060:  0004 3d87 a969 c02b 0001 0001 0000 0005  ..=..i.+........
        0x0070:  0004 3d87 a97d                           ..=..}
2 packets captured
3 packets received by filter
0 packets dropped by kernel
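To see how the -vv summary line and the -X hex dump fit together, here is an added example (not from the original article) that re-parses the first packet above from its hex bytes alone: it decodes the IPv4 and UDP headers and the DNS question, and returns the same values tcpdump printed (ttl 64, id 28517, flags [DF], length 59, query id 8002, "www.baidu.com"). The QUERY_HEX constant is constructed by copying only the hex columns of that dump.

```python
import struct

# Constructed from the first packet in the tcpdump -X output above (the A? query):
# the hex columns only, with tcpdump's offset and ASCII columns stripped.
QUERY_HEX = """
4500 003b 6f65 4000 4011 1379 c0a8 1b81
c0a8 1b02 db77 0035 0027 90dc 1f42 0100
0001 0000 0000 0000 0377 7777 0562 6169
6475 0363 6f6d 0000 0100 01
"""


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 header (RFC 791) and the UDP header (RFC 768) that follows it."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4                       # IP header length in bytes
    flags = [name for bit, name in ((0x4000, "DF"), (0x2000, "MF")) if frag & bit]
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "tos": tos, "ttl": ttl, "id": ident, "flags": flags, "proto": proto,
        "length": total_len,
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport, "udp_len": ulen,
        "payload": pkt[ihl + 8:total_len],           # the UDP payload tcpdump reports as "(31)"
    }


def parse_dns_question(dns: bytes) -> dict:
    """Pull the transaction id and the first question out of a DNS message (RFC 1035)."""
    txid, _flags, qdcount = struct.unpack("!HHH", dns[:6])
    labels, off = [], 12                             # question section follows the 12-byte header
    while dns[off]:                                  # length-prefixed labels until a zero byte
        n = dns[off]
        labels.append(dns[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, = struct.unpack("!H", dns[off + 1:off + 3])   # qtype 1 is an A query
    return {"txid": txid, "qdcount": qdcount, "qname": ".".join(labels), "qtype": qtype}


def decode_query() -> dict:
    """Decode the captured query and return the fields the -vv summary line showed."""
    pkt = bytes.fromhex("".join(QUERY_HEX.split()))
    fields = parse_ipv4_udp(pkt)
    fields["dns"] = parse_dns_question(fields["payload"])
    return fields


if __name__ == "__main__":
    f = decode_query()
    print(f"{f['src']}.{f['sport']} > {f['dst']}.{f['dport']}: ttl {f['ttl']}, id {f['id']}, "
          f"flags {f['flags']}, length {f['length']}, DNS {f['dns']['txid']} A? {f['dns']['qname']}")
```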

Common Syntax

Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.

Expression

Select which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which the expression is 'true' will be dumped.

There are three different kinds of qualifier:

Type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. If there is no type qualifier, host is assumed.

Dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. If there is no dir qualifier, src or dst is assumed.

Proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp, e.g. 'tcp src 192.168.1.2'. If there is no proto qualifier, all protocols consistent with the type are assumed.

Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all they'll be pretty familiar to you: AND (and, &&), OR (or, ||) and EXCEPT (not, !).

Examples are as follows:

## type
# host
tcpdump host 1.2.3.4
# net
tcpdump net 1.2.3.0/24
tcpdump net 1.2
# port
tcpdump port 80
## dir
# src, dst
tcpdump src 1.2.3.4
tcpdump dst 1.2.3.4
## proto
tcpdump icmp
## type, dir, proto
tcpdump 'src port 3306 and tcp'
tcpdump 'udp and src port 53'

Writing to a File

Tcpdump allows you to send what you're capturing to a file for later use with the -w option, and then to read it back with the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.

The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.

# capture all port 80 traffic to a file
tcpdump -s 1514 port 80 -w capture_file
# read captured traffic back into tcpdump
tcpdump -r capture_file
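The file -w produces is the classic pcap format: a 24-byte global header followed by one 16-byte record header per packet. The following added example (my own code, not from the article or from tcpdump) writes and reads that layout with constructed sample frames, and shows the caveat behind the -s advice above: with the 96-byte default snaplen a 1514-byte frame is stored truncated, which read_pcap reports through the record's original-length field. The PCAP_MAGIC_* and LINKTYPE_ETHERNET constants are the standard pcap values.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same magic when read from a big-endian file
LINKTYPE_ETHERNET = 1           # what tcpdump writes for eth0 (link-type EN10MB)


def write_pcap(packets, snaplen):
    """Serialise (sec, usec, frame) triples the way tcpdump -w does, truncating to snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        data = frame[:snaplen]  # bytes beyond snaplen are never stored, just like tcpdump -s
        out += struct.pack("<IIII", sec, usec, len(data), len(frame)) + data
    return out


def read_pcap(blob):
    """Parse a pcap blob into (snaplen, linktype, [(sec, usec, captured, orig_len), ...])."""
    magic, = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic %#x)" % magic)
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(e + "HHiIII", blob[4:24])
    off, records = 24, []
    while off < len(blob):
        sec, usec, incl, orig = struct.unpack(e + "IIII", blob[off:off + 16])
        off += 16
        records.append((sec, usec, blob[off:off + incl], orig))
        off += incl
    return snaplen, linktype, records


def truncated_records(blob):
    """Return the records whose stored bytes are shorter than the packet was on the wire."""
    _, _, records = read_pcap(blob)
    return [r for r in records if len(r[2]) < r[3]]


# Constructed sample: a short frame and a full-size one, "captured" with the 96-byte default.
SAMPLE = write_pcap([(1, 100, b"A" * 60), (1, 200, b"B" * 1514)], snaplen=96)

if __name__ == "__main__":
    for sec, usec, data, orig in read_pcap(SAMPLE)[2]:
        print(f"{sec}.{usec:06d} stored {len(data)} of {orig} bytes")
```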

More Examples

tcpdump -nnvvS 'src 10.5.2.3 and dst port 3306'
tcpdump 'src 10.0.2.4 and (dst port 3306 or 22)'
# you know...
[root@localhost ~]# tcpdump -i eth0 -nnvvXS -s1514 'port 22 or port 23 or port 25 or port 110' | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|pass:|user:|username:|password:|login:|pass |user ' -B20

