How to use wireshark to analyze packets crawled by tcpdump in Linux

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains in detail how to use Wireshark on Linux to analyze packets captured with tcpdump. It is shared as a reference; after reading it you should have a working understanding of both tools.

Our systems are frequently deployed on Linux, and sometimes you need to verify that messages are actually being exchanged correctly between systems. This is a brief walk-through of capturing packets with tcpdump and analyzing them with Wireshark. tcpdump is a command-line packet capture tool; its filter expressions select traffic by protocol, host, network or port, and can be combined with and, or and not to drop what you do not need.

1. First, check which packages provide tcpdump and wireshark with yum

[root@wjq2 ~]# yum search tcpdump
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
========================== N/S Matched: tcpdump ==========================
tcpdump.x86_64 : A network traffic monitoring tool

  Name and summary matches only, use "search all" for everything.

[root@wjq2 ~]# yum search wireshark
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
========================== N/S Matched: wireshark ==========================
wireshark-gnome.x86_64 : Gnome desktop integration for wireshark and wireshark-usermode
wireshark.i686 : Network traffic analyzer
wireshark.x86_64 : Network traffic analyzer

  Name and summary matches only, use "search all" for everything.

2. Check whether tcpdump and wireshark are actually installed. tcpdump is present; wireshark is not (the grep returns nothing).

[root@wjq2 ~]# rpm -qa | grep wireshark
[root@wjq2 ~]# rpm -qa | grep tcpdump
tcpdump-4.0.0-3.20090921gitdf3cb4.2.el6.x86_64

3. Install wireshark with yum (the wireshark* glob matches both packages listed above)

[root@wjq2 tmp]# yum install wireshark* -y
[root@wjq2 tmp]# which tcpdump
/usr/sbin/tcpdump
[root@wjq2 tmp]# which wireshark
/usr/sbin/wireshark

4. The tcpdump command in detail

Command format

tcpdump has many options; man tcpdump or tcpdump -h gives the full list. Only the commonly used ones are covered here:

[root@wjq2 tmp]# tcpdump -h
tcpdump version 4.1-PRE-CVS_2012_02_01
libpcap version 1.0.0
Usage: tcpdump [-aAdDefIKlLnNOpqRStuUvxX] [-B size] [-c count]
                [-C file_size] [-E algo:secret] [-F file] [-G seconds]
                [-i interface] [-M secret] [-r file]
                [-s snaplen] [-T type] [-w file] [-W filecount]
                [-y datalinktype] [-z command] [-Z user]
                [expression]

The general shape of a capture command is:

tcpdump [-i NIC] -nnAX 'expression'

Quote the expression so the shell does not interpret characters such as ! or parentheses before tcpdump sees them.

The options are:

-i interface: the network interface to listen on.

-nn: show source and destination as IP address and port number instead of resolving hostnames and service names. A single -n skips only the host lookup; the second n also skips the port lookup, which avoids generating DNS traffic while you capture.

-A: print each packet as ASCII, useful for plaintext web traffic.

-X: print each packet in hexadecimal and ASCII.

Expressions: the common primitives are host host (either direction), src host host (sender), dst host host (receiver), port port and net network; protocol names such as tcp, udp, icmp, arp and ip narrow the packet type. Conditions are combined with and and or, and negated with not (or !).

Some usage examples:

(1) With no arguments, tcpdump listens on the first non-loopback interface it finds. Hosts usually have several interfaces, so you will normally specify one.

tcpdump

(2) Listen on a specific interface

tcpdump -i eth0

(3) Listen for a specific host: traffic between this machine and 10.1.1.123.

Note: both outgoing and incoming packets are captured.

tcpdump host 10.1.1.123

(4) Traffic by specific source or destination address

Specific source

tcpdump src host hostname

Specific destination

tcpdump dst host hostname

Without src or dst, traffic both from and to hostname is captured

tcpdump host hostname

(5) A specific port (source or destination)

tcpdump port 3000

(6) TCP or UDP only

Different services use TCP or UDP as their transport. To capture only TCP packets:

tcpdump tcp

(7) Combining source host, port and protocol

A. TCP packets from host 123.207.116.169 on port 22

tcpdump tcp port 22 and src host 123.207.116.169

B. Traffic between two specific hosts

tcpdump ip host 210.27.48.1 and 210.27.48.2

C. Traffic between 210.27.48.1 and any host other than 210.27.48.2

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

In B and C the host qualifier carries over to the second address: when an identifier appears without a keyword, the filter parser reuses the most recent one, so 'host 210.27.48.1 and ! 210.27.48.2' is read as 'host 210.27.48.1 and not host 210.27.48.2'.

(8) A more detailed example

tcpdump -i eth2 -t -s 0 -c 100 -w ./target.cap 'tcp and not dst port 22 and src net 192.168.1.0/24'

(The original version of this command interleaved options with the filter words; GNU getopt on Linux accepts that, but options first and a single quoted expression last is the portable form.)

Description:

tcp: protocol qualifier (others are ip, icmp, arp, rarp, udp); it is part of the filter expression and restricts the packet type

-i eth2: capture only on interface eth2

-t: do not print timestamps

-s 0: snapshot length. Early tcpdump releases captured only the first 68 bytes of each packet by default, which truncates payloads; -s 0 means "the maximum". This build already reports "capture size 65535 bytes" and current releases default to 262144, so -s 0 is only needed on old versions. Note the case: -S (upper) means absolute TCP sequence numbers, something else entirely.

-c 100: stop after 100 packets

not dst port 22: exclude packets whose destination port is 22 (the form 'dst port ! 22' is also accepted by the filter parser, but reads worse)

src net 192.168.1.0/24: the source address is in 192.168.1.0/24

-w ./target.cap: write the raw packets to a capture file for later analysis in Wireshark (formerly Ethereal); nothing is printed to the terminal

(9) Limit the number of packets captured

Exit automatically after 1000 packets:

tcpdump -c 1000

(10) Save to a local file

Note: when writing with -w, tcpdump buffers its output and only flushes it to disk when the buffer fills or when tcpdump exits, so a file that is still being written may look empty or truncated.

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

Add -U (packet-buffered output) to flush each packet to the file as soon as it is captured, for example when another tool is reading the file live; it costs some performance and is generally not recommended otherwise.

(11) Save a capture and inspect the result

[root@wjq2 tmp]# tcpdump -i eth0 -w eth0_dump.pcap
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
39 packets captured
39 packets received by filter
0 packets dropped by kernel
[root@wjq2 tmp]# ll -h eth0_dump.pcap
-rw-r--r-- 1 root root 3.4K Jan 18 11:19 eth0_dump.pcap

The warning only means eth0 has no IPv4 address configured; the capture still works, and only filters that depend on the interface's own network (such as ip broadcast) are affected. The "packets dropped by kernel" line should read 0: a non-zero count means the capture buffer overflowed and the file is missing packets, in which case raise -B or tighten the filter.

5. Analyze the captured packets with Wireshark:

[root@wjq2 tmp]# wireshark eth0_dump.pcap

A note on privilege: Wireshark's dissectors parse untrusted network data, and here they run as root. Capture on the server with tcpdump (which can drop privileges with -Z user), then copy the .pcap to a workstation and open it as an unprivileged user.

The screenshot of the Wireshark window is not reproduced here; it marks three panes:

The red box is the packet list, one summary line per packet; this is the same level of detail tcpdump prints by default.

The green box is the packet details for the selected packet, laid out by the TCP/IP layers: the data-link layer (Ethernet) first, then the network layer (IP), the transport layer (TCP), and finally the application layer (HTTP). Each line expands to show the fields of that header.

The blue box is the packet bytes pane, the raw packet in hexadecimal and ASCII, the same view tcpdump -X gives.
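As an added worked example (not code from the original article), the following Python script produces a small pcap file of the kind tcpdump -w writes, reads it back with a minimal parser, decodes Ethernet, IPv4 and TCP layer by layer the way Wireshark's details pane lays them out, and applies the filter from example (8) above ('tcp and not dst port 22 and src net 192.168.1.0/24') in Python so you can see exactly which packets it keeps. The three frames, their addresses, ports and MACs are constructed inline; it needs no network access and no root. It handles only the classic pcap format with the Ethernet link type (tcpdump's default); pcapng, which Wireshark saves by default, is out of scope.

```python
"""Added example (not from the original article): write a small pcap like
tcpdump -w does, read it back, decode Ethernet/IPv4/TCP layer by layer, and
apply the filter 'tcp and not dst port 22 and src net 192.168.1.0/24'.
All addresses, ports and MACs below are constructed for illustration."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1     # tcpdump's "link-type EN10MB (Ethernet)"
SNAPLEN = 65535           # tcpdump's "capture size 65535 bytes"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Ethernet II + IPv4 + TCP SYN. Dummy MACs; the TCP checksum is deliberately left 0."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp


def write_pcap(frames, ts_start=1700000000) -> bytes:
    """24-byte global header followed by a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:SNAPLEN]                    # snaplen truncation, as tcpdump -s does
        out += struct.pack("<IIII", ts_start + i, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for each record; handles either byte order."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):               # truncated final record (capture killed mid-write)
            break
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode(frame: bytes):
    """Link -> network -> transport, like Wireshark's details pane. None if not IPv4/TCP or corrupt."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 4 or ipv4_checksum(frame[14:14 + ihl]) != 0:
        return None                                   # bad IP header checksum
    if frame[23] != 6:                                # protocol field: 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {"src": str(ipaddress.IPv4Address(frame[26:30])),
            "dst": str(ipaddress.IPv4Address(frame[30:34])),
            "sport": sport, "dport": dport}


def matches_filter(pkt, src_net="192.168.1.0/24", excluded_dst_port=22) -> bool:
    """Python equivalent of 'tcp and not dst port 22 and src net 192.168.1.0/24'."""
    return (pkt is not None
            and pkt["dport"] != excluded_dst_port
            and ipaddress.IPv4Address(pkt["src"]) in ipaddress.IPv4Network(src_net))


def demo():
    frames = [
        build_tcp_frame("192.168.1.10", "10.0.0.5", 40000, 22),   # dropped: dst port 22
        build_tcp_frame("192.168.1.11", "10.0.0.5", 40001, 80),   # kept
        build_tcp_frame("172.16.0.9", "10.0.0.5", 40002, 80),     # dropped: wrong source net
    ]
    decoded = [decode(frame) for _, _, frame in read_pcap(write_pcap(frames))]
    return decoded, [p for p in decoded if matches_filter(p)]


if __name__ == "__main__":
    for pkt in demo()[1]:
        print(pkt)
```

Running it prints the single packet the filter keeps (192.168.1.11 to port 80). The parser stops cleanly at a truncated last record, which is what a capture file looks like if tcpdump is killed while its write buffer is not yet flushed, and rejects pcapng or non-Ethernet captures rather than misreading them.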

That concludes how to use Wireshark on Linux to analyze packets captured with tcpdump. I hope it is helpful; if you found the article useful, share it so more people can see it.
