How to use tcpdump in Linux system

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The editor shares with you how to use tcpdump on a Linux system. Most people do not know much about it, so this article is shared for your reference; I hope you learn a lot from reading it. Let's get started!

tcpdump, defined in simple words, dumps the traffic on a network: it is a packet analysis tool that captures the packets on the network that match rules the user defines.

1. Installing tcpdump

tcpdump supports a wide range of Linux distributions, so it is likely already installed on your system. Check whether tcpdump is installed with the following command:

    $ which tcpdump
    /usr/sbin/tcpdump

If tcpdump is not installed, you can install it with the package manager. For example, on a CentOS or Red Hat Enterprise Linux system, install tcpdump with the following command:

    $ sudo yum install -y tcpdump

tcpdump relies on libpcap, the library used to capture network packets. If that library is not installed, the package manager installs it automatically as a dependency.

Now you can start capturing packets.

2. Using tcpdump to capture packets

Capturing packets with tcpdump requires administrator privileges, so most of the commands in the following examples start with sudo.

First, use the tcpdump -D command to list the network interfaces that can capture packets:

    $ sudo tcpdump -D
    1.eth0
    2.virbr0
    3.eth2
    4.any (Pseudo-device that captures on all interfaces)
    5.lo [Loopback]

As shown above, you can see all the network interfaces on my machine that can capture packets. The special interface any can be used to capture packets from all active network interfaces.

Let's capture packets on the any interface with the following command:

    $ sudo tcpdump -i any
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    09:56:xx.xxxxxx IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196
    09:56:xx.xxxxxx IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0
    09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)
    09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)
    09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)
    09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)
    09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)
    09:56:18.xxxxxx IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388
    09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0
    09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)
    09:56:18.xxxxxx IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)
    09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)
    09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060
    ---- SKIPPING LONG OUTPUT -----
    09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0
    ^C
    9003 packets captured
    9010 packets received by filter
    7 packets dropped by kernel
    $

tcpdump keeps capturing packets until it receives an interrupt signal; press Ctrl+C to stop. As shown in the example above, tcpdump captured more than 9000 packets. In this example, because I was connected to the server through ssh, tcpdump also captured all of those packets. The -c option limits the number of packets tcpdump captures:

    $ sudo tcpdump -i any -c 5
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196
    11:21:30.xxxxxx IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0
    11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)
    11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)
    11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)
    5 packets captured
    12 packets received by filter
    0 packets dropped by kernel
    $

As shown above, tcpdump stops automatically after capturing five packets. This is useful in some scenarios, for example when you only need a small number of packets for analysis. The -c option becomes especially useful when combined with filtering rules to capture specific packets (shown below).

In the examples above, tcpdump resolves IP addresses and port numbers to hostnames and service names by default. In network troubleshooting, raw IP addresses and port numbers are usually more convenient for analysis: use the -n option to display IP addresses, and the -nn option to display port numbers as well:

    $ sudo tcpdump -i any -c5 -nn
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196
    23:56:24.xxxxxx IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0
    23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372
    23:56:24.xxxxxx IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0
    23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340
    5 packets captured
    6 packets received by filter
    0 packets dropped by kernel

As shown above, the captured packets now show IP addresses and port numbers. This also stops tcpdump from issuing DNS lookups, which helps reduce traffic while troubleshooting a network.

Now that you know how to capture packets, let's analyze the meaning of the captured output.

3. Understanding the captured packets

tcpdump can capture and decode packets of many protocol types, such as TCP, UDP, ICMP and so on. We cannot cover every packet type here, but analyzing a TCP packet will get you started. For more details on tcpdump, refer to its manual page. A TCP packet captured by tcpdump looks like this:

    08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372

The exact fields vary with the packet type, but the example above shows the general format.

The first field, 08:41:13.729687, is the local system timestamp at which the packet was captured.

Then, IP is the network layer protocol type; here it is IPv4. For IPv6 the field value is IP6.

192.168.64.28.22 is the source IP address and port number, followed by the destination IP address and its port number, in this case 192.168.64.1.41916.

After the source and destination you can see the TCP flags field, Flags [P.]. The usual values of this field are:

    Value   Flag type   Description
    S       SYN         Connection start
    F       FIN         Connection finish
    P       PUSH        Data push
    R       RST         Connection reset
    .       ACK         Acknowledgment

This field can also be a combination of these values; for example, [S.] represents a SYN-ACK packet.

Next is the sequence number of the data in the packet. For the first packet captured, this field is an absolute number; subsequent packets use relative values, which makes the stream easier to follow. Here, seq 196:568 means the packet carries bytes 196 to 568 of the data stream.

Next is the ack value: ack 1. This packet was sent by the data sender, so its ack value is 1. On the receiver side, this field is the next byte expected on the data stream; for example, the ack value of the next packet in this stream would be 568.

The next field is the receive window size, win 309, the number of bytes available in the receive buffer, followed by TCP options such as MSS (maximum segment size) or the window scale value. For more details on the TCP protocol, refer to Transmission Control Protocol (TCP) Parameters.

Finally, length 372 is the payload length in bytes. It is not a sequence number itself: it equals the span of the seq range, 568 - 196 = 372.
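As an added example (not code from the original article), the following Python script applies the field layout just described: it splits a tcpdump TCP summary line into its fields with a regular expression, decodes the flag codes using the table above, and checks the point that the payload length is the span of the seq range. The sample lines are constructed from the captures shown in this article; the regular expression and function names are my own, and they handle only the one-line summary format, not -v or -X output.

```python
import re
from typing import Optional

# Meaning of the one-character TCP flag codes tcpdump prints inside "Flags [...]",
# as listed in the table above.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK"}

# One tcpdump TCP summary line, for example:
# 08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568,
#   ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
# seq/ack/win/options are optional: a bare SYN has no ack, a pure ACK has no seq range.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<proto>IP6?) "
    r"(?P<src>[\w.:-]+)\.(?P<sport>\w+) > (?P<dst>[\w.:-]+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_lo>\d+)(?::(?P<seq_hi>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)"
)


def parse_tcp_line(line: str) -> Optional[dict]:
    """Split one tcpdump TCP summary line into its fields (None for non-TCP lines)."""
    m = TCP_LINE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    seq = None
    if f["seq_lo"] is not None:
        seq = (int(f["seq_lo"]), int(f["seq_hi"]) if f["seq_hi"] else None)
    return {
        "timestamp": f["ts"],
        "proto": f["proto"],
        "src": f["src"], "sport": f["sport"],
        "dst": f["dst"], "dport": f["dport"],
        "flags": f["flags"],
        # codes not in the table (e.g. E for ECE, W for CWR) are passed through as-is
        "flag_names": [FLAG_NAMES.get(c, c) for c in f["flags"]],
        "seq": seq,
        "ack": int(f["ack"]) if f["ack"] else None,
        "win": int(f["win"]) if f["win"] else None,
        "options": f["options"],
        "length": int(f["length"]),
    }


def payload_matches_seq_range(rec: dict) -> bool:
    """The payload length is the span of the seq range (568 - 196 = 372 above).
    A line without a seq range (pure ACK, bare SYN) has nothing to compare."""
    if rec["seq"] is None or rec["seq"][1] is None:
        return True
    lo, hi = rec["seq"]
    return hi - lo == rec["length"]


# Constructed sample lines, copied from the captures shown in this article; the last
# one is a DNS query, included to show that non-TCP lines are skipped.
SAMPLE_LINES = [
    "08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372",
    "09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0",
    "09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0",
    "10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)",
]


def parse_capture(lines) -> list:
    """Parse every TCP summary line in a capture, skipping lines of other protocols."""
    records = []
    for line in lines:
        rec = parse_tcp_line(line)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_capture(SAMPLE_LINES):
        print(rec["timestamp"], rec["src"], rec["sport"], "->", rec["dst"], rec["dport"],
              rec["flag_names"], "len", rec["length"], "seq span ok:",
              payload_matches_seq_range(rec))
```

Feeding it the output of `tcpdump -nn` line by line gives one record per TCP segment; the seq-span check is a cheap sanity test when a capture has been edited or truncated.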

Now let's learn how to filter data packets to make it easier to analyze and locate problems.

4. Filtering packets

As mentioned above, tcpdump can capture many types of packets, many of which may have nothing to do with the problem we are investigating. For example, if you are troubleshooting a network problem with a connection to a web server, you do not need the SSH packets, so filtering SSH traffic out of the capture makes the problem easier to analyze.

tcpdump has many options for setting packet filtering rules, such as filtering by source and destination IP address, port number, protocol, and so on. Here are some of the most commonly used filters.

Protocol

Specify the protocol in the command to filter packets by protocol type. For example, to capture only ICMP messages:

    $ sudo tcpdump -i any -c5 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

Then open another terminal and ping another machine:

    $ ping opensource.com
    PING opensource.com (54.204.39.132) 56(84) bytes of data.
    64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms

Back in the terminal running tcpdump, you can see that it captured only the ICMP messages. tcpdump does not show the DNS packets used to resolve opensource.com:

    09:34:20.xxxxxx IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64
    09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64
    09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64
    09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64
    09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel

Host

Use the host parameter to capture only packets related to a specific host:

    $ sudo tcpdump -i any -c5 -nn host 54.204.39.132
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0
    09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0
    09:54:20.xxxxxx IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0
    09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1
    09:54:20.xxxxxx IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel

As shown above, only packets related to 54.204.39.132 are captured and displayed.

Port number

tcpdump can filter packets by service type or port number. For example, to capture packets related to HTTP services:

    $ sudo tcpdump -i any -c5 -nn port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0
    09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0
    09:58:28.xxxxxx IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0
    09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1
    09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel

IP address / hostname

Similarly, you can filter packets by source or destination IP address or hostname. For example, to capture packets whose source IP address is 192.168.122.98:

    $ sudo tcpdump -i any -c5 -nn src 192.168.122.98
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)
    10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)
    10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0
    10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 12282558 ecr 522832372], length 0
    10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel

Note that in this example, packets from port 53 and port 80 with the source IP address 192.168.122.98 are captured; their reply packets are not displayed because those packets have a different source IP address.

In contrast, use dst to filter packets by destination IP address or hostname:

    $ sudo tcpdump -i any -c5 -nn dst 192.168.122.98
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)
    10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)
    10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0
    10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0
    10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel

Multiple conditions

Of course, several conditions can be combined into one filter with the and and or logical operators. For example, src 192.168.122.98 and port 80 selects only the HTTP packets coming from the source IP address 192.168.122.98.

You can also use parentheses to create more complex filtering rules. In the shell, enclose the filter in quotation marks so that it is passed to tcpdump as a single argument and the parentheses are not interpreted by the shell:

    $ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0
    10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0
    10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0
    10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1
    10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel

In this example we captured only HTTP packets (port 80) whose source IP address is 192.168.122.98 or 54.204.39.132. This method makes it easy to capture both directions of a data flow.
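The filter primitives and operators in this section, as an added example that is not part of the original article: a small Python evaluator that parses expressions built from host, src, dst, port, tcp/udp/icmp, not/and/or and parentheses with the same precedence tcpdump uses (not binds tightest, then and, then or), applies them to constructed packet records, and builds the shell command line with the filter quoted as one argument. The packet records, the class and the function names are my own; it accepts numeric ports only and does not handle the src port / dst port forms or the other primitives tcpdump offers.

```python
import re
import shlex

# Constructed sample packets, mirroring the flows captured in this section: an HTTP
# exchange, a DNS lookup, a ping and an SSH segment (ports are None for ICMP).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.168.122.98", "sport": 39326, "dst": "54.204.39.132", "dport": 80},
    {"proto": "tcp", "src": "54.204.39.132", "sport": 80, "dst": "192.168.122.98", "dport": 39326},
    {"proto": "udp", "src": "192.168.122.98", "sport": 39436, "dst": "192.168.122.1", "dport": 53},
    {"proto": "udp", "src": "192.168.122.1", "sport": 53, "dst": "192.168.122.98", "dport": 39436},
    {"proto": "icmp", "src": "192.168.122.98", "sport": None, "dst": "54.204.39.132", "dport": None},
    {"proto": "tcp", "src": "192.168.64.1", "sport": 56322, "dst": "192.168.64.28", "dport": 22},
]

TOKEN = re.compile(r"\(|\)|[^\s()]+")   # parentheses are tokens of their own


class FilterParser:
    """Recursive-descent parser for the filter subset used in this section. Precedence as in tcpdump: not, and, or."""

    def __init__(self, expr):
        self.toks, self.pos = TOKEN.findall(expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()            # None once the expression is exhausted
        self.pos += 1
        return tok

    def parse(self):
        tree = self.parse_or()
        if self.peek() is not None:  # leftover token, e.g. a stray ')'
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("tcp", "udp", "icmp"):
            return ("proto", tok)
        if tok in ("host", "src", "dst", "port"):
            return (tok, self.take())   # e.g. ("src", "192.168.122.98")
        raise ValueError(f"unsupported primitive {tok!r}")


def matches(node, pkt):
    """Evaluate a parsed filter tree against one packet record."""
    op, arg = node[0], node[1]
    if op == "or":
        return matches(arg, pkt) or matches(node[2], pkt)
    if op == "and":
        return matches(arg, pkt) and matches(node[2], pkt)
    if op == "not":
        return not matches(arg, pkt)
    if op == "proto":
        return pkt["proto"] == arg
    if op == "host":                    # host matches either endpoint
        return arg in (pkt["src"], pkt["dst"])
    if op == "src":
        return pkt["src"] == arg
    if op == "dst":
        return pkt["dst"] == arg
    return int(arg) in (pkt["sport"], pkt["dport"])   # port: either end, numeric only


def apply_filter(expr, packets):
    """Return the packets that satisfy the filter expression."""
    tree = FilterParser(expr).parse()
    return [p for p in packets if matches(tree, p)]


def tcpdump_command(interface, count, expr):
    """Command line with the filter quoted as one argument (shlex.join needs Python 3.8+)."""
    return shlex.join(["sudo", "tcpdump", "-i", interface, f"-c{count}", "-nn", expr])
```

Running `apply_filter("port 80 and (src 192.168.122.98 or src 54.204.39.132)", SAMPLE_PACKETS)` returns exactly the two HTTP records, one per direction, as in the capture above, and `tcpdump_command("any", 5, ...)` shows the single-quoted form of that same filter.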

5. Checking packet contents

In the examples above we filtered packets only by header information such as source address, destination address and port number. Sometimes, to analyze a connection problem, we need to inspect the packet contents to see what was sent and received. tcpdump provides two options for viewing packet contents: -X prints the contents in hexadecimal, and -A prints them as ASCII.

For example, an HTTP request looks like this:

    $ sudo tcpdump -i any -c10 -nn -A port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0
    E.
    13:02:14.xxxxxx IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0
    E..
    13:02:14.xxxxxx IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0
    E.. .R.W.
    13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1
    E.......zb6. P..o. .R.WGET / HTTP/1.1
    User-Agent: Wget/1.14 (linux-gnu)
    Accept: */*
    Host: opensource.com
    Connection: Keep-Alive

    13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0
    E..4.... .R.a.
    13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found
    E....G@./...6.'...zb.P..o..'.9. .R.b....HTTP/1.1 302 Found
    Server: nginx
    Date: Sun, 23 Sep 2018 17:02:14 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 207
    X-Content-Type-Options: nosniff
    Location: https://opensource.com/
    Cache-Control: max-age=1209600
    Expires: Sun, 07 Oct 2018 17:02:14 GMT
    X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d
    X-Varnish: 632951979
    Age: 0
    Via: 1.1 varnish (Varnish/5.2)
    X-Cache: MISS
    Connection: keep-alive

    302 Found
    Found
    The document has moved here.

    13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0
    E..4..@.@.zb6.'....P....o. .R.b.
    13:02:xx.xxxxxx IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0
    E..4..@.@.zb6.'....P....o. .R.b.
    13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0
    E..4.... 6.'...zb.P..o.9.I. .R..
    13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0
    E..4..@.@.zb6.'....P....o. .R.
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel

This is useful for troubleshooting plain-text HTTP calls to an API. Of course, if the traffic is encrypted, this output is of little use.
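As an added example that is not from the original article, the following Python functions reproduce what -X and -A do to a packet's bytes: every byte outside printable ASCII is shown as a dot, which is why the IP and TCP header bytes appear as runs like E..4..@.@. (0x45 is the first byte of an IPv4 header and happens to be the letter E) while the HTTP text stays readable. The payload is constructed, and the column layout and function names are my own approximation of tcpdump's output rather than its code.

```python
# Constructed payload: the HTTP request seen in the -A output above, preceded by a
# few header-like bytes (0x45 0x00 ... is the start of an IPv4 header).
SAMPLE_PAYLOAD = (b"\x45\x00\x00\x34\x00\x00\x40\x00\x40\x06"
                  b"GET / HTTP/1.1\r\nHost: opensource.com\r\n\r\n")

PRINTABLE = set(range(0x20, 0x7F))   # printable ASCII; control bytes are excluded


def ascii_column(data: bytes) -> str:
    """The ASCII column of an -X dump: printable bytes as-is, everything else as '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data)


def ascii_print(data: bytes) -> str:
    """-A style rendering: like ascii_column, but line feeds are kept and a CR that
    precedes an LF is dropped, so HTTP headers come out one per line."""
    out = []
    for i, b in enumerate(data):
        if b == 0x0D and i + 1 < len(data) and data[i + 1] == 0x0A:
            continue
        out.append("\n" if b == 0x0A else chr(b) if b in PRINTABLE else ".")
    return "".join(out)


def hex_dump(data: bytes, width: int = 16) -> list:
    """-X style rendering: offset, the bytes in hex grouped in pairs, then the ASCII
    column. The exact spacing is my own; tcpdump's differs slightly."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_part = " ".join(groups).ljust(width // 2 * 5 - 1)
        lines.append(f"0x{off:04x}:  {hex_part}  {ascii_column(chunk)}")
    return lines


if __name__ == "__main__":
    print("\n".join(hex_dump(SAMPLE_PAYLOAD)))
    print(ascii_print(SAMPLE_PAYLOAD))
```

The first dump line starts with `4500 0034` and the ASCII column reads `E..4`, the same run that opens each packet in the capture above; the request line only becomes legible where the payload begins.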

6. Saving packet capture data

tcpdump can save captured packets to a file for later analysis. For example, you can let it capture overnight and analyze the result in the morning. Similarly, when there are many packets, the output scrolls too fast to read; saving the packets to a file makes the analysis easier.

Use the -w option to save the packets to a file instead of displaying them on the screen:

    $ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80
    [sudo] password for ricardo:
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel

This command saves the captured packets to the file webserver.pcap. The .pcap suffix indicates that the file is in packet capture format.

As shown in the example, no packet lines are printed on the screen when the capture is saved to a file; -c10 means the capture stops after 10 packets. If you want some feedback that packets are actually being captured, add the -v option.

tcpdump saves the packets in a binary file, so you cannot simply open it with a text editor. Use the -r option to read the packets from the file:

    $ tcpdump -nn -r webserver.pcap
    reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
    13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0
    13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
    13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0
    13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1
    13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
    13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
    13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0
    13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0
    13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
    13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0
    $

Administrator privileges (sudo) are not required here, because we are reading from a file rather than capturing on a network interface.

You can also apply any of the filtering rules discussed above to the contents of the file, just as you would with live traffic. For example, to list the packets in the file whose source IP address is 54.204.39.132, run:

    $ tcpdump -nn -r webserver.pcap src 54.204.39.132
    reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
    13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
    13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
    13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
    13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

That is all the content of the article "How to use tcpdump in Linux system". Thank you for reading! I hope it has given you a basic understanding and that the content is helpful. If you want to learn more, please follow the industry information channel!
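An added example, not code from the original article: a minimal writer and reader for the pcap format that -w and -r use. It shows why the file is binary rather than text: a magic number, a fixed global header carrying the link type, and a 16-byte record header in front of every packet. The record contents and timestamps are constructed and the function names are my own; the constants are the standard ones (the link type 113 is LINUX_SLL, the "Linux cooked" type shown by tcpdump in the captures above), and only the classic microsecond pcap format is handled, not pcapng or the nanosecond variant.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps
LINKTYPE_LINUX_SLL = 113    # "Linux cooked", the link type tcpdump reports for -i any
SNAPLEN = 262144            # the "capture size" tcpdump reports above

GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(path: str, packets, linktype: int = LINKTYPE_LINUX_SLL) -> None:
    """Write (ts_sec, ts_usec, data) tuples as a little-endian pcap file."""
    with open(path, "wb") as fh:
        fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype))
        for ts_sec, ts_usec, data in packets:
            saved = data[:SNAPLEN]       # incl_len may be shorter than orig_len
            fh.write(RECORD_HDR.pack(ts_sec, ts_usec, len(saved), len(data)))
            fh.write(saved)


def read_pcap(path: str):
    """Parse a pcap file into (linktype, [(ts_sec, ts_usec, data), ...]). The magic
    number check is the same test that lets tcpdump -r recognise a capture file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if len(raw) < GLOBAL_HDR.size:
        raise ValueError("not a pcap file (too short)")
    if struct.unpack("<I", raw[:4])[0] == PCAP_MAGIC:
        order = "<"
    elif struct.unpack(">I", raw[:4])[0] == PCAP_MAGIC:
        order = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a pcap file (bad magic number)")
    ghdr, rhdr = struct.Struct(order + "IHHiIII"), struct.Struct(order + "IIII")
    _, major, minor, _, _, _, linktype = ghdr.unpack_from(raw, 0)
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records, pos = [], ghdr.size
    while pos + rhdr.size <= len(raw):
        ts_sec, ts_usec, incl_len, _ = rhdr.unpack_from(raw, pos)
        pos += rhdr.size
        data = raw[pos:pos + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_usec, data))
        pos += incl_len
    return linktype, records


def roundtrip_demo():
    """Write two constructed records, read them back, return (first 4 bytes, linktype, records)."""
    packets = [(1537702617, 679494, b"constructed packet 1"),
               (1537702617, 718932, b"constructed packet 2")]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, packets)
        with open(path, "rb") as fh:
            head = fh.read(4)
        linktype, records = read_pcap(path)
    finally:
        os.remove(path)
    return head, linktype, records


def rejects_non_pcap() -> bool:
    """True if read_pcap refuses a plain text file, as tcpdump -r would."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.write(fd, b"this is not a capture file, just text\n")
    os.close(fd)
    try:
        read_pcap(path)
    except ValueError:
        return True
    finally:
        os.remove(path)
    return False
```

The first four bytes of the file written here are d4 c3 b2 a1, the little-endian form of the magic number; that is what a hex viewer shows at the top of any webserver.pcap, and a text editor renders it as garbage. A file produced by write_pcap can be opened with tcpdump -r, though the constructed record contents here are not real packets and would not decode.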


© 2024 shulou.com SLNews company. All rights reserved.
