Detailed explanation of tcpdump packet grab Analysis

2025-02-21 Update, from SLTechnology News & Howtos (Servers)


Shulou(Shulou.com)06/02 Report--


1 Background

Some time ago a problem appeared in production: an online application accepting POST requests was not receiving all of the parameters in the request body, so part of the data was lost. The problem was sporadic, occurring with a probability of roughly 5% to 10%, which is already quite high. During troubleshooting, tcpdump and Wireshark were used for packet analysis, and the two tools complement each other very well: with both in hand, nothing that crosses the network can hide.

To make these two tools easier to use effectively, I have organized this article in the hope that it is also useful to you, and that it adds a sharp weapon to your toolbox the next time you need to troubleshoot.

2 Introduction to tcpdump and Wireshark

In debugging network problems, tcpdump is an indispensable tool. Like most excellent tools on Linux, it is simple and powerful. It is a command-line packet sniffer for Unix-like systems that captures the packets flowing through a network interface.

By default, tcpdump does not capture messages exchanged purely inside the local machine. The network protocol stack requires that even a packet whose destination is the local machine passes through the local protocol layers, so local communication also enters the kernel through the socket API and goes through routing. [For example, local TCP communication must still carry the basic elements of socket communication: src ip, src port, dst ip, dst port.]

If you want tcpdump to capture packets addressed to the MAC addresses of other hosts, you must switch the network card into promiscuous mode, which in the simplest terms means letting the card accept every packet that passes through it, regardless of whether the packet is addressed to it. Generally, Unix does not allow ordinary users to set promiscuous mode, because in this way you can see other people's traffic, such as telnet usernames and passwords, which raises security concerns, so only root can turn on promiscuous mode. The command is: ifconfig en0 promisc, where en0 is the network card to switch into promiscuous mode.

Linux packet capture principle:

Linux packet capture works by registering a virtual low-level network protocol that takes part in processing network packets (more precisely, network device input). When the network card receives a packet, the kernel walks all protocol handlers registered in the system, such as the Ethernet and X.25 protocol modules, and lets each try to parse the packet. This resembles mounting a file system: every registered file system is given a chance to try the mount, and whichever one decides it can handle the data completes it.

Once the packet capture module has registered itself as a protocol, the system gives this pseudo protocol a chance to process each packet received by the network card. The module uses that chance to snoop on the packet: it copies the packet in full, as if the packet had been delivered to it, and hands the copy to the packet capture module.

Wireshark is a network protocol analyzer that supports Windows, Unix and Mac platforms. Generally, Wireshark is used only on platforms with a graphical interface. On Linux, tcpdump is used directly, since Linux generally ships with tcpdump; alternatively, tcpdump captures the packets and Wireshark is used to open and analyze the capture.

On the Mac platform, Wireshark captures packets through WinPcap, which is well packaged and easy to use, and makes it easy to write capture filters or display filters. Simple usage is described below. Wireshark is a free tool, and a download site is easy to find with a quick Google search.

In short, tcpdump is the more convenient tool for capturing data, and Wireshark the more convenient one for analyzing the captured data.

3 tcpdump usage

3.1 Syntax

Type keywords

host (default type): specifies a host, e.g. host 210.27.48.2

net: specifies a network address, e.g. net 202.0.0.0

port: specifies a port number, e.g. port 23

Direction keywords

src: src 210.27.48.2 matches IP packets whose source address is 210.27.48.2

dst: dst net 202.0.0.0 matches packets whose destination network is 202.0.0.0

dst or src (default)

dst and src

Protocol keywords: by default, packets of all protocols are captured

fddi

ip

arp

rarp

tcp

udp

Other keywords

gateway

broadcast

less

greater

Logical operators: parentheses may group multiple conditions, but they must be escaped from the shell

Not: ! or not

And: && or and

Or: || or or

3.2 Options

3.3 Command practice

1. Start tcpdump with no arguments to capture all packets passing through the first network interface.

2. Capture all packets passing through a specified network interface.

3. Capture all traffic through en0 whose destination or source address is 10.37.63.255:

4. Capture the communication between host 10.37.63.255 and host 10.37.63.61 or 10.37.63.95:

5. Capture the packets exchanged between host 192.168.13.210 and every host except 10.37.63.61:

6. Capture the IP packets exchanged with every host except 10.37.63.255:

7. Capture all data sent by host 10.37.63.3:

8. Capture all data received by host 10.37.63.3:

9. Capture all packets of host 10.37.63.3 on TCP port 80:

10. Capture the HTTP packets received by host 10.37.63.3 on port 80:

11. Capture all traffic through en0 whose destination or source port is 25:

12. Capture all packets through en0 on the 192.168 network:

13. Protocol filtering:

14. Capture all TCP traffic through en0 whose destination is 192.168.1.254, or port 80 of 192.168.1.200:

15. Capture all ICMP traffic through en0 whose destination MAC address is 00:01:02:03:04:05:

16. Capture all TCP traffic through en0 whose destination network is 192.168 but whose destination host is not 192.168.1.200:

17. Capture only SYN packets:

18. Capture SYN+ACK packets:

19. Capture SMTP data: packets whose data area starts with "MAIL"; the hexadecimal of "MAIL" is 0x4d41494c.

20. Capture HTTP GET data; the hexadecimal of "GET " is 0x47455420.

21. Capture SSH connection setup; the hexadecimal of "SSH-" is 0x5353482D.

22. Advanced header filtering, such as the two packet header filters above; first learn how to read fields out of the packet header:

23. Capture DNS request data:

24. Other: the -c parameter is also commonly used by operations staff, because on a server with heavy traffic, stopping the capture manually with Ctrl+C collects far too much; -c specifies how many packets to capture before tcpdump stops.
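Items 17 to 22 all rest on tcpdump's byte-offset filter syntax: tcp[12] is the data-offset byte, so tcp[(tcp[12]>>2):4] reads the first four payload bytes, and tcp[13] (also written tcp[tcpflags]) holds the flag bits. The Python below is an added example, not code from the original article; it evaluates those same expressions over constructed TCP segments (the builder and function names are my own) so the mechanics can be checked offline without a live capture.

```python
import struct

MAIL = 0x4d41494c   # "MAIL" as a big-endian 32-bit integer, as quoted in item 19
GET = 0x47455420    # "GET " as quoted in item 20
SYN, ACK = 0x02, 0x10  # bit values of the SYN and ACK flags inside tcp[13]

def build_tcp_segment(sport, dport, seq, ack, flags, payload=b"", options=b""):
    """Constructed TCP header + options + payload for testing (checksum left as 0)."""
    options += b"\x00" * (-len(options) % 4)   # options are padded to 32-bit words
    doff = (20 + len(options)) // 4            # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      doff << 4, flags, 65535, 0, 0)
    return hdr + options + payload

def tcp_byte(seg, i):
    """tcp[i] in filter syntax: the i-th byte counted from the start of the TCP header."""
    return seg[i]

def tcp_word(seg, off):
    """tcp[off:4] in filter syntax: four bytes at 'off' read as a big-endian integer."""
    return int.from_bytes(seg[off:off + 4], "big")

def header_len(seg):
    """tcp[12]>>2: the upper nibble of tcp[12] is the data offset in 32-bit words,
    so shifting the whole byte right by 2 yields the header length in bytes."""
    return tcp_byte(seg, 12) >> 2

def payload_starts_with(seg, magic):
    """Equivalent of 'tcp[(tcp[12]>>2):4] = 0x...': the payload begins with magic.
    Skips the variable-length options, which a naive tcp[20:4] would not."""
    off = header_len(seg)
    return len(seg) >= off + 4 and tcp_word(seg, off) == magic

def is_syn_only(seg):
    """Item 17: 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' (SYN set, ACK clear)."""
    return (tcp_byte(seg, 13) & (SYN | ACK)) == SYN

def is_syn_ack(seg):
    """Item 18: 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'."""
    return (tcp_byte(seg, 13) & (SYN | ACK)) == (SYN | ACK)

if __name__ == "__main__":
    # Constructed segments: a SYN carrying an MSS option (kind 2, length 4,
    # value 16344 = 0x3fd8), then a PSH+ACK data segment with "MAIL FROM" behind it.
    mss = b"\x02\x04\x3f\xd8"
    syn = build_tcp_segment(61725, 25, 1944916150, 0, SYN, options=mss)
    data = build_tcp_segment(61725, 25, 1944916151, 1, 0x18, b"MAIL FROM:<a@b>", mss)
    print(is_syn_only(syn), header_len(data),
          payload_starts_with(data, MAIL), tcp_word(data, 20) == MAIL)
```

The last two printed values differ because the 4-byte option pushes the payload to offset 24, which is exactly why the filter must compute the offset from tcp[12] instead of assuming 20.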

3.4 Capturing a website visit for practice

Suppose you want to capture the network traffic generated by visiting a website, for example http://www.baidu.com/. What does a visit to that site actually do?

1. Use tcpdump to intercept all packets sent to and received from host www.baidu.com

2. Visit the website

3. Want to see the detailed HTTP messages? How?

4. Analyze the captured messages

4 Analysis of TCP packets captured by tcpdump

TCP (Transmission Control Protocol) is a reliable, connection-oriented transport layer protocol. Before data is transmitted, a connection must be set up between the two ends (client and server). The connection is uniquely identified by a pair of socket addresses, that is, the source and destination IP addresses in the IP header together with the source and destination ports in the TCP header. The TCP header structure is as follows:

Note: a normal TCP connection has three stages: 1. the TCP three-way handshake; 2. data transfer; 3. the TCP four-way termination.

The header fields that matter for connection setup and teardown are:

Source port: the sender's port number. For the client side of a TCP connection this port is usually assigned by the kernel and need not be specified by the process

Destination port: the port number at the destination

Sequence number: the sequence number of the first byte of the data segment being sent

Acknowledgement number: the sequence number the receiver expects to receive next, sent while acknowledging the datagram from the other side

SYN: synchronize sequence numbers (Synchronize Sequence Numbers)

ACK: acknowledgement (Acknowledgement Number)

FIN: end flag (FINish)

4.1 TCP three-way handshake

The three-way handshake proceeds as follows:

Step 1. The client initiates a TCP connection request to the server. Client sends: SYN set to 1, sending sequence number Seq set to a random number, assumed to be X, and acknowledgement number ACK set to 0

Step 2. The server receives the connection request. Server responds: SYN set to 1, acknowledgement number ACK set to X+1, and a random number Y generated as its own sending sequence number Seq (the acknowledgement number of the datagram being acknowledged was not initialized)

Step 3. The client acknowledges the acknowledgement it received. Client sends: acknowledgement number ACK set to Y+1, and sending sequence number Seq set to X+1 (that is, the acknowledgement number of the datagram it received)

Why a three-way handshake rather than two, that is, why step 3? Suppose client A sends a connection request datagram to server B and the datagram is delayed in the network. When it eventually arrives, the server still accepts it and sends back an acknowledgement. But A, having waited a long time without B's confirmation, has already treated that request as invalid; when B's acknowledgement later arrives, A does not consider itself to have an open connection, while B believes the connection succeeded and keeps waiting for A, which never does anything. This wastes server resources, so two handshakes are not enough: a further message is needed in which A confirms the acknowledgement sent by B, that is, confirms that the connection is valid, and only then is the connection established.

What is the initial value of each side's sending sequence number? On some systems the initial sequence number is explicitly 0, but a known initial value is dangerous because it creates loopholes, allowing forged datagrams to break the connection. It is therefore better to choose the initial sequence number randomly, and the more random the safer.

Analysis of a TCP three-way handshake captured with tcpdump:

sudo tcpdump -n -S -i lo0 host 10.37.63.3 and tcp port 8080

# then run:

curl http://10.37.63.3:8080/atbg/doc

Console output:

In the middle of each line is the flag carried by the packet:

S = SYN, initiates the connection.

P = PUSH, carries data.

F = FIN, closes the connection.

ack, indicates an acknowledgement packet.

RST = RESET, the connection is closed abnormally.

., means no flag is set.

Line 1: 16:15:13.486776, a connection is initiated from ephemeral port 61725 of 10.37.63.3 (client) to port 8080 of 10.37.63.3 (server). The client's initial sequence number seq is 1944916150; the sliding window size is 65535 bytes (the sliding window is the size of the TCP receive buffer, used for TCP congestion control); the MSS is 16344 (the maximum segment that can be received, usually the MTU minus 40 bytes, since the IP header and the TCP header are 20 bytes each). [seq=1944916150, ack=0, syn=1]

Line 2: 16:15:13.486850, the server responds to the connection with an ack of the first packet, the client's initial sequence number plus 1, that is 1944916151; this is the sequence number the server expects to receive next and is used to order the TCP byte stream. The server's initial sequence number seq is 1119565918 and its MSS is also 16344. [seq=1119565918, ack=1944916151, syn=1]

Line 3: 15:46:13.084161, the client sends its acknowledgement of the connection; the three-way handshake is complete and the connection now waits for data to be transmitted. [ack=1119565919, seq=1944916151]
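As an added example, not part of the original article, the script below parses constructed lines in the format of tcpdump -n -S (absolute sequence numbers) for the handshake just described and checks the X, X+1, Y, Y+1 relationship between the three segments. The sample lines reuse the article's numbers but are constructed, not a real capture, and the function names are my own.

```python
import re

# Flag letters tcpdump prints inside Flags [...], with the meanings listed in the article
FLAG_NAMES = {"S": "SYN", "P": "PUSH", "F": "FIN", ".": "ACK", "R": "RST"}

# Constructed sample of 'tcpdump -n -S' output (not a real capture); the seq/ack
# values follow the article's example, and -S makes tcpdump print absolute numbers.
SAMPLE = """\
16:15:13.486776 IP 10.37.63.3.61725 > 10.37.63.3.8080: Flags [S], seq 1944916150, win 65535, options [mss 16344,nop,wscale 5], length 0
16:15:13.486850 IP 10.37.63.3.8080 > 10.37.63.3.61725: Flags [S.], seq 1119565918, ack 1944916151, win 65535, options [mss 16344,nop,wscale 5], length 0
16:15:13.486861 IP 10.37.63.3.61725 > 10.37.63.3.8080: Flags [.], ack 1119565919, win 12759, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?")

def parse_line(line):
    """Split one tcpdump line into timestamp, endpoints, flag string, seq and ack.
    A zero-length pure ACK carries no seq field, so seq may be None."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    d = m.groupdict()
    d["seq"] = int(d["seq"]) if d["seq"] is not None else None
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    d["flag_names"] = [FLAG_NAMES.get(c, c) for c in d["flags"]]
    return d

def check_handshake(text):
    """Verify that the first three segments form the handshake from the article:
    SYN (seq=X), SYN+ACK (ack=X+1, seq=Y), ACK (ack=Y+1). Returns (ok, problems)."""
    pkts = [parse_line(l) for l in text.splitlines() if l.strip()]
    if len(pkts) < 3:
        return False, ["fewer than three segments captured"]
    syn, synack, ack = pkts[:3]
    problems = []
    if syn["flags"] != "S" or syn["seq"] is None:
        problems.append("step 1 is not a pure SYN")
    if synack["flags"] != "S." or synack["seq"] is None:
        problems.append("step 2 is not SYN+ACK")
    elif not problems and synack["ack"] != (syn["seq"] + 1) % 2**32:
        problems.append(f"step 2 ack {synack['ack']} != X+1 ({syn['seq'] + 1})")
    if ack["flags"] != ".":
        problems.append("step 3 is not a pure ACK")
    elif synack["seq"] is not None and ack["ack"] != (synack["seq"] + 1) % 2**32:
        problems.append(f"step 3 ack {ack['ack']} != Y+1 ({synack['seq'] + 1})")
    if synack["src"] != syn["dst"] or ack["src"] != syn["src"]:
        problems.append("segments do not alternate between client and server")
    return not problems, problems

if __name__ == "__main__":
    print(check_handshake(SAMPLE))
```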

4.2 TCP four-way termination

After the data transfer is complete, both sides of the connection need to disconnect. Because a TCP connection is full-duplex, that is, both sides can send data to each other over the same connection, there is a half-closed state during disconnection in which one side has given up the ability to send data but can still receive it. Disconnection therefore takes four steps. The main process is as follows:

Step 1. Host A sends a disconnect request to host B, after which host A enters the FIN-WAIT-1 state

Step 2. After receiving the request from host A, host B sends an acknowledgement back to host A and enters the CLOSE-WAIT state.

Step 3. After receiving the acknowledgement from B, host A enters the FIN-WAIT-2 state, which is half-closed: host A has lost its ability to send data, but host B can still send data to A, and A can receive it. At this point host B holds the initiative, and host B must act if the connection is to be closed further.

Step 4. Host B sends a disconnect request to A and enters the LAST-ACK state

Step 5. Host A sends an acknowledgement after receiving the request, enters the TIME-WAIT state and waits 2MSL before entering the CLOSED state, while host B enters the CLOSED state as soon as it receives the acknowledgement.

Why does host A not enter the CLOSED state directly after sending the final acknowledgement, but instead waits 2MSL in TIME-WAIT? There are two main reasons:

First, to make sure that the last acknowledgement sent by host A reaches host B. If host B, in the LAST-ACK state, does not receive the acknowledgement from host A, it retransmits the disconnect request, and host A then still has enough time to send the acknowledgement again. This is only a best effort at closing properly, however: if host A's acknowledgement keeps failing in the network for longer than 2MSL, the connection will ultimately not close normally.

Second, suppose host A entered the CLOSED state immediately after sending the acknowledgement, then sent a new connection request to host B, and the new request reached host B before the earlier acknowledgement message. Host B would take the connection request for a message belonging to the old connection rather than a new connection request. Waiting 2MSL lets such stale connection request messages expire, so an invalid request cannot interfere with the next new connection.

Why are there only three teardown messages in the capture rather than four? Because TCP delays acknowledgements (delayed ACK): an endpoint waits a short time before sending an acknowledgement, and if it also has data to send within that time, the data is sent together with the acknowledgement; otherwise the acknowledgement is sent on its own. In our capture experiment the server disconnects first, and the client also has a disconnect request ready within the acknowledgement delay, so it is sent together with the final acknowledgement, leaving only three datagrams.

5 Wireshark analysis of tcpdump capture results

1. Start the service on port 8080; the tcpdump capture command is as follows:

tcpdump -i lo0 -s 0 -n -S host 10.37.63.3 and port 8080 -w ./Desktop/tcpdump_10.37.63.3_8080_20160525.cap

# and then execute curl

curl http://10.37.63.3:8080/atbg/doc

2. Open the file tcpdump_10.37.63.3_8080_20160525.cap in Wireshark

No. 1-4: TCP three-way handshake

No. 5-8: TCP data transmission

No. 9-13: TCP four-way termination

3. By the way, one way to view the HTTP request and response:

The pop-up window is shown in the following figure. The red part at the top is the request, and the blue part below it is the response:

That is the simple use of Wireshark to analyze tcpdump captures. Wireshark's real strength is its filters; it is worth studying Wireshark further, and it is quite cool to use.

Recommended articles about Wireshark:

Wireshark basic introduction and learning the TCP three-way handshake

One-stop learning Wireshark
