Shulou.com (SLTechnology News & Howtos, Servers section), report dated 06/02, updated 2025-03-28
tcpdump is a flexible and powerful packet capture tool that can be a great help when troubleshooting network problems.
In my experience as an administrator, I often run into network connection problems that are hard to pin down; in those cases, tcpdump comes in handy.
tcpdump is a command-line utility that captures and decodes the packets passing through the system. It is normally used as a network troubleshooting tool and as a security tool.
It supports a large set of options and filter expressions and fits many scenarios. Because it is a command-line tool, it is well suited to collecting packets on remote servers or devices without a graphical interface, for analysis afterwards. It can be run in the background, or scheduled with a tool such as cron.
In this article we go through the most commonly used features of tcpdump.
1. Install tcpdump in Linux
tcpdump is packaged by virtually every Linux distribution, so there is a good chance it is already installed on your system. Check with:
$ which tcpdump
/usr/sbin/tcpdump
If it is not installed, use the package manager. On CentOS or Red Hat Enterprise Linux, for example:
$ sudo yum install -y tcpdump
(On current Fedora and RHEL releases the command is dnf install -y tcpdump; on Debian and Ubuntu it is apt install tcpdump.)
tcpdump depends on libpcap, the library that does the actual packet capture; if it is missing, the package manager installs it as a dependency.
Now you can start capturing packets.
2. Capture packets with tcpdump
Capturing packets requires root privileges (strictly, the CAP_NET_RAW and CAP_NET_ADMIN capabilities), so most commands in the examples below start with sudo. tcpdump can drop those privileges again once the interface is open (the -Z user option).
First, list the network interfaces tcpdump can capture on with tcpdump -D:
$ sudo tcpdump -D
eth0
virbr0
eth2
any (Pseudo-device that captures on all interfaces)
lo [Loopback]
The output lists every interface on my machine that tcpdump can capture on. The special pseudo-interface any captures on all active interfaces at once. Captures taken on any use the Linux "cooked" encapsulation (shown as link-type LINUX_SLL in the output below) rather than raw Ethernet frames, which matters when you later open the capture file in another tool.
Let's capture on the any interface:
$ sudo tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196
09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0
09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)
09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)
09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)
09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)
09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)
09:56:18 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388
09:56:18 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0
09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)
09:56:18 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)
09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)
09:56:18 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060
---- SKIPPING LONG OUTPUT ----
09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0
^C
9003 packets captured
9010 packets received by filter
7 packets dropped by kernel
$
tcpdump keeps capturing until it receives an interrupt; press Ctrl+C to stop. In the run above it captured more than 9000 packets in a few seconds, including the packets of my own SSH session, since that is how I am connected to the server. Note the counters at the end: when "packets dropped by kernel" is not zero, the capture is incomplete because the kernel buffer filled faster than tcpdump could drain it; a tighter filter or a larger buffer (-B, in KiB) helps. The -c option limits the number of packets captured:
$ sudo tcpdump -i any -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196
11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0
11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)
11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)
11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)
5 packets captured
12 packets received by filter
0 packets dropped by kernel
$
This time tcpdump stopped on its own after five packets. That is useful when a handful of packets is enough to confirm something, and it is especially handy combined with a filter that selects exactly the traffic you care about (shown later).
In the examples so far tcpdump has resolved IP addresses to host names and port numbers to service names (rhel75.localdomain.ssh). For troubleshooting, raw addresses and ports are usually easier to work with: -n disables host-name resolution, and -nn additionally disables port and protocol name resolution:
$ sudo tcpdump -i any -c5 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196
23:56:24 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372
23:56:24 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340
5 packets captured
6 packets received by filter
0 packets dropped by kernel
Now the packets show bare IP addresses and port numbers. Just as important, -n stops tcpdump from issuing a reverse DNS lookup for every address it sees: those lookups are the PTR queries that showed up in the first capture, they slow the capture down, and they tell the DNS server which addresses you are looking at. -nn is a sensible default.
Now that you know how to capture packets, let's look at what the output means.
3. Understand the captured packets
tcpdump decodes many protocols (TCP, UDP, ICMP and so on). We cannot cover them all here, so this section walks through a TCP line, which is enough to get started; the tcpdump(1) man page documents the rest, and pcap-filter(7) the filter syntax. A TCP packet captured with -nn looks like this:
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
The exact fields vary with the protocol, but this is the general format.
The first field, 08:41:13.729687, is the local system time at which the packet was captured.
IP is the network-layer protocol, here IPv4; for IPv6 packets the field reads IP6.
192.168.64.28.22 is the source IP address and port (22, the SSH server), followed by the destination address and port, 192.168.64.1.41916. With -nn the port is simply appended to the address after a dot.
After the addresses comes the TCP flags field, Flags [P.]. tcpdump uses one letter per flag: S (SYN), F (FIN), P (PSH), R (RST), U (URG), and . for ACK.
A segment usually carries more than one flag, so the field is a combination: [S.] is a SYN-ACK, [F.] a FIN with ACK set, and [P.] as here is a data segment with PSH and ACK.
Next is the sequence number range, seq 196:568. For the first packet tcpdump sees in a conversation the number is absolute; later packets are shown relative to it, which is much easier to follow (pass -S if you want absolute numbers throughout). Here seq 196:568 means the segment carries bytes 196 through 567 of the stream (the end of the range is exclusive), 372 bytes in all.
Next is ack 1, the next byte this side expects to receive from the peer. This packet comes from the side that is sending data, and the other side has sent nothing since the handshake, so the ack stays at 1. When the receiver acknowledges this segment, its ack will be 568, the byte after the last one it received.
The next field is the receive window, win 309, the number of bytes the sender is willing to accept into its receive buffer. tcpdump prints the raw 16-bit header value; when window scaling was negotiated in the handshake (wscale 7 in the SYNs shown later), the real window is that value shifted left by the scale factor. Then come the TCP options: a SYN carries the negotiated parameters (mss, sackOK, wscale), while later segments typically show only the timestamp option (TS val ... ecr ...) as here. For more details see the IANA Transmission Control Protocol (TCP) Parameters registry.
Finally, length 372 is the payload length in bytes. It equals the width of the sequence range (568 - 196 = 372); the IP and TCP headers are not included.
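To make the decoding above concrete, here is an added example (not code from the original article) that pulls the fields out of tcpdump's -nn TCP lines with awk, checks the length-versus-sequence-range relationship just described, and counts bare SYNs per source address, a quick way to spot scan-like bursts in a text capture. The sample lines are constructed: two are copied from the page's own output and the 10.0.0.5 "scanner" is invented. Nothing here needs a live interface or root.

```shell
# Added example, not part of the original article: decode the one-line TCP
# summaries that tcpdump prints with -nn and check them the way the text
# above describes. Sample lines are constructed (two from the page's output,
# the 10.0.0.5 scanner is invented); no live capture or root needed.

# A data segment and a bare SYN, in tcpdump -nn format (from the page).
LINE_PSH='08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372'
LINE_SYN='10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0'

# parse_tcp_line LINE: print, tab-separated,
#   time  src  dst  flags  seq_start  seq_end  ack  win  length
# A field the line does not carry (no seq range or ack on a bare SYN) prints as "-".
parse_tcp_line() {
    printf '%s\n' "$1" | awk '
    {
        ts = $1; src = $3; dst = $5; sub(/:$/, "", dst)
        flags = "-"; s0 = "-"; s1 = "-"; ack = "-"; win = "-"; len = "-"
        if (match($0, /Flags \[[^]]*]/))
            flags = substr($0, RSTART + 7, RLENGTH - 8)
        if (match($0, /seq [0-9]+:[0-9]+/)) {
            split(substr($0, RSTART + 4, RLENGTH - 4), r, ":")
            s0 = r[1]; s1 = r[2]
        } else if (match($0, /seq [0-9]+/))
            s0 = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /ack [0-9]+/))    ack = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /win [0-9]+/))    win = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /length [0-9]+/)) len = substr($0, RSTART + 7, RLENGTH - 7)
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", ts, src, dst, flags, s0, s1, ack, win, len
    }'
}

# check_length LINE: "ok" when the payload length equals the width of the
# sequence range (568 - 196 = 372), "mismatch" otherwise, and "no-range"
# for segments that carry no data (bare SYN, ACK, FIN).
check_length() {
    parse_tcp_line "$1" | awk -F'\t' '{
        if ($5 == "-" || $6 == "-") { print "no-range"; exit }
        verdict = ($6 - $5 == $9) ? "ok" : "mismatch"
        print verdict
    }'
}

# Constructed log: one source sending bare SYNs to several ports of one host
# (what a port scan looks like in tcpdump output), one SYN-ACK going back,
# and one ordinary connection attempt from another host.
SCAN_LOG='10:20:01.000100 IP 10.0.0.5.41000 > 192.168.122.98.22: Flags [S], seq 1, win 1024, length 0
10:20:01.000200 IP 10.0.0.5.41001 > 192.168.122.98.80: Flags [S], seq 1, win 1024, length 0
10:20:01.000300 IP 10.0.0.5.41002 > 192.168.122.98.443: Flags [S], seq 1, win 1024, length 0
10:20:01.000400 IP 192.168.122.98.22 > 10.0.0.5.41000: Flags [S.], seq 7, ack 2, win 29200, length 0
10:20:02.500000 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, length 0'

# count_syn_per_src [FILE...]: count bare SYNs ([S] without ACK) per source
# address, reading the files given or stdin. SYN-ACKs ([S.]) are not counted.
count_syn_per_src() {
    awk '/Flags \[S],/ {
            src = $3; sub(/\.[0-9]+$/, "", src)   # drop the ".port" suffix
            n[src]++
         }
         END { for (s in n) printf "%s %d\n", s, n[s] }' "$@" | sort
}

parse_tcp_line "$LINE_PSH"
check_length "$LINE_PSH"                      # ok
printf '%s\n' "$SCAN_LOG" | count_syn_per_src  # 10.0.0.5 3 / 192.168.122.98 1
```

Feed a real capture in with tcpdump -nn -r file.pcap tcp | count_syn_per_src. A "mismatch" from check_length on live output usually means the line was truncated or mangled in transit, for instance by a log pipeline that wrapped it.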
Now let's learn how to filter data packets to make it easier to analyze and locate problems.
4. Filter packets
As shown above, tcpdump captures everything it sees, and most of it may be unrelated to the problem at hand. For example, when troubleshooting a connection to a web server you do not need the packets of your own SSH session, so excluding them (the expression not port 22 does exactly that) makes the capture much easier to read.
tcpdump's filter expressions (the BPF syntax documented in pcap-filter(7)) let you select packets by source and destination address, port, protocol and more.
Here are the most commonly used filters.
Protocol
Naming a protocol in the expression selects only packets of that protocol. For example, to capture only ICMP:
$ sudo tcpdump -i any -c5 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
Then, in another terminal, ping some other machine:
$ ping opensource.com
PING opensource.com (54.204.39.132) 56(84) bytes of data.
64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms
Back in the terminal running tcpdump, only the ICMP packets appear. The DNS lookup ping performed for opensource.com is not shown, because it did not match the filter:
09:34:20 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64
09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64
09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64
09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64
09:34:22 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Host
Use the host primitive to capture only packets to or from a specific host:
$ sudo tcpdump -i any -c5 -nn host 54.204.39.132
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0
09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0
09:54:20 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0
09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1
09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Only packets involving 54.204.39.132, in either direction, were captured.
Port number
tcpdump can also filter on a service name or port number. For example, to capture HTTP traffic:
$ sudo tcpdump -i any -c5 -nn port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0
09:58:28 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0
09:58:28 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0
09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1
09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
IP address / hostname
Similarly, you can filter on the source or destination address or hostname alone. For example, to capture packets whose source address is 192.168.122.98:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)
10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)
10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0
10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0
10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Notice that the capture shows the DNS queries (to port 53) and the HTTP packets leaving 192.168.122.98, but none of the replies, since those have a different source address. A side effect of capturing one direction only: tcpdump never saw the server's SYN-ACK, so the client's first ACK is printed with an absolute acknowledgement number (ack 669337581), and the packets after it are numbered relative to that one, which is why the GET shows seq 0:112 rather than seq 1:113 as in the earlier captures.
Conversely, dst filters on the destination address or hostname:
$ sudo tcpdump -i any -c5 -nn dst 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)
10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0
10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val … ecr 122993922,nop,wscale 9], length 0
10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0
10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Combining conditions
Conditions can be combined with the logical operators and, or and not. For example, to capture HTTP packets whose source address is 192.168.122.98:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0
10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0
10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1
10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0
10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
You can also use parentheses to build more complex expressions. Quote the whole expression so the shell does not try to interpret the parentheses:
$ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0
10:10:37 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0
10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0
10:10:37 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1
10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Here only HTTP (port 80) packets whose source is either 192.168.122.98 or 54.204.39.132 were captured, which gives you both directions of the exchange. Because tcpdump saw the SYN in both directions, the sequence and acknowledgement numbers are relative again (seq 1:113, ack 1).
5. Inspect packet contents
So far we have filtered on header information only: addresses, ports and protocol. Sometimes the payload itself is what you need, for example to see what a client actually sent and what the server answered. tcpdump has three options for this: -x prints the packet in hex, -X prints hex and ASCII side by side, and -A prints the payload as ASCII, which is the most readable choice for text protocols such as HTTP.
For example, an HTTP request and its response with -A:
$ sudo tcpdump -i any -c10 -nn -A port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0
E..
13:02:14 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0
E..4..@.@.zb6.'....P...Ao..'.R.W.
13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1
E.@.@..1..zb6.'....P...Ao..'.R.W
GET / HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: opensource.com
Connection: Keep-Alive

13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0
E..4..."6.'...zb.P..o..'.9.2.R.a.
13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found
E....G@./...6.'...zb.P..o..'.9.R.b....
HTTP/1.1 302 Found
Server: nginx
Date: Sun, 23 Sep 2018 17:02:14 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 207
X-Content-Type-Options: nosniff
Location: https://opensource.com/
Cache-Control: max-age=1209600
Expires: Sun, 07 Oct 2018 17:02:14 GMT
X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d
X-Varnish: 632951979
Age: 0
Via: 1.1 varnish (Varnish/5.2)
X-Cache: MISS
Connection: keep-alive

302 Found
Found
The document has moved here.

13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0
E..4..@.@.zb6.'....P....o.R.b.
13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0
E..4..@.@.zb6.'....P....o.R.b.
13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0
E..4.....6.'...zb.P..o.9.I.R..
13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0
E..4..@.@.zb6.'....P....o.R.
10 packets captured
10 packets received by filter
0 packets dropped by kernel
(The lines of dots and stray characters are the IP and TCP headers rendered as ASCII; -A prints non-printable bytes as dots.) This is handy for debugging plain HTTP calls against an API. It is of little use for enc­rypted traffic, where -A shows only the TLS handshake in the clear and everything after it as opaque bytes. The flip side is worth remembering: a capture of a cleartext protocol contains everything that went over the wire, cookies, tokens and passwords included, so treat capture files and -A output as sensitive data.
6. Save the capture to a file
tcpdump can write captured packets to a file for later analysis: you can let it run overnight and go through the result in the morning, and when packets arrive faster than you can read them, a file is far easier to work with than scrolling output.
Use -w to write packets to a file instead of printing them:
$ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80
[sudo] password for ricardo:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
This command saved the captured packets to webserver.pcap. The .pcap suffix is the convention for libpcap capture files, the format tcpdump, Wireshark and most other analysis tools read.
As the example shows, nothing about the packets is printed while writing to a file; -c10 made the capture stop after 10 packets. If you want feedback that packets are actually being captured, add -v, which together with -w reports the running packet count. For long unattended runs, -C rotates the output file when it reaches a given size (in millions of bytes) and -G rotates it every given number of seconds (the file name can then contain strftime(3) conversions such as %Y%m%d-%H%M%S); -W caps the number of files kept.
The file is binary, so a text editor will not show anything useful. Use -r to read it back with tcpdump:
$ tcpdump -nn -r webserver.pcap
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0
13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0
13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0
$
sudo is not needed here, because you are reading a file rather than opening a network interface. (If tcpdump dropped privileges with -Z while writing, the file belongs to that unprivileged user; make sure your account can read it.)
Any of the filter expressions shown above work on a file exactly as they do on live traffic. For example, to see only the packets in the file whose source is 54.204.39.132:
$ tcpdump -nn -r webserver.pcap src 54.204.39.132
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
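As an added example (not from the original article), the following shell functions read the 24-byte global header that tcpdump -w writes at the start of a classic pcap file and report its byte order, format version, snaplen and link type, the same values tcpdump echoes as "link-type LINUX_SLL" and "capture size 262144 bytes". This is a cheap sanity check before handing a file from an unknown source to tcpdump -r or Wireshark. make_sample_pcap writes a constructed, packet-less file with exactly those header values so the check can be tried without a capture; the /tmp path in the usage line is an arbitrary choice.

```shell
# Added example, not part of the original article: inspect the global header
# of a classic pcap file (what tcpdump -w produces). The 24-byte header holds
# magic number, version, timezone, sigfigs, snaplen and link type, followed by
# the packet records. make_sample_pcap writes a constructed header-only file.

# u32 ORDER B0 B1 B2 B3: assemble four hex bytes (file order) into a decimal.
u32() {
    if [ "$1" = le ]; then echo $((0x$5$4$3$2)); else echo $((0x$2$3$4$5)); fi
}

# pcap_info FILE: print byte order, version, snaplen and link type, or fail
# (status 1) when the file is not a classic pcap.
pcap_info() {
    f=$1
    set -- $(od -An -tx1 -N24 -v "$f")
    if [ $# -ne 24 ]; then echo "not a pcap: header shorter than 24 bytes"; return 1; fi
    case "$1$2$3$4" in
        d4c3b2a1) order=le ;;   # little-endian writer, microsecond timestamps
        a1b2c3d4) order=be ;;   # big-endian writer
        4d3cb2a1) order=le ;;   # nanosecond-timestamp variant, little-endian
        a1b23c4d) order=be ;;   # nanosecond-timestamp variant, big-endian
        0a0d0d0a) echo "pcapng, not classic pcap"; return 1 ;;
        *) echo "not a pcap: unknown magic $1$2$3$4"; return 1 ;;
    esac
    if [ "$order" = le ]; then
        major=$((0x$6$5)); minor=$((0x$8$7))
    else
        major=$((0x$5$6)); minor=$((0x$7$8))
    fi
    snaplen=$(u32 "$order" "${17}" "${18}" "${19}" "${20}")
    linktype=$(u32 "$order" "${21}" "${22}" "${23}" "${24}")
    case "$linktype" in
        1)   name=EN10MB ;;      # raw Ethernet frames, a single physical interface
        113) name=LINUX_SLL ;;   # Linux "cooked" capture, what -i any produces
        276) name=LINUX_SLL2 ;;  # newer cooked format
        *)   name=unknown ;;
    esac
    echo "order=$order version=$major.$minor snaplen=$snaplen linktype=$linktype ($name)"
}

# make_sample_pcap FILE: write a constructed 24-byte header and nothing else
# (a capture with zero packets is still a valid file). Little-endian values:
# magic d4c3b2a1, version 2.4, thiszone 0, sigfigs 0, snaplen 262144 (0x40000),
# linktype 113 (0x71).
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\161\000\000\000' > "$1"
}

make_sample_pcap /tmp/sample.pcap && pcap_info /tmp/sample.pcap
# order=le version=2.4 snaplen=262144 linktype=113 (LINUX_SLL)
```

Run pcap_info on a real capture right after tcpdump finishes; if you intend to keep the file as evidence, record its checksum (for example with sha256sum) at the same time, since everything downstream depends on the file being the one you captured.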
What next?
These basics are enough to put tcpdump to work. See the tcpdump web site and the tcpdump(1) and pcap-filter(7) man pages for everything else.
tcpdump gives you a very flexible command-line way to capture and analyze network traffic. If you prefer a graphical tool, look at Wireshark.
Wireshark reads the pcap files tcpdump writes, so a common workflow is to capture with tcpdump on a remote machine that has no GUI, copy the file over, and analyze it in Wireshark. Bear in mind that a capture taken on a hostile network is untrusted input for whatever decoder you feed it to, Wireshark's protocol dissectors included.
Via: https://opensource.com/article/18/10/introduction-tcpdump
© 2024 shulou.com SLNews company. All rights reserved.