2025-03-26 Update From: SLTechnology News&Howtos, shulou (Servers)
Shulou (Shulou.com) 06/01 Report
This article introduces the Linux packet capture tool tcpdump and the filter expressions it accepts. It is intended as a reference; after reading it you should be able to write your own capture filters.
Among traditional network analysis and testing techniques, the sniffer is one of the most common and most important. Sniffer tools were originally designed so that network administrators and network programmers could analyse the traffic on the wire.
Matching Ethernet broadcast frames. An Ethernet broadcast frame is identified by a destination MAC address of all ones, so it can be matched as follows:
tcpdump 'ether dst ff:ff:ff:ff:ff:ff'
ylin@ylin:~$ sudo tcpdump -c 1 'ether dst ff:ff:ff:ff:ff:ff'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:47:57.784099 arp who-has 192.168.240.77 tell 192.168.240.189
Here -c 1 makes tcpdump exit after a single matching packet. The packet captured is an ARP request; ARP requests are sent to the broadcast address, so it matches as expected.
Matching Ethernet multicast frames. An Ethernet multicast address is identified by the I/G bit being 1: that is the least significant bit of the first octet of the destination MAC address (the first bit transmitted on the wire), not its highest bit. The remaining bits identify the group, and the broadcast address ff:ff:ff:ff:ff:ff is simply the special case in which every bit is set. To match one particular group, determine its group MAC address and filter on it:
tcpdump 'ether dst Mac_Address'
where Mac_Address is replaced by the group's address. To match all Ethernet multicast frames at once, use the ether multicast primitive described in the list of primitives further down.
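The "determine its group MAC address" step above is mechanical for IPv4 multicast: the standard RFC 1112 mapping places the low 23 bits of the group address behind the fixed prefix 01:00:5e. The following is an added example, not code from the original article, that performs that mapping, produces the matching ether dst expression, and shows why the mapping is lossy (32 groups share one MAC, so 'ether dst' is coarser than 'ip dst'). The function names are chosen here and are not tcpdump identifiers.

```python
import ipaddress


def ipv4_multicast_mac(group):
    """Ethernet address an IPv4 multicast group is delivered to (RFC 1112 mapping).

    The MAC is the fixed prefix 01:00:5e, then a 0 bit, then the low 23 bits of the
    group address. The top 5 bits of the host part of the group address are dropped.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return ":".join(f"{o:02x}" for o in octets)


def ether_dst_filter(group):
    """The tcpdump expression that selects frames sent to the group's MAC address."""
    return f"ether dst {ipv4_multicast_mac(group)}"


def groups_sharing_mac(group):
    """All 32 IPv4 multicast groups that map to the same MAC as `group`.

    Only 23 of the 28 group bits survive the mapping, so a filter on the MAC address
    also admits traffic for these other groups; filter on 'ip dst' when that matters.
    """
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | base)) for hi in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.251", "239.255.255.250"):   # mDNS and SSDP, as sample input
        print(g, "->", ether_dst_filter(g))
    print("groups sharing the mDNS MAC:", groups_sharing_mac("224.0.0.251"))
```

For example, 224.0.0.251 (mDNS) maps to 01:00:5e:00:00:fb, which is exactly the address that appears in a capture of mDNS traffic; 225.0.0.251 and 239.128.0.251 map to the same MAC, which is why a capture filter on the MAC address alone cannot distinguish them.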
(2) Matching ARP packets
ARP is the protocol used to map IP addresses to MAC addresses; it consists of ARP request and ARP reply messages. The ARP request is sent as an Ethernet broadcast, that is, its destination MAC address is all ones, so it can be matched with 'ether dst ff:ff:ff:ff:ff:ff'; the ARP reply is unicast back to the requester and is not matched by that expression. To capture the whole ARP exchange, match on the protocol instead:
tcpdump 'arp' matches ARP packets on the network.
ylin@ylin:~$ arping -c 4 192.168.240.1 > /dev/null & sudo tcpdump -p 'arp'
[1] 9293
WARNING: interface is ignored: Operation not permitted
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:09:25.042479 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:25.042702 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:26.050452 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:26.050765 arp reply 192.168.240.1 is-at 00:03:d2:20:04:28 (oui Unknown)
11:09:27.058459 arp who-has 192.168.240.1 (00:03:d2:20:04:28 (oui Unknown)) tell ylin.local
11:09:27.058701 arp reply 192.168.240.1
11:09:33.646514 arp who-has ylin.local tell 192.168.240.1
11:09:33.646532 arp reply ylin.local is-at 00:19:21:1d:75:e6 (oui Unknown)
In this example, arping -c 4 192.168.240.1 generates ARP requests and receives the replies, and tcpdump -p 'arp' captures them. The -p option keeps the interface in normal (non-promiscuous) mode, so only frames addressed to this host or to the broadcast address are seen, which keeps the output easy to read.
(3) Matching IP packets
IP is the most important protocol in the TCP/IP suite; it is what allows networks to be interconnected into the Internet. Let us look at the expressions that match IP packets.
Matching by IP address:
tcpdump 'ip src 192.168.240.69'
ylin@ylin:~$ sudo tcpdump -c 3 'ip src 192.168.240.69'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:00.973605 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: S 2706301341 win 5840
11:20:00.974328 IP ylin.local.32849 > 192.168.200.150.domain: 5858+ PTR? (45)
11:20:01.243490 IP ylin.local.51486 > walnut.crossbeamsys.com.ssh: . ack 2762262674 win 183
Matching IP broadcast and multicast packets: just give the broadcast or multicast address as the destination.
tcpdump 'ip dst 192.168.240.255'
ylin@ylin:~$ sudo tcpdump 'ip dst 192.168.240.255'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:25:29.690658 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 1, length 64
11:25:30.694989 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 2, length 64
11:25:31.697954 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 3, length 64
11:25:32.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 4, length 64
11:25:33.697970 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 5, length 64
11:25:34.697982 IP dd.local > 192.168.240.255: ICMP echo request, id 10022, seq 6, length 64
What is matched here is the ICMP broadcast packet. To generate it, run ping -b 192.168.240.255 on another host on the same LAN. Multicast packets can be matched in the same way by giving the group address as the destination; no example is shown here because there was no convenient tool at hand to generate them.
(4) Matching TCP packets
TCP is another of the most important protocols in the TCP/IP stack: it provides a reliable end-to-end byte stream, and many application layer protocols use it as their transport, which is why matching TCP traffic matters so much.
To match HTTP traffic, specify port 80. Note the difference in direction: 'tcp dst port 80' matches only packets sent to the server, while 'tcp port 80', used in the example below, matches both directions of the connection.
tcpdump 'tcp dst port 80'
ylin@ylin:~$ wget http://www.baidu.com 2>&1 1>/dev/null & sudo tcpdump -c 5 'tcp port 80'
[1] 10762
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:02:47.549056 IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: S 1202130469 ack 1132882351 win 2896
IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: . ack 1 win 183
12:02:47.549226 IP ylin.local.47945 > xd-22-43-a8.bta.net.cn.www: P 1:102(101) ack 1 win 183
IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . ack 102 win 698
IP xd-22-43-a8.bta.net.cn.www > ylin.local.47945: . 1:1409(1408) ack 102 win 724
(5) Matching UDP packets
UDP is a connectionless, unreliable datagram protocol, so the main thing to match on is again the port, for example:
tcpdump 'udp port 53' shows DNS packets.
ylin@ylin:~$ ping -c 1 www.baidu.com > /dev/null & sudo tcpdump -p udp port 53
[1] 11424
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
IP ylin.local.32853 > 192.168.200.150.domain: 63228+ PTR? 43.22.108.202.in-addr.arpa. (44)
12:28:09.222607 IP ylin.local.32854 > 192.168.200.150.domain: 5114+ PTR? 150.200.168.192.in-addr.arpa. (46)
IP 192.168.200.150.domain > ylin.local.32853: 63228 1/0/0 (80)
12:28:09.487232 IP 192.168.200.150.domain > ylin.local.32854: 5114 NXDomain*
IP ylin.local.32854 > 192.168.200.150.domain: 60693+ PTR? 69.240.168.192.in-addr.arpa. (45)
12:28:14.755072 IP 192.168.200.150.domain > ylin.local.32854: 60693 NXDomain
ping www.baidu.com is run to generate DNS queries and responses; 53 is the DNS port. Note that the packets shown are PTR (reverse) lookups of the addresses that appear in the output rather than the A query for www.baidu.com: without -n, tcpdump itself resolves addresses to names, and those lookups end up in the capture. Add -n (or -nn, which also stops port-to-service translation) when that noise is unwanted.
In addition, there are qualifiers that have not been mentioned yet; the following are other legal primitives that can be used directly in tcpdump.
gateway host
Matches packets that use host as a gateway, that is, the Ethernet source or destination address is that of host but neither the IP source nor the IP destination address is host. host must be a name that resolves both to an IP address and to an Ethernet address (for example via /etc/ethers).
dst net net
src net net
net net
net net mask netmask
net net/len
Match datagrams whose IPv4/IPv6 address belongs to the network net.
net can be written as 192.168.0.0 or abbreviated as 192.168; net 192.168 and net 192.168.0.0 are equivalent, the missing octets determining the prefix length.
net net mask netmask is valid only for IPv4, for example net 192.168.0.0 mask 255.255.0.0.
net net/len works for both IPv4 and IPv6, for example net 192.168.0.0/16.
dst portrange port1-port2
src portrange port1-port2
portrange port1-port2
Match ip/tcp, ip/udp, ip6/tcp and ip6/udp packets whose port lies in the range port1-port2. dst and src restrict the match to the destination or source port respectively; without either, a match on either port is enough.
less length matches packets whose length is less than or equal to length.
greater length matches packets whose length is greater than or equal to length.
ip protochain protocol matches IPv4 packets whose chain of protocol headers contains protocol.
ip6 protochain protocol does the same for IPv6 packets.
For example, tcpdump 'ip protochain 6' matches TCP segments in an IPv4 network, which is equivalent to tcpdump 'ip && tcp', where && joins two primitives; 6 is the protocol number of TCP in the IP header.
ether broadcast
Matches Ethernet broadcast frames.
ether multicast
Matches Ethernet multicast frames (including broadcast, since the broadcast address also has the multicast bit set).
ip broadcast
Matches IPv4 broadcast packets, that is, IPv4 packets whose destination address has a host part of all 0 or all 1. tcpdump determines the host part from the netmask of the capture interface.
ip multicast
Matches IPv4 multicast packets, that is, packets whose destination address is a multicast address.
ip6 multicast
Matches IPv6 multicast packets, that is, packets whose destination address is a multicast address.
vlan vlan_id
Matches 802.1Q VLAN-tagged packets whose VLAN id is vlan_id.
So far every expression has consisted of a single primitive. Once each primitive can be written correctly, several of them are easily combined into one expression by joining them with logical operators. There are three:
"&&" or "and"
"||" or "or"
"!" or "not"
and parentheses can be used to build more complex combinations. Because &&, || and parentheses are also special characters to the shell, put the whole expression in single quotes. For example:
tcpdump 'ip && tcp'
tcpdump 'host 192.168.240.3 && (tcp port 80 || tcp port 443)'
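To make the matching rules of the primitives listed above concrete, and to show how the combined expression just given behaves, here is an added example that is not part of the original article. It re-implements a handful of tcpdump primitives (ether broadcast, ether multicast, ip broadcast, ip multicast, net, host, port, portrange) as plain Python predicates and runs them over five hand-built frames, so the results can be checked offline without root or a network interface. The frames, addresses and function names are all constructed for this example; 203.0.113.10 is a documentation address, and the netmask that tcpdump would take from the capture interface is passed in as a parameter here.

```python
import ipaddress
import struct

# Constructed sample frames (not captured traffic), so the primitives can be checked offline.
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def ethernet(dst, src, ethertype, payload):
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload):
    # Minimal 20-byte header; checksum stays zero because no filter below reads it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def l4(sport, dport):
    # Only the two port fields matter to the port primitives; the rest is padding.
    return struct.pack("!HH", sport, dport) + bytes(16)


SAMPLES = {
    "arp_request": ethernet("ff:ff:ff:ff:ff:ff", "00:19:21:1d:75:e6", ETHERTYPE_ARP, bytes(28)),
    "mdns": ethernet("01:00:5e:00:00:fb", "00:19:21:1d:75:e6", ETHERTYPE_IPV4,
                     ipv4("192.168.240.69", "224.0.0.251", PROTO_UDP, l4(5353, 5353))),
    "https_client": ethernet("00:03:d2:20:04:28", "00:19:21:1d:75:e6", ETHERTYPE_IPV4,
                             ipv4("192.168.240.3", "203.0.113.10", PROTO_TCP, l4(51486, 443))),
    "https_server": ethernet("00:19:21:1d:75:e6", "00:03:d2:20:04:28", ETHERTYPE_IPV4,
                             ipv4("203.0.113.10", "192.168.240.3", PROTO_TCP, l4(443, 51486))),
    "bcast_ping": ethernet("ff:ff:ff:ff:ff:ff", "00:03:d2:20:04:28", ETHERTYPE_IPV4,
                           ipv4("192.168.240.77", "192.168.240.255", PROTO_ICMP, bytes(8))),
}


def parse(frame):
    """Pull out just the fields the primitives below look at."""
    p = {"len": len(frame), "dst_mac": frame[:6], "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if p["ethertype"] == ETHERTYPE_IPV4:
        ihl = (frame[14] & 0x0F) * 4
        p["proto"] = frame[23]
        p["src_ip"] = ipaddress.IPv4Address(frame[26:30])
        p["dst_ip"] = ipaddress.IPv4Address(frame[30:34])
        if p["proto"] in (PROTO_TCP, PROTO_UDP):
            p["sport"], p["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return p


# One function per primitive, each taking the parsed packet.
def ether_broadcast(p):
    return p["dst_mac"] == b"\xff" * 6

def ether_multicast(p):
    # The I/G bit is the LOW bit of the FIRST octet, so broadcast frames match as well.
    return bool(p["dst_mac"][0] & 0x01)

def is_ip(p):
    return p["ethertype"] == ETHERTYPE_IPV4

def ip_multicast(p):
    return is_ip(p) and p["dst_ip"].is_multicast

def ip_broadcast(p, netmask="255.255.255.0"):
    # tcpdump takes the netmask from the capture interface; here it is a parameter (assumption).
    if not is_ip(p):
        return False
    hostbits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))
    host_part = int(p["dst_ip"]) & hostbits
    return host_part == 0 or host_part == hostbits

def net(spec):
    # 'net 192.168' shorthand: the missing octets give the prefix length, as in tcpdump.
    if "/" not in spec:
        octets = spec.split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    network = ipaddress.IPv4Network(spec)
    return lambda p: is_ip(p) and (p["src_ip"] in network or p["dst_ip"] in network)

def host(addr):
    want = ipaddress.IPv4Address(addr)
    return lambda p: is_ip(p) and want in (p["src_ip"], p["dst_ip"])

def port(proto, number, direction="both"):
    # direction "src"/"dst" mirrors 'src port'/'dst port'; "both" mirrors plain 'port'.
    def pred(p):
        if not (is_ip(p) and p.get("proto") == proto):
            return False
        sides = {"src": [p["sport"]], "dst": [p["dport"]]}.get(direction, [p["sport"], p["dport"]])
        return number in sides
    return pred

def portrange(lo, hi):
    return lambda p: "sport" in p and (lo <= p["sport"] <= hi or lo <= p["dport"] <= hi)


def matches(pred, frames=SAMPLES):
    """Names of the sample frames a predicate selects, in sorted order."""
    return sorted(name for name, frame in frames.items() if pred(parse(frame)))


def http_or_https_of_host(p):
    # 'host 192.168.240.3 && (tcp port 80 || tcp port 443)' written as plain boolean logic
    return host("192.168.240.3")(p) and (port(PROTO_TCP, 80)(p) or port(PROTO_TCP, 443)(p))


if __name__ == "__main__":
    for label, pred in [("ether broadcast", ether_broadcast), ("ether multicast", ether_multicast),
                        ("ip broadcast", ip_broadcast), ("net 192.168", net("192.168")),
                        ("tcp dst port 443", port(PROTO_TCP, 443, "dst")),
                        ("host && (port 80 || port 443)", http_or_https_of_host)]:
        print(f"{label:32s} -> {matches(pred)}")
```

Two results are worth noticing. ether multicast selects the broadcast frames too, because ff:ff:ff:ff:ff:ff has the multicast bit set; and ip broadcast depends entirely on the netmask: with 255.255.255.0 the ping to 192.168.240.255 matches, with 255.255.0.0 nothing does, which is the behaviour to expect from tcpdump when the interface's netmask does not match the network you are looking at.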
With the primitives above, quite rich conditions can be written for ip, tcp, udp, vlan and so on: IP can be matched by address, tcp/udp by port. But what about more detailed conditions, for example TCP segments that carry only the SYN and FIN flags? None of the primitives above can express that. For such cases tcpdump provides one last and most powerful primitive (a primitive, note, not an expression), and several instances of it can be combined into more complex expressions.
© 2024 shulou.com SLNews company. All rights reserved.