
How to analyze Tcpdump

2025-04-05 Update From: SLTechnology News&Howtos, shulou (Servers)

Shulou (Shulou.com) 06/01 Report

This article is about how to analyze traffic with tcpdump. The editor thinks it is very practical and shares it here; I hope you get something out of it. Let's take a look together.

What I want to share today is tcpdump, a very useful network tool on Linux systems that is usually used for fault diagnosis and network analysis.

Compared to other Linux tools, tcpdump is complex. I do not recommend trying to learn all of it: put what you have learned into practice, and being able to solve problems at work is what counts.

This article starts from the application scenarios and basic principles and then provides a wealth of practical cases, so that you can quickly grasp the core usage of tcpdump, which is enough for daily work.

Application scenarios

Many network problems encountered in daily work can be solved elegantly with tcpdump:

1. Most of you will have met a slow SSH connection to a server. By capturing packets with tcpdump you can quickly locate the specific cause, which is usually that DNS resolution is too slow.

2. When our engineers and users argue over who is responsible for a network problem, a tcpdump capture quickly locates the cause of the fault and takes the pressure off.

3. When a newly developed network program does not behave as expected, we collect the relevant packets with tcpdump and analyze the cause at the packet level, so the problem can be solved easily.

4. When the performance of a network program is poor, we use tcpdump to analyze the characteristics of the data flow and, combined with the relevant protocols, tune the network parameters to improve the network performance of the system.

5. When learning network protocols, capturing packets with tcpdump and analyzing the protocol format helps us learn protocols more intuitively, effectively and quickly.

The above is just a short list of common application scenarios. As long as the problem involves the network, tcpdump is a very powerful tool for network diagnosis, network optimization and protocol learning.

Proficiency with tcpdump helps us solve all kinds of network problems at work. Below, we first briefly look at how it works.

Working principle

tcpdump is a very useful network tool on Linux systems. It runs in user mode and, in essence, captures packets by calling the APIs of the libpcap library.

From the figure above (referenced in the original article), we can see that after a packet arrives at the network card it is filtered by the packet filter (BPF) and copied to the user-mode tcpdump program, which then processes it, prints it, or saves it to a pcap file.

The main job of the packet filter (BPF) is to copy only the packets the user cares about to tcpdump, according to the filter rules the user enters. This avoids unnecessary packet copies and reduces the performance cost of capturing.

Think about it: here is a real interview question.

Interviewer: if some packets are blocked by iptables, can they still be caught with tcpdump?

With the picture above in mind, this question is easy to answer.

Because netfilter (iptables) in Linux works inside the protocol stack, while the BPF filter used by tcpdump sits in front of the protocol stack, an incoming packet dropped by iptables is still captured by tcpdump. Note that this holds for inbound packets; an outbound packet dropped by the OUTPUT chain never reaches the capture point, so tcpdump does not see it.

Now that we understand the basic principles of tcpdump, let's go straight to practice!

Practice: basic usage

Let's start with a few simple examples to introduce the basic usage of tcpdump.

1. Without any parameters, tcpdump captures all packets on the first non-loopback interface by default.

$ tcpdump

2. Capture all packets on the eth0 interface:

$ tcpdump -i eth0

3. The -n option tells tcpdump not to resolve host and port names. This option has a real effect on capture performance and should almost always be given.

$ tcpdump -n -i eth0

4. Capture all packets to or from the host 192.168.1.100:

$ tcpdump -ni eth0 host 192.168.1.100

5. Capture the packets sent by the host 10.1.1.2:

$ tcpdump -ni eth0 src host 10.1.1.2

6. Capture all packets sent to 10.1.1.2:

$ tcpdump -ni eth0 dst host 10.1.1.2

7. Capture packets sent to a given host on eth0 and stop after 10 packets. The -c option is also commonly used.

$ tcpdump -ni eth0 -c 10 dst host 192.168.1.200

8. Capture all SSH request packets on eth0. The default SSH port is 22.

$ tcpdump -ni eth0 dst port 22

9. Capture 5 ping (ICMP) packets on eth0:

$ tcpdump -ni eth0 -c 5 icmp

10. Capture all ARP packets on eth0:

$ tcpdump -ni eth0 arp

11. Hexadecimal output (-X) is helpful when you want to check whether the contents of a packet are what you expect:

$ tcpdump -ni eth0 -c 1 arp -X
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:31.602995 ARP, Request who-has 172.17.92.133 tell 172.17.95.253, length 28
        0x0000:  0001 0800 0604 0001 eeff ffff ffff ac11  ................
        0x0010:  5ffd 0000 0000 0000 ac11 5c85            _.........\.

12. Capture only IPv6 traffic on eth0:

$ tcpdump -ni eth0 ip6

13. Capture traffic in a given port range:

$ tcpdump -ni eth0 portrange 80-9000

14. Capture the traffic of a given network segment:

$ tcpdump -ni eth0 net 192.168.1.0/24

Practice: advanced usage

The power and flexibility of tcpdump come mainly from how expressively BPF filter primitives can be combined.

This section shares some commonly used so-called advanced usage; readers are encouraged to adapt these examples to their actual needs.

1. Capture packets from a given client to the SSH port:

$ tcpdump -ni eth0 src 192.168.1.100 and dst port 22

2. Capture traffic from one network segment to other network segments. Because and binds more tightly than or, the destination alternatives need parentheses, and the network address must have no host bits set (tcpdump rejects 192.168.1.0/16):

$ tcpdump -ni eth0 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

3. Capture traffic from a host to any port other than SSH:

$ tcpdump -ni eth0 src 10.0.2.4 and not dst port 22

4. When building complex expressions you may need quotation marks. Single quotes stop the shell from interpreting special characters; here the parentheses are the special characters. Without quotes you would have to escape them with backslashes.

$ tcpdump -ni eth0 'src 10.0.2.4 and (dst port 3389 or 22)'

5. Filter by packet size. These are useful when you are looking for packets of a particular length.

Less than or equal to 64 bytes:

$ tcpdump -ni eth0 less 64

Greater than or equal to 64 bytes:

$ tcpdump -ni eth0 greater 64

Exactly 64 bytes:

$ tcpdump -ni eth0 'length == 64'

6. Filter on TCP flags. tcp[tcpflags] is the flags byte of the TCP header (byte 13 of the header).

Capture RST packets sent by a host:

$ tcpdump -ni eth0 'src host 192.168.1.100 and tcp[tcpflags] & (tcp-rst) != 0'

Capture SYN packets sent by a host:

$ tcpdump -ni eth0 'src host 192.168.1.100 and tcp[tcpflags] & (tcp-syn) != 0'

Capture FIN packets sent by a host:

$ tcpdump -ni eth0 'src host 192.168.1.100 and tcp[tcpflags] & (tcp-fin) != 0'

Capture SYN or FIN packets of TCP connections:

$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

7. Capture all ICMP packets other than ping (echo request and echo reply):

$ tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

8. Capture IPv4 TCP packets on port 80 that carry data, excluding bare SYN, FIN and ACK packets:

$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

To explain this expression: ip[2:2] is the total length of the IP packet, (ip[0]&0xf)<<2 is the length of the IP header, and (tcp[12]&0xf0)>>2 is the length of the TCP header. Subtracting both header lengths from the total length leaves the TCP payload length; if it is not 0, the packet carries data. If this is not clear, you will need to brush up on the TCP/IP header formats.

9. Capture HTTP messages. 0x4745 is the value of the first two bytes of "GET" and 0x4854 is the value of the first two bytes of "HTTP". The offset 20 assumes a TCP header with no options.

$ tcpdump -ni eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'
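To show what the byte-index filters in items 6, 8 and 9 actually test, here is an added Python example (not from the original article) that rebuilds the same arithmetic over constructed IPv4/TCP packets. The packets, ports and addresses are made up for the example; the last function also shows the fix for the fixed tcp[20:2] offset, which misses requests when TCP options are present.

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_ipv4_tcp(flags: int, payload: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    """Constructed IPv4 + TCP packet (no Ethernet header), dst port 80; not a real capture."""
    assert len(tcp_opts) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = ((20 + len(tcp_opts)) // 4) << 4        # high nibble of tcp[12]
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset, flags, 65535, 0, 0)
    ip_total = 20 + len(tcp_hdr) + len(tcp_opts) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 2, 4]), bytes([192, 168, 1, 10]))
    return ip_hdr + tcp_hdr + tcp_opts + payload

# Each helper mirrors one byte-index term from the tcpdump filters above.
def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) << 2                            # (ip[0] & 0xf) << 2

def ip_total_len(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]                # ip[2:2]

def tcp_bytes(pkt: bytes) -> bytes:
    return pkt[ip_header_len(pkt):]                        # tcp[...] offsets start here

def tcp_header_len(pkt: bytes) -> int:
    return (tcp_bytes(pkt)[12] & 0xF0) >> 2                # (tcp[12] & 0xf0) >> 2

def tcp_flags_set(pkt: bytes, mask: int) -> bool:
    return (tcp_bytes(pkt)[13] & mask) != 0                # tcp[tcpflags] & (mask) != 0

def tcp_has_payload(pkt: bytes) -> bool:
    # ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) != 0
    return ip_total_len(pkt) - ip_header_len(pkt) - tcp_header_len(pkt) != 0

def http_fixed_offset(pkt: bytes) -> bool:
    return tcp_bytes(pkt)[20:22] in (b"GE", b"HT")         # tcp[20:2] = 0x4745 or 0x4854

def http_any_offset(pkt: bytes) -> bool:
    # Same test, but indexed from the real TCP header length so options do not break it.
    off = tcp_header_len(pkt)
    return tcp_bytes(pkt)[off:off + 2] in (b"GE", b"HT")

# Sample packets: a bare SYN, a GET with a 20-byte TCP header, a GET with 12 bytes of options.
SYN = build_ipv4_tcp(TCP_SYN)
GET_PLAIN = build_ipv4_tcp(TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n")
GET_OPTS = build_ipv4_tcp(TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n",
                          b"\x01\x01\x08\x0a" + b"\x00" * 8)  # NOP, NOP, timestamp
```

The equivalent tcpdump filter for http_any_offset is 'tcp[((tcp[12]&0xf0)>>2):2] = 0x4745', which indexes from the real header length instead of the fixed 20.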

Common options

After the practical cases above you should have a good grasp of the basic usage of tcpdump; here is a summary of the commonly used options.

(I) Basic options

-i: specify the interface

-D: list the interfaces available for capture

-s: specify the snapshot length (how many bytes of each packet to capture)

-c: specify the number of packets to capture

-w: save the captured packets to a file

-r: read packets from a file

-C: specify the maximum file size, used together with -w

-F: read the filter expression from a file

-n: do not resolve host names and port numbers. This option is very important and should generally be added.

-P: specify whether to capture incoming or outgoing packets; accepted values are in, out and inout.

(II) Output options

-e: include the data link layer header in the output

-t: controls the timestamp output (a single -t suppresses it; -tttt prints the full date and time)

-X: print the packet contents in hexadecimal

-v: print detailed packet information; -vv and -vvv give progressively more detail.

Filter expressions

The power and flexibility of tcpdump come mainly from how expressively BPF filter primitives can be combined.

(1) Operands

An expression is built from several kinds of primitives:

Type: the kind of object, such as host, net, port or portrange. If no type is given, host is assumed.

Dir: the direction of transfer. The options are src and dst.

Proto: the protocol. The options include ether, ip, ip6, arp, icmp, tcp and udp.

(2) Combining conditions

Primitives can be joined with the keywords and, or and not to form more powerful expressions.

or: logical OR

and: logical AND

not: logical NOT

Having read this far, I suggest going back over the examples in the practice sections; I believe you will understand them more deeply, which is exactly the effect I am hoping for!

Experience

No new knowledge points are added here; these are some lessons learned at work:

1. tcpdump is not a panacea and does not solve every network problem.

2. In high-traffic scenarios, capturing packets may affect system performance. Use it with caution in a production environment!

3. In high-traffic scenarios tcpdump is not suitable for traffic statistics. If needed, use a switch port mirror and analyze the mirrored traffic instead.

4. Capturing packets with tcpdump on Linux and analyzing them with Wireshark gets twice the result with half the effort.

5. When capturing, try not to use the any pseudo-interface.

6. When capturing, specify as precise a filter expression as possible to reduce copying of useless packets.

7. When capturing, specify the -n option to reduce the overhead of resolving hosts and ports.

From the above we can see that tcpdump is a powerful fault diagnosis and network analysis tool. The network problems we meet in daily work can usually be solved with tcpdump.

tcpdump is more complex than most Linux commands, but given its powerful features it is worth spending a little more time on. To master tcpdump well you need some understanding of network packets (the TCP/IP protocols).

Of course, for simple use, a basic understanding of networking plus the common tcpdump usage shown here is enough to handle most network-related problems at work.

That is how to analyze traffic with tcpdump. The editor believes some of these points will come up in your daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
