Detailed tcpdump command (reproduced)

1. Introduction to the tcpdump command

The tcpdump command is a command-line packet sniffer for Unix-like systems that captures the packets passing through a network interface. Roughly, it works as follows: on Linux, packet capture is implemented by registering a pseudo network protocol with the kernel, which gives the capture code the ability to process the frames received by a network device. When a network card receives a frame, the kernel walks through all registered protocol handlers (for example the Ethernet and X.25 modules) and lets each of them try to process it. Because the capture module is registered as one of these protocols, it is handed every frame the card receives; it takes that opportunity to make a complete copy of the frame, treats the copy as traffic received by itself, and passes it up to the packet-capture module for processing.

1.1 Syntax
View the status of the local network card:

[root@cnetos daocoder]# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0   1500    40409      0      0 0         20376      0      0      0 BMU
ens5f0    1500 22999894941      0      0 0      25581016784      0      0      0 BMRU
lo       65536 850291094      0      0 0      850291094      0      0      0 LRU

Iface: the network interfaces present on the host.
MTU: maximum transmission unit.
RX-OK RX-ERR RX-DRP RX-OVR: the number of datagrams received correctly, and the counts of receive errors, drops, and overruns.
TX-OK TX-ERR TX-DRP TX-OVR: the number of datagrams sent correctly, and the counts of transmit errors, drops, and overruns.

[root@centos daocoder]# tcpdump --help
tcpdump version 4.9.0
libpcap version 1.5.3
OpenSSL 1.0.1e-fips 11 Feb 2013
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]

The filter expression can be roughly divided into several categories of keywords:

1. Type keywords
host: specify a host, e.g. host 10.1.110.110
net: specify a network address, e.g. net 10.1.0.0
port: specify a port number, e.g. port 8090

2. Direction keywords
src: the source address of the IP packet, e.g. src 10.1.110.110
dst: the destination address of the IP packet, e.g. dst 10.1.110.110

3. Protocol keywords (by default, packets of all protocols are captured)
fddi, ip, arp, rarp, tcp, udp.

4. Other keywords
gateway, broadcast, less, greater.

5. Common expression operators
! or not
&& or and
|| or or

6. Detailed explanation of the options
-A: print each packet in ASCII (excluding the link-layer header).
-a: convert network and broadcast addresses into names.
-c: capture the specified number of packets and then exit.
-C: before writing a packet to the file given with -w, check whether the file is larger than this size; if so, start a new file (the file names are suffixed 1, 2, 3, and so on);
-d: dump the compiled packet-matching code in a human-readable assembly-like form;
-dd: dump the packet-matching code as a C program fragment;
-ddd: dump the packet-matching code as decimal numbers;
-D: list the numbers and names of all network interfaces on the current host; either can be used with the -i option;
-e: print the link-layer header on each output line;
-f: print foreign Internet addresses numerically;
-F<expression file>: read the filter expression from the specified file and ignore any expression given on the command line;
-i<network interface>: listen on the given interface of the host; if none is specified, the interface with the lowest number (as shown by -D) is used, excluding the loopback interface. On Linux 2.2 and later kernels the pseudo-interface any can be given, which captures on all interfaces;
-l: line-buffer standard output, so that each packet is printed as soon as it is decoded (useful when piping the output to another program); this only applies when -w is not used, since with -w nothing is printed;
-n: show IP addresses instead of host names;
-nn: show port numbers instead of service names (in addition to -n);
-N: print only the host part of names, without the domain name;
-O: do not run the optimizer on the packet-matching code;
-p: do not put the network interface into promiscuous mode;
-q: quick output: print less protocol information, so lines are shorter;
-r<packet file>: read packets from the specified file (usually a file created with -w);
-s<packet size>: set how many bytes are captured from each packet (the snapshot length); -s0 captures the whole packet whatever its length, and is often used together with -A. The default snapshot length is 60 bytes, whereas the usual Ethernet MTU is 1500 bytes, so when you want to capture packets larger than 60 bytes the default value truncates them and packet data is lost;
-S: print absolute rather than relative TCP sequence numbers;
-t: do not print a timestamp on each output line;
-tt: print an unformatted (raw seconds) timestamp on each output line;
-T<packet type>: interpret the matched packets directly as the specified type of message; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol);
-v: slightly more verbose output; for example, the TTL and type-of-service fields of IP packets are included;
-vv: even more verbose output;
-x/-xx/-X/-XX: print packet contents in hexadecimal; the variants differ only in whether the link-layer header is included and whether an ASCII column is printed, see the man page for details;
-w<packet file>: write the raw packets to the file instead of parsing and printing them;
expression: the filter expression that selects which packets are shown;

1.2 Reading the output

[root@centos dcocoder]# tcpdump host 10.1.110.110 -i ens5f0 -c 10 -l -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5f0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:59:51.071567 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 1715331653:1715331865, ack 2259278754, win 65535, length 212
10:59:51.071699 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 212:408, ack 1, win 65535, length 196
10:59:51.071794 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 408:572, ack 1, win 65535, length 164
10:59:51.071861 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 572:736, ack 1, win 65535, length 164
10:59:51.071910 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 736:900, ack 1, win 65535, length 164
10:59:51.071958 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 900:1064, ack 1, win 65535, length 164
10:59:51.072006 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 1064:1228, ack 1, win 65535, length 164
10:59:51.072053 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 1228:1392, ack 1, win 65535, length 164
10:59:51.072141 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 1392:1556, ack 1, win 65535, length 164
10:59:51.077438 IP 10.1.110.110.7608 > 10.1.87.25.ssh: Flags [.], ack 212, win 63360, length 0
10 packets captured
13 packets received by filter
0 packets dropped by kernel

1. The first line: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

Use the -v or -vv option to see fuller protocol details.

2. The second line, listening on ens5f0, link-type EN10MB (Ethernet), capture size 262144 bytes, means that tcpdump is listening on the interface ens5f0, whose link layer is Ethernet, and that at most 262144 bytes are captured from each packet; this snapshot size can be changed with -s.

3. The third line: 10:59:51.071567 IP 10.1.87.21.ssh > 10.1.110.110.7608: Flags [P.], seq 1715331653:1715331865, ack 2259278754, win 65535, length 212

10:59:51.071567: the time the packet was captured, as hours, minutes, seconds, and microseconds.
IP 10.1.87.21.ssh > 10.1.110.110.7608: Flags [P.], seq 1715331653:1715331865, ack 2259278754, win 65535, length 212: the tcpdump man page describes this format as follows:

src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports.
Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK), or 'none' if no flags are set.
Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is the sequence number of the next data expected in the other direction on this connection.
Window is the number of bytes of receive buffer space available in the other direction on this connection.
Urg indicates there is `urgent' data in the packet.
Options are TCP options enclosed in angle brackets (e.g., <mss 1024>).

In plain terms, the output above shows packets from 10.1.87.21 to 10.1.110.110, sent from port 22 (the ssh port) to port 7608; the first nine carry the PUSH flag, and the last one is the ACK returned in the other direction.
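To make the field layout described above concrete, here is an added example (not part of the original post) that parses tcpdump's one-line TCP summary format into structured records, decodes the flag letters using the man-page table quoted above, checks that each seq range covers exactly the reported length (true for both absolute and relative sequence numbers, which is why -S does not change that arithmetic), and totals bytes per direction. The sample lines are constructed from the capture shown above plus one synthetic SYN line; the function and field names are this example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three lines copied from the capture above plus one
# synthetic SYN line (so a handshake packet with options is present).
SAMPLE = """\
10:59:51.071567 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 1715331653:1715331865, ack 2259278754, win 65535, length 212
10:59:51.071699 IP 10.1.85.21.ssh > 10.1.110.110.7608: Flags [P.], seq 212:408, ack 1, win 65535, length 196
10:59:51.077438 IP 10.1.110.110.7608 > 10.1.85.21.ssh: Flags [.], ack 212, win 63360, length 0
10:59:52.000001 IP 10.1.110.110.7609 > 10.1.85.21.ssh: Flags [S], seq 100, win 64240, options [mss 1460], length 0
"""

# Flag letters as listed in the tcpdump man page text quoted above.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"   # "seq a:b" or bare "seq a"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)


@dataclass
class TcpLine:
    ts: str
    src: tuple            # (host, port-or-service)
    dst: tuple
    flags: List[str]
    seq_start: Optional[int]
    seq_end: Optional[int]
    ack: Optional[int]
    win: int
    options: List[str]
    length: int


def split_endpoint(ep: str):
    """'10.1.85.21.ssh' -> ('10.1.85.21', 'ssh'): the last dot separates the port."""
    host, port = ep.rsplit(".", 1)
    return host, port


def decode_flags(text: str) -> List[str]:
    """Expand the letter string inside Flags [...] into flag names."""
    if text == "none":
        return []
    return [FLAG_NAMES.get(ch, ch) for ch in text]


def parse_line(line: str) -> Optional[TcpLine]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq, seq_end, ack, opts = m.group("seq", "seq_end", "ack", "opts")
    return TcpLine(
        ts=m.group("ts"),
        src=split_endpoint(m.group("src")),
        dst=split_endpoint(m.group("dst")),
        flags=decode_flags(m.group("flags")),
        seq_start=int(seq) if seq else None,
        seq_end=int(seq_end) if seq_end else None,
        ack=int(ack) if ack else None,
        win=int(m.group("win")),
        options=[o.strip() for o in opts.split(",")] if opts else [],
        length=int(m.group("length")),
    )


def parse_capture(text: str) -> List[TcpLine]:
    """Parse every TCP summary line; lines in other formats are skipped."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def payload_consistent(p: TcpLine) -> bool:
    """'seq a:b' must cover exactly `length` bytes, absolute or relative numbering alike."""
    if p.seq_start is None or p.seq_end is None:
        return p.length == 0
    return p.seq_end - p.seq_start == p.length


def summarize(packets: List[TcpLine]) -> dict:
    """Bytes carried per (src host, dst host) direction and a count of each flag."""
    bytes_by_dir = defaultdict(int)
    flag_counts = Counter()
    for p in packets:
        bytes_by_dir[(p.src[0], p.dst[0])] += p.length
        flag_counts.update(p.flags)
    return {"packets": len(packets), "bytes": dict(bytes_by_dir), "flags": dict(flag_counts)}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for p in pkts:
        print(p.ts, p.src, "->", p.dst, p.flags, p.length, payload_consistent(p))
    print(summarize(pkts))
```

Feeding a real `tcpdump -n -l` output stream into `parse_capture` is a quick way to confirm that the first data segment in each direction shows an absolute sequence number and the rest show relative ones, which is the behaviour the -S option switches off.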

1.3 Common scenarios
1. Capture the traffic between 10.1.85.21 and 10.1.85.19. Note the backslash-escaped parentheses, which stop the shell from interpreting them:

[root@centos daocoder]# tcpdump host 10.1.85.21 and \( 10.1.85.19\) -i ens5f0 -nn -c 10

2. Capture the packets sent from 10.1.85.21:

[root@centos daocoder]# tcpdump src host 10.1.85.21 -c 10 -i ens5f1

3. Monitor a TCP (or UDP) port:

[root@centos daocoder]# tcpdump tcp port 22 -c 10

4. Capture the traffic between the host 10.1.85.21 and all hosts except 10.1.85.19:

[root@centos daocoder]# tcpdump ip host 10.1.85.21 and ! 10.1.85.19 -c 10 -i any

5. Capture the traffic from host 10.1.85.19 and a given source port to host 10.1.85.21:

[root@centos daocoder]# tcpdump src host 10.1.85.19 and src port 48565 and dst host 10.1.85.21 an
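The five scenarios above all combine the type, direction and protocol keywords from section 1.1 with and/or/not. To show how those keywords compose, including the qualifier inheritance that lets `host 10.1.85.21 and ( 10.1.85.19 )` omit the second `host`, here is an added example (not part of the original post, and not libpcap's real compiler) that implements a small subset of the filter grammar in Python and runs each scenario's expression over a constructed set of packet records. The packet field names, the tiny service table and the functions are this example's own assumptions; `net` uses the page's `net 10.1.0.0` convention (trailing zero octets imply the mask) and also accepts CIDR notation.

```python
import ipaddress
import re
from typing import Callable, List, Optional

# Constructed packet records using the hosts and ports from the scenarios above.
PACKETS = [
    {"proto": "tcp", "src": "10.1.85.21", "sport": 22,    "dst": "10.1.85.19",   "dport": 48565},
    {"proto": "tcp", "src": "10.1.85.19", "sport": 48565, "dst": "10.1.85.21",   "dport": 22},
    {"proto": "tcp", "src": "10.1.85.21", "sport": 22,    "dst": "10.1.110.110", "dport": 7608},
    {"proto": "udp", "src": "10.1.85.21", "sport": 53,    "dst": "10.2.0.5",     "dport": 41000},
    {"proto": "udp", "src": "10.2.0.5",   "sport": 41000, "dst": "10.1.85.21",   "dport": 53},
]

SERVICES = {"ssh": 22, "domain": 53, "http": 80, "https": 443}  # stand-in for /etc/services
PROTOS, DIRS, TYPES = {"ip", "tcp", "udp"}, {"src", "dst"}, {"host", "net", "port"}
STOP = {"and", "&&", "or", "||", "not", "!", "(", ")"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!&|]+")

Test = Callable[[dict], bool]


def match_net(addr: str, spec: str) -> bool:
    """net 10.1.0.0 -> prefix 10.1. (trailing zero octets imply the mask); CIDR also accepted."""
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    while octets and octets[-1] == "0":
        octets.pop()
    return addr.startswith(".".join(octets) + ".")


def make_test(proto: Optional[str], direction: Optional[str], ptype: str, value: str) -> Test:
    """Build the matcher for one primitive such as `tcp dst port 22`."""
    if ptype == "port":
        want = SERVICES[value] if value in SERVICES else int(value)
        fields = ("sport", "dport")
    else:
        want, fields = value, ("src", "dst")
    if direction == "src":
        fields = fields[:1]
    elif direction == "dst":
        fields = fields[1:]

    def cmp(v):
        return match_net(v, want) if ptype == "net" else v == want

    def test(p: dict) -> bool:
        if proto not in (None, "ip") and p["proto"] != proto:  # every record here is IP
            return False
        return any(cmp(p[f]) for f in fields)
    return test


class FilterParser:
    """Recursive-descent parser: expr = term (or term)*, term = factor (and factor)*."""

    def __init__(self, expr: str):
        self.toks, self.i = TOKEN_RE.findall(expr), 0
        self.last_qual = (None, None, "host")   # qualifier inherited by bare values

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self) -> Test:
        fn = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return fn

    def expr(self) -> Test:
        left = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left

    def term(self) -> Test:
        left = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left

    def factor(self) -> Test:
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.take()
            return inner
        return self.primitive()

    def primitive(self) -> Test:
        proto = direction = ptype = None
        while self.peek() in PROTOS | DIRS | TYPES:
            tok = self.take()
            if tok in PROTOS:
                proto = tok
            elif tok in DIRS:
                direction = tok
            else:
                ptype = tok
        value = self.take() if self.peek() is not None and self.peek() not in STOP else None
        if value is None:
            if proto is None:
                raise ValueError("expected a filter primitive")
            return lambda p: proto == "ip" or p["proto"] == proto   # bare `tcp`, `udp`, `ip`
        if (proto, direction, ptype) == (None, None, None):
            proto, direction, ptype = self.last_qual              # e.g. the B in `host A and (B)`
        ptype = ptype or "host"                                     # `src 10.1.85.21` means src host
        self.last_qual = (proto, direction, ptype)
        return make_test(proto, direction, ptype, value)


def compile_filter(expr: str) -> Test:
    return FilterParser(expr).parse()


def apply_filter(expr: str, packets: List[dict] = PACKETS) -> List[dict]:
    test = compile_filter(expr)
    return [p for p in packets if test(p)]


if __name__ == "__main__":
    for e in ("host 10.1.85.21 and ( 10.1.85.19 )", "src host 10.1.85.21", "tcp port 22",
              "ip host 10.1.85.21 and ! 10.1.85.19",
              "src host 10.1.85.19 and src port 48565 and dst host 10.1.85.21"):
        print(f"{e!r}: {len(apply_filter(e))} packets")
```

The one shell-specific point the first scenario makes survives here: the parentheses must reach the program as tokens, which is why they are escaped on the command line; inside the parser they are ordinary tokens, and a bare address after `and` or `or` inherits the previous `host`/`net`/`port` qualifier exactly as libpcap's grammar allows.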

Reprinted: https://www.jianshu.com/p/23427a80fc9d

Origin blog.csdn.net/p_utao/article/details/108232533