Essential Linux network analysis skills: tcpdump explained through practical examples
Liang Xu Linux Yesterday
The following article is reposted from Programming Accomplishment, written by Programmer Chopin.
What I want to share today is tcpdump, a particularly useful network tool on Linux. It is normally used for fault diagnosis and network analysis, and it is very powerful.
Compared with other Linux tools, tcpdump is complicated. I don't recommend learning all of it; the key is applying what you learn to the problems in your work.
This article starts from the application scenarios and the basic working principle, then gives a wealth of practical examples so that you can quickly grasp the core usage of tcpdump, enough for day-to-day work.
Application scenarios
Many network problems met in daily work can be solved elegantly with tcpdump:
1. Most people have run into an SSH connection to a server that takes a long time to establish. Capturing packets with tcpdump quickly shows the cause; usually the server is waiting on a slow or failing DNS lookup (typically the reverse lookup of the client address).
2. When engineers and users argue about whether a network problem exists, a packet capture settles the question and locates the fault quickly and without stress.
3. When a newly developed network program does not behave as expected, collect the relevant packets with tcpdump and analyse the cause at the packet level.
4. When a network program performs poorly, use tcpdump to study the characteristics of the data stream and, together with the relevant protocol specifications, tune the network parameters to improve performance.
5. When learning network protocols, capturing packets with tcpdump and reading the protocol fields makes the learning more intuitive, effective and fast.
This is only a short list of common scenarios. tcpdump is a very powerful tool for network diagnosis, network optimisation and protocol learning; wherever there is a network problem, you will see it used.
Skilled use of tcpdump helps us solve all kinds of network problems at work. Let's briefly look at how it works.
How it works
tcpdump runs in user space; under the hood it implements packet capture by calling the APIs of the libpcap library.
As the figure above shows, after a packet arrives at the network card it passes through the packet filter (BPF), and only then is a copy handed to the user-space tcpdump program, which decodes and prints it or stores it in a pcap file.
The job of the packet filter (BPF) is to copy to tcpdump only the packets the user cares about, according to the filter expression the user typed. This avoids unnecessary copies and reduces the performance cost of capturing.
Food for thought: a real interview question.
Interviewer: If some packets are blocked by iptables, can tcpdump still capture them?
With the picture above in mind, the question is easy to answer.
Linux netfilter works inside the protocol stack, while tcpdump's filter (BPF) is attached at the device layer, before the stack. So an inbound packet dropped by an iptables INPUT or FORWARD rule has already been copied to tcpdump by the time it is dropped, and it does show up in the capture. The reverse holds for outbound traffic: a packet dropped by an OUTPUT rule never reaches the device layer, so tcpdump does not see it. Comparing a capture on the host with one on the peer is therefore a quick way to tell whether a local firewall rule is eating the traffic.
Now that we understand the basic principle of tcpdump, let's go straight to practice!
In practice: basic usage
We first introduce the basic usage of tcpdump through a few simple examples.
1. Without any arguments, tcpdump captures all packets on the first non-loopback network interface by default
$ tcpdump
2. Capture all packets on the eth0 interface
$ tcpdump -i eth0
3. Add the -n option so that host and port names are not resolved. This option is critical: name lookups slow the capture down (and generate extra DNS traffic of their own), so you should almost always specify it.
$ tcpdump -n -i eth0
4. Capture all packets to or from the host 192.168.1.100
$ tcpdump -ni eth0 host 192.168.1.100
5. Capture only the packets sent by the host 10.1.1.2
$ tcpdump -ni eth0 src host 10.1.1.2
6. Capture only the packets sent to the host 10.1.1.2
$ tcpdump -ni eth0 dst host 10.1.1.2
7. Capture packets sent to a given host on eth0 and stop after 10 packets. -c is also commonly used
$ tcpdump -ni eth0 -c 10 dst host 192.168.1.200
8. Capture all packets addressed to the SSH port on eth0 (the default SSH port is 22)
$ tcpdump -ni eth0 dst port 22
9. Capture 5 ICMP (ping) packets on eth0
$ tcpdump -ni eth0 -c 5 icmp
10. Capture all ARP packets on eth0
$ tcpdump -ni eth0 arp
11. Print packets in hexadecimal. When you need to check whether the content of a packet is correct, the hex (and ASCII) output is very helpful. Note that -X starts at the network-layer header; use -XX to include the link-layer header as well
$ tcpdump -ni eth0 -c 1 arp -X
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:31.602995 ARP, Request who-has 172.17.92.133 tell 172.17.95.253, length 28
0x0000: 0001 0800 0604 0001 eeff ffff ffff ac11 ................
0x0010: 5ffd 0000 0000 0000 ac11 5c85 _.........\.
12. Capture only IPv6 traffic on eth0
$ tcpdump -ni eth0 ip6
13. Capture traffic in a range of ports
$ tcpdump -ni eth0 portrange 80-9000
14. Capture traffic to or from a subnet
$ tcpdump -ni eth0 net 192.168.1.0/24
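Item 11 above prints the packet as a hex dump, and the summary line tcpdump printed for the same packet sits right above the dump. As an added example (not part of the original article), the following Python script parses those two -X lines back into bytes, decodes the ARP fields to reproduce the "who-has ... tell ..." summary, and writes the frame into a classic pcap file that tcpdump -r can read, so that a dump pasted into a ticket can be turned back into something filterable. The hex lines are copied from the article's output; the Ethernet header prepended in frame_from_arp() (broadcast destination, sender MAC as source) is an assumption, since -X shows the packet from the ARP header on.

```python
"""Parse the 'tcpdump -X' ARP dump from item 11 back into bytes, decode it,
and write it to a pcap file that 'tcpdump -r' can read.

Added example for this page, not code from the original article.  The two
hex lines are copied from the article's output; the Ethernet header added in
frame_from_arp() is an assumption (-X prints from the ARP header on, so the
original link-layer header is not in the dump)."""
import struct
import time

# Hex dump exactly as printed by 'tcpdump -ni eth0 -c 1 arp -X' in the article.
HEXDUMP = (
    "0x0000: 0001 0800 0604 0001 eeff ffff ffff ac11 ................\n"
    "0x0010: 5ffd 0000 0000 0000 ac11 5c85 _.........\\.\n"
)
HEXCHARS = set("0123456789abcdefABCDEF")


def parse_hexdump(text):
    """Turn -X lines ('0xNNNN:', up to 8 hex words, ASCII gutter) into bytes.
    Each line holds at most 16 bytes; parsing stops at the first token that is
    not a 2- or 4-digit hex word, which is where the ASCII column begins."""
    out = bytearray()
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        for word in line.split(":", 1)[1].split()[:8]:
            if len(word) not in (2, 4) or not set(word) <= HEXCHARS:
                break
            out += bytes.fromhex(word)
    return bytes(out)


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def decode_arp(arp):
    """Decode an Ethernet/IPv4 ARP body (RFC 826): 8-byte fixed header,
    then sender MAC, sender IP, target MAC, target IP."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": oper,
        "sender_mac": fmt_mac(arp[8:14]),
        "sender_ip": fmt_ip(arp[14:18]),
        "target_mac": fmt_mac(arp[18:24]),
        "target_ip": fmt_ip(arp[24:28]),
        "length": len(arp),
    }


def summarize(info):
    """Render the one-line summary tcpdump prints for an ARP packet."""
    if info["op"] == 1:
        return (f"ARP, Request who-has {info['target_ip']} "
                f"tell {info['sender_ip']}, length {info['length']}")
    if info["op"] == 2:
        return (f"ARP, Reply {info['sender_ip']} is-at {info['sender_mac']}, "
                f"length {info['length']}")
    return f"ARP, opcode {info['op']}, length {info['length']}"


def frame_from_arp(arp):
    """Prepend an Ethernet header: broadcast destination (assumed for a
    request), sender MAC as source, EtherType 0x0806 = ARP."""
    return b"\xff" * 6 + arp[8:14] + b"\x08\x06" + arp


def pcap_bytes(frames, snaplen=262144):
    """Serialise frames as a classic pcap file (what 'tcpdump -w' produces):
    24-byte global header with LINKTYPE_ETHERNET (1), then a 16-byte record
    header (seconds, microseconds, captured length, original length) per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    base = int(time.time() * 1_000_000)
    for i, frame in enumerate(frames):
        sec, usec = divmod(base + i, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    arp = parse_hexdump(HEXDUMP)
    print(summarize(decode_arp(arp)))
    with open("arp-from-dump.pcap", "wb") as fh:
        fh.write(pcap_bytes([frame_from_arp(arp)]))
    print("wrote arp-from-dump.pcap; verify with: tcpdump -nr arp-from-dump.pcap -X")
```

Running the script prints the same summary line the article shows and leaves a 82-byte pcap file behind; `tcpdump -nr arp-from-dump.pcap -X` should print the identical hex dump, and the same file accepts any of the filter expressions in this article as a `-r` argument.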
In practice: advanced usage
The power and flexibility of tcpdump come mainly from how freely filter (BPF) expressions can be combined.
This section shares some of the commonly used so-called advanced usages. I hope readers can generalise from them and apply them flexibly to their own needs.
1. Capture packets from a given client to the SSH port
$ tcpdump -ni eth0 src 192.168.1.100 and dst port 22
2. Capture traffic from one subnet to either of two other subnets. Two details matter here: the network address must match its prefix length (libpcap rejects 192.168.1.0/16 with "non-network bits set"), and because and binds more tightly than or, the two destinations must be grouped in parentheses, otherwise the expression means "(src ... and dst 10/8) or any traffic involving 172.16/16"
$ tcpdump -ni eth0 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'
3. Capture traffic from a host to any port other than SSH
$ tcpdump -ni eth0 src 10.0.2.4 and not dst port 22
4. Complex expressions usually need quoting. The quotes are for the shell, not for tcpdump: single quotes stop the shell from interpreting special characters such as ( and ). Without quotes you would have to escape those characters with backslashes.
$ tcpdump -ni eth0 'src 10.0.2.4 and (dst port 3389 or 22)'
5. Filter by packet size, useful when you are looking for packets of a particular length. Note that less and greater are inclusive (less 64 means length <= 64), and the exact-length form uses the keyword len
Packets of 64 bytes or fewer:
$ tcpdump -ni eth0 less 64
Packets of 64 bytes or more:
$ tcpdump -ni eth0 greater 64
Packets of exactly 64 bytes:
$ tcpdump -ni eth0 'len == 64'
6. Filter on TCP flags
Capture RST segments sent by a host:
$ tcpdump -ni eth0 src host 192.168.1.100 and 'tcp[tcpflags] & (tcp-rst) != 0'
Capture SYN segments sent by a host:
$ tcpdump -ni eth0 src host 192.168.1.100 and 'tcp[tcpflags] & (tcp-syn) != 0'
Capture FIN segments sent by a host:
$ tcpdump -ni eth0 src host 192.168.1.100 and 'tcp[tcpflags] & (tcp-fin) != 0'
Capture the SYN or FIN segments of TCP connections, i.e. connection setup and teardown:
$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
7. Capture all ICMP packets other than ping (echo request and echo reply)
$ tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
8. Capture IPv4 packets on port 80 that actually carry data, skipping SYN, FIN, pure ACK and other empty segments
$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
This expression looks complicated but it is just arithmetic on header fields: ip[2:2] is the total length of the IP packet, (ip[0]&0xf)<<2 is the IP header length in bytes (the IHL field counts 32-bit words), and (tcp[12]&0xf0)>>2 is the TCP header length in bytes (the data offset field, also in 32-bit words). Total length minus both headers is the payload length; if it is not 0, the segment carries data. Because ip[] indexes the IPv4 header, this form works for IPv4 only. If the expression is still unclear, it is worth reviewing the layout of the IP and TCP headers.
9. Capture HTTP messages by matching the first two bytes of the TCP payload: 0x4745 is "GE", the start of GET, and 0x4854 is "HT", the start of the HTTP/1.x status line in a response
$ tcpdump -ni eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
Note that tcp[20:2] assumes a 20-byte TCP header. When TCP options are present (timestamps, for example, are common), the payload starts later and this filter misses the request; indexing from the data offset field instead, as item 8 does, avoids that.
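The expressions in items 6, 8 and 9 are plain arithmetic on header bytes, and the easiest way to convince yourself of what each one matches is to run the same arithmetic on a few hand-built packets. The following Python script is an added example, not code from the original article: it builds Ethernet/IPv4/TCP frames (addresses and ports are made up, checksums are left at zero since BPF never checks them) and re-implements each filter as a function, including the tcp[20:2] HTTP match from item 9 next to a data-offset-based form that also works when TCP options are present.

```python
"""Apply the byte-offset filters from items 6, 8 and 9 above to constructed
IPv4/TCP frames, so the arithmetic behind each expression can be checked
without root or a live interface.

Added example for this page, not code from the original article.  Packets are
built here with zero checksums (BPF filters never verify checksums) and the
MAC/IP addresses and ports are made up."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MSS_OPTION = bytes.fromhex("020405b4")                   # kind 2, len 4, MSS 1460
TS_OPTION = bytes.fromhex("0101080a0000000100000000")    # NOP NOP TSopt: 12 bytes


def tcp_frame(src, dst, sport, dport, flags, payload=b"", options=b""):
    """Ethernet + IPv4 + TCP frame; 'options' must be padded to 4-byte words."""
    assert len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4              # TCP header in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset << 4,
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("aaaaaaaaaaaabbbbbbbbbbbb0800")  # dst MAC, src MAC, IPv4
    return eth + ip + tcp


def ip_tcp_views(frame):
    """Slices matching tcpdump's ip[...] and tcp[...] accessors: offsets are
    relative to the start of the IP header and of the TCP header respectively."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) << 2
    return ip, ip[ihl:]


def be16(buf, off):
    """proto[off:2] in a filter: a 16-bit big-endian load, or None when it would
    run past the end of the packet (BPF then rejects the packet)."""
    if off + 2 > len(buf):
        return None
    return struct.unpack_from("!H", buf, off)[0]


def tcp_flag_set(frame, mask):
    """'tcp[tcpflags] & (mask) != 0'; tcpflags is byte 13 of the TCP header."""
    _, tcp = ip_tcp_views(frame)
    return tcp[13] & mask != 0


def has_payload(frame):
    """'((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0':
    IP total length minus IP header length minus TCP header length."""
    ip, tcp = ip_tcp_views(frame)
    total_len = be16(ip, 2)
    ip_hdr_len = (ip[0] & 0x0F) << 2
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2                 # words*4 == (>>4)<<2
    return total_len - ip_hdr_len - tcp_hdr_len != 0


def looks_like_http_fixed(frame):
    """Item 9 as written: 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854' ("GE" / "HT").
    Only correct when the TCP header is exactly 20 bytes, i.e. no options."""
    _, tcp = ip_tcp_views(frame)
    return be16(tcp, 20) in (0x4745, 0x4854)


def looks_like_http(frame):
    """Same test indexed from the real data offset, the filter equivalent being
    'tcp[((tcp[12]&0xf0)>>2):2]=0x4745 or tcp[((tcp[12]&0xf0)>>2):2]=0x4854'."""
    _, tcp = ip_tcp_views(frame)
    return be16(tcp, (tcp[12] & 0xF0) >> 2) in (0x4745, 0x4854)


# Constructed sample traffic between two made-up hosts.
SAMPLES = {
    "syn_with_mss": tcp_frame("10.0.2.4", "10.0.2.1", 40000, 80, TCP_SYN, options=MSS_OPTION),
    "get_plain": tcp_frame("10.0.2.4", "10.0.2.1", 40000, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n"),
    "get_with_ts": tcp_frame("10.0.2.4", "10.0.2.1", 40000, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n", TS_OPTION),
    "response": tcp_frame("10.0.2.1", "10.0.2.4", 80, 40000, TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\n"),
    "rst": tcp_frame("10.0.2.1", "10.0.2.4", 80, 40000, TCP_RST | TCP_ACK),
}


def evaluate(frame):
    """Run every filter from items 6, 8 and 9 against one frame."""
    return {
        "syn": tcp_flag_set(frame, TCP_SYN),
        "rst": tcp_flag_set(frame, TCP_RST),
        "syn_or_fin": tcp_flag_set(frame, TCP_SYN | TCP_FIN),
        "payload": has_payload(frame),
        "http_tcp20": looks_like_http_fixed(frame),
        "http_dataoff": looks_like_http(frame),
    }


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:13s} {evaluate(frame)}")
```

The get_with_ts sample is the case that bites in practice: with a 12-byte timestamp option, tcp[20:2] reads the option bytes (0x0101) instead of "GE" and the fixed-offset filter misses the request, while the data-offset form matches it. The same frames can be written out as a pcap and replayed through tcpdump -r with each expression to confirm the results against the real filter compiler.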
Common options
Through the practical cases above, I believe everyone has grasped the basic usage of tcpdump; here is a summary of the commonly used options.
(1) Basic options
- -i: specify the interface to capture on
- -D: list the interfaces available for capture
- -s: snapshot length, the number of bytes kept from each packet (the default, 262144, keeps whole packets; a small value such as -s 128 keeps only headers and lowers the capture cost)
- -c: stop after capturing this many packets
- -w: write the raw packets to a file instead of printing them
- -r: read packets from a file instead of an interface
- -C: rotate the output file when it reaches this size (in millions of bytes); used together with -w, and with -W to limit how many files are kept
- -F: read the filter expression from a file
- -n: do not resolve host names or port numbers; very important, almost always add it
- -P: capture only packets in one direction, with value in, out or inout (Linux only)
(2) Output options
- -e: include the link-layer header (MAC addresses, EtherType) in each line
- -t: do not print a timestamp on each line; -tt prints seconds since the epoch and -tttt prints the full date and time (the default is time of day)
- -X: print each packet in hexadecimal and ASCII
- -v: print more detail about each packet; -vv and -vvv are progressively more verbose
Filter expressions
The power and flexibility of tcpdump come mainly from how freely filter (BPF) expressions can be combined.
(1) Primitives
A primitive names an object and optionally qualifies it:
- type: the kind of object the value refers to: host, net, port or portrange; when omitted, host is assumed (so 192.168.1.1 alone means host 192.168.1.1)
- dir: the transfer direction: src or dst (also src or dst, src and dst); when omitted, src or dst is assumed
- proto: the protocol to restrict the match to: ether, ip, ip6, arp, icmp, tcp, udp and so on
(2) Combining primitives
Primitives are joined with the keywords and, or and not (also written &&, || and !) to form more powerful expressions:
- or: either side matches
- and: both sides match
- not: negation
not binds most tightly, then and, then or; use parentheses (quoted for the shell) when that is not the grouping you mean.
After reading this, I recommend going back to the examples in the practical sections; I believe you will understand them more deeply. If so, this article has achieved its goal!
Lessons from experience
No new knowledge here, just some lessons summarised from work:
1. tcpdump is not a panacea and cannot solve every network problem.
2. In high-traffic scenarios, capturing packets can affect system performance. Use it with caution in production!
3. In high-traffic scenarios tcpdump is not suitable for traffic statistics. If you need them, mirror the traffic at the switch and analyse it elsewhere.
4. Capturing with tcpdump on Linux and analysing the result with Wireshark gets twice the result for half the effort (write the capture with -w and open the pcap file in Wireshark).
5. Avoid capturing on the any pseudo-interface where possible: it copies traffic from every interface and uses the Linux "cooked" link type, so the real link-layer headers are lost.
6. Specify the most precise filter expression you can, to reduce the copying of packets you do not need.
7. Always add -n, to avoid the overhead of resolving host and port names.
Finally
From the above we know that tcpdump is a powerful fault diagnosis and network analysis tool. Network problems met in daily work can very often be solved with tcpdump.
tcpdump is more complicated than most Linux commands, but given its powerful features it is worth spending some extra time on. To master tcpdump well, you need a reasonable understanding of network packets, that is, of the TCP/IP protocols.