Super detailed Tcpdump usage
1. Capture on the loopback interface: tcpdump -i lo
2. Prevent packet truncation: tcpdump -s0 (a snaplen of 0 means whole packets; older versions cut every packet to 96 bytes, the "capture size 96 bytes" seen in the examples below, so payloads were lost without -s0; current versions capture full packets by default)
3. Show hosts and ports as numbers: tcpdump -n (-n stops host-name lookups, -nn also leaves port and protocol numbers unresolved; besides being faster, this avoids reverse DNS queries that tell the DNS server which addresses you are examining)
tcpdump filter expressions are built from three kinds of keywords. The first are type keywords: host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says that the port number is 23. If no type is given, host is assumed. One caveat with net: libpcap takes the mask length of a bare network from the number of octets written, so net 192.168 means 192.168.0.0/16, but a full dotted quad such as net 202.0.0.0 is a /32, i.e. a host match; write net 202 or net 202.0.0.0/8 to match the whole network.
The second are direction keywords: src, dst, src or dst and src and dst. For example, src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction is given, src or dst is assumed, so host X matches packets both to and from X.
The third are protocol keywords: fddi, ip, arp, rarp, tcp, udp and others. fddi selects frames on an FDDI (Fiber Distributed Data Interface) network; it is in fact an alias for ether, because FDDI and Ethernet frames carry similar source and destination addresses, so FDDI frames are processed and analysed as Ethernet frames. The other keywords select the protocol of the captured packets. If no protocol is given, tcpdump captures packets of all protocols.
Besides these three kinds of keywords, the other important ones are gateway, broadcast, less and greater, and the three logical operators: negation is not or !, conjunction is and or &&, disjunction is or or ||. These can be combined into powerful filter conditions; a few examples follow.
Normally, starting tcpdump with no arguments captures all packets on the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
                0000 0000 0080 0000 1007 cf08 0900 0000
                0e80 0000 902b 4695 0980 8701 0014 0002
                000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
                ffff 0060 0004 ffff ffff ffff ffff ffff
                0452 ffff ffff 0000 e85b 6d85 4008 0002
                0640 4d41 5354 4552 5f57 4542 0000
                0000
The -i option chooses the interface tcpdump listens on, which matters on a machine with several interfaces; -c stops the capture after the given number of packets; -w writes the captured packets to a file (in pcap format) instead of printing them, and -r reads such a file back for analysis later.
A. To capture all packets received or sent by host 210.27.48.1:
#tcpdump host 210.27.48.1
B. To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (parentheses are special to the shell, so escape them with a backslash or quote the whole expression):
#tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
C. To capture the IP packets between host 210.27.48.1 and every host except 210.27.48.2:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
D. To capture the telnet packets received or sent by host 210.27.48.1 (primitives are joined with and):
#tcpdump tcp port 23 and host 210.27.48.1
E. To monitor UDP port 123 on this machine (123 is the NTP service port):
# tcpdump udp port 123
F. To capture only packets sent by the host named hostname, which may be the local host or any machine on the network:
#tcpdump -i eth0 src host hostname
G. To capture all packets sent to host hostname:
#tcpdump -i eth0 dst host hostname
H. To capture packets that passed through the gateway Gatewayname (gateway needs a host name that resolves to both an IP address and an Ethernet address; it matches frames whose Ethernet source or destination is the gateway while neither IP address is):
#tcpdump -i eth0 gateway Gatewayname
I. To additionally restrict the capture to TCP or UDP packets to or from a given port, for example port 80:
#tcpdump -i eth0 host hostname and port 80
The direction keywords (src, dst, src or dst, src and dst) apply to ports as well as to addresses: to list only packets sent to port 80, use dst port; to see only packets coming back from port 80, use src port.
#tcpdump -i eth0 host hostname and dst port 80 (the destination port is 80)
or
#tcpdump -i eth0 host hostname and src port 80 (the source port is 80, usually a host providing HTTP service)
Several conditions are combined with and, or and not (! is the same as not), for example:
#tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80
This captures packets to port 80 from every host except 211.161.223.70 and 211.161.223.71; host ! 211.161.223.70 means the same as not host 211.161.223.70.
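To make the filter semantics above concrete, here is a small evaluator, added for this page and not part of tcpdump or libpcap, that parses the subset of filter syntax used in the examples (host/net/port, src/dst, src or dst, src and dst, tcp/udp/ip, not/and/or and parentheses) and runs it against constructed packets. It reproduces two libpcap behaviours worth knowing: a bare value after an operator inherits the most recent qualifiers, so host A and (B or C) treats B and C as hosts, and a bare net written as a full dotted quad is a /32 host match. The Packet tuple and the sample packets are constructed for the demonstration, and the expressions are written as libpcap receives them, i.e. without the backslashes the shell needs around parentheses.

```python
# Evaluate a subset of libpcap filter syntax against constructed packets (added example).
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")   # constructed IPv4 packet
_TOKENS = re.compile(r"\(|\)|&&|\|\||!|[^\s()]+")
OPERATORS = ("and", "&&", "or", "||", "not", "!", "(", ")")
PROTOS, DIRS, KINDS = ("ip", "tcp", "udp"), ("src", "dst"), ("host", "net", "port")


def parse_net(value):
    # libpcap: 8 mask bits per octet written ("192.168" -> /16, "202.0.0.0" -> /32, a host match)
    if "/" in value:
        return ipaddress.ip_network(value, strict=False)
    octets = value.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


class Filter:
    def __init__(self, expression):
        self.tokens, self.pos = _TOKENS.findall(expression), 0
        self.proto, self.direction, self.kind = None, "src or dst", "host"   # libpcap defaults
        self.matcher = self._or_expr()
        if self.pos != len(self.tokens):
            raise SyntaxError(f"unexpected token {self.tokens[self.pos]!r}")
    def __call__(self, packet):
        return self.matcher(packet)
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _next(self):
        tok = self._peek()
        if tok is None:
            raise SyntaxError("unexpected end of filter expression")
        self.pos += 1
        return tok
    def _or_expr(self):
        left = self._and_expr()
        while self._peek() in ("or", "||"):
            self._next()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self._and_expr())
        return left
    def _and_expr(self):
        left = self._not_expr()
        while self._peek() in ("and", "&&"):
            self._next()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self._not_expr())
        return left
    def _not_expr(self):
        if self._peek() in ("not", "!"):
            self._next()
            return (lambda inner: lambda p: not inner(p))(self._not_expr())
        if self._peek() == "(":
            self._next()
            inner = self._or_expr()
            if self._next() != ")":
                raise SyntaxError("expected ')'")
            return inner
        return self._primitive()
    def _primitive(self):
        tok = self._peek()
        if tok not in PROTOS + DIRS + KINDS:       # bare value: inherits the last qualifiers,
            return self._value_test(self._next())  # so "host A and (B or C)" is hosts throughout
        # An explicit qualifier starts a new head and resets the other qualifiers.
        self.proto, self.direction, self.kind = None, "src or dst", "host"
        if tok in PROTOS:
            self.proto = self._next()
            if self._peek() in (None, ")") + OPERATORS[:4]:   # bare "tcp", "udp" or "ip" term
                return lambda p, proto=self.proto: proto == "ip" or p.proto == proto
        if self._peek() in DIRS:
            tok, pair = self._next(), self.tokens[self.pos:self.pos + 2]
            if len(pair) == 2 and pair[0] in ("or", "and") and pair[1] in DIRS:
                self.direction, self.pos = ("src or dst" if pair[0] == "or" else "src and dst"), self.pos + 2
            else:
                self.direction = tok
        if self._peek() in KINDS:
            self.kind = self._next()
        return self._not_expr()                    # the value, "! value" or "( ... )"
    def _value_test(self, value):
        if value in OPERATORS:
            raise SyntaxError(f"expected a value, got {value!r}")
        direction, proto = self.direction, self.proto
        if self.kind == "port":
            test = lambda addr, prt, port=int(value): prt == port
        elif self.kind == "net":
            test = lambda addr, prt, net=parse_net(value): ipaddress.ip_address(addr) in net
        else:
            test = lambda addr, prt: addr == value
        def match(p):
            s, d = test(p.src, p.sport), test(p.dst, p.dport)
            return (proto in (None, "ip") or p.proto == proto) and {
                "src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]
        return match


TELNET_FROM_2 = Packet("tcp", "210.27.48.2", 40000, "210.27.48.1", 23)   # constructed samples,
NTP_REPLY = Packet("udp", "210.27.48.1", 123, "210.27.48.2", 123)        # not captured data
```

Filter("host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)")(TELNET_FROM_2) is true, and Filter("net 202.0.0.0") matches nothing from 202.x.x.x other than the address 202.0.0.0 itself, which is the surprise the evaluator is meant to make visible.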
When tcpdump puts an Ethernet interface into promiscuous mode, the kernel logs it:
May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
These messages are also a useful detection signal: an interface entering promiscuous mode when no administrator is running a sniffer is worth investigating.
Non-IP frames such as the 802.1d and SAP frames in the first example are printed only as raw hexadecimal, which is not convenient for diagnosing network problems. The usual solution is to capture with -w into a file and decode it afterwards with tcpdump -r or a protocol analyzer; a filter expression should also be given so that the capture does not fill the whole disk.
# tcpdump -i eth1 src host 211.167.237.199
00:02:03.096713 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010208:2010352(144) ack 33377 win 8576
00:02:03.096951 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010352:2010496(144) ack 33377 win 8576
00:02:03.100928 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010496:2010640(144) ack 33377 win 8576
00:02:03.101165 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010640:2010784(144) ack 33377 win 8576
00:02:03.102554 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010784:2010928(144) ack 33425 win 8576
This shows that at 00:02:03 host 211.167.237.199 is sending from its ssh port (22) to port 1467 of 221.216.165.189: P marks segments carrying data with the PSH flag, 2010208:2010352(144) is the sequence-number range and the 144 payload bytes, and ack and win are the acknowledgement number and the window. To narrow the capture to that one connection, add the destination port:
#tcpdump -i eth1 src host 211.167.237.199 and dst port 1467
00:09:27.603075 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180400:180544(144) ack 2833 win 8576
00:09:27.605631 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180544:180688(144) ack 2881 win 8576
To capture all packets on eth0 whose source host is 192.168.0.5 and whose destination port is 80, combine src host 192.168.0.5 and dst port 80 with and, exactly as in the command above.
To check the interface's receive and transmit counters:
$ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 14639 0 0 0 5705 119 0 0 BMRU
Iface: the interface name
RX-OK RX-ERR RX-DRP RX-OVR: packets received correctly, receive errors, received packets dropped, and receiver overruns
TX-OK TX-ERR TX-DRP TX-OVR: packets sent correctly, transmit errors, transmitted packets dropped, and transmitter overruns
Flg: interface flags; B is broadcast, M multicast, R running, U up, and a P appears while the interface is in promiscuous mode, so netstat -i is a quick way to check whether something is sniffing on the machine.
[root@linux ~]# tcpdump [-nn] [-i interface] [-w filename] [-c count] [-Ae] [-qX] [-r file] [filter expression]
Options:
-nn : show IP addresses and port numbers directly instead of host names and service names (a single -n leaves only host names unresolved);
-i  : the network interface to listen on, such as eth0, lo or ppp0;
-w  : write the captured packets to the named file (pcap format) instead of printing them;
-c  : stop after this many packets; without it tcpdump keeps capturing until you press [ctrl]-c;
-A  : print each packet's payload as ASCII, handy for looking at HTTP (WWW) traffic;
-e  : also print the data-link layer (OSI layer 2) header, i.e. the MAC addresses;
-q  : quick output, one short line per packet with less protocol detail;
-X  : print the packet in hexadecimal and ASCII side by side, useful for inspecting payload content;
-r  : read packets from the named file, which must be an existing file produced earlier with -w.
Filter expression: packets can be selected by protocol, host or port so that the output contains only what is useful. Common forms are 'host foo' or 'host 127.0.0.1' (a single host), 'net 192.168' (a whole network), 'src host 127.0.0.1' or 'dst net 192.168' (adding a source or destination restriction), and 'tcp port 21' (protocol qualifiers such as tcp, udp, arp or ether). Conditions can be combined with and and or.
Example 1: capture packets on eth0 for 3 seconds, showing IP addresses and port numbers
[root@linux ~]# tcpdump -i eth0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648
<== press [ctrl]-c to end
6680 packets captured <== number of packets captured
14250 packets received by filter <== total number of packets seen by the filter
7512 packets dropped by kernel <== packets dropped by the kernel
- 01:33:40.41 : the time the packet was captured, as hour:minute:second;
- IP : the network-layer protocol is IP;
- 192.168.1.100.22 > : the sender is 192.168.1.100 and the sending port is 22; the greater-than sign (>) shows the direction of the packet;
- 192.168.1.11.1190 : the receiver is 192.168.1.11, receiving on port 1190;
- P 116:232(116) : the segment has the PUSH flag set and carries bytes 116 up to (but not including) 232 of the stream, i.e. 116 bytes of data; these numbers are relative to the start of the connection unless tcpdump is run with -S;
- ack 1 win 9648 : the acknowledgement number and the advertised window size;
- the three counters printed on exit matter: a non-zero "packets dropped by kernel" means the capture is incomplete because tcpdump could not keep up, so tighten the filter, write to a file with -w instead of decoding on screen, or enlarge the capture buffer with -B.
On a host with a busy network, picking the packets of one peer out of this stream by piping tcpdump into grep or regular expressions is awkward; tcpdump's own filter expressions do it far more easily. Example 1 listened to all of eth0, so everything on the interface scrolled past, which is hard to analyse. To look only at connections on port 21, for example:
[root@linux ~]# tcpdump -i eth0 -nn port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 1 win 65535
01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240: P 1:21(20) ack 1 win 5840
01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 21 win 65515
01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840
- First run "tcpdump -i lo -nn" in one terminal window,
- then open another terminal window and run "ssh localhost" to log in to this machine (127.0.0.1):
[root@linux ~]# tcpdump -i lo -nn
1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
2 listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
3 11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
4 11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
5 11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
6 11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
7 11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
- Line 3 is the client's SYN, its request to open a connection (S flag, initial sequence number 933696132, no ack field);
- Line 4 is the server's reply: it acknowledges the client's SYN (ack 933696133, the client's sequence number plus one) and carries its own SYN flag;
- Line 5 is the client's ACK confirming that the connection is established; note that from here on tcpdump prints relative sequence numbers (ack 1 rather than 920046703) unless it is run with -S;
- From line 6 on, data transfer begins: 1:23(22) is the first 22 bytes sent by the server, which for SSH is its protocol version banner.
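The fields explained above can be parsed mechanically. The following Python module, written for this page and not part of tcpdump, parses tcpdump's one-line TCP summaries in the older flag style shown here (S, P, . and a separate ack field rather than the Flags [S.] notation of current versions), finds a three-way handshake the way the lines above were read by hand, and sums payload bytes per direction. The sample lines are copied from the loopback ssh capture and the port 21 capture shown on this page; the handshake check also accepts the relative sequence numbers that tcpdump switches to after both SYNs unless -S is given.

```python
# Parse tcpdump's one-line TCP summaries (old flag style) and read a handshake from them.
# Added example for this page; not part of tcpdump.
import re
from dataclasses import dataclass
from typing import Optional

# e.g. 01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


@dataclass(frozen=True)
class Segment:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # S, F, R, P, U plus "A" whenever an ack number is printed
    seq: int           # first sequence number printed, 0 for a pure ack
    length: int        # payload bytes carried by the segment
    ack: Optional[int]
    win: int


def parse_line(line):
    """Return a Segment for a TCP summary line, or None for any other line."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    flags = set(m["flags"].replace(".", ""))   # a lone "." means no flags, ack only
    if m["ack"] is not None:
        flags.add("A")
    return Segment(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   frozenset(flags), int(m["seq"] or 0), int(m["length"] or 0),
                   int(m["ack"]) if m["ack"] else None, int(m["win"]))


def parse_capture(text):
    return [s for s in map(parse_line, text.splitlines()) if s is not None]


@dataclass(frozen=True)
class Handshake:
    client: tuple
    server: tuple
    client_isn: int
    server_isn: int


def _flow(s):
    return (s.src, s.sport, s.dst, s.dport)


def find_handshake(segments):
    """Find the first SYN, SYN+ACK, ACK triple. Because tcpdump prints relative
    sequence numbers once it has seen both SYNs (unless run with -S), the final
    ACK is accepted as either "ack server_isn+1" or "ack 1"."""
    for i, syn in enumerate(segments):
        if "S" not in syn.flags or "A" in syn.flags:
            continue
        reverse = (syn.dst, syn.dport, syn.src, syn.sport)
        for j in range(i + 1, len(segments)):
            synack = segments[j]
            if (_flow(synack) == reverse and {"S", "A"} <= synack.flags
                    and synack.ack == syn.seq + 1):
                for ack in segments[j + 1:]:
                    if (_flow(ack) == _flow(syn) and "A" in ack.flags
                            and "S" not in ack.flags and ack.ack in (synack.seq + 1, 1)):
                        return Handshake((syn.src, syn.sport), (syn.dst, syn.dport),
                                         syn.seq, synack.seq)
                break
    return None


def payload_by_direction(segments):
    """Total payload bytes per direction, keyed by ("src:port", "dst:port")."""
    totals = {}
    for s in segments:
        key = (f"{s.src}:{s.sport}", f"{s.dst}:{s.dport}")
        totals[key] = totals.get(key, 0) + s.length
    return totals


# Lines copied from the loopback ssh capture and the port 21 capture shown on this page.
SSH_LOOPBACK = """\
11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
"""
FTP_PORT_21 = """\
01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 1 win 65535
01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240: P 1:21(20) ack 1 win 5840
01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 21 win 65515
01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840
"""

if __name__ == "__main__":
    print(find_handshake(parse_capture(SSH_LOOPBACK)))
    print(payload_by_direction(parse_capture(FTP_PORT_21)))
```

On the ssh lines this yields client 127.0.0.1:32936, server 127.0.0.1:22 and the two initial sequence numbers; on the port 21 lines, which start mid-connection, there is no handshake, but the byte counts (54 bytes from the server, 16 from the client) are still available.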
Now for something more alarming. If tcpdump is run on a router, or on the host itself, against a protocol that transmits in clear text, such as FTP, what do you think you will see? Run "tcpdump -i lo port 21 -nn -X" on the host, then log in to the machine with ftp and enter an account and password. The result looks like this:
[root@linux ~]# tcpdump -i lo -nn -X 'port 21'
0x0000: 4500 0048 2a28 4000 4006 1286 7f00 0001 E..H*(@.@.......
0x0010: 7f00 0001 0015 80ab 8355 2149 835c d825 .........U!I./.%
0x0020: 8018 2000 fe3c 0000 0101 080a 0e2e 0b67 .....<.........g
0x0030: 0e2e 0b61 3232 3020 2876 7346 5450 6420 ...a220.(vsFTPd.
0x0040: 322e 302e 3129 0d0a 2.0.1)..
0x0000: 4510 0041 d34b 4000 4006 6959 7f00 0001 E..A.K@.@.iY....
0x0010: 7f00 0001 80ab 0015 835c d825 8355 215d ........./.%.U!]
0x0020: 8018 2000 fe35 0000 0101 080a 0e2e 1b37 .....5.........7
0x0030: 0e2e 0b67 5553 4552 2064 6d74 7361 690d ...gUSER.dmtsai.
0x0040: 0a .
0x0000: 4510 004a d34f 4000 4006 694c 7f00 0001 E..J.O@.@.iL....
0x0010: 7f00 0001 80ab 0015 835c d832 8355 217f ........./.2.U!.
0x0020: 8018 2000 fe3e 0000 0101 080a 0e2e 3227 .....>........2'
0x0030: 0e2e 1b38 5041 5353 206d 7970 6173 7377 ...8PASS.mypassw
0x0040: 6f72 6469 7379 6f75 0d0a ordisyou..
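The hex dump above can be decoded programmatically to show exactly what a passive listener obtains. The following Python script, added here and not part of tcpdump or the original page, rebuilds the packet bytes from tcpdump -X output, walks the IPv4 and TCP headers to isolate the payload, and extracts the FTP USER and PASS commands sent to port 21; the embedded FTP_DUMP is the three-packet dump shown above. The same approach, with a different command pattern, is the basis of a credential-leak check for any cleartext protocol in a saved capture.

```python
# Decode tcpdump -X hex dumps and pull FTP USER/PASS commands out of the TCP payload.
# Added example for this page; not part of tcpdump.
import re
from dataclasses import dataclass

_HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$")
_HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")
_FTP_CMD = re.compile(rb"^(USER|PASS) (\S+)", re.MULTILINE)


def parse_hexdump(text):
    """Return one bytes object per packet. tcpdump -X prints at most eight
    4-digit groups (16 bytes) per line followed by an ASCII column, and a new
    packet starts whenever the offset returns to 0x0000. Any ASCII token that
    happens to look like hex could only add bytes past the end of the packet,
    which decode_ipv4_tcp cuts off using the IP total-length field."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m is None:
            continue
        if int(m.group(1), 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        for group in m.group(2).split()[:8]:   # stop at the ASCII column
            if not _HEX_GROUP.match(group):
                break
            current += bytes.fromhex(group)
    if current:
        packets.append(bytes(current))
    return packets


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int       # raw TCP flag byte: 0x02 SYN, 0x10 ACK, 0x08 PSH, ...
    payload: bytes


def decode_ipv4_tcp(packet):
    """Walk the IPv4 header (IHL) and the TCP header (data offset), both
    counted in 32-bit words, and return the segment with its payload.
    Returns None for anything that is not IPv4 carrying TCP (protocol 6)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")   # trust the header, not the dump length
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4
    return TcpSegment(
        ".".join(str(b) for b in packet[12:16]), int.from_bytes(tcp[0:2], "big"),
        ".".join(str(b) for b in packet[16:20]), int.from_bytes(tcp[2:4], "big"),
        tcp[13], bytes(tcp[data_offset:]))


def find_ftp_credentials(text):
    """Return (client, server, command, argument) for every USER or PASS
    command sent to port 21 in the dump."""
    found = []
    for packet in parse_hexdump(text):
        seg = decode_ipv4_tcp(packet)
        if seg is None or seg.dport != 21:
            continue
        for cmd, arg in _FTP_CMD.findall(seg.payload):
            found.append((f"{seg.src}:{seg.sport}", f"{seg.dst}:{seg.dport}",
                          cmd.decode(), arg.decode()))
    return found


# The three packets from the tcpdump -i lo -nn -X 'port 21' dump on this page.
FTP_DUMP = """\
0x0000: 4500 0048 2a28 4000 4006 1286 7f00 0001 E..H*(@.@.......
0x0010: 7f00 0001 0015 80ab 8355 2149 835c d825 .........U!I./.%
0x0020: 8018 2000 fe3c 0000 0101 080a 0e2e 0b67 .....<.........g
0x0030: 0e2e 0b61 3232 3020 2876 7346 5450 6420 ...a220.(vsFTPd.
0x0040: 322e 302e 3129 0d0a 2.0.1)..
0x0000: 4510 0041 d34b 4000 4006 6959 7f00 0001 E..A.K@.@.iY....
0x0010: 7f00 0001 80ab 0015 835c d825 8355 215d ........./.%.U!]
0x0020: 8018 2000 fe35 0000 0101 080a 0e2e 1b37 .....5.........7
0x0030: 0e2e 0b67 5553 4552 2064 6d74 7361 690d ...gUSER.dmtsai.
0x0040: 0a .
0x0000: 4510 004a d34f 4000 4006 694c 7f00 0001 E..J.O@.@.iL....
0x0010: 7f00 0001 80ab 0015 835c d832 8355 217f ........./.2.U!.
0x0020: 8018 2000 fe3e 0000 0101 080a 0e2e 3227 .....>........2'
0x0030: 0e2e 1b38 5041 5353 206d 7970 6173 7377 ...8PASS.mypassw
0x0040: 6f72 6469 7379 6f75 0d0a ordisyou..
"""

if __name__ == "__main__":
    for client, server, cmd, arg in find_ftp_credentials(FTP_DUMP):
        print(f"{client} -> {server}: {cmd} {arg}")
```

Run stand-alone it prints the USER and PASS lines with the client and server sockets; the first packet decodes to the server banner "220 (vsFTPd 2.0.1)" on port 21, which is why the credential check keys on the destination port rather than on the packet order.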
Also understand that, so that it receives every frame on the wire and not only those addressed to it, the interface is put into "promiscuous mode" while tcpdump runs, so you will see messages in /var/log/messages telling you that the interface entered promiscuous mode. That is normal. For more applications see man tcpdump.
Exercise: how would you use tcpdump to capture (1) packets on the eth0 interface where (2) the port is 22 and (3) the destination host is 192.168.1.100? Answer: give the interface with -i eth0 and a filter expression that joins port 22 and dst host 192.168.1.100 with and.
Starting ethereal (the program later renamed Wireshark) is simple: under X Window, open a terminal and type ethereal, and a screen like the following appears:
Figure 5: ethereal usage example
The simple way is to click the button shown in the figure above; a window for choosing the interface to listen on appears, as shown below:
Figure 6: ethereal usage example
Choose the interface you want to listen on. Because this is only a test, the author (鳥哥) uses the internal interface lo here; you should of course choose your own network interface. After pressing start, the capture screen appears:
Figure 7: ethereal usage example
On this screen you can see many kinds of packet protocols. When you have finished, press "stop" to end the capture and go to the packet analysis screen shown below.
Figure 8: ethereal usage example
The packet analysis screen is divided into three areas, as in the figure above. The first area shows a summary of each packet, rather like tcpdump's output; the second shows the detailed headers, including the frame, the protocol fields and the socket pair; the third shows the hexadecimal and ASCII contents. With ethereal you get all of the packet contents you need in one go, through a graphical interface, which is very convenient. Selecting different packets in the first area lets you inspect each packet's data.
[root@linux ~]# nc [IP|host] [port]
[root@linux ~]# nc -l -p [port]
Parameters:
-l : listen, i.e. open a port and wait for a client to connect;
-p : the port number to open (this is the traditional netcat syntax; the OpenBSD variant takes the port as a positional argument after -l).
Example 1: connect to local port 25 and read what the service says
[root@linux ~]# nc localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 pc.dm.tsai ESMTP Postfix
ehlo localhost
250-pc.dm.tsai
250-PIPELINING
250-SIZE 40000000
250-ETRN
quit
221 Bye
Example 2: open a port and listen for client connections
[root@linux ~]# nc -l -p 20000
# This opens port 20000 on the host; if you now run netstat -tlnp
# you will see an extra port 20000 listening for client connections.
[root@linux ~]# nc localhost 20000
<== you can start typing strings here; whatever you type appears in the listening terminal
Remember that such a listener accepts input from anyone who can reach the port, with no authentication, so do not leave one running once the test is over.