Super detailed Tcpdump usage

1. Grab the packet of the loopback port: tcpdump -i lo

2. Prevent packet truncation: tcpdump -s0

3. Display the host and port in numbers: tcpdump -n

 

The first group is the type keywords, mainly host, net and port. For example, host 210.27.48.2 indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, and port 23 indicates port number 23. If no type is specified, the default type is host.


The second group is the keywords that determine the transmission direction, mainly src, dst, dst or src and dst and src. For example, src 210.27.48.2 indicates that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the default is src or dst.


The third group is the protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias for "ether": fddi and ether have similar source and destination addresses, so fddi packets can be processed and analysed as ether packets. The other keywords indicate the protocol of the monitored packets. If no protocol is specified, tcpdump listens for packets of all protocols.

 

In addition to these three groups of keywords, other important keywords are gateway, broadcast, less and greater, together with the three logical operations: negation is 'not' or '!', and is 'and' or '&&', or is 'or' or '||'. These keywords can be combined into powerful compound conditions to meet most needs; a few examples follow.


Normally, starting tcpdump directly will monitor all packets flowing on the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
                       0000 0000 0080 0000 1007 cf08 0900 0000
                       0e80 0000 902b 4695 0980 8701 0014 0002
                       000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
                       ffff 0060 0004 ffff ffff ffff ffff ffff
                       0452 ffff ffff 0000 e85b 6d85 4008 0002
                       0640 4d41 5354 4552 5f57 4542 0000
                       0000


Use the -i parameter to specify the network interface that tcpdump listens on, which is very useful when the computer has multiple network interfaces;
use the -c parameter to specify the number of packets to capture; and
use the -w parameter to write the captured packets to a file.
A: To intercept all packets received and sent by the host 210.27.48.1:
#tcpdump host 210.27.48.1


B: To intercept the communication between the host 210.27.48.1 and the host 210.27.48.2 or 210.27.48.3, use the command (when using parentheses on the command line, be sure to
#tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)


C: To get the IP packets of all hosts communicating with the host 210.27.48.1 except the host 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2


D: To obtain the telnet packets received or sent by the host 210.27.48.1, use the following command:
#tcpdump tcp port 23 host 210.27.48.1


E: Monitor UDP port 123 of this machine (123 is the NTP service port):
# tcpdump udp port 123


 

F: The system will only monitor packets from the host named hostname. The hostname can be the local host or any computer on the network. The following command reads all data sent by host hostname:
#tcpdump -i eth0 src host hostname

 

G: The following command monitors all packets sent to the host hostname:
#tcpdump -i eth0 dst host hostname


H: We can also monitor packets passing through the specified gateway:
#tcpdump -i eth0 gateway Gatewayname


I: If you also want to restrict the capture to TCP or UDP packets addressed to a specified port, execute the following command:
#tcpdump -i eth0 host hostname and port 80
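To make the keyword rules and examples A to I above concrete, here is an added example (not from the original article) that implements a small subset of the tcpdump filter language in Python: the type keywords host and port, the direction keywords src and dst, the protocol keywords ip, tcp and udp, and the logical operators, with the defaults described above (type defaults to host, direction defaults to "src or dst", and a bare value inherits the qualifiers of the preceding one, as in "host A and B"). It runs a filter over constructed in-memory packets instead of a live interface, so the parentheses are written unescaped (Python, not the shell, reads them). net, gateway, broadcast, less and greater are not implemented, and all names are mine; real tcpdump compiles the expression to a BPF program in the kernel, this only models the matching semantics.

```python
import re
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]            # constructed stand-in for a captured packet
Predicate = Callable[[Packet], bool]

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!&|]+")
PROTOS, DIRS, TYPES = {"ip", "tcp", "udp"}, {"src", "dst"}, {"host", "port"}
OPERATORS = {"and", "&&", "or", "||", "not", "!", "(", ")"}


def proto_matches(p: Packet, proto: Optional[str]) -> bool:
    return proto is None or proto == "ip" or p["proto"] == proto   # tcp and udp are both ip


def make_primitive(proto, direction, kind, value) -> Predicate:
    """Build the check for one '[proto] [src|dst] [host|port] value' term."""
    if kind == "port":
        fs, fd, val = "sport", "dport", int(value)
    else:
        fs, fd, val = "src", "dst", value

    def match(p: Packet) -> bool:
        if not proto_matches(p, proto):
            return False
        if direction == "src":
            return p[fs] == val
        if direction == "dst":
            return p[fd] == val
        return p[fs] == val or p[fd] == val    # no direction given: "src or dst"
    return match


class FilterParser:
    """Recursive descent: 'not' binds tightest, then 'and', then 'or'."""

    def __init__(self, text: str):
        self.toks, self.pos = TOKEN_RE.findall(text), 0
        self.last = (None, None, "host")        # qualifiers inherited by a bare value

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.disjunction()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def disjunction(self) -> Predicate:
        left = self.conjunction()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.conjunction())
        return left

    def conjunction(self) -> Predicate:
        left = self.unary()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.unary())
        return left

    def unary(self) -> Predicate:
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.disjunction()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self) -> Predicate:
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        kind = self.take() if self.peek() in TYPES else None
        value = self.peek()
        if value is None or value in OPERATORS:
            if proto and not direction and not kind:        # bare protocol, e.g. "tcp"
                return lambda p: proto_matches(p, proto)
            raise ValueError("expected a host or port value")
        self.take()
        if proto is None and direction is None and kind is None:
            proto, direction, kind = self.last               # the B in "host A and B"
        else:
            kind = kind or "host"                            # "src X" means "src host X"
            self.last = (proto, direction, kind)
        return make_primitive(proto, direction, kind, value)


def apply_filter(expression: str, packets: List[Packet]) -> List[int]:
    """Indices of the packets tcpdump would print for this expression."""
    pred = FilterParser(expression).parse()
    return [i for i, p in enumerate(packets) if pred(p)]


# Constructed sample packets, modelled on the hosts used in the examples above
PACKETS: List[Packet] = [
    {"proto": "tcp", "src": "210.27.48.1", "sport": 23,   "dst": "210.27.48.2", "dport": 4000},
    {"proto": "tcp", "src": "210.27.48.3", "sport": 5000, "dst": "210.27.48.1", "dport": 80},
    {"proto": "udp", "src": "192.168.1.5", "sport": 123,  "dst": "210.27.48.1", "dport": 123},
    {"proto": "tcp", "src": "210.27.48.2", "sport": 4001, "dst": "210.27.48.9", "dport": 23},
]

if __name__ == "__main__":
    for expr in ("host 210.27.48.1", "ip host 210.27.48.1 and ! 210.27.48.2", "udp port 123"):
        print(f"{expr!r:45} -> packets {apply_filter(expr, PACKETS)}")
```

Example C above ("ip host 210.27.48.1 and ! 210.27.48.2") is the case that shows why qualifier inheritance matters: the bare "! 210.27.48.2" only makes sense because it silently reuses "ip host" from the term before it.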



The direction keywords src and dst also narrow a port condition: if we only need to list the packets sent to port 80, use dst port; if we only want to see the packets returned from port 80, use src port.
#tcpdump -i eth0 host hostname and dst port 80      <== the destination port is 80
or
#tcpdump -i eth0 host hostname and src port 80      <== the source port is 80; generally this is a host providing HTTP service
If there are several conditions, join them with and, or or not:
#tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80
When an Ethernet interface is put into promiscuous mode, the system log records:
May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
Packet contents are printed directly in hexadecimal, which obviously is not convenient for analysing network faults. The usual solution is to capture with tcpdump -w, save the data to a file, and then decode and analyse it with another program. Of course, filter rules should also be defined so that the captured packets do not fill the whole hard disk.


 

# tcpdump   -i eth1 src  host 211.167.237.199
00:02:03.096713 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010208:2010352(144) ack 33377 win 8576
00:02:03.096951 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010352:2010496(144) ack 33377 win 8576
00:02:03.100928 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010496:2010640(144) ack 33377 win 8576
00:02:03.101165 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010640:2010784(144) ack 33377 win 8576
00:02:03.102554 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010784:2010928(144) ack 33425 win 8576

This shows that at 00:02:03, 211.167.237.199 is sending from its ssh port to port 1467 of 221.216.165.189.

#tcpdump -i eth1 src host 211.167.237.199 and dst port 1467
00:09:27.603075 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180400:180544(144) ack 2833 win 8576
00:09:27.605631 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180544:180688(144) ack 2881 win 8576

To intercept all packets entering eth0 whose source (src) host (host) is 192.168.0.5 and (and) whose destination (dst) port (port) is 80, combine those keywords in the same way.


Watch the status of the network card sending and receiving packets
$ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 14639 0 0 0 5705 119 0 0 BMRU

Iface: network interface
RX-OK RX-ERR RX-DRP RX-OVR : the number of packets correctly received by the interface, and the totals of errors, drops and collisions
TX-OK TX-ERR TX-DRP TX-OVR : the number of packets correctly sent by the interface, and the totals of errors, drops and collisions

 

 

[root@linux ~]# tcpdump [-nn] [-i interface] [-w filename] [-c times] [-Ae] 
                 [-qX] [-r file] [content of data to be retrieved ] 
Parameters:
-nn : display IP addresses and port numbers directly instead of host names and service names
-i  : the network interface to "monitor", such as eth0, lo, ppp0, etc.
-w  : store the captured packet data in the file whose name follows
-c  : the number of packets to capture; without this parameter tcpdump keeps capturing until the user presses [ctrl]-c
-A  : display the packet content in ASCII, usually used to capture WWW web page data
-e  : display the data-link layer (OSI layer 2) MAC packet data
-q  : list only brief packet information; each line is relatively concise
-X  : list the packet content in hexadecimal (hex) and ASCII, useful for monitoring packet content
-r  : read packet data from the file that follows; that file must already exist and have been produced by -w
Content of the data to be captured: we can capture packets for specific protocols or IP sources, which simplifies the output and gives the most useful information. Common forms are:
'host foo', 'host 127.0.0.1' : capture packets for a single host
'net 192.168' : capture packets for a whole network range
'src host 127.0.0.1', 'dst net 192.168' : add a source (src) or destination (dst) restriction
'tcp port 21' : protocols can also be specified, such as tcp, udp, arp, ether, etc.
and and or can also be used to combine conditions and display the packet data together!

Example 1: capture the packets on the network card eth0 for 3 seconds, showing IP addresses and port numbers
[root@linux ~]# tcpdump -i eth0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648
<== press [ctrl]-c to end
6680 packets captured                  <== number of packets captured
14250 packets received by filter       <== total number of packets that passed the filter
7512 packets dropped by kernel         <== packets dropped by the kernel
If you read the man page of tcpdump for the first time, your head will probably be spinning, because tcpdump almost always analyses the header data of packets, and without a basic grounding in network packets it is hard to make sense of. So at least go back to the network basics and understand the header data of a TCP packet! ^_^! As for the output of example 1, we can roughly divide it into several fields. Let's use the highlighted line in example 1 to illustrate:
  • 01:33:40.41 : This is the time when this packet was captured, the unit of "hour:minute:second";
  • IP : The communication protocol used is IP;
  • 192.168.1.100.22 >  : The transmitting end is the IP 192.168.1.100, and the transmitted port number is 22. What you must understand is that the symbol greater than (>) refers to the transmission direction of the packet!
  • 192.168.1.11.1190 : The IP of the receiver is 192.168.1.11, and the host opens port 1190 to receive;
  • P 116:232(116) : This packet has the PUSH data transmission flag, and the transmitted data is 116~232 bytes of the overall data, so this packet contains 116 bytes of data;
  • ack 1 win 9648 : ACK and Window size related information.
In the simplest terms: the packet is sent from 192.168.1.100 to 192.168.1.11, from port 22 to port 1190, carries 116 bytes of data, and uses the PUSH flag rather than an active-connection flag such as SYN. Ha ha! Not easy to understand, is it? That is why I said above, please be sure to go and look at the TCP header data section!

Furthermore, on a host with very busy network traffic, when you want to obtain the packets of one host connected to you, you could combine tcpdump with pipes and regular expressions, but that is not an easy way to capture! We can extract the required data much more easily through tcpdump's filter expressions. In example 1 above we only monitored eth0, so all the data on the entire eth0 interface was displayed on the screen, which is not easy to analyse! So can we simplify it? For example, to extract only the connection packets of port 21, you can do the following:
[root@linux ~]# tcpdump -i eth0 -nn port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 1 win 65535
01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240: P 1:21(20) ack 1 win 5840
01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 21 win 65515
01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840
Voilà! In this way, only the traffic on port 21 is shown. If you look closely, you will see that packet transmission is bidirectional: the client side sends a "request" and the server side "responds", so of course there is return traffic. We can also understand how a connection proceeds by following the flow of packets. For example:
  1. We first enter the monitor of "tcpdump -i lo -nn" in a terminal window,
  2. Open another terminal window to log in "ssh localhost" to this machine (127.0.0.1)
So what will the output look like?
[root@linux ~]# tcpdump -i lo -nn
 1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 2 listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
 3 11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
 4 11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
 5 11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
 6 11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
 7 11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
The first two lines shown above are tcpdump's basic startup messages; then:
  • line 3 shows the packet from the client side carrying the SYN active-connection flag;
  • line 4 shows that the server side, besides responding to the client (ACK), also sets the SYN active-connection flag;
  • line 5 shows the client side responding to the server to confirm that the connection is established (ACK);
  • from line 6 onwards, data transmission begins.
Does the process in lines 3 to 5 look familiar? That's right! That is the basic process of the three-way handshake! Fun, isn't it! However, tcpdump is counted among the hacker tools for more than the functions described so far! What we have seen so far can be used to analyse the connection and transmission of packets on our host, which helps us understand how packets work and, at the same time, tells us whether the host's firewall rules need to be revised.
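The field breakdown of example 1 and the handshake in lines 3 to 5 above can both be checked mechanically. The following added example (not from the original article) parses the classic "time IP src.port > dst.port: flags seq(len) ack N win N" summary lines into a small record and then walks a capture looking for completed SYN / SYN-ACK / ACK sequences, which is the same reading you just did by eye and a useful first step when auditing which clients actually open connections to a service. The sample capture is the loopback ssh capture above with its banner lines kept to show they are skipped; the names and the regular expression are mine, and the parser only handles the old single-letter flag format shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One summary line in the classic tcpdump -nn format shown on this page, e.g.
#   01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFR.]+)"                                          # S=SYN P=PUSH F=FIN R=RST .=none
    r"(?:\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\))?"  # sequence range and payload size
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)


@dataclass
class Packet:
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq_lo: Optional[int]   # first sequence number, absolute for SYNs, relative afterwards
    length: int             # payload bytes carried by this segment
    ack: Optional[int]
    win: Optional[int]


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a summary line, or None for banner and non-IP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(
        time=g["time"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), flags=g["flags"],
        seq_lo=int(g["seq_lo"]) if g["seq_lo"] else None,
        length=int(g["length"]) if g["length"] else 0,
        ack=int(g["ack"]) if g["ack"] else None,
        win=int(g["win"]) if g["win"] else None,
    )


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def find_handshakes(packets: List[Packet]) -> List[Tuple[str, str]]:
    """(client, server) endpoints for every completed SYN, SYN-ACK, ACK sequence."""
    pending = {}   # (client, server) -> (stage, sequence number seen at that stage)
    done = []
    for p in packets:
        a, b = f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"
        if p.flags == "S" and p.ack is None:                       # step 1: SYN
            pending[(a, b)] = ("syn", p.seq_lo)
        elif p.flags == "S" and p.ack is not None and pending.get((b, a), ("",))[0] == "syn":
            if p.ack == pending[(b, a)][1] + 1:                    # step 2: SYN-ACK acknowledging ISN+1
                pending[(b, a)] = ("synack", p.seq_lo)
        elif p.flags == "." and p.ack is not None and pending.get((a, b), ("",))[0] == "synack":
            # tcpdump switches to relative sequence numbers after the SYNs, so the final
            # ACK prints as "ack 1"; with -S (absolute numbers) it would be the server ISN+1
            if p.ack in (1, pending[(a, b)][1] + 1):               # step 3: ACK
                done.append((a, b))
                del pending[(a, b)]
    return done


# Constructed sample: the loopback ssh capture from this page, banner lines included
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
"""

if __name__ == "__main__":
    for client, server in find_handshakes(parse_capture(SAMPLE_CAPTURE)):
        print(f"three-way handshake completed: {client} -> {server}")
```

Feeding it a file saved with -w is a matter of replaying it with "tcpdump -nn -r file" and piping the text in; the half-open case (a SYN that never gets its ACK) simply stays in the pending table, which is exactly the set you would want to look at when a port is being probed.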

More amazing uses follow! If we use tcpdump on a router to monitor data transmitted "in the clear", such as the FTP protocol, what do you think happens? We first issue "tcpdump -i lo port 21 -nn -X" on the host, then log in to the machine with ftp and enter an account and password. As a result, you will find the following:
[root@linux ~]# tcpdump -i lo -nn -X 'port 21'
    0x0000:  4500 0048 2a28 4000 4006 1286 7f00 0001  E..H*(@.@.......
    0x0010:  7f00 0001 0015 80ab 8355 2149 835c d825  .........U!I./.%
    0x0020:  8018 2000 fe3c 0000 0101 080a 0e2e 0b67  .....<.........g
    0x0030:  0e2e 0b61 3232 3020 2876 7346 5450 6420  ...a220.(vsFTPd.
    0x0040:  322e 302e 3129 0d0a                      2.0.1)..

    0x0000:  4510 0041 d34b 4000 4006 6959 7f00 0001  E..A.K@.@.iY....
    0x0010:  7f00 0001 80ab 0015 835c d825 8355 215d  ........./.%.U!]
    0x0020:  8018 2000 fe35 0000 0101 080a 0e2e 1b37  .....5.........7
    0x0030:  0e2e 0b67 5553 4552 2064 6d74 7361 690d  ...gUSER.dmtsai.
    0x0040:  0a                                       .

    0x0000:  4510 004a d34f 4000 4006 694c 7f00 0001  E..J.O@.@.iL....
    0x0010:  7f00 0001 80ab 0015 835c d832 8355 217f  ........./.2.U!.
    0x0020:  8018 2000 fe3e 0000 0101 080a 0e2e 3227  .....>........2'
    0x0030:  0e2e 1b38 5041 5353 206d 7970 6173 7377  ...8PASS.mypassw
    0x0040:  6f72 6469 7379 6f75 0d0a                 ordisyou..
The above output has been simplified; you will have to search for the relevant strings in your own output. From the highlighted parts of the output above we can see that the FTP software is vsftpd, the user entered the account name dmtsai, and the password is mypasswordisyou. Hey! Isn't that scary? What if you are transmitting your Internet data in clear text? That's why we often say that the Internet is very insecure!
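The -X dump above can be decoded mechanically, which is how a defender audits a capture for cleartext authentication instead of reading hex by eye. The following added example (not from the original article) rebuilds the raw bytes from the hex column of each dump, walks the IPv4 and TCP headers using their own length fields to isolate the application payload, and reports FTP USER/PASS commands sent in the clear, redacting the password so the report itself does not leak it. The sample dump is the three packets shown above (server greeting, USER, PASS); the regular expressions and function names are mine, and the parser assumes the dump starts at the IP header, as -X output does.

```python
import re
from typing import List, Tuple

# Constructed sample: the three -X dumps shown above (server greeting, USER, PASS)
SAMPLE_DUMP = """\
    0x0000:  4500 0048 2a28 4000 4006 1286 7f00 0001  E..H*(@.@.......
    0x0010:  7f00 0001 0015 80ab 8355 2149 835c d825  .........U!I./.%
    0x0020:  8018 2000 fe3c 0000 0101 080a 0e2e 0b67  .....<.........g
    0x0030:  0e2e 0b61 3232 3020 2876 7346 5450 6420  ...a220.(vsFTPd.
    0x0040:  322e 302e 3129 0d0a                      2.0.1)..

    0x0000:  4510 0041 d34b 4000 4006 6959 7f00 0001  E..A.K@.@.iY....
    0x0010:  7f00 0001 80ab 0015 835c d825 8355 215d  ........./.%.U!]
    0x0020:  8018 2000 fe35 0000 0101 080a 0e2e 1b37  .....5.........7
    0x0030:  0e2e 0b67 5553 4552 2064 6d74 7361 690d  ...gUSER.dmtsai.
    0x0040:  0a                                       .

    0x0000:  4510 004a d34f 4000 4006 694c 7f00 0001  E..J.O@.@.iL....
    0x0010:  7f00 0001 80ab 0015 835c d832 8355 217f  ........./.2.U!.
    0x0020:  8018 2000 fe3e 0000 0101 080a 0e2e 3227  .....>........2'
    0x0030:  0e2e 1b38 5041 5353 206d 7970 6173 7377  ...8PASS.mypassw
    0x0040:  6f72 6469 7379 6f75 0d0a                 ordisyou..
"""

# "0xNNNN:  hex groups  ascii": the ASCII column is separated by two or more spaces and
# is discarded, since '.' there stands for any unprintable byte
DUMP_LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")


def parse_hexdump(text: str) -> List[bytes]:
    """Rebuild raw packets; a non-dump line or a new 0x0000 offset starts the next packet."""
    packets, buf = [], bytearray()
    for line in text.splitlines():
        m = DUMP_LINE_RE.match(line)
        if not m:
            if buf:
                packets.append(bytes(buf))
                buf = bytearray()
            continue
        offset = int(m.group(1), 16)
        hex_part = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        if offset == 0 and buf:
            packets.append(bytes(buf))
            buf = bytearray()
        elif offset != len(buf):
            raise ValueError(f"offset {offset:#x} does not follow {len(buf)} bytes")
        buf += bytes.fromhex(hex_part.replace(" ", ""))
    if buf:
        packets.append(bytes(buf))
    return packets


def tcp_payload(pkt: bytes) -> Tuple[str, str, bytes]:
    """Walk the IPv4 and TCP headers and return (src endpoint, dst endpoint, payload)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = int.from_bytes(pkt[2:4], "big")    # bounds the payload (ignore trailer/padding)
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    data_off = (tcp[12] >> 4) * 4                  # TCP header length incl. options
    return f"{src}:{sport}", f"{dst}:{dport}", pkt[ihl + data_off:total_len]


FTP_CMD_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\r?\n", re.IGNORECASE)


def find_cleartext_ftp_credentials(packets: List[bytes]) -> List[Tuple[str, str, str, str]]:
    """Findings (src, dst, command, detail) for logins sent to port 21 in the clear;
    the password itself is never copied into the finding, only its length."""
    findings = []
    for pkt in packets:
        src, dst, payload = tcp_payload(pkt)
        if not dst.endswith(":21"):
            continue                               # only client -> server carries the login
        m = FTP_CMD_RE.match(payload)
        if not m:
            continue
        cmd = m.group(1).decode().upper()
        value = m.group(2).decode(errors="replace")
        if cmd == "PASS":
            value = f"<redacted, {len(value)} chars>"
        findings.append((src, dst, cmd, value))
    return findings


if __name__ == "__main__":
    for src, dst, cmd, detail in find_cleartext_ftp_credentials(parse_hexdump(SAMPLE_DUMP)):
        print(f"cleartext FTP {cmd} from {src} to {dst}: {detail}")
```

The header walk matters because both headers can carry options: here the TCP header is 32 bytes (timestamps), so the payload starts at byte 52, not at the 40 a fixed-offset parser would assume, and the IP total length keeps any trailing padding out of the payload.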

In addition, you should understand that for the network interface to let tcpdump listen, the interface is put into "promiscuous mode" when tcpdump runs, so you will see many warning messages in /var/log/messages telling you that your network card has entered promiscuous mode! Don't worry, that's normal. For more applications, please refer to man tcpdump.

Example: How do you use tcpdump to monitor (1) packet data from the eth0 interface card, (2) where the protocol port is 22, and (3) where the source host is 192.168.1.100?

answer:
  • tcpdump -i eth0 -nn 'port 22 and src host 192.168.1.100'

ethereal

Besides tcpdump, you can also use ethereal, a handy network traffic analyser! ethereal comes in a text-mode and a graphical version; the text-mode version is used much like tcpdump, except that its command is called tethereal. Because the usage is so similar, I suggest you just consult man tethereal! CentOS already ships ethereal, so just install it from the installation discs. You need to install both ethereal and ethereal-gnome.

Starting it is simple: under X Window, open a terminal and type ethereal, and a screen like the following appears:


Figure 5: ethereal usage example

The simplest way is to click the button shown in the figure above, which opens a window for selecting the interface to listen on, as shown below:


Figure 6: ethereal usage example

Choose the interface to listen on. Because this is only a test, 鳥哥 is using the internal lo interface here; you should of course select your own network interface. After pressing start, the capture screen appears:


Figure 7: ethereal usage example

On this screen you can see many kinds of packet protocols. When you are done, press "stop" to end listening, and the packet analysis screen shown below appears.


Figure 8: ethereal usage example

The packet analysis screen is divided into three blocks, as shown above. The first block mainly shows the packet header data, which looks somewhat like tcpdump's output; the second block shows the detailed headers, including the frame contents, the protocol contents, the socket pair and so on; the third block shows the hexadecimal and ASCII dump. With ethereal you get all the packet contents you need at once, and in a graphical interface, which is very convenient! By selecting different packets in the first block you can inspect the data of each packet.


nc, netcat

nc can be used to test certain services, because it can connect to a port and talk to it; in addition, it can open a port of its own to listen for connections from other users! Very handy! If it is compiled with the 'GAPING_SECURITY_HOLE' option, heh heh, this software can also be used to obtain a bash shell on the client side! Scary! Our CentOS is more sensible and does not build it with that option, so we cannot use it as hacking software, but it is still a great replacement for telnet! (Some systems rename the executable to netcat.)
[root@linux ~]# nc [IP|host] [port]
[root@linux ~]# nc -l -p [port]
Parameters:
-l : listen, i.e. open a port and wait for a user's connection;
-p : the port number to open

Example 1: connect to local port 25 and look at the messages
[root@linux ~]# nc localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 pc.dm.tsai ESMTP Postfix
ehlo localhost
250-pc.dm.tsai
250-PIPELINING
250-SIZE 40000000
250-ETRN
quit
221 Bye
This simplest use is almost the same as telnet: you can check a service with it! But the more amazing part comes next: we can set up a connection between two ends to pass messages! For example, first start a listening port on the client side:
Example 2: open a port to listen for users' connection requests
[root@linux ~]# nc -l -p 20000
# Opens port 20000 on the host; if you now run netstat -tlnp
# you will see an extra port 20000 on the system listening for users' connections!
Then on the host side, also use nc to connect to the client, and type some commands:
[root@linux ~]# nc localhost 20000
   <== you can start typing strings here!
At this point, whatever we type on the host side shows up at the same time on the client side! If you add some extra parameters, for example using standard input and output (stdout, stdin), you can do many things through this connection! Of course nc can do more than this, and you will find many more uses for it! Have a look at the scripts in the /usr/share/doc/nc-1.10/scripts directory on your host; they are helpful! However, if you need to build a version with the GAPING_SECURITY_HOLE feature so that both ends
