[2018 Sangfor Lion Dance Program] Study Notes of "Network Protocol"


Week 3 (5.07-5.13)

Course: Network Basics
Compulsory: TCP/IP model, protocol features
Elective: "Policy routing, Netfilter, iptables development knowledge training handout"
Basic requirements: TCP, UDP, ARP, NAT, gateway, bridge, VLAN, routing, packet capture tools tcpdump/wireshark

Part 1: Using Wireshark

1. Wireshark installation

Installing the network traffic analysis tool Wireshark on Ubuntu 16.04:

sudo apt-add-repository ppa:wireshark-dev/stable

sudo apt-get update

sudo apt-get install wireshark


If the configuration window shown during installation does not pop up, run the following command:

sudo dpkg-reconfigure wireshark-common

If you want to use the command line version, you need to install tshark

sudo apt-get install tshark

To capture packets on a specific network interface and port from the command line:

sudo tshark -i eth0 port 8080

At this point the command will fail; you first need to set up permissions as described in the next step.

2. Permission/User Group Settings

GUI: an ordinary user cannot open the network interface for packet capture, and Wireshark advises against running it as root via sudo.


Solution

sudo vim /etc/group

Append the name of the currently logged-in user to the line “wireshark:x:130:”; in my case it is “luojie”. Tip: press i to insert, type the user name, press Esc, then type ":wq" to save. After completing these steps you must log out and log back in for the change to take effect, then open Wireshark again.


It works normally after restarting.


3. Launching Wireshark

Type wireshark in a terminal to open it:

wireshark


Typing this every time is inconvenient, so right-click the icon and choose "Lock to Launcher" to pin it to the desktop launcher.


4. Basic usage of Wireshark

Wireshark captures every packet the system sends and receives. If the capture interface is wireless and the promiscuous-mode option is selected, other packets on the network will also be seen.


TCP establishes a connection with a three-way handshake; the three segments exchanged are SYN, SYN/ACK and ACK. The first step is to find the initial SYN sent by the PC to the web server, which marks the start of the handshake.
If you can't find it, click in the Display Filter bar, enter the filter expression tcp.flags.syn==1 and press Enter; only the matching packets are then shown.


Because the school's 20 GB traffic cap is not enough and, being poor, I have no money for Internet access, my computer is configured with shadowsocks+IPv6 (traffic-free Internet access that also doubles as a "ladder", i.e. a proxy), so in the screenshots the packets all go to a local IP and the outside traffic is all IPv6.

Part 2: Using tcpdump

0_0 I only noticed afterwards: on Linux you don't really need Wireshark at all.....

1. List the network interfaces with tcpdump -D

tcpdump -D


2. Capture all traffic

sudo tcpdump -i <number of the interface to monitor>

sudo tcpdump -i any


Common tcpdump options

-i  specify the network interface to listen on
-c  specify the number of packets to capture before exiting
-s  specify the snapshot length, i.e. how many bytes of each packet to capture
-w  write the captured packets to a file instead of printing them

To capture packets between 10.10.10.10 and either 20.20.20.20 or 30.30.30.30 (the parentheses are escaped so the shell passes them through to tcpdump):

tcpdump host 10.10.10.10 and \(20.20.20.20 or 30.30.30.30\)

Let's try capturing web traffic; I'll just use CSDN, whose IP is 47.95.47.253.


Start listening:

sudo tcpdump host 47.95.47.253


Then refresh the page in the browser and the packets appear.

To capture the IP packets between 210.27.48.1 and every host except 210.27.48.2:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

To capture packets sent from 10.10.10.10:80:

tcpdump -i eth0 src host 10.10.10.10 and src port 80

To capture packets destined for 10.10.10.10:80:

tcpdump -i eth0 dst host 10.10.10.10 and dst port 80

Capture only SYN packets (the TCP flags byte, tcp[13], equals 2). The filter expression is quoted so the shell does not treat the brackets as a glob pattern:

tcpdump -i eth0 'tcp[13]==2'

Capture only FIN packets (flags byte equals 1):

tcpdump -i eth2 'tcp[13]==1'

Capture only SYN/ACK packets (flags byte equals 18, i.e. 0x12 = SYN + ACK):

tcpdump -i eth2 'tcp[13]==18'

Capture SYN and SYN/ACK packets to or from 10.10.10.10:80. Note that in tcpdump "and" binds tighter than "or", so the two flag tests must be parenthesised; without the parentheses the filter would match every SYN on the interface regardless of host and port:

tcpdump -i eth2 '(tcp[13]==2 or tcp[13]==18) and port 80 and host 10.10.10.10'
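As an added example (not part of the original notes), the following Python decodes the TCP flags byte that these tcp[13] filters test, reproduces the and/or precedence difference between the last filter written without and with parentheses, and shows why an exact tcp[13]==2 test misses SYNs that carry the ECN bits. The packets, client ports and addresses are constructed; only the host 10.10.10.10 and port 80 come from the notes.

```python
import struct
from dataclasses import dataclass

# Bit values in the TCP flags byte, i.e. tcp[13] in the filters above.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

@dataclass
class Packet:
    src: str
    dst: str
    tcp: bytes  # raw TCP header, as tcpdump sees it after the IP header

def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header: ports, seq, ack, data offset, flags, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def flags_of(pkt: Packet) -> int:
    return pkt.tcp[13]

def port(pkt: Packet, p: int) -> bool:
    """tcpdump's 'port p' matches either the source or the destination port."""
    return p in struct.unpack("!HH", pkt.tcp[:4])

def host(pkt: Packet, h: str) -> bool:
    return h in (pkt.src, pkt.dst)

def filter_as_written(pkt: Packet, h: str, p: int) -> bool:
    """'tcp[13]==2 or tcp[13]==18 and port p and host h': and binds tighter than or."""
    return flags_of(pkt) == 2 or (flags_of(pkt) == 18 and port(pkt, p) and host(pkt, h))

def filter_intended(pkt: Packet, h: str, p: int) -> bool:
    """'(tcp[13]==2 or tcp[13]==18) and port p and host h'."""
    return (flags_of(pkt) == 2 or flags_of(pkt) == 18) and port(pkt, p) and host(pkt, h)

def is_syn_robust(pkt: Packet) -> bool:
    """SYN without ACK, ignoring the ECN bits (CWR/ECE) that an exact tcp[13]==2 test misses."""
    return flags_of(pkt) & (SYN | ACK) == SYN

# Constructed sample traffic (client addresses from RFC 5737 documentation ranges).
PACKETS = [
    Packet("192.0.2.10", "10.10.10.10", tcp_header(40000, 80, SYN)),              # 0 handshake to server
    Packet("10.10.10.10", "192.0.2.10", tcp_header(80, 40000, SYN | ACK)),        # 1 server's reply
    Packet("192.0.2.10", "198.51.100.5", tcp_header(40001, 443, SYN)),            # 2 unrelated SYN
    Packet("10.10.10.10", "192.0.2.10", tcp_header(80, 40000, ACK)),              # 3 plain ACK
    Packet("192.0.2.11", "10.10.10.10", tcp_header(40002, 80, SYN | ECE | CWR)),  # 4 ECN-setup SYN
]

def matching(flt) -> list[int]:
    """Indices of the sample packets accepted by a filter for host 10.10.10.10, port 80."""
    return [i for i, pkt in enumerate(PACKETS) if flt(pkt, "10.10.10.10", 80)]
```

The unparenthesised filter also accepts packet 2, the SYN to an unrelated host, while neither exact-match filter sees the ECN-setup SYN in packet 4.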
