tcpdump packet capture tool detailed graphic tutorial (Part 1)

Table of contents

1. Basic introduction and learning basis of tcpdump packet capture tool

1.1 Commonly used packet capture tools

1.2 Introduction to tcpdump packet capture tool

2. The use environment and initial experience of tcpdump packet capture tool 

2.1 Compile and install tcpdump

2.2 Capture packets

3. Explain the TCP protocol packet header

4. General filtering rules of tcpdump packet capture tool 

4.1 The host and net filtering rules of tcpdump

4.2 tcpdump port-based filtering rules 

4.3 tcpdump rules based on protocol filtering


1. Basic introduction and learning basis of tcpdump packet capture tool

1.1 Commonly used packet capture tools

        For an operations or test engineer, a packet capture tool is not only something you will inevitably use at work, but also a type of tool that is almost certain to come up during an interview.

1.2 Introduction to tcpdump packet capture tool

        tcpdump (short for "dump the traffic on a network") is a command-line packet capture tool that runs on Linux and captures the packets passing over the network according to the filter the user specifies.

Functions that tcpdump can support:

  1. Capture all packets passing through the network interfaces of a Linux host for analysis;
  2. Filter captures by network-layer and transport-layer protocols (and others);
  3. Filter by host, network interface, port, and the direction in which data is sent or received;
  4. Combine rules with and, or and not to capture exactly the packets of interest, or to drop unwanted traffic;
  5. Save the captured packets for analysis in Wireshark.

To use the tcpdump tool flexibly, there must be two necessary knowledge bases:

  • Linux operating system: tcpdump is a command-line tool for Linux, so you need a working knowledge of basic Linux operations and common commands;
  • Network knowledge: tcpdump captures the raw packets travelling over the network, so to make sense of a capture you need to understand the OSI seven-layer model and the common network protocols.

2. The use environment and initial experience of tcpdump packet capture tool 

Official website for downloading tcpdump: Home | TCPDUMP & LIBPCAP (tcpdump.org)

        If you want to practice with this tool, you can install a Linux virtual machine or rent a Linux cloud server. The demonstration here uses a CentOS 7 virtual machine, but tcpdump is used in essentially the same way on every Linux distribution.

2.1 Compile and install tcpdump

[root@mysql01 ~]# tar -zxvf tcpdump-4.99.4.tar.gz
[root@mysql01 ~]# tar -zxvf libpcap-1.10.4.tar.gz 
[root@mysql01 ~]# cd libpcap-1.10.4/
[root@mysql01 ~/libpcap-1.10.4]# ./configure 
[root@mysql01 ~/libpcap-1.10.4]# make && make install
[root@mysql01 ~/libpcap-1.10.4]# cd ../tcpdump-4.99.4/
[root@mysql01 ~/tcpdump-4.99.4]# ./configure 
[root@mysql01 ~/tcpdump-4.99.4]# make && make install

2.2 Capture packets

Press Ctrl+C to stop a running capture.

        Running plain tcpdump with no arguments listens on the first network interface, usually eth0, and prints every packet flowing through it (tcpdump -i any listens on all interfaces instead). A typical line of output looks like this:

12:26:14.871117 IP mysql01.ssh > 192.168.170.1.62763: Flags [P.], seq 3365399120:3365399316, ack 384892789, win 261, length 196

From the above output, it can be concluded that:

  • The first column: the timestamp, hours:minutes:seconds and fraction of a second (12:26:14.871117)
  • The second column: the network-layer protocol, IP
  • The third column: the sender's address and port. tcpdump joins them with a dot: for mysql01.ssh, mysql01 is the hostname and ssh is the service name for port 22; for an unresolved endpoint such as 192.168.170.1.62763, 192.168.170.1 is the IP address and 62763 is the port number
  • The fourth column: the arrow >, indicating the direction of data flow
  • The fifth column: the receiver's address and port, here 192.168.170.1.62763 (IP address 192.168.170.1, port 62763)
  • The sixth column: the packet details, including the Flags field, the seq number, the ack number, the win (window) size and the data length. [P.] means the PUSH flag is set; you need to understand the TCP flags to read the other letters.
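To make the six columns concrete, here is an added example (not part of the original tutorial) that parses tcpdump's default one-line TCP summary into its fields. The regular expression, the TcpSummary class and the second sample line are constructed for this example; the first sample line is the one shown above, and the flag letters follow the tcpdump man page (F, S, R, P, ., U, E, W).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# tcpdump's single-letter TCP flag codes, in the order tcpdump prints them.
FLAG_NAMES = {
    "F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
    ".": "ACK", "U": "URG", "E": "ECE", "W": "CWR",
}

# Constructed regex for the default one-line TCP summary.  It covers the six
# columns described in the text; UDP/ICMP lines and -v output are out of scope.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<proto>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r".*?, length (?P<length>\d+)$"
)


@dataclass
class TcpSummary:
    timestamp: str
    proto: str
    src_host: str
    src_port: str      # port number or service name, exactly as printed
    dst_host: str
    dst_port: str
    flags: List[str]   # decoded names, e.g. ["PSH", "ACK"]
    seq: Optional[int]
    seq_end: Optional[int]
    ack: Optional[int]
    win: Optional[int]
    length: int


def split_endpoint(endpoint: str):
    """'192.168.170.1.62763' -> ('192.168.170.1', '62763'); 'mysql01.ssh' -> ('mysql01', 'ssh').
    tcpdump joins host and port with a dot, so the port is always the last component."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def decode_flags(code: str) -> List[str]:
    """Expand a '[P.]'-style code; tcpdump prints 'none' when no flag bit is set."""
    if code == "none":
        return []
    return [FLAG_NAMES[c] for c in code]


def parse_line(line: str) -> TcpSummary:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a tcpdump TCP summary line: %r" % line)
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    to_int = lambda g: int(m.group(g)) if m.group(g) is not None else None
    return TcpSummary(
        timestamp=m.group("ts"), proto=m.group("proto"),
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
        flags=decode_flags(m.group("flags")),
        seq=to_int("seq"), seq_end=to_int("seq_end"),
        ack=to_int("ack"), win=to_int("win"),
        length=int(m.group("length")),
    )


# The line from the tutorial, plus one constructed pure-ACK reply to it.
SAMPLE_LINES = [
    "12:26:14.871117 IP mysql01.ssh > 192.168.170.1.62763: Flags [P.], seq 3365399120:3365399316, ack 384892789, win 261, length 196",
    "12:26:14.871402 IP 192.168.170.1.62763 > mysql01.ssh: Flags [.], ack 3365399316, win 2052, length 0",
]

if __name__ == "__main__":
    for summary in map(parse_line, SAMPLE_LINES):
        print(summary)
```

Note that seq is absent from a pure acknowledgement and that the seq range ends at seq + length, which is exactly the value the other side acknowledges in the constructed reply.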

3. Explain the TCP protocol packet header

        TCP (Transmission Control Protocol) is, as its name implies, a transport-layer protocol that exercises control over how data is transmitted.
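The flags, seq, ack and win values tcpdump prints all come straight from the fixed 20-byte TCP header. The following added example (not from the original tutorial) decodes that header from raw bytes and re-renders the sixth column of the capture line shown earlier. build_tcp and SAMPLE_SEGMENT are constructed for this example; the field layout follows RFC 793 and the flag letters follow the tcpdump man page, but the summary format only mirrors the fields shown in the tutorial, not every detail of tcpdump's output.

```python
import struct
from typing import Dict, List

# Flag bits in the 16-bit word after the acknowledgement number (RFC 793 / RFC 3168).
# The data offset (header length in 32-bit words) sits in the top 4 bits of the same word.
TCP_FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080,
}

# tcpdump's letter for each flag, in the order tcpdump prints them inside [...].
TCPDUMP_LETTERS = [("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"),
                   ("ACK", "."), ("URG", "U"), ("ECE", "E"), ("CWR", "W")]

# sport, dport, seq, ack, offset+flags, window, checksum, urgent pointer: 20 bytes, big-endian.
TCP_FIXED_HEADER = struct.Struct("!HHIIHHHH")


def decode_tcp(segment: bytes) -> Dict:
    """Decode the fixed TCP header of one segment (the IP header is not included)."""
    if len(segment) < TCP_FIXED_HEADER.size:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = TCP_FIXED_HEADER.unpack_from(segment)
    header_len = (off_flags >> 12) * 4          # includes any options
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset: header length %d" % header_len)
    flags = [name for name, bit in TCP_FLAG_BITS.items() if off_flags & bit]
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "win": win, "checksum": csum, "urgent": urg,
        "header_len": header_len,
        "payload_len": len(segment) - header_len,
    }


def tcpdump_flags(flags: List[str]) -> str:
    """Render flag names as tcpdump's bracketed letters, e.g. ['PSH', 'ACK'] -> 'P.'."""
    letters = "".join(letter for name, letter in TCPDUMP_LETTERS if name in flags)
    return letters or "none"


def tcpdump_summary(segment: bytes) -> str:
    """Sixth column as in the tutorial's line: seq a:b only when there is payload
    (bare seq for SYN/FIN/RST), ack only when the ACK flag is set, then win and length."""
    h = decode_tcp(segment)
    parts = ["Flags [%s]" % tcpdump_flags(h["flags"])]
    if h["payload_len"] > 0:
        parts.append("seq %d:%d" % (h["seq"], h["seq"] + h["payload_len"]))
    elif any(f in h["flags"] for f in ("SYN", "FIN", "RST")):
        parts.append("seq %d" % h["seq"])
    if "ACK" in h["flags"]:
        parts.append("ack %d" % h["ack"])
    parts.append("win %d" % h["win"])
    parts.append("length %d" % h["payload_len"])
    return ", ".join(parts)


def build_tcp(sport, dport, seq, ack, flags, win, payload=b"") -> bytes:
    """Constructed helper: assemble an option-less segment; the checksum is left as 0."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAG_BITS[name]
    off_flags = (5 << 12) | bits                # 5 words = 20-byte header, no options
    return TCP_FIXED_HEADER.pack(sport, dport, seq, ack, off_flags, win, 0, 0) + payload


# Constructed segment carrying the values from the tutorial's capture line.
SAMPLE_SEGMENT = build_tcp(22, 62763, 3365399120, 384892789, ["PSH", "ACK"], 261, b"\x00" * 196)

if __name__ == "__main__":
    print(decode_tcp(SAMPLE_SEGMENT))
    print(tcpdump_summary(SAMPLE_SEGMENT))
```

The seq range 3365399120:3365399316 in the tutorial's line is therefore just the starting sequence number plus the 196 payload bytes, and [P.] is PSH and ACK set together.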

4. General filtering rules of tcpdump packet capture tool 

4.1 The host and net filtering rules of tcpdump

Filter based on IP address: host

Case 1: Intercept all data packets received and sent by the host of a specific host 192.168.170.134

tcpdump host 192.168.170.134

Explanation: host 192.168.170.134 names a single host. If you already know which host sends and receives the packets you care about, you can filter on it directly: putting its IP address after host captures only the packets that this host sends or receives, and packets of all other hosts are filtered out.

Case 2: Get the message whose destination address is 192.168.170.134

tcpdump dst 192.168.170.134

Explanation: dst means destination address. src and dst are the keywords that restrict the direction of traffic: src selects the source, dst the destination.

Filter based on network segment: net

Case 3: Intercept all data packets received and sent by hosts in a specific network segment 192.168.170.0/24

tcpdump net 192.168.170.0/24

Explanation: net 192.168.170.0/24 names the network segment 192.168.170.0/24 and captures only packets whose source or destination lies in it. The segment can also be restricted to the source or the destination side.

tcpdump src net 192.168

tcpdump dst net 192.168

A network written with fewer than four octets, such as 192.168, is taken as a prefix: net 192.168 is equivalent to net 192.168.0.0/16.

4.2 tcpdump port-based filtering rules 

Filter based on port: port

Case 4: To get the package of a specific port such as http, use the following command:

tcpdump tcp port 80

Explanation: port 80 selects port 80, so only packets with port 80 as source or destination are captured. Adding the protocol in front of the port narrows the capture to the corresponding service: as the figure shows, this command captures only TCP datagrams on port 80, that is, HTTP traffic. The direction can be restricted as well: tcpdump src port 80 / tcpdump dst port 80.

To specify two ports at the same time, write tcpdump port 80 or port 22, or the shorter tcpdump port 80 or 22.

If you want to capture a whole range of ports rather than one or two, listing them one by one is tedious. In that case specify a port range instead:

  • tcpdump portrange 8000-8080
  • tcpdump src portrange 8000-8080
  • tcpdump dst portrange 8000-8080

For the default ports of common protocols you can also use the service name instead of the port number (http = 80, https = 443, and so on): tcpdump tcp port http

4.3 tcpdump rules based on protocol filtering

Filter based on protocol: protocol

Case 5: Obtaining ICMP protocol messages

tcpdump icmp

Explanation: the protocol name selects the protocol whose packets are captured; commonly used names are ip, ip6, arp, icmp, tcp and udp.

Note: application-layer protocols such as http, dns, https and ssh cannot be written as protocol names in this way; they are selected by port instead, for example tcpdump port http or tcpdump port 53 (DNS).
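The host, net, port, portrange and protocol primitives from sections 4.1 to 4.3 share a few rules that are easy to get wrong: an undirected host/net/port matches either side of the packet, src and dst restrict it to one side, a bare prefix such as 192.168 means 192.168.0.0/16, service names stand in for port numbers, and port primitives never match protocols without ports. The following added example (constructed for this tutorial, not code from tcpdump) models those semantics over a small set of constructed packets; Packet, the SERVICES table and the sample traffic are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Union


@dataclass(frozen=True)
class Packet:
    """The fields the host/net/port/proto primitives look at (constructed model)."""
    proto: str          # "tcp", "udp", "icmp", "arp", ...
    src: str            # source IP address
    dst: str            # destination IP address
    sport: int = 0      # source port, TCP/UDP only
    dport: int = 0      # destination port, TCP/UDP only


Predicate = Callable[[Packet], bool]
IP_PROTOS = {"tcp", "udp", "icmp"}                                # carried inside IPv4 here
SERVICES = {"http": 80, "https": 443, "ssh": 22, "domain": 53}    # constructed /etc/services subset


def port_number(value: Union[int, str]) -> int:
    """tcpdump accepts a service name wherever a port number is expected."""
    return SERVICES[value] if isinstance(value, str) else int(value)


def normalize_net(spec: str) -> ipaddress.IPv4Network:
    """'192.168' -> 192.168.0.0/16 (dotted-prefix shorthand); CIDR notation passes through."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    prefix_len = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(octets), prefix_len), strict=False)


def _directional(src_test: Predicate, dst_test: Predicate, direction: Optional[str]) -> Predicate:
    """No direction: either side may match. 'src' / 'dst': only that side."""
    if direction == "src":
        return src_test
    if direction == "dst":
        return dst_test
    return lambda p: src_test(p) or dst_test(p)


def host(addr: str, direction: Optional[str] = None) -> Predicate:
    return _directional(lambda p: p.src == addr, lambda p: p.dst == addr, direction)


def net(spec: str, direction: Optional[str] = None) -> Predicate:
    network = normalize_net(spec)
    return _directional(lambda p: ipaddress.ip_address(p.src) in network,
                        lambda p: ipaddress.ip_address(p.dst) in network, direction)


def portrange(lo, hi, direction: Optional[str] = None) -> Predicate:
    lo, hi = port_number(lo), port_number(hi)
    in_range = lambda n: lo <= n <= hi
    side = _directional(lambda p: in_range(p.sport), lambda p: in_range(p.dport), direction)
    # Port primitives only apply to protocols that carry ports; ICMP/ARP never match.
    return lambda p: p.proto in ("tcp", "udp") and side(p)


def port(value, direction: Optional[str] = None) -> Predicate:
    return portrange(value, value, direction)


def proto(name: str) -> Predicate:
    if name == "ip":
        return lambda p: p.proto in IP_PROTOS
    return lambda p: p.proto == name


# Logical combination, as with tcpdump's and / or / not.
def all_of(*preds: Predicate) -> Predicate:
    return lambda p: all(f(p) for f in preds)

def any_of(*preds: Predicate) -> Predicate:
    return lambda p: any(f(p) for f in preds)

def negate(pred: Predicate) -> Predicate:
    return lambda p: not pred(p)


def run_filter(packets: List[Packet], pred: Predicate) -> List[Packet]:
    return [p for p in packets if pred(p)]


# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", "192.168.170.134", "192.168.170.1", 22, 62763),   # ssh reply from the host
    Packet("tcp", "10.0.0.5", "192.168.170.134", 41000, 80),        # http request to the host
    Packet("icmp", "192.168.170.1", "8.8.8.8"),                     # ping leaving the segment
    Packet("udp", "192.168.170.200", "192.168.170.2", 5353, 53),    # dns query inside the segment
]

if __name__ == "__main__":
    for label, pred in [("host 192.168.170.134", host("192.168.170.134")),
                        ("dst 192.168.170.134", host("192.168.170.134", "dst")),
                        ("net 192.168.170.0/24", net("192.168.170.0/24")),
                        ("src net 192.168", net("192.168", "src")),
                        ("tcp port 80", all_of(proto("tcp"), port(80))),
                        ("port 80 or port 22", any_of(port(80), port(22))),
                        ("portrange 8000-8080", portrange(8000, 8080)),
                        ("icmp", proto("icmp")),
                        ("port http", port("http"))]:
        print(label, "->", len(run_filter(SAMPLE, pred)), "packet(s)")
```

The example only models the matching semantics; the real primitives are compiled by libpcap into a BPF program, which is why tcpdump can apply them to packets in the kernel before they are copied to user space.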

Next article: tcpdump packet capture tool detailed graphic tutorial (Part 2), Stars.Sky's Blog on CSDN


Origin blog.csdn.net/weixin_46560589/article/details/130985706