Detailed explanation of packet capture tools in Linux system

Sometimes you want to see which packets are passing through a particular network card, especially when you suspect that the server is under a traffic attack: a packet capture tool lets you record the packets and find out which IPs are sending them.

14.2.1 The specific usage of the tcpdump tool is as follows:

# tcpdump -nn -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
09:41:46.647812 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 3649233742:3649233954, ack 443629343, win 251, length 212
09:41:46.647976 IP 192.168.72.1.52219 > 192.168.72.128.22: Flags [.], ack 212, win 253, length 0
09:41:46.648337 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 212:504, ack 1, win 251, length 292
09:41:46.648493 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 504:668, ack 1, win 251, length 164
09:41:46.648562 IP 192.168.72.1.52219 > 192.168.72.128.22: Flags [.], ack 668, win 252, length 0
09:41:46.648651 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 668:928, ack 1, win 251, length 260
09:41:46.648744 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 928:1092, ack 1, win 251, length 164
09:41:46.648800 IP 192.168.72.1.52219 > 192.168.72.128.22: Flags [.], ack 1092, win 256, length 0
09:41:46.648875 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 1092:1368, ack 1, win 251, length 276
09:41:46.648978 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 1368:1532, ack 1, win 251, length 164
09:41:46.649035 IP 192.168.72.1.52219 > 192.168.72.128.22: Flags [.], ack 1532, win 254, length 0
09:41:46.649128 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 1532:1808, ack 1, win 251, length 276
09:41:46.649206 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 1808:1972, ack 1, win 251, length 164
09:41:46.649297 IP 192.168.72.1.52219 > 192.168.72.128.22: Flags [.], ack 1972, win 253, length 0
09:41:46.649433 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 1972:2248, ack 1, win 251, length 276
09:41:46.649531 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 2248:2412, ack 1, win 251, length 164
09:41:46.649591 IP 192.168.72.1.52219 > 192.168.72.128.22: Flags [.], ack 2412, win 251, length 0
09:41:46.649675 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 2412:2688, ack 1, win 251, length 276
09:41:46.649760 IP 192.168.72.128.22 > 192.168.72.1.52219: Flags [P.], seq 2688:2852, ack 1, win 251, length 164
09:41:46.649809 IP 192.168.72.1.52219 > 192.168.72.128.22: Flags [.], ack 2852, win 256, length 0

After pressing Enter, a dense stream of text appears and keeps scrolling until you press Ctrl+C. The faster the screen scrolls, the more packets are passing through the network card. If the tcpdump command is not present, install it with:

# dnf install -y tcpdump

In the above example, we only need to focus on columns 3 and 4, which show which IP and port is talking to which IP and port. The rest of each line is detail about the packet (TCP flags, sequence numbers, window size, length); it does not matter if you do not understand it. The -i option is followed by the device name; to capture packets on another network card, give that card's name instead. The -nn option makes columns 3 and 4 display as "IP + port number"; without it, tcpdump resolves them to "host name + service name", which is slower and less precise. A Ming also often uses tcpdump in shell scripts. You may ask: a shell script runs unattended, so how do we press Ctrl+C to stop the capture? tcpdump has other options for that.

# tcpdump -nn -i ens33 -c 100

In the above example, the function of -c is to specify the number of captured packets, and it will automatically exit after capturing enough, so we don’t need to manually cancel it. A Ming will give you a few common examples:

  • Only capture packets on port 22
# tcpdump -nn -i ens33 port 22
  • Capture TCP packets only, excluding port 22
# tcpdump -nn -i ens33 tcp and not port 22
  • Only capture packets on port 22 or port 53 (note the "or": "port 22 and port 53" would require a single packet to involve both ports, which almost never happens)
# tcpdump -nn -i ens33 port 22 or port 53

14.2.2 The wireshark tool

You may have used wireshark, a very powerful packet capture tool on Windows. It can also be used on Linux, but there in command-line form. A Ming will not go through wireshark's options in detail; for daily work, tcpdump is usually enough. The usages below are ones A Ming uses a lot in his work, and you should master them.

# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"

The command we want to execute is tshark. It is not installed on Linux by default; install it with the following command (on Fedora/RHEL-family systems the tshark binary itself lives in the wireshark-cli package, which the wireshark package pulls in):

# dnf install -y wireshark

Now look at the tshark command above. It is meant for web servers and displays information like the following (one line per HTTP request, with the requested fields separated by tabs). Note that on current tshark versions -R is only accepted together with -2 (two-pass mode); for a single-pass display filter use -Y instead:

Jun 26, 2022 09:11:44.017592529 CST    116.179.32.105    ask.apelearn.com    GET    /question/96924473532

This is similar to web access logs. If the server is not configured with access logs, you can temporarily use this command to check the web requests on the current server. It should be noted here that if the web service is not enabled on your machine, nothing will be displayed.
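The text points out that this output is a stand-in for a web access log. Since "-T fields" prints the requested fields separated by tabs, the output is easy to post-process. The sh script below is an added example (not part of the original post) that reads those five fields and counts how many distinct URIs each source IP requested: a source that walks through many different URIs in a short time looks like a crawler or scanner rather than a visitor reloading one page, which a plain requests-per-IP count would not distinguish. The sample lines are constructed; the addresses 203.0.113.7 and 198.51.100.4 and the host shop.example.test are made up, and the interface name ens33 in the comment comes from the tcpdump section of the text.

```shell
#!/bin/sh
# Added example (not from the original post): post-process the tab-separated
# output of
#   tshark -n -i ens33 -Y http.request -T fields -e frame.time -e ip.src \
#       -e http.host -e http.request.method -e http.request.uri
# (-Y is the single-pass display filter on current tshark; the text uses -R).
# Field layout: $1 frame.time  $2 ip.src  $3 http.host  $4 method  $5 uri

# Print "count source_ip" where count is the number of distinct URIs that
# source requested, largest first. Lines with fewer than five fields are ignored.
distinct_uris_per_source() {
    awk -F'\t' 'NF >= 5 { print $2 "\t" $5 }' | sort -u | cut -f1 | sort | uniq -c | sort -rn
}

# Print the source IPs that requested more than $1 distinct URIs (default 2).
flag_sources() {
    limit=${1:-2}
    distinct_uris_per_source | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# Constructed sample in the same layout: one source fetches three different
# items (one of them twice), another fetches only the front page.
SAMPLE=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  'Jun 26, 2022 09:11:44.017592529 CST' 203.0.113.7  shop.example.test GET /item/1 \
  'Jun 26, 2022 09:11:44.020000000 CST' 203.0.113.7  shop.example.test GET /item/2 \
  'Jun 26, 2022 09:11:44.030000000 CST' 203.0.113.7  shop.example.test GET /item/2 \
  'Jun 26, 2022 09:11:44.040000000 CST' 203.0.113.7  shop.example.test GET /item/3 \
  'Jun 26, 2022 09:11:45.000000000 CST' 198.51.100.4 shop.example.test GET /)

# Per-source distinct URI counts, then the sources above the default threshold.
printf '%s\n' "$SAMPLE" | distinct_uris_per_source
printf '%s\n' "$SAMPLE" | flag_sources
```

The threshold in flag_sources is deliberately a parameter: what counts as "too many distinct URIs" depends on the site, so pick it from a quiet period's capture rather than hard-coding it.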

# tshark -n -i eth1 -R 'mysql.query' -T fields -e "ip.src" -e "mysql.query"

The above command captures the MySQL queries seen on the eth1 network card, but it only works when MySQL listens on port 3306, because that is the port tshark's mysql dissector is attached to by default. If MySQL uses another port, tell tshark to decode that port as MySQL with -d, as in the following method:

# tshark -i eth1 port 3307 -d tcp.port==3307,mysql -z "proto,colinfo,mysql.query,


Origin blog.csdn.net/am_Linux/article/details/130209803