Linux network data packet capture

What is network data packet capture?

Network data packet capture is an important technique for network troubleshooting and security monitoring. It captures and analyzes the packets transmitted on a network, helping administrators and security analysts diagnose faults, tune performance, and watch for attacks. Some reasons to capture packets:

  1. Troubleshooting: packet capture helps locate network faults by showing packet loss, delay, duplication and errors, so the cause can be found and fixed.
  2. Performance optimization: captured traffic can be analyzed for packet sizes, counts, transmission times and other parameters, which helps improve throughput and response time.
  3. Security monitoring: packet capture can reveal attacks, malware and other threats, so that security incidents are detected and handled in time.
  4. Application analysis: the traffic, latency and throughput of an application can be measured from its packets, exposing performance problems and errors and guiding improvements to its design and implementation.

Packet capture is therefore a basic network management technique that helps administrators and security analysts manage and protect the network and improve its availability, performance and security.

How to capture network data packets

There are several approaches. For simple cases you can use the tcpdump command line directly; for more complex analysis you can capture with Wireshark. Screenshots are not convenient here, so I will introduce the simpler tcpdump.

tcpdump

tcpdump is a command line tool for capturing and analyzing network packets. It can be used on Unix, Linux, Windows and other operating systems. It works by capturing packets on a network interface and applying filter expressions to select the packets of interest, which lets administrators monitor traffic, diagnose network problems, analyze performance, and find security vulnerabilities.

Using tcpdump

1. Before using tcpdump, we need to decide which network interface to capture on. Taking Linux as an example, list the interfaces with ifconfig or ip a. If neither command is found, install the package that provides it first:

# Ubuntu: provides ifconfig
apt-get install net-tools

# CentOS: provides ip a
yum -y install initscripts

root@93da3b39d1f0:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 4650  bytes 6677565 (6.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3744  bytes 250267 (250.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2. Let's first use the -h option to see which parameters are available.

root@93da3b39d1f0:/# tcpdump -h
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 3.0.2 15 Mar 2022
Usage: tcpdump [-AbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ] [--count]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ --immediate-mode ] [ -j tstamptype ]
                [ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
                [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
                [ --time-stamp-precision precision ] [ --micro ] [ --nano ]
                [ -z postrotate-command ] [ -Z user ] [ expression ]

Basic usage

tcpdump -i interface -nn -w reputation.txt

# for example: tcpdump -i eth0 -nn -w reputation.txt

Here -i interface selects the network interface to capture on, -nn tells tcpdump not to convert IP addresses to host names, and -w reputation.txt saves the captured packets to the file reputation.txt. Note that -w writes the packets in binary pcap format, not as text, so read the file back with tcpdump -r reputation.txt or open it in Wireshark rather than in a text editor.

3. Monitor data of specified protocol

tcpdump -i eth0 -nn 'icmp'

This captures only ICMP traffic, which is the protocol used by the ping command, and shows the details of each captured packet. The same pattern applies to other protocols: to capture TCP or UDP instead, replace icmp with tcp or udp.

4. Listen to the specified host

tcpdump -i eth0 -nn 'host 192.168.1.2'

In this case, the packets received and sent by the host 192.168.1.2 will be captured.

tcpdump -i eth0 -nn 'dst host 192.168.1.2'

With dst added, only packets whose destination is 192.168.1.2, that is, packets received by this host, are captured.

tcpdump -i eth0 -nn 'src host 192.168.1.2'

With src instead, only packets sent by this host are captured.

5. Listen to the specified port

tcpdump -i eth0 -nn -A 'port 80'

The -A parameter displays detailed information for each packet, including the source address, destination address, protocol type, packet length, sequence number, acknowledgement number, and so on. Use -A when you need to analyze packets in more detail, which helps identify potential network problems and security risks.

With port 80 specified here, only packets on port 80 of the host are captured, and -A lets you view their details more conveniently.

Of course, the port can also be combined with the host, such as

tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.2'

In this way, only port 80 traffic sent from the IP 192.168.1.2 is captured.
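As an added example (Python written for this article, not tcpdump's own code and not from the original post), the following parses a capture file in the format that -w writes and evaluates the filters from steps 3 to 5 against it, so the meaning of icmp, host, src host, dst host, port and combinations can be checked offline. The pcap bytes and packets are constructed inline, and only the classic little-endian microsecond pcap layout is handled (an assumption; tcpdump itself applies its filters as BPF before packets are written).

```python
import struct
from ipaddress import ip_address
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def build_pcap(frames):
    """Constructed pcap bytes: 24-byte global header (LINKTYPE_ETHERNET) + 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):          # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def frame(src, dst, proto, l4):
    """Constructed Ethernet + IPv4 frame; checksums are left at 0 (the parser never verifies them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\xff" * 6 + b"\x02\x42\xac\x11\x00\x02" + b"\x08\x00" + ip + l4

def read_pcap(data):
    """Parse a file as written by `tcpdump -w` into the fields the page's filters use."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:   # assumption: little-endian, microsecond pcap
        raise ValueError("unsupported capture file format")
    off, pkts = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        f, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if f[12:14] != b"\x08\x00":                          # skip non-IPv4 frames
            continue
        ihl, proto = (f[14] & 0x0F) * 4, f[23]               # IHL in 32-bit words; protocol byte
        src, dst = str(ip_address(f[26:30])), str(ip_address(f[30:34]))
        sport, dport = struct.unpack("!HH", f[14 + ihl:18 + ihl]) if proto in (6, 17) else (None, None)
        pkts.append({"proto": PROTO.get(proto, str(proto)), "src": src, "dst": dst, "sport": sport, "dport": dport})
    return pkts

def matches(p, proto=None, host=None, src=None, dst=None, port=None):
    """Same semantics as tcpdump's 'icmp', 'host H', 'src host H', 'dst host H', 'port P', and-ed together."""
    return ((proto is None or p["proto"] == proto)
            and (host is None or host in (p["src"], p["dst"]))
            and (src is None or p["src"] == src)
            and (dst is None or p["dst"] == dst)
            and (port is None or port in (p["sport"], p["dport"])))

SAMPLE = build_pcap([  # constructed traffic, not a real capture
    frame("192.168.1.2", "192.168.1.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),                       # ICMP echo request
    frame("192.168.1.2", "10.0.0.5", 6, struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 0x50, 2, 65535, 0, 0)),  # TCP SYN to port 80
    frame("192.168.1.1", "192.168.1.2", 17, struct.pack("!HHHH", 53, 40000, 8, 0)),                     # UDP DNS reply
])
def count(**expr):
    """Packets in SAMPLE matching a filter, e.g. count(port=80, src="192.168.1.2") for 'port 80 and src host 192.168.1.2'."""
    return sum(matches(p, **expr) for p in read_pcap(SAMPLE))
```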


Origin blog.csdn.net/u013379032/article/details/131989639