Introduction to the tcpdump command

The command format is: tcpdump [-nn] [-i interface] [-w file to save to] [-c count] [-AeqX] [-r file] [capture filter expression]

Parameters:

-nn: show IP addresses and port numbers directly, rather than host names and service names.

-i: followed by the network interface to "listen" on, such as eth0, lo, ppp0 and so on.

-w: if you want to save the captured packet data to a file, use this parameter followed by the file name.

-c: the number of packets to capture; without this parameter tcpdump keeps capturing until the user presses [ctrl]-c.

-A: display the packet payload as ASCII; generally used to capture packets from WWW pages.

-e: display the data-link layer (OSI layer 2) MAC addresses of the packet.

-q: list only brief packet information, so each line is more compact.

-X: list the packet contents in both hexadecimal (hex) and ASCII; useful when you want to inspect the payload.

-r: read packet data from the file that follows. That file must already exist and is typically one produced with -w.

Capture filter expression: we can capture only the packets of a particular protocol or from a particular IP source, which simplifies the output and leaves the most useful information. Common forms are:

     'host foo', 'host 127.0.0.1': capture packets to or from a single host.

     'net 192.168': capture packets to or from a network segment.

     'src host 127.0.0.1', 'dst net 192.168': additionally restrict to a source (src) or destination (dst).

     'tcp port 21': the protocol can also be selected, such as tcp, udp, arp, ether and so on.

     Besides these three kinds of keywords (type, direction and protocol), other important keywords are: gateway, broadcast, less, greater.

     There are three logical operators: negation is 'not' or '!'; and is 'and' or '&&'; or is 'or' or '||'.

Example 1: capture packets on the eth0 network card for 3 seconds, showing IP addresses and port numbers

[root@linux ~]# tcpdump -i eth0 -nn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648

01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648

<== press [ctrl]-c to stop

6680 packets captured <== number of packets captured

14250 packets received by filter <== total number of packets that passed the filter

7512 packets dropped by kernel <== packets dropped by the kernel

The output above can be roughly divided into several fields; taking the first packet line as an example:

· 01:33:40.41: the time the packet was captured, in "hour:minute:second" units.

· IP: the protocol is IP.

· 192.168.1.100.22 >: the sender is IP 192.168.1.100, sending from port number 22; the greater-than sign (>) indicates the direction the packet travels.

· 192.168.1.11.1190: the receiver is IP 192.168.1.11, receiving on its open port 1190.

· P 116:232(116): the packet carries data and has the PUSH flag set; the data is bytes 116 to 232 of the whole stream, so this packet holds 116 bytes of data.

· ack 1 win 9648: ACK and window size information.

Put simply: this packet is sent from 192.168.1.100 to 192.168.1.11, from port 22 to port 1190, carries 116 bytes of data and has the PUSH flag set, rather than the SYN flag that marks an active connection attempt.

Next, when your host is on a busy network and you want to see only the packets of a particular host you are connected to, you could pipe tcpdump's output through a regular-expression filter, but that is a clumsy way to capture. tcpdump's own filter expressions can easily separate out the data you need. In the example above we listened only on eth0, so everything passing through eth0 is displayed on the screen, which is hard to analyse. Can it be simplified? For example, to take only the packets on port 21:

[root@linux ~]# tcpdump -i eth0 -nn port 21

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21:. ack 1 win 65535

01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240:P 1:21(20) ack 1 win 5840

01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21:. ack 21 win 65515

01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21:P 1:17(16) ack 21 win 65515

01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840

01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840

Look! Now only the information for port 21 is shown. If you look closely you will see that the packets flow in both directions: a request from the Client side gets a response from the Server side, so of course there is traffic going back as well. We can also follow the packet flow to understand how data moves. For example:

· First, in one terminal window, run "tcpdump -i lo -nn" to start listening.

· Then open another terminal window and log in to the local machine (127.0.0.1) with "ssh localhost". What does the output look like?

[root@linux ~]# tcpdump -i lo -nn

 1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

 2 listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes

 3 11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767

 4 11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767

 5 11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192

 6 11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192

 7 11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192

The first two lines are tcpdump's basic banner; then:

· Line 3 shows the Client side actively opening the connection with a SYN packet.

· Line 4 shows the Server side replying to the Client (the ACK) and at the same time opening its own side with a SYN flag.

· Line 5 shows the Client confirming that the connection is established (ACK).

· From line 6 on, data transmission has begun.

Does the flow of lines 3 to 5 look familiar? Yes, it is the basic 3-way handshake; interesting. But tcpdump is known as a hacking tool for much more than the features described above. Those features let us analyse the process by which our host transmits packets, which helps us understand how packets work and lets us check whether the host's firewall rules need revising.
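To make the field breakdown and the 3-way handshake concrete, here is an added example (not code from the original page): a small Python parser for the old-style tcpdump summary lines shown on this page, plus a check that recognises the SYN, SYN+ACK, ACK sequence in a list of such lines. The sample lines are copied from the lo capture above; the regular expression covers only the line format shown here, not the newer "Flags [S]" style that current tcpdump prints.

```python
import re

# Old-style tcpdump summary line as shown in this page's output, e.g.
# "01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648"
# Flag letters: S=SYN, P=PUSH, F=FIN, R=RST, "."=only ACK set.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*"
    r"(?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)

# Constructed sample: the five packet lines from the "ssh localhost" capture above.
CAPTURE = [
    "11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767",
    "11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767",
    "11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192",
    "11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192",
    "11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192",
]

def parse_line(line):
    """Split one summary line into its fields (dict); return None for banner
    lines such as 'listening on lo, ...' that the pattern does not describe."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "seq", "seq_end", "length", "ack", "win"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def find_handshake(lines):
    """Return (client, server) as 'ip:port' strings when three consecutive packets
    form a 3-way handshake: SYN, SYN+ACK acknowledging seq+1, then a bare ACK.
    tcpdump switches to relative sequence numbers after the SYN, so the final
    ACK is accepted as either 'ack 1' or the absolute server seq+1."""
    recs = [r for r in map(parse_line, lines) if r]
    for syn, synack, ack in zip(recs, recs[1:], recs[2:]):
        client, server = (syn["src"], syn["sport"]), (syn["dst"], syn["dport"])
        if ("S" in syn["flags"] and syn["ack"] is None and syn["seq"] is not None
                and "S" in synack["flags"] and (synack["src"], synack["sport"]) == server
                and synack["ack"] == syn["seq"] + 1
                and ack["flags"] == "." and ack["ack"] in (1, synack["seq"] + 1)
                and (ack["src"], ack["sport"]) == client):
            return ("%s:%d" % client, "%s:%d" % server)
    return None
```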

There is an even more striking use. When we use tcpdump on a router to listen to a protocol that transmits data in plaintext, such as FTP, what do you think will happen? First run "tcpdump -i lo port 21 -nn -X" on the host, then log in to the local FTP server and enter an account name and password; you will find the following:

[root@linux ~]# tcpdump -i lo -nn -X 'port 21'

    0x0000:  4500 0048 2a28 4000 4006 1286 7f00 0001  E..H*(@.@.......

    0x0010:  7f00 0001 0015 80ab 8355 2149 835c d825  .........U!I.\.%

    0x0020:  8018 2000 fe3c 0000 0101 080a 0e2e 0b67  .....<.........g

    0x0030:  0e2e 0b61 3232 3020 2876 7346 5450 6420  ...a220.(vsFTPd.

    0x0040:  322e 302e 3129 0d0a                      2.0.1)..

    0x0000:  4510 0041 d34b 4000 4006 6959 7f00 0001  E..A.K@.@.iY....

    0x0010:  7f00 0001 80ab 0015 835c d825 8355 215d  .........\.%.U!]

    0x0020:  8018 2000 fe35 0000 0101 080a 0e2e 1b37  .....5.........7

    0x0030:  0e2e 0b67 5553 4552 2064 6d74 7361 690d  ...gUSER.dmtsai.

    0x0040:  0a                                       .

    0x0000:  4510 004a d34f 4000 4006 694c 7f00 0001  E..J.O@.@.iL....

    0x0010:  7f00 0001 80ab 0015 835c d832 8355 217f  .........\.2.U!.

    0x0020:  8018 2000 fe3e 0000 0101 080a 0e2e 3227  .....>........2'

    0x0030:  0e2e 1b38 5041 5353 206d 7970 6173 7377  ...8PASS.mypassw

    0x0040:  6f72 6469 7379 6f75 0d0a                 ordisyou..

The output above has been trimmed; you will need to search for the relevant strings in your own output. From the highlighted parts of the output we can see that the FTP software in use is vsFTPd, that the user entered the account name dmtsai, and that the password is mypasswordisyou. Are you still using plaintext protocols to transfer your data over the network?

You should also understand that, for tcpdump to listen on a network interface, it puts that interface into "promiscuous mode", so you will see many warning messages in /var/log/messages telling you that your network card has entered promiscuous mode. Don't worry; that is normal. For more uses, refer to man tcpdump.

Example: how do you use tcpdump to listen on the eth0 network card for packets on port 22 whose source is 192.168.1.100?

Answer: tcpdump -i eth0 -nn port 22 and src host 192.168.1.100

Example: how do you use tcpdump to capture packets on the eth0 network card destined for tcp port 9080?

Answer: tcpdump -i eth0 dst 172.168.70.35 and tcp port 9080

Example: how do you use tcpdump to capture the packets that host 192.168.43.23 or host 192.168.43.24 exchange, and display them on the console?

Answer: tcpdump -X -s 1024 -i eth0 host \(192.168.43.23 or 192.168.43.24\) and host 172.16.70.35

Note: you must specify the network card.


Source: www.cnblogs.com/fanweisheng/p/11109325.html