tcpdump packet capture and the Wireshark analysis tool


1, Installing tcpdump

yum install -y tcpdump


1.1 tcpdump parameters

tcpdump options in brief

    -A    Print each packet in ASCII, omitting the link-layer header.
    -c    Stop after receiving the specified number of packets.
    -C    Before writing a raw packet to the save file, check whether the file is larger than file_size; if so, close it and open a new file. file_size is in millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
    -d    Dump the compiled packet-matching code in a human-readable form.
    -dd   Dump the packet-matching code as a C program fragment.
    -ddd  Dump the packet-matching code as decimal numbers.
    -D    Print the list of network interfaces on the system that tcpdump can capture on.
    -e    Print the link-layer header on each output line.
    -E spi@ipaddr algo:secret   Decrypt IPsec ESP packets addressed to ipaddr that carry the Security Parameter Index value spi.
    -f    Print "foreign" Internet addresses numerically.
    -F    Read the filter expression from the given file, ignoring any expression given on the command line.
    -i    Listen on the specified network interface.
    -l    Make stdout line buffered, so the output can be written to a file or piped as it is produced.
    -L    List the known data link types of the interface.
    -m    Load SMI MIB module definitions from the given module file. This option may be repeated to load several MIB modules.
    -M    If a TCP packet carries the TCP-MD5 option, use secret as the shared secret for verifying the TCP-MD5 digest (see RFC 2385).
    -b    Select the protocol at the data link layer; ip, arp, rarp and ipx belong to this layer.
    -n    Do not convert network addresses to names.
    -nn   Do not convert port numbers to names either.
    -N    Do not print the domain part of host names; for example, 'nic.ddn.mil' is printed as 'nic'.
    -O    Do not run the packet-matching code optimizer.
    -p    Do not put the network interface into promiscuous mode.
    -q    Quick (quiet) output: print less protocol information.
    -r    Read packets from the given file (usually one produced with the -w option).
    -S    Print absolute rather than relative TCP sequence numbers.
    -s snaplen   Capture snaplen bytes from the beginning of each packet instead of the default 68 bytes.
    -T    Force packets matched by the expression to be interpreted as the given type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).
    -t    Do not print a timestamp on each output line.
    -tt   Print an unformatted timestamp on each line.
    -ttt  Print the time delta between the current line and the previous one.
    -tttt Print a timestamp in the default format preceded by the date on each line.
    -u    Print undecoded NFS handles.
    -v    Slightly more verbose output; for example, an IP packet also shows the type of service and the TTL.
    -vv   Even more verbose packet output.
    -w    Write the raw packets to a file rather than parsing and printing them.

1.2 Detailed usage

tcpdump filter expressions in detail

The first kind of keyword describes the type: host, net and port. For example, host 192.168.0.2 means the host 192.168.0.2,
net 10.0.0.0 means the network 10.0.0.0, and port 23 means port number 23. If no type is given, host is the default.

The second kind describes the direction of transmission: src, dst, dst or src, and dst and src. For example,
src 192.168.0.2 means the source IP address of the packet is 192.168.0.2, and dst net 10.0.0.0 means the destination network address is 10.0.0.0.
If no direction keyword is given, src or dst is the default.

The third kind is the protocol: fddi, ip, arp, rarp, tcp, udp and so on. fddi denotes the specific network protocol of FDDI (Fiber Distributed Data Interface);
it is really an alias of "ether", since fddi and ether have similar source and destination addresses, so fddi packets can be processed and analysed
like ether packets. The other keywords select the protocol of the packets to listen for. If no protocol is given,
tcpdump captures packets of all protocols.

Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators:
negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.
A few examples follow.

1.3 Examples

1, Default start

tcpdump -vv -i eno16777736

Normally, starting tcpdump without a filter monitors all packets flowing through the first network interface.

2, Filtering by host

tcpdump -i eno16777736 host 192.168.1.1      # capture all packets on eno16777736 whose source or destination address is 192.168.1.1
tcpdump -i eno16777736 src host 192.168.1.1  # source address 192.168.1.1 only
tcpdump -i eno16777736 dst host 192.168.1.1  # destination address 192.168.1.1 only

3, Filtering by port

tcpdump -i eno16777736 port 25
tcpdump -i eno16777736 src port 25
tcpdump -i eno16777736 dst port 25

Capture all packets on eno16777736 whose source or destination port is 25.

4, Filtering by network

tcpdump -i eno16777736 net 192.168
tcpdump -i eno16777736 src net 192.168
tcpdump -i eno16777736 dst net 192.168

5, Filtering by protocol

tcpdump -i eno16777736 arp
tcpdump -i eno16777736 ip
tcpdump -i eno16777736 tcp
tcpdump -i eno16777736 udp
tcpdump -i eno16777736 icmp

6, Common expressions

not: ! or "not" (without the double quotes)
and: && or "and"
or:  || or "or"

Capture all TCP packets on eno16777736 whose destination address is 192.168.1.254 or 192.168.1.200 and whose port is 80:

tcpdump -i eno16777736 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'

Capture all ICMP packets on eno16777736 whose destination MAC address is 00:01:02:03:04:05:

tcpdump -i eno16777736 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

Capture all TCP packets on eno16777736 whose destination network is 192.168 but whose destination host is not 192.168.1.200:

tcpdump -i eno16777736 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'

To save the captured packets to a file, use the option -w xxx.cap:

    capture on eno16777736
    tcpdump -i eno16777736 -w /tmp/xxx.cap
    view a capture file
    tcpdump -r /tmp/xxx.cap

    capture packets of 192.168.0.203
    tcpdump -i eno16777736 host 192.168.0.203 -w /tmp/xxx.cap
    capture packets of 192.168.0.203 on port 80
    tcpdump -i eno16777736 host 192.168.0.203 and port 80 -w /tmp/xxx.cap
    capture ICMP packets of 192.168.0.203
    tcpdump -i eno16777736 host 192.168.0.203 and icmp -w /tmp/xxx.cap
    capture packets of 192.168.0.203 on ports other than 80, 110 and 25
    tcpdump -i eno16777736 host 192.168.0.203 and ! port 80 and ! port 25 and ! port 110 -w /tmp/xxx.cap
    capture packets of VLAN 1 (the vlan keyword must come first, because it shifts the offsets used by the primitives after it)
    tcpdump -i eno16777736 vlan 1 and port 80 -w /tmp/xxx.cap
    capture the PPPoE password (PPPoE session packets)
    tcpdump -i eno16777736 pppoes -w /tmp/xxx.cap
    split the save file at 100 MB, opening a new file after each 100 MB
    -C 100m
    quit after capturing 10,000 packets
    -c 10000
    capture in the background so that closing the console does not stop it
    nohup tcpdump -i eno16777736 port 110 -w /tmp/xxx.cap &
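The file that -w writes and -r reads is the pcap format: a 24-byte global header carrying the snapshot length and link type (this is where the "link-type EN10MB (Ethernet), capture size 262144 bytes" line in the next section comes from), followed by one 16-byte record header per packet. The following Python, added here and not code from the original post, writes a one-packet pcap file that `tcpdump -r` can read and parses it back; the addresses, port and sequence number mirror the session below, while the MAC addresses and timestamp are constructed.

```python
import os, socket, struct, tempfile

LINKTYPE_EN10MB = 1   # Ethernet, as in "link-type EN10MB" above
SNAPLEN = 262144      # as in "capture size 262144 bytes" above

def checksum16(header):
    """RFC 1071 one's-complement checksum of the (even-length) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_tcp_syn(src_ip, dst_ip, sport, dport, seq):
    """Construct an Ethernet/IPv4/TCP SYN frame (constructed MACs; TCP checksum left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 29200, 0, 0)
    ip = [0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
          socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    ip[7] = checksum16(struct.pack("!BBHHHBBH4s4s", *ip))
    eth = bytes.fromhex("000102030405") + bytes.fromhex("0a0b0c0d0e0f") + b"\x08\x00"
    return eth + struct.pack("!BBHHHBBH4s4s", *ip) + tcp

def write_pcap(path, frames, t0=1531463578):
    """Global header (magic, v2.4, tz, sigfigs, snaplen, linktype), then one record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, LINKTYPE_EN10MB))
        for i, frame in enumerate(frames):   # t0 is a constructed capture time
            f.write(struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Parse the file back: header fields plus the IPv4/TCP 4-tuple, seq and flags per record."""
    with open(path, "rb") as f:
        data = f.read()
    magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    assert magic == 0xA1B2C3D4, "expected a little-endian pcap file"
    packets, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # keep only IPv4/TCP over Ethernet
            continue
        l4 = 14 + (frame[14] & 0x0F) * 4
        sport, dport, seq, _ack, _doff, flags = struct.unpack("!HHIIBB", frame[l4:l4 + 14])
        packets.append({"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
                        "sport": sport, "dport": dport, "seq": seq, "flags": flags})
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "packets": packets}

def roundtrip():
    """Write one SYN towards 192.168.0.203:80, as in the session below, and read it back."""
    fd, path = tempfile.mkstemp(suffix=".cap")
    os.close(fd)
    try:
        write_pcap(path, [build_tcp_syn("192.168.0.201", "192.168.0.203", 46828, 80, 3069531638)])
        return read_pcap(path)
    finally:
        os.remove(path)
```

Running `tcpdump -r` on a file written by write_pcap prints the same "link-type EN10MB" header line as the session below, followed by the SYN.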

1.4 Sample session

[root@localhost ~]# tcpdump -i eno16777736  dst host 192.168.0.203  -w /tmp/xxx.cap
tcpdump: listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes

^C21 packets captured

[root@localhost ~]# ll /tmp/xxx.cap 
-rw-r--r-- 1 tcpdump tcpdump 1760 7月  13 14:33 /tmp/xxx.cap
[root@localhost ~]# tcpdump -r /tmp/xxx.cap 
reading from file /tmp/xxx.cap, link-type EN10MB (Ethernet)
14:32:58.145798 IP 192.168.0.201.46824 > 192.168.0.203.http: Flags [R], seq 3390683954, win 0, length 0
14:32:58.945777 IP 192.168.0.201.46828 > 192.168.0.203.http: Flags [S], seq 3069531638, win 29200, options [mss 1460,sackOK,TS val 246238969 ecr 0,nop,wscale 7], length 0
14:32:58.946461 IP 192.168.0.201.46828 > 192.168.0.203.http: Flags [R.], seq 3069531639, ack 3707664099, win 229, options [nop,nop,TS val 0 ecr 246266476], length 0
14:32:59.948016 IP 192.168.0.201.46828 > 192.168.0.203.http: Flags [R], seq 3069531639, win 0, length 0
14:33:00.949073 IP 192.168.0.201.46832 > 192.168.0.203.http: Flags [S], seq 11760599, win 29200, options [mss 1460,sackOK,TS val 246240972 ecr 0,nop,wscale 7], length 0
14:33:00.950145 IP 192.168.0.201.46832 > 192.168.0.203.http: Flags [R.], seq 11760600, ack 2581657852, win 229, options [nop,nop,TS val 0 ecr 246268480], length 0
14:33:02.152084 IP 192.168.0.201.46832 > 192.168.0.203.http: Flags [R], seq 11760600, win 0, length 0
14:33:02.953212 IP 192.168.0.201.46836 > 192.168.0.203.http: Flags [S], seq 3987661143, win 29200, options [mss 1460,sackOK,TS val 246242976 ecr 0,nop,wscale 7], length 0
14:33:02.953731 IP 192.168.0.201.46836 > 192.168.0.203.http: Flags [R.], seq 3987661144, ack 1117892437, win 229, options [nop,nop,TS val 0 ecr 246270483], length 0
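Note that only the client's packets appear in this session: the capture filter `dst host 192.168.0.203` discards the server's replies, so each SYN is followed by the client's own RST rather than a visible SYN-ACK. The following Python, added here and not part of the original post, parses `tcpdump -r` output lines in the format above (the sample lines are copied from the session) and pairs each SYN with the first RST on the same flow, which is how one would measure such half-open connections from a capture; the small service-name table is an assumption.

```python
import re

# Sample copied from the tcpdump -r session above (only traffic towards 192.168.0.203 was captured).
SAMPLE = """\
14:32:58.145798 IP 192.168.0.201.46824 > 192.168.0.203.http: Flags [R], seq 3390683954, win 0, length 0
14:32:58.945777 IP 192.168.0.201.46828 > 192.168.0.203.http: Flags [S], seq 3069531638, win 29200, options [mss 1460,sackOK,TS val 246238969 ecr 0,nop,wscale 7], length 0
14:32:58.946461 IP 192.168.0.201.46828 > 192.168.0.203.http: Flags [R.], seq 3069531639, ack 3707664099, win 229, options [nop,nop,TS val 0 ecr 246266476], length 0
14:32:59.948016 IP 192.168.0.201.46828 > 192.168.0.203.http: Flags [R], seq 3069531639, win 0, length 0
14:33:00.949073 IP 192.168.0.201.46832 > 192.168.0.203.http: Flags [S], seq 11760599, win 29200, options [mss 1460,sackOK,TS val 246240972 ecr 0,nop,wscale 7], length 0
14:33:00.950145 IP 192.168.0.201.46832 > 192.168.0.203.http: Flags [R.], seq 11760600, ack 2581657852, win 229, options [nop,nop,TS val 0 ecr 246268480], length 0
"""

# timestamp, "IP", src endpoint, dst endpoint, flags and seq, as printed without -nn
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): Flags \[([^\]]*)\], seq (\d+)")
SERVICES = {"http": 80, "https": 443, "ssh": 22}   # assumed table for names tcpdump prints without -nn

def split_endpoint(endpoint):
    """'192.168.0.201.46828' -> ('192.168.0.201', 46828); a service name is mapped via SERVICES."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port) if port.isdigit() else SERVICES.get(port, port)

def parse(text):
    """Turn tcpdump text lines into dicts; non-matching lines (ARP, 'reading from file') are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, us, src, dst, flags, seq = m.groups()
        t_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
        packets.append({"t_us": t_us, "src": split_endpoint(src), "dst": split_endpoint(dst),
                        "flags": flags, "seq": int(seq)})
    return packets

def syn_rst_pairs(packets):
    """For each flow that starts with a SYN, report how long until the same client sent a RST."""
    open_syn, results = {}, []
    for p in packets:
        key = (*p["src"], *p["dst"])
        if p["flags"] == "S":
            open_syn[key] = p["t_us"]
        elif "R" in p["flags"] and key in open_syn:      # "R." is RST+ACK, "R" a bare RST
            results.append({"client": p["src"], "server": p["dst"],
                            "rst_after_us": p["t_us"] - open_syn.pop(key)})
    return results

if __name__ == "__main__":
    for r in syn_rst_pairs(parse(SAMPLE)):
        print("%s:%d -> %s:%d reset %d us after SYN" % (*r["client"], *r["server"], r["rst_after_us"]))
```

The lone RST on port 46824 and the later bare RSTs are not paired, because no SYN (or no open SYN) precedes them in the capture; capturing with `host 192.168.0.203` instead of `dst host` would show the server's SYN-ACKs as well.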


2 Wireshark

yum install wireshark* -y

Reference: https://www.cnblogs.com/liun1994/p/6142505.html

2.1 tshark options

Capture interface:
  -i <interface>   Interface to capture on; the default is the first non-loopback interface.
  -f <capture filter>   Capture filter expression in libpcap filter syntax. It filters during the capture itself and has no effect when analysing a local file.
  -s <snaplen>   Snapshot length for each packet. Packets on the network are limited to 65535 bytes; 0 means 65535, which is the default.
  -p   Non-promiscuous mode: only traffic to and from this machine is captured.
  -B <buffer size>   Capture buffer size; only effective on Windows, default 2 MB.
  -y <link type>   Data link layer protocol to capture. If not set, the first protocol listed by -L is used, usually EN10MB on a LAN.
  -D   Print the list of interfaces and exit.
  -L   List the data link layer protocols supported by this machine, for use with -y.

Stop-capture options:
  -c <packet count>   Stop after capturing n packets; by default the capture is unlimited.
  -a <autostop cond.> ...   duration:NUM, stop after NUM seconds;
                            filesize:NUM, stop after NUM KB;
                            files:NUM, stop after capturing NUM files.

Capture output options:
  -b <ringbuffer opt.> ...   Ring buffer. The file name comes from the -w option; the -b parameter is written as test:value:
                             duration:NUM, switch to the next file after NUM seconds;
                             filesize:NUM, switch to the next file after NUM KB;
                             files:NUM, form a ring buffer once NUM files have been written.

RPCAP options:
  Remote Packet Capture Protocol, for capturing on a remote host.
  -A <user>:<password>   Authenticate to RPCAP with a password.

Input file:
  -r <infile>   Read from a local file.

Processing options:
  -2   Perform a two-pass analysis.
  -R <read filter>   Read filter applied to packets, using Wireshark's display filter syntax. In Wireshark, open View -> Filter and click Expression to list all supported protocols.
  -Y <display filter>   Apply a display filter in a single pass; it can replace the -R option.
  -n   Disable all address name resolution (enabled by default).
  -N <name resolving flags>   Enable name resolution for a given layer: "m" the MAC layer, "n" the network layer, "t" the transport layer, "C" concurrent (asynchronous) DNS lookups. If both -n and -N are given, -n is ignored; if neither is given, all name resolution is enabled.
  -d <layer type>==<selector>,<decode-as protocol>   Decode the selected traffic as the given protocol. To decode TCP traffic on port 8888 as HTTP, write "-d tcp.port==8888,http". tshark -d lists all supported selectors.

Output options:
  -w <outfile|->   Raw packet output file. Without this option tshark prints its decoded results to stdout; "-w -" writes the raw packets to stdout. To save the decoded results to a file, use shell redirection ">" rather than -w.
  -F <output file type>   Output file format; the default is pcapng. tshark -F lists all supported output file types.
  -V   Verbose output of packet details.
  -O <protocols>   Show details only for the listed protocols.
  -P   Print the packet summary even when the packets are being written to a file.
  -S <separator>   Line separator.
  -x   After the decoded output of each packet, print a hex and ASCII dump of the packet data.
  -T pdml|ps|text|fields|psml   Output format of the decoded results; the default is text.
  -e <field>   With -T fields, which fields to print.
  -E <fieldsoption>=<value>   Options for -T fields:
      occurrence=f|l|a   print the first, last or all occurrences of a field
      aggregator=,|/s|<char>   separator between multiple occurrences
  -t a|ad|d|dd|e|r|u|ud   Time format of the decoded output. "ad" is absolute time with the date, "a" absolute time without the date, "r" the time relative to the first packet, "d" the delta since the previous packet.
  -u s|hms   Output format for seconds.
  -l   Flush stdout after each packet.
  -q   Used together with -z for statistical analysis; suppresses the per-packet output.
  -X <key>:<value>   Extensions: lua_script, read_format; see the man page for details.
  -z <statistics>   Statistics; see the documentation. tshark -z help lists the supported statistics.

Other options:
  -h   Show the command-line help.
  -v   Show the tshark version.

2.2 Examples

// print HTTP stream protocol information
tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d '\t'
  Notes:
    -s: capture only the first 512 bytes of each packet;
    -i: capture on the eth0 interface;
    -n: disable network object name resolution;
    -f: capture only TCP with destination port 80;
    -R: filter on http.host and http.request.uri;
    -T, -e: print only these two fields;
    -l: flush the output to the terminal after every packet;
// print MySQL queries in real time
tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query
   Notes:
    -R: filter on mysql.query;
// extract SMPP protocol header fields and an example value
tshark -r test.cap -R '(smpp.command_id == 0x80000004) and (smpp.command_status == 0x0)' -e smpp.message_id -e frame.time -T fields -E header=y > test.txt
   Notes:
    -r: read a local file, so a capture saved earlier can be analysed afterwards;
    -R: SMPP... the Wireshark filter expression, described in detail later;
    -E: with -T fields, sets output options; header=y prints a header line;
    -e: with -T fields, sets which fields to output;
    >: redirect;
// HTTP status statistics
tshark -n -q -z http,stat, -z http,tree
   Notes:
    -q: print output only at the end of the capture; very useful for statistics commands;
    -z: the various statistics options, see the documentation; tshark -z help lists all the available statistics;
       http,stat: compute HTTP statistics, showing the HTTP status codes and HTTP request methods;
       http,tree: compute the HTTP packet distribution; the values shown are HTTP requests and HTTP status codes;
// capture 500 packets and print the URLs accessed
tshark -s 0 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l -c 500
   Notes:
    -f: filter before capture;
    -R: filter after capture;
    -l: flush the result buffer before printing;
    -c: stop after capturing 500 packets;
// display SSL data
tshark -n -ta -R ssl -T fields -e "ip.src" -e "ssl.app_data"

// read the specified file and display its contents filtered on ssl
tshark -r temp.cap -R "ssl" -V -T text
  Notes:
    -T text: output format; text is the default;
    -V: verbose packet output;
// with -q, filter TCP stream 13 and get its data content
tshark -r temp.cap -q -z "follow,tcp,ascii,13"

// display in the format specified with -e
tshark -r temp.cap -R ssl -T fields -e "ip.src" -e ip.dst -e tcp.srcport -e tcp.dstport

// output the data of one TCP conversation
tshark -r vmx.cap -q -n -t ad -z follow,tcp,ascii,10.1.8.130:56087,10.195.4.41:446 | more
  Notes:
    -t ad: timestamp output format;
// filter packets by time and rtp.seq
tshark -i eth0 -f "udp port 5004" -T fields -e frame.time_epoch -e rtp.seq -o rtp.heuristic_rtp:true 1> test.txt
  Notes:
    -o: override a preference value set in the preferences file;

// extract the protocol data portion of each packet
tshark -r H:/httpsession.pcap -q -n -t ad -z follow,tcp,ascii,71.6.167.142:27017,101.201.42.120:59381 | more



Source: blog.51cto.com/superleedo/2421087