Basic use of tcpdump

The tcpdump command was originally designed for diagnosing TCP/IP performance problems. It is a tool that intercepts network packets and prints their contents: it captures the full headers of packets travelling over the network for analysis, supports filtering by network-layer protocol, host, network or port, and offers and, or and not logic so the user can discard uninteresting traffic. Ethereal leans toward non-HTTP protocols and is commonly used on servers; on a client you can use Wireshark, and a tcpdump capture can be saved to a data file and analyzed with Wireshark.

Common tcpdump options

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
        [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
Option explanations

-i        Specifies the interface to capture on (-i interface); -i any captures on all interfaces
-D        Lists all network interfaces on the machine
-w        Writes captured packets to a file for later analysis; -w - writes to standard output, which floods the terminal with binary data, so redirect it or pipe it through tee
-r        Reads packet data from a file, replaying the capture
-c count  Stops after capturing count packets; when writing a file with -w, -C limits the file size (in units of 1,000,000 bytes) and opens a new file when the limit is exceeded
-p        Does not put the interface into promiscuous mode
-s        Controls the snaplen, the number of bytes captured from each packet; by default tcpdump takes only a limited number of bytes from each packet, and -s 0 makes tcpdump choose a length large enough to capture whole packets
-S        Prints absolute TCP sequence numbers instead of the relative ones normally used for analysis
-a        Forces network addresses to be shown as names (the default)
-n        Does not convert addresses to host names, which avoids DNS lookups
-nn       Does not convert protocol and port numbers to names either
-N        Prints host names without the domain part of the FQDN
-f        Does not resolve names for foreign (remote) addresses
-t        Does not print a timestamp
-tt       Prints an unformatted (raw) timestamp
-tttt     Prints a full date and time stamp with microseconds, in the 00:00:00.000000 form seen in the capture later on this page
-v        Shows details such as the TTL; -vv and -vvv print progressively more protocol information
-q        Quieter output
-e        Prints the link-layer header
-x        Dumps the packet in hexadecimal without the link-layer header; -xx also dumps the Ethernet header
-A        Prints each packet in ASCII without the link-layer header; handy for reading the text of packets that carry web pages
-X        Prints the packet contents in both hexadecimal and ASCII; -XX also includes the Ethernet header

Promiscuous mode means the network card accepts every frame that passes it, including frames not addressed to it, i.e. it does not check the destination MAC address. In normal mode the card passes only frames addressed to it (plus broadcast frames) up to higher-layer programs and drops the rest.
Promiscuous mode generally does not affect the normal operation of the card and is relied on by network monitoring tools.

A network card has the following operating modes:
1) Broadcast mode: a frame whose destination MAC address is the all-ones broadcast address (ff:ff:ff:ff:ff:ff) is a broadcast frame; a card in broadcast mode receives broadcast frames.
2) Multicast mode: a frame sent to a multicast address can be received by every host in that multicast group, while hosts outside the group do not receive it. A card set to multicast mode, however, receives all multicast frames whether or not it is a member of the group.
3) Direct mode: a card in direct mode receives only frames whose destination address is its own MAC address.
4) Promiscuous mode: a card in promiscuous mode receives every frame that passes through it; packet capture programs run in this mode.
A card's default operating mode combines broadcast mode and direct mode, so it receives only broadcast frames and frames sent to itself. In promiscuous mode the card receives the frames of every station on the same network segment, which is what lets a monitoring program capture traffic destined for other hosts.

Filtering packets

Filter expressions

A filter rule is generally built from three kinds of qualifier:

  • type: what kind of object the id refers to (the id may be a name or a number). Types are host, net, port and portrange; the default is host.
  • dir: the transfer direction relative to the id, i.e. from the id or to the id (the type qualifier in front says what the id is). Directions are src, dst, src or dst, src and dst; the default is src or dst.
  • proto: the protocol the id belongs to. Protocols include ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.

Rules are combined with boolean operators and may be grouped with parentheses, escaped as \( xxx \) when typed unquoted at the shell; each pair of parentheses forms a group:

  • Negation: ! or not
  • Conjunction: and or &&
  • Alternation: or or ||

Common filtering rules

Filter by IP address / domain name

Filter packets whose destination is the domain name www.baidu.com:

sudo tcpdump -i any -Avvv dst host www.baidu.com

Filter packets whose source or destination IP is 172.27.0.14:

sudo tcpdump -i any -Avvv host 172.27.0.14

Filter packets whose source IP is 172.27.0.14:

sudo tcpdump -i any -Avvv src 172.27.0.14

Filter packets whose destination IP is 172.27.0.14:

sudo tcpdump -i any -Avvv dst host 172.27.0.14

Filter by network segment (IP range):

sudo tcpdump -i any net 172.17.16.0/24
sudo tcpdump -i any net 172.17.16.0 mask 255.255.255.0

Filter by port

Filter a specified port:

sudo tcpdump -i eth0 -Avvv port 8888 -c 10

Filter on both a source port and a destination port:

sudo tcpdump -i eth0 -nvvv 'port 22 && port 62644' -c 3

Exclude the specified port:

sudo tcpdump -i eth0 not port 22
sudo tcpdump -i eth0 not \(port 443 or port 80 or port 22\)

Filter port range:

sudo tcpdump -i eth0 portrange 79-81

Filtering by protocol

To restrict capture to one protocol, tcpdump recognizes the keywords ip, ip6, arp, igmp, tcp, udp and icmp.
Many other transport-layer protocols have no keyword of their own. For those, use the keyword proto or ip proto followed by a protocol name listed in /etc/protocols or by the corresponding protocol number.

sudo tcpdump -i macvlan0 arp

Filtering on protocol header fields

Commonly used TCP flag keywords: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece, tcp-cwr

Filter TCP SYN segments:

sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0' -c 1
13:52:32.070747 IP 125.226.39.220.54500 > bestsre.microsoft-ds: Flags [S], seq 3744066256, win 8192, options [mss 1200,nop,wscale 2,sackOK,TS val 1380022 ecr 0], length 0

Filter TCP segments with SYN or ACK set. Note that & (tcp-syn|tcp-ack) != 0 matches a segment with either bit set, which is why the sample output below is a PSH/ACK segment; to match only SYN/ACK segments, compare against both bits: 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' -c 1
13:54:47.889653 IP bestsre.ssh > YZ.62644: Flags [P.], seq 4178293879:4178294067, ack 3163427986, win 314, options [nop,nop,TS val 3890058229 ecr 558951371], length 188

Filtering HTTP

Filter GET requests. The expression tcp[((tcp[12:1] & 0xf0) >> 2):4] reads the four bytes immediately after the TCP header: the high nibble of TCP byte 12 is the data offset in 32-bit words, and shifting right by 2 instead of 4 multiplies it by 4, giving the header length in bytes, so the index lands on the first payload byte:

sudo tcpdump -i eth0 -Anvvv  'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 and port 8888'

0x47455420 is the hexadecimal encoding of "GET " (including the trailing space):

>>> list(map(hex, [ord(x) for x in 'GET ']))
['0x47', '0x45', '0x54', '0x20']

Filter POST requests:

sudo tcpdump -i eth0 -Anvvv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:1] = 0x20'

Filter PUT requests:

sudo tcpdump -i eth0 -Anvvv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x50555420'

Filter PATCH requests:

sudo tcpdump -i eth0 -Anvvv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x50415443 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:2] = 0x4820'

Filter DELETE requests:

sudo tcpdump -i eth0 -Anvvv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x44454c45 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:2] = 0x5445 && tcp[((tcp[12:1] & 0xf0) >> 2) + 6:1] = 0x20'

Filter HEAD requests:

sudo tcpdump -i eth0 -Anvvv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48454144 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:1] = 0x20'

Filter OPTIONS requests:

sudo tcpdump -i eth0 -Anvvv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x4f505449 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x4f4e5320'

Filter HTTP responses (payload beginning with HTTP/1.):

sudo tcpdump -i eth0 -Anvvv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:2] = 0x2f31 && tcp[((tcp[12:1] & 0xf0) >> 2) + 6:1] = 0x2e'
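Added example (not from the original post) that models the byte-index filters above and the tcp[tcpflags] tests in Python: it builds a constructed TCP segment (ports, options and payload are made up) and applies the same arithmetic as tcp[((tcp[12:1] & 0xf0) >> 2):4], including the difference between the != 0 and == mask flag comparisons.

```python
# Added example, not tcpdump's own code: a Python model of the page's BPF
# byte-index expressions, run over a constructed TCP segment so the offset
# arithmetic tcp[((tcp[12:1] & 0xf0) >> 2):4] can be checked offline.
import struct

# TCP flag bits as they sit in tcp[13] (tcp[tcpflags])
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Byte prefixes the page's HTTP filters compare, assembled from their constants
# (e.g. 0x50415443 "PATC" followed by 0x4820 "H ").
HTTP_PREFIXES = {
    "GET": b"GET ", "POST": b"POST ", "PUT": b"PUT ", "PATCH": b"PATCH ",
    "DELETE": b"DELETE ", "HEAD": b"HEAD ", "OPTIONS": b"OPTIONS ",
    "RESPONSE": b"HTTP/1.",
}

def build_tcp_segment(flags, payload, options=b""):
    """Construct a TCP header (no IP header) with the given flags, options and payload.
    Port numbers and sequence numbers are constructed sample values."""
    options += b"\x00" * (-len(options) % 4)           # pad options to 32-bit words
    data_offset_words = 5 + len(options) // 4           # header length in 32-bit words
    offset_flags = (data_offset_words << 12) | flags    # byte 12 high nibble = data offset
    header = struct.pack("!HHIIHHHH", 54500, 80, 1, 0, offset_flags, 8192, 0, 0)
    return header + options + payload

def header_len(tcp):
    """Same arithmetic as the BPF filter: (tcp[12] & 0xf0) >> 2 == data offset * 4."""
    return (tcp[12] & 0xF0) >> 2

def http_kind(tcp):
    """Return the name of the page's HTTP filter this segment would satisfy, or None."""
    off = header_len(tcp)                               # index of the first payload byte
    for name, prefix in HTTP_PREFIXES.items():
        if tcp[off:off + len(prefix)] == prefix:
            return name
    return None

def flags_set(tcp, mask):
    """tcp[tcpflags] & mask != 0: true when ANY bit of mask is set."""
    return (tcp[13] & mask) != 0

def flags_all(tcp, mask):
    """tcp[tcpflags] & mask == mask: true only when EVERY bit of mask is set."""
    return (tcp[13] & mask) == mask
```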

Filtering by packet size

Packet length in bytes. less and greater are inclusive (equivalent to len <= and len >=); the comparison forms must be quoted so the shell does not treat > as a redirection:

tcpdump less 32
tcpdump greater 128
tcpdump 'len > 32'
tcpdump 'len <= 128'

For more detail on filters, see the PCAP-FILTER section of the official tcpdump manual page.

Reading the output

tcpdump can capture and decode many packet protocols, such as TCP, UDP and ICMP. We cannot cover every packet type here, but walking through one TCP packet should be enough to get started.

A TCP packet captured by tcpdump looks like this:

sudo tcpdump -i eth0 -SXttttvvvnn -c 3
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2019-01-23 14:24:11.889635 IP (tos 0x10, ttl 64, id 58162, offset 0, flags [DF], proto TCP (6), length 176)
    172.27.0.14.22 > 125.226.39.220.63970: Flags [P.], cksum 0x488a (incorrect -> 0xdcc4), seq 2687384271:2687384395, ack 2449155490, win 314, options [nop,nop,TS val 4064622229 ecr 643829509], length 124
    0x0000:  4510 00b0 e332 4000 4006 0f1e ac1b 000e  E....2@.@.......
    0x0010:  73ec 27d2 0016 f9e2 a02e 3acf 91fb 25a2  s.'.......:...%.
    0x0020:  8018 013a 488a 0000 0101 080a f245 3695  ...:H........E6.
    0x0030:  2660 0f05 86a8 9dad 926d 03c7 f118 6a29  &`.......m....j)
    0x0040:  28f2 03e9 aa82 00e2 7b89 3f8f ac0e 32eb  (.......{.?...2.
    0x0050:  7b56 9ce3 245f bef7 82a1 56b6 9793 3fa2  {V..$_....V...?.
    0x0060:  f04c bbd7 396a 8774 fb66 2683 9195 efe3  .L..9j.t.f&.....
    0x0070:  70e1 e295 c712 0b93 c168 c348 51cd 66e6  p........h.HQ.f.
    0x0080:  9336 20b0 d304 d754 3ed4 6f45 20a0 b574  .6.....T>.oE...t
    0x0090:  29c4 9ac0 9d00 166a b9dd 369f 465e fc7b  )......j..6.F^.{
    0x00a0:  1f11 4795 826f 4cbb 045f 00c5 d908 1ba3  ..G..oL.._......
  • 2019-01-23 14:24:11.889635: detailed, human-readable timestamp (from -tttt)
  • IP: the IP protocol; IPv4 by default, shown as IP6 for IPv6
  • tos: the type-of-service field; its four TOS bits request minimum delay, maximum throughput, maximum reliability and minimum cost. All zero means normal service; here tos is 0x10, i.e. the minimum-delay bit is set. The remaining bits are unused and set to 0
  • ttl: time to live of the datagram, decremented by 1 at each router
  • id: the identification field of the IP header, used to reassemble IP fragments
  • offset: fragment offset, the position of this fragment relative to the original unfragmented packet, also used for reassembly
  • flags: MF means more fragments follow, DF means do not fragment; here DF is set and no fragmentation is used, so the id and offset values can be ignored
  • proto: the transport protocol, such as TCP or UDP
  • length: the total length field, the length of the entire IP datagram
  • 172.27.0.14.22 > 125.226.39.220.63970: data sent from IP 172.27.0.14 port 22 to IP 115.236.39.210 port 63970, i.e. the source address, destination address, source port and destination port from the packet headers
  • Flags: TCP segment flags

    value  flag  description
    S      SYN   connection start
    F      FIN   connection finish
    P      PUSH  data push
    R      RST   connection reset
    .      ACK   acknowledgment
  • cksum: the TCP checksum, computed over the TCP header and data; "incorrect" on a packet sent by the local host usually means checksum offload, with the NIC filling in the checksum after tcpdump saw the packet
  • seq: the sequence numbers; this packet carries bytes 2,687,384,271 to 2,687,384,395 of the data stream, shown as absolute numbers because of -S
  • ack: TCP is reliable, so when data is received the receiver sends an ack telling the sender it arrived; otherwise the sender assumes the data was not delivered and retransmits it. In a segment that only sends data the ack value is 1, while on the receiving side the field carries the number of the next byte expected from the data stream
  • win: receive window size, the number of bytes available in the receive buffer, followed by TCP options such as MSS (maximum segment size) or window scale
  • length: the payload length in bytes; this is not the same thing as the stream byte numbers given by seq
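Added example (not from the original post) that decodes the first three lines of the hex dump above with Python's struct module and reproduces the fields of the summary line and the bullet list; note that the destination bytes 73ec 27d2 decode to 115.236.39.210, the address used in the explanation rather than the one printed on the summary line.

```python
# Added example, not tcpdump's own code: decode the IPv4 and TCP headers from
# the capture's hex dump and return the fields tcpdump printed in its summary.
import struct

# Hex words copied from the 0x0000..0x0020 lines of the dump on this page.
HEX_DUMP = (
    "4510 00b0 e332 4000 4006 0f1e ac1b 000e "
    "73ec 27d2 0016 f9e2 a02e 3acf 91fb 25a2 "
    "8018 013a 488a 0000 0101 080a f245 3695"
)

def decode_ipv4_tcp(raw):
    """Parse an IPv4 header followed by a TCP header (no link-layer header, as -x prints it)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, ip_cksum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4                      # IP header length in bytes
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport, seq, ack, off_flags, win, tcp_cksum = struct.unpack("!HHIIHHH", tcp[:18])
    doff = (off_flags >> 12) * 4                    # same value the filters get from (tcp[12] & 0xf0) >> 2
    flags = off_flags & 0x1FF
    # tcpdump's single-letter flag notation, as in the table above
    names = [(0x02, "S"), (0x01, "F"), (0x08, "P"), (0x04, "R"), (0x10, ".")]
    payload_len = total_len - ihl - doff            # "length 124" on the summary line
    return {
        "tos": tos, "ttl": ttl, "id": ident,
        "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000),
        "proto": proto, "length": total_len, "src": src, "dst": dst,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(n for bit, n in names if flags & bit),
        "win": win, "tcp_cksum": tcp_cksum,
        "payload_len": payload_len,
        "seq_end": seq + payload_len,               # second number of "seq a:b"
    }

def decode_hex_dump(text=HEX_DUMP):
    """Turn the spaced hex words of a tcpdump -x dump into bytes and decode them."""
    return decode_ipv4_tcp(bytes.fromhex(text.replace(" ", "")))
```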

Reference Documents

https://www.tcpdump.org/manpages/tcpdump.1.html
https://blog.wains.be/2007/2007-10-01-tcpdump-advanced-filters/
https://linuxwiki.github.io/NetTools/tcpdump.html
https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml

Origin www.cnblogs.com/knmax/p/12113872.html