Compiled the most comprehensive tcpdump (Chinese) packet capture guide

Today we will introduce a Unix under a network data collection and analysis tools, that is, we often say the packet capture tool.

The Wireshark has similar functions, but the Wireshark has a graphical interface, whereas the tcpdump has only command lines.

Because I’m more comfortable using the command line to capture packets, I’m going to skip the Wireshark and go straight to the tcpdump.

In this article, I spent several days researching tcpdump with the help of the Linux man command. It is not an overstatement to say that it is the clearest and most complete article on tcpdump in Chinese (at least from the perspective of Baidu and Google). So this post is worth bookkeeping, in case you miss it, and you’ll never find another one that talks tcpdump as bluntly and as thoroughly as this one.

Before I go on, there are two points to make:

1. The examples of tcpdump commands in sections 3 through 6 show that the parameters do not necessarily capture packets. To accurately capture the packets you need, you need to use the logical operators in section 5.
2. This article is based on tcpdump version 4.5.1 of CentOS 7.2. If it is not available in your environment, please refer to itman tcpdumpTargeted learning.

1. Diagram of tcpdump core parameters

As you know, there’s a lot of traffic, a lot of packets, on the network, so to catch the packets that we need, we need to define a very precise filter, and we need to capture those packets out of this huge network of packets.

So learning the packet capture tool is really a process of learning how to define filters.

In the world of tcpdump, filters are implemented by adding one parameter after another, adding another if one is not accurate, until we can filter out the useless packets and leave only the packets we are interested in.

Tcpdump has many parameters. Beginners who have not mastered tcpdump may be confused about the parameters of this command.

In the following command, we filter by specifying the host IP as the host parameter

$Tcpdump host 192.168.10.100
Copy the code

The combination of main program + parameter name + parameter value is what we normally think of a command line.

Tcpdump takes the unusual step of adding a qualifier before host to narrow down the filter.

$Tcpdump SRC host 192.168.10.100
Copy the code

Taken literally, it’s easy to understand, but it doesn’t fit into the normal logic of writing a command-line program, leading us to wonder:

1. Besides SRC, DST, what other determiners can be used?

2. SRC, host what should we think of them, called parameter names? No, because SRC is obviously inappropriate.

If you read blogs or tutorials about tcpdump on the Internet, they always give you a set of parameters and tell you what filter is implemented. With this approach, it’s easy to rely on other people’s articles to use tcpdump, and not digest tcpdump to the extent that it can be used flexibly and with filters.

Adding SRC on top of it is a bit of a surprise. You can also add more conditions, such as TCP, UDP, ICMP, and so on, before SRC, adding another layer of filtering on top of your previous ones.

$Tcpdump TCP SRC host 192.168.10.100
Copy the code

This uncertainty of parameters keeps most people from learning about tcpdump.

Therefore, before learning about tcpdump, I think it’s important to know how the parameters of tcpdump are composed. It’s very important.

To this end, I have drawn a diagram to give you an intuitive understanding of tcpdump’s parameters:

1. Option Optional parameters: each is explained later.
2. Proto filter: filter according to protocol. The identified keywords are TCP, UDP, ICMP, IP, IP6, ARP, RARP,ether, WLAN, FDDI, TR, decnet
3. Type filter: identify keywords such as host, net, port, portrange, these words need to be followed by parameters.
4. Direction filters: filter based on the flow of data. The identified keywords are SRC, DST, and you can combine them using logical operators such as SRC or DST

The three filters proto, Type, and Direction are simple and the most commonly used, so I’ll cover them first, in section 3: General filtering rules.

Option has many optional arguments, some of which are not often used, so I’ll drop them to a later point, section 4: Optional argument parsing

By the time you’ve read the first six sections, you’ll have reached a level where you can use tcpdump for at least 80% of your needs.

You must be asking, what about 20%?

Tcpdump also has some filter keywords that do not fit any of the above four filter rules, so you may need to memorize them separately. I’ll cover this in Section 6: Special Filtering Rules.

2. Understand the output of tcpdump

2.1 Output content structure

The output of tcpdump is large, but regular.

Let’s take a RANDOM TCP packet I grabbed as an example

IP 172.20.20.1.15605 > 172.20.20.2.5920: Flags [P.], SEq 49:97, ACK 106048, WIN 4723, Length 48Copy the code

From the above output, it can be concluded:

1. First column: hour, minute, second, millisecond 21:26:49.013621
2. The second column: Network protocol IP
3. The third column is the sender’s IP address + port number, where 172.20.20.1 is the IP address and 15605 is the port number
4. The fourth column: arrow >, indicating the data flow
5. The fifth column is the IP address + port number of the recipient, where 172.20.20.2 is the IP address and 5920 is the port number
6. Sixth column: colon
7. The seventh column: packet contents, including Flags identifier, SEQ number, ACK number, WIN window, data length length, where [P.] indicates PUSH flag bit is 1. See the following for more identifiers

2.2 Flags Identifier

After tcpdump is used to capture packets, the TCP packet Flags are as follows:

• [S]: SYN (start connection)
• [P]: PSH (push data)
• [F]: FIN (end connection)
• [R]: RST (reset connection)
• [.]: No Flag (meaning other than the above four types, could be ACK or URG)

3. General filtering rules

3.1 IP address-based filtering: Host

Use host to specify the host IP address for filtering

$Tcpdump host 192.168.10.100
Copy the code

The IP addresses of packets can be further divided into source IP addresses and destination IP addresses

#Filtering by source IP address
$Tcpdump -i eth2 SRC 192.168.10.100

#Filter by destination IP address
$Tcpdump -i eth2 DST 192.168.10.200
Copy the code

3.2 Filtering by network segment: net

If your IP address range is a network segment, you can specify this directly

$Tcpdump.net 192.168.10.0/24
Copy the code

A network segment can also be subdivided into a source network segment and a target network segment

#Filtering is performed by source network segment
$Tcpdump SRC.net 192.168

#Filter based on the target network segment
$Tcpdump DST.net 192.168
Copy the code

3.3 Filtering by port: Port

Use port to specify a specific port for filtering

$ tcpdump port 8088
Copy the code

Ports can also be subdivided into source ports and target ports

#Filter by source port
$ tcpdump src port 8088

#Filter by destination port
$ tcpdump dst port 8088
Copy the code

If you want to specify both ports you can write this

$ tcpdump port 80 or port 8088
Copy the code

But you could also write it this way

$ tcpdump port 80 or 8088
Copy the code

If you want to capture a range instead of just one or two ports, you can specify a range like this.

$ tcpdump portrange 8000-8080
$ tcpdump src portrange 8000-8080
$ tcpdump dst portrange 8000-8080
Copy the code

For the default port of some common protocols, we can also use the protocol name instead of the specific port number

For example, HTTP == 80, HTTPS == 443, etc

$ tcpdump tcp port http
Copy the code

3.4 Filtering by protocol: PROto

Common network protocols are: TCP, UDP, ICMP, HTTP, IP,ipv6 and so on

If you only want to view ICMP packets, you can write this

$ tcpdump icmp
Copy the code

Protocol The value can be IP, IP6, ARP, RARP, ATalk, AARP, Decnet, SCA, LAT, mopdl, moprc, ISO, STP, IPX, or Netbeui

3.5 Filtering by Basic IP protocol version

When you want to check TCP packets, you might write something like this

$ tcpdump tcp
Copy the code

That’s fine, but it’s not accurate. Why do you say that?

Depending on the version, IP can be divided into IPv4 and IPv6, but if you only specify TCP, both will be included.

So what are the ways to distinguish IPv4 from IPv6?

Simple, if it is an IPv4 TCP packet, write this. (Note: the number 6 indicates the TCP number in the IP packet.)

$ tcpdump 'ip proto tcp'

# or

$ tcpdump ip proto 6

# or

$ tcpdump 'ip protochain tcp'

# or 

$ tcpdump ip protochain 6
Copy the code

For IPv6 TCP packets, write this

$ tcpdump 'ip6 proto tcp'

# or

$ tcpdump ip6 proto 6

# or

$ tcpdump 'ip6 protochain tcp'

# or 

$ tcpdump ip6 protochain 6
Copy the code

There are two things to note about the above command examples:

1. If proto and protochain are followed by TCP, UDP, icmp, then filters need to be enclosed in quotes because TCP, UDP, icmp are keywords for tcpdump.
2. Proto and protochain following the IP and ip6 keywords are two new faces, they seem to be used similarly, are they equivalent, and what difference does it make?

On the second point, the network doesn’t have a very specific answer, and I can only give my own personal guess, which is not guaranteed to be correct, as prompted by man tcpdump.

Proto is a fixed keyword, It must be IP, IP6, ARP, RARP, ATalk, AARP, Decnet, SCA, LAT, mopdl, moprc, ISO, STP, IPX, or Netbeui.

The protocol that follows the protochain is less strict. It can be any word, as long as the protocol field in the IP packet header of the tcpdump is .

In theory, it works the same either way

$ tcpdump 'ip && tcp'
$ tcpdump 'ip proto tcp'
Copy the code

And once again, this is the same way

$ tcpdump 'ip6 && tcp'
$ tcpdump 'ip6 proto tcp'
Copy the code

4. Parameter analysis is optional

4.1 Setting the Speed at which Domain names are not resolved

• -n: Displays IP directly without converting IP into domain name, avoiding the process of executing DNS lookups, which is much faster
• -nn: Does not convert the protocol and port number into the name, will be much faster.
• -N: does not print the domain name part of host. For example, if this option is set, tcpdump will print ‘nic’ instead of ‘nic.ddn. Mil ‘.

4.2 Filtering Results to a File

After capturing packets using the tcpdump tool, you need to use other tools, such as wireshark, to analyze packets.

To use Wireshark, you need to generate packets captured by tcpdump into a file and then use Wireshark to open the file.

Using the -w parameter followed by a.pcap file name, you can save the data captured by tcpdump to a file.

$ tcpdump icmp -w icmp.pcap
Copy the code

4.3 Reading package Data from a file

Using -w is to write data to a file, while using -r is to read data from the file.

After reading, we can also use the above filter syntax for filter analysis.

$ tcpdump icmp -r all.pcap
Copy the code

4.4 Control the output of details

• -v: produces detailed output. Such as packet TTL, ID, packet length, and some options for IP packets. It also opens some additional packet integrity checks, such as checksums for IP or ICMP packet headers.
• -vv: produces more detailed output than -v. For example, the additional domains in the NFS response packet will be printed and the SMB packet will be fully decoded. (From the Internet, which I haven’t used yet)
• -vvv: produces more detailed output than -vv. For example, the SB and SE options used by Telent will be printed. If Telnet is also used with a graphical interface, the graphics options will be printed in hexadecimal format.

4.5 Control time display

• -t: Does not print the time in the output of each line
• -tt: Prints a timestamp in the output of each line
• -ttt: The time interval (in milliseconds) between two lines of output
• -ttttPrint to add a date before each line print timestamp (this option gives the most intuitive output time)

4.6 Displaying packet headers

• -x: prints the header data of each packet (but not the data link layer header) in hexadecimal format
• -xx: prints the header data of each packet (including the data link layer header) in hexadecimal format
• -X: Prints the data of each packet (but not the connection layer header) in hexadecimal and ASCII format, which is convenient for analyzing packets of some new protocols.
• -XX: Prints the data of each packet (including the connection layer header) in hexadecimal and ASCII format, which is convenient for analyzing packets of some new protocols.

4.7 Filtering The Data packets of a Specified NIC

• -i: Specifies the nic ports to be filtered. If you want to view all nics, you can-i any

4.8 Filtering packets with a specific direction

• -Q: Selects incoming or outgoing packets. The options are in, out, and inout. –direction=[direction] can also be used

4.9 Other Commonly used Parameters

• -a: displays each data packet in ASCII mode (without the link layer header information). In the crawl containing web data packets, it is convenient to view the data

• -l: Line-based output that you can save for review or give to another tool to analyze

• -q: Prints the output succinct. That is, little protocol information is printed, so the output lines are short.

• -c: after capturing count packets, tcpdump exits

• -s: By default, the tcpdump intercepts only the first 96 bytes. To intercept all packets, you can run the -s number command. The number is the number of packets to intercept.

• -s: The absolute serial number is used instead of the relative serial number

• -c: file-size, tcpdump checks whether the size of the file exceeds file-size before saving the original packets directly to the file. If this is exceeded, the file is closed and another file is created to continue recording the original packet. The newly created file name is the same as the file name specified by the -w option, but there is an extra number after the file name. This number increases from 1 as more files are created. The unit of file-size is megabytes (nt: This means 1,000,000 bytes, not 1,048,576 bytes, which is calculated using 1024 bytes as 1K and 1024K bytes as 1M, i.e. 1M=1024 * 1024 = 1,048,576)

• -f: The file is used as the input of the filter condition expression. In this case, the input on the command line is ignored.

4.10 Parameters that control the output

• -D: Displays a list of all available network interfaces
• -e: The output of each line will contain the data link layer header information of the packet
• -E: reveals IPSEC data
• -L: Lists the data link layer types supported by the specified network interface and exits
• -Z: Follows the user name, which is restricted by the permission when capturing packets. If you start tcpdump as the root user, tcpdump has super user privileges.
• -d: Prints a readable packet matching code
• -dd: Prints the packet matching code in C language.
• -ddd: Prints the packet matching code in decimal

5. Combination of filtering rules

For those of you who have a programming foundation, the following three logical operators should be familiar

• And: All conditions must be satisfied&&
• Or: As long as one of the conditions is met||
• “Not” : it can also be used!

For example, I want to grab a packet from 10.5.2.3 to port 3389 on any host

$Tcpdump SRC 10.5.2.3 and DST port 3389
Copy the code

When you combine multiple filters, you may need to use parentheses, which are special in the shell because you need to include them in quotes. Here’s an example:

$ tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Copy the code

In a single filter, it is often possible to determine whether a condition is true, and in this case, the following two symbols are used

• =: Determines that the two are equal
• = =: Determines that the two are equal
• ! =: Indicates that the two are not equal

When you use these two symbols, tcpdump also provides an interface for keywords, such as

• If: indicates the name of the NIC interface,
• Proc: indicates the process name
• Pid: indicates the PROCESS ID
• SVC: service class
• Dir: indicates direction, in and out
• Eproc: effective process name
• Epid: indicates the EFFECTIVE Process ID

For example, if I want to filter packets from a process named NC that flow through EN0, or incoming packets that do not flow through EN0, I can write like this

$ tcpdump "( if=en0 and proc =nc ) || (if ! = en0 and dir=in)"
Copy the code

6. Special filtering rules

5.1 Filtering by tcpFlags

From the previous article, we learned that TCP has a flag bit at the beginning.

Tcpdump allows us to filter packets by flag bit

proto [ expr:size ]
Copy the code

• Proto: Can be one of the well-known protocols (such as IP, ARP, TCP, UDP, ICMP, ipv6)

• Expr: Can be a numeric value or an expression representing a byte offset from the beginning of a specified protocol header.

• Size: Is optional and indicates the number of bytes to be taken from the byte offset.

I’m going to give you a few examples of how to write it, but before I do that, there are a few points that you need to understand, which will be used in the following examples:

**1, ** tcpFlags can be understood as an alias constant, equivalent to 13, which represents the byte offset associated with the specified protocol header, that is, the flag bit, so TCP [tcpFlags] is equivalent to TCP [13], corresponding to the packet location in the following figure.

**2, **tcp-fin, tcp-SYN, tcp-rst, TCP-push, tcp-ack, and tcp-URg can also be understood as aliasing constants, representing 1, 2, 4, 8, 16, 32, and 64, respectively. How are these numbers calculated?

In the case of TCP-SYN, you can look at the figure below and calculate a value of 2

Because numbers are not easy to remember, it is common to use such “alias constants”.

So when the following expression is true, it means that the packet is a SYN packet.

tcp[tcpflags] == tcp-syn
Copy the code

There are many ways to capture a particular packet.

The following uses the most common SYN packet as an example to show how to capture syn packets using tcpdump, as well as other types of packets.

According to my summary, there are mainly three ways to write:

1, the first way to write: use a number to represent the offset

$ tcpdump -i eth0 "tcp[13] & 2 ! = 0" 
Copy the code

2, the second way to write: use alias constants to represent offsets

$ tcpdump -i eth0 "tcp[tcpflags] & tcp-syn ! = 0" 
Copy the code

3, the third way to write: use mixed writing

$ tcpdump -i eth0 "tcp[tcpflags] & 2 ! = 0" 

# or

$ tcpdump -i eth0 "tcp[13] & tcp-syn ! = 0" 
Copy the code

What if I want to capture multiple types of packets simultaneously, such as SYN + ACK packets

1, the first way to write

$ tcpdump -i eth0 'tcp[13] == 2 or tcp[13] == 16'
Copy the code

2, the second way to write

$ tcpdump -i eth0 'tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack'
Copy the code

3, the third way to write

$ tcpdump -i eth0 "tcp[tcpflags] & (tcp-syn|tcp-ack) ! = 0" 
Copy the code

18 (SYN + ACK) = 2 (SYN) + 16 (ACK)

$ tcpdump -i eth0 'tcp[13] = 18'

# or

$ tcpdump -i eth0 'tcp[tcpflags] = 18'
Copy the code

TCP has an alias constant similar to TCP-SYN. Other protocols, such as ICMP, also have an alias constant

icmp-echoreply, icmp-unreach, icmp-sourcequench, 
icmp-redirect, icmp-echo, icmp-routeradvert,
icmp-routersolicit, icmp-timx-ceed, icmp-paramprob, 
icmp-tstamp, icmp-tstampreply,icmp-ireq, 
icmp-ireqreply, icmp-maskreq, icmp-maskreply
Copy the code

5.2 Filtering by Packet Size

If you want to view packets of a specified size, you can

$ tcpdump less 32 
$ tcpdump greater 64 
$ tcpdump <= 128
Copy the code

5.3 Filtering by MAC Address

For example, where ehost is the name recorded in /etc/ethers

$ tcpdump ether host [ehost]
$ tcpdump ether dst	[ehost]
$ tcpdump ether src	[ehost]
Copy the code

5.4 Filtering the Data packets that pass the specified gateway

$ tcpdump gateway [host]
Copy the code

5.5 Filtering broadcast/multicast Packets

$ tcpdump ether broadcast
$ tcpdump ether multicast

$ tcpdump ip broadcast
$ tcpdump ip multicast

$ tcpdump ip6 multicast
Copy the code

7. How to grab a more accurate bag?

Here’s a question for you: What if I just want to grab HTTP POST requests?

If you only learned the above, you still won’t be able to write a filter that meets the fetching requirements.

Before I start, I’ll give you the answer and then take a look at how this filter actually works, allowing us to make judgments about the contents of packages.

$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4]'
Copy the code

The optional arguments in the command have been discussed in detail earlier. I won’t go into detail here.

The focus of this section is on the quotes, which look complicated.

Breaking it down one by one, we can understand it if we first understand the following usages

• TCP [n] : indicates the NTH byte in the TCP packet

• TCP [n:c] : indicates that C bytes are taken from the NTH byte in the TCP packet. TCP [12:1] indicates that one byte is taken from the 12th byte (because there is the 0th byte, 12 actually means 13) in the packet, that is, 8 bits. Looking at the structure of the TCP packet header, it can be seen that the 8 bits are actually the positions circled in the red box in the figure below. In this case, we only need the first 4 bits, which are the offset of the actual data in the entire packet header.

  

• & : is the and operator in bitwise operations, such as 0011&0010 = 0010

• >> : is a right shift operation in a bit operation, such as 0111 >> 2 = 0001

• 0xf0: is a hexadecimal representation of 240, but for bit operations, both hexadecimal and hexadecimal are meaningless. What we need is binary, which is converted to binary: 11110000. What is the feature of this number? The first four bits are all 1’s and the next four bits are all 0’s, so you can see how this feature works.

After the decomposition, slowly merge together to see

1. TCP [12:1] &0xf0 is not intuitive, but let’s write it another way, assuming that the 12th byte in the TCP packet is composed of 10110000. So this expression can become 10110110&&11110000 = 10110000, and then when you get to 10110000, you go to the next step.

2, TCP [12:1] &0xf0) >> 2: If you don’t understand the data offset in the beginning of TCP packets, please click this to go to my previous article to understand the meaning of the data offset, otherwise I guarantee you will be completely confused here.

TCP [12:1] & 0xf0) >> 2 This expression is actually a short form of (TCP [12:1] & 0xf0) >> 4) << 2. So to understand TCP [12:1] & 0xf0) >> 2, just understand (TCP [12:1] & 0xf0) >> 4) << 2.

From the previous step, we calculated that the value of TCP [12:1] &0xf0 is actually one byte, that is, 8 bits. However, if you look at the above TCP header structure diagram, there are only 4 bits representing the data offset, that is, the value 10110000 obtained above. The first 4 bits (1011) are the correct offset, so in order to get 1011, we only need to shift 10110000 right 4 bits, that is TCP [12:1] & 0xf0) >> 4. So far, have we got the correct location of the actual data? Unfortunately, we haven’t. In the previous article, we explained that the Data Offset is in 4 bytes, because we have to multiply 1011 by 4. Dividing by 4 is equivalent to a 2 bit shift to the left, which is <<2. When combined with the previous >>4, the final operation can be reduced to >>2.

At this point, we finally get the actual data starting position is TCP [12:1] & 0xf0) >> 2 (in bytes).

Once you’ve found the starting point of the data, don’t forget that our goal is to GET the HTTP request from the data, is it GET or POST or something?

With this experience in mind, we naturally know how to use TCP [((TCP [12:1] & 0xf0) >> 2):4] to extract another four bytes from the starting position of the data, The result is then compared to the hexadecimal version of GET (note that GET has a space at the end), which is 0x47455420.

0 x47 - - > 71 > G 0 x45 -- - > 69 > 0 x54 E -- - > 84 > T 0 x20 -- - > 32 - > SpacesCopy the code

If so, the expression is True, and tcpdump says that this is the packet we need to capture and output to our terminal screen.

8. Actual application example of packet capture

8.1 Extracting the HTTP User-Agent

Extract the HTTP user-agent from the HTTP request header:

$ tcpdump -nn -A -s1500 -l | grep "User-Agent:"
Copy the code

Using egrep, you can extract both the user-agent and the host name (or other header files) :

$ tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'
Copy the code

8.2 Fetching HTTP GET and POST requests

Fetching HTTP GET request packets:

$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

# or

$ tcpdump -vvAls0 | grep 'GET'
Copy the code

You can grab HTTP POST request packets:

$ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

# or 

$ tcpdump -vvAls0 | grep 'POST'
Copy the code

Note: This method does not guarantee that HTTP POST traffic will be captured, because a POST request will be split into multiple TCP packets.

8.3 Finding the IP Address that Sends the most Packets

To find the IP address that sends the most packets in a period of time, or to find the IP address that sends the most packets in a bunch of packets, run the following command:

$ tcpdump -nnn -t -c 200 | cut -f1, 2, 3, 4-d '. ' | sort | uniq -c | sort -nr | head -n 20
Copy the code

• Cut -f 1,2,3, 4-d ‘.’To:.Prints the first four columns of each row for the delimiter. That is, the IP address.
• Sort | uniq -c: sorting and counting
• Sort-nr: sort in reverse order by value

8.4 Fetching DNS requests and Responses

The default DNS port is 53. Therefore, port filtering can be performed

$ tcpdump -i any -s0 port 53
Copy the code

8.5 Cutting pCAP Files

When a large amount of data is captured and written to a file, it can be automatically cut into multiple files of the same size. For example, the following command creates a new file capture-(hour).pcap every 3600 seconds with a maximum size of 200 x 1000000 bytes:

$ tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200
Copy the code

These files are named capture-{1-24}.pcap. After 24 hours, the previous files will be overwritten.

8.6 Extracting the Password in the HTTP POST Request

Extract the password and hostname from the HTTP POST request:

$ tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
Copy the code

8.7 Extracting the HTTP Request URL

Extract the hostname and path for the HTTP request:

$ tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"
Copy the code

8.8 Capture valid HTTP Packets

Capture valid HTTP packets on port 80, excluding TCP connection setup packets (SYN/FIN/ACK) :

$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) ! = 0) '
Copy the code

8.9 Analysis using Wireshark

Generally, Wireshark (or Tshark) is easier to analyze application layer protocols than tcpdump. The common practice is to use tcpdump to capture data and write it to a file on a remote server, and then copy the file to a local workstation and use Wireshark to analyze the file.

A more efficient method is to send the captured data to Wireshark for analysis in real time over AN SSH connection. For the MacOS, run brew cask install Wireshark to install the wireshark. Then, run the following command:

$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
Copy the code

For example, if you want to analyze the DNS protocol, use the following command:

$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - port 53' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
Copy the code

Captured data:

The -c option limits the size of fetched data. If you do not limit the size, you can only stop fetching using Ctrl-C, which closes both tcpdump and Wireshark.

So far, I’ve covered everything I know about tcpdump. If you’ve read this article carefully, it will be a great benefit to have a good grasp of packet capture tools, which will help you learn about networks, analyze network protocols, and locate network problems. Tcpdump is a tool I recommend for capturing packets.

9. Refer to articles

1. FreeBSD Manual Pages About tcpdump
2. Description of the Linux tcpdump command
3. A quick and useful tcpdump command reference manual
4. Detailed guide to tcpdump
5. Tcpdump example tutorial
6. Tcpdump example tutorial

---