1. Introduction
tcpdump is a packet analysis tool that captures packets on the network according to filters the user defines. Its man page describes it simply as:
dump the traffic on a network
tcpdump captures the headers of packets sent on the network and analyzes them. It can filter by network layer, protocol, host, network, or port, and supports the logical operators and, or, and not to drop the traffic you are not interested in.
tcpdump is built on the libpcap library and requires root privileges to run.
2. Packet capture principle
On Linux, packet capture works by registering a virtual low-level network protocol that takes part in the processing of incoming network frames (specifically, the frames handed up by the network device).
When a network card receives a frame, the kernel walks through all the network protocols registered in the system (the Ethernet and X.25 processing modules, for example) and lets each one try to parse it. This is similar to mounting a file system: every registered file system is given a chance to try the mount, and whichever one says it can handle it completes the mount.
The capture module disguises itself as such a network protocol, so after a frame is received the system also hands it to this pseudo-protocol. At that point the capture module snoops on the frame: it makes a copy and reports the copy to the capture program as if it were a received packet.
3. Diagram of core parameters
There is a great deal of traffic on a network, so to catch the packets we need we must define a precise filter that picks those target packets out of the flood.
So learning a packet capture tool is really about learning how to define filters.
In the world of tcpdump, filters are built by combining one parameter after another, adding parameters until the useless packets are filtered out and only the ones you need remain.
tcpdump has a great many parameters, and the number of them is what usually confuses us.
For example, the following command filters by host IP address:
tcpdump host 192.168.10.100
Main program + parameter name + parameter value is what we normally expect from a command line.
However, tcpdump takes the unusual step of allowing a qualifier before host to narrow the filter:
tcpdump src host 192.168.10.100
On the face of it this is easy to understand, but it does not follow the normal logic of a command-line program, which raises questions:
- Besides src and dst, what other qualifiers can be used?
- Is src host the parameter name?
Adding src overturns our understanding, and we can add still more conditions, such as tcp, udp, or icmp, before src to filter one more layer on top of the previous one:
tcpdump tcp src host 192.168.10.100
This kind of uncertainty about the parameters keeps us from grasping the essence of tcpdump.
It is necessary to know how the parameters to tcpdump are composed:
- option: the optional command-line options; they are explained in section 6
- proto: the protocol filter. Recognized keywords are tcp, udp, icmp, ip, ip6, arp, rarp, ether, wlan, fddi, tr, and decnet
- direction: the direction filter. Recognized keywords are src and dst, which can be combined with logical operators, for example src or dst
- type: the type filter. Recognized keywords are host, net, port, and portrange, each of which takes an argument
The proto, type, and direction filters are relatively simple and together form the usual filter expressions. option, by contrast, has many optional parameters, some of which are rarely used.
4. Output content
4.1 Output content structure
Running tcpdump prints one line per packet, for example:
16:23:36.916846 IP 172.28.64.155.15605 > 10.180.1.19.80: Flags [P.], seq 172, ack 106048, win 4723, length 48
From this output line we can read:
- Column 1: the time, hours:minutes:seconds and fraction of a second, 16:23:36.916846
- Column 2: the network protocol, IP
- Column 3: sender IP address and port number; 172.28.64.155 is the IP address and 15605 the port number
- Column 4: the arrow >, indicating the direction of data flow
- Column 5: receiver IP address and port number; 10.180.1.19 is the IP address and 80 the port number
- Column 6: a colon
- Column 7: packet content, including the Flags, seq number, ack number, win (window) and data length; [P.] means the PUSH flag is set. For the other flags, see 4.3 Flags identifiers
4.2 Packet Structure
(Figure: packet data structure; the image is not reproduced here)
4.3 Flags Identifiers
After capturing packets with tcpdump, the following Flags appear in the output:
- [S] : SYN (start a connection)
- [P] : PSH (push data)
- [F] : FIN (end a connection)
- [R] : RST (reset the connection)
- [.] : none of the four flags above is set (any other case, which may be ACK or URG)
5. General filtering rules
5.1 IP Address-based Filtering: host
Use host to specify the host IP address to filter on:
tcpdump host 192.168.10.100
The IP address of a packet can be further divided into source IP address and destination IP address.
Filter by source IP address:
tcpdump -i eth2 src 192.168.10.100
Filter by destination IP address:
tcpdump -i eth2 dst 192.168.10.200
5.2 Filtering by Network segment: net
If the address range is a whole network segment, you can specify it like this:
tcpdump net 192.168.10.0/24
The network segment can likewise be divided into source network segment and destination network segment.
Filter by source network segment:
tcpdump src net 192.168
Filter by destination network segment:
tcpdump dst net 192.168
5.3 Filtering by port: port
Use port to specify a particular port to filter on:
tcpdump port 8088
Ports can also be divided into source ports and destination ports.
Filter by source port:
tcpdump src port 8088
Filter by destination port:
tcpdump dst port 8088
If you want to match more than one port, you can write this:
# Multiple ports can be combined
tcpdump port 80 or port 8088
# which can also be shortened to
tcpdump port 80 or 8088
If you want to capture a whole range rather than one or two ports, specify a port range like this:
tcpdump portrange 8000-8080
tcpdump src portrange 8000-8080
tcpdump dst portrange 8000-8080
For the default ports of common protocols, you can use the protocol name instead of the port number, for example http = 80, https = 443, and so on:
tcpdump tcp port http
5.4 Protocol-based Filtering: proto
Common network protocols include TCP, UDP, ICMP, HTTP, IP, IPv6, and so on.
If you only want to see ICMP packets, you can write this directly:
tcpdump icmp
Protocol optional values: ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui
6. Optional parameter parsing
6.1 Speeding up output by not resolving names
- -n
Do not convert IP addresses to host names; print the addresses directly. This avoids DNS lookups and is much faster
- -nn
Also do not convert protocol and port numbers to names, which is faster still
- -N
Do not print the domain part of host names. For example, with this option tcpdump prints nic instead of nic.ddn.mil
6.2 Output filtering Results to files
After capturing packets with tcpdump you often need another tool, such as Wireshark, to analyze them. To do that, write the captured packets to a file and then open that file in Wireshark.
With the -w parameter followed by a file name with a .pcap suffix, you can save the data captured by tcpdump to a file:
tcpdump icmp -w icmp.pcap
6.3 Reading Package Data from a File
-w writes data to a file, and -r reads data back from a file.
After reading, the filter syntax above can still be applied for analysis:
tcpdump icmp -r all.pcap
6.4 Control the time display
- -t
Do not print a timestamp on each output line
- -tt
Print an unformatted timestamp on each output line
- -ttt
Print the time interval (in milliseconds) between the current and the previous output line
- -tttt
Print the date in front of the timestamp on each line (the most readable form of the time)
6.5 Other Common Parameters
- -A
Print each packet in ASCII (without its link-layer header). Handy for reading web page data in captured packets
- -l
Line-buffered output, which makes it easy to save the output for later viewing or pipe it to another tool for analysis
- -q
Quiet output: print very little protocol-specific information, so the output lines are short
- -c
Exit after count packets have been captured
- -s
By default tcpdump captures only the first 96 bytes of each packet. To capture whole packets, use -s number, where number is the number of bytes to capture from each packet
- -S
Print absolute rather than relative TCP sequence numbers
- -C
file-size: before writing a raw packet to the save file, check whether the file is larger than file-size. If so, close the current file and open a new one. The new file has the same name as the one given with -w, with a number appended; the number starts at 1 and increases as more files are created. file-size is in megabytes (1 MB = 1024 * 1024 = 1048576 bytes)
- -F
Use file as the input for the filter expression; in that case any expression given on the command line is ignored
7. Combination of filtering rules
tcpdump supports the following logical operators:
- and
All conditions must be met; can also be written as &&
- or
At least one condition must be met; can also be written as ||
- not
Negates a condition; can also be written as !
For example, to capture packets from 172.20.116.22 destined for port 3333 on any host:
tcpdump src 172.20.116.22 and dst port 3333
8. Common commands
8.1 Examples
tcpdump -i any port 80 or port 443 -A -nn
tcpdump -i any port 80 and host 192.168.1.1 -w ping.pcapng
timeout 600 tcpdump -i any port 80 or port 443 -A -nn
tcpdump -c 5 -i any port 80 or port 443 -A -nn
- tcpdump usage: options
Option | Example | Description |
---|---|---|
-i | tcpdump -i eth0 | Specify the network interface. The default is eth0; any means all interfaces |
-nn | tcpdump -nn | Do not resolve IP addresses and port numbers to names |
-c | tcpdump -c 5 | Limit the number of packets to capture |
-w | tcpdump -w file.pcap | Save the capture to a file, usually named with a .pcap suffix |
- tcpdump usage: filter expressions
Option | Example | Description |
---|---|---|
host, src host, dst host | tcpdump -nn host 192.168.1.100 | Host filter |
port, src port, dst port | tcpdump -nn port 80 | Port filter |
ip, ip6, arp, tcp, udp, icmp | tcpdump -nn tcp | Protocol filter |
and, or, not | tcpdump -nn host 192.168.1.100 and port 80 | Logical expression |
tcp[tcpflags] | tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0' | TCP packets in a specific state (here, SYN set) |
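The last table row works on byte 13 of the TCP header, the byte tcpdump's filter language names tcp[tcpflags]. The following added example (not code from the original article) builds constructed TCP headers in Python, renders the flags byte the way section 4.3 shows it, and evaluates that filter; the tcp_header helper and the sample ports are assumptions of the example.

```python
import struct

# TCP flag bits in byte 13 of the TCP header, the byte tcpdump's filter language
# calls tcp[tcpflags]; tcp-fin, tcp-syn, ... in a filter expression are these values.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80
# Letters tcpdump prints inside Flags [...], in its output order; ACK is shown as ".".
FLAG_LETTERS = [(TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PSH, "P"),
                (TCP_ACK, "."), (TCP_URG, "U"), (TCP_ECE, "E"), (TCP_CWR, "W")]

def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header without options (helper for this example only)."""
    data_offset = 5 << 4  # header length of 5 32-bit words in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)

def tcpflags(header: bytes) -> int:
    """The value a filter expression sees as tcp[tcpflags]."""
    return header[13]

def flags_text(header: bytes) -> str:
    """Render the flags byte as tcpdump prints it, e.g. 'S.' for a SYN-ACK (section 4.3)."""
    bits = tcpflags(header)
    return "".join(letter for bit, letter in FLAG_LETTERS if bits & bit)

def matches_syn_filter(header: bytes) -> bool:
    """The table's `tcp[tcpflags] & tcp-syn != 0`: SYN set, whatever else is set, so it
    matches both the client's SYN and the server's SYN-ACK."""
    return (tcpflags(header) & TCP_SYN) != 0

def matches_pure_syn(header: bytes) -> bool:
    """`tcp[tcpflags] == tcp-syn`: only the connection-opening SYN with no other flag set."""
    return tcpflags(header) == TCP_SYN
```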
8.2 Detailed example
tcpdump tcp -i eth1 -t -s 0 -c 100 and not dst port 22 and src net 192.168.1.0/24 -w ./target.cap
- tcp: the protocol qualifier (ip, icmp, arp, rarp, tcp, udp, ...) is placed first in the filter expression and selects the type of datagram to capture
- -i eth1: capture only packets passing through interface eth1
- -t: do not print timestamps
- -s 0: the default capture length is 68 bytes; -s 0 captures the complete packet
- -c 100: capture only 100 packets
- not dst port 22: exclude packets whose destination port is 22
- src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24
- -w ./target.cap: save to a .cap file for easy analysis in Ethereal (Wireshark)
9. Practical example
Capture packets on port 80. Because the capture is very large, search it for abnormal packets containing RST, obtain the port of such a packet, and save the complete TCP conversation that matches to a new file.
- Capture packets on port 80
tcpdump -i any port 80 -w ceph.pcapng
- View the generated pcapng file
ls -alh
- Convert the pcapng file to a text log
tcpdump -r ceph.pcapng > ceph.tcpdump.log
- Find the RST packets that match the condition
grep -i flags ceph.tcpdump.log | grep "\[R"
- Take the port from a matching packet and extract just that conversation into a new pcapng file
tcpdump -r ceph.pcapng port 33646 -w 33646.pcapng
With these steps you can search a saved capture by criteria and produce a new, smaller capture from it.
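The grep step above does by hand what a small parser can do for every line. The following added example (not code from the original article) splits tcpdump's one-line output into the columns of section 4.1, expands the flag letters of section 4.3, and implements the section 9 search for the client port of RST conversations; the log lines are a constructed sample and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of `tcpdump -r ceph.pcapng > ceph.tcpdump.log`
# (section 9); addresses, ports and sequence numbers are made up for this example.
SAMPLE_LOG = """\
16:23:36.916846 IP 172.28.64.155.15605 > 10.180.1.19.80: Flags [P.], seq 172, ack 106048, win 4723, length 48
16:23:36.917001 IP 10.180.1.19.80 > 172.28.64.155.15605: Flags [.], ack 220, win 501, length 0
16:23:37.102233 IP 172.28.64.155.33646 > 10.180.1.19.80: Flags [S], seq 1001, win 64240, length 0
16:23:37.102900 IP 10.180.1.19.80 > 172.28.64.155.33646: Flags [R.], seq 0, ack 1002, win 0, length 0
16:23:38.000100 IP 10.180.1.19.80 > 172.28.64.155.15605: Flags [F.], seq 106048, ack 220, win 501, length 0
"""

# Columns 1-7 of section 4.1: time, protocol, src.port, ">", dst.port, ":", packet content.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
# Letters tcpdump prints inside Flags [...] (section 4.3); "." stands for ACK.
FLAG_NAMES = {"S": "SYN", "P": "PSH", "F": "FIN", "R": "RST", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one TCP summary line into the columns of section 4.1; None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. an ICMP line, or a line truncated while writing the log
    rest = m.group("rest")
    def field(key: str, pattern: str = r"\d+") -> Optional[str]:
        f = re.search(rf"\b{key} ({pattern})", rest)
        return f.group(1) if f else None
    rec: Dict[str, object] = {k: m.group(k) for k in ("time", "proto", "src", "dst", "flags")}
    rec["sport"], rec["dport"] = int(m["sport"]), int(m["dport"])
    rec["seq"] = field("seq", r"[\d:]+")  # "172" or a "first:last" range
    for key in ("ack", "win", "length"):
        val = field(key)
        rec[key] = int(val) if val is not None else None
    rec["flag_names"] = [FLAG_NAMES.get(c, c) for c in m["flags"]]
    return rec

def rst_client_ports(log: str, server_port: int = 80) -> List[int]:
    """Section 9 workflow: for each line with RST set, report the non-server port of that
    conversation, i.e. the value to use in `tcpdump -r ceph.pcapng port <N> -w <N>.pcapng`."""
    ports = set()
    for rec in filter(None, map(parse_line, log.splitlines())):
        if "RST" in rec["flag_names"]:
            ports.add(rec["sport"] if rec["dport"] == server_port else rec["dport"])
    return sorted(ports)
```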