A tutorial on using tcpdump, the network packet capture tool, on Linux

Time:2020-2-25

tcpdump is a powerful network data capture and analysis tool for Linux.
tcpdump is driven from the command line; its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
[-i interface] [-r file] [-s snaplen]
[-T type] [-w file] [expression]

1. Introduction to tcpdump options
-a convert network addresses and broadcast addresses into names;
-d dump the compiled packet-matching code in a human-readable assembler-like form;
-dd dump the packet-matching code as a C program fragment;
-ddd dump the packet-matching code as decimal numbers;
-e print the data link layer header on each output line;
-f print "foreign" Internet addresses in numeric form;
-l make standard output line-buffered;
-n do not convert network addresses to names;
-t do not print a timestamp on each output line;
-v slightly more verbose output, for example the TTL and type of service of an IP packet;
-vv even more verbose packet information;
-c stop after receiving the specified number of packets;
-F read the expression from the specified file and ignore expressions given on the command line;
-i specify the network interface to monitor;
-r read packets from the specified file (normally one produced with the -w option);
-w write the raw packets to the file instead of parsing and printing them;
-T interpret the captured packets as messages of the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

2. Introduction to tcpdump expressions
The expression is a filter expression. tcpdump uses it as the condition for capturing packets: a packet that satisfies the expression is captured, and if no expression is given, all packets on the network are intercepted.
There are several kinds of keywords in an expression. The first kind describes the type of the value that follows, mainly host, net and port: for example, host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means that the port number is 23. If no type is specified, the default type is host.
The second kind specifies the direction of transmission, mainly src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means that the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is specified, the default is src or dst.
The third kind is protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi selects the network protocol on FDDI (Fiber Distributed Data Interface) networks and is actually an alias for ether: FDDI and Ethernet frames have similar source and destination addresses, so FDDI packets can be treated and analyzed like Ethernet packets. The other keywords select the protocol of the monitored packet. If no protocol is specified, tcpdump listens to packets of all protocols.
Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is "not" or "!", conjunction is "and" or "&&", and disjunction is "or" or "||".
These keywords can be combined into powerful compound conditions. A few examples follow.
(1) To intercept all packets received and sent by host 210.27.48.1:

#tcpdump host 210.27.48.1

(2) To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the following command (the parentheses are escaped with backslashes so that the shell does not interpret them):

#tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

(3) To obtain the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2, use the command:

#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To obtain the telnet packets received or sent by host 210.27.48.1, use the command:

#tcpdump tcp port 23 and host 210.27.48.1

3. Introduction to the output of tcpdump
Next we look at the output of several typical tcpdump commands.
(1) Data link layer header information
Use the command "tcpdump -e host ice".
ice is a Linux host whose MAC address is 0:90:27:58:af:1a;
h219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46. The output of the command is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12.847509 is the timestamp, 847509 being the microseconds (not, as it is sometimes described, an ID number); eth0 < means that the packet was received on network interface eth0, while eth0 > would mean that it was sent out of that interface. 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet came from source h219; 0:90:27:58:af:1a is the MAC address of host ice, indicating that the packet's destination is ice. ip says that this is an IP packet and 60 is the packet length. h219.33357 > ice.telnet means that the packet was sent from port 33357 of host h219 to the telnet port (23) of host ice. ack 22535 indicates that the segment with sequence number 22535 is being acknowledged, and win 8760 indicates that the window size is 8760.
(2) tcpdump output for ARP packets
Use the command "tcpdump arp".
The output is as follows:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42.802509 is the timestamp (802509 being the microseconds), eth0 > indicates that the packet was sent from this host, arp indicates an ARP request packet, and who-has route tell ice means that host ice is asking for the MAC address of host route. 0:90:27:58:af:1a is the MAC address of host ice. The second line is the reply received on eth0: route answers that its MAC address is 0:90:27:12:10:66.
(3) Output for TCP packets
The general form of a TCP packet line captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst gives the source address and the destination address; flags are the flag bits of the TCP segment: S (SYN), F (FIN), P (PUSH), R (RST) and "." (no flag set); data-seqno is the sequence number range of the data in the segment; ack is the next sequence number expected; window is the size of the receive window; urgent indicates whether the segment carries an urgent pointer; options are the TCP options.
(4) Output for UDP packets
The general form of a UDP packet line captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is simple: the line above describes a UDP packet sent from port port1 of host route to port port2 of host ice; the type is udp and the packet length is length.
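To turn the output formats described in this section into something a script can check, here is an added Python example (not code from the article): a small parser for the old-style Linux tcpdump lines shown above, with the optional -e link-layer header, the ARP request/reply lines, and the TCP and UDP line forms. The regular expressions and field names are this example's own; the sample lines are the article's, except for the UDP line, which is constructed to match the "src.port > dst.port: udp length" form.

```python
import re
from collections import Counter

# Added example: a parser for the tcpdump output lines shown in section 3.
# The regular expressions are this example's own. They cover the old Linux
# tcpdump format with the 'iface <' / 'iface >' direction marker and the
# optional -e link-layer header (src MAC, dst MAC, type, length:).
MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"

PREFIX_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<direction>[<>])\s+"
    rf"(?:(?P<src_mac>{MAC})\s+(?P<dst_mac>{MAC})\s+(?P<ethertype>\S+)\s+(?P<frame_len>\d+):\s+)?"
    r"(?P<rest>.*)$")
ARP_REQUEST_RE = re.compile(
    rf"^arp who-has (?P<target>\S+) tell (?P<sender>\S+)(?: \((?P<sender_mac>{MAC})\))?$")
ARP_REPLY_RE = re.compile(
    rf"^arp reply (?P<target>\S+) is-at (?P<target_mac>{MAC})(?: \((?P<dst_mac>{MAC})\))?$")
UDP_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>[^\s:]+) > (?P<dst>\S+)\.(?P<dport>[^\s:]+): udp (?P<length>\d+)$")
# src.port > dst.port: flags data-seqno ack window urgent ...; flags and seqno may be absent
TCP_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>[^\s:]+) > (?P<dst>\S+)\.(?P<dport>[^\s:]+):?"
    r"(?: (?P<flags>[SFPRUEW.]+))?(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<data_len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?(?P<tail>.*)$")
INT_FIELDS = ("frame_len", "seq_start", "seq_end", "data_len", "ack", "win", "urg", "length")


def parse_line(line):
    """Parse one tcpdump output line into a dict, or return None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None and k != "rest"}
    rest = m["rest"]
    # TCP_RE is the most permissive pattern, so it is tried last
    for proto, rx in (("arp", ARP_REQUEST_RE), ("arp", ARP_REPLY_RE), ("udp", UDP_RE), ("tcp", TCP_RE)):
        pm = rx.match(rest)
        if pm:
            rec["proto"] = proto
            rec.update({k: v for k, v in pm.groupdict().items() if v is not None})
            if proto == "arp":
                rec["op"] = "request" if rx is ARP_REQUEST_RE else "reply"
            break
    else:
        rec["proto"] = "unknown"
        rec["rest"] = rest
    for k in INT_FIELDS:
        if k in rec:
            rec[k] = int(rec[k])
    tail = rec.pop("tail", "").strip()   # e.g. "(DF)" for the don't-fragment flag
    if tail:
        rec["tail"] = tail
    rec["received"] = rec["direction"] == "<"   # '<' came in on iface, '>' went out
    return rec


def summarize(lines):
    """Count parsed lines per protocol, as a plain dict."""
    return dict(Counter(r["proto"] for r in map(parse_line, lines) if r))


# Sample input: the first three lines are from the article, the UDP line is constructed
SAMPLE_LINES = [
    "21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: "
    "h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
    "22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)",
    "22:40:01.123456 eth0 > route.1234 > ice.domain: udp 40",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(summarize(SAMPLE_LINES))
```

The parser keeps port fields as strings because tcpdump prints service names (telnet, domain) unless -n is given; run the capture with -n if you want numeric ports for comparisons.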

4. Examples

[root@www ~]# tcpdump -i eth1   # monitor packets on the specified network interface
[root@www ~]# tcpdump host webserver   # print all packets entering or leaving webserver
[root@www ~]# tcpdump host 210.27.48.1   # an IP address can also be given, e.g. intercept all packets received and sent by host 210.27.48.1
[root@www ~]# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)   # intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3
[root@www ~]# tcpdump ip host 210.27.48.1 and ! 210.27.48.2   # obtain the IP packets exchanged between 210.27.48.1 and every host except 210.27.48.2
[root@www ~]# tcpdump -i eth0 src host webserver   # intercept all packets sent by the host webserver
[root@www ~]# tcpdump -i eth0 dst host webserver   # monitor all packets sent to the host webserver
[root@www ~]# tcpdump tcp port 23 and host 210.27.48.1   # telnet packets received or sent by host 210.27.48.1
[root@www ~]# tcpdump udp port 123   # UDP packets with source or destination port 123
[root@www ~]# tcpdump net ucb-ether   # print all packets between the local host and hosts on the Berkeley network (NT: ucb-ether can be read as the network address of the "Berkeley network"; literally, the expression prints all packets whose network address is ucb-ether)
[root@www ~]# tcpdump 'gateway snapup and (port ftp or ftp-data)'   # print all FTP packets passing through the gateway snapup (the expression is enclosed in single quotes so that the shell does not interpret the parentheses)
[root@www ~]# tcpdump ip and not net localnet   # print IP packets whose source and destination are both outside the local network (not net localnet)
[root@www ~]# tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'   # print the start and end packets (SYN and FIN) of TCP sessions in which at least one endpoint is outside the local network (NT: replace localnet with the name of your local network)
[root@www ~]# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'   # IPv4 packets with source or destination port 80 that carry data: IP total length minus IP header length minus TCP header length is non-zero, which excludes SYN, FIN and ACK-only segments
[root@www ~]# tcpdump 'gateway snapup and ip[2:2] > 576'   # print IP packets longer than 576 bytes whose gateway address is snapup
[root@www ~]# tcpdump 'ether[0] & 1 = 0 and ip[16] >
[root@www ~]# tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'   # print ICMP packets other than echo requests and echo replies

[root@www ~]# tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap tcp and not dst port 22 and src net 192.168.1.0/24

#(1) tcp: a protocol qualifier such as ip, icmp, arp, rarp, tcp or udp goes first in the filter expression to select the datagram type; the options (-i, -t, -s, -c, -w) are given before the expression
#(2) -i eth1: only capture packets passing through interface eth1
#(3) -t: do not show timestamps
#(4) -s 0: the default snapshot length was 68 bytes in older versions (recent versions capture whole packets by default); with -s 0 the complete packet is captured
#(5) -c 100: capture only 100 packets
#(6) not dst port 22: do not capture packets whose destination port is 22
#(7) src net 192.168.1.0/24: the source network address of the packet is 192.168.1.0/24
#(8) -w ./target.cap: save to a cap file for later analysis with Ethereal (Wireshark)

[root@www ~]# tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'   # 0x4745 is "GE" and 0x4854 is "HT": match HTTP requests (GET ...) and responses (HTTP/...) by their first two payload bytes, assuming a 20-byte TCP header without options; -X prints hex and ASCII, -S prints absolute sequence numbers
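The byte-offset filters in this section (ip[2:2], ip[0]&0xf, tcp[12]&0xf0, tcp[20:2], icmp[icmptype], ether[0]&1) and the host/net/port keywords of section 2 are easier to reason about when evaluated over concrete packets. The following Python is an added example, not code from the article or from tcpdump: it builds constructed Ethernet/IPv4/TCP and ICMP frames (checksums left at zero, MAC and IP addresses borrowed from the article's examples) and implements the filters with the same offset semantics that tcpdump uses (tcp[x] counted from the start of the TCP header, after the IP header length). All helper names are this example's own. It also goes one step beyond the page: http_any_offset reads the first payload bytes at the real TCP data offset, which shows why the tcp[20:2] form misses segments that carry TCP options.

```python
import ipaddress
import struct

# Added example (not tcpdump code): evaluate tcpdump filter primitives in Python over
# constructed Ethernet/IPv4 frames. Helper names are this example's own; IP and TCP
# checksums are left at zero because none of these filters read them.
DST_MAC = bytes([0x08, 0x00, 0x20, 0x79, 0x5b, 0x46])  # h219, MAC from the article
SRC_MAC = bytes([0x00, 0x90, 0x27, 0x58, 0xaf, 0x1a])  # ice, MAC from the article
ETH = DST_MAC + SRC_MAC + b"\x08\x00"                    # EtherType 0x0800 = IPv4

def ipv4_header(payload_len, proto, src="210.27.48.1", dst="210.27.48.2"):
    # 20-byte IPv4 header (IHL 5, no options); total length = 20 + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64,
                       proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def tcp_frame(payload, sport=33357, dport=80, flags=0x18, options=b"", **ip_kw):
    # Ethernet + IPv4 + TCP; the TCP data offset (header length) grows with the options
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    th = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, (5 + len(options) // 4) << 4,
                     flags, 8760, 0, 0) + options
    return ETH + ipv4_header(len(th) + len(payload), 6, **ip_kw) + th + payload

def icmp_frame(icmp_type, code=0, **ip_kw):
    body = struct.pack("!BBHHH", icmp_type, code, 0, 1, 1)  # type, code, checksum, id, seq
    return ETH + ipv4_header(len(body), 1, **ip_kw) + body

# --- proto[offset:size] accessors with tcpdump's semantics ---------------------------
def _load(frame, start, size):
    if start < 0 or start + size > len(frame):  # BPF rejects a packet too short for the load
        raise IndexError("load outside packet")
    return int.from_bytes(frame[start:start + size], "big")

def ether(frame, off, size=1):
    return _load(frame, off, size)

def ip(frame, off, size=1):  # IPv4 header follows the 14-byte Ethernet header
    return _load(frame, 14 + off, size)

def tcp(frame, off, size=1):  # tcp[x] is relative to the TCP header: skip IHL*4 bytes first
    return _load(frame, 14 + ((ip(frame, 0) & 0xF) << 2) + off, size)

icmp = tcp  # same rule: offset relative to the layer-4 header

def matches(predicate, frame):
    try:
        return bool(predicate(frame))
    except IndexError:
        return False

# --- section 2 primitives: host / net / port with src and dst qualifiers -------------
def is_ipv4(frame):
    return ether(frame, 12, 2) == 0x0800

def host(frame, addr):  # 'host A' means 'src host A or dst host A'
    return is_ipv4(frame) and ipaddress.ip_address(addr).packed in (frame[26:30], frame[30:34])

def src_net(frame, cidr):  # 'src net 192.168.1.0/24'
    return is_ipv4(frame) and ipaddress.ip_address(frame[26:30]) in ipaddress.ip_network(cidr)

def tcp_port(frame, port):  # 'tcp port N' means 'tcp src port N or tcp dst port N'
    return is_ipv4(frame) and ip(frame, 9) == 6 and port in (tcp(frame, 0, 2), tcp(frame, 2, 2))

# --- section 4 byte-offset filters ------------------------------------------------------
def tcp_payload_len(frame):
    # ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): total length minus both headers
    return ip(frame, 2, 2) - ((ip(frame, 0) & 0xF) << 2) - ((tcp(frame, 12) & 0xF0) >> 2)

def http_port_with_data(frame):  # 'tcp port 80 and (... != 0)': segments that carry data
    return tcp_port(frame, 80) and tcp_payload_len(frame) != 0

def http_fixed_offset(frame):  # 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854' ("GE" / "HT")
    return is_ipv4(frame) and ip(frame, 9) == 6 and tcp(frame, 20, 2) in (0x4745, 0x4854)

def http_any_offset(frame):  # generalisation: first two payload bytes at the real data offset
    return (is_ipv4(frame) and ip(frame, 9) == 6
            and tcp(frame, (tcp(frame, 12) & 0xF0) >> 2, 2) in (0x4745, 0x4854))

def large_ip(frame):  # 'ip[2:2] > 576'
    return is_ipv4(frame) and ip(frame, 2, 2) > 576

def icmp_not_echo(frame):  # 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
    return is_ipv4(frame) and ip(frame, 9) == 1 and icmp(frame, 0) not in (8, 0)

def unicast_ether(frame):  # 'ether[0] & 1 = 0': destination MAC is not multicast/broadcast
    return ether(frame, 0) & 1 == 0

# Constructed sample frames (not captured traffic)
GET = tcp_frame(b"GET / HTTP/1.0\r\n\r\n")
GET_WITH_OPTS = tcp_frame(b"GET / HTTP/1.0\r\n\r\n",  # NOP, NOP, 10-byte timestamp option
                          options=b"\x01\x01\x08\x0a" + struct.pack("!II", 1, 2))
ACK_ONLY = tcp_frame(b"", flags=0x10)
BIG = tcp_frame(b"A" * 600, src="192.168.1.7")
ECHO_REQUEST = icmp_frame(8)
DEST_UNREACH = icmp_frame(3, code=1)

if __name__ == "__main__":
    for name, f in (("GET", GET), ("GET_WITH_OPTS", GET_WITH_OPTS), ("ACK_ONLY", ACK_ONLY)):
        print(name, [p.__name__ for p in (http_port_with_data, http_fixed_offset, http_any_offset)
                     if matches(p, f)])
```

matches() mirrors BPF's behaviour for loads past the end of a packet: the filter simply does not match, which is why the ACK-only segment is rejected by http_fixed_offset rather than raising. The data-offset arithmetic in tcp_payload_len is exactly what the 'tcp port 80 and (...)' filter computes, so a detection rule that wants the first payload bytes should read them at that offset instead of the fixed 20.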