Explain the application of tcpdump tool in Linux with examples


Let’s look at a more basic usage:

Copy code

The code is as follows:

tcpdump -i eth0

Among them, eth0 is the parameter value, which indicates the network port to capture packets. This is a required parameter.

The specific parameters and significance of tcpdump are as follows

-i: Specifies the network interface that tcpdump listens to

-s: Specifies the length of the packet to listen for

-c: Specify the number of packets to be monitored. When the number reaches the specified number, packet capture will be stopped automatically

-w: Specifies that the monitored packets are written to a file and saved

-A: Specifies that each monitored packet is printed in acsii visible characters

-n: Specifies that each domain name monitored in the packet will be displayed after being converted to an IP address

-NN: Specifies that the domain name in each monitored packet will be converted to IP, and the port will be displayed after the application name is converted to port number

-e: Specifies to print out the information of the monitored packet link layer, including the source MAC and destination MAC, as well as the protocol of the network layer

-p: Set the network card to non hybrid mode and cannot be used with host or broadcast

-r: Specifies to read packets from a file

-S: Specifies to print the TCP absolute sequence number of each monitored packet instead of the relative sequence number

Tcpdump supports many keywords. Here are some examples:

(example 1) tcpdump – I eth0 host – grabs all packets with the host address of from eth0.

(example 2) tcpdump – I eth0 net – grabs all packets with network address from eth0

(example 3) tcpdump – I eth0 port 80 – grabs all packets with port 80 on Ethernet port eth0 (note that the source port or destination port is not distinguished here)

Of course, we can also specify the source port or destination port

(example 4) tcpdump – I eth0 SRC port 80 and DST port 6100 – grabs packets with source port 80 and destination port 6100 on Ethernet port eth0

(example 5) tcpdump – I eth0 ICMP — grabs all ICMP packets on eth0

The above examples can roughly reflect the basic usage of tcpdump.

In fact, tcpdump mainly includes three types of keywords. The first is about the type of keywords, mainly including host, net and port. For example (1) (2) (3) above, the second is about the type of keywords

It is the key to determine the transmission direction, mainly including SRC, DST, SRC or DST, SRC and DST. These key words indicate the transmission direction, such as example (4) above. The third is protocol keywords, including FDDI, IP, ARP,

RARP, TCP, UDP, IMCP, etc., as shown in example (5) above.

In addition to these three types of keywords, there are other important keywords, such as gateway, broadcast, less and greater. There are also three kinds of logical operations. The non operations are ‘not’, ‘!’, and the operators are ‘and’, ‘& &’, and ‘,’

Or operators are ‘or’, ‘|’, these keywords can be combined to form a powerful combination condition to meet our needs.

Count HTTP requests with tcpdump
The statistics of HTTP requests here refers to the statistics of QPS (requests per second) and the top ten most visited URLs. Generally, when doing such statistics, we often use the website access log to make statistics. When we come to a strange server environment, we need to immediately count the top ten most visited URLs, To initially determine whether there is an attack, it is much easier to use tcpdump, because we don’t need to care where the website log is, and we don’t need to consider whether the website log is opened or not. We can directly use tcpdump to capture the current HTTP packet, and then further filter it, and we can get the statistics we want. This function has been integrated into ezhttp. The following is the rendering:
20151028102323743.png (571×593)

The statistical method is introduced below.
1. Capture 10 second packets.

Copy code

The code is as follows:

tcpdump -i eth0 tcp[20:2]=0x4745 or tcp[20:2]=0x504f -w /tmp/tcp.cap -s 512 2>&1 &
sleep 10
kill `ps aux | grep tcpdump | grep -v grep | awk ‘{print $2}’`

This command means to monitor network card eth0 and capture TCP. The 21-22 byte character is ge or Po, which means to match the data packet requested by get or post and write it to / tmp/ tcp.cap Documents.
2. At this time, we get the latest 10 second binary packet file. Our next step is to find the URL and host of get / post through the strings command.

Copy code

The code is as follows:

strings /tmp/tcp.cap | grep -E “GET /|POST /|Host:” | grep –no-group-separator -B 1 “Host:” | grep –no-group-separator -A 1 -E “GET /|POST /” | awk ‘{url=$2;getline;host=$2;printf (“%s\n”,host””url)}’ > url.txt

This command is the key of this article, displaying binary files through strings tcp.cap All printable characters are filtered out by grep and awk, and the URL (including domain name + URI) is written into a file url.txt .
3. At this time, we get all the access URLs for nearly 10 seconds, and the following statistics are easy to get, such as:
Statistical QPS:

Copy code

The code is as follows:

(( qps=$(wc -l /tmp/url.txt | cut -d’ ‘ -f 1) / 10 ))

Exclude static file statistics top 10 access URL:

Copy code

The code is as follows:

grep -v -i -E “\.(gif|png|jpg|jpeg|ico|js|swf|css)” /tmp/url.txt | sort | uniq -c | sort -nr | head -n 10