Viewing the original packet using tcpdump

Time:2021-9-22

Although tools like Snort do a great job filtering all the content coming through our network, sometimes you have to look at the raw data. Our best tool for this is tcpdump.

The most basic way to use tcpdump is to simply issue the following command:

tcpdump

You can use the -v option for more detail, and -vv for still more.

Useful options

Suppose you are logged on to the remote computer you want to manage. If you run “tcpdump” without any options, the output will be flooded with packets from your SSH connection. To avoid this, simply remove port 22 from the output:

tcpdump not port 22

You can use many different ports to do this:

tcpdump not port 143 and not port 25 and not port 22

If you want to do the opposite, that is, monitor only one port (which is very useful for debugging network applications), you can do the following:

tcpdump port 143

You can also get data from specific hosts on the network:

tcpdump host hal9000

If your computer has more than one network interface, you can also specify the network interface to listen to:

tcpdump -i eth1

You can also specify a protocol:

tcpdump udp

You can find the list of protocol names in /etc/protocols.

Save the output for later use

In some cases, you may want to redirect the output to a file so that you can study it in detail later or use another program to parse the output. In the following example, you can still view the output while saving it to a file:

tcpdump -l | tee tcpdump_`date +%Y%m%d-%H.%M`

In the above example, we can use the date and time to identify each dump. This may come in handy when dealing with problems that arise at a specific time of the day.

Tcpdump can also write its output in binary format for later reading. To create a binary file:

tcpdump -w tcpdump_raw_`date +%Y%m%d-%H.%M`

Later, you can have tcpdump read the file back with the following command:

tcpdump -r tcpdump_raw_YYYYMMDD-HH.MM

You can also open the raw dump with the ethereal program (now called Wireshark) to interpret it.

Tcpdump provides us with information about all packets going to and from the network.
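The following shell script is an added example, not code from the article: it builds the kind of filter expressions and dump file names discussed in the two sections above. It assumes the SSH_CONNECTION variable that sshd sets ("client_ip client_port server_ip server_port"), and it excludes only your own SSH session rather than all of port 22, so any other SSH traffic to or from the machine stays visible in the capture.

```shell
#!/bin/sh
# Added example (not from the article): hide only your own SSH session instead
# of all of port 22, validate a port list before it goes into the filter, and
# name dump files with zero-padded timestamps so the name never contains spaces.
# Assumes sshd's SSH_CONNECTION: "client_ip client_port server_ip server_port".

# session_filter: BPF expression that excludes just the current SSH session, so
# unexpected SSH connections from elsewhere still show up in the capture.
# Falls back to the article's "not port 22" when not logged in over SSH.
session_filter() {
    set -- ${SSH_CONNECTION:-}   # unquoted on purpose: split into 4 fields
    if [ $# -eq 4 ]; then
        echo "not (host $1 and tcp port $2)"
    else
        echo "not tcp port 22"
    fi
}

# exclude_ports 143 25 22 -> "not port 143 and not port 25 and not port 22"
# Rejects anything that is not a number, so a typo cannot turn into a filter
# that tcpdump quietly interprets as something else.
exclude_ports() {
    expr=""
    for p in "$@"; do
        case "$p" in
            ""|*[!0-9]*) echo "exclude_ports: bad port '$p'" >&2; return 1 ;;
        esac
        expr="${expr:+$expr and }not port $p"
    done
    echo "$expr"
}

# dump_name <prefix>: prefix_YYYYMMDD-HH.MM. date's %e and %k pad with spaces,
# so an unquoted `date +%Y%m%e-%k.%M` on the 2nd of the month at 09:05 gives
# "202109 2- 9.05" and the file name splits into three arguments.
dump_name() {
    printf '%s_%s' "$1" "$(date +%Y%m%d-%H.%M)"
}

# capture <iface> [extra filter words...]: binary dump for a later `tcpdump -r`.
# Needs root and is not exercised by the tests; e.g.  capture eth1 and not port 25
capture() {
    iface=$1; shift
    tcpdump -i "$iface" -w "$(dump_name tcpdump_raw)" "$(session_filter)" "$@"
}
```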

Using ethereal with tcpdump

Ethereal is a tool that can also capture network packets. After installing it, you can open the raw dump file you made.

It's quite easy to see what's happening: you can see the source and destination IP addresses and what type of packet it is. From there you can troubleshoot network problems you run into and analyse suspicious behaviour. As an anecdote, while I was writing this lesson and interpreting my dump, I noticed some strange activity on my personal workstation: it was querying port 32772 on different machines around the world at almost regular intervals. I ran a dedicated dump for port 32772, as follows:

tcpdump port 32772 -w dump_32772

Read raw output

As you can see, even the so-called “human readable” output from tcpdump can be a bit cryptic. Look at the following example, a packet picked at random from the dump:

17:26:22.924493 IP www.linux.org.www > test.linux.org.34365: P 2845:3739(894) ack 1624 win 9648

What we have here is traffic between the https://www.linux.org/ web server and a requesting host. After the timestamp, notice the .www at the end of the host name (port 80). The packet is sent to port 34365 of the requesting host test.linux.org. “P” stands for the TCP “push” flag, meaning the data should be delivered immediately. In 2845:3739(894), 2845 is the sequence number of the first octet in the packet, 3739 is the sequence number of the last byte sent plus 1, and 894 is the length of the data carried by the packet. “ack 1624” is the TCP acknowledgement: the data so far has been received and the next expected sequence number is 1624. After that, “win 9648” tells us the sending host is prepared to accept a window of 9648 octets. This is followed by a timestamp.

Now, if you find that difficult to interpret, use the -x option, which includes the packet content as hexadecimal in the output (the example below also shows the ASCII column, which the -X option adds).

18:12:45.149977 IP www.linux.org.www > test.linux.org.34536: . 1:1449(1448) ack 487 win 6432
        0x0000:  4500 05dc 6a81 4000 4006 493b c0a8 0006  E...j.@.@.I;....
        0x0010:  c0a8 0009 0050 86e8 8fa4 1d47 1c33 e3af  .....P.....G.3..
        0x0020:  8010 1920 b4d9 0000 0101 080a 13a0 7a77  ..............zw
        0x0030:  019e 5f14 4854 5450 2f31 2e31 2032 3030  .._.HTTP/1.1.200
        0x0040:  204f 4b0d 0a44 6174 653a 2054 6875 2c20  .OK..Date:.Thu,.
        0x0050:  3135

From the output we can tell that this is HTTP traffic (the ASCII column shows HTTP/1.1 200 OK). The rest is not human readable, but it is easy to see that it is a legitimate packet. Another advantage of this format is that even if we cannot fully interpret what the packet is doing, we can hand it to someone who can. Finally, this is the raw data as transmitted over the network, without any filtering.
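As an added example that is not part of the article, the shell script below decodes the IPv4 and TCP headers from the hex lines above and cross-checks them against the one-line summary: addresses, ports, flags, window, and the payload length that the (1448) in the summary reports. The hex bytes are copied from the sample packet; everything else is assumed here.

```shell
#!/bin/sh
# Added example (not the article's code): decode the IPv4 and TCP headers from
# the hex lines of the `tcpdump -x` output above and cross-check them with the
# one-line summary. SAMPLE_HEX is copied from the packet shown above.
SAMPLE_HEX='0x0000:  4500 05dc 6a81 4000 4006 493b c0a8 0006
0x0010:  c0a8 0009 0050 86e8 8fa4 1d47 1c33 e3af
0x0020:  8010 1920 b4d9 0000 0101 080a 13a0 7a77'

# hex_stream: drop the "0x0010:" offsets and whitespace -> one hex string.
hex_stream() { printf '%s\n' "$SAMPLE_HEX" | sed 's/^0x[0-9a-f]*: *//' | tr -d ' \n'; }

# hexval <hex> <first char, 1-based> <count>: decimal value of that slice.
hexval() {
    v=$(printf '%s' "$1" | cut -c "$2-$(( $2 + $3 - 1 ))")
    echo $((0x$v))
}

# ipv4 <hex> <first char>: dotted quad from the four bytes at that position.
ipv4() {
    printf '%d.%d.%d.%d' "$(hexval "$1" "$2" 2)" "$(hexval "$1" $(( $2 + 2 )) 2)" \
        "$(hexval "$1" $(( $2 + 4 )) 2)" "$(hexval "$1" $(( $2 + 6 )) 2)"
}

# decode <hex>: key=value lines for the fields a triager looks at first.
# Two hex characters per byte, so byte n starts at character 2n+1.
decode() {
    h=$1
    ihl=$(( $(hexval "$h" 2 1) * 4 ))            # IHL nibble * 4 = IP header bytes
    total=$(hexval "$h" 5 4)                      # IP bytes 2-3: total length (0x05dc)
    t=$(( ihl * 2 + 1 ))                          # first char of the TCP header
    thl=$(( $(hexval "$h" $(( t + 24 )) 1) * 4 )) # TCP data-offset nibble * 4
    echo "ip_version=$(hexval "$h" 1 1)"
    echo "ip_total_len=$total"
    echo "ip_proto=$(hexval "$h" 19 2)"           # IP byte 9: 6 = TCP
    echo "src=$(ipv4 "$h" 25)"                    # IP bytes 12-15
    echo "dst=$(ipv4 "$h" 33)"                    # IP bytes 16-19
    echo "sport=$(hexval "$h" "$t" 4)"            # TCP bytes 0-1 (80 = www)
    echo "dport=$(hexval "$h" $(( t + 4 )) 4)"    # TCP bytes 2-3 (34536 above)
    echo "flags=$(hexval "$h" $(( t + 26 )) 2)"   # TCP byte 13: 0x10 = ACK only, the "."
    echo "win=$(hexval "$h" $(( t + 28 )) 4)"     # TCP bytes 14-15 ("win 6432")
    echo "payload_len=$(( total - ihl - thl ))"   # 1500 - 20 - 32 = the (1448) above
}

# field <key>: one decoded value from the sample, e.g.  field dport  -> 34536
field() { decode "$(hex_stream)" | sed -n "s/^$1=//p"; }
```

To apply it to your own -x output, replace SAMPLE_HEX with the first three hex lines of the packet; the payload length it derives should equal the number in parentheses on the summary line.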

The above is what Liangxu tutorial network shared on using tcpdump to view raw packets. To learn more about Linux, follow the official account “Good Linux”.