Text / Yang Peng
As a network server, in particular as a router and gateway, the data is essential. So, today we will take a look at the powerful network data acquisition and analysis tool in Linux - Tcpdump.
As the name suggests, TCPDUMP can provide an analysis of the "head" "head" of the packet transmitted in the network. It supports filtering for network layers, protocols, hosts, networks, or ports, and provides logical statements such as andLogical statements such as AND, OR, NOT to help you remove useless information.
Like other software in the Linux terminal, TCPDUMP is also based on parameters, which will be described in conjunction with examples.
Data filtering
TCPDUMP without any parameters will search all the network interfaces in the system, and display all of the data it intercepted, which do not necessarily all need, and the data is too much not to analyze. So, we should first think of which data is needed, TCPDUMP provides the following parameters to choose data:
-b Select protocol on the data-link layer, including IP, ARP, RARP, and IPX are of this layer.
For example: Tcpdump -b ARP will only display ARP, address translation protocol information in the network.
-i Select a filtering network interface. If there is at least two network interfaces as the router, through this option, you can only filter the data passed on the specified interface. E.g:
Tcpdump -i ETH0 shows only all headers on the Eth0 interface.
SRC, DST, Port, Host, Net, Ether, Gateway These options include additional options such as SRC, DST, Port, Host, Net, EHOST. They used to resolve the source and go of packets, SRC Host 192.168.0.1 Specify the source host IP address is 192.168.0.1, DST NET 192.168.0.0.04 Specified target is Network 192.168.0.0. With this type, Host is related to its designated host whether it is a source or purpose, NET is related to its specified network, and the Ether is not an IP address but is a physical address, while Gateway is used for gateway hosts. It may be a bit complicated, see the examples below know:
TCPDUMP SRC HOST 192.168.0.1 and Dst Net 192.168.0.0/24
Filtering is a header of 192.168.0.1 and a destination network as 192.168.0.0.
Tcpdump Ether SRC 00: 50: 04: BA: 9B and DST ......
Filter source host physical address is a header of XXX (whose Ether SRC does not have a host or NET? The physical address is of course impossible to have a network).
TCPDUMP SRC HOST 192.168.0.1 And Dst Port Not Telnet
Filter Source Host 192.168.0.1 and destination ports are not telnet's headers.
IP ICMP ARP RARP and TCP, UDP, ICMP These options, etc., all of them are placed in the position of the first parameter, used to filter the type of datagram. E.g:
TCPDUMP IP SRC ...
Only filter data - IP headers on the link layer.
TCPDUMP UDP AND SRC HOST 192.168.0.1
Only all UDP headers of the source 192.168.0.1.
Data display / input output
TCPDUMP provides enough parameters to make us choose how to handle the data, as shown below:
-L can redirect data.
Such as tcpdump -l> tcpcap.txt stores the obtained data into the TCPCap.txt file.
-n does not perform the conversion of the IP address to the host name.
If this is not used, when there is a host name in the system, Tcpdump converts the IP address to the host name, just like this: eth0
The above information becomes: Eth0
-N does not print the default domain name.
Still this information - N is: eth0
-O does not perform the optimization of matching code.
-t does not print the UNIX timestamp, that is, does not display time.
-TT prints the original, unformatted time.
-v detailed output, it is more than a TTL and service type than ordinary.
Ok, I said so much, is it very good for TCPDUMP? It still has a lot of functions to be limited to one level, and read more "help" will have a big gain, which is also a shortcut to enter the world of Linux.
full text:
Sidi Net