tcpdump is driven from the command line; its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
[-i interface] [-r file] [-s snaplen]
[-T type] [-w file] [expression]
1. tcpdump option introduction
-a converts network addresses and broadcast addresses into names;
-d prints the code of the packet-matching filter in an assembly-like format that people can read;
-dd prints the code of the packet-matching filter as a C language code fragment;
-ddd prints the code of the packet-matching filter in decimal form;
-e prints the data link layer header information on each output line;
-f prints foreign (external) Internet addresses numerically;
-l makes standard output line buffered;
-n does not convert network addresses into names;
-t does not print a timestamp on each output line;
-v outputs slightly more detailed information, such as the TTL and type of service fields of an IP packet;
-vv outputs detailed packet information;
-c stops tcpdump after the specified number of packets has been received;
-F reads the expression from the specified file and ignores any other expression;
-i specifies the network interface to listen on;
-r reads packets from the specified file (such files are normally produced with the -w option);
-w writes the packets directly to a file without analysing or printing them;
-T interprets the captured packets directly as messages of the specified type; common types are rpc (remote procedure call) and snmp (simple network management protocol).
2. tcpdump expression introduction
The expression is a regular expression; tcpdump uses it as the condition for filtering packets: if a packet satisfies the expression, that packet is captured. If no condition is given, all packets on the network are intercepted.
The expression generally uses three kinds of keywords. The first kind concerns the type, mainly host, net and port. For example, host 210.27.48.2 states that 210.27.48.2 is a host, net 202.0.0.0 states that 202.0.0.0 is a network address, and port 23 states that the port number is 23. If no type is specified, the default type is host.
The second kind determines the direction of transfer, mainly src, dst, dst or src, and dst and src; these keywords state the direction of transmission. For example, src 210.27.48.2 states that the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 states that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.
The third kind is the protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and others. fddi denotes a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in fact it is an alias of ether, since FDDI and Ethernet frames carry similar source and destination addresses, so fddi packets can be processed and analysed just like ether packets. The other keywords name the protocol to listen for. If no protocol is specified, tcpdump listens for all protocols.
Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, plus the three logical operations: negation is not or !, conjunction is and or &&, and disjunction is or or ||.
These keywords can be combined into powerful expressions that meet one's needs; several examples are described below.
(1) To capture all packets received and sent by host 210.27.48.1:
#tcpdump host 210.27.48.1
(2) To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command: (when parentheses are used on the command line, you must
#tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3 \)
(3) To get the IP packets exchanged between host 210.27.48.1 and every host other than 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To get the Telnet packets received or sent by host 210.27.48.1, use the following command:
#tcpdump tcp port 23 host 210.27.48.1
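The keyword rules above (default type host, default direction src or dst, protocol keywords, not/and/or with their !, &&, || spellings, parentheses, and juxtaposition as an implicit and) can be checked against a packet record; the evaluator below is an added example, not tcpdump or libpcap code, and works on a simplified packet dict of my own (numeric addresses only, a net without a prefix length being read as its leading non-zero octets), so it models the semantics the text describes rather than tcpdump's real filter compiler. Pass the expression without the shell backslashes, e.g. matches("host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)", SAMPLE).

```python
import re
from ipaddress import ip_address, ip_network
# Assumed packet model: only the fields the page's keywords refer to (not tcpdump's own API).
PROTOS = {"ip": {"ip", "tcp", "udp"}, "tcp": {"tcp"}, "udp": {"udp"}, "arp": {"arp"}}
QUALS = {"host", "net", "port", "src", "dst"} | set(PROTOS)
TOKEN = re.compile(r"\(|\)|&&|\|\||!|[\w./:]+")
SAMPLE = {"src": "210.27.48.1", "dst": "210.27.48.2", "proto": "tcp", "srcport": 33357, "dstport": 23}  # constructed
def in_net(addr, net):  # "net 202.0.0.0" with no prefix length: the leading non-zero octets are the network
    bits = 8 * len(re.sub(r"(\.0)+$", "", net.split("/")[0]).split("."))
    return ip_address(addr) in ip_network(net if "/" in net else f"{net}/{bits}")
def matches(expr, pkt):  # evaluate a filter built from the page's keywords against one packet dict
    toks = TOKEN.findall(expr.lower())
    peek = lambda: toks[0] if toks else None
    def prim():  # [src|dst] [host|net|port] value, or a bare protocol keyword
        quals = []
        while peek() in QUALS:
            quals.append(toks.pop(0))
        proto_ok = all(pkt["proto"] in PROTOS[q] for q in quals if q in PROTOS)
        if peek() in (None, ")", "and", "&&", "or", "||"):  # plain "arp": no value follows
            return proto_ok
        value = toks.pop(0)
        dirs = [q for q in quals if q in ("src", "dst")] or ["src", "dst"]  # default: src or dst
        kind = next((q for q in quals if q in ("host", "net", "port")), "host")  # default: host
        if kind == "port":
            return proto_ok and any(pkt[d + "port"] == int(value) for d in dirs)
        same = (lambda a: in_net(a, value)) if kind == "net" else (lambda a: ip_address(a) == ip_address(value))
        return proto_ok and any(same(pkt[d]) for d in dirs)
    def factor():
        if peek() in ("not", "!"):
            toks.pop(0)
            return not factor()
        if peek() == "(":
            toks.pop(0)
            v, _ = expr_(), toks.pop(0)  # the group, then its closing ")"
            return v
        return prim()
    def term():  # juxtaposition, as in "tcp port 23 host x", is an implicit "and"
        v = factor()
        while peek() not in (None, ")", "or", "||"):
            if peek() in ("and", "&&"):
                toks.pop(0)
            v = factor() and v
        return v
    def expr_():
        v = term()
        while peek() in ("or", "||"):
            toks.pop(0)
            v = term() or v
        return v
    return expr_()
```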
3. tcpdump output results
Below we introduce the output of several typical tcpdump commands.
(1) Data link layer header information
Use the command #tcpdump -e host ice
ice is a host running Linux; its MAC address is 0:90:27:58:af:1a.
h219 is a Sun workstation running Solaris; its MAC address is 8:0:20:79:5b:46. The output of the command above is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the time displayed, 847509 is the ID number, eth0 < indicates that the packet was received on network interface eth0 (eth0 > would indicate a packet sent out from the network interface device), 8:0:20:79:5b:46 is the MAC address of host h219, showing that the packet came from the source h219, and 0:90:27:58:af:1a is the MAC address of host ice, showing that the packet's destination is ice. ip indicates that the packet is an IP packet, 60 is the length of the packet, and h219.33357 > ice.telnet indicates that the packet was sent from port 33357 of host h219 to the Telnet (23) port of host ice. ack 22535 indicates a response to the packet with sequence number 222535. win 8760 indicates that the size of the send window is 8760.
(2) tcpdump output for ARP packets
Use the command #tcpdump arp
The output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 :1a)
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet was sent out from the host, arp indicates an ARP request packet, who-has route tell ice indicates that host ice is requesting the MAC address of host route, and 0:90:27:58:af:1a is the MAC address of host ice.
(3) Output for TCP packets
The general output for TCP packets captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst gives the source address and the destination address; flags is the flag information in the TCP packet: S is the SYN flag, F (FIN), P (PUSH), R (RST) and "." (no flag set); data-seqno is the sequence number of the data in the packet; ack is the sequence number expected next; window is the window size of the receive buffer; urgent indicates whether the packet carries an urgent pointer; options are the TCP options.
(4) Output for UDP packets
The general output for UDP packets captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple: the line above indicates a UDP packet sent from port port1 of host route to port port2 of host ice, the type is udp, and the length of the packet is length.
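The line formats in section 3 (the -e link-layer prefix, the arp who-has line, the TCP line and the UDP line) are regular enough to parse into records, which is how tcpdump text output usually feeds a detection script. The parser below is an added example, not tcpdump's own code; the sample lines are constructed in those formats, the record field names are my own, and the last function is one defender-side use of the records, listing Telnet connection setups since Telnet logins travel in clear text.

```python
import re
# Constructed sample lines in the formats section 3 describes (not a real capture).
SAMPLE = """\
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:43.118702 eth0 > route.1024 > ice.domain: udp 41
22:32:44.003311 eth0 < 210.27.48.2.1025 > 210.27.48.1.telnet: S 1000:1000(0) win 8760 (DF)
""".splitlines()
PREFIX = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) (?P<rest>.*)$")
LINK = re.compile(r"^(?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) (?P<type>\w+) (?P<len>\d+): (?P<rest>.*)$")
ARP = re.compile(r"^arp who-has (?P<target>\S+) tell (?P<sender>\S+)(?: \((?P<smac>[0-9a-f:]+)\))?$")
UDP = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): udp (?P<len>\d+)$")
TCP = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+) "
                 r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<dlen>\d+)\) )?(?:ack (?P<ack>\d+) )?win (?P<win>\d+)")

def endpoint(ep):  # "h219.33357" or "210.27.48.1.telnet" -> (host, port); rpartition keeps dotted IPs whole
    host, _, port = ep.rpartition(".")
    return host, port

def parse(line):  # one tcpdump text line -> dict, or None if the time/interface prefix is not recognised
    m = PREFIX.match(line)
    if not m:
        return None
    rec = {"time": m["time"], "iface": m["iface"], "dir": "out" if m["dir"] == ">" else "in"}
    rest = m["rest"]
    if lm := LINK.match(rest):  # -e output: the link-layer header precedes the IP summary
        rec.update(smac=lm["smac"], dmac=lm["dmac"], ethertype=lm["type"], frame_len=int(lm["len"]))
        rest = lm["rest"]
    if am := ARP.match(rest):
        rec.update(proto="arp", target=am["target"], sender=am["sender"], sender_mac=am["smac"])
    elif um := UDP.match(rest):
        (rec["src"], rec["sport"]), (rec["dst"], rec["dport"]) = endpoint(um["src"]), endpoint(um["dst"])
        rec.update(proto="udp", udp_len=int(um["len"]))
    elif tm := TCP.match(rest):
        (rec["src"], rec["sport"]), (rec["dst"], rec["dport"]) = endpoint(tm["src"]), endpoint(tm["dst"])
        rec.update(proto="tcp", flags=tm["flags"], win=int(tm["win"]),
                   seq=int(tm["seq"]) if tm["seq"] else None, ack=int(tm["ack"]) if tm["ack"] else None,
                   data_len=int(tm["dlen"]) if tm["dlen"] else 0)
    else:
        rec.update(proto="other", raw=rest)
    return rec

def cleartext_logins(lines):  # defender view: a SYN to the Telnet port means a clear-text login is starting
    return [(r["src"], r["dst"]) for r in map(parse, lines)
            if r and r.get("proto") == "tcp" and r["dport"] in ("telnet", "23") and r["flags"] == "S"]
```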