Table of contents
1. What is tcpdump?
2. Common parameters in tcpdump
1. Common options
2. Filter expressions
1. What is tcpdump?
tcpdump is a command-line packet capture and analysis tool for Linux and other Unix-like systems. It intercepts the packets passing through a network interface and prints a one-line summary of each (or a full decode with -v/-vv).
The name: tcp stands for Transmission Control Protocol, the transport-layer protocol, and dump means to write out. Despite the name, tcpdump captures every protocol on the link (UDP, ICMP, ARP and so on), not only TCP.
Graphical packet analysers on Windows: Wireshark and the Kelai network analysis system. All of these tools read raw frames from the network card.
Capturing with tcpdump on a server shows which clients have been talking to it, on which ports, and what the exchange looked like, which is why it is a first-line tool both for incident response and for debugging firewalls and services.
2. Common parameters in tcpdump
Running tcpdump with no arguments captures every packet the host sends or receives. Opening an interface for capture needs root or the CAP_NET_RAW capability.
With no -i option, tcpdump listens on the first configured non-loopback interface it finds, which is not necessarily the one you want: in the run below that was the docker0 bridge rather than ens33, which is why nothing was captured before Ctrl-C. The "capture size 262144 bytes" in the banner is the snapshot length, the maximum number of bytes saved per packet.
[root@nginx-kafka01 ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
tcpdump's options control how it captures and displays packets; the filter expression that follows them controls which packets are kept.
1. Common options
-i | Interface: capture on the named interface (-i any captures on all interfaces). |
-v, -vv | Verbose: print more protocol detail (TTL, IP id, checksums, DNS query contents). |
-e | Print the link-layer header, i.e. the source and destination MAC addresses, of each frame. |
-n, -nn | Do not resolve IP addresses to hostnames (-n) nor ports to service names (-nn). This avoids the reverse-DNS lookups that slow the capture down and themselves generate traffic. |
-w | Write the raw packets to a file instead of printing them; the file can be opened in Wireshark. |
-r | Read packets back from a file written with -w, applying the usual filters and display options. |
-c | Stop after the given number of packets have been captured. |
-s | Snapshot length: how many bytes of each packet to save (0 means the whole packet). |
The capture file name is free-form; .pcap is the conventional extension for a packet capture.
For example:
1. Capture all packets on the network interface ens33:
tcpdump -i ens33
[root@nginx-kafka01 ~]# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:48:51.599093 IP 192.168.2.130.55734 > : Flags [.], ack 141668, win 4103, length 0
21:48:51.599156 IP > 192.168.2.130.55734: Flags [P.], seq 141668:141928, ack 37, win 261, length 260
21:48:51.599274 IP > 192.168.2.130.55734: Flags [P.], seq 141928:142084, ack 37, win 261, length 156
21:48:51.605319 IP 192.168.2.130.55734 > : Flags [.], ack 142084, win 4101, length 0
21:48:51.605373 IP > 192.168.2.130.55734: Flags [P.], seq 142084:142240, ack 37, win 261, length 156
21:48:51.608121 IP > 192.168.2.130.55734: Flags [P.], seq 142240:142500, ack 37, win 261, length 260
^C^C
21:48:51.610340 ARP, Request who-has 192.168.2.104 tell gateway, length 46
1032 packets captured
1086 packets received by filter
2. Create a capture file (any suffix will do), capture only TCP packets on ens33 and write them to the file, then read the file back with -r. Note that -e and -vv only affect printing: with -w the raw packets are written unchanged, so give those display options when reading the file with -r.
[root@nginx-kafka01 shell]# touch
# -i ens33: capture on ens33; -e: show MAC addresses; -vv: full decode; tcp: keep only TCP; -w: write to the file
[root@nginx-kafka01 shell]# tcpdump -i ens33 -e -vv tcp -w
# -r: read the saved packets back from the file
[root@nginx-kafka01 shell]# tcpdump -r
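To show what -w actually writes and what -r reads back, here is an added Python example (not code from the page, and not part of tcpdump): it builds two ICMP echo requests from constructed addresses, writes them in the classic pcap format that tcpdump -w produces and Wireshark opens, then parses the file back and summarises each record the way tcpdump prints a ping.

```python
"""Write and read a capture file in the pcap format that `tcpdump -w` produces
and `tcpdump -r` / Wireshark read.  Added example, not code from the page;
all addresses and frame contents below are constructed for the demo."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1          # tcpdump's banner calls this "link-type EN10MB (Ethernet)"
SNAPLEN = 262144               # "capture size 262144 bytes" in the banner


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src_mac, dst_mac, src_ip, dst_ip, ident, seq, payload=b"x" * 56):
    """Ethernet/IPv4/ICMP echo request with a 56-byte payload, like `ping` on Linux."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload      # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,  # DF set
                     64, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + icmp


def write_pcap(path, frames, ts_base=1_600_000_000):
    """Global header, then a 16-byte record header in front of every frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", ts_base + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Return (ts_sec, src_mac, dst_mac, summary) per record, summary in tcpdump's style."""
    records = []
    with open(path, "rb") as f:
        magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a classic Ethernet pcap file")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            ts_sec, _ts_usec, incl_len, orig_len = struct.unpack("<IIII", hdr)
            frame = f.read(incl_len)
            dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
            if frame[12:14] != b"\x08\x00":
                records.append((ts_sec, src_mac, dst_mac, "non-IP frame"))
                continue
            ip = frame[14:34]
            if checksum(ip) != 0:                 # a valid header sums to zero; tcpdump -vv prints "(incorrect)" otherwise
                raise ValueError("bad IP header checksum")
            summary = f"IP {socket.inet_ntoa(ip[12:16])} > {socket.inet_ntoa(ip[16:20])}"
            if ip[9] == socket.IPPROTO_ICMP:
                itype, _code, _ck, ident, seq = struct.unpack("!BBHHH", frame[34:42])
                kind = {8: "echo request", 0: "echo reply"}.get(itype, f"type {itype}")
                summary += f": ICMP {kind}, id {ident}, seq {seq}, length {orig_len - 34}"
            records.append((ts_sec, src_mac, dst_mac, summary))
    return records


def demo_roundtrip():
    """Write two constructed echo requests to a temporary file and read them back."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        frames = [build_icmp_echo("00:0c:29:ae:89:5d", "00:0c:29:ea:ac:65",
                                  "192.168.2.43", "192.168.2.152", 13063, seq) for seq in (22, 23)]
        write_pcap(path, frames)
        return read_pcap(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for ts, smac, dmac, text in demo_roundtrip():
        print(ts, smac, ">", dmac, text)
```

A file written this way loads in Wireshark and in tcpdump -r; the "length 64" in the summary is the ICMP header plus the 56-byte payload, the same figure tcpdump prints for a default Linux ping.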
3. -i ens33: capture on ens33; -vv: full protocol decode. Two things in the output below are worth knowing. The "cksum ... (incorrect)" on the host's own outgoing TCP segments is normal when the network card does checksum offload: the checksum is filled in by the hardware after tcpdump has already seen the packet. The PTR? lines are reverse-DNS lookups that tcpdump itself issued to turn addresses into names; add -n or -nn to suppress them and keep the capture quiet.
[root@nginx-kafka01 /]# tcpdump -vv -i ens33
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:26:53.664261 IP (tos 0x10, ttl 64, id 32581, offset 0, flags [DF], proto TCP (6), length 164)
> 192.168.2.130.60716: Flags [P.], cksum 0x8701 (incorrect -> 0xc90f), seq 1310010851:1310010975, ack 1763474695, win 284, length 124
22:26:53.664807 IP (tos 0x0, ttl 64, id 22115, offset 0, flags [DF], proto UDP (17), length 72)
nginx-kafka01.53273 > public1.: [bad udp cksum 0xa86a -> 0xc47a!] 235+ PTR? 130.2.168.. (44)
22:26:53.664962 IP (tos 0x10, ttl 64, id 32582, offset 0, flags [DF], proto TCP (6), length 172)
> 192.168.2.130.60716: Flags [P.], cksum 0x8709 (incorrect -> 0xbf23), seq 124:256, ack 1, win 284, length 132
22:26:53.665071 IP (tos 0x0, ttl 128, id 62460, offset 0, flags [DF], proto TCP (6), length 40)
192.168.2.130.60716 > : Flags [.], cksum 0xc900 (correct), seq 1, ack 256, win 4106, length 0
22:26:53.689765 IP (tos 0x0, ttl 152, id 0, offset 0, flags [none], proto UDP (17), length 149)
public1. > nginx-kafka01.53273: [udp sum ok] 235 NXDomain q: PTR? 130.2.168.. 0/1/0 ns: 168.. SOA . . 1 604800 60 604800 604800 (121)
22:26:53.691101 IP (tos 0x0, ttl 64, id 22121, offset 0, flags [DF], proto UDP (17), length 74)
4. As above, with -e added to print the source and destination MAC address of every frame:
tcpdump -i ens33 -vv -e
[root@nginx-kafka01 ~]# tcpdump -i ens33 -vv -e
2. Filter expressions
The filter expression follows the options. It is built from qualifiers of the following kinds, combined with operators:
host | match packets by IP address (either direction) |
port | match packets by TCP/UDP port (either direction) |
net | match packets by network, e.g. net 192.168.0.0/24 |
tcp, udp, icmp, ip, arp, rarp, ether ... | match packets by protocol |
icmp | the protocol used by ping; icmp on its own shows echo requests and replies |
ether src / ether dst / ether host | match by MAC address: source, destination, or either |
Direction qualifiers narrow host, net and port: src host, dst host, src port, dst port, src net, dst net. Without src or dst the qualifier matches either end of the packet.
Conditions are combined with the operators and, or and not; and binds tighter than or, and parentheses group (quote the whole expression for the shell when it contains parentheses).
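To make the matching rules concrete, here is an added Python example. It is not from the page and it is not how tcpdump works internally (tcpdump compiles the expression into a BPF program that the kernel runs); it parses the subset of the filter syntax used on this page and applies the same rules to a handful of constructed packet records with invented addresses. It shows that host matches either direction, src and dst narrow it, net uses the prefix mask, port applies only to TCP/UDP, ether looks at the MAC header, and and binds tighter than or.

```python
"""Evaluate tcpdump-style filter expressions over packet records.
Added example; tcpdump itself compiles the expression to BPF and the kernel
runs it, this only reproduces the matching rules on constructed data."""
import ipaddress
import re

# Constructed sample traffic (invented addresses resembling the captures on this page).
PACKETS = [
    dict(ether_src="00:0c:29:ae:89:5d", ether_dst="00:0c:29:ea:ac:65", proto="icmp",
         src="192.168.2.43", dst="192.168.2.152"),                                  # 0 ping request
    dict(ether_src="00:0c:29:ea:ac:65", ether_dst="00:0c:29:ae:89:5d", proto="icmp",
         src="192.168.2.152", dst="192.168.2.43"),                                  # 1 ping reply
    dict(ether_src="00:0c:29:ae:89:5d", ether_dst="00:0c:29:ea:ac:65", proto="tcp",
         src="192.168.0.1", dst="192.168.2.152", sport=51234, dport=80),            # 2 HTTP request
    dict(ether_src="00:0c:29:ea:ac:65", ether_dst="00:0c:29:ae:89:5d", proto="tcp",
         src="192.168.2.152", dst="192.168.0.1", sport=80, dport=51234),            # 3 HTTP reply
    dict(ether_src="00:50:56:c0:00:08", ether_dst="ff:ff:ff:ff:ff:ff", proto="arp",
         src="192.168.2.1", dst="192.168.2.129"),   # 4 ARP who-has; sender/target IPs come from the ARP body
    dict(ether_src="00:0c:29:ae:89:5d", ether_dst="00:0c:29:ea:ac:65", proto="udp",
         src="192.168.2.43", dst="192.168.2.152", sport=53273, dport=53),           # 5 DNS query
]


def _primitive(tokens, pos):
    """Compile one primitive at tokens[pos]; return (predicate, next position)."""
    tok = tokens[pos]
    if tok in ("tcp", "udp", "icmp", "arp"):
        return (lambda p, t=tok: p["proto"] == t), pos + 1
    if tok == "ip":                                   # any packet carrying an IP header
        return (lambda p: p["proto"] != "arp"), pos + 1
    if tok == "ether":                                # link-layer (MAC) addresses
        fields = {"src": ("ether_src",), "dst": ("ether_dst",),
                  "host": ("ether_src", "ether_dst")}[tokens[pos + 1]]
        mac = tokens[pos + 2].lower()
        return (lambda p, f=fields, m=mac: any(p[k] == m for k in f)), pos + 3
    direction = "host"                                # no src/dst: match either end
    if tok in ("src", "dst"):
        direction, pos, tok = tok, pos + 1, tokens[pos + 1]
    value = tokens[pos + 1]
    ends = {"src": ("src",), "dst": ("dst",), "host": ("src", "dst")}[direction]
    if tok == "host":
        pred = lambda p, e=ends, v=value: any(p.get(k) == v for k in e)
    elif tok == "net":
        net = ipaddress.ip_network(value, strict=False)
        pred = lambda p, e=ends, n=net: any(p.get(k) and ipaddress.ip_address(p[k]) in n for k in e)
    elif tok == "port":                               # only meaningful for TCP/UDP
        port, keys = int(value), tuple("sport" if k == "src" else "dport" for k in ends)
        pred = lambda p, k=keys, n=port: p["proto"] in ("tcp", "udp") and any(p.get(f) == n for f in k)
    else:
        raise ValueError(f"unknown qualifier {tok!r}")
    return pred, pos + 2


def _factor(tokens, pos):                   # not binds tightest; parentheses group
    if tokens[pos] == "not":
        inner, pos = _factor(tokens, pos + 1)
        return (lambda p, f=inner: not f(p)), pos
    if tokens[pos] == "(":
        inner, pos = _expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ')'")
        return inner, pos + 1
    return _primitive(tokens, pos)


def _term(tokens, pos):                     # and binds tighter than or
    left, pos = _factor(tokens, pos)
    while pos < len(tokens) and tokens[pos] == "and":
        right, pos = _factor(tokens, pos + 1)
        left = lambda p, a=left, b=right: a(p) and b(p)
    return left, pos


def _expr(tokens, pos):
    left, pos = _term(tokens, pos)
    while pos < len(tokens) and tokens[pos] == "or":
        right, pos = _term(tokens, pos + 1)
        left = lambda p, a=left, b=right: a(p) or b(p)
    return left, pos


def compile_filter(expression):
    """Turn a filter string into a predicate over packet records."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression)
    pred, pos = _expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected tokens: {tokens[pos:]}")
    return pred


def apply_filter(expression, packets=PACKETS):
    """Indices of the packets that the expression keeps."""
    pred = compile_filter(expression)
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for expr in ("host 192.168.2.152", "icmp and src host 192.168.2.43", "port 80 and src net 192.168.0.0/24",
                 "tcp and src host 192.168.0.1 and dst port 80 and ether dst 00:0c:29:ea:ac:65", "icmp or arp"):
        print(f"{expr!r:82} -> {apply_filter(expr)}")
```

Running it prints the index list each expression keeps; "icmp or arp and port 80" keeps the two ICMP packets only, because the and is evaluated first, exactly as tcpdump would.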
1. Filter by host IP. Capture the packets sent to or from 192.168.2.152:
[root@nginx-kafka01 /]# tcpdump -i ens33 host 192.168.2.152
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:09:09.020981 IP > 192.168.2.130.60716: Flags [P.], seq 1528452:1528616, ack 181, win 284, length 164
22:09:09.021904 IP > 192.168.2.130.60716: Flags [P.], seq 1528616:1528884, ack 181, win 284, length 268
22:09:09.023833 IP 192.168.2.130.60716 > : Flags [.], ack 1528884, win 4102, length 0
22:09:09.023872 IP > 192.168.2.130.60716: Flags [P.], seq 1528884:1529048, ack 181, win 284, length 164
22:09:09.023879 IP 192.168.2.130.60716 > : Flags [P.], seq 181:217, ack 1528884, win 4102, length 36
^C
10889 packets captured
10889 packets received by filter
0 packets dropped by kernel
src host: match on the source IP address only
dst host: match on the destination IP address only
To see src host in action you need two machines: machine A pings, machine B captures.
Machine A is 192.168.2.43 and machine B is 192.168.2.152.
First, on machine A: ping 192.168.2.152.
Then, on machine B (192.168.2.152), capture ICMP whose source IP is 192.168.2.43. Only the echo requests appear; the replies have 192.168.2.152 as their source and are excluded by the filter.
[root@nginx-kafka01 shell]# tcpdump -i ens33 icmp and src host 192.168.2.43
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12:03:18.050672 IP 192.168.2.43 > nginx-kafka01: ICMP echo request, id 13063, seq 22, length 64
12:03:19.029060 IP 192.168.2.43 > nginx-kafka01: ICMP echo request, id 13063, seq 23, length 64
12:03:20.026979 IP 192.168.2.43 > nginx-kafka01: ICMP echo request, id 13063, seq 24, length 64
12:03:21.033853 IP 192.168.2.43 > nginx-kafka01: ICMP echo request, id 13063, seq 25, length 64
12:03:22.028979 IP 192.168.2.43 > nginx-kafka01: ICMP echo request, id 13063, seq 26, length 64
12:03:23.044427 IP 192.168.2.43 > nginx-kafka01: ICMP echo request, id 13063, seq 27, length 64
^C
6 packets captured
7 packets received by filter
0 packets dropped by kernel
2. port: src port, dst port
src port: match on the source port
dst port: match on the destination port
For example, capture the traffic involving port 80 on this machine. port 80 matches either end, so it also catches this host's own outbound connections to remote web servers; use dst port 80 to keep only traffic sent to the local web server.
[root@nginx-kafka01 /]# tcpdump -i ens33 port 80
3. net: network segment
Capture packets whose source IP is in 192.168.0.0/24 and that involve port 80 on this machine (dst port 80 would restrict it to traffic towards the local port 80):
[root@nginx-kafka01 /]# tcpdump -i ens33 port 80 and src net 192.168.0.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
4. ether: filter by MAC address
ether src 00:0c:29:ae:89:5d matches frames whose source MAC address is 00:0c:29:ae:89:5d; ether dst matches on the destination MAC.
ether filters on the link-layer header, which every Ethernet frame carries, so it works for frames that have no IP header as well (ARP, for example), and it pins the capture to a particular network card even when the IP address is assigned dynamically.
[root@nginx-kafka01 ~]# tcpdump -i ens33 ether src 00:0c:29:ae:89:5d
5. Capture the TCP packets whose source IP is 192.168.2.137 and whose destination is port 80 on this machine:
[root@nginx-kafka01 /]# tcpdump -i ens33 src host 192.168.2.137 and dst port 80 and tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
6. Capture on ens33 the TCP packets whose source IP is 192.168.0.1, destination port is 80 and destination MAC address is 00:0c:29:ea:ac:65. Because the requirement names the destination MAC, the qualifier must be ether dst, not ether src (a filter on the wrong direction simply matches nothing):
[root@nginx-kafka01 shell]# tcpdump -i ens33 -e -vv tcp and src host 192.168.0.1 and dst port 80 and ether dst 00:0c:29:ea:ac:65
[root@nginx-kafka01 ~]# tcpdump -i ens33 tcp and src host 192.168.0.1 and dst port 80 and ether dst 02:42:50:15:dc:29
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
1 packet received by filter
0 packets dropped by kernel
7. Capture the ping packets that 192.168.2.137 sends to this machine. Without -n the addresses are shown as hostnames (nginx-kafka03, nginx-kafka01), because tcpdump resolves them:
[root@nginx-kafka01 ~]# tcpdump -i ens33 icmp and src host 192.168.2.137
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:55:58.510368 IP nginx-kafka03 > nginx-kafka01: ICMP echo request, id 7518, seq 225, length 64
22:55:59.513581 IP nginx-kafka03 > nginx-kafka01: ICMP echo request, id 7518, seq 226, length 64
22:56:00.515075 IP nginx-kafka03 > nginx-kafka01: ICMP echo request, id 7518, seq 227, length 64
22:56:01.518040 IP nginx-kafka03 > nginx-kafka01: ICMP echo request, id 7518, seq 228, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
8. Capture the ICMP or ARP packets seen by this machine; -nn keeps the addresses numeric:
[root@nginx-kafka01 /]# tcpdump -nn -i ens33 icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:59:25.984345 ARP, Request who-has 192.168.2.129 tell 192.168.2.1, length 46
22:59:25.993326 IP 192.168.2.137 > 192.168.2.152: ICMP echo request, id 7518, seq 432, length 64
22:59:25.993363 IP 192.168.2.152 > 192.168.2.137: ICMP echo reply, id 7518, seq 432, length 64
22:59:26.290334 ARP, Request who-has 192.168.2.126 tell 192.168.2.1, length 46
22:59:26.995193 IP 192.168.2.137 > 192.168.2.152: ICMP echo request, id 7518, seq 433, length 64
22:59:26.995234 IP 192.168.2.152 > 192.168.2.137: ICMP echo reply, id 7518, seq 433, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
Reading the output, column by column (using the TCP lines above):
Column 1: timestamp, hours:minutes:seconds.microseconds (six digits after the point)
Column 2: the network-layer protocol, here IP (ARP frames print ARP instead)
Column 3: the sender's IP address, followed by a dot and the source port (shown as a service name such as ssh unless -nn is given)
Column 4: the arrow >, showing the direction of the packet
Column 5: the receiver's IP address and destination port
Column 6: a colon, separating the addresses from the protocol details
Column 7: the TCP details: Flags, seq (the byte range carried; tcpdump prints sequence numbers relative to the start of the connection once it has seen the SYN, absolute otherwise), ack (the next byte expected from the peer), win (the receive window) and length (payload bytes). [P.] means PSH and ACK are both set.
More flags: the TCP flag letters you will meet in tcpdump output:
[S]: SYN (start a connection)
[S.]: SYN and ACK (the second step of the handshake)
[P]: PSH (push data up to the application)
[F]: FIN (close the connection)
[R]: RST (reset the connection)
[U]: URG, [E]: ECE, [W]: CWR (rarer; urgent data and congestion signalling)
[.]: none of the above is set; the segment carries only ACK (a pure acknowledgement). A dot after another letter, as in [P.] or [F.], means ACK is set together with it.
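As an added example (Python, not part of the original page), the following parses tcpdump's one-line TCP output as printed with -nn into the columns described above, expands the flag letters, and runs a small check over constructed sample lines: a source that sends bare SYNs to several ports and gets RSTs back from most of them is a likely port scan. The sample lines are invented to resemble the captures on this page; a real capture would be fed in with tcpdump -nn -r file.pcap.

```python
"""Parse tcpdump's one-line TCP output (as printed with -nn) and flag a
simple port-scan pattern.  Added example, not part of the page; the sample
lines are constructed to resemble the captures above."""
import re
from collections import defaultdict

FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG",
              "E": "ECE", "W": "CWR", ".": "ACK"}   # "." = no other flag, i.e. a plain ACK

TCP_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>[\d:]+))?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[[^\]]*\])?, length (?P<length>\d+)$")

SAMPLE_LINES = [
    # a normal SSH session: handshake then data (constructed, -nn style)
    "22:09:08.100000 IP 192.168.2.130.60716 > 192.168.2.152.22: Flags [S], seq 1763474694, win 64240, options [mss 1460], length 0",
    "22:09:08.100200 IP 192.168.2.152.22 > 192.168.2.130.60716: Flags [S.], seq 1310010850, ack 1763474695, win 65160, options [mss 1460], length 0",
    "22:09:08.100400 IP 192.168.2.130.60716 > 192.168.2.152.22: Flags [.], ack 1, win 4106, length 0",
    "22:09:09.023879 IP 192.168.2.130.60716 > 192.168.2.152.22: Flags [P.], seq 181:217, ack 1528884, win 4102, length 36",
    # one host probing several ports: bare SYNs, RSTs back from the closed ones
    "22:10:01.000001 IP 192.168.2.200.40001 > 192.168.2.152.21: Flags [S], seq 100, win 1024, length 0",
    "22:10:01.000050 IP 192.168.2.152.21 > 192.168.2.200.40001: Flags [R.], seq 0, ack 101, win 0, length 0",
    "22:10:01.000101 IP 192.168.2.200.40002 > 192.168.2.152.23: Flags [S], seq 100, win 1024, length 0",
    "22:10:01.000150 IP 192.168.2.152.23 > 192.168.2.200.40002: Flags [R.], seq 0, ack 101, win 0, length 0",
    "22:10:01.000201 IP 192.168.2.200.40003 > 192.168.2.152.25: Flags [S], seq 100, win 1024, length 0",
    "22:10:01.000250 IP 192.168.2.152.25 > 192.168.2.200.40003: Flags [R.], seq 0, ack 101, win 0, length 0",
    "22:10:01.000301 IP 192.168.2.200.40004 > 192.168.2.152.80: Flags [S], seq 100, win 1024, length 0",
    "22:10:01.000350 IP 192.168.2.152.80 > 192.168.2.200.40004: Flags [S.], seq 500, ack 101, win 65160, options [mss 1460], length 0",
    "22:10:01.000401 IP 192.168.2.200.40005 > 192.168.2.152.3306: Flags [S], seq 100, win 1024, length 0",
    "22:10:01.000450 IP 192.168.2.152.3306 > 192.168.2.200.40005: Flags [R.], seq 0, ack 101, win 0, length 0",
]


def parse_tcp_line(line):
    """Split one tcpdump TCP line into its columns; None for lines that are not TCP."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "win", "length"):
        rec[key] = int(rec[key])
    rec["ack"] = int(rec["ack"]) if rec["ack"] is not None else None
    rec["flag_names"] = [FLAG_NAMES.get(c, c) for c in rec["flags"]]
    return rec


def syn_scan_suspects(lines, min_ports=3):
    """Sources that sent bare SYNs to several ports and got RSTs back from at least min_ports of them."""
    syn_ports = defaultdict(set)          # initiator -> ports it sent a SYN to
    rst_ports = defaultdict(set)          # initiator -> ports that answered with RST (closed)
    for line in lines:
        rec = parse_tcp_line(line)
        if rec is None:
            continue
        if rec["flags"] == "S":                     # SYN only: a new connection attempt
            syn_ports[rec["src"]].add(rec["dport"])
        elif "R" in rec["flags"]:                   # RST sent back to the initiator
            rst_ports[rec["dst"]].add(rec["sport"])
    return {src: sorted(ports) for src, ports in syn_ports.items()
            if len(ports & rst_ports[src]) >= min_ports}


if __name__ == "__main__":
    for line in SAMPLE_LINES[:4]:
        rec = parse_tcp_line(line)
        print(rec["src"], rec["sport"], "->", rec["dst"], rec["dport"], rec["flag_names"])
    print("possible SYN scan:", syn_scan_suspects(SAMPLE_LINES))
```

The regular expression only understands numeric output; run tcpdump with -nn before feeding it lines, otherwise service names such as ssh appear where the port number is expected and the line is skipped. Lines for ARP, ICMP or UDP are returned as None rather than mis-parsed.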