Of Stack

Linux basic learning using tcpdump capture package example code

  • 2020-06-23 02:37:59
  • OfStack

Introduction to the

Most of the time, our system is deployed on Linux system. In some cases, the positioning problem requires checking whether the data packets sent between different systems are normal. Now I will briefly explain how to use tcpdump to capture packets

Network packet interception analysis tool. Supports filtering for the network layer, protocol, host, network, or port. and, or, not and other logical statements are provided to help remove unwanted information. 


tcpdump - dump traffic on a network

tcpdump command format

There are many parameters of tcpdump. You can check the detailed description of tcpdump through man tcpdump. Here, just list some common parameters: 


tcpdump [-i  The network card ] -nnAX ' expression '

The parameters are explained as follows:

-i: The nic on which interface listens. -ES27en: Indicates that the source and destination hosts are displayed as ip and port instead of hostname and service. -ES30en: displays packets as ascii, useful for fetching web data. -ES33en: Packets will be displayed in hex and ascii. Expression: There are many expressions, common are: host host; port port; src host subcontracting host; dst host packet host. Multiple conditions can be combined with and, or, reverse can be used! For more use, see man 7 pcap-ES45en.

example

No parameters are specified

Listen for packets passing through the first network card. There may be more than one network card on the host, so you often need to specify a network card. 


tcpdump

Listen for specific network CARDS 


tcpdump -i en0

Listen for specific hosts

Example: Monitor the communication packet between the machine and host 182.254.38.55.

Note: incoming and outgoing packets will be monitored. 


tcpdump host 182.254.38.55

Communication at a specific source or destination address

A particular source 


tcpdump src host hostname

Specific destination address 


tcpdump dst host hostname

If src and dst are not specified, communications from the source or target are monitored 


tcpdump host hostname

A specific port 


tcpdump port 3000

Monitor TCP/UDP

Different services on the server use TCP and UDP as the transport layer, if you only want to listen to TCP packets 


tcpdump tcp

Source host + port +TCP

Listen for TCP packets coming from host 123.207.116.169 on port 22 


tcpdump [-i  The network card ] -nnAX ' expression '
0

Listens for communication between specific hosts 


tcpdump [-i  The network card ] -nnAX ' expression '
1

210.27.48.1 Communication between hosts other than 210.27.48.2 


tcpdump [-i  The network card ] -nnAX ' expression '
2

A slightly more detailed example 


tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

(1)tcp: ip icmp arp rarp and tcp, udp, icmp are placed in the first parameter to filter the datagram type

(2) -ES128en eth1: only catch packets passing through the interface eth1

(3) -ES134en: No time stamp is displayed

(4)-s 0: The default fetching length is 68 bytes. Add -S 0 to catch the complete packet

(5)-c 100: only 100 packets are captured

(6) dst port! 22: Does not grab packets whose destination port is 22

(7)src net 192.168.1.0/24: The packet's source network address is 192.168.1.0/24

(8) -ES157en./target.cap: Save as cap file for easy analysis with ethereal(wireshark)

Catch http package

TODO

Limit the number of clutches

Below, after 1000 bags are caught, automatic exit 


tcpdump [-i  The network card ] -nnAX ' expression '
4

Save locally

Note: BY default, tcpdump writes output to the buffer. Output will only be written to the local disk if the buffer reaches a certain size or tcpdump exits 


tcpdump [-i  The network card ] -nnAX ' expression '
5

You can also add -ES187en to force immediate writing to local disk (1 is generally not recommended, relatively poor performance)

Practical example

Let's start with a common deployment, nodejs server deployed on the server, listening on port 3000. The nginx reverse agent listens on port 80 and forwards the request to nodejs server (127.0.0.1:3000).

The browser - > nginx reverse proxy - > nodejs server

Question: Suppose the user (183.14.132.117) accesses the browser and finds that the request does not return, how should we check?

Step 1: See if the request arrived at nodejs server - > Can be viewed through the log.

Step 2: See if nginx forwards the request to nodejs server. 


tcpdump [-i  The network card ] -nnAX ' expression '
6

At this point you will find that there is no output even though nodejs server has received the request. Because nginx forwards to the address 127.0.0.1, instead of the default interface, the specified interface needs to be displayed 


tcpdump [-i  The network card ] -nnAX ' expression '
7

Note: Configure nginx to take nginx with host on the request side, otherwise nodejs server cannot get src host, that is, the following listening is invalid, as src host is 127.0.0.1 for nodejs server 


tcpdump port 8383 -i lo and src host 183.14.132.117

Step 3: See if the request reached the server 


tcpdump [-i  The network card ] -nnAX ' expression '
9

conclusion

Related articles: