tcpdump command examples in Linux, in detail

  • 2021-01-06 00:49:30
  • OfStack

Preface

Defined in simple words, tcpdump does what its name says: it dumps the traffic on a network. It is a packet-analysis tool that intercepts packets on the network according to a filter the user defines. tcpdump can capture the complete headers of the packets sent over the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides and, or, not and other logical operators to help you discard the information you do not need.

Speaking of the tcpdump command, I have to mention my part in the development and rollout of the third-generation CRM system of China Mobile's Inner Mongolia branch. If I remember correctly it was 2016, when I was solely in charge of the overall transformation of the self-service channels of the 10086 customer-service system. During the stress-test phase there were persistent timeouts whenever the interface platform was called. Later the problem became more and more serious, and the Short Hall channel and the CBOSS channel reported it as well. At that point the problem caught the attention of the big boss, and various experts were consulted. In a large project of this kind, expert consultation has one characteristic: the experts direct and the junior staff do the work, and I was the junior staff at the time.

All right, the experts had spoken: capture packets first. That is how my packet-capturing work began, and with it my full understanding of tcpdump.

First of all, tcpdump is a very powerful command. Being powerful also means it is complicated to use, which in turn means there is a lot for me to tidy up. If you want to master the tcpdump command as a whole, you will need some patience to read the entire article. OK, let's go!

Introduction to the command

tcpdump is a powerful network packet-capture tool that runs on the Linux platform. Familiarity with tcpdump helps us analyze and debug network traffic. To use tcpdump well, however, you need some understanding of network packets (the TCP/IP protocol suite); for simple use, basic networking concepts are enough.

As a classic tool that every system administrator on the Internet needs, tcpdump, with its powerful functions and flexible capture strategies, has become one of the must-have tools for senior administrators analyzing networks and troubleshooting problems. In practice the command must be run with root privileges (or, equivalently, the CAP_NET_RAW capability for capturing and CAP_NET_ADMIN for putting an interface into promiscuous mode).

tcpdump is a very complex command. Understanding every aspect of it is difficult and not recommended; what matters is being able to use it to solve problems in daily work. So in what follows I start from actual work and organize the usages that come up most often in practice. Less common usages are mostly not covered here; if I need them at work in the future, I will update this article.

Command options

The following is a summary of the common tcpdump options.

-s number: sets the snapshot length, i.e. how many bytes of each packet are saved. Old versions of tcpdump captured only the first 68 or 96 bytes by default, so payloads were cut off; versions 4.0 and later default to 262144 bytes. Use -s 0 (or simply the modern default) to capture whole packets.
-n: do not resolve IP addresses to host names; -nn: additionally do not resolve port numbers to service names. netstat has the same options.
-X: display the packet contents in hex and ASCII.
-S: display absolute TCP sequence numbers instead of relative ones.
-i interface: specify the network interface to listen on; -i any listens on all interfaces (Linux only, and without promiscuous mode).
-v, -vv, -vvv: display progressively more detail.
-c number: stop after capturing number packets.
-w file: write the captured packets to a file instead of parsing and printing them.
-A: print the packet contents in ASCII only; do not combine it with -X.
For example, HTTP requests can be captured with sudo tcpdump -nSA port 80.

Although tcpdump has a large number of options, the ones above are the commonly used ones. I will focus on learning the tcpdump command through examples.

Filters

Before the detailed examples, some basic theory of tcpdump use is needed, starting with filters.

When network traffic on a server is abnormal, we are usually interested only in the packets related to a specific problem, and those useful packets are a small fraction of the total. To avoid drowning in a sea of packets, it is well worth studying the flexible and powerful filters that tcpdump provides.

Filter primitives are built from three kinds of qualifier: type, dir and proto.

type: says what kind of thing the value refers to. The main ones are host (packets of a host), net (packets of a network segment) and port (packets of a specified port). If no type is given, host is assumed.

dir: restricts the match to one side of the packet, src (source address or port) or dst (destination address or port). If no direction is given, either side matches, i.e. "src or dst".

proto: restricts the match to a protocol type; tcp, udp, icmp and others are supported. The protocol name is written on its own (no proto keyword is needed) and can stand alone as a complete filter:

tcpdump -i eth1 arp
tcpdump -i eth1 ip
tcpdump -i eth1 tcp
tcpdump -i eth1 udp
tcpdump -i eth1 icmp

These qualifiers are essential for using the tcpdump command.

Combining conditions

In the vastness of network traffic it is hard to find exactly the packets you want. The more conditions the capture command includes, the fewer irrelevant packets are caught, so several conditions can be combined with "and" (and, &&), "or" (or, ||) and "not" (not, !). Precedence is the usual one: not binds tightest, then and, then or; parentheses group conditions. Because &&, ||, ! and parentheses are also special to the shell, put the whole expression in single quotes when you use them. This is very useful when we need to analyze packets that satisfy several conditions at once.

Usage examples

Command: tcpdump -i eth1

Description: Capture packets on the specified network interface.

Command: tcpdump host 210.27.48.3

Description: Capture all packets received and sent by host 210.27.48.3.

Command: tcpdump 'host 210.27.48.4 and (210.27.48.5 or 210.27.48.6)'

Description: Capture all packets exchanged between host 210.27.48.4 and either host 210.27.48.5 or host 210.27.48.6. The expression is quoted so the shell does not interpret the parentheses; the bare addresses 210.27.48.5 and 210.27.48.6 inherit the host qualifier from the preceding primitive.

Command: tcpdump net 192.168.1.0/24

Description: Capture all packets on the 192.168.1.0/24 network.

Command: tcpdump -i eth0 src host 210.27.48.3

Description: Capture all packets on interface eth0 whose source address is 210.27.48.3.

Command: tcpdump -i eth0 dst host 210.27.48.3

Description: Capture all packets on interface eth0 whose destination address is 210.27.48.3.

Command: tcpdump tcp port 23 and host 210.27.48.3

Description: Capture all TCP packets to or from port 23 (telnet) that host 210.27.48.3 sends or receives.

Command: tcpdump udp port 123

Description: Capture all UDP packets on port 123 (NTP) sent or received by the local machine.

Command: tcpdump src host 10.126.1.222 and dst net 10.126.1.0/24

Description: Capture packets whose source address is 10.126.1.222 and whose destination address lies in the 10.126.1.0/24 network.
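To make the filter theory above (type, dir and proto qualifiers, and/or/not, qualifier inheritance) and the usage examples concrete, here is an added example that is not part of the original article and not libpcap's own filter compiler: a toy Python evaluator for the subset of the pcap-filter language the examples use. It parses the same expressions tcpdump accepts and applies them to packets represented as plain dicts constructed in the block, so it runs without root or a network interface. Two simplifications are assumptions of this toy: net values must be written in CIDR notation (tcpdump also accepts forms like net 128.3), and only IPv4 addresses are handled.

```python
import ipaddress
import re

# Added example (not from the article, not libpcap's own compiler): a toy evaluator for
# the pcap-filter subset the article uses. Packets are dicts constructed below, not captured.

PROTOS, DIRS, TYPES = {"ip", "arp", "tcp", "udp", "icmp"}, {"src", "dst"}, {"host", "net", "port"}
OPERATORS = {"and", "&&", "or", "||", "not", "!", "(", ")"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[\w./:-]+")
LEVELS = (("or", "||"), ("and", "&&"))          # precedence, lowest first: or < and < not


class Filter:
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0
        # pcap-filter applies the most recent qualifiers to a bare value, so
        # "host A and (B or C)" means "host A and (host B or host C)".
        self.last = (None, None, "host")
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        if self._peek() is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self, level=0):
        if level == len(LEVELS):
            if self._peek() in ("not", "!"):
                self._take()
                return ("not", self._expr(level))
            return self._primitive()
        node = self._expr(level + 1)
        while self._peek() in LEVELS[level]:
            self._take()
            node = (LEVELS[level][0], node, self._expr(level + 1))
        return node

    def _primitive(self):
        if self._peek() == "(":
            self._take()
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        proto = self._take() if self._peek() in PROTOS else None
        dir_ = self._take() if self._peek() in DIRS else None
        typ = self._take() if self._peek() in TYPES else None
        if self._peek() is None or self._peek() in OPERATORS:
            if proto and dir_ is None and typ is None:
                return ("prim", proto, None, None, None)   # bare "tcp", "arp", ...
            raise ValueError("qualifier without a value")
        value = self._take()
        if (proto, dir_, typ) == (None, None, None):
            proto, dir_, typ = self.last                   # bare value: inherit qualifiers
        elif typ is None:
            typ = "host"                                   # pcap-filter's default type
        self.last = (proto, dir_, typ)
        return ("prim", proto, dir_, typ, value)

    def matches(self, pkt, node=None):
        kind, *rest = node or self.ast
        if kind in ("and", "or"):
            results = [self.matches(pkt, child) for child in rest]
            return all(results) if kind == "and" else any(results)
        if kind == "not":
            return not self.matches(pkt, rest[0])
        proto, dir_, typ, value = rest
        ip_like = pkt["proto"] in ("tcp", "udp", "icmp")   # "ip" covers every IPv4 payload
        if proto is not None and not (ip_like if proto == "ip" else pkt["proto"] == proto):
            return False
        if value is None:                                  # bare protocol keyword
            return True
        sides = [dir_] if dir_ else ["src", "dst"]         # no direction means "src or dst"
        if typ == "port":
            return any(pkt.get("sport" if s == "src" else "dport") == int(value) for s in sides)
        addrs = [ipaddress.ip_address(pkt[s]) for s in sides]
        if typ == "host":
            return ipaddress.ip_address(value) in addrs
        return any(a in ipaddress.ip_network(value, strict=False) for a in addrs)  # net: CIDR only


PACKETS = [  # constructed sample traffic using addresses from the article's examples
    {"proto": "tcp", "src": "210.27.48.4", "dst": "210.27.48.5", "sport": 51000, "dport": 23},
    {"proto": "tcp", "src": "210.27.48.6", "dst": "210.27.48.4", "sport": 23, "dport": 51001},
    {"proto": "tcp", "src": "210.27.48.4", "dst": "210.27.48.7", "sport": 51002, "dport": 80},
    {"proto": "udp", "src": "10.126.1.222", "dst": "10.126.1.1", "sport": 123, "dport": 123},
    {"proto": "udp", "src": "10.126.1.222", "dst": "8.8.8.8", "sport": 40000, "dport": 53},
    {"proto": "arp", "src": "192.168.1.10", "dst": "192.168.1.1"},
]


def count_matches(expr, packets=PACKETS):
    return sum(1 for pkt in packets if Filter(expr).matches(pkt))
```

Running count_matches("host 210.27.48.4 and (210.27.48.5 or 210.27.48.6)") against the sample traffic matches the two conversations with 210.27.48.5 and 210.27.48.6 but not the one with 210.27.48.7, which is exactly how tcpdump reads the example above; count_matches("ip host 192.168.1.10") is 0 because the only 192.168.1.10 packet is ARP, illustrating why "ip" and "arp" are disjoint protocol keywords.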

Command: tcpdump -i eth0 -s0 -G 60 -Z root -w %Y_%m%d_%H%M_%S.pcap

Description: Rotate the output file at a fixed time interval. -G takes the interval in seconds, so the command above starts a new file every 60 seconds. The %Y_%m%d_%H%M_%S in the file name are strftime(3) specifiers; without them each rotation would overwrite the same file. -Z root keeps tcpdump running as root; on distributions that build tcpdump to drop privileges to an unprivileged user after opening the interface, it would otherwise be unable to create files in a root-owned directory, and writing into a directory that unprivileged user can write to is the safer alternative.

Command: tcpdump -i eth0 -s0 -C 1 -Z root -w eth0Packet.pcap

Description: Rotate the output file by size. -C takes the size in millions of bytes (1,000,000 bytes, not 1,048,576); each time the current file reaches that size, tcpdump opens a new one named eth0Packet.pcap, eth0Packet.pcap1, eth0Packet.pcap2 and so on. Adding -W n caps the number of files and reuses them in a ring so a long capture cannot fill the disk.

As mentioned above, tcpdump captures packets and writes them to the corresponding file. How do you analyze that file? Wireshark reads the same pcap format and provides a graphical analysis interface that pairs perfectly with tcpdump; tcpdump itself can also read a saved file back with tcpdump -r file.pcap, optionally with a filter expression, which is useful on a server without a desktop. If you are interested, you can look into it; if I have time later, I will also compile a Wireshark introductory series.
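What -w actually writes, and what -s does to each saved packet, is easiest to see by producing and parsing the file format yourself. The following is an added example, not part of the original article and not tcpdump's own code: it writes a classic libpcap file (the format tcpdump -w and Wireshark share) containing two constructed Ethernet/IPv4/TCP frames, reads it back in either byte order, decodes the headers into a tcpdump-style one-line summary, and shows how a small snaplen leaves the record's orig_len intact while cutting incl_len and the decodable headers. Addresses, MACs and payloads are made up for the example; pcapng and nanosecond-resolution pcap files are not handled.

```python
import struct

# Added example, not from the article and not tcpdump's own code: write a libpcap
# file in the format "tcpdump -w" produces, then parse it back and decode the
# Ethernet/IPv4/TCP headers. The packets are constructed here, not captured; the
# snaplen parameter of write_pcap shows what "-s" does to each saved record.

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))


def build_tcp_packet(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip + tcp + payload


SAMPLE_PACKETS = [  # constructed request/response pair; addresses from the article
    build_tcp_packet("02:00:00:00:00:01", "02:00:00:00:00:02", "10.126.1.222", "10.126.1.10",
                     51000, 80, b"GET / HTTP/1.1\r\nHost: crm\r\n\r\n"),
    build_tcp_packet("02:00:00:00:00:02", "02:00:00:00:00:01", "10.126.1.10", "10.126.1.222",
                     80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
]


def write_pcap(packets, snaplen=262144, first_ts=1600000000, endian="<"):
    """Serialize packets as a pcap file; each record keeps at most snaplen bytes."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        data = pkt[:snaplen]                                  # what "-s snaplen" keeps
        out += struct.pack(endian + "IIII", first_ts + i, 0, len(data), len(pkt)) + data
    return out


def decode(data):
    """Decode Ethernet/IPv4/TCP headers, stopping cleanly where snaplen cut the record."""
    info = {"proto": None, "truncated": False}
    if len(data) < 14:
        info["truncated"] = True
        return info
    ethertype = struct.unpack_from("!H", data, 12)[0]
    if ethertype != 0x0800:                                   # only IPv4 is decoded here
        info["proto"] = "ethertype 0x%04x" % ethertype
        return info
    if len(data) < 34:
        info["truncated"] = True
        return info
    ihl, ip_proto = (data[14] & 0x0F) * 4, data[23]
    info["src"] = ".".join(str(b) for b in data[26:30])
    info["dst"] = ".".join(str(b) for b in data[30:34])
    info["proto"] = {1: "icmp", 6: "tcp", 17: "udp"}.get(ip_proto, str(ip_proto))
    l4 = 14 + ihl
    if ip_proto == 6:
        if len(data) < l4 + 20:
            info["truncated"] = True                          # TCP header cut off by snaplen
            return info
        sport, dport, seq = struct.unpack_from("!HHI", data, l4)
        doff = (data[l4 + 12] >> 4) * 4
        info.update(sport=sport, dport=dport, seq=seq, flags=data[l4 + 13] & 0x3F,
                    payload=data[l4 + doff:])
    return info


def read_pcap(blob):
    """Parse a classic pcap file in either byte order into decoded records."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", blob, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap not handled)")
    if struct.unpack_from(endian + "IHHiIII", blob, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack_from(endian + "IIII", blob, off)
        rec = {"ts": sec + usec / 1e6, "incl_len": incl, "orig_len": orig}
        rec.update(decode(blob[off + 16:off + 16 + incl]))
        records.append(rec)
        off += 16 + incl
    return records


def summarize(rec):
    """One line per record in the spirit of tcpdump's default output."""
    if rec.get("proto") != "tcp" or rec["truncated"]:
        return "%s, %d of %d bytes saved%s" % (rec["proto"], rec["incl_len"], rec["orig_len"],
                                                " (truncated)" if rec["truncated"] else "")
    flags = "".join(name for bit, name in TCP_FLAG_NAMES if rec["flags"] & bit)
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, length %d" % (
        rec["src"], rec["sport"], rec["dst"], rec["dport"], flags, rec["seq"], len(rec["payload"]))


if __name__ == "__main__":
    for snaplen in (262144, 40):                              # default-sized vs. tiny -s
        for rec in read_pcap(write_pcap(SAMPLE_PACKETS, snaplen=snaplen)):
            print(summarize(rec))
```

With the default snaplen both records decode fully and the first prints as "IP 10.126.1.222.51000 > 10.126.1.10.80: Flags [P.], seq 1, length 29"; with snaplen=40 the record header still reports the original 83-byte length, but only 40 bytes were saved, the TCP header is missing, and the decoder flags the record as truncated. That is the failure mode behind the old 96-byte default mentioned in the options list: the capture looks complete until you try to read the payload.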

Conclusion

The delay was long, but it is finally finished! Of course, tcpdump is not an overly complex command, and what I have compiled here will certainly not hold back your use of tcpdump at work. It is the usual 80/20 rule: for complex commands, only 20% of the functions are in common use, while the remaining 80% are obscure features or functions rarely used in daily work.

