tcpdump tutorial
*/-->
tcpdump tutorial
Table of Contents
1 Options
It's also important to note that tcpdump only takes the first [S:68:S] 96 bytes of data from a packet by default. If you
would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I
recommend using 0 (zero) for a snaplength, which gets everything. Here's a short list of the options I use most:
- -i any : Listen on all interfaces just to see if you're seeing any traffic.
- -n : Don't resolve hostnames.
- -nn : Don't resolve hostnames or port names.
- -X : Show the packet's contents in both hex and ASCII.
- -XX : Same as -X, but also shows the ethernet header.
- -v, -vv, -vvv : Increase the amount of packet information you get back.
- -c : Only get x number of packets and then stop.
- -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally
capturing less. - -S : Print absolute sequence numbers.
- -e : Get the ethernet header as well.
- -q : Show less protocol information.
- -E : Decrypt IPSEC traffic by providing an encryption key.
2 Basic Usage
So, based on the kind of traffic I'm looking for, I use a different combination of options to tcpdump, as can be seen
below:
- Basic communication // see the basics without many options
#!/bin/bash
tcpdump -nS
- Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
#!/bin/bash
tcpdump -nnvvS - A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet
#!/bin/bash
tcpdump -nnvvXS - Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet
#!/bin/bash
tcpdump -nnvvXSs 1514
Here's a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options described above. Notice how
much we see about each packet.
#!/bin/bash
tcpdump -nnvXSs 0 -c2 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), 23:11:10.370321 IP
(tos 0x20, ttl 48, id 34859, offset 0, flags [none], length: 84)
69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0 0x0000: 4520 0054 882b 0000 3001 7cf5 45fe d52b E..T.+..0.|.E..+
0x0010: 4815 222a 0800 3530 272a 0000 25ff d744 H."*..50'*..%..D
0x0020: ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213 .^..............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
23:11:10.370344 IP (tos 0x20, ttl 64, id 35612, offset 0, flags [none],
length: 84) 72.21.34.42 > 69.254.213.43: icmp 64: echo reply seq 0
0x0000: 4520 0054 8b1c 0000 4001 6a04 4815 222a E..T....@.j.H."*
0x0010: 45fe d52b 0000 3d30 272a 0000 25ff d744 E..+..=0'*..%..D
0x0020: ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213 .^..............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
2 packets captured
2 packets received by filter
0 packets dropped by kernel
3 Common Syntax
Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src
and dst. Here are a few that you should definitely be comfortable with:
- host // look for traffic based on IP address (also works with hostname if you're not using -n)
#!/bin/bash tcpdump host 1.2.3.4
- src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
#!/bin/bash tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6
- net // capture an entire network using CIDR notation
#!/bin/bash
tcpdump net 1.2.3.0/24
- proto // works for tcp, udp, and icmp. Note that you don't have to type proto
#!/bin/bash tcpdump icmp
- port // see only traffic to or from a certain port
#!/bin/bash tcpdump port 3389
- src, dst port // filter based on the source or destination port
#!/bin/bash tcpdump src port 1025
tcpdump dst port 389
- src/dst, port, protocol // combine all three
#!/bin/bash
tcpdump src port 1025 and tcp
tcpdump udp and src port 53
You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that
are above or below a certain size.
- Port Ranges // see traffic to any port in a range
#!/bin/bash
tcpdump portrange 21-23
- Packet Size Filter // only see packets below or above a certain size (in bytes)
#!/bin/bash
tcpdump less 32
tcpdump greater 128
[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
// filtering for size using symbols
#!/bin/bash
tcpdump > 32
tcpdump
4 Writing to a File
using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later. The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space.
This means it can be read in by all sorts of tools, including Wireshark, Snort, etc. Capture all Port 80 Traffic to a File
#!/bin/bash
tcpdump -s 1514 port 80 -w capture_file
Then, at some point in the future, you can then read the traffic back in like so:
Read Captured Traffic back into tcpdump
#!/bin/bash
tcpdump -r capture_file
Getting Creative
Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to
isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all
they'll be pretty familar to you:
- AND
and or && - OR
or or || - EXCEPT
not or !
More Examples
#!/bin/bash # TCP traffic from 10.5.2.3 destined for port 3389 tcpdump -nnvvS and src 10.5.2.3 and dst port 3389
#!/bin/bash # Traffic originating from the 192.168 network headed for the 10 or 172.16 networks tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
#!/bin/bash # Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net and not icmp
#!/bin/bash # Traffic originating from Mars or Pluto that isn't to the SSH port tcpdump -vv src mars and not dst port 22
As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what
you're looking for and then to build the syntax to isolate that specific type of traffic.
5 Grouping
Also keep in mind that when you're building complex queries you might have to group your options using single quotes.
Single quotes are used in order to tell tcpdump to ignore certain special characters – in this case the "( )" brackets.
This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command
below:
#!/bin/bash # Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect) tcpdump src 10.0.2.4 and (dst port 3389 or 22)
If you tried to run this otherwise very useful command, you'd get an error because of the parenthesis. You can either fix
this by escaping the parenthesis (putting a \ before each one), or by putting the entire command within single quotes:
#!/bin/bash # Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (correct) tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Advanced
You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former
is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ]
Show me all URGENT (URG) packets…
#!/bin/bash
tcpdump 'tcp[13] & 32!=0'
Show me all ACKNOWLEDGE (ACK) packets…
#!/bin/bash
tcpdump 'tcp[13] & 16!=0'
Show me all PUSH (PSH) packets…
#!/bin/bash
tcpdump 'tcp[13] & 8!=0'
Show me all RESET (RST) packets…
#!/bin/bash
tcpdump 'tcp[13] & 4!=0'
Show me all SYNCHRONIZE (SYN) packets…
#!/bin/bash
tcpdump 'tcp[13] & 2!=0'
Show me all FINISH (FIN) packets…
#!/bin/bash
tcpdump 'tcp[13] & 1!=0'
Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…
#!/bin/bash
tcpdump 'tcp[13]=18'
[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed,
but they are shown elsewhere in the output rather than in the flags field ]
Keep in mind the reasons these filters work. The filters above find these various packets because tcp1 looks at offset
13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is
set to 1, i.e. it's on.
As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture
packets with specific TCP flags set.
Capture TCP Flags Using the tcpflags Option…
#!/bin/bash
tcpdump 'tcp[tcpflags] & & tcp-syn != 0'
Specialized Traffic
Finally, there are a few quick recipes you'll want to remember for catching specific and specialized traffic, such as IPv6
and malformed/likely-malicious packets.
IPv6 traffic
#!/bin/bash
tcpdump ip6
Packets with both the RST and SYN flags set (why?)
#!/bin/bash
tcpdump 'tcp[13] = 6'
Traffic with the 'Evil Bit' Set
#!/bin/bash
tcpdump 'ip[6] & 128 != 0'
Conclusion
Well, this primer should get you going strong, but the man page should always be handy for the most advanced and one-off
usage scenarios. I truly hope this has been useful to you, and feel free to contact me if you have any questions. ::
Footnotes:
1 DEFINITION NOT FOUND: 13
tcpdump tutorial的更多相关文章
-
TCPDUMP Command Examples
tcpdump command is also called as packet analyzer. tcpdump command will work on most flavors of unix ...
-
抓包神器 tcpdump 使用介绍
tcpdump 命令使用简介 简单介绍 tcpdump 是一款强大的网络抓包工具,运行在 linux 平台上.熟悉 tcpdump 的使用能够帮助你分析.调试网络数据. 要想使用很好地掌握 tcpdu ...
-
OpenNF tutorial复现
这篇博客记录了自己实现OpenNF官网上tutorial的过程和遇见的问题,如果有不对的地方还请批评指正! tutorial链接 实验内容 这个实验展示了如何迅速且安全地把一个TCP流从一个NF实例迁 ...
-
如何利用tcpdump对mysql进行抓包操作
命令如下: tcpdump -s -l -w - dst -i eno16777736 |strings 其中-i指定监听的网络接口,在RHEL 7下,网络接口名不再是之前的eth0,而是 eno16 ...
-
[翻译+山寨]Hangfire Highlighter Tutorial
前言 Hangfire是一个开源且商业免费使用的工具函数库.可以让你非常容易地在ASP.NET应用(也可以不在ASP.NET应用)中执行多种类型的后台任务,而无需自行定制开发和管理基于Windows ...
-
运维之网络安全抓包—— WireShark 和 tcpdump
------------------------------------------------本文章只解释抓包工具的捕获器和过滤器的说明,以及简单使用,应付日常而已----------------- ...
-
tcpdump、nc网络工具使用
tcpdump: 网络嗅探器 nc: nmap: 端口扫描 混杂模式(promisc) C设置为监控,当A和B通信,C是无法探测到数据的,除非有交换机的权限,将全网端口的数据通信都发送副本到C的端口上 ...
-
Django 1.7 Tutorial 学习笔记
官方教程在这里 : Here 写在前面的废话:)) 以前学习新东西,第一想到的是找本入门教程,按照书上做一遍.现在看了各种网上的入门教程后,我觉得还是看官方Tutorial靠谱.书的弊端一说一大推 本 ...
-
【Network】TCPDUMP 详解
参考资料: https://www.baidu.com/s?ie=UTF-8&wd=tcpdump%20%E6%8C%87%E5%AE%9Aip tcpdump非常实用的抓包实例: http ...
随机推荐
-
linux之查看系统命令
cpu信息 1.查看逻辑cpu核数 # cat /proc/cpuinfo| grep "processor"| wc -l 2.查看物理cpu个数 # cat /proc/cpu ...
-
Markdown是怎样接管我的各种的写作工作的
对于一个程序猿来说,没有什么比单纯的写代码更能让人兴奋了.如果能让你像写代码一样写文档,不用再面对那些繁琐的样式,你会怎么看?它就是Markdown!即使博客园已经有不少介绍的文章了,但是我依然还是不 ...
-
java JSONObject/JSONArray详解
应用架包:json-lib-2.4-jdk15.jar.及相关依赖架包. 一.JSONObject和JSONArray对象 -------------------------------------- ...
-
JAVA字符串转换MD5值
简介: MD5即Message-Digest Algorithm 5(信息-摘要算法5),用于确保信息传输完整一致.是计算机广泛使用的杂凑算法之一(又译摘要算法.哈希算法),主流编程语言普遍已有MD5 ...
-
35.QT-多线程
程序和进程的区别 进程是动态的,程序是静态的,进程是程序运行时的实例,是占用系统运行资源的程序 进程是暂时的,程序是永久的, 进程是通过程序运行时得到的 程序是一个数据文件,进程是内存中动态的运行实体 ...
-
Android开发日常-listview滚动方法梳理
listview滚动方法梳理 1.setSelection(position); 滚动到指定条目 2.setSelectionFromTop(position,y): 距离指定条目向下偏移y(像素) ...
-
linux 开关机指令
shutdown -h now 现在关机 shutdown -h 1 1分钟后电脑关机 su 切换 用户 halt 关机 reboot 重启 sync :保存
-
git 报错 error: insufficient permission for adding an object to repository database ./objects
参照:http://*.com/questions/1918524/error-pushing-to-github-insufficient-permission-for-ad ...
-
AS3 判断双击事件
//双击事件触发的时候不触发单击事件 package { import com.greensock.TweenLite; import flash.display.DisplayObjectConta ...
-
老男孩Day13作业:ORM学员管理系统
一.作业需求: 用户角色,讲师\学员, 用户登陆后根据角色不同,能做的事情不同,分别如下 讲师视图: 管理班级,可创建班级,根据学员qq号把学员加入班级 可创建指定班级的上课纪录,注意一节上 ...