The Linux packet capture command tcpdump dumps traffic passing over the network; it captures the headers of packets on the wire in full for analysis, supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not so that you can discard the packets you do not care about.
The time a packet takes to travel from the physical line to the kernel, and the interrupt-handling time the kernel spends on that packet, are not counted.
Command usage
tcpdump is a command-line tool; its syntax is:
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -Z user ] [ expression ]
Overview of tcpdump options
-A Print each packet in ASCII (the link-layer header of the packet is not printed). This is convenient when capturing packets that carry web page data, because the content can be read directly (nt: that is, handy for capturing web pages).
-c count Exit after receiving count packets.
-C file-size (nt: this option is used together with the -w file option) Before writing a raw packet to the save file, check whether the file is larger than file-size; if it is, close the current file and open a new one to continue recording. The new file's name is the name given by -w followed by a number, starting at 1 and increasing by one with each file created. The unit of file-size is millions of bytes (nt: that is 1,000,000 bytes, not 1,048,576 bytes; the latter comes from counting 1024 bytes as 1K and 1024K as 1M, so that 1M = 1024 * 1024 = 1,048,576).
-d Print the compiled packet-matching code in a human-readable form to standard output, then stop. (nt | rt: human readable, easy to read, usually means printing information as ASCII text; compiled, assembled; packet-matching code, the exact meaning is unknown and needs to be added)
-dd Print the packet-matching code as a C program fragment.
-ddd Print the packet-matching code as decimal numbers (preceded by an additional prefix).
-D Print the list of network interfaces on the system on which tcpdump can capture packets. For each interface, its number, its name and, where available, a description are printed. The interface name or number can be given to tcpdump's -i option (nt: read "flag" as the interface name or number) to choose the interface on which to capture.
This option is useful on systems that have no command to list interfaces (nt: e.g. Windows, or UNIX systems lacking ifconfig -a), or where interface names are complex strings that are awkward to use.
If the libpcap library that tcpdump was built against is too old, the -D option is not supported, because that libpcap lacks the pcap_findalldevs() function.
-e Print the link-layer header of the packet on each output line.
-E spi@ipaddr algo:secret,...
Use spi@ipaddr algo:secret to decrypt IPsec ESP packets (nt | rt: ESP, IPsec Encapsulating Security Payload; IPsec can be understood as a set of protocols for encrypting IP packets, and ESP encrypts either the whole IP packet, which is called tunnel mode, or only its upper-layer protocol part, which is called transport mode; how it works is to be supplemented).
Note that the key (secret) can be set for IPv4 ESP packets when tcpdump is started from a terminal.
The available encryption algorithms are des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none; the default is des-cbc (nt: DES, Data Encryption Standard; the algorithm itself is not described here and needs to be supplemented). secret is the key used for ESP, given as an ASCII string; if it starts with 0x, the key is read as hexadecimal.
The definition of ESP used by this option follows RFC 2406, not RFC 1827. Moreover, this option is meant only for debugging: do not use it with a real key (secret), because it is not safe. A secret typed on the command line can be seen by other users through commands such as ps.
Besides the syntax above (nt: spi@ipaddr algo:secret), you can give tcpdump the name of a file whose contents use that syntax (nt: that is, replace spi@ipaddr algo:secret,... with a file name). The file is opened only when the first ESP packet is received, so any special privileges granted to tcpdump should have been dropped by then (nt: can be understood as: with this precaution, if the file is written maliciously it will not cause much damage).
-f Print foreign IPv4 addresses (nt: foreign IPv4 addresses, which can be understood as addresses that are not local) as numbers rather than names. (This option works around a defect in Sun's NIS server (nt: NIS, Network Information Service), and tcpdump displays the names of foreign addresses using
'meta signaling circuit' (nt: VPI=0 and VCI=1; 'Yuan signaling line' is the meta signaling circuit; the specific meaning is unknown and needs to be added), then the corresponding conditional expression is true.
bcc True if the packet is an ATM packet; for SunATM devices on the Solaris operating system, true if the packet is an ATM packet and comes from the 'broadcast signaling circuit' (nt: VPI=0 and VCI=2; the specific meaning is unknown and needs to be added).
sc True if the packet is an ATM packet; for SunATM devices on the Solaris operating system, true if the packet is an ATM packet and comes from the 'signaling circuit' (nt: VPI=0 and VCI=5; the specific meaning is unknown and needs to be added).
ilmic True if the packet is an ATM packet; for SunATM devices on the Solaris operating system, true if the packet is an ATM packet and comes from the 'ILMI circuit' (nt: VPI=0 and VCI=16; ILMI, Interim Local Management Interface, can be understood as a network management interface based on SNMP, the Simple Network Management Protocol).
connectmsg True if the packet is an ATM packet; for SunATM devices on the Solaris operating system, true if the packet is an ATM packet, comes from the 'signaling circuit' and is one of the following messages defined in the Q.2931 protocol: Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done. (nt: Q.2931 is a signaling protocol defined by the ITU, the International Telecommunication Union; it specifies the procedures for establishing, maintaining and releasing network connections at the user interface of the broadband integrated services digital network.)
metaconnect True if the packet is an ATM packet; for SunATM devices on the Solaris operating system, true if the packet is an ATM packet, comes from the 'meta signaling circuit' and is one of the following messages defined in the Q.2931 protocol: Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done.
expr relop expr
True if the two operands (expr) on either side of relop satisfy the relation given by relop.
relop is one of the relational operators >, <, <=, =, !=.
expr is an arithmetic expression. It may contain integer constants (with standard C syntax), the binary operators +, -, *, /, &, |, <<, >>, a length operator, and special accessors for data inside the packet. Note that all comparisons are unsigned by default: for example, 0x80000000 and 0xffffffff are both greater than 0 (nt: in a signed comparison, by the two's-complement rule, 0xffffffff would be less than 0). To refer to data inside the packet, use the following expression:
proto [expr : size]
proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and names the protocol layer that the accessor indexes into (ether, fddi, wlan, tr, ppp, slip and link refer to the data link layer; radio refers to the 'radio' header attached to some 802.11 (wlan, wireless local area network) packets (nt: it describes the baud rate, encryption and similar information)).
Note that the upper-layer protocols such as tcp and udp can currently only be used on networks whose network layer is IPv4 or IPv6 (this restriction will be lifted in a future version of tcpdump). expr gives the byte offset, within the data of the named protocol, of the field you want. size is optional and gives the length of the data segment we care about (nt: usually this segment is a field of the packet header); it can be 1, 2 or 4 bytes. If size is omitted, it defaults to 1 byte. The keyword of the length operator is len, which stands for the length of the whole packet.
For example, 'ether[0] & 1 != 0' makes tcpdump capture all multicast packets (nt: the lowest bit of the byte ether[0] is 1 when the packet's destination address is a multicast address). 'ip[0] & 0xf != 5' captures all IPv4 packets that carry options. 'ip[6:2] & 0x1fff = 0' captures unfragmented IPv4 packets, or the fragment whose fragment offset is 0 of a fragmented IPv4 packet. This check is also applied to the tcp and udp accessors, that is, tcp[0] always refers to the first byte of the TCP header and never to a byte of an intervening fragment.
Some offsets and field values can be given by name as well as by number. The following field names (fields in the protocol header) are available: icmptype (the type field of the ICMP header), icmpcode (the code field of the ICMP header) and tcpflags (the flags field of the TCP header). The following values are available for the type field of the ICMP header:
icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.
The following values are available for the flags field of the TCP header: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
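As an added illustration that is not part of the original article, the Python below mirrors how the proto[offset:size] accessors described above index into a frame, and evaluates the three sample filters from the text plus a tcpflags test on constructed Ethernet/IPv4/TCP frames. The frame builder, the accessor function, the flag constants and the sample frames are all this example's own assumptions, not tcpdump code.

```python
import struct

# Constructed sample frames (not captured traffic): Ethernet II + IPv4 + TCP.
def build_frame(dst_mac, ihl_words, frag_field, tcp_flags):
    """Ethernet/IPv4/TCP frame with a chosen IHL (header length in 32-bit words),
    IPv4 flags+fragment-offset field and TCP flags byte. Checksums stay zero."""
    eth = dst_mac + bytes.fromhex("02000000000b") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 8080, 443, 1, 0, 5 << 4, tcp_flags, 512, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + 20,
                     0x1234, frag_field, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x01" * (ihl_words * 4 - 20)  # NOP options when IHL > 5
    return eth + ip + tcp

def accessor(frame, proto, offset, size=1):
    """proto[offset:size] as tcpdump evaluates it for ether, ip and tcp: the big-endian
    integer at that offset inside the named header. tcp[...] is relative to the TCP
    header, i.e. past any IP options, so tcp[0] is always the first TCP header byte;
    a non-first fragment has no TCP header, so (like tcpdump) it cannot match."""
    if proto == "ether":
        base = 0
    elif proto == "ip":
        base = 14
    elif proto == "tcp":
        frag = struct.unpack("!H", frame[20:22])[0] & 0x1FFF  # ip[6:2] & 0x1fff
        if frame[23] != 6 or frag != 0:
            raise ValueError("no TCP header in this packet")
        base = 14 + (frame[14] & 0x0F) * 4                   # skip IHL*4 bytes
    else:
        raise ValueError(proto)
    return int.from_bytes(frame[base + offset:base + offset + size], "big")

TCP_SYN, TCP_ACK = 0x02, 0x10  # tcp-syn, tcp-ack bits; tcpflags is TCP offset 13

def is_multicast(f):       return accessor(f, "ether", 0) & 1 != 0       # ether[0] & 1 != 0
def has_ip_options(f):     return accessor(f, "ip", 0) & 0xF != 5        # ip[0] & 0xf != 5
def is_unfrag_or_first(f): return accessor(f, "ip", 6, 2) & 0x1FFF == 0  # ip[6:2] & 0x1fff = 0
def is_bare_syn(f):        return accessor(f, "tcp", 13) & (TCP_SYN | TCP_ACK) == TCP_SYN

MULTICAST = bytes.fromhex("01005e000001")
UNICAST = bytes.fromhex("020000000001")
plain_syn = build_frame(UNICAST, 5, 0x4000, TCP_SYN)            # DF set, no options
synack_with_opts = build_frame(UNICAST, 6, 0x4000, TCP_SYN | TCP_ACK)
mcast_fragment = build_frame(MULTICAST, 5, 0x0003, TCP_SYN)     # fragment offset 3

if __name__ == "__main__":
    for name, f in [("plain_syn", plain_syn), ("synack_with_opts", synack_with_opts)]:
        print(name, is_multicast(f), has_ip_options(f), is_unfrag_or_first(f), is_bare_syn(f))
```

The last function is the usual way to pick out connection attempts (SYN without ACK) when reviewing a capture; on the fragment it raises, which corresponds to tcpdump's filter simply not matching.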
The above covers the use of the Linux packet capture command tcpdump. For more details, see the other related articles on 1024programmer.com.