tcpdump: monitoring network packets

tcpdump monitors network packets, similar to sniffer, netxray and ethereal.

  • tcpdump -c 8    exit after receiving 8 packets
  • tcpdump -a      convert IP addresses to domain names
  • tcpdump -d -dd -ddd    print the packet-matching code and exit

    What is packet-matching code?

    • d    human-readable format: (000) ret #96
    • dd   C-language format: { 0x6, 0, 0, 0x00000060 },
    • ddd  decimal format: 1 6 0 0 96
  • -e    show the link-layer header
  • -E    decrypt IPsec ESP packets. Use algo:secret for decrypting IPsec ESP packets. Algorithms: des-cbc (default), 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc. secret is the ESP secret key.

    For example:

    tcpdump -E 3des-cbc:aaa

  • -i    select the interface to monitor
    tcpdump -i eth1
    useful when the machine has two or more network cards.
    tcpdump -i lo
    monitor the loopback interface.
    tcpdump -i any

Linux 2.2 and later support the any interface, meaning all interfaces, including loopback.

  • -l    make standard output line-buffered. tcpdump -l > some.data

    Without it, tcpdump's standard output is not line-buffered, so running tail -f some.data does not show results immediately; with line buffering you see them right away.

  • -n    do not resolve host names
  • -nn   do not resolve protocol and port names either
  • -N    do not print fully qualified domain names: for host.domain.com, print only host instead of host.domain.com
  • -m    load an SMI MIB module
  • -q    print only brief protocol information
  • -r    read packets from a file
  • -w    write packets to a file
  • -S    print absolute TCP sequence numbers instead of relative ones
  • -t    do not print timestamps
  • -tt   print unformatted timestamps, e.g. 1046592706.056390
  • -ttt  print the time delta between consecutive packets
    ex:
    000040 ms
    998670 ms
    2.494458 s
  • -tttt print the timestamp in the default format,
    03/02/2003 08:17:41.336789
    mm/dd/yyyy hh:mm:ss.ms

The time does not seem to be local time.

If none of -t, -tt, -ttt, -tttt is given, the format is

16:17:25.076892
hh:mm:ss.ms
  • -T    treat the packets selected by the filter expression as the given type.
    ex: tcpdump -T cnfp <some filter expression>

Supported types:

  1. cnfp (Cisco NetFlow Protocol)
  2. rpc (Remote Procedure Call)
  3. rtp (Real-Time Protocol)
  4. snmp (Simple Network Management Protocol)
  5. vat (Visual Audio Tool)
  6. wb (distributed White Board)
  • -v    more verbose output: IP options, IP and ICMP checksum verification, SMB packets
  • -vv
  • -vvv  even more information
  • -x    print the packet contents in hex, excluding the link-layer header
16:59:06.807010 ann.home.com.cn > ns.home.com.cn: icmp: echo request (DF)
             4500 0054 0000 4000 4001 2926 c0a8 c81f
             c0a8 c812 0800 d98e aa03 0100 f3c8 613e
             2763 0c00 0809 0a0b 0c0d 0e0f 1011 1213
             1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
             2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
             3435
16:59:06.807073 ns.home.com.cn > ann.home.com.cn: icmp: echo reply
             4500 0054 49cc 0000 4001 1f5a c0a8 c812
             c0a8 c81f 0000 e18e aa03 0100 f3c8 613e
             2763 0c00 0809 0a0b 0c0d 0e0f 1011 1213
             1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
             2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
             3435
  • -X    print the packet contents in hex and ASCII, excluding the link-layer header
16:59:38.706971 ann.home.com.cn > ns.home.com.cn: icmp: echo request (DF)
0x0000     4500 0054 0000 4000 4001 2926 c0a8 c81f    E..T..@.@.)&....
0x0010     c0a8 c812 0800 18f8 ab03 0100 13c9 613e    ..............a>
0x0020     c8f9 0a00 0809 0a0b 0c0d 0e0f 1011 1213    ................
0x0030     1415 1617 1819 1a1b 1c1d 1e1f 2021 2223    .............!"#
0x0040     2425 2627 2829 2a2b 2c2d 2e2f 3031 3233    $%&'()*+,-./0123
0x0050     3435                                       45
16:59:38.707026 ns.home.com.cn > ann.home.com.cn: icmp: echo reply
0x0000     4500 0054 49cd 0000 4001 1f59 c0a8 c812    E..TI...@..Y....
0x0010     c0a8 c81f 0000 20f8 ab03 0100 13c9 613e    ..............a>
0x0020     c8f9 0a00 0809 0a0b 0c0d 0e0f 1011 1213    ................
0x0030     1415 1617 1819 1a1b 1c1d 1e1f 2021 2223    .............!"#
0x0040     2425 2627 2829 2a2b 2c2d 2e2f 3031 3233    $%&'()*+,-./0123
0x0050     3435                                       45
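As an added example (not part of the original notes), the Python below takes the -x/-X hex output shown above, rebuilds the raw bytes, decodes the IPv4 header and verifies its checksum. The input is the echo-request dump copied from the -X output; the parser accepts both the -x form (hex words only) and the -X form (offset column, hex words, ASCII column). Because this capture was cut at the old default 96-byte snaplen (the IP header announces 84 bytes, but only 82 are present after the 14-byte Ethernet header is dropped), the ICMP checksum, which covers the whole message, is reported as unverifiable rather than as bad.

```python
import re
import struct
from typing import Optional

# Constructed input: the "-X" dump of the echo request above, copied line
# for line (offset column, hex words, ASCII column).
SAMPLE_DUMP = """\
0x0000     4500 0054 0000 4000 4001 2926 c0a8 c81f    E..T..@.@.)&....
0x0010     c0a8 c812 0800 18f8 ab03 0100 13c9 613e    ..............a>
0x0020     c8f9 0a00 0809 0a0b 0c0d 0e0f 1011 1213    ................
0x0030     1415 1617 1819 1a1b 1c1d 1e1f 2021 2223    .............!"#
0x0040     2425 2627 2829 2a2b 2c2d 2e2f 3031 3233    $%&'()*+,-./0123
0x0050     3435                                       45
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from tcpdump -x (hex only) or -X (offset + hex + ASCII) lines.

    Hex words are single-spaced; the offset column and the ASCII column are
    separated from them by two or more spaces. Splitting on those runs isolates
    the hex words without guessing whether an ASCII fragment such as "45" on the
    last line is text or data."""
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if not parts or not parts[0]:
            continue
        hex_words = parts[1] if parts[0].startswith("0x") else parts[0]
        out += bytes.fromhex(hex_words.replace(" ", ""))
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic: summing a header that carries a correct
    checksum (checksum field included) yields 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header (RFC 791) and verify its checksum."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "captured": len(pkt),
        # A snaplen-limited dump can be shorter than the length the header claims.
        "truncated": len(pkt) < total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "header_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
    }


def parse_icmp(ip: dict, pkt: bytes) -> dict:
    """Decode the ICMP type/code that follows the IPv4 header.

    The ICMP checksum covers the entire ICMP message, so on a truncated capture
    it cannot be verified; None is reported instead of a false "bad" verdict."""
    ihl = ip["ihl"]
    icmp_type, code, _csum = struct.unpack("!BBH", pkt[ihl:ihl + 4])
    names = {0: "echo reply", 8: "echo request"}
    checksum_ok: Optional[bool] = None
    if not ip["truncated"]:
        checksum_ok = ones_complement_sum(pkt[ihl:]) == 0xFFFF
    return {"type": icmp_type, "code": code,
            "name": names.get(icmp_type, "type %d" % icmp_type),
            "checksum_ok": checksum_ok}


if __name__ == "__main__":
    raw = hexdump_to_bytes(SAMPLE_DUMP)
    ip_hdr = parse_ipv4(raw)
    print(ip_hdr)
    if ip_hdr["protocol"] == 1:
        print(parse_icmp(ip_hdr, raw))
```

Running it on the dump above reports src 192.168.200.31, dst 192.168.200.18, TTL 64, DF set, a valid IP header checksum, and truncated=True with the ICMP checksum left unverified.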

Filter expressions

An expression consists of one or more primitives. A primitive is an id (a name or a number) preceded by one or more qualifiers. There are three different kinds of qualifier:

Type
says what kind of thing the id refers to. The type can be host, net or port,

e.g. "host foo", 'net 128.3', 'port 20'. If no type is given, the default is host.

Direction
says the direction of transfer.

There are four possible values: src, dst, src and dst, src or dst. If no direction is given, src or dst is the default, e.g. src foo, dst net 128.3, src or dst port ftp-data.

Protocol
names the protocol: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp, udp,

e.g. 'ether src foo'. If no protocol is given, all protocols satisfy the expression.

Other
Besides the primitives above there are gateway, broadcast, less, greater and arithmetic expressions, which have special forms.

Primitives can be joined with and, or and not to form an expression; when consecutive primitives share the same qualifiers, the repeated qualifiers can be omitted, e.g.

tcp dst port ftp or ftp-data or domain

tcp dst port ftp or tcp dst port ftp-data or dst port domain

mean the same thing.

dst host hostname
    the IPv4/IPv6 destination address is hostname; this can be an IP address or a host name; use the fully qualified domain name
src host hostname
    the IPv4/IPv6 source address is hostname; an IP address or a host name
host hostname
    the IPv4/IPv6 destination or source address is host. host can be prefixed with ip, arp, rarp or ip6
ether dst ehost, ether src ehost, ether ehost
    ehost is either an entry in /etc/ethers or a 48-bit MAC address, e.g.
    ether dst 00:00:e2:34:11:13

The contents of /etc/ethers look like

00:00:e2:34:11:13  HostName

where HostName is a valid host name, either recorded in /etc/hosts or a domain name.

gateway host
    matches packets that pass through host as a gateway. The host name must have an entry in /etc/ethers
dst net netname, src net netname, net netname
    netname is either an entry in /etc/networks or a network written as 192.168.200.0/24, where the first part is the network address and /24 is the number of leading 1 bits in the subnet mask. The /etc/ethers contents are
    NetworkName 192.168.200.0/24
src port portnumber, dst port portnumber, port portnumber
    portnumber can be a number or a port name listed in /etc/services
less length, greater length
    the packet length is no greater than / no less than length, e.g.
    less 100
    greater 50
ip proto protocol, ip6 proto protocol, ip6 protochain protocol
    protocol can be a number or one of icmp, icmp6, igmp, igrp, pim, ah, esp, udp, tcp. Note that tcp, udp and icmp are also keywords, so they must be escaped with a leading \

The rest is a bit messy; I'll tidy it up later.

    ether broadcast, ether multicast, ip multicast, ip6 multicast, ether proto protocol:
        protocol can be a number or one of the names ip, ip6, arp, rarp.
        note:
        these words must be escaped via backslash

    decnet src host, decnet dst host, decnet host host:
       I don't care

    ip, ip6, arp, rarp, atalk, aarp, decnet, iso
        abbreviations for
            ether proto p
        where p is one of the above protocols
    vlan [vlan_id]
        if [vlan_id] is specified, only true if the packet has the
        specified vlan_id.
    tcp, udp, icmp
        abbreviations for
            ip proto p or ip6 proto p
        where p is one of the above protocols.
    iso proto protocol
        protocol: clnp, esis, isis

    expr relop expr
        relop can be:
            <, >, <=, >=, =, !=
            Note: when using a shell, quote the above
            operators, especially >, <, >=, <=
        expr can be:
        1. an arithmetic expression (expressed in standard C
        syntax),
        2. the normal binary operators [+, -, *, /, |, &],
        3. the length operator
            keyword len
            ex: len = 45
        4. packet data accessors.
            proto[expr:size]
            proto can be:
                ether, fddi, tr, ip, arp, rarp, tcp, udp, icmp, ip6
            expr: byte index into the data of the specified protocol
            size: 1, 2 or 4, default 1

        ex:
            ether[0] & 1 != 0
            all multicast traffic
            ip[0] & 0xf != 5
            all IP packets with options.
            ip[6:2] & 0x1fff = 0
            only unfragmented datagrams and frag zero of
            fragmented datagrams.

    Primitives may be combined using:
        ! or not
        && or and
        || or or
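The byte-offset filters above are easiest to understand by evaluating them by hand. The following Python, added here and not part of the original notes or of tcpdump, implements proto[expr:size] over a constructed Ethernet/IPv4 frame (a made-up 14-byte Ethernet header, using the MAC from the /etc/ethers example as destination, followed by the echo-request bytes from the -x output above) and applies the three example filters. Derived frames that carry IP options, a broadcast destination or a non-zero fragment offset let each filter be seen both matching and not matching, and the accessor refuses tcp[...] on a packet whose IP protocol field is not TCP, which is why such a filter never matches the wrong transport.

```python
import struct

# Constructed sample frame: made-up Ethernet header (dst = the MAC from the
# /etc/ethers example, src invented, type 0x0800 = IPv4), then the IPv4 and
# ICMP headers of the echo request shown in the -x output.
ETH_UNICAST = bytes.fromhex("0000e2341113" "0000e2341114" "0800")
IPV4_ECHO = bytes.fromhex(
    "450000540000400040012926c0a8c81f"
    "c0a8c812080018f8ab03010013c9613e"
)
FRAME_UNICAST = ETH_UNICAST + IPV4_ECHO
# Variants derived from it so every filter can be seen matching and not matching.
FRAME_BROADCAST = bytes.fromhex("ffffffffffff") + ETH_UNICAST[6:] + IPV4_ECHO
# IHL = 6 (24-byte header): four NOP option bytes inserted after the fixed header.
FRAME_WITH_OPTIONS = (ETH_UNICAST + bytes([0x46]) + IPV4_ECHO[1:20]
                      + b"\x01\x01\x01\x01" + IPV4_ECHO[20:])
# Flags/fragment word 0x2010: MF set, fragment offset 16 -> not the first fragment.
FRAME_FRAGMENT = ETH_UNICAST + IPV4_ECHO[:6] + b"\x20\x10" + IPV4_ECHO[8:]

IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def accessor(frame: bytes, proto: str, offset: int, size: int = 1) -> int:
    """Evaluate proto[offset:size] as a tcpdump filter does, for an Ethernet/IPv4
    frame: ether[] indexes the frame, ip[] the IPv4 header, and icmp[]/tcp[]/udp[]
    the transport header, valid only when the IP protocol field matches."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if proto == "ether":
        base = 0
    else:
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            raise ValueError("not an IPv4 frame")
        base = 14
        if proto != "ip":
            if frame[14 + 9] != IP_PROTO[proto]:
                raise ValueError("frame does not carry %s" % proto)
            base = 14 + (frame[14] & 0x0F) * 4   # skip the IP header, options included
    start = base + offset
    if start + size > len(frame):
        raise ValueError("access beyond captured data")
    return int.from_bytes(frame[start:start + size], "big")


# The three filters from the text, written as predicates over a frame.
def is_multicast(frame: bytes) -> bool:
    """ether[0] & 1 != 0: the I/G bit of the destination MAC."""
    return accessor(frame, "ether", 0) & 1 != 0


def has_ip_options(frame: bytes) -> bool:
    """ip[0] & 0xf != 5: an IHL other than 5 means options are present."""
    return accessor(frame, "ip", 0) & 0xF != 5


def is_unfragmented_or_first(frame: bytes) -> bool:
    """ip[6:2] & 0x1fff = 0: fragment offset zero."""
    return accessor(frame, "ip", 6, 2) & 0x1FFF == 0


if __name__ == "__main__":
    for name, frame in [("unicast", FRAME_UNICAST), ("broadcast", FRAME_BROADCAST),
                        ("options", FRAME_WITH_OPTIONS), ("fragment", FRAME_FRAGMENT)]:
        print(name, is_multicast(frame), has_ip_options(frame), is_unfragmented_or_first(frame))
```

A useful detail the accessor makes visible: the transport base offset is computed from IHL, so tcp[13] (the flags byte) lands on the right byte even when IP options are present, which a fixed offset of 34 would not.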

OUTPUT FORMAT
    Protocol dependent.

    Link Level Header (with the -e option)
    21:35:08.146542 0:0:0:0:0:0 0:0:0:0:0:0 ip 98: localhost > localhost: icmp: echo request (DF)
    timestamp, src ether address, dst ether address, protocol, packet length

    FDDI
    frame control field, source addr, dest addr, packet length.

    Token Ring
    access control, frame control, source addr, dest addr, packet length.

    SLIP
    a direction indicator (I for inbound, O for outbound),
    packet type, compression information.
    packet type is printed first; it can be ip, utcp, ctcp. no further ip
    information.

    ARP
    arp who-has csam tell rtsg
    arp reply csam is-at CSAM
    real example:
          arp who-has 128.3.254.6 tell 128.3.254.68
          arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
    with the -e option
          RTSG Broadcast 0806  64: arp who-has csam tell rtsg
          CSAM RTSG 0806  64: arp reply csam is-at CSAM

    TCP Packets
        src > dst: flags data-seqno ack window urgent options
    src and dst are the source and destination IP addresses and ports.
    flags: S (SYN), F (FIN), P (PUSH), R (RST), or "."
    data-seqno: sequence number;
    ack: the sequence number of the next data expected in the other
    direction on this connection.
    window: the number of bytes of receive buffer space available in the
    other direction on this connection.
    urg: indicates there is urgent data in the packet.
    options: tcp options enclosed in angle brackets
          rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>

          explain:>>> tcp port 1023 on rtsg sent a packet to port
          login on csam.
          S means the SYN flag was set.
          the sequence number was 768512; it contained no data.
          `first:last(nbytes)' means `sequence numbers first up to but not
           including last, which is nbytes bytes of user data'

          csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>

          explain:>>> csam replies with a similar packet except it includes a
          piggy-backed ack for rtsg's SYN.

          rtsg.1023 > csam.login: . ack 1 win 4096

          explain:>>> rtsg acks csam's SYN.
          . means no flags are set.
          there is no data, so no sequence number.
          the ack sequence number is a small integer, 1. the first time tcpdump
          sees a tcp conversation, it prints the sequence number from the
          packet. On the subsequent packets of the conversation, the
          difference between the current packet's sequence number and
          this initial sequence number is printed. This means that
          sequence numbers after the first can be interpreted as relative
          byte positions in the conversation's data stream (with the
          first data byte in each direction being `1').
          the '-S' option overrides this feature.

          rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096

          explain:>>>
          csam.login > rtsg.1023: . ack 2 win 4096
          rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
          csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
          csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
          csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
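To see how the relative numbering described above comes out of the absolute values, the following Python (an added example, not part of the original notes or of tcpdump) re-renders the rtsg/csam trace from absolute sequence and ack numbers, both in the default relative form and in the absolute form that -S gives. It models the rule the text states: the first segment of a conversation, and any SYN, is printed with absolute numbers and records each side's initial sequence number; later segments subtract those. The absolute values in the constructed trace are reconstructed from the relative lines above (rtsg's ISN 768512, csam's ISN 947648).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    src: str             # "host.port" as tcpdump prints it
    dst: str
    flags: str           # "S", "P", "F", "R", or "." for none
    seq: int             # absolute sequence number from the header
    ack: Optional[int]   # absolute ack number, None when ACK is not set
    length: int          # payload bytes
    win: int
    urg: Optional[int] = None
    options: str = ""


# Constructed trace: the nine segments of the rtsg/csam login exchange above,
# with the absolute numbers the relative lines were derived from.
TRACE = [
    Segment("rtsg.1023", "csam.login", "S", 768512, None,   0, 4096, options="<mss 1024>"),
    Segment("csam.login", "rtsg.1023", "S", 947648, 768513, 0, 4096, options="<mss 1024>"),
    Segment("rtsg.1023", "csam.login", ".", 768513, 947649, 0, 4096),
    Segment("rtsg.1023", "csam.login", "P", 768513, 947649, 1, 4096),
    Segment("csam.login", "rtsg.1023", ".", 947649, 768514, 0, 4096),
    Segment("rtsg.1023", "csam.login", "P", 768514, 947649, 19, 4096),
    Segment("csam.login", "rtsg.1023", "P", 947649, 768533, 1, 4077),
    Segment("csam.login", "rtsg.1023", "P", 947650, 768533, 1, 4077, urg=1),
    Segment("csam.login", "rtsg.1023", "P", 947651, 768533, 1, 4077, urg=1),
]


class SeqPrinter:
    """Renders segments in the old tcpdump line format, with relative sequence
    numbers by default or absolute ones (as with -S) when absolute=True."""

    def __init__(self, absolute: bool = False) -> None:
        self.absolute = absolute
        # per conversation: endpoint -> that endpoint's initial sequence number
        self.isn: Dict[Tuple[str, str], Dict[str, Optional[int]]] = {}

    def format(self, seg: Segment) -> str:
        seq, ack = seg.seq, seg.ack
        if not self.absolute:
            key = tuple(sorted((seg.src, seg.dst)))
            bases = self.isn.get(key)
            if bases is None or "S" in seg.flags:
                # First segment seen, or a SYN: this side's ISN is the seq, the
                # peer's ISN is one less than the ack; print absolute values.
                self.isn[key] = {seg.src: seg.seq,
                                 seg.dst: None if ack is None else (ack - 1) & MASK32}
            else:
                src_base, dst_base = bases[seg.src], bases[seg.dst]
                if src_base is not None:
                    seq = (seq - src_base) & MASK32
                if ack is not None and dst_base is not None:
                    ack = (ack - dst_base) & MASK32
        parts = [f"{seg.src} > {seg.dst}:", seg.flags]
        # A first:last(nbytes) range is printed when there is data or a SYN/FIN/RST.
        if seg.length or any(f in seg.flags for f in "SFR"):
            parts.append(f"{seq}:{seq + seg.length}({seg.length})")
        if ack is not None:
            parts.append(f"ack {ack}")
        parts.append(f"win {seg.win}")
        if seg.urg is not None:
            parts.append(f"urg {seg.urg}")
        if seg.options:
            parts.append(seg.options)
        return " ".join(parts)


def render(trace: List[Segment], absolute: bool = False) -> List[str]:
    printer = SeqPrinter(absolute)
    return [printer.format(seg) for seg in trace]


if __name__ == "__main__":
    for line in render(TRACE):
        print(line)
    print("--- with -S ---")
    for line in render(TRACE, absolute=True):
        print(line)
```

The relative rendering reproduces the nine lines above exactly; with absolute=True the fourth line becomes "rtsg.1023 > csam.login: P 768513:768514(1) ack 947649 win 4096", which is what -S shows and what you need when correlating with a capture taken on the other host.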