Detailed explanation of tcpdump command examples in Linux

Preface

To put it simply, tcpdump is a packet analysis tool that dumps the traffic on a network and intercepts data packets on the network according to the user's definition. Tcpdump can completely intercept the "header" of the data packet transmitted in the network and provide analysis. It supports filtering for network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information.

Speaking of the tcpdump command, I have to mention the development and implementation of the third-generation CRM system of China Mobile Inner Mongolia Branch, in which I participated. If I remember correctly, it should be 2016. I was solely responsible for the overall transformation of the self-service channel of the entire 10086 customer service system. During the system stress testing phase, timeouts always occurred when calling the interface platform. Later, this problem became more and more serious. At the same time, the short-term hall channel and CBOSS channel also reported this problem. At this time, this problem attracted the attention of the big boss, and then experts from all parties consulted. In such large-scale projects, expert consultations always have one characteristic, that is, the experts give commands and the younger brothers do the work, and at that time, I was that younger brother.

Okay, the expert has spoken, let’s capture the packet first. This is how I started my packet capture work and my comprehensive understanding of tcpdump.

First of all, I need to say that tcpdump is a very powerful command. Its powerful functions mean that the use of this command is very complicated, which means that there will be a lot of content that I will organize next. If you want to master the entire tcpdump command, you need to be a little patient to read the entire article. OK,Let's go!

Command Introduction

Tcpdump is a powerful network packet capture tool that runs on the Linux platform. Being familiar with the use of tcpdump can help us analyze and debug network data. However, in order to master tcpdump well, you must have a certain understanding of network messages (TCP/IP protocol). However, for simple use, basic network concepts are enough.

As a classic essential tool for system administrators on the Internet, tcpdump has become one of the essential tools for every senior system administrator to analyze the network and troubleshoot problems with its powerful functions and flexible interception strategies. In actual work, you need to execute this command with root privileges.

tcpdump is a very complicated command. It is not easy to understand all aspects of it, and it is not recommended. The key is to be able to use it to solve problems in daily work. Therefore, in the following summary, I will focus more on actual work and sort out some frequently used usages in actual work. For some unpopular usages, I will basically not involve them here. If they are used in work in the future, I will update them here.

Detailed command explanation Below is a summary of some commonly used options of tcpdump.

• -s number: By default, tcpdump will only capture the first 96 bytes. If you want to capture all the message content, you need to use this option. Number is the number of bytes to be captured. If it is 0, it means to capture the entire message content.
• -nn: indicates not resolving the domain name but directly displaying the IP address. This option is also available in the netstat command.
• -X: Use hex and ascii to display the message content at the same time;
• -S: Display absolute sequence numbers instead of relative numbers;
• -i: specifies the network card to monitor. If it is -i any, it means monitoring all network cards;
• -v, -vv, -vvv: Display more detailed information;
• -c number: intercepts number messages and then ends;
• -w: Write the monitored data packets into a file and save them without analyzing and printing them;
• -A: Print all the message data using ascii only. Do not use it with the -X option. When intercepting HTTP requests, you can use sudo tcpdump -nSA port 80

Although the tcpdump command has many options, the commonly used options are only the ones listed above. Here I will focus more on usage examples and learn the tcpdump command through usage examples.

Filters

Before we start with the detailed usage examples, it is necessary to master some basic theoretical knowledge of tcpdump. Let's talk about filters first.

There are an abnormally large number of network messages on the server. Many times, we only focus on data messages related to specific problems, and these useful messages only account for a small part. In order to prevent ourselves from getting lost in the ocean of messages, it is very necessary for us to learn the flexible and powerful filters provided by tcpdump.

Filters can also be simply divided into three categories: type, dir and proto.

type: Mainly used to distinguish the source type of the filtered message, which mainly consists of host host messages, net network segment messages and port specified port messages;

dir: Only filter the source address and destination address of the message, mainly including src source address and dst destination address;

proto: only filters the protocol type of the message, supporting tcp, udp and icmp, etc.; the proto keyword can be omitted when used:

• tcpdump -i eth1 arp
• tcpdump -i eth1 ip
• tcpdump -i eth1 tcp
• tcpdump -i eth1 udp
• tcpdump -i eth1 icmp

These filters are indispensable when we use the tcpdump command.

Condition combination

In the vast network, it is still difficult to find the network package you want. In order to capture the network packet we want, the more restrictive conditions we include in our packet capture command, the fewer irrelevant packets we will capture. Therefore, when capturing packets, we can use "and" (and &&), "or" (or, ||) and "not" (not, !) to combine multiple conditions. This is very useful when we need to analyze network packets based on certain conditions.

Use Case

Command: tcpdump -i eth1

Description: Monitor the data packets of the specified network interface

Command: tcpdump host 210.27.48.3

Description: Intercept all data packets received and sent by the host 210.27.48.3

Command: tcpdump host 210.27.48.4 and (210.27.48.5 or 210.27.48.6)

Description: Intercept all data packets between the 210.27.48.3 host and the 210.27.48.5 or 210.27.48.6 host.

Command: tcpdump net 192.168.1.0/24

Description: Intercept the data packets of the entire network 192.168.1.0/24

Command: tcpdump -i eth0 src host 210.27.48.3

Description: Monitor all network packets with source address 210.27.48.3 on eth0 network card

Command: tcpdump -i eth0 dst host 210.27.48.3

Description: Monitor all network packets on the eth0 network card with a destination address of 210.27.48.3

Command: tcpdump tcp port 23 and host 210.27.48.3

Description: Get all TCP protocol packets sent and received by the application with port 23 on the host 210.27.48.3

Command: tcpdump udp port 123

Description: Get all UDP protocol packets sent and received by port 123 of the local machine

Command: tcpdump src host 10.126.1.222 and dst net 10.126.1.0/24

Description: The intercepted source address is 10.126.1.222, and the destination address is the entire network 10.126.1.0/24

Command: tcpdump -i eth0 -s0 -G 60 -Z root -w %Y_%m%d_%H%M_%S.pcap

Note: After capturing the message, save it at the specified time interval; the -G option is followed by the time in seconds; the above command saves a file every 60 seconds

Command: tcpdump -i eth0 -s0 -C 1 -Z root -w eth0Packet.pcap

Note: After capturing packets, save them according to the specified packet size; the -C option is followed by the file size in MB; the above command uses a new file to save the newly captured packets when the packet capture file reaches 1MB

As mentioned above, tcpdump generates a corresponding file after capturing the packet, so how to analyze this file? Yes, there is a software called "Wireshark" that can be perfectly combined with tcpdump to provide a visual analysis interface. If you are interested, you can learn it. If I have time later, I will also organize an introductory series on "Wireshark".

Summarize

It took a long time to sort it out, but it’s finally done! Of course, I have not provided a very comprehensive summary of such a complex command as tcpdump, but the content I have compiled here will definitely not affect your use of the tcpdump command in your work. It’s still the “80/20 rule”. For complex commands, commonly used functions only account for 20%, and the remaining 80% are relatively obscure functions, or functions that are rarely used in work.

Well, the above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. If you have any questions, you can leave a message to communicate. Thank you for your support of 123WORDPRESS.COM.