tcpdump
Created: 25.04.2013 21:58
Section: root - Linux
Record: Yurons/mytetra/master/base/1366916330qk4svmqilw/text.html on raw.github.com
Show traffic on an interface: tcpdump -i fxp1
Show traffic of a single host: tcpdump host 1.2.3.4
Show traffic on a port: tcpdump src port 80
Show IP traffic to/from a host: tcpdump ip host 1.2.3.4
Show ARP traffic to/from a host: tcpdump arp host 1.2.3.4
Show RARP traffic to/from a host: tcpdump rarp host 1.2.3.4
Show all traffic except host unixserver: tcpdump not host unixserver
Show traffic to/from server1 and server2: tcpdump host server1 or host server2
Show packet contents on interface tun0 to/from host ya.ru: tcpdump -X -i tun0 host ya.ru
Peek at ICQ numbers and passwords: tcpdump -X -i fxp1 port aol
Show packet contents on interface tun0 to/from host ya.ru, reading 1500 bytes of each packet and not resolving IPs to host names: tcpdump -X -s 1500 -n -i tun0 host ya.ru
External links
http://www.linuxshare.ru/docs/net/tcpdump.html
http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt
Alternatives
Ethereal: GUI traffic analyzer
Tethereal: console version of Ethereal
// On FreeBSD, install it from ports
// Most other distributions ship it in optional packages
tethereal -i fxp0 -T text -f 'tcp port 5190' -w icqtext
Trafshow: console traffic monitor
Today I found myself needing to save packets from tcpdump to a file but also view them on screen. I've wanted to do that in the past, but today it became more important. It was suggested to me to use two instances of tcpdump, but I thought there had to be a better way. Luckily there is.
# tcpdump -U -s 1500 -w - <bpf> | tee <file> | tcpdump -lnr -
tcpdump -U -i any -s 0 -w - 'tcp port 29080 or 180 or 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'| tee /root/out.tcpdump |tcpdump -vvv -A -lr - |egrep '(GET|HTTP|Job|opwv|flv|mp4|3gp|Host\:|low|medium|high)'
Fun with Tcpdump
Tcpdump is a really useful program for capturing packets that are on the wire. It can be used to view packets going through your own interface, on a network with a hub, or on a switched network (arp-cache poisoning or mirrored switch ports).
The output from tcpdump can either be sent to the screen, written to a raw file using -w and viewed with tcpdump (using -r) or the capture files can be read with a tool such as Wireshark.
Tcpdump is a tool that anyone who is interested in networks should be familiar with. It will help you understand what normal traffic looks like on your network at a packet level so you can quickly identify abnormal traffic.
The purpose of this blog post is to get a few of the commands documented to familiarize myself with the tool so I can quickly apply filters when needed.
For Windows users there is a very good port of tcpdump called WinDump; the syntax is very similar, if not identical.
Using Tcpdump
When first running tcpdump without any filters the output can be overwhelming. Don't worry about this: as you begin to get familiar with the filters you can quickly get to the information you want.
If you have multiple interfaces that are up you may need to use the -i {interface} switch.
tcpdump -i eth1
The command can be terminated with ctrl+c.
I recommend using the -n switch to prevent name resolution whilst you are performing the capture. The name resolution can always be performed later.
tcpdump -i eth1 -n
You can also cut down the amount of data you capture by using the quiet option (-q):
tcpdump -q
Or, to really cut down on what I can see, I could use the following, which displays just the source and destination, the protocol and the packet size:
tcpdump -qt
As previously mentioned, the output of tcpdump can be sent to a file using the -w switch, or straight to a text file using the redirect >.
I recommend writing the output to libpcap format using a command such as:
tcpdump -i eth1 -n -w capture.lpc
However, you may want to view the output on the screen as you write it to a file. This can be done by using the -l switch and piping through tee into the file:
tcpdump -l | tee mydump
You can also limit the capture to a certain number of packets using the -c switch. To only collect 100 packets:
tcpdump -c 100
The -c switch can also be used when reading from a packet capture file:
tcpdump -n -s 1514 -r capture.lpc -c 5 tcp
The command above will read the first 5 tcp packets from the capture.lpc file.
Collecting Packets Based on Size
Usually tcpdump does not collect the entire packet. Use the snaplen option -s 0 to force it to do so:
tcpdump -s 0
Or to only collect the first 1514 bytes of a packet:
tcpdump -s 1514
1514 bytes will capture the Ethernet portion without VLAN tagging. To capture the VLAN tagging information an additional 4 bytes will need to be added.
To only collect packets from a particular host:
tcpdump -i eth1 -n -w capture.lpc host 208.68.234.113
Name Resolution
As mentioned earlier, by default tcpdump will resolve network addresses into names. To disable this use the -n switch, and to disable port resolution as well use -nn:
tcpdump -nn
Use -f to prevent remote name resolution.
If you are on the local LAN and want to capture only traffic based on a MAC address use:
tcpdump ether host 11:22:33:44:55:66
Or if you want the Ethernet header in the output use the -e option:
tcpdump -i eth1 -e -n -s 1514 -w capture.lpc
To restrict the capture to a network use:
tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1
or
tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1.0 mask 255.255.255.0
Using Keywords
Keywords allow you to easily filter traffic. The keywords that can be used are ip, tcp, udp, icmp and igmp.
As an example of using keywords, to capture all IP traffic use keywords:
tcpdump -i eth1 -n -w capture.lpc -s 1514 ip
or to capture just TCP traffic:
tcpdump -i eth1 -n -w capture.lpc -s 1514 tcp
Other traffic types without keywords can be captured using the "ip proto" option:
tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto l2tp
or by its protocol number as found in the /etc/protocols file:
tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto 115
To capture traffic based on its application from further up the stack, such as FTP traffic, specify the port:
tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21
And to capture the data portion of the FTP traffic as well you could add port 20. The two ports have to be joined with 'or': a single packet never carries both port 21 and port 20, so joining them with 'and' would match almost nothing:
tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21 or port 20
This could have been specified by name as detailed in the /etc/services file:
tcpdump -i eth1 -n -w capture.lpc -s 1514 port ftp or port ftp-data
In filter expressions 'and' (also written &&) requires both conditions to match, while 'or' (also written ||) indicates that either filter may apply:
tcpdump -i eth1 -n -w capture.lpc -s 1514 port http or https
tcpdump -i eth1 -n -w capture.lpc -s 1514 port 80 || 443
The above two filters will capture the same data.
Filtering by Packet Size
You could create a filter to capture packets that are larger than a certain size (in bytes):
tcpdump -i eth1 -n -w capture.lpc -s 1514 greater 250
This type of filter can be useful if you are trying to locate certain types of packet based on attributes from further up the stack.
We can also tell tcpdump to leave out certain types of traffic. In this example we don't want HTTP or HTTPS traffic but we want everything else:
tcpdump -i eth1 -n -w capture.lpc -s 1514 " (not tcp port http and not tcp port https)"
To view the output in hex and ASCII use -X (the verbose -v is optional). Leave out -w here: with -w the packets go to the file and nothing is printed.
tcpdump -i eth1 -n -s 1514 -X -v
To dump the whole packet in hex only use:
tcpdump -i eth1 -n -s 1514 -x -v
Further Examples
To display a list of visited sites:
tcpdump -w dumpfile
tcpdump -r dumpfile > textfile
cat textfile | /usr/bin/cut -f 8 -d ' ' | /bin/grep -i 'www*'
Looking at ICMP
Although you can capture all ICMP traffic, you could actually capture only particular types of ICMP based on attributes of the protocol. For example, if I wanted to capture just ICMP echo requests, knowing that an ICMP echo request is Type 8, I might use:
tcpdump -e -x "icmp[0]=8"
To capture just ICMP replies (Type 0) I might use:
tcpdump -e -x "icmp[0]=0"
Wireless Stuff
If I were curious about what networks wireless clients are probing for, I could set my card into promiscuous mode (ifconfig eth1 promisc), configure my wireless settings to monitor mode (iwconfig eth1 mode monitor) and issue the following command:
tcpdump -i eth1 -s0 -nn -vv -t | grep -i request
This would reduce the output to just display probe requests from nearby wireless clients.
Note: I will update this blog entry with new and interesting uses for Tcpdump as I learn them.
Links
For a great book on network monitoring using Tcpdump as well as many other opensource tools try "The Tao of Network Security Monitoring" from Richard Bejtlich.
Another great book on this topic is "Practical Packet Analysis".
Posted by SynJunkie. Labels: Packet Sniffing, Traffic Analysis
Export HTTP Objects (Wireshark)
1. Find the gzipped object of interest and right-click on the corresponding packet in the packet list, selecting "Follow TCP Stream" to isolate the stream.
2. Within the "Follow TCP Stream" window, note the name of the gzipped object in the previous GET block.
3. From the main window, choose File -> Export Objects -> HTTP.
4. Select the object. The packet number should match the packet number you discovered in step 1, and the Filename should match the name seen in step 2. Note that the content type that appears is the uncompressed content type, e.g. text/html, and not gzip.
5. Choose Save As, then Save. This will be the uncompressed object.
Note that you don't necessarily need to do "Follow TCP Stream" as long as you know the packet number and object name of the object of interest, or if you simply want to export all objects.
TCPDUMP expressions are also known as BPF, or Berkeley Packet Filters. On a TCPDUMP command line it is recommended to place them inside single quotes (UNIX) or double quotes (Windows) to avoid confusion and possible parsing errors.
Expressions
tcpdump host profl                                    dumps all packets to or from host profl
tcpdump ether host 11:22:33:44:55:66                  dumps all packets to or from that MAC address
tcpdump net 192.168.12.4/30                           dumps all packets to or from a network, specified using CIDR notation
tcpdump net 192.168.12.4 mask 255.255.255.252         dumps all packets to or from a network, specified using a mask
tcpdump tcp src port 53                               dumps all packets with source port 53/tcp
tcpdump host {thisIP}                                 show only IP traffic to or from thisIP
tcpdump host {thisIP} && host {thatIP}                show only IP traffic between thisIP and thatIP
tcpdump !(host {myIP}) && {remainder of expression}   ignore traffic from myIP (necessary if you're running TCPDUMP on a remote machine, to stop it from capturing the terminal session with your machine)
Primitives
icmp[0] = 0                                           show only echo reply
tcp[13] & 3 != 0                                      show only SYN or FIN packets
tcp[13] & 0x12 = 0x12                                 show only SYN/ACK packets
tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst) != 0    show SYN, FIN, and RST packets
ip[2:2] > 576                                         show only packets longer than 576 bytes
icmp[0] = 3 and icmp[1] = 4                           show ICMP type 3, code 4 (needs fragmenting but DF bit set)
ip[6] & 0x40 = 0x40                                   show only IP packets with DF bit set
vlan && ip                                            show only IEEE 802.1q IP packets. Changes the decoding offsets for the remainder of the expression, as if the VLAN header had been stripped away.
vlan 186 && ip                                        show only IP packets in IEEE 802.1q VLAN number 186
Assorted
ip proto 50                                           show only ESP packets (IP protocol 50)
ip proto 112                                          show only VRRP packets (IP protocol 112)
proto vrrp                                            all VRRP packets (works on IPSO)
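The byte-offset primitives above (ip[2:2], tcp[13] & 3, ip[6] & 0x40) and the TCP payload-length arithmetic in the tee pipeline earlier on this page are easier to trust once you see which bytes they index. This added Python example, not taken from any of the quoted notes or blog posts, reimplements those filters over a constructed Ethernet/IPv4/TCP frame; it assumes plain Ethernet framing (14-byte header, no 802.1Q tag), which is the layout tcpdump uses for its ip[] and tcp[] offsets.

```python
import struct

ETH_HLEN = 14  # assumption: plain Ethernet, no 802.1Q tag ('vlan' in a filter shifts this by 4)

def build_frame(tcp_flags: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not a real capture)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")   # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)                     # IHL=5 words, TCP data offset=5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                     0x4000,                               # flags/fragment field: DF bit set
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      5 << 4,                              # byte 12: data offset 5 words = 20 bytes
                      tcp_flags, 65535, 0, 0)              # byte 13: flags
    return eth + ip + tcp + payload

def ip_field(frame: bytes, off: int, size: int = 1) -> int:
    """ip[off:size] as tcpdump counts it: offset relative to the start of the IP header."""
    start = ETH_HLEN + off
    return int.from_bytes(frame[start:start + size], "big")

def tcp_field(frame: bytes, off: int, size: int = 1) -> int:
    """tcp[off:size]: tcpdump locates the TCP header via IHL, so IP options do not break it."""
    ihl_bytes = (ip_field(frame, 0) & 0x0F) << 2
    start = ETH_HLEN + ihl_bytes + off
    return int.from_bytes(frame[start:start + size], "big")

# The page's filters, evaluated exactly as the BPF arithmetic evaluates them.
def has_tcp_payload(frame: bytes) -> bool:
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0 : total length minus both headers."""
    payload_len = (ip_field(frame, 2, 2) - ((ip_field(frame, 0) & 0x0F) << 2)
                   - ((tcp_field(frame, 12) & 0xF0) >> 2))
    return payload_len != 0

def is_syn_or_fin(frame: bytes) -> bool:
    """tcp[13] & 3 != 0 : FIN is bit 0x01, SYN is bit 0x02."""
    return (tcp_field(frame, 13) & 0x03) != 0

def is_synack(frame: bytes) -> bool:
    """tcp[13] & 0x12 = 0x12 : SYN (0x02) and ACK (0x10) must both be set."""
    return (tcp_field(frame, 13) & 0x12) == 0x12

def df_set(frame: bytes) -> bool:
    """ip[6] & 0x40 = 0x40 : the Don't Fragment bit lives in byte 6 of the IP header."""
    return (ip_field(frame, 6) & 0x40) == 0x40

def longer_than(frame: bytes, n: int) -> bool:
    """ip[2:2] > n : compares the IP total-length field, not the frame length on the wire."""
    return ip_field(frame, 2, 2) > n
```

Running has_tcp_payload() over a bare SYN (no payload) returns False while an ACK|PSH carrying "GET ..." returns True, which is exactly what the tee pipeline's filter relies on to skip empty ACKs.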