Linux Tcpdump抓包分析详解
Linux Tcpdump抓包分析详解
tcpdump提供了源代码,公开了接口,因此具备很强的可扩展性,对于网络维护和入侵者都是非常有用的工具。tcpdump存在于基本的Linux系统中,由于它需要将网络界面设置为混杂模式,普通用户不能正常执行,但具备root权限的用户可以直接执行它来获取网络上的信息。因此系统中存在网络分析工具主要不是对本机安全的威胁,而是对网络上的其他计算机的安全存在威胁。
一、概述
顾名思义,tcpdump可以将网络中传送的数据包的“头”完全截获下来提供分析。它支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语句来帮助你去掉无用的信息。
#tcpdump
17:14:26.650373 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2508812, win 42, length 0
17:14:26.650379 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2508812:2508976, ack 417, win 2546, length 164
17:14:26.650405 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2508976:2509252, ack 417, win 2546, length 276
17:14:26.650472 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2509252:2509416, ack 417, win 2546, length 164
17:14:26.650516 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2509416:2509580, ack 417, win 2546, length 164
17:14:26.650563 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2509416, win 40, length 0
17:14:26.650568 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2509580:2509744, ack 417, win 2546, length 164
17:14:26.650631 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2509744:2510020, ack 417, win 2546, length 276
17:14:26.650676 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2510020:2510184, ack 417, win 2546, length 164
17:14:26.650742 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2510184:2510348, ack 417, win 2546, length 164
17:14:26.650771 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2510184, win 37, length 0
17:14:26.650777 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2510348:2510512, ack 417, win 2546, length 164
17:14:26.650840 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2510512:2510788, ack 417, win 2546, length 276
17:14:26.650884 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2510788:2510952, ack 417, win 2546, length 164
17:14:26.650945 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2510952, win 34, length 0
17:14:26.650958 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2510952:2511116, ack 417, win 2546, length 164
17:14:26.651053 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2511116:2511392, ack 417, win 2546, length 276
17:14:26.651096 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2511392:2511556, ack 417, win 2546, length 164
17:14:26.651163 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2511556:2511720, ack 417, win 2546, length 164
17:14:26.651206 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2511720:2511884, ack 417, win 2546, length 164
17:14:26.651273 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2511884:2512048, ack 417, win 2546, length 164
17:14:26.651312 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2511884, win 30, length 0
17:14:26.651320 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2512048:2512212, ack 417, win 2546, length 164
17:14:26.651383 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2512212:2512488, ack 417, win 2546, length 276
17:14:26.651427 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2512488:2512652, ack 417, win 2546, length 164
17:14:26.651492 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2512652, win 27, length 0
17:14:26.651499 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2512652:2512816, ack 417, win 2546, length 164
17:14:26.651525 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2512816:2513092, ack 417, win 2546, length 276
17:14:26.651592 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2513092:2513256, ack 417, win 2546, length 164
17:14:26.651636 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2513256:2513420, ack 417, win 2546, length 164
17:14:26.651702 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2513420:2513584, ack 417, win 2546, length 164
17:14:26.651731 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2513420, win 24, length 0
17:14:26.651740 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2513584:2513748, ack 417, win 2546, length 164
17:14:26.651782 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2513748:2514060, ack 417, win 2546, length 312
17:14:26.651830 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2514060:2514224, ack 417, win 2546, length 164
17:14:26.651896 IP 192.168.41.241.53674 > 192.168.41.160.ssh: Flags [.], ack 2514224, win 21, length 0
17:14:26.651902 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2514224:2514388, ack 417, win 2546, length 164
17:14:26.651928 IP 192.168.41.160.ssh > 192.168.41.241.53674: Flags [P.], seq 2514388:2514664, ack 417, win 2546, length 276
不带参数的tcpdump,数据包信息巨大,需要过滤
二、tcpdump的表达式
-
第一种是关于类型的关键字,主要包括host,net,port,例如 host 210.27.48.2, 指明
210.27.48.2是一台主机,net 202.0.0.0指明202.0.0.0是一个网络地址,port 23 指明端口号是23。如果没有指定类型,缺省的类型是host。第二种是确定传输方向的关键字,主要包括src,dst,dst or src,dst and src,
这些关键字指明了传输的方向。举例说明,src 210.27.48.2 ,指明ip包中源地址是 210.27.48.2 , dst net
202.0.0.0 指明目的网络地址是202.0.0.0。如果没有指明方向关键字,则缺省是src or dst关键字。- 第三种是协议的关键字,主要包括fddi,ip,arp,rarp,tcp,udp等类型。Fddi指明是在FDDI (分布式光纤数据接口网络)上的特定的网络协议,实际上它是”ether”的别名,fddi和ether
具有类似的源地址和目的地址,所以可以将fddi协议包当作ether的包进行处理和分析。
其他的几个关键字就是指明了监听的包的协议内容。如果没有指定任何协议,则tcpdump 将会 监听所有协议的信息包。
三、输出结果介绍
- 第三种是协议的关键字,主要包括fddi,ip,arp,rarp,tcp,udp等类型。Fddi指明是在FDDI (分布式光纤数据接口网络)上的特定的网络协议,实际上它是”ether”的别名,fddi和ether
-
(1) 数据链路层头信息 使用命令:
#tcpdump --e host ICE ICE 是一台装有linux的主机。它的MAC地址是0:90:27:58:AF:1A H219是一台装有Solaris的SUN工作站。它的MAC地址是8:0:20:79:5B:46; 上一条命令的输出结果如下所示:21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60:
h219.33357 > ICE. telne t 0:0(0) ack 22535 win 8760 (DF)21:50:12是显示的时间, 847509是ID号,eth0 <表示从网络接口eth0接收该分组, eth0
表示从网络接口设备发送分组, 8:0:20:79:5b:46是主机H219的MAC地址, 它表明是从源地址H219发来的分组. 0:90:27:58:af:1a是主机ICE的MAC地址, 表示该分组的目的地址是ICE。 ip 是表明该分组是IP分组,60
是分组的长度, h219.33357 > ICE. telnet 表明该分组是从主机H219的33357端口发往主机ICE的
TELNET(23)端口。 ack 22535 表明对序列号是222535的包进行响应。 win 8760表明发 送窗口的大小是8760。(2) ARP包的tcpdump输出信息
使用命令:
#tcpdump arp得到的输出结果是:
22:32:42.802509 eth0 > arp who-has route tell ICE (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66
(0:90:27:58:af:1a)22:32:42是时间戳, 802509是ID号, eth0 >表明从主机发出该分组,arp表明是ARP请求包, who-has
route tell ICE表明是主机ICE请求主机route的MAC地址。 0:90:27:58:af:1a是主机 ICE的MAC地址。(3) TCP包的输出信息
用tcpdump捕获的TCP包的一般输出信息是:
src > dst: flags data-seqno ack window urgent options
src > dst:表明从源地址到目的地址, flags是TCP报文中的标志信息,S 是SYN标志, F (FIN), P (PUSH)
, R (RST) “.” (没有标记); data-seqno是报文中的数据 的顺序号, ack是下次期望的顺序号,
window是接收缓存的窗口大小, urgent表明 报文中是否有紧急指针。 Options是选项。(4) UDP包的输出信息
用tcpdump捕获的UDP包的一般输出信息是:
route.port1 > ICE.port2: udp lenth
UDP十分简单,上面的输出行表明从主机route的port1端口发出的一个UDP报文 到主机ICE的port2端口,类型是UDP,
包的长度是lenth。
举例
- (1) 想要截获所有210.27.48.1 的主机收到的和发出的所有的分组:
#tcpdump host 210.27.48.1
(2) 想要截获主机210.27.48.1
和主机210.27.48.2或210.27.48.3的通信,使用命令(注意:括号前的反斜杠是必须的):
#tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3 )
(3) 如果想要获取主机210.27.48.1除了和主机210.27.48.2之外所有主机通信的ip包,使用命令:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) 如果想要获取主机192.168.228.246接收或发出的ssh包,并且不转换主机名使用如下命令:
#tcpdump -nn -n src host 192.168.228.246 and port 22 and tcp
(5) 获取主机192.168.228.246接收或发出的ssh包,并把mac地址也一同显示:
2. # tcpdump -e src host 192.168.228.246 and port 22 and tcp -n -nn
(6) 过滤的是源主机为192.168.0.1与目的网络为192.168.0.0的报头: tcpdump src host
192.168.0.1 and dst net 192.168.0.0/24
(7) 过滤源主机物理地址为XXX的报头: tcpdump ether src 00:50:04:BA:9B and dst……
(为什么ether src后面没有host或者net?物理地址当然不可能有网络)。
- (8) 过滤源主机192.168.0.1和目的端口不是telnet的报头,并导入到tes.t.txt文件中: Tcpdump src
host 192.168.0.1 and dst port not telnet -l > test.txt