Preface
Before introducing and using tcpdump, make sure you have mastered, or at least understand, the following key concepts; otherwise the rest of this text will be painful:
Being able to work on the Linux command line
Understanding the seven-layer OSI network model
Familiarity with the protocol headers of each layer, above all IP/TCP/UDP
Which OSI layers switches and routers correspond to
Also note the following:
tcpdump is a command-line packet sniffer for Unix-like systems. To capture packets addressed to other hosts' MAC addresses with tcpdump, the network interface must be put into promiscuous mode. In the simplest terms, promiscuous mode makes the NIC pick up every packet that passes it, whether or not the packet was sent to it or by it; see http://en.wikipedia.org/wiki/Promiscuous_mode for more on promiscuous mode. In general, Unix does not let ordinary users enable promiscuous mode, because it exposes other people's traffic, such as telnet usernames and passwords, which raises security concerns; only root can enable it. The command to enable promiscuous mode is: ifconfig eth0 promisc, where eth0 is the interface you want to put into promiscuous mode. Someone is bound to ask whether promiscuous mode has to be enabled on Windows. On Windows the NIC itself has no notion of promiscuous or non-promiscuous mode; it is up to the application, for example when capturing with Wireshark you can set it to capture in promiscuous mode (which is why those damned ARP-spoofing viruses can run rampant). tcpdump can of course also be given a capture filter, and its filter language is very well known: the Berkeley Packet Filter, BPF for short.
Introduction to tcpdump
tcpdump is the premier network analysis tool for information security professionals. tcpdump is a command-line network analyzer tool or, more technically, a packet sniffer. Having a solid grasp of this uber-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. It can be thought of as the command-line version of Wireshark (only to a certain extent, since Wireshark is much more powerful and capable. Many prefer to use higher-level analysis tools such as Wireshark, but I believe this to usually be a mistake: you must know how Wireshark works).
As a command-line tool tcpdump is quite powerful for network analysis, as filter expressions can be passed in and tcpdump will pick up only the matching packets and dump them.
Installing tcpdump
### CentOS
[root@localhost ~]# yum search tcpdump
======================== Matched: tcpdump ===============================
arpwatch.i386 : Network monitoring tools for tracking IP addresses on a network.
libpcap.i386 : A system-independent interface for user-level packet capture.
libpcap-devel.i386 : A pcap library.
tcpdump.i386 : A network traffic monitoring tool.
[root@localhost ~]# yum -y install tcpdump
### Ubuntu
$ sudo apt-get install tcpdump
On Linux, tcpdump depends on the libpcap library; for more about libpcap, see here.
tcpdump command-line options
The options below will help us get more out of tcpdump. They are easy to forget and easy to confuse with one another, so keep checking the man page.
First, depending on the situation, I like to add a few options to the tcpdump command itself. The first is -n: do not resolve names, so results are shown as IP addresses. The second is -X: print the packet contents in hex and ASCII. The last is -S: show absolute sequence numbers rather than relative ones.
An important point: by default tcpdump only captures the first 96 bytes of each packet. If you want to capture more, add the -s number option, where number is the number of bytes you want to capture. I recommend using 0 (zero) as the number, which captures the entire contents of every packet.
Below are the options I use most often:
Basic tcpdump usage
1. -n Don't convert host addresses to names. This can be used to avoid DNS lookups.
[root@localhost ~]# tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:25:33.472001 IP 192.168.27.129.46255 > 192.168.27.2.53: 36340+ A? www.baidu.com. (31)
By default, tcpdump watches every packet passing through the first network interface. Let's look at this line of tcpdump output.
The first field, "17:25:33.472001", is a timestamp with millisecond-level precision.
The second field, "IP", is the packet's protocol.
The third field, "192.168.27.129.46255", is the source IP address joined with the source port.
The fourth field, "192.168.27.2.53", is the destination IP address joined with the destination port, followed by some information about the packet.
2. -v -vv -vvv verbose, very verbose, very very verbose
-S Print absolute, rather than relative, TCP sequence numbers.
[root@localhost ~]# tcpdump -nnvvS
3. -X Print each packet (minus its link level header) in hex and ASCII.
[root@localhost ~]# tcpdump -nnvvXS
4. -s increases the default snaplength, grabbing the whole packet
[root@localhost ~]# tcpdump -nnvvXS -s 1514
[root@localhost ~]# tcpdump -nnvvXS -s0
5. Capture exactly two (-c2) ICMP packets (a ping)
[root@localhost ~]# tcpdump -nnvvXS -s0 -c2
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:20:16.361251 IP (tos 0x0, ttl 64, id 28517, offset 0, flags [DF], proto: UDP (17), length: 59) 192.168.27.129.56183 > 192.168.27.2.53: [udp sum ok] 8002+ A? www.baidu.com. (31)
        0x0000:  4500 003b 6f65 4000 4011 1379 c0a8 1b81  E..;oe@.@..y....
        0x0010:  c0a8 1b02 db77 0035 0027 90dc 1f42 0100  .....w.5.'...B..
        0x0020:  0001 0000 0000 0000 0377 7777 0562 6169  .........www.bai
        0x0030:  6475 0363 6f6d 0000 0100 01              du.com.....
19:20:16.468176 IP (tos 0x0, ttl 128, id 182, offset 0, flags [none], proto: UDP (17), length: 118) 192.168.27.2.53 > 192.168.27.129.56183: [udp sum ok] 8002 q: A? www.baidu.com. 3/0/0 www.baidu.com. CNAME www.a.shifen.com., www.a.shifen.com. A 61.135.169.105, www.a.shifen.com. A 61.135.169.125 (90)
        0x0000:  4500 0076 00b6 0000 8011 81ed c0a8 1b02  E..v............
        0x0010:  c0a8 1b81 0035 db77 0062 48e9 1f42 8180  .....5.w.bH..B..
        0x0020:  0001 0003 0000 0000 0377 7777 0562 6169  .........www.bai
        0x0030:  6475 0363 6f6d 0000 0100 01c0 0c00 0500  du.com..........
        0x0040:  0100 0000 0500 0f03 7777 7701 6106 7368  ........www.a.sh
        0x0050:  6966 656e c016 c02b 0001 0001 0000 0005  ifen...+........
        0x0060:  0004 3d87 a969 c02b 0001 0001 0000 0005  ..=..i.+........
        0x0070:  0004 3d87 a97d                           ..=..}
2 packets captured
3 packets received by filter
0 packets dropped by kernel
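The -X dump above is only useful if you can read the headers underneath it, which is why the preface asks for familiarity with the IP/TCP/UDP headers. As an added example (not part of the original post, and not tcpdump's own code), the following Python script takes the hex column of the first packet above, walks it layer by layer (IPv4, UDP, DNS) and recomputes the two checksums that tcpdump reported as correct, so that every field in tcpdump's decode line (ttl 64, id 28517, DF, length 59, 56183 > 53, "[udp sum ok]", "8002+ A? www.baidu.com.") can be reproduced from the raw bytes. The function and field names are my own; the input bytes are copied from the dump.

```python
"""Decode the first packet of the `tcpdump -nnvvXS -s0 -c2` capture above
(an A query for www.baidu.com) layer by layer, and verify the checksums that
tcpdump reported as correct."""
import struct

# Constructed input: the hex column of the first packet from the capture above,
# with the ASCII column stripped. -X omits the link-layer header, so byte 0 is
# the start of the IPv4 header.
QUERY_HEX = """
4500 003b 6f65 4000 4011 1379 c0a8 1b81
c0a8 1b02 db77 0035 0027 90dc 1f42 0100
0001 0000 0000 0000 0377 7777 0562 6169
6475 0363 6f6d 0000 0100 01
"""


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from the hex column of a tcpdump -X dump."""
    return bytes.fromhex("".join(dump.split()))


def inet_checksum(data):
    """RFC 1071 Internet checksum. Run over data that already contains a
    correct checksum field, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(pkt):
    """Parse the fixed IPv4 header; mirrors the fields tcpdump -vv prints."""
    (ver_ihl, tos, length, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "tos": tos, "ttl": ttl, "id": ident,
        "length": length, "proto": proto,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "offset": (frag & 0x1FFF) * 8,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "header_sum_ok": inet_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:length],
        "_raw_addrs": src + dst,            # kept for the UDP pseudo-header
    }


def decode_udp(ip):
    """Parse the UDP header and verify its checksum over the IPv4 pseudo-header
    (src, dst, zero, protocol, UDP length) plus the UDP header and data."""
    seg = ip["payload"]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", seg[:8])
    pseudo = ip["_raw_addrs"] + struct.pack("!BBH", 0, ip["proto"], ulen)
    return {
        "sport": sport, "dport": dport, "length": ulen,
        "sum_ok": inet_checksum(pseudo + seg[:ulen]) == 0,
        "payload": seg[8:ulen],
    }


def decode_dns_question(msg):
    """Parse the DNS header and the first question. A query's question section
    is a plain label sequence, so no compression pointers need handling here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {
        "id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
        "qdcount": qd, "ancount": an,
        "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass,
    }


def decode_query(dump=QUERY_HEX):
    """Full decode IPv4 -> UDP -> DNS for one packet from a -X dump."""
    ip = decode_ipv4(hexdump_to_bytes(dump))
    udp = decode_udp(ip)
    dns = decode_dns_question(udp["payload"])
    return ip, udp, dns


if __name__ == "__main__":
    ip, udp, dns = decode_query()
    print("IP ttl=%d id=%d df=%s proto=%d length=%d header_sum_ok=%s"
          % (ip["ttl"], ip["id"], ip["df"], ip["proto"], ip["length"],
             ip["header_sum_ok"]))
    # Same information tcpdump printed on its decode line for this packet.
    print("%s.%d > %s.%d: [udp sum %s] %d%s %s? %s" % (
        ip["src"], udp["sport"], ip["dst"], udp["dport"],
        "ok" if udp["sum_ok"] else "bad", dns["id"], "+" if dns["rd"] else "",
        {1: "A"}.get(dns["qtype"], dns["qtype"]), dns["qname"]))
```

The "+" after the DNS id in tcpdump's output is the RD (recursion desired) flag, which here comes from the 0x0100 flags word; the UDP "sum ok" verdict is the pseudo-header checksum that decode_udp recomputes. Decoding the second packet (the response) would additionally need DNS name-compression pointers (the c00c, c016 and c02b bytes in its dump), which this question-only parser deliberately does not implement.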
Common Syntax
Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.
expression
select which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is 'True' will be dumped.
There are three different kinds of qualifier.
type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. If there is no type qualifier, host is assumed.
dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. If there is no dir qualifier, src or dst is assumed.
proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. E.g. 'tcp src 192.168.1.2'. If there is no proto qualifier, all protocols consistent with the type are assumed.
Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all they'll be pretty familiar to you:
Examples:
### type
## host
# tcpdump host 1.2.3.4
## net
# tcpdump net 1.2.3.0/24
# tcpdump net 1.2
## port
# tcpdump port 80
## src, dst
# tcpdump src 1.2.3.4
# tcpdump dst 1.2.3.4
## proto
# tcpdump icmp
### type, dir, proto
# tcpdump 'src port 3306 and tcp'
# tcpdump 'udp and src port 53'
Writing to a File
tcpdump allows you to send what you're capturing to a file for later use using the -w option, and then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.
The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.
## capture all port 80 traffic to a file
# tcpdump -s 1514 port 80 -w capture_file
## read captured traffic back into tcpdump
# tcpdump -r capture_file
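To make concrete what `-w` actually writes and what `-r` reads back, and how a `port` qualifier with the default `src or dst` direction from the Common Syntax section above selects packets, here is an added example in Python. It is not part of the original post and not libpcap's code: it writes the classic pcap file format (24-byte global header, 16-byte per-record header, version 2.4), applies a port filter before writing, truncates each record to the snaplen the way `-s` does, and parses the file back. The packet bytes are the DNS query from the -X dump above; the second packet (a ping) and the timestamps are constructed, and LINKTYPE_RAW is used because the -X dump lacks the Ethernet header that a real eth0 capture (link-type EN10MB) would carry.

```python
"""Write packets in the file format that `tcpdump -w` produces and read them
back, as `tcpdump -r` does, with a `port` filter applied before writing."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap magic, in the writer's byte order
LINKTYPE_RAW = 101        # each record starts at the IP header (no link-layer header)

# Constructed input: raw bytes of the DNS query packet from the -X dump above
# (its hex column, with the ASCII column removed).
QUERY = bytes.fromhex(
    "4500003b6f65400040111379c0a81b81"
    "c0a81b02db770035002790dc1f420100"
    "00010000000000000377777705626169"
    "647503636f6d0000010001"
)
# Constructed input: a minimal IPv4/ICMP echo request with zeroed checksums;
# only its protocol byte matters to the port filter below.
PING = bytes.fromhex("4500001c0001000040010000c0a81b81c0a81b02" "0800000000010001")


def write_pcap(path, packets, linktype=LINKTYPE_RAW, snaplen=65535):
    """Write (seconds, microseconds, bytes) records; bytes beyond snaplen are
    dropped exactly as tcpdump -s <snaplen> would drop them."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
        for sec, usec, data in packets:
            captured = data[:snaplen]
            # per-record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", sec, usec, len(captured), len(data)))
            f.write(captured)


def read_pcap(path):
    """Parse a pcap file written in either byte order; returns the global
    header fields and a list of (sec, usec, data, original_length)."""
    with open(path, "rb") as f:
        head = f.read(24)
        magic = struct.unpack("<I", head[:4])[0]
        if magic == PCAP_MAGIC:
            end = "<"
        elif magic == 0xD4C3B2A1:          # same magic written big-endian
            end = ">"
        else:
            raise ValueError("not a pcap file")
        _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", head)
        records = []
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            sec, usec, caplen, origlen = struct.unpack(end + "IIII", rec)
            records.append((sec, usec, f.read(caplen), origlen))
    return {"version": (vmaj, vmin), "snaplen": snaplen,
            "linktype": linktype, "records": records}


def l4_ports(ip_pkt):
    """(src port, dst port) of a raw IPv4 packet carrying TCP or UDP, else None."""
    if ip_pkt[9] not in (6, 17):
        return None
    ihl = (ip_pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", ip_pkt[ihl:ihl + 4])


def capture_to_file(path, packets, port, snaplen=65535):
    """In-memory equivalent of `tcpdump -s <snaplen> port <port> -w <path>`:
    `port` alone means `src or dst port`, the default dir qualifier."""
    kept = [p for p in packets if port in (l4_ports(p[2]) or ())]
    write_pcap(path, kept, snaplen=snaplen)
    return len(kept)


def demo(path=None, snaplen=40):
    """Filter two constructed packets on port 53, write them, read them back."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".pcap")
        os.close(fd)
    # constructed timestamps: the microsecond fields of the capture above on an
    # arbitrary epoch second
    packets = [(1300000000, 361251, QUERY), (1300000000, 468176, PING)]
    kept = capture_to_file(path, packets, port=53, snaplen=snaplen)
    return kept, read_pcap(path)


if __name__ == "__main__":
    kept, cap = demo()
    print("wrote %d packet(s); linktype %d, snaplen %d" % (kept, cap["linktype"], cap["snaplen"]))
    for sec, usec, data, origlen in cap["records"]:
        # caplen smaller than origlen is what a too-small -s looks like on read-back
        print("%d.%06d caplen=%d origlen=%d" % (sec, usec, len(data), origlen))
```

Running demo() with the default snaplen of 40 shows why the -s advice above matters: the 59-byte DNS query is stored with caplen 40 and origlen 59, so the question name is cut off in the file and no later tool can recover it. Two caveats for real files: tcpdump also writes a nanosecond-resolution variant with magic 0xA1B23C4D, which this reader rejects, and the 96-byte default snaplen quoted earlier applies to older releases; current tcpdump versions default to a snaplen of 262144 bytes, large enough for whole packets.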
More Examples
# tcpdump -nnvvS 'src 10.5.2.3 and dst port 3306'
# tcpdump 'src 10.0.2.4 and (dst port 3306 or 22)'
## you know what this one is for
[root@localhost ~]# tcpdump -i eth0 -nnvvXS -s1514 'port 22 or port 23 or port 25 or port 110' | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|pass:|user:|username:|password:|login:|pass |user ' -B20
http://danielmiessler.com/study/tcpdump/
http://openmaniak.com/tcpdump.php
http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/
http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html (good)
http://blog.csdn.net/langeldep/article/details/6156818
http://roclinux.cn/?p=2474
http://www.chinaunix.net/old_jh/29/674578.html
http://blog.chinaunix.net/uid-10328574-id-2951040.html