Hi, I’m Chopin and this is my 11th original article.

Tcpdump is a very useful network tool in Linux. It is usually used for fault diagnosis and network analysis.

Tcpdump is more complex than most Linux tools. Of course, I do not recommend learning all of it; the key is to learn enough to apply it and solve the problems you meet at work.

Based on application scenarios and basic principles, this document provides rich practical cases to help you quickly master the core methods of using tcpdump and meet daily requirements.

Application scenarios

Many network problems encountered in daily work can be gracefully solved with tcpdump:

1. Most of you have experienced a slow SSH connection to a server. By capturing packets with tcpdump, you can quickly locate the specific cause.

2. When engineers and users dispute the cause of a network problem, capturing packets with tcpdump quickly locates the fault so that it can be removed without any pressure.

3. When our newly developed network program does not work as expected, we collect relevant data packets through tcpdump, analyze the specific reasons from the packet level, and solve the problem easily.

4. When the performance of our network program is low, tcpdump is used to analyze the characteristics of data flow and optimize network parameters in combination with relevant protocols to improve the network performance of the system.

5. When learning network protocols, you can use tcpdump to capture packets and analyze the protocol format, which helps you learn network protocols more intuitively, effectively, and quickly.

The above is a brief list of common application scenarios. Tcpdump is a powerful network tool for network diagnosis, network optimization, and protocol learning. It can be found wherever there are network problems.

Skilled use of tcpdump can help us solve a variety of network problems in work. Let’s briefly learn how it works.

How it works

Tcpdump is a useful network tool in Linux. It runs in user mode and captures packets by calling the APIs of the libpcap library.

The preceding figure shows that after a packet arrives at the network adapter, it is filtered by the packet filter (BPF) and copied to the tcpdump program in user mode, which then processes it and prints it or saves it to a PCAP file.

The packet filter (BPF) copies only the packets that the user cares about to tcpdump, based on the filter rules the user entered. This avoids unnecessary packet copying and reduces the performance loss caused by packet capture.

Think about it: here is a real interview question.

Interviewer: If some packets are blocked by Iptables, can I catch them using tcpdump?

We can easily answer this question by looking at the figure above.

On Linux, netfilter (iptables) works inside the protocol stack, while the tcpdump filter (BPF) works below it, at the network device layer. So an inbound packet that iptables later drops is still seen by tcpdump, whereas an outbound packet dropped by iptables never reaches the device and is not captured.

Now that we understand the basics of tcpdump, let’s get right into the action!

Practice: basic usage

Let’s start with a few simple examples to introduce the basic usage of tcpdump.

1. With no arguments, tcpdump captures all packets on the first non-loopback interface by default

$ tcpdump 

2. Capture all packets on the eth0 NIC

$ tcpdump -i eth0

3. Specify the -n option so that host and port names are not resolved. This option matters because name resolution affects capture performance; specify it whenever you capture packets.

$ tcpdump -n -i eth0

4. Capture all packets of the specified host 192.168.1.100

$ tcpdump -ni eth0 host 192.168.1.100

5. Capture the packets sent by the specified host 10.1.1.2

$ tcpdump -ni eth0 src host 10.1.1.2

6. Capture all packets sent to 10.1.1.2

$ tcpdump -ni eth0 dst host 10.1.1.2

7. Capture packets sent from eth0 to the specified host and stop after 10 packets. The -c option is also common

$ tcpdump -ni eth0 -c 10 dst host 192.168.1.200

8. Capture all SSH request packets on eth0. The default SSH port is 22

$ tcpdump -ni eth0 dst port 22

9. Capture five ping packets from the eth0 network adapter

$ tcpdump -ni eth0 -c 5 icmp

10. Capture all ARP packets on the eth0 network adapter

$ tcpdump -ni eth0 arp

11. Print packets in hexadecimal, which is useful when you need to inspect the contents of a packet for problems.

$ tcpdump -ni eth0 -c 1 arp -X
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:31.602995 ARP, Request who-has 172.17.92.133 tell 172.17.95.253, length 28
	0x0000:  0001 0800 0604 0001 eeff ffff ffff ac11  ................
	0x0010:  5ffd 0000 0000 0000 ac11 5c85            _.........\.

12. Capture only IPv6 traffic on eth0

$ tcpdump -ni eth0 ip6

13. Capture the traffic of the specified port range

$ tcpdump -ni eth0 portrange 80-9000

14. Capture the traffic of the specified network segment

$ tcpdump -ni eth0 net 192.168.1.0/24

Practice: advanced usage

The powerful function and flexible policies of tcpdump are mainly reflected in the powerful expression combination capability of filter (BPF).

This section shares some commonly used, so-called advanced usage; I hope readers can apply it flexibly to their own needs.

1. Capture the packets in which the specified client accesses SSH

$ tcpdump -ni eth0 src 192.168.1.100 and dst port 22

2. Capture the traffic from one network segment to other network segments

$ tcpdump -ni eth0 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'

3. Capture the traffic from a host destined for non-SSH ports

$ tcpdump -ni eth0 src 10.0.2.4 and not dst port 22

4. When building complex expressions, you may need quotes. Single quotes keep the shell from interpreting special characters such as parentheses, so they reach tcpdump unchanged

$ tcpdump -ni eth0 'src 10.0.2.4 and (dst port 3389 or 22)'

5. Filter by packet size. Use this when you are looking for packets of a specific size

Less than or equal to 64 bytes:

$ tcpdump -ni eth0 less 64

Greater than or equal to 64 bytes:

$ tcpdump -ni eth0 greater 64

Equals 64 bytes:

$ tcpdump -ni eth0 'len == 64'

6. Filter packets by TCP flags

Capture RST packets sent by a host:

$ tcpdump -ni eth0 'src host 192.168.1.100 and tcp[tcpflags] & tcp-rst != 0'

Capture SYN packets sent by a host:

$ tcpdump -ni eth0 'src host 192.168.1.100 and tcp[tcpflags] & tcp-syn != 0'

Capture FIN packets sent by a host:

$ tcpdump -ni eth0 'src host 192.168.1.100 and tcp[tcpflags] & tcp-fin != 0'

Capture SYN or FIN packets of TCP connections:

$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

7. Capture all non-ping ICMP packets

$ tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

8. Capture IPv4 packets on port 80 that carry data, excluding packets without payload such as bare SYN, FIN, and ACK packets

$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Here ip[2:2] is the IP total length, (ip[0]&0xf)<<2 is the IP header length, and (tcp[12]&0xf0)>>2 is the TCP header length, so the expression computes the TCP payload length. If the result is not 0, the packet carries data.

9. Capture HTTP packets. 0x4745 is the first two characters of GET ("GE") and 0x4854 is the first two characters of HTTP ("HT"). Note that tcp[20:2] assumes a 20-byte TCP header with no options

$ tcpdump -ni eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
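To see what the filters in items 6, 8 and 9 actually compute, the following added example (not part of the original post) decodes the same byte offsets in Python on constructed IPv4/TCP packets; the addresses, ports and option bytes are placeholders I chose, and the checksums are left at zero.

```python
import struct

# Constructed sample packets (not captured traffic); the addresses are placeholders.
SRC, DST = bytes([10, 0, 2, 4]), bytes([10, 0, 2, 5])
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04  # pcap's tcp-fin, tcp-syn, tcp-rst


def build_packet(flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Build a minimal IPv4/TCP packet to port 80 (checksums left at 0)."""
    tcp_hlen = 20 + len(options)
    assert tcp_hlen % 4 == 0, "TCP options must pad to a 32-bit boundary"
    total = 20 + tcp_hlen + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, SRC, DST)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_hlen // 4) << 4,
                      flags, 65535, 0, 0)
    return ip + tcp + options + payload


def decode(pkt: bytes) -> dict:
    """Read the same bytes the filters use: ip[0]&0xf, ip[2:2], tcp[12], tcp[13]."""
    ihl = (pkt[0] & 0x0F) << 2                    # (ip[0]&0xf)<<2: IP header length
    total_len = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]: IP total length
    tcp = pkt[ihl:]                               # tcp[N] offsets are relative to here
    tcp_hlen = (tcp[12] & 0xF0) >> 2              # (tcp[12]&0xf0)>>2: TCP header length
    payload_len = total_len - ihl - tcp_hlen      # the arithmetic from item 8
    return {"flags": tcp[13], "payload_len": payload_len, "tcp20": tcp[20:22],
            "payload": tcp[tcp_hlen:tcp_hlen + payload_len]}


def has_payload(pkt: bytes) -> bool:
    """Item 8: the payload-length expression is != 0."""
    return decode(pkt)["payload_len"] != 0


def flag_set(pkt: bytes, mask: int) -> bool:
    """Item 6: tcp[tcpflags] & mask != 0."""
    return decode(pkt)["flags"] & mask != 0


def http_start_fixed_offset(pkt: bytes) -> bool:
    """Item 9 as written: tcp[20:2] is 0x4745 ('GE') or 0x4854 ('HT')."""
    return decode(pkt)["tcp20"] in (b"GE", b"HT")


def http_start_real_offset(pkt: bytes) -> bool:
    """Same check, but read from the real payload offset given by tcp[12]."""
    return decode(pkt)["payload"][:2] in (b"GE", b"HT")
```

With 12 bytes of TCP options (for example NOP, NOP, timestamp) in front of a GET request, http_start_fixed_offset returns False while http_start_real_offset still returns True, which is exactly the limitation of the tcp[20:2] filter.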

Commonly used options

Based on the above examples, you should now have a grasp of the basic usage of tcpdump. Here we summarize the common options in detail.

(1) Basic options

  • -i: Specifies the interface.
  • -D: Lists the interfaces that can be used to capture packets
  • -s: Specifies the packet capture length
  • -c: Specifies the number of packets to capture
  • -w: Saves captured packet data in a file
  • -r: Reads data from a file
  • -C: Specifies the file size, used together with -w
  • -F: Reads an expression to capture packets from a file
  • -n: Do not resolve host and port names. This option is important and usually needs to be added
  • -P: Specifies whether to capture incoming or outgoing packets: in, out, or inout (newer tcpdump versions call this option -Q)

(2) Output options

  • -e: The output information contains the header information of the data link layer
  • -t: Do not print a timestamp on each line; -tttt prints a full date and time stamp
  • -X: Displays the hexadecimal format
  • -v: Displays detailed packet information; -vv and -vvv show progressively more detail

Filter expression

As the practice sections showed, the power and flexibility of tcpdump come from the way filter (BPF) expressions can be combined. This section summarizes their building blocks.

(1) Operation object

The following objects can be operated on in an expression:

  • type: the kind of object, for example host, net, port, portrange. If no type is given, host is assumed
  • dir: the direction of transmission, either src or dst
  • proto: the protocol, one of ether, ip, ip6, arp, icmp, tcp, udp

(2) Combination of conditions

Expression objects can be connected with the keywords and, or, and not to form more powerful expressions.

  • or: logical OR
  • and: logical AND
  • not: negation

After reading this, I suggest you go back to the examples in the practice sections; I believe you will understand them more deeply. If so, that is exactly what I am hoping for!

Experience

Without adding new material, I would like to share some experience from my own work:

1. Remember that tcpdump is not a panacea and will not solve all network problems.

2. Packet capture may affect system performance in high traffic scenarios. Exercise caution when using packet capture in a production environment.

3. In high traffic scenarios, tcpdump is not suitable for traffic statistics. If necessary, you can use switch mirroring to analyze statistics.

4. On Linux, you can capture packets using tcpdump and analyze data using Wireshark.

5. Do not use the any interface to capture packets.

6. During packet capture, specify a detailed packet filtering expression to reduce the copying of useless packets.

7. During packet capture, specify the -n option to reduce the performance overhead caused by resolving hosts and ports.

Conclusion

Tcpdump is a powerful tool for fault diagnosis and network analysis. In our daily work, network problems can always be solved with tcpdump.

Tcpdump can be a lot more complex than other Linux commands, but its power is worth the extra time. To understand tcpdump well, you need to understand network packets (TCP/IP).

Of course, for simple use, basic networking concepts plus the common tcpdump usage shown here are enough to handle most network-related problems at work.

That’s all. Thank you for reading. I’m Chopin. Follow my WeChat official account “programming accomplishment”, where plenty of practical articles are waiting for you!

Reply “1024” in the account’s chat for a surprise!

Recommended reading:

  • A letter to Linux beginners
  • The most detailed load balancing principle diagram on the web
  • Sed tutorial explained in detail, understandable even for beginners
  • Linux three musketeers: the grep tutorial explained in detail
  • The Linux file search tool find in practice, recommended for bookmarking!
  • Prerequisites for Linux network analysis: tcpdump