[Linux Network] Linux network packet capture tool tcpdump

1. Introduction to tcpdump

tcpdump is a command-line packet capture tool for Linux. It lets a user intercept and display TCP/IP and other packets sent or received over the host's network connections. tcpdump runs on most Unix-like operating systems (Linux, the BSDs, and so on).

2. Installation & Usage Instructions

1) Installation

$ yum -y install tcpdump

2) Instructions for use

tcpdump is driven from the command line; its invocation format is:

tcpdump [ -DenNqvX ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -w file ] [ expression ]

Packet capture options:

  • -c count: Stop after capturing count packets. Note that the count refers to packets that match the filter: “-c 10” stops after 10 matching packets, even though 100 packets may have been processed in the meantime, of which only 10 satisfied the expression.

  • -i interface: Specify the interface tcpdump should listen on. If this option is not given, tcpdump searches the system interface list for the lowest-numbered configured interface (excluding loopback; to capture on loopback use tcpdump -i lo) and stops at the first one that qualifies. The keyword ‘any’ stands for all network interfaces.

  • -n: Show addresses numerically instead of resolving them to host names; in other words, -n disables host name resolution.

  • -nn: Like -n, and additionally show ports as numbers instead of service names.

  • -N: Do not print out the domain name part of the host. For example tcpdump will print ‘nic’ instead of ‘nic.ddn.mil’.

  • -P direction: Choose whether incoming packets, outgoing packets, or both are captured. The possible values are “in”, “out” and “inout”; the default is “inout”.

  • -s len: Set the capture length (snaplen) to len bytes. If not set, the default is 65535 bytes. When the packets of interest are large, a capture length that is too short truncates them; a truncated packet is marked with “[|proto]” in the output line (proto is replaced by the actual protocol name). On the other hand, a longer capture length means more processing time per packet and fewer packets that tcpdump can buffer, which can lead to dropped packets. So, provided the packets you want are captured intact, the smaller the capture length the better. -s0 disables truncation entirely.

Output options:

  • -e: Each line of output will include data link layer header information. For example source MAC and destination MAC.

  • -q: Quick (quiet) output: print less protocol information, so the output lines are shorter.

  • -X: Print the packet's data in both hexadecimal and ASCII.

  • -A: Print the packet's data in ASCII.

  • -XX: Like -X, but the link-level header is included in the hex/ASCII dump as well, so the output is more detailed.

  • -v: Produce verbose output when parsing and printing.

  • -vv: Produce more verbose output than -v.

  • -vvv: Produces more verbose output than -vv.

Other functional options:

  • -D: List the interfaces that can be used for packet capture, giving each interface's number and name; either can be passed to “-i”.

  • -F file: Read the filter expression from file. When this option is used, any expression given on the command line is ignored.

  • -w file: Write the raw captured packets to file instead of printing them to standard output. Combined with “-G time”, the output is rotated to a new file every time seconds. These files can later be loaded for analysis and printing with “-r”.

  • -r file: Read packets from the given capture file instead of a live interface. Use “-” to read from standard input.

Three kinds of qualifiers:

  • type: Specifies what kind of thing the id (a name or number) refers to.

The possible values are host/net/port/portrange, for example “host foo”, “net 128.3”, “port 20”, “portrange 6000-6008”. If no type is given, host is assumed.

  • dir: Specifies the transfer direction to or from the id.

The possible values are src/dst/src or dst/src and dst; the default is src or dst. For example, “src foo” matches packets whose source host is foo, “dst net 128.3” matches packets whose destination network is 128.3, and “src or dst port 22” matches packets whose source or destination port is 22.

  • proto: Restricts the match to packets of the given protocol.

Commonly used protocols include tcp/udp/arp/ip/ether/icmp. If no protocol is given, all protocols consistent with the type are matched. For example, “tcp port 21”, “udp portrange 7000-7009”.

3. tcpdump example

3.1. Start by default, without parameters

$ tcpdump

Started with no arguments, tcpdump captures every packet on the first network interface (excluding loopback). This produces a great deal of output, and it scrolls by very quickly.

3.2. The tcpdump -D command lists network interfaces that can capture packets

$ tcpdump -D
[root@localhost ~]# tcpdump -D
1.enp0s3 [Up, Running]
2.enp0s8 [Up, Running]
3.lo [Up, Running, Loopback]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
5.docker0 [Up]
6.virbr0 [Up]
7.bluetooth-monitor (Bluetooth Linux Monitor) [none]
8.nflog (Linux netfilter log (NFLOG) interface) [none]
9.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
10.usbmon0 (Raw USB traffic, all USB buses) [none]
11.usbmon1 (Raw USB traffic, bus number 1)
12.virbr0-nic [none]

3.4. Monitor the data packets of the specified network interface

$ tcpdump -i ens33
[root@localhost ~]# tcpdump -i enp0s3
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

If you do not specify a network card, by default tcpdump will only monitor the first network interface, such as ens33.

3.5. Monitor the local UDP port 123 (123 is the NTP service port)

$ tcpdump udp port 123

3.6. Capture packets of a given network, for example the traffic between this machine and the 192.168 network segment. “-c 10” means only 10 packets are captured

$ tcpdump -c 10 net 192.168

3.7. Capture ping packets

$ tcpdump -c 5 -nn -i ens33 icmp


If you specifically want to capture pings from host 192.168.182.130 to this machine, combine the primitives with the and operator.

$ tcpdump -c 5 -nn -i ens33 icmp and src 192.168.182.130
[root@localhost ~]# tcpdump -c 5 -nn -i enp0s8 icmp and src 10.1.0.9
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
03:54:38.755221 IP 10.1.0.9 > 10.1.0.8: ICMP echo request, id 3406, seq 1, length 64
03:54:39.806249 IP 10.1.0.9 > 10.1.0.8: ICMP echo request, id 3406, seq 2, length 64
03:54:40.808812 IP 10.1.0.9 > 10.1.0.8: ICMP echo request, id 3406, seq 3, length 64
03:54:41.812041 IP 10.1.0.9 > 10.1.0.8: ICMP echo request, id 3406, seq 4, length 64
03:54:42.814696 IP 10.1.0.9 > 10.1.0.8: ICMP echo request, id 3406, seq 5, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Note that you cannot write icmp src 192.168.182.130 directly, because the icmp protocol qualifier cannot be applied to a host-type primitive; icmp has to be joined to the src primitive with and.

3.9. Capture packets destined for local port 22

$ tcpdump -c 10 -nn -i bond0 tcp dst port 22

4.0. Dump packet contents

$ tcpdump -c 2 -q -XX -vvv -nn -i bond0 tcp dst port 22


4.1. Capture only packets involving a specific host

$ tcpdump -i any -c5 -nn host 192.168.182.152
$ tcpdump -i any -c5 -nn host 192.168.182.130

4.2. Save packet capture data

tcpdump can save captured packets to a file for later analysis. Such files can also be analyzed with graphical tools such as Wireshark.

1) Use the -w option to save the packets instead of displaying the captured packets on the screen

$ tcpdump -i any -c10 -nn -w webserver.pcap port 22

This command saves the captured packets to the file webserver.pcap. The pcap suffix indicates that the file is in packet capture (pcap) format.

2) tcpdump saves packets in a binary file, so it cannot simply be opened in a text editor. Use the -r option to read the packets back from the file

$ tcpdump -nn -r webserver.pcap
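The following is an added example, not code from the original page and not tcpdump's own code: it writes a pcap file the way -w does and reads it back the way -r does, using constructed ICMP echo requests like the ones captured in 3.7, and it also shows how a too-small -s snaplen produces the “[|icmp]” truncation marker described under -s. The MAC addresses, timestamps and host addresses are made-up sample values.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1     # EN10MB, as in "link-type EN10MB (Ethernet)"
addr = lambda a: bytes(int(o) for o in a.split("."))   # "10.1.0.9" -> 4 bytes

def icmp_echo_request(src, dst, ident, seq):
    """Constructed Ethernet/IPv4/ICMP echo request with ping's 56-byte payload
    (checksums left at 0; tcpdump only flags that under -v)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"\x00" * 56
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     addr(src), addr(dst))
    eth = bytes.fromhex("525400123456") + bytes.fromhex("525400654321") + b"\x08\x00"
    return eth + ip + icmp

def write_pcap(packets, snaplen):
    """What -w writes: a 24-byte global header, then per packet a 16-byte record
    header plus the bytes, cut at snaplen exactly as -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, pkt in packets:
        data = pkt[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(pkt)) + data
    return out

def read_pcap(blob):
    """What -r does: walk the records and build tcpdump-style lines (-tt epoch
    timestamps); a record cut before the ICMP header ends gets '[|icmp]'."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap file")
    lines, pos = [], 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", blob[pos:pos + 16])
        pkt = blob[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                           # no complete IPv4 header: skip it
        ip_len, proto = struct.unpack("!H", pkt[16:18])[0], pkt[23]
        src = ".".join(map(str, pkt[26:30])); dst = ".".join(map(str, pkt[30:34]))
        head = "%d.%06d IP %s > %s:" % (ts_sec, ts_usec, src, dst)
        if proto != 1:
            lines.append("%s proto %d" % (head, proto))
        elif len(pkt) < 42:                    # snaplen cut the 8-byte ICMP header
            lines.append("%s [|icmp]" % head)
        else:
            kind = {8: "request", 0: "reply"}.get(pkt[34], "type %d" % pkt[34])
            ident, seq = struct.unpack("!HH", pkt[38:42])
            lines.append("%s ICMP echo %s, id %d, seq %d, length %d"
                         % (head, kind, ident, seq, ip_len - 20))
    return lines
```

Bytes returned by write_pcap, saved to a file, form an ordinary pcap that tcpdump -nn -r can read, so its output can be compared with what read_pcap produces.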

[Tip] Packets captured with tcpdump are usually analyzed in the Wireshark graphical tool, which presents the traffic more clearly and conveniently.