Last updated: 2019-03-06
Usage
Verbosity
tcpdump -v <expression>
tcpdump -vv <expression>
tcpdump -vvv <expression>
Capture on a specific interface
-i interface
File
- -e # Print the link-level header on each dump line.
- -r # Read packets from file (which was created with the -w option). # -e is useful together with this
Useful opts
- -n # Don't convert host addresses to names.
- -nn # Also don't convert protocol and port numbers to names.
Filter:
IP
- tcpdump host <IP>
- tcpdump src <IP>
- tcpdump tcp src <IP>
Port
- tcpdump port <Port>
- tcpdump dst port <Port>
- tcpdump udp dst port <Port>
Protocol
- tcpdump -i eth0 arp
- tcpdump -i eth0 icmp
Logical Operators
and, or, not
tcpdump sits before iptables
inbound:  wire -> NIC -> tcpdump -> iptables (INPUT chain) -> [Host]
outbound: [Host] -> iptables (OUTPUT chain) -> tcpdump -> NIC -> wire
Result
1638 packets captured
3 packets received by filter # depends on the OS on which you're running tcpdump
0 packets dropped by kernel # lack of buffer space (an OS issue)
Sub-Interface
# tcpdump cannot capture on a sub-interface; it reports an error
tcpdump -i eth0.1
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: syntax error
Trace the inbound / outbound traffic of a given IP
# assume the IP is s.s.s.s
tcpdump -n src s.s.s.s or dst s.s.s.s
iptables as tcpdump
Enable:
iptables -I INPUT -s 192.168.123.200/32 -j LOG
dmesg | grep 192.168.123.200
IN=eth0 OUT= MAC=52:54:00:f1:62:1d:00:ff:2b:0c:c1:c7:08:00 SRC=192.168.123.200 DST=192.168.123.251 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=1195 DF PROTO=TCP SPT=50078 DPT=22 WINDOW=221 RES=0x00 ACK PSH URGP=0
Disable:
iptables -D INPUT 1
cksum incorrect
log:
16:04:46.708942 IP (tos 0x0, ttl 63, id 61154, offset 0, flags [DF], proto TCP (6), length 60) 192.168.88.18.53902 > 10.3.4.1.http: Flags [S], cksum 0x28c4 (correct), seq 2949757337, win 5840, options [mss 1460,sackOK,TS val 1307137915 ecr 0,nop,wscale 6], length 0
16:04:46.710258 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.3.4.1.http > 192.168.88.18.53902: Flags [S.], cksum 0x26ed (incorrect -> 0xf2d2), seq 4179186300, ack 2949757338, win 14480, options [mss 1460,sackOK,TS val 2803810 ecr 1307137915,nop,wscale 3], length 0
16:04:47.828969 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.3.4.1.http > 192.168.88.18.53902: Flags [S.], cksum 0x26ed (incorrect -> 0xf1ba), seq 4179186300, ack 2949757338, win 14480, options [mss 1460,sackOK,TS val 2804090 ecr 1307137915,nop,wscale 3], length 0
This happens because checksum offloading is enabled on your network card (NIC), and
tcpdump reads IP packets from the Linux kernel right before the checksum is actually computed in the NIC's chipset.
That's why you only see the errors in tcpdump while your network traffic works fine.
Check the offload settings
ethtool -k eth0
Capture Packets To A File
# Capture Packets To A File (-w)
tcpdump -w 0001.pcap -i eth0
# Read Captured Packets File (-r)
tcpdump -r 0001.pcap
# Read Content info
-X # Print each packet's data in hex and ASCII (minus its link-level header)
-XX # Same, but including its link-level header
Advanced: Capture Packets To A File
-W filecount
Used in conjunction with the -C /-G option
this will limit the number of files created to the specified number,
and begin overwriting files from the beginning, thus creating a 'rotating' buffer.
-C file_size
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size
and, if so, close the current savefile and open a new one.
The units of file_size are millions of bytes (1,000,000 bytes)
-G rotate_seconds
If specified, rotates the dump file specified with the -w option every rotate_seconds seconds.
Savefiles will have the name specified by -w, which should include a time format as defined by strftime(3), e.g. %m%d%H%M%S.
If no time format is specified, each new file will overwrite the previous.
-s snaplen, --snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes.
Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'',
where proto is the name of the protocol level at which the truncation has occurred.
-s 0 => 262144 (the default)
Note
taking larger snapshots both increases the amount of time it takes to process packets and,
effectively, decreases the amount of packet buffering.
This may cause packets to be lost.
You should limit snaplen to the smallest number that will capture the protocol information you're interested in.
Example:
# Create 4 files that are reused in rotation (https.pcap0 ... https.pcap3), each 4 MB
tcpdump -nn -i ens4 -C 4 -W 4 -w /root/net_chk/dump/https.pcap -B 40960 host d.d.d.d
# Create a new file every 10 seconds; stop once the 4th file has been created.
tcpdump -nn -i ens4 -G 10 -W 4 -w /root/net_chk/dump/https.%m%d%H%M%S.pcap -B 40960 host d.d.d.d
buffer_size
-B buffer_size, --buffer-size=buffer_size
Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).
Capture Plaintext Password
# pop3
tcpdump port pop3 -l -A | egrep -i 'pass |user ' --color --line-buffered -B20
Opt
-A # Print each packet (minus its link level header) in ASCII
-l # Make stdout line buffered. Useful if you want to see the data while capturing it.
A complete dump of one TCP connection
log
15:33:31.577460 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [S], seq 2946375389, win 29200, options [mss 1460,sackOK,TS val 3366815593 ecr 0,nop,wscale 7], length 0
15:33:31.577526 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [S.], seq 3519729639, ack 2946375390, win 28960, options [mss 1460,sackOK,TS val 252033521 ecr 3366815593,nop,wscale 7], length 0
15:33:31.578030 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [.], ack 1, win 229, options [nop,nop,TS val 3366815594 ecr 252033521], length 0
15:33:31.578256 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [P.], seq 1:86, ack 1, win 229, options [nop,nop,TS val 3366815594 ecr 252033521], length 85: HTTP: GET /myfile.php HTTP/1.1
15:33:31.578286 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [.], ack 86, win 227, options [nop,nop,TS val 252033522 ecr 3366815594], length 0
[server sleeping]
15:33:38.967846 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [P.], seq 1:435, ack 86, win 227, options [nop,nop,TS val 252040912 ecr 3366815594], length 434: HTTP: HTTP/1.1 200 OK
15:33:38.968332 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [.], ack 435, win 237, options [nop,nop,TS val 3366817441 ecr 252040912], length 0
15:33:38.968442 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [F.], seq 86, ack 435, win 237, options [nop,nop,TS val 3366817441 ecr 252040912], length 0
15:33:38.968656 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [F.], seq 435, ack 87, win 227, options [nop,nop,TS val 252040913 ecr 3366817441], length 0
15:33:38.969058 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [.], ack 436, win 237, options [nop,nop,TS val 3366817441 ecr 252040913], length 0
Flags
[S] indicates that the SYN flag was set.
[S.] The `.' means the ACK flag was set, so [S.] => SYN-ACK
[.] Placeholder, usually used for ACK.
[P.] Push Data
Signals the immediate push of data from the sending host to the receiving host.
For interactive applications such as telnet, the main issue is the quickest response time, which this “push” flag signals.
[F.] # = FIN, the flag that closes the connection
[R] / [R.] # = RST, reset: the connection is torn down abnormally
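As an added example (not part of the original notes), a small Python parser for tcpdump TCP lines in the layout of the dump above: it decodes the flag letters listed here and measures the gap between the client's request and the server's reply. The sample lines are constructed (RFC 5737 addresses, -n output) and all function names are my own.

```python
import re
from datetime import datetime

# Flag letters as tcpdump prints them inside "Flags [...]"; a lone '.' is a bare ACK.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
                     r"Flags \[(?P<flags>[^\]]+)\](?P<rest>.*)$")

# Constructed sample in the same layout as the dump above (RFC 5737 addresses, -n output).
SAMPLE = """\
15:33:31.577460 IP 192.0.2.10.40000 > 192.0.2.1.80: Flags [S], seq 2946375389, win 29200, length 0
15:33:31.577526 IP 192.0.2.1.80 > 192.0.2.10.40000: Flags [S.], seq 3519729639, ack 2946375390, win 28960, length 0
15:33:31.578030 IP 192.0.2.10.40000 > 192.0.2.1.80: Flags [.], ack 1, win 229, length 0
15:33:31.578256 IP 192.0.2.10.40000 > 192.0.2.1.80: Flags [P.], seq 1:86, ack 1, win 229, length 85: HTTP: GET /myfile.php HTTP/1.1
15:33:38.967846 IP 192.0.2.1.80 > 192.0.2.10.40000: Flags [P.], seq 1:435, ack 86, win 227, length 434: HTTP: HTTP/1.1 200 OK
15:33:38.968442 IP 192.0.2.10.40000 > 192.0.2.1.80: Flags [F.], seq 86, ack 435, win 237, length 0
"""

def decode_flags(flags):
    """Map tcpdump's flag letters (e.g. 'S.' or 'P.') to TCP flag names."""
    return [FLAG_NAMES[c] for c in flags if c in FLAG_NAMES]

def parse_line(line):
    """Parse one tcpdump TCP line into its fields; returns None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    length = re.search(r"length (\d+)", m["rest"])
    return {"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": tuple(m["src"].rsplit(".", 1)),   # (host, port); port may be a name without -n
            "dst": tuple(m["dst"].rsplit(".", 1)),
            "flags": decode_flags(m["flags"]),
            "payload_len": int(length.group(1)) if length else 0}

def summarize(text):
    """Follow one connection: handshake complete?, server think time between the
    client's request and its reply (the gap in the dump above), and was it closed?"""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    client = pkts[0]["src"]                                   # whoever sent the first SYN
    saw = {tuple(p["flags"]) for p in pkts}
    request = next((p for p in pkts if "PSH" in p["flags"] and p["src"] == client), None)
    response = next((p for p in pkts if "PSH" in p["flags"] and p["src"] != client), None)
    delay = (response["ts"] - request["ts"]).total_seconds() if request and response else None
    return {"client": "%s:%s" % client,
            "handshake": ("SYN",) in saw and ("SYN", "ACK") in saw and ("ACK",) in saw,
            "response_delay_s": delay,
            "closed": any("FIN" in p["flags"] for p in pkts)}
```

Feed it `tcpdump -n -l ... | python3 -` style output, one connection at a time, to spot slow back-ends like the 7-second server sleep in the dump.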
Troubleshoot
[1]
Checksum: 0x93a2 incorrect, should be 0x2c51 (maybe caused by "TCP checksum offload"?)
You see the "incorrect" checksums due to a feature called TCP checksum offloading.
The checksum fields for outgoing TCP packets are not pre-calculated by the operating system
Use tcpdump --dont-verify-checksums to ignore these.
ethtool -k ens4 | grep ': on'
generic-receive-offload: on
ethtool -K ens4 rx off tx off
ethtool -K ens4 gro off
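Added example, not from the original notes, tying the "cksum ... (incorrect -> ...)" output here and in the cksum section above to what tcpdump actually verifies: it computes the TCP checksum over the IPv4 pseudo-header for a constructed SYN-ACK. The addresses and ports come from the page's sample; the header contents are constructed, and modelling the not-yet-offloaded checksum field as 0 is an assumption for illustration.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:                          # odd length: pad the last word with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_segment(sport, dport, flags, checksum=0, payload=b""):
    """Build a minimal 20-byte TCP header (seq=1, ack=1, win=14480) plus optional payload.
    checksum=0 models an offloaded segment: the kernel has not filled the field in yet (assumption)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 14480, checksum, 0)
    return hdr + payload

def expected_tcp_checksum(src_ip, dst_ip, segment):
    """The value the NIC (or the kernel, without offload) will write into the field:
    checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)

def verify_tcp(src_ip, dst_ip, segment):
    """Render the verdict the way tcpdump -vv prints it for a TCP segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = expected_tcp_checksum(src_ip, dst_ip, segment)
    if stored == expected:
        return f"cksum 0x{stored:04x} (correct)"
    return f"cksum 0x{stored:04x} (incorrect -> 0x{expected:04x})"

# Constructed SYN-ACK from the server side of the page's sample (10.3.4.1:80 -> 192.168.88.18:53902).
SRC_IP, DST_IP = "10.3.4.1", "192.168.88.18"
SYN_ACK = 0x12

if __name__ == "__main__":
    offloaded = tcp_segment(80, 53902, SYN_ACK)            # what tcpdump sees before the NIC fills it in
    print(verify_tcp(SRC_IP, DST_IP, offloaded))           # cksum 0x0000 (incorrect -> 0x7da3)
    on_wire = tcp_segment(80, 53902, SYN_ACK, checksum=expected_tcp_checksum(SRC_IP, DST_IP, offloaded))
    print(verify_tcp(SRC_IP, DST_IP, on_wire))             # cksum 0x7da3 (correct)
```

The "incorrect" verdict is therefore a capture-point artifact on the sending host; a capture taken on the receiving side, or after `ethtool -K ... tx off`, shows the finished value.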