tcpdump 與 ngrep

最後更新: 2019-03-06

目錄

 

 

 


Usage

 

詳細程度

tcpdump -v <expression>
tcpdump -vv <expression>
tcpdump -vvv <expression>

Check 某 interface

-i interface

File

-e                                 # Print the link-level header on each dump line.

-r                                  # Read packets from file (which was created with the -w option). # -e  這參數係用到的

Useful opts

-n                            # Don’t convert host addresses to names.

-nn                          # Don’t convert protocol and port numbers

Filter:

IP

tcpdump host <IP>

tcpdump src <IP>

tcpdump tcp src <IP>

Port

tcpdump port <Port>

tcpdump dst port <Port>

tcpdump udp dst port <Port>

Protocol

tcpdump -i eth0 arp

      
Logical Operators

and, or, not

 


tcpdump 是在 iptables 前

 

wire -> NIC -> tcpdump -> iptables (INPUT chain) [Host] iptables (OUPUT chain) -> tcpdump -> NIC -> wire

 


Result

 

1638 packets captured
3 packets received by filter             # depends on the OS on which you're running tcpdump
0 packets dropped by kernel              # lack of buffer space (OS 問題)

 


Sub-Interface

 

# sub-interface 介面卡不能行 tcpdump 會有 Error

tcpdump -i eth0.1

tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: syntax error

 


追查某 IP 的 In / Out

 

# 假設某 IP 是 s.s.s.s

tcpdump -n src s.s.s.s or dst s.s.s.s

 


iptables as tcpdump

 

開:

iptables -I INPUT -s 192.168.123.200/32 -j LOG

dmesg | grep 192.168.123.200

IN=eth0 OUT= MAC=52:54:00:f1:62:1d:00:ff:2b:0c:c1:c7:08:00 SRC=192.168.123.200 DST=192.168.123.251 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=1195 DF PROTO=TCP SPT=50078 DPT=22 WINDOW=221 RES=0x00 ACK PSH URGP=0

關:

iptables -D INPUT 1

 


ICMP

 

tcpdump -i eth0 icmp

 


cksum incorrect

 

log:

16:04:46.708942 IP (tos 0x0, ttl 63, id 61154, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.88.18.53902 > 10.3.4.1.http: Flags [S], cksum 0x28c4 (correct), seq 2949757337, win 5840, 
    options [mss 1460,sackOK,TS val 1307137915 ecr 0,nop,wscale 6], length 0
    
16:04:46.710258 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.3.4.1.http > 192.168.88.18.53902: Flags [S.], cksum 0x26ed (incorrect -> 0xf2d2), seq 4179186300, 
    ack 2949757338, win 14480, options [mss 1460,sackOK,TS val 2803810 ecr 1307137915,nop,wscale 3], length 0

16:04:47.828969 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.3.4.1.http > 192.168.88.18.53902: Flags [S.], cksum 0x26ed (incorrect -> 0xf1ba), seq 4179186300, 
    ack 2949757338, win 14480, options [mss 1460,sackOK,TS val 2804090 ecr 1307137915,nop,wscale 3], length 0

This is caused because you have checksum offloading on your network card (NIC) and

tcpdump reads IP packets from the Linux kernel right before the actual checksum takes place in the NIC’s chipset.

That’s why you only see errors in tcpdump and your network traffic works ok.

查看 offload setting

ethtool -k eth0

 


Capture Packets To A File

# Capture Packets To A File

tcpdump -w 0001.pcap -i eth0

# Read Captured Packets File

tcpdump -r 0001.pcap

# Read Content info

"-X" # print each packet data in hex and ascii (minus its link level header)

-XX  # including its link level header, in hex and ASCII

 


進階 Capture Packets To A File

 

-W filecount

Used in conjunction with the -C /-G option

this will limit the number of files  created  to  the  specified number,

and begin overwriting files from the beginning, thus creating a 'rotating' buffer.

-C file_size

Before  writing  a  raw  packet to a savefile, check whether the file is currently larger than file_size

and, if so, close the current savefile and open a new one.

The  units of file_size are millions of bytes (1,000,000 bytes)

-G rotate_seconds

If specified, rotates the dump file specified with the -w option every rotate_seconds  seconds.

If no time format is specified, each new file will overwrite the previous.

-w which should include a time format as defined by strftime(%m%d%H%M%S)

If no time format is specified, each new file will overwrite the previous.

-s snaplen, --snapshot-length=snaplen

Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. 

Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'',

where proto is the name  of the  protocol  level  at  which  the  truncation  has  occurred. 

set 0 => 262144(Default)

Note

taking larger snapshots both increases the amount of time it takes to process packets  and, 

effectively,  decreases  the  amount  of packet  buffering.  

This may cause packets to be lost. 

You should limit snaplen to the smallest number that will capture the protocol information you're interested in.               
 

Exampe:

# 建立 4 個會循環使用的檔案(https.pcap0 ... https.pcap3), 每個 4 mbyte

tcpdump -nn -i ens4 -C 4 -W 4 -w /root/net_chk/dump/https.pcap -B 40960 host d.d.d.d

# 每 10 秒建立一個 logfile, 當建立到第 4 個時停.

tcpdump -nn -i ens4 -G 10 -W 4 -w /root/net_chk/dump/https.%m%d%H%M%S.pcap -B 40960 host d.d.d.d

buffer_size

-B buffer_size, --buffer-size=buffer_size

Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).

 


Capture Plaintext Password

 

# pop3

tcpdump port pop3 -l -A | egrep -i 'pass |user ' --color=auto --line-buffered -B20

opt

-A     Print each packet (minus its link level header) in ASCII.  Handy for capturing web pages.

-l     Make stdout line buffered.  Useful if you want to see the data while capturing it.

 

 


一次原極的 dump

 

log

15:33:31.577460 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [S], seq 2946375389, win 29200, options [mss 1460,sackOK,TS val 3366815593 ecr 0,nop,wscale 7], length 0
15:33:31.577526 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [S.], seq 3519729639, ack 2946375390, win 28960, options [mss 1460,sackOK,TS val 252033521 ecr 3366815593,nop,wscale 7], length 0
15:33:31.578030 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [.], ack 1, win 229, options [nop,nop,TS val 3366815594 ecr 252033521], length 0
15:33:31.578256 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [P.], seq 1:86, ack 1, win 229, options [nop,nop,TS val 3366815594 ecr 252033521], length 85: HTTP: GET /myfile.php HTTP/1.1
15:33:31.578286 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [.], ack 86, win 227, options [nop,nop,TS val 252033522 ecr 3366815594], length 0

[server sleep 中]

15:33:38.967846 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [P.], seq 1:435, ack 86, win 227, options [nop,nop,TS val 252040912 ecr 3366815594], length 434: HTTP: HTTP/1.1 200 OK
15:33:38.968332 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [.], ack 435, win 237, options [nop,nop,TS val 3366817441 ecr 252040912], length 0
15:33:38.968442 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [F.], seq 86, ack 435, win 237, options [nop,nop,TS val 3366817441 ecr 252040912], length 0
15:33:38.968656 IP s.s.s.s.DPORT > c.c.c.c.SPORT: Flags [F.], seq 435, ack 87, win 227, options [nop,nop,TS val 252040913 ecr 3366817441], length 0
15:33:38.969058 IP c.c.c.c.SPORT > s.s.s.s.DPORT: Flags [.], ack 436, win 237, options [nop,nop,TS val 3366817441 ecr 252040913], length 0

Flags

[S]                     indicates that the SYN flag was set.

[SYN.]               The `.' means the ACK flag was set. [SYN.] => SYN-ACK

[.]                      Placeholder, usually used for ACK.

[P.]                       Push Data

Signals the immediate push of data from the sending host to the receiving host.

For interactive applications such as telnet, the main issue is the quickest response time, which this “push” flag signals.

[F.]                      #  =FIN 關閉連接標誌

[RST]               # = RESET 異常關閉連接

 


Troubleshoot

 

[1]

Checksum: 0x93a2 incorrect, should be 0x2c51(maybe caused by "TCP checksum offload"?)

You see the "incorrect" checksums due to a feature called TCP checksum offloading.

The checksum fields for outgoing TCP packets are not pre-calculated by the operating system

Use tcpdump --dont-verify-checksums to ignore these.

ethtool -k ens4 | grep ': on'

generic-receive-offload: on

ethtool -K ens4 rx off tx off

ethtool -K ens4 gro off