tcpdump

1. Introduction to tcpdump

tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, OS X, HP-UX, Android and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows port of libpcap.

References:
man tcpdump
man pcap-filter
http://www.tcpdump.org/

1.1. IP and TCP header

Recall the structure of an IP header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Recall the structure of a TCP header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Note: without Options, the IP header and the TCP header are 20 bytes each, 40 bytes in total.

2. tcpdump usage examples

The basic form of tcpdump is:

tcpdump [ options ] [ expression ]

where expression must follow pcap-filter syntax, e.g.:

tcpdump 'tcp port 80 and host xx.yy.zz'

Note: the single quotes around the expression can be omitted.

To stop capturing, send tcpdump SIGINT (usually Ctrl+C).

2.1. Save the capture to a pcap file (-w)

tcpdump output can be saved in libpcap file format (usually with a .pcap extension) for later analysis.

tcpdump -w 1.pcap

2.2. Monitor a specific network interface (-i)

Use -i to specify the interface to monitor:

tcpdump -i eth0
tcpdump -i lo

Without an interface name, tcpdump captures all packets on the default interface.

tcpdump

Note: the default interface differs between operating systems; on Darwin, for example, it may be a kernel-determined set of several interfaces. See man tcpdump on your system for details.

2.3. Monitor a specific host or IP (host)

All packets to or from www.baidu.com:

tcpdump 'host www.baidu.com'

An IP address can also be given (111.13.100.91 is the IP of www.baidu.com):

tcpdump 'host 111.13.100.91'

2.3.1. Specify traffic direction (src, dst)

Capture all packets sent from host hostname:

tcpdump 'src host hostname'

Capture all packets sent to host hostname:

tcpdump 'dst host hostname'

2.4. Specify a port (port)

To capture telnet packets (TCP port 23) received or sent by host xx.yy.zz:

tcpdump 'tcp port 23 and host xx.yy.zz'

Monitor UDP port 123 on this machine (UDP port 123 is the NTP service port):

tcpdump 'udp port 123'

2.5. Show IPs and ports numerically (-n)

With -n, hosts are shown by IP address instead of hostname, and ports as numbers instead of the associated service names.

2.6. Show packets in ASCII, handy for HTTP analysis (-A)

With -A, packets are printed in ASCII (useful for HTTP analysis), e.g.:

$ sudo tcpdump -c 10 -n -A 'tcp port 80 and host www.baidu.com'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:55:28.234988 IP 10.0.2.15.32936 > 111.13.100.92.80: Flags [S], seq 1256411412, win 29200, options [mss 1460,sackOK,TS val 1281664 ecr 0,nop,wscale 7], length 0
E..<..@.@.{.
...o.d\...PJ.Q.......r............
............
21:55:28.334330 IP 111.13.100.92.80 > 10.0.2.15.32936: Flags [S.], seq 59072001, ack 1256411413, win 65535, options [mss 1460], length 0
E..,f...@.4po.d\
....P....^.J.Q.`...:'........
21:55:28.334349 IP 10.0.2.15.32936 > 111.13.100.92.80: Flags [.], ack 1, win 29200, length 0
E..(..@.@.{.
...o.d\...PJ.Q...^.P.r.....
21:55:28.334619 IP 10.0.2.15.32936 > 111.13.100.92.80: Flags [P.], seq 1:549, ack 1, win 29200, length 548
E..L..@.@.y.
...o.d\...PJ.Q...^.P.r.....GET / HTTP/1.1
Host: www.baidu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: BAIDUID=1DB997D389D1DAA4244478AA9E811639:FG=1; BIDUPSID=1DB997D389D1DAA4244478AA9E811639; PSTM=1443275677; BD_UPN=133352; BD_HOME=0; H_PS_PSSID=12897_1426_17506_12658_12824_14429_17246_17000_17471_17072_15293_17348_11476_17351_10634_17050
Connection: keep-alive

2.7. Show packets in hex and ASCII (-X)

With -X, packets are printed in hex and ASCII (useful for HTTP analysis), e.g.:

$ sudo tcpdump -c 10 -n -X 'host www.baidu.com'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:02:07.912907 IP 10.0.2.15.47225 > 111.13.100.91.80: Flags [S], seq 4005336847, win 29200, options [mss 1460,sackOK,TS val 1381584 ecr 0,nop,wscale 7], length 0
	0x0000:  4500 003c 83df 4000 4006 d765 0a00 020f  E..<..@.@..e....
	0x0010:  6f0d 645b b879 0050 eebc 970f 0000 0000  o.d[.y.P........
	0x0020:  a002 7210 dfa5 0000 0204 05b4 0402 080a  ..r.............
	0x0030:  0015 14d0 0000 0000 0103 0307            ............
22:02:07.995583 IP 111.13.100.91.80 > 10.0.2.15.47225: Flags [S.], seq 87040001, ack 4005336848, win 65535, options [mss 1460], length 0
	0x0000:  4500 002c 67d8 0000 4006 337d 6f0d 645b  E..,g...@.3}o.d[
	0x0010:  0a00 020f 0050 b879 0530 2001 eebc 9710  .....P.y.0......
	0x0020:  6012 ffff 54d7 0000 0204 05b4 0000       `...T.........
22:02:07.995614 IP 10.0.2.15.47225 > 111.13.100.91.80: Flags [.], ack 1, win 29200, length 0
	0x0000:  4500 0028 83e0 4000 4006 d778 0a00 020f  E..(..@.@..x....
	0x0010:  6f0d 645b b879 0050 eebc 9710 0530 2002  o.d[.y.P.....0..
	0x0020:  5010 7210 df91 0000                      P.r.....
22:02:07.995816 IP 10.0.2.15.47225 > 111.13.100.91.80: Flags [P.], seq 1:549, ack 1, win 29200, length 548
	0x0000:  4500 024c 83e1 4000 4006 d553 0a00 020f  E..L..@.@..S....
	0x0010:  6f0d 645b b879 0050 eebc 9710 0530 2002  o.d[.y.P.....0..
	0x0020:  5018 7210 e1b5 0000 4745 5420 2f20 4854  P.r.....GET./.HT
	0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 7777  TP/1.1..Host:.ww
	0x0040:  772e 6261 6964 752e 636f 6d0d 0a55 7365  w.baidu.com..Use
	0x0050:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
	0x0060:  2f35 2e30 2028 5831 313b 204c 696e 7578  /5.0.(X11;.Linux
	0x0070:  2078 3836 5f36 343b 2072 763a 3331 2e30  .x86_64;.rv:31.0
	0x0080:  2920 4765 636b 6f2f 3230 3130 3031 3031  ).Gecko/20100101
	0x0090:  2046 6972 6566 6f78 2f33 312e 3020 4963  .Firefox/31.0.Ic
	0x00a0:  6577 6561 7365 6c2f 3331 2e36 2e30 0d0a  eweasel/31.6.0..
	0x00b0:  4163 6365 7074 3a20 7465 7874 2f68 746d  Accept:.text/htm
	0x00c0:  6c2c 6170 706c 6963 6174 696f 6e2f 7868  l,application/xh
	0x00d0:  746d 6c2b 786d 6c2c 6170 706c 6963 6174  tml+xml,applicat
	0x00e0:  696f 6e2f 786d 6c3b 713d 302e 392c 2a2f  ion/xml;q=0.9,*/
	0x00f0:  2a3b 713d 302e 380d 0a41 6363 6570 742d  *;q=0.8..Accept-
	0x0100:  4c61 6e67 7561 6765 3a20 656e 2d55 532c  Language:.en-US,
	0x0110:  656e 3b71 3d30 2e35 0d0a 4163 6365 7074  en;q=0.5..Accept
	0x0120:  2d45 6e63 6f64 696e 673a 2067 7a69 702c  -Encoding:.gzip,
	0x0130:  2064 6566 6c61 7465 0d0a 436f 6f6b 6965  .deflate..Cookie
	0x0140:  3a20 4241 4944 5549 443d 3144 4239 3937  :.BAIDUID=1DB997
	0x0150:  4433 3839 4431 4441 4134 3234 3434 3738  D389D1DAA4244478
	0x0160:  4141 3945 3831 3136 3339 3a46 473d 313b  AA9E811639:FG=1;
	0x0170:  2042 4944 5550 5349 443d 3144 4239 3937  .BIDUPSID=1DB997
	0x0180:  4433 3839 4431 4441 4134 3234 3434 3738  D389D1DAA4244478
	0x0190:  4141 3945 3831 3136 3339 3b20 5053 544d  AA9E811639;.PSTM
	0x01a0:  3d31 3434 3332 3735 3637 373b 2042 445f  =1443275677;.BD_
	0x01b0:  5550 4e3d 3133 3333 3532 3b20 4244 5f48  UPN=133352;.BD_H
	0x01c0:  4f4d 453d 303b 2048 5f50 535f 5053 5349  OME=0;.H_PS_PSSI
	0x01d0:  443d 3132 3839 375f 3134 3236 5f31 3735  D=12897_1426_175
	0x01e0:  3036 5f31 3236 3538 5f31 3238 3234 5f31  06_12658_12824_1
	0x01f0:  3434 3239 5f31 3732 3436 5f31 3730 3030  4429_17246_17000
	0x0200:  5f31 3734 3731 5f31 3730 3732 5f31 3532  _17471_17072_152
	0x0210:  3933 5f31 3733 3438 5f31 3134 3736 5f31  93_17348_11476_1
	0x0220:  3733 3531 5f31 3036 3334 5f31 3730 3530  7351_10634_17050
	0x0230:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 6b65  ..Connection:.ke
	0x0240:  6570 2d61 6c69 7665 0d0a 0d0a            ep-alive....

2.8. Read a pcap file (-r)

Use -r to read a previously saved pcap file; it is often combined with -X:

tcpdump -qns 0 -X -r 1.pcap

http://serverfault.com/questions/38626/how-can-i-read-pcap-files-in-a-friendly-format

3. pcap-filter syntax

In tcpdump [ options ] [ expression ], the expression uses pcap-filter syntax; see man pcap-filter.

pcap-filter expressions can get quite complex. For example, to select all IPv4 HTTP packets to and from port 80 that carry data (i.e. print only packets that contain data):

sudo tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
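To see what that expression computes, here is an added Python example (not from this page or from tcpdump itself) that applies the same header arithmetic to the SYN and PSH packets shown in the -X dump of section 2.7; the PSH packet's 548-byte request body is a constructed stand-in, since only the headers matter for the computation.

```python
import struct

def tcp_payload_len(pkt: bytes) -> int:
    """Evaluate ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) on a raw IPv4
    packet (Ethernet header already stripped): Total Length minus both header lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]     # ip[2:2]: 16-bit Total Length
    ihl = (pkt[0] & 0x0F) << 2                        # IHL counts 32-bit words, so *4
    if len(pkt) < ihl + 13:
        raise ValueError("TCP header not captured")
    doff = (pkt[ihl + 12] & 0xF0) >> 2                # tcp[12] high nibble: Data Offset, *4
    return total_len - ihl - doff

def matches_http_data_filter(pkt: bytes) -> bool:
    """Same test as: tcp port 80 and (TCP payload length != 0)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:               # IPv4 carrying TCP (protocol 6) only
        return False
    ihl = (pkt[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return 80 in (sport, dport) and tcp_payload_len(pkt) != 0

# SYN packet from the -X output above: 60 bytes, 20-byte IP header, 40-byte TCP header
SYN_PKT = bytes.fromhex(
    "4500003c83df40004006d7650a00020f6f0d645bb8790050eebc970f00000000"
    "a0027210dfa50000020405b40402080a001514d00000000001030307")

# IP + TCP headers of the PSH packet above (Total Length 0x024c = 588, no TCP options)
PSH_HDR = bytes.fromhex(
    "4500024c83e140004006d5530a00020f6f0d645bb8790050eebc971005302002"
    "50187210e1b50000")
# Constructed stand-in for the 548-byte GET request that followed those headers
PSH_PKT = PSH_HDR + b"GET / HTTP/1.1\r\nHost: www.baidu.com\r\n".ljust(548, b" ")

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN_PKT), ("PSH", PSH_PKT)):
        print(name, "payload bytes:", tcp_payload_len(pkt),
              "matches filter:", matches_http_data_filter(pkt))
```

Because the lengths come from header fields rather than from the number of captured bytes, the result is the same for a snaplen-truncated capture, which is also how the BPF filter sees it.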

Reference: http://www.tcpdump.org/manpages/pcap-filter.7.html

4. pcap file format

The libpcap file format is the main capture file format used in TcpDump/WinDump, snort, and many other networking tools.

There are some variants of the format "in the wild"; the following describes only the commonly used format in its current version 2.4. The file has a global header containing some global information, followed by zero or more records, one per captured packet, looking like this:

 Global Header   Packet Header   Packet Data   Packet Header   Packet Data   ... 

This header starts the libpcap file and will be followed by the first packet header:

/* Global Header */
typedef struct pcap_hdr_s {
        guint32 magic_number;   /* magic number */
        guint16 version_major;  /* major version number */
        guint16 version_minor;  /* minor version number */
        gint32  thiszone;       /* GMT to local correction */
        guint32 sigfigs;        /* accuracy of timestamps */
        guint32 snaplen;        /* max length of captured packets, in octets */
        guint32 network;        /* data link type */
} pcap_hdr_t;

Each captured packet starts with (any byte alignment possible):

/* Packet (Record) Header */
typedef struct pcaprec_hdr_s {
        guint32 ts_sec;         /* timestamp seconds */
        guint32 ts_usec;        /* timestamp microseconds */
        guint32 incl_len;       /* number of octets of packet saved in file */
        guint32 orig_len;       /* actual length of packet */
} pcaprec_hdr_t;
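An added Python example (not part of this page or of libpcap) that writes and parses exactly this layout: the byte order is inferred from the magic number, and a record whose incl_len exceeds orig_len or the global snaplen, or whose data runs past the end of the file, is rejected. The sample frames are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # v2.4 magic; the file's byte order is inferred from it
GLOBAL_HDR = "IHHiIII"         # pcap_hdr_t fields, 24 bytes
REC_HDR = "IIII"               # pcaprec_hdr_t fields, 16 bytes
HDR_FIELDS = ("magic_number", "version_major", "version_minor",
              "thiszone", "sigfigs", "snaplen", "network")

def write_pcap(packets, snaplen=262144, network=1, endian="<"):
    """Serialize (ts_sec, ts_usec, raw_frame) tuples as a pcap v2.4 file.
    network=1 is LINKTYPE_ETHERNET; frames longer than snaplen are cut, as with tcpdump -s."""
    out = [struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, network)]
    for ts_sec, ts_usec, frame in packets:
        saved = frame[:snaplen]
        out.append(struct.pack(endian + REC_HDR, ts_sec, ts_usec, len(saved), len(frame)))
        out.append(saved)
    return b"".join(out)

def read_pcap(blob):
    """Parse a pcap file of either byte order. Returns (global header dict,
    list of (ts_sec, ts_usec, orig_len, data)); raises ValueError on a malformed file."""
    if len(blob) < 24:
        raise ValueError("short global header")
    if blob[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif blob[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("unknown magic %s" % blob[:4].hex())
    hdr = dict(zip(HDR_FIELDS, struct.unpack(endian + GLOBAL_HDR, blob[:24])))
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + REC_HDR, blob[off:off + 16])
        # incl_len is bounded by both orig_len and snaplen; a file violating that is corrupt
        if incl_len > orig_len or incl_len > hdr["snaplen"]:
            raise ValueError("inconsistent lengths at offset %d" % off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_usec, orig_len, data))
        off += incl_len
    return hdr, records
```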

Reference: https://wiki.wireshark.org/Development/LibpcapFileFormat

5. Tips

5.1. Merging and analyzing pcap files

mergecap merges multiple pcap files, and tshark is a feature-rich tool for analyzing them. Both ship as components of Wireshark.

References:
https://www.wireshark.org/docs/man-pages/mergecap.html
https://www.wireshark.org/docs/man-pages/tshark.html
http://www.thegeekstuff.com/2009/03/mergecap-and-tshark-merge-packet-dumps-and-analyze-network-traffic/

Author: cig01

Created: <2011-04-03 Sun>

Last updated: <2019-01-06 Sun>

Creator: Emacs 27.1 (Org mode 9.4)