tcpdump
1. Introduction to tcpdump
tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, OS X, HP-UX, Android and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows port of libpcap.
References:
man tcpdump
man pcap-filter
http://www.tcpdump.org/
1.1. IP and TCP headers
Recall the structure of an IPv4 header (RFC 791):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Recall the structure of a TCP header (RFC 793):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note: without Options, the IP header and the TCP header are 20 bytes each, 40 bytes in total. The actual lengths are carried in the IHL and Data Offset fields, both counted in 32-bit words; the filter expression in section 3 reads exactly those two fields.
2. tcpdump usage examples
The basic form of a tcpdump command is:
tcpdump [ options ] [ expression ]
where expression must follow the pcap-filter syntax, for example:
tcpdump 'tcp port 80 and host xx.yy.zz'
Note: the single quotes around the expression can be omitted, but keep them whenever the expression contains characters the shell would interpret itself (parentheses, &, <, >, *), as in the example in section 3.
To stop a capture, send tcpdump SIGINT (normally Ctrl+C).
2.1. Saving the capture to a pcap file (-w)
Instead of printing decoded packets, tcpdump can write the raw packets to a file in libpcap format (conventionally with a .pcap suffix) for later analysis:
tcpdump -w 1.pcap
2.2. Capturing on a specific interface (-i)
Use -i to name the interface to capture on:
tcpdump -i eth0
tcpdump -i lo
Without an interface name, tcpdump captures every packet on the default interface:
tcpdump
Note: which interface is the default depends on the operating system; on Darwin, for example, it may be a kernel-chosen set of several interfaces. Check man tcpdump on the system at hand. On Linux, -i any captures on all interfaces at once.
2.3. Selecting a host or IP address (host)
All packets entering or leaving www.baidu.com:
tcpdump 'host www.baidu.com'
An IP address can be given instead (111.13.100.91 was the address www.baidu.com resolved to at the time). A host name is resolved once, when the filter is compiled; if it resolves to several addresses, a packet matching any of them is selected, and later DNS changes are not picked up by a running capture:
tcpdump 'host 111.13.100.91'
2.3.1. Selecting a direction (src, dst)
All packets sent by host hostname:
tcpdump 'src host hostname'
All packets sent to host hostname:
tcpdump 'dst host hostname'
2.4. Selecting a port (port)
To capture the telnet traffic (TCP port 23) that host xx.yy.zz sends or receives:
tcpdump 'tcp port 23 and host xx.yy.zz'
To capture NTP traffic (UDP port 123). Like host, a bare port primitive matches either the source or the destination port; use src port or dst port to pick one direction:
tcpdump 'udp port 123'
2.5. Showing addresses and ports as numbers (-n)
With -n, tcpdump prints IP addresses instead of host names and numeric port numbers instead of service names (-nn also leaves protocol numbers unconverted). Besides keeping up with fast traffic, this avoids the reverse DNS lookups that would otherwise be sent for every address in the capture, which slow tcpdump down and announce to the resolver which hosts you are examining.
2.6. Printing packets as ASCII, convenient for HTTP (-A)
With -A, the bytes of each packet are printed as ASCII after the summary line (non-printable bytes become dots), which is convenient for reading HTTP. Everything sent in the clear ends up in the output, including the session cookies in the request below, so treat captures like this as sensitive data:
$ sudo tcpdump -c 10 -n -A 'tcp port 80 and host www.baidu.com'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:55:28.234988 IP 10.0.2.15.32936 > 111.13.100.92.80: Flags [S], seq 1256411412, win 29200, options [mss 1460,sackOK,TS val 1281664 ecr 0,nop,wscale 7], length 0
E..<..@.@.{.
...o.d\...PJ.Q.......r............
............
21:55:28.334330 IP 111.13.100.92.80 > 10.0.2.15.32936: Flags [S.], seq 59072001, ack 1256411413, win 65535, options [mss 1460], length 0
E..,f...@.4po.d\
....P....^.J.Q.`...:'........
21:55:28.334349 IP 10.0.2.15.32936 > 111.13.100.92.80: Flags [.], ack 1, win 29200, length 0
E..(..@.@.{.
...o.d\...PJ.Q...^.P.r.....
21:55:28.334619 IP 10.0.2.15.32936 > 111.13.100.92.80: Flags [P.], seq 1:549, ack 1, win 29200, length 548
E..L..@.@.y.
...o.d\...PJ.Q...^.P.r.....GET / HTTP/1.1
Host: www.baidu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: BAIDUID=1DB997D389D1DAA4244478AA9E811639:FG=1; BIDUPSID=1DB997D389D1DAA4244478AA9E811639; PSTM=1443275677; BD_UPN=133352; BD_HOME=0; H_PS_PSSID=12897_1426_17506_12658_12824_14429_17246_17000_17471_17072_15293_17348_11476_17351_10634_17050
Connection: keep-alive
2.7. Printing packets as hex and ASCII (-X)
With -X, each packet is printed as a hex dump with its ASCII rendering alongside (-XX additionally includes the link-layer header). The offsets on the left count from the start of the IP header, so the IP header occupies 0x0000-0x0013 and the TCP header starts at 0x0014, e.g.:
$ sudo tcpdump -c 10 -n -X 'host www.baidu.com'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:02:07.912907 IP 10.0.2.15.47225 > 111.13.100.91.80: Flags [S], seq 4005336847, win 29200, options [mss 1460,sackOK,TS val 1381584 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c 83df 4000 4006 d765 0a00 020f  E..<..@.@..e....
        0x0010:  6f0d 645b b879 0050 eebc 970f 0000 0000  o.d[.y.P........
        0x0020:  a002 7210 dfa5 0000 0204 05b4 0402 080a  ..r.............
        0x0030:  0015 14d0 0000 0000 0103 0307            ............
22:02:07.995583 IP 111.13.100.91.80 > 10.0.2.15.47225: Flags [S.], seq 87040001, ack 4005336848, win 65535, options [mss 1460], length 0
        0x0000:  4500 002c 67d8 0000 4006 337d 6f0d 645b  E..,g...@.3}o.d[
        0x0010:  0a00 020f 0050 b879 0530 2001 eebc 9710  .....P.y.0......
        0x0020:  6012 ffff 54d7 0000 0204 05b4 0000       `...T.........
22:02:07.995614 IP 10.0.2.15.47225 > 111.13.100.91.80: Flags [.], ack 1, win 29200, length 0
        0x0000:  4500 0028 83e0 4000 4006 d778 0a00 020f  E..(..@.@..x....
        0x0010:  6f0d 645b b879 0050 eebc 9710 0530 2002  o.d[.y.P.....0..
        0x0020:  5010 7210 df91 0000                      P.r.....
22:02:07.995816 IP 10.0.2.15.47225 > 111.13.100.91.80: Flags [P.], seq 1:549, ack 1, win 29200, length 548
        0x0000:  4500 024c 83e1 4000 4006 d553 0a00 020f  E..L..@.@..S....
        0x0010:  6f0d 645b b879 0050 eebc 9710 0530 2002  o.d[.y.P.....0..
        0x0020:  5018 7210 e1b5 0000 4745 5420 2f20 4854  P.r.....GET./.HT
        0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 7777  TP/1.1..Host:.ww
        0x0040:  772e 6261 6964 752e 636f 6d0d 0a55 7365  w.baidu.com..Use
        0x0050:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
        0x0060:  2f35 2e30 2028 5831 313b 204c 696e 7578  /5.0.(X11;.Linux
        0x0070:  2078 3836 5f36 343b 2072 763a 3331 2e30  .x86_64;.rv:31.0
        0x0080:  2920 4765 636b 6f2f 3230 3130 3031 3031  ).Gecko/20100101
        0x0090:  2046 6972 6566 6f78 2f33 312e 3020 4963  .Firefox/31.0.Ic
        0x00a0:  6577 6561 7365 6c2f 3331 2e36 2e30 0d0a  eweasel/31.6.0..
        0x00b0:  4163 6365 7074 3a20 7465 7874 2f68 746d  Accept:.text/htm
        0x00c0:  6c2c 6170 706c 6963 6174 696f 6e2f 7868  l,application/xh
        0x00d0:  746d 6c2b 786d 6c2c 6170 706c 6963 6174  tml+xml,applicat
        0x00e0:  696f 6e2f 786d 6c3b 713d 302e 392c 2a2f  ion/xml;q=0.9,*/
        0x00f0:  2a3b 713d 302e 380d 0a41 6363 6570 742d  *;q=0.8..Accept-
        0x0100:  4c61 6e67 7561 6765 3a20 656e 2d55 532c  Language:.en-US,
        0x0110:  656e 3b71 3d30 2e35 0d0a 4163 6365 7074  en;q=0.5..Accept
        0x0120:  2d45 6e63 6f64 696e 673a 2067 7a69 702c  -Encoding:.gzip,
        0x0130:  2064 6566 6c61 7465 0d0a 436f 6f6b 6965  .deflate..Cookie
        0x0140:  3a20 4241 4944 5549 443d 3144 4239 3937  :.BAIDUID=1DB997
        0x0150:  4433 3839 4431 4441 4134 3234 3434 3738  D389D1DAA4244478
        0x0160:  4141 3945 3831 3136 3339 3a46 473d 313b  AA9E811639:FG=1;
        0x0170:  2042 4944 5550 5349 443d 3144 4239 3937  .BIDUPSID=1DB997
        0x0180:  4433 3839 4431 4441 4134 3234 3434 3738  D389D1DAA4244478
        0x0190:  4141 3945 3831 3136 3339 3b20 5053 544d  AA9E811639;.PSTM
        0x01a0:  3d31 3434 3332 3735 3637 373b 2042 445f  =1443275677;.BD_
        0x01b0:  5550 4e3d 3133 3333 3532 3b20 4244 5f48  UPN=133352;.BD_H
        0x01c0:  4f4d 453d 303b 2048 5f50 535f 5053 5349  OME=0;.H_PS_PSSI
        0x01d0:  443d 3132 3839 375f 3134 3236 5f31 3735  D=12897_1426_175
        0x01e0:  3036 5f31 3236 3538 5f31 3238 3234 5f31  06_12658_12824_1
        0x01f0:  3434 3239 5f31 3732 3436 5f31 3730 3030  4429_17246_17000
        0x0200:  5f31 3734 3731 5f31 3730 3732 5f31 3532  _17471_17072_152
        0x0210:  3933 5f31 3733 3438 5f31 3134 3736 5f31  93_17348_11476_1
        0x0220:  3733 3531 5f31 3036 3334 5f31 3730 3530  7351_10634_17050
        0x0230:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 6b65  ..Connection:.ke
        0x0240:  6570 2d61 6c69 7665 0d0a 0d0a            ep-alive....
2.8. Reading a pcap file (-r)
-r reads a previously saved pcap file instead of a live interface and is often combined with -X. In the command below, -q keeps the summary lines short, -n suppresses name resolution, and -s 0 asks for whole packets (the capture size of 262144 bytes shown in the banners above is the modern default; when reading a file, only the bytes saved at capture time are available anyway):
tcpdump -qns 0 -X -r 1.pcap
http://serverfault.com/questions/38626/how-can-i-read-pcap-files-in-a-friendly-format
3. pcap-filter syntax
The expression in tcpdump [ options ] [ expression ] uses the pcap-filter syntax documented in man pcap-filter.
pcap-filter expressions can become fairly involved. The example below, taken from that man page, selects all IPv4 HTTP packets to and from port 80 that actually carry data, i.e. it prints only packets containing payload and skips the bare SYN, ACK and FIN segments. ip[2:2] is the IPv4 Total Length field, (ip[0]&0xf)<<2 is the IP header length in bytes (IHL is counted in 32-bit words), and (tcp[12]&0xf0)>>2 is the TCP header length in bytes (Data Offset is likewise counted in words), so the parenthesised expression is the TCP payload length. Offsets in tcp[...] are relative to the start of the TCP header, not the packet:
sudo tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
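As an added example (not part of the original page), here is the same arithmetic applied in Python to packets taken from the tcpdump -X output in section 2.7, which also exercises the IHL and Data Offset fields from section 1.1. The three byte strings are copied from that dump (IP header onward, Ethernet header not included); the PSH/ACK packet is reproduced only up to the end of its TCP header, as if it had been captured with a 40-byte snaplen. The function names are this example's own, not libpcap's.

```python
import struct

# Packets copied from the tcpdump -X output in section 2.7 of this page,
# IP header onward (the 14-byte Ethernet header is not shown by -X).
# The PSH/ACK packet is reproduced only up to the end of its TCP header,
# as if it had been captured with a snaplen of 40 bytes.
SYN = bytes.fromhex(
    "4500003c83df40004006d7650a00020f"
    "6f0d645bb8790050eebc970f00000000"
    "a0027210dfa50000020405b40402080a"
    "001514d00000000001030307"
)
SYN_ACK = bytes.fromhex(
    "4500002c67d800004006337d6f0d645b"
    "0a00020f0050b87905302001eebc9710"
    "6012ffff54d70000020405b40000"
)
PSH_ACK_HDRS = bytes.fromhex(
    "4500024c83e140004006d5530a00020f"
    "6f0d645bb8790050eebc971005302002"
    "50187210e1b50000"
)

IPPROTO_TCP = 6


def ip_header_len(pkt):
    """(ip[0]&0xf)<<2 : IHL is the low nibble of byte 0, in 32-bit words."""
    return (pkt[0] & 0x0F) << 2


def ip_total_len(pkt):
    """ip[2:2] : the 16-bit Total Length field, big-endian."""
    return struct.unpack_from("!H", pkt, 2)[0]


def tcp_header_len(pkt):
    """(tcp[12]&0xf0)>>2 : Data Offset is the high nibble of TCP byte 12, in
    32-bit words; masking then shifting right by 2 converts it to bytes.
    tcp[n] is relative to the TCP header, so the IP header length is added."""
    return (pkt[ip_header_len(pkt) + 12] & 0xF0) >> 2


def tcp_payload_len(pkt):
    """The value the filter compares with 0: TCP payload length per the headers."""
    return ip_total_len(pkt) - ip_header_len(pkt) - tcp_header_len(pkt)


def tcp_ports(pkt):
    """(source port, destination port) from the first four TCP header bytes."""
    return struct.unpack_from("!HH", pkt, ip_header_len(pkt))


def tcp_flags(pkt):
    """The flag letters tcpdump prints, from TCP byte 13, in ascending bit
    order: FIN=F SYN=S RST=R PSH=P ACK=. URG=U ECE=E CWR=W."""
    bits = pkt[ip_header_len(pkt) + 13]
    return "".join(ch for i, ch in enumerate("FSRP.UEW") if bits & (1 << i))


def http_data_filter(pkt):
    """'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
    as a Python predicate over a raw IPv4 packet. ip[9] is the Protocol field.
    Assumes an unfragmented datagram (ip[6:2] & 0x1fff would give the offset)."""
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_TCP:
        return False
    return 80 in tcp_ports(pkt) and tcp_payload_len(pkt) != 0


def captured_payload(pkt):
    """The payload bytes actually present in the capture. The slice ends at
    Total Length so link-layer padding after a short frame is not mistaken
    for data, and it may be shorter than tcp_payload_len() says when the
    capture was truncated by -s."""
    start = ip_header_len(pkt) + tcp_header_len(pkt)
    return pkt[start:ip_total_len(pkt)]


def trailer_len(pkt):
    """Bytes beyond Total Length: Ethernet pads frames to 60 bytes, so the
    44-byte SYN/ACK datagram arrives with 2 bytes of padding after it."""
    return max(0, len(pkt) - ip_total_len(pkt))


if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("SYN/ACK", SYN_ACK), ("PSH/ACK", PSH_ACK_HDRS)):
        sport, dport = tcp_ports(pkt)
        print("%-8s %5d > %-5d flags [%s] payload %d declared, %d captured, "
              "trailer %d, matches filter: %s"
              % (name, sport, dport, tcp_flags(pkt), tcp_payload_len(pkt),
                 len(captured_payload(pkt)), trailer_len(pkt), http_data_filter(pkt)))
```

Two things the one-line filter hides are worth remembering when the same check is written into a tool: the lengths come from the headers, not from the bytes on hand, so a packet truncated by -s still satisfies != 0 while captured_payload() is empty; and a short frame can carry link-layer padding beyond Total Length (the SYN/ACK above has two such bytes), which is why the payload slice stops at Total Length rather than at the end of the buffer.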
4. pcap file format
The libpcap file format is the main capture file format used in TcpDump/WinDump, snort, and many other networking tools.
There are some variants of the format in the wild; the following describes only the commonly used format in its current version, 2.4. The file has a global header containing some global information, followed by zero or more records, one per captured packet, laid out like this:
Global Header | Packet Header | Packet Data | Packet Header | Packet Data | ... |
This header starts the libpcap file and is followed by the first packet header. All fields are written in the byte order of the capturing host; a reader tells which by looking at magic_number, which reads as 0xa1b2c3d4 when the file's byte order matches the reader's own and as 0xd4c3b2a1 when it does not (0xa1b23c4d marks the otherwise identical variant with nanosecond timestamps):
#include <stdint.h>   /* guint32 etc. in the Wireshark wiki original are glib spellings of these C99 types */

/* Global Header */
typedef struct pcap_hdr_s {
        uint32_t magic_number;   /* magic number */
        uint16_t version_major;  /* major version number */
        uint16_t version_minor;  /* minor version number */
        int32_t  thiszone;       /* GMT to local correction */
        uint32_t sigfigs;        /* accuracy of timestamps */
        uint32_t snaplen;        /* max length of captured packets, in octets */
        uint32_t network;        /* data link type */
} pcap_hdr_t;
Each captured packet starts with the following record header; records follow one another with no alignment padding, so any byte alignment is possible. incl_len is the number of packet bytes that follow the header and must not exceed snaplen or orig_len; a reader should check that before trusting it, because these length fields are the first thing a malformed or hostile capture file gets wrong:
/* Packet (Record) Header */
typedef struct pcaprec_hdr_s {
        uint32_t ts_sec;         /* timestamp seconds */
        uint32_t ts_usec;        /* timestamp microseconds */
        uint32_t incl_len;       /* number of octets of packet saved in file */
        uint32_t orig_len;       /* actual length of packet */
} pcaprec_hdr_t;
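The following is an added example, not code from the original page or from libpcap: a minimal pcap writer and reader in Python built from the two structures above. It picks the byte order from magic_number, clamps incl_len to snaplen on write, and refuses files whose length fields do not add up rather than trusting them. The packet it stores is the SYN from the tcpdump -X output in section 2.7 (IP header onward), so the link type is LINKTYPE_RAW (101) instead of the Ethernet type 1 that a capture on eth0 would carry; the function and constant names are this example's own.

```python
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # ts_usec holds microseconds
PCAP_MAGIC_NS = 0xA1B23C4D   # same layout, ts_usec holds nanoseconds
LINKTYPE_RAW = 101           # packet data begins with the IP header, no link-layer header

GLOBAL_HDR = "IHHiIII"       # magic_number, version_major, version_minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = "IIII"          # ts_sec, ts_usec, incl_len, orig_len
GLOBAL_HDR_LEN = struct.calcsize("<" + GLOBAL_HDR)   # 24 bytes
RECORD_HDR_LEN = struct.calcsize("<" + RECORD_HDR)   # 16 bytes

# Copied from this page's tcpdump -X output: the SYN to 111.13.100.91:80,
# IP header onward (60 bytes).
SYN_PKT = bytes.fromhex(
    "4500003c83df40004006d7650a00020f"
    "6f0d645bb8790050eebc970f00000000"
    "a0027210dfa50000020405b40402080a"
    "001514d00000000001030307"
)


def write_pcap(packets, snaplen=65535, network=LINKTYPE_RAW, byte_order="<"):
    """Serialise (ts_sec, ts_usec, data) tuples into a version 2.4 pcap file.

    byte_order is "<" or ">" and is recorded implicitly through the magic
    number. incl_len is the number of bytes actually stored (clamped to
    snaplen); orig_len keeps the packet's real length on the wire.
    """
    out = bytearray(struct.pack(byte_order + GLOBAL_HDR,
                                PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, network))
    for ts_sec, ts_usec, data in packets:
        saved = data[:snaplen]
        out += struct.pack(byte_order + RECORD_HDR, ts_sec, ts_usec, len(saved), len(data))
        out += saved
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap file held in memory.

    Returns (header, records): header is a dict of the global header fields,
    records a list of (ts_sec, ts_frac, incl_len, orig_len, data).
    Raises ValueError on an unknown magic number or on any record whose
    length fields disagree with the file, instead of returning partial data.
    """
    if len(blob) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than the global header")
    # The magic number is written in the capturing host's byte order, so try
    # both orders and let the one that yields a known magic decide.
    for bo in ("<", ">"):
        magic = struct.unpack_from(bo + "I", blob, 0)[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file (magic %#010x)" % struct.unpack_from("<I", blob, 0)[0])

    magic, major, minor, thiszone, sigfigs, snaplen, network = \
        struct.unpack_from(bo + GLOBAL_HDR, blob, 0)
    header = {
        "byte_order": bo,
        "nanosecond": magic == PCAP_MAGIC_NS,
        "version": (major, minor),
        "thiszone": thiszone,
        "sigfigs": sigfigs,
        "snaplen": snaplen,
        "network": network,
    }

    records = []
    off = GLOBAL_HDR_LEN
    while off < len(blob):
        if len(blob) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(bo + RECORD_HDR, blob, off)
        off += RECORD_HDR_LEN
        # Validate the untrusted length fields before slicing: a crafted file
        # could otherwise claim far more packet data than the file holds.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record at offset %d: incl_len %d exceeds snaplen or orig_len"
                             % (off - RECORD_HDR_LEN, incl_len))
        if len(blob) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_frac, incl_len, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return header, records


def is_pcap(blob):
    """True when read_pcap() accepts the whole file."""
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = write_pcap([(1443275677, 912907, SYN_PKT)])
    header, records = read_pcap(blob)
    print(header)
    for ts_sec, ts_frac, incl_len, orig_len, data in records:
        print(ts_sec, ts_frac, incl_len, orig_len, data[:8].hex())
```

A file produced by write_pcap() with the default arguments is readable by tcpdump -r and by Wireshark, since it is the same 24-byte global header and 16-byte record header described above with the microsecond magic. The reason for the explicit checks in read_pcap() is that capture files are routinely exchanged between parties, so a parser has to treat incl_len and orig_len as attacker-controlled input rather than as a description of the bytes that follow.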
5. Tips
5.1. Merging and analysing pcap files
mergecap merges several pcap files into one, and tshark is a feature-rich command-line analyser for pcap files. Both ship as components of Wireshark.
References:
https://www.wireshark.org/docs/man-pages/mergecap.html
https://www.wireshark.org/docs/man-pages/tshark.html
http://www.thegeekstuff.com/2009/03/mergecap-and-tshark-merge-packet-dumps-and-analyze-network-traffic/