  Installation and use of Linux Sniffer tool Tcpdump
     
  Add Date : 2017-01-08      
         
         
         
Among today's many hacking techniques, sniffing is the most common and also the most important one. Anyone who has used a sniffer on Windows (for example NetXRay or Sniffer Pro) knows that on a shared LAN a sniffer lets you see all of the network's traffic at a glance. A sniffer is really a packet capture tool that can also analyze the packets it captures. On a shared network every packet reaches the network interface of every host, but when no sniffer is in use the host's network device decides whether a packet is addressed to it and discards the ones that are not. A sniffer puts the host's network device into a mode where it accepts every incoming packet, which is what makes network monitoring possible. Sniffers are useful to hackers, but just as useful to network administrators and network programmers. An administrator can use one to follow what is actually happening on the network; when performance drops sharply, the sniffer's analysis helps locate the source of the congestion. A programmer can use one to debug network code.

Here we introduce an excellent sniffer on Linux: tcpdump. (The operations below were tested on RedHat 6.2 with Linux kernel 2.2.14.)

A. Tcpdump installation

Installing tcpdump on Linux is very simple; there are generally two ways to do it. One is to install an rpm package, the other is to install from source.

1. Installing the rpm package

This is the easiest method: the rpm package has already been compiled into binary form, so it can be installed directly with the rpm command without changing anything. Log in as root and run:

#rpm -ivh tcpdump-3_4a5.rpm

With that, tcpdump is installed on your Linux system. See, it really is simple.

2. Installing from source

Since installing the rpm package is so simple, why bother with the more complex source installation? One of Linux's greatest attractions is that so much of its software comes with source code, which you can modify to meet your own particular needs. So I especially recommend that you try installing from source.

Step one is to obtain the source code. First get the tcpdump source bundle, which comes in two forms: a tar archive (tcpdump-3_4a5.tar.Z) or a source rpm (tcpdump-3_4a5.src.rpm). The contents are the same, only the packaging differs. The compressed tar archive can be unpacked with:

#tar xvfz tcpdump-3_4a5.tar.Z

The source rpm can be installed with:

#rpm -ivh tcpdump-3_4a5.src.rpm

This extracts the tcpdump source code into the /usr/src/redhat/SOURCES directory.

Step two: prepare to compile the source code

Before compiling, make sure that the libpcap library is installed; tcpdump is built on top of it. You also need a standard C compiler, which on Linux is usually gcc. The tcpdump source directory contains a file named Makefile.in; the configure command generates the Makefile from it automatically.

The two macros BINDEST and MANDEST in Makefile.in can be modified to suit the system configuration. Their defaults are:

BINDEST = @sbindir@

MANDEST = @mandir@

The first macro gives the path where the tcpdump binary will be installed, the second the path for the tcpdump man pages; modify them to suit your system.

Step three: compile the source code

Run the configure script in the source directory; it reads all the necessary attributes from the system and automatically generates the Makefile from Makefile.in. Then the make command compiles the tcpdump source according to the rules in the Makefile, and make install installs the compiled binary.

It boils down to this:

# tar xvfz tcpdump-3_4a5.tar.Z

# vi Makefile.in

# ./configure

# make

# make install

B. Tcpdump use

tcpdump is a command-line tool; its syntax is:

tcpdump [-adeflnNOpqStvx] [-c count] [-F filename]
        [-i interface] [-r filename] [-s snaplen]
        [-T type] [-w filename] [expression]

1. Introduction to the tcpdump options

-a: convert network and broadcast addresses into names;

-d: dump the packet-matching code in a human-readable, assembler-like form;

-dd: dump the packet-matching code as a C program fragment;

-ddd: dump the packet-matching code as decimal numbers;

-e: print the link-layer header on each output line;

-f: print "foreign" Internet addresses numerically;

-l: make stdout line buffered;

-n: do not convert network addresses into names;

-t: do not print a timestamp on each output line;

-v: slightly more verbose output, for example the TTL and type of service of IP packets;

-vv: even more detailed packet output;

-c: stop after receiving the specified number of packets;

-F: read the filter expression from the specified file, ignoring any expression given on the command line;

-i: specify the network interface to listen on;

-r: read packets from the specified file (usually one produced with the -w option);

-w: write the raw packets directly to a file instead of analyzing and printing them;

-T: interpret the captured packets directly as the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).

2. Description of the tcpdump expression

The expression is a filter expression: tcpdump uses it as the condition for capturing packets. If a packet satisfies the expression it is captured; if no expression is given, every packet on the network is intercepted.

An expression is generally built from several kinds of keywords. The first kind specifies a type: host, net and port. For example, host 210.27.48.2 refers to the host 210.27.48.2, net 202.0.0.0 refers to the network address 202.0.0.0, and port 23 refers to port number 23. If no type is specified, the default is host.

The second kind specifies the direction of transfer: src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

The third kind is the protocol keyword: fddi, ip, arp, rarp, tcp, udp and so on. fddi denotes a specific network protocol, FDDI (Fiber Distributed Data Interface); it is really an alias for ether, since fddi and ether have similar source and destination addresses, so fddi packets can be processed and analyzed like ether packets. The other keywords select the protocol whose packets are listened for. If no protocol is specified, tcpdump listens for packets of all protocols.

Besides these three kinds of keywords, other important ones are gateway, broadcast, less and greater. There are also three logical operators: negation is not or !, AND is and or &&, and OR is or or ||.

These keywords can be combined to form powerful conditions that fit your needs. The following examples illustrate this.

(1) To intercept all packets received or sent by host 210.27.48.1:

#tcpdump host 210.27.48.1

(2) To intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use:

#tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)

(3) To get the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2, use:

#tcpdump ip host 210.27.48.1 and ! 210.27.48.2

(4) To get the telnet packets received or sent by host 210.27.48.1, use:

#tcpdump tcp port 23 host 210.27.48.1

3. Explanation of tcpdump output

Here we introduce some typical output of the tcpdump command.

(1) Data-link-layer header information

Using the command #tcpdump -e host ice

ice is a host running Linux; its MAC address is 0:90:27:58:af:1a.

H219 is a SUN workstation running SOLARIS; its MAC address is 8:0:20:79:5b:46. The output of the command above is:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12 is the time, 847509 is the ID number, eth0 is the network interface device that handled the packet, 8:0:20:79:5b:46 is the MAC address of host H219, showing that the packet was sent from source H219, and 0:90:27:58:af:1a is the MAC address of host ICE, showing that the packet's destination is ICE. ip shows that this is an IP packet, and 60 is the packet length. h219.33357 > ice.telnet shows that the packet was sent from port 33357 on host H219 to the telnet port (23) on host ICE. ack 22535 is the acknowledgement of the packet with sequence number 22535, and win 8760 shows that the send window size is 8760.

(2) ARP packet output

Using the command #tcpdump arp

The output is:

22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)

22:32:42.802902 eth0

Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet was sent out from this host, arp shows that it is an ARP request packet, who-has route tell ice shows that host ICE is asking for the MAC address of host ROUTE, and 0:90:27:58:af:1a is the MAC address of host ICE.

(3) TCP packet output

The general form of the TCP packet capture output from tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst shows the source and the destination; flags holds the TCP flag information: S is SYN, F is FIN, P is PUSH, R is RST, and "." means no flags are set. data-seqno is the sequence number of the data in the packet, ack is the next expected sequence number, window is the size of the receiver's buffer window, urgent indicates whether the packet carries an urgent pointer, and options are the TCP options.

(4) UDP packet output

The general form of the UDP packet capture output from tcpdump is:

route.port1 > ice.port2: udp length

UDP is very simple: the line above indicates that a UDP packet was sent from port port1 on host ROUTE to port port2 on host ICE, the packet type is UDP, and the packet length is length.
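As an added example (not from the original article), here is a small Python parser for the TCP and UDP output line shapes described in sections (3) and (4), followed by a defender's use of it: counting bare SYNs (S flag, no ack) per source host, the kind of quick check you would run over a capture read back with -r. The sample lines are constructed to match those shapes; the host names h219, ice and route are taken from the article.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Optional leading timestamp and the "eth0 <" / "eth0 >" interface marker that
# tcpdump prints on Linux, so lines with or without them parse the same way.
PREFIX = r"^(?:\d{2}:\d{2}:\d{2}\.\d+ )?(?:\S+ [<>] )?"
# TCP line: src > dst: flags data-seqno ack window urgent (trailing text ignored)
TCP_RE = re.compile(
    PREFIX + r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?"
)
# UDP line: route.port1 > ice.port2: udp length
UDP_RE = re.compile(PREFIX + r"(?P<src>\S+) > (?P<dst>\S+): udp (?P<len>\d+)")

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one tcpdump output line; returns None for lines that are not TCP/UDP."""
    m = TCP_RE.match(line)
    if m:
        rec: Dict[str, object] = {"proto": "tcp", "src": m["src"], "dst": m["dst"], "flags": m["flags"]}
        for key in ("seq", "len", "ack", "win", "urg"):
            rec[key] = int(m[key]) if m[key] is not None else None
        return rec
    m = UDP_RE.match(line)
    if m:
        return {"proto": "udp", "src": m["src"], "dst": m["dst"], "len": int(m["len"])}
    return None

def syn_counts(lines: List[str]) -> Counter:
    """Count bare SYNs (S flag set, no ack) per source host: a quick view of which
    hosts are opening connections, e.g. when reading a -w capture back with -r."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and "S" in rec["flags"] and rec["ack"] is None:
            counts[str(rec["src"]).rsplit(".", 1)[0]] += 1  # strip the port suffix
    return counts

# Constructed sample lines in the shapes shown above (not a real capture).
SAMPLE = [
    "21:50:12.847509 eth0 < h219.33357 > ice.telnet: . 0:0(0) ack 22535 win 8760 (DF)",
    "21:50:13.001200 eth0 > h219.33358 > ice.telnet: S 4100:4100(0) win 8760",
    "21:50:13.002300 eth0 > h219.33359 > ice.ftp: S 4200:4200(0) win 8760",
    "21:50:13.104400 eth0 < ice.telnet > h219.33358: S 9000:9000(0) ack 4101 win 8760",
    "21:50:14.200000 eth0 > route.1024 > ice.domain: udp 48",
    "21:50:15.000000 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
]
```

Running syn_counts(SAMPLE) yields Counter({'h219': 2}): the two connection attempts from h219, while the SYN/ACK from ice and the ARP line are not counted.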

That covers the installation and use of tcpdump in detail; I hope it is helpful to everyone. To use the sniffer weapon tcpdump skillfully in a Linux environment you also need to build up experience in practice and bring its full power into play.
     
         
         
         