Network data acquisition and analysis tools TcpDump Introduction
As the name suggests, TcpDump network can be transmitted in packets "head" down the offer completely intercepted analysis. It supports filtering for network layer protocol, host, network, or port, and to provide and, or, not and so logical statement to help you get rid of useless information. tcpdump is a free web analytics tool that provides in particular the source code, open interfaces, and therefore have a strong scalability for network maintenance and the invaders are very useful tools. tcpdump exist in the basic FreeBSD system, since it requires a network interface is set to promiscuous mode, normal users can not perform, but with root privileges can execute it directly to obtain information on the network. Therefore, this machine is not primarily to security threats, but there is a threat to the security of other computers on the network there is a network analysis tool system.
We try to use simple words to define tcpdump, it is: dump the traffice on a network, according to the definition of user data packets on the network packet analysis tool intercepted. As a classic on the Internet an indispensable tool for system administrators, tcpdump with its powerful features and flexible policy interception, each advanced to become one of the network system administrators to analyze, troubleshoot problems, and other things that are necessary. tcpdump provides the source code, open interfaces, and therefore have a strong scalability for network maintenance and the invaders are very useful tools. tcpdump exist in the basic FreeBSD system, since it requires a network interface is set to promiscuous mode, normal users can not perform, but with root privileges can execute it directly to obtain information on the network. Therefore, this machine is not primarily to security threats, but there is a threat to the security of other computers on the network there is a network analysis tool system.
Network data acquisition and analysis tool TcpDump installation
In linux tcpdump installation is very simple, generally consists of two installation methods. One is in the form of rpm package to install. Another source in the form of installation.
Forms rpm package installation: This type of installation is the easiest installation method, rpm package after package is translated into binary format software, can be installed directly through the rpm command, you do not need to change anything. Log in as root, use the following command:
#rpm -ivh tcpdump-3_4a5.rpm
Thus tcpdump is smoothly installed on your linux system. How kind, it is very simple.
Source installation: Since the install rpm package is very simple, why use more complicated to install it in fact the source, linux is one of the biggest fascination in her there are a lot of software to provide source code, people can? modify the source code to meet their particular needs. So I especially recommend my friends have adopted this method of installation source.
The first step to obtain the source code in the source of the installation, we must first get tcpdump source bundle, this bundle there are two forms, one is a tar archive (tcpdump-3_4a5.tar.Z), another is the rpm bundle (tcpdump-3_4a5.src.rpm). Both forms of content are the same, just a different way .tar compressed archive can use the following command to unlock:
#tar xvfz tcpdump-3_4a5.tar.Z
rpm package can use the following command to install:
#rpm -ivh tcpdump-3_4a5.src.rpm
This put the tcpdump source code extract to / usr / src / RedHat / SOURCES directory.
The second step to prepare activities before compiling a source program
Before compiling the source code, has determined that the best libraries libpcap has been installed, the library is a library file tcpdump software. Likewise, you also have to have a standard c language compiler. In linux under standard c language compiler typically gcc. In tcpdump source directory. There is a file Makefile.in, configure command from Makefile.in file is automatically generated Makefile files. In Makefile.in file, you can configure the system according to modify BINDEST and MANDEST two macro definition, the default is
BINDEST = @ sbindir @
MANDEST = @ mandir @
The first macro install tcpdump binary value indicates the file path name, the second show tcpdump man pages path name, you can modify them to meet the system requirements.
The third step is to compile the source code
Use the source directory configure script that reads all the necessary attributes from the system. And automatically generate the Makefile according to Makefile.in file to compile with .make command according to the rules in the Makefile to compile tcpdump source. Use make install tcpdump command to install the compiled binaries.
It boils down to this:
# Tar xvfz tcpdump-3_4a5.tar.Z
# Vi Makefile.in
#. / Configure
# Make install
Network data acquisition and analysis tools used TcpDump
Under ordinary circumstances, direct start tcpdump will monitor all flows on the first network interface packet.
tcpdump: listening on fxp0
11: 58: 47.873028 220.127.116.11.netbios-ns> 18.104.22.168.netbios-ns: udp 50
11: 58: 47.974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1d ui / C len = 43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11: 58: 48.373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui / C len = 97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
tcpdump supports a considerable number of different parameters, such as the use tcpdump -i parameter to specify the listener's network interface, which is very useful when you have multiple network interfaces on the computer, the number of packets with the -c parameter to specify to listen, use the -w parameter to specify listens to packet writing files to save, and so on.
However, more complex tcpdump parameters are used for filtration purposes, it is because the network traffic is heavy, if not resolved all of the data packet interception down, too much data, but not easy to find the required data package. Filtering rules can be defined using these parameters entrapped particular packet, to narrow the target, in order to better analyze the problems in the network. tcpdump use parameters to specify the monitoring packet type, address, port, etc., depending on the network issues, will be able to take advantage of these filtering rules to achieve the purpose of quickly locate faults. Please use the man tcpdump view these filtering rules specific usage.
Apparently for safety reasons, the computer is not used for network management purposes should not run this type of network analysis software, in order to shield them, can shield kernel bpfilter pseudo device. Under normal circumstances network hardware and TCP / IP stack does not support received or sent, regardless of the computer data packets, in order to receive these packets, it is necessary to use the card in promiscuous mode, and bypass the standard TCP / IP stack down. In FreeBSD, which requires kernel support pseudo-device bpfilter. Thus, in the kernel canceled bpfilter support, we will be able to shield network analysis tools like tcpdump.
And when the card is set to promiscuous mode, the system will leave a record in the console and the log file, alert administrators pay attention to whether this system is used as a springboard to attack other computer networks.
May 15 16:27:20 host1 / kernel: fxp0: promiscuous mode enabled
Although the data network analysis tool can record network transmission, but the network data traffic is quite large, and how these data are analyzed, classified statistics, find and report errors is a more important issue. Network data packets belonging to different protocols, different protocols and packet formats are different. Therefore, the captured data is decoded, the package information displayed as much as possible, even more important in terms of protocol analysis tools. Advantages expensive commercial analysis tools is that they can support many kinds of application layer protocols, not only supports tcp, udp and other low-level protocols.
From the above it can be seen the output of tcpdump, tcpdump data interception did not conduct a thorough decoding, most of the data package is to use hexadecimal form of direct printout. Obviously, this is not conducive to the analysis of network failure, the usual solution is to use tcpdump with -w parameter data captured and saved to a file, and then use another program to decode analysis. Of course, you should define filtering rules to avoid capture data packets to fill the entire hard disk. FreeBSD provides an efficient decoding procedure for the tcpshow, it can be installed by Packages Collection.
QUOTE: # pkg_add / cdrom / packages / security / tcpshow *
# Tcpdump -c 3 -w tcpdump.out
tcpdump: listening on fxp0
# Tcpshow 01: 80: C2: 00: 00: 00 type = 0026
TIME: 12: 01: 01.074513 (1.089684)
LINK: 00: A0: C9: AB: 3CF -> FF: FF: FF: FF: FF: FF type = ARP
ARP: htype = Ethernet ptype = IP hlen = 6 plen = 4 op = request
sender-MAC-addr = 00: A0: C9: AB: 3CF sender-IP-address = 22.214.171.124
target-MAC-addr = 00: 00: 00: 00: 00: 00 target-IP-address = 126.96.36.199
TIME: 12: 01: 01.985023 (0.910510)
LINK: 00: 10: 7B: 08: 3A: 56 -> 01: 80: C2: 00: 00: 00 type = 0026
tcpshow in a different way to decode data packets, and different ways to display the decoded data, the user can choose the most suitable parameters according to its manual on the intercepted data packets for analysis. As can be seen from the above examples, tcpshow supported protocols are not rich, for it does not support the protocol can not be decoded.
In addition to tcpdump, FreeBSD's Packages Collecion also provided two Sniffit Ethereal and network analysis tools, and other web-based analytical methods of security tools. Wherein Ethereal runs under X Window, with good graphical interface, Sniffit use the character window form, also easy to operate. However, due to filtering rules tcpdump ability to support more powerful, so the system administrators still prefer to use it. For experienced network administrator, network analysis using these tools can be used to not only understand how to run the network in the end, where the fault occurs, but also effective statistical work, such as the communication protocol that accounts for a major position arising , the host of the busiest, is located where network bottlenecks and so on. Therefore, network analysis tool is a valuable tool for network management systems. Network analysis tools in order to prevent misuse of data intercepted, the key is to resolve on the physical structure of the network. Commonly used method is to use a switch or network bridge will trust and mistrust separated network can prevent external network eavesdropping internal data transfer, but still can not solve the problem of data security internal network and external networks of mutual communication. If there is not enough funding to upgrade the shared hub network Ethernet switch, you can use the FreeBSD system to perform tasks bridge. This requires the use of option BRIDGE custom kernel compile option again, then use the command to start the bridge bridge function.
tcpdump using the command line, its command format is:
tcpdump [-adeflnNOpqStvx] [-c number] [-F filename]
[-i Network Interface] [-r filename] [-s snaplen]
[-T Type] [-w filename] [expression]
(1). Tcpdump options introduced
-a convert network and broadcast addresses into names;
-d matching packet code to be able to understand people's assembly format is given;
-dd packet will match the code given in the format c language program segment;
-ddd will match packets in decimal code given in the form;
-e in the output line to print out the header information of the data link layer;
-f external Internet address printed in digital form;
-l Make stdout line buffered;
-n do not network addresses into names;
-t on each line of output does not print a timestamp;
-v output a little more information, such as ip ttl packets may include information and service types;
-vv output detailed message information;
-c After receiving the specified number of packets, tcpdump will stop;
-F Expression read from the specified file, ignoring other expressions;
-i Specifies the listener network interface;
-r read from the specified file packages (these packages are generally produced by the -w option);
-w file is written directly to the package, does not parse and print out;
-T Will listen to the explanation of the packets directly to the specified type of packets common types rpc (Remote Procedure Call) and snmp (SNMP;)
(2). Tcpdump expression that describes
Expression is a regular expression, tcpdump use it as a filter packets conditions, if a message meets the conditions of the expression, then the packet will be captured. If you do not give any criteria, all packets on the network will be intercepted. In general expressions are several types of keywords.
The first one is about the types of keywords, including the host, net, port, such as host 188.8.131.52, 184.108.40.206 indicates a host, net 220.127.116.11 18.104.22.168 specify a network address, port 23 specified port number is 23. If you do not specify a type, the default type is host.
The second is to determine the key direction of transmission, including src, dst, dst or src, dst and src, these keywords indicates the direction of transmission. Illustration, src 22.214.171.124, indicating ip packet source address 126.96.36.199, dst net 188.8.131.52 specified destination network address is 184.108.40.206. If you do not indicate the direction keyword, the default is src or dst keyword.
The third is the key protocol, including fddi, ip, arp, rarp, tcp, udp and other types. Fddi indicate whether a particular network protocol FDDI (Fiber Distributed Data Interface network), it is actually "ether" alias, fddi and ether have similar source and destination addresses, so it can be used as protocol packets fddi processing and analysis of ether packets. Several other keyword is specified in the agreement listening package. If you do not specify any agreement, tcpdump will monitor all protocol packets.
In addition to these three types of keywords, other important keywords as follows: gateway, broadcast, less, greater, there are three logical operators, negated operation is 'not' '', and the operation is 'and',! '&&'; or operation is 'or', '||'; these keywords can be combined together to form a powerful combination of conditions to meet people's needs, the following are some examples to illustrate.
A host 220.127.116.11 want to intercept all received and all packets sent:
#tcpdump host 18.104.22.168
B wants to intercept the host and host 22.214.171.124 126.96.36.199 or 188.8.131.52 communications using the command :( applicable brackets on the command line, be sure to
#tcpdump host 184.108.40.206 and \ (220.127.116.11 or 18.104.22.168 \)
C If you want to get the host and host outside 22.214.171.124 126.96.36.199 In addition all ip packets host communication using the command:
#tcpdump ip host 188.8.131.52 and! 184.108.40.206
D 220.127.116.11 sent to or if you want to get the host telnet package, use the following command:
#tcpdump tcp port 23 host 18.104.22.168
(3). Tcpdump output presentation
Here we introduce some typical output of tcpdump command
A, the data link layer header information
Using the command
#tcpdump --e host ice
ice is equipped with a host of linux, her MAC address is 0: 90: 27: 58: AF: 1A
H219 is a computer with SOLARIC the SUN workstation, its MAC address is 8: 0: 20: 79: 5B: 46; the output of the previous command is as follows:
21: 50: 12.847509 eth0 ice.telne
t 0: 0 (0) ack 22535 win 8760 (DF)
Analysis: 21: 50: 12 is the time display, 847 509 is the ID number, eth0 represents from the network interface device to send data packets, 8: 0: 20: 79: 5b: 46 is the host H219 MAC address, it indicates from the source address H219 sent packets 0:. 90: 27: 58: af: 1a host ICE MAC address indicates the destination address of the packet is the ICE ip is indicating that the packet is an IP packet 60 data. length of the packet, h219.33357> ice.telnet indicate that the packet is sent to the host port from 33357 ICE's TELNET host H219 (23) port. ack 22535 show sequence number is 222 535 package responds. win 8760 show sent window size is 8760.
B, TCPDUMP ARP packets output
Using the command
Output result is:
22: 32: 42.802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)
22: 32: 42.802902 eth0 indicates that the packet issued from the host, arp show the ARP request packet, who-has route tell ice show host ROUTE ICE requesting the host's MAC address. 0: 90: 27: 58: af: 1a ICE is the MAC address of the host.
C, Output TCP packet
General output TCP packet capture information with TCPDUMP are:
src> dst: flags data-seqno ack window urgent options
src> dst: show from the source to destination, flags is a TCP packet flag information, S is the SYN flag, F (FIN), P (PUSH), R (RST) (unmarked); data- "." seqno is a packet sequence number data, ack is next expected sequence number, window is the receiver buffer window size, urgent packets indicate whether there are urgent pointer. options are options.
D, output UDP packet
General output UDP packet capture information with TCPDUMP are:
route.port1> ice.port2: udp lenth
UDP is very simple, the above output line indicates that a UDP data sent from the host ROUTE packets to the host port port1 port2 the ICE port type is UDP, the packet length is the lenth